[plug] Securing your webserver

Quintin Lette qlette at gmail.com
Sat Aug 20 11:19:40 WST 2005


> Well, it's more of a how do you secure your entire computer. In
> general (depending on what your website is run off) the webserver
> (apache...) is secure.

Not entirely true: there have been numerous Apache security issues,
and the web programming itself (how secure the programming is) is just
as important as the webserver itself.

> 
> The big question is "How did they get in?"
> Once we know that we can start securing the box.
> 

This technique really only secures you from people that try to get in
the same way (security by patching the hole someone got in last time
is not a really good technique for keeping a secure system; you need
to keep ahead of the crackers, not one step behind them).

A few things you might want to look at are:

a. If you are serious about providing internet services to customers
let the professionals do it while you are still learning. (sorry if
this sounds rude, but based on some of your posts you really shouldn't
be providing these services by yourself yet, as you could get yourself
in a lot of legal / financial trouble if something goes wrong) I'm not
suggesting you give up, just that you don't host anything for a
"customer" until you really understand how networking / dns / web
services / security work. By all means host your own (preferably
non-business) stuff and ask questions, attend workshops etc about it
and learn how to be able to do this yourself.

b. Try not to open so many ports on your firewall (and realistically,
don't host commercial stuff on your home ADSL). I.e. do you really need
ftp, telnet and pop3 open to the world? (All 3 will send passwords in
plain text over the internet.) If you really need terminal access
remotely (from outside your firewall) use SSH (preferably not allowing
root login or passwords).

c. Ensure you have and enforce secure passwords!!!  (Search through
previous posts about John the Ripper; it will only take a few mins to
get most insecure passwords on a system.)

d. Keep up to date with security bulletins and patches.

e. If you're really serious about security attend a security course...
Security+ will give you the _basics_, as will the Certified Ethical
Hacker course (don't take a pass in either as being competent at
security).

f. Take any advice/articles with a grain of salt (including mine).

Again, I'm really sorry if I sound rude or uncooperative, but
security is a huge area and there are lots more "bastards" out there
who will hack you and anyone else they can. Security is a huge area,
and is an essential requirement for any systems that face the
internet. Security is also not limited to technical aspects, but
includes "people" aspects as well as environmental aspects.

Ok, I'm shutting up before I sound too much like a w***ker
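A small check for the SSH advice in point b, added here as an example and not part of the original post: it audits an sshd_config for the two settings the post recommends (no root login, no password authentication), honouring sshd's own rules that keywords are case-insensitive and that the first occurrence of a keyword wins. The sample config is constructed for the demonstration.

```python
# Added example, not from the original post: audit the global section of an
# sshd_config for the two settings recommended above. Keywords are
# case-insensitive and the FIRST occurrence wins, so a hardened line appended
# below a weaker one changes nothing. Lines after "Match" are not audited.

# Hardened values; "prohibit-password" is current OpenSSH spelling,
# "without-password" the older synonym.
WANTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
}

def parse_global_section(text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments/blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":                            # rest of file is conditional
            break
        if len(parts) == 2 and key not in settings:   # first occurrence wins
            settings[key] = parts[1].strip().lower()
    return settings

def audit(text):
    """Return findings for the settings in WANTED; empty list means hardened."""
    settings = parse_global_section(text)
    findings = []
    for key, good in WANTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set, the sshd default applies")
        elif value not in good:
            findings.append(f"{key}: effective value is '{value}'")
    return findings

# Constructed sample: the operator appended hardened lines under weaker ones.
SAMPLE = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no         # ignored: an earlier line already set it
PasswordAuthentication no  # ignored for the same reason
Match User backup
    PasswordAuthentication no
"""
```

Running `audit(SAMPLE)` reports both settings as still 'yes', which is what sshd would actually enforce for that file.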