[plug] Securing your webserver
Craig Ringer
craig at postnewspapers.com.au
Sat Aug 20 13:16:50 WST 2005
Quintin Lette wrote:
>b. try not to open so many ports on your firewall (and realistically,
>don't host commercial stuff on your home adsl) Ie: do you really need
>ftp, telnet and pop3 open to the world (all 3 will send passwords in
>plain text over the internet) If you really need terminal access
>remotely (from outside your firewall) use SSH (preferably not allowing
>root login or passwords)
>
>
If at all possible, configure the service to not listen on your external
network interface, or shut it down entirely. Your firewall is an extra
layer of protection - it's much better if the underlying service just
isn't listening. This isn't always possible of course - a caching BIND
that hosts some zones for your LAN too comes to mind here.
>c. Ensure you have and enforce secure passwords!!! (search through
>previous posts about John the Ripper, it will only take a few mins to
>get most unsecure passwords on a system)
>
>
I'm a big fan of ssh that only accepts RSA key based auth. Remote brute
force is hard anyway, but this makes it essentially impossible. It also
means that if they manage to nick your shadow password file and brute
force it, they will get exactly nowhere in their attempt to use it to
get a local login. If you don't store your private key on the machine,
that leaves the attacker pretty much stumped for ssh access.
>d. Keep up to date with security bulletins and patches
>
>
Note that - critically - this is not just for your OS and web server,
but also for any web script packages you are using. PHPBB, Drupal,
Mambo, Zope, Plone, etc etc. You must also be very security conscious
with anything you write yourself. Naturally the same is also true for
any services you write, but I don't expect you'll be writing any
programs that provide network services directly.
--
Craig Ringer
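An added example, not part of Craig's post or anything from the PLUG list: a small POSIX sh audit that reads an sshd_config and flags the settings discussed above (password logins, root login, key-only auth, and listening on every interface). The keyword names are real OpenSSH ones; the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings the thread discusses (keys only, no root login, no password
# login, not bound to every interface). Keyword names are the real
# OpenSSH ones; the sample file at the bottom is constructed.

# Effective value of a keyword: sshd takes the first uncommented
# occurrence, and keywords are matched case-insensitively.
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one finding per line for each setting weaker than recommended.
# A missing keyword counts as a finding where the default is the weak
# setting (sshd defaults PasswordAuthentication to yes and listens on
# all addresses when no ListenAddress is given).
audit_sshd_config() {
    f=$1
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "${v:-yes}" = no ] ||
        echo "PasswordAuthentication=${v:-<unset, default yes>}: set to no, use keys"
    v=$(sshd_get "$f" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] ||
        echo "PubkeyAuthentication=$v: key-based login is disabled"
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = no ] ||
        echo "PermitRootLogin=${v:-<unset>}: set explicitly to no"
    v=$(sshd_get "$f" ListenAddress)
    [ -n "$v" ] ||
        echo "ListenAddress unset: sshd binds every interface, external one included"
    return 0
}

# Number of findings, as a plain integer (arithmetic strips wc's padding).
weak_setting_count() {
    echo $(( $(audit_sshd_config "$1" | wc -l) ))
}

# Constructed sample: a typical distribution default with root login on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd_config "$sample"   # prints 3 findings
rm -f "$sample"
```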