[plug] Securing your webserver

Craig Ringer craig at postnewspapers.com.au
Sat Aug 20 13:16:50 WST 2005


Quintin Lette wrote:

>b. try not to open so many ports on your firewall (and realistically,
>don't host commercial stuff on your home adsl) Ie: do you really need
>ftp, telnet and pop3 open to the world (all 3 will send passwords in
>plain text over the internet) If you really need terminal access
>remotely (from outside your firewall) use SSH (preferably not allowing
>root login or passwords)
If at all possible, configure the service to not listen on your external 
network interface, or shut it down entirely. Your firewall is an extra 
layer of protection - it's much better if the underlying service just 
isn't listening. This isn't always possible of course - a caching BIND 
that hosts some zones for your LAN too comes to mind here.

>c. Ensure you have and enforce secure passwords!!!  (search through
>previous posts about John the Ripper, it will only take a few mins to
>get most unsecure passwords on a system)
I'm a big fan of ssh that only accepts RSA key based auth. Remote brute 
force is hard anyway, but this makes it essentially impossible. It also 
means that if they manage to nick your shadow password file and brute 
force it, they will get exactly nowhere in their attempt to use it to 
get a local login. If you don't store your private key on the machine, 
that leaves the attacker pretty much stumped for ssh access.

>d. Keep up to date with security bulletins and patches
Note that - critically - this is not just for your OS and web server, 
but also for any web script packages you are using. PHPBB, Drupal, 
Mambo, Zope, Plone, etc etc. You must also be very security conscious 
with anything you write yourself. Naturally the same is also true for 
any services you write, but I don't expect you'll be writing any 
programs that provide network services directly.

--
Craig Ringer
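The sshd advice in this thread (keys only, no root login, no passwords, and a daemon that does not listen on the external interface) is the sort of thing that drifts out of a config over time. The script below is an added example, not something from Craig's or Quintin's posts or from OpenSSH itself: it audits an `sshd_config` for exactly those points. It assumes OpenSSH's parsing rules as documented in sshd_config(5): keywords are case-insensitive, the first occurrence of a keyword wins, and both `Key value` and `Key=value` are accepted. Its own simplification, not OpenSSH behaviour, is that everything from the first `Match` line onward is ignored. The two config files it checks are constructed samples, not copies of any real host's config; the keyword names (`PasswordAuthentication`, `ChallengeResponseAuthentication`, `PermitRootLogin`, `PubkeyAuthentication`, `ListenAddress`) are real OpenSSH keywords.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# thread's advice: key-only logins, no root login, listen only on the LAN
# address. Assumes OpenSSH semantics: keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and "Key value" or "Key=value" are both allowed.
# Everything from the first "Match" line onward is ignored, which is this
# script's simplification, not OpenSSH behaviour.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_values FILE KEYWORD: print every value given for KEYWORD in the global
# section of FILE, in file order (empty output if the keyword never appears).
sshd_values() {
    awk -v want="$(lc "$2")" '
        /^[[:space:]]*(#|$)/ { next }        # blank lines and comments
        { sub(/=/, " ") }                    # accept Key=value as well as Key value
        tolower($1) == "match" { exit }      # stop at the first Match block
        tolower($1) == want { print $2 }
    ' "$1"
}

# sshd_value FILE KEYWORD: the effective value, i.e. the first occurrence.
sshd_value() { sshd_values "$1" "$2" | head -n 1; }

# audit_sshd_config FILE: print one line per setting that contradicts the
# advice above; return 0 if nothing was found, 1 otherwise.
audit_sshd_config() {
    file=$1; findings=0

    # Both of these default to "yes", so an unset keyword still allows passwords.
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(lc "$(sshd_value "$file" "$key")")
        if [ "${v:-yes}" != "no" ]; then
            echo "$file: $key is '${v:-unset, default yes}'; set it to 'no' so only keys are accepted"
            findings=$((findings + 1))
        fi
    done

    # Keys are only useful if pubkey auth has not been switched off.
    v=$(lc "$(sshd_value "$file" PubkeyAuthentication)")
    if [ "$v" = "no" ]; then
        echo "$file: PubkeyAuthentication is 'no'; key-based logins cannot work"
        findings=$((findings + 1))
    fi

    # The default for PermitRootLogin has changed between OpenSSH releases
    # ("yes" in old ones, "prohibit-password" now), so treat unset as a finding.
    v=$(lc "$(sshd_value "$file" PermitRootLogin)")
    if [ "$v" != "no" ]; then
        echo "$file: PermitRootLogin is '${v:-unset}'; set it to 'no'"
        findings=$((findings + 1))
    fi

    # Without ListenAddress sshd binds every interface, external ones included.
    addrs=$(sshd_values "$file" ListenAddress)
    if [ -z "$addrs" ]; then
        echo "$file: no ListenAddress; sshd listens on all interfaces"
        findings=$((findings + 1))
    else
        for a in $addrs; do
            case "$a" in
                0.0.0.0|0.0.0.0:*|::|'[::]'|'[::]:'*)
                    echo "$file: ListenAddress $a is a wildcard; use the LAN address instead"
                    findings=$((findings + 1)) ;;
            esac
        done
    fi

    [ "$findings" -eq 0 ]
}

# Two constructed sample configs (not real files from any host).
WEAK=$(mktemp); HARDENED=$(mktemp)
cat >"$WEAK" <<'EOF'
# Stock-looking config: passwords allowed by default, root may log in,
# daemon bound to every interface.
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ListenAddress 0.0.0.0
EOF
cat >"$HARDENED" <<'EOF'
Port 22
ListenAddress 192.168.1.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Appended later in a hurry. It has NO effect: sshd keeps the first
# PasswordAuthentication line above, which is why auditing with the
# daemon's own first-match rule, not just grepping, matters.
PasswordAuthentication yes
EOF

for f in "$WEAK" "$HARDENED"; do
    if audit_sshd_config "$f"; then echo "$f: OK"; fi
done
```

Run it as `sh audit.sh` and it reports four findings against the first sample and nothing against the second. The point of the trailing `PasswordAuthentication yes` in the hardened sample is the first-match rule: a line appended to the end of `sshd_config` never overrides an earlier one, so a `grep` for the keyword can show the wrong answer in both directions. On a real host, `sshd -T` prints the effective configuration and is the authoritative check; this script is for reading a config file you cannot run the daemon on.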


