Re: What security to use on web server



On Tue, Dec 09, 2008 at 06:29:31AM -0500, Hal Burgiss wrote:
On Tue, Dec 09, 2008 at 11:52:58AM +0100, Emil wrote:

What security packages, configs, etc. do you install and use on your web
servers? I've messed around a bit in bastille (have found it a bit hard

There are a lot of ways to go with this depending on how the server
will be used. So a few questions:

- How many users other than you need access to the server?
- Do any of the users (including you) need remote access? From more
than one location?
- What software will the server be serving, and who is supplying it?
How reliable are the code authors?
- What supplemental functionality will be required (eg do you need a
sql server, mail server)?
- Will you be handling sensitive data like bank account numbers or
credit cards?
- High profile or low profile sites?

My experience is that a minimalist Ubuntu *server* installation is
fairly secure out of the box. The defaults for Apache, mysql, sshd,
postfix and php are pretty sane.

The most immediate cause of intrusion type problems is things like
weak passwords. And poorly written php code that is easily exploitable,
either allowing direct system access or via sql injection techniques.
Then if someone gets in, you are dependent on how secure the local
system is, underneath the server layers. So it gets down to stuff that
the user inadvertently does that opens up most systems. If you can have
just one user with strong passwords, that does not need any remote
access (or narrowly firewalled ssh access), then all you need open
is Apache, and that eliminates a bunch of potential weaknesses really
easily.

Your enemy for low profile sites is the unattended probing of scripted
attacks that are looking for known weaknesses. The biggest thing I see
aimed at Apache is attempts at spam injections into blogs or dynamic
content. Often these are hidden html snippets placed specifically to
affect google page rank. Nuisance stuff. They don't even want system
level access.

Higher profile sites surely attract more targeted type attacks. People
like banks have more to worry about than just the blind, scripted
stuff.

--
Hal


--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
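A concrete instance of the "only Apache open, ssh narrowly firewalled" setup described in the reply above, as an added example that is not from the original thread: a POSIX shell script that generates a default-deny iptables ruleset for an Ubuntu server and applies it only when asked. The admin network 203.0.113.0/24 and the script name are assumptions.

```shell
#!/bin/sh
# Default-deny IPv4 host firewall for a single-purpose Apache box:
# HTTP/HTTPS open to the world, ssh only from one admin network, rest dropped.
# Added example; 203.0.113.0/24 (TEST-NET-3) is a constructed placeholder.
set -eu

# gen_rules ADMIN_CIDR -> prints an iptables-restore ruleset to stdout
gen_rules() {
    admin_cidr=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that are not a valid start of a new connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Apache is the only service reachable from anywhere
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# ssh only from the admin network, rate-limited to blunt password guessing
-A INPUT -p tcp --dport 22 -s $admin_cidr -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# Ping helps diagnosis; everything else is logged (rate-limited) then dropped by policy
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# count_open_ports RULESET -> number of TCP ports accepted from any source
# (a sanity check before applying: for this host it must be exactly 2)
count_open_ports() {
    printf '%s\n' "$1" | grep -- '--dport' | grep -v -- ' -s ' | grep -c ACCEPT
}

# Usage: sh firewall.sh 203.0.113.0/24           (print the ruleset)
#        sudo sh firewall.sh 203.0.113.0/24 --apply   (load it with iptables-restore)
if [ "${1:-}" ]; then
    rules=$(gen_rules "$1")
    if [ "${2:-}" = "--apply" ]; then
        printf '%s\n' "$rules" | iptables-restore   # needs root; persist with your distro's save mechanism
    else
        printf '%s\n' "$rules"
    fi
fi
```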


