Protecting a Web server from external attack
How can we protect our Web server from external attack?
There are a number of things you can do to protect yourself
against external attacks.
First, the Web server should have only those services running
that are absolutely needed.
Second, the operating system and applications should all have the most
recent security patches installed. The OS should be "hardened"
as much as possible. A paper that is OpenBSD centric, but
has some application to hardening all operating systems can
be found at http://geodsoft.com/howto/harden/hardintro.htm
Third, it should sit behind a firewall that only allows those ports
needed for operation. For example, if it is purely a Web server
that does not need any access from the outside other than via
http and https, then only ports 80 and 443 need to be open. However,
if you are running a Web hosting company, your clients need to
be able to upload files and more. So you'll probably need to
enable the ports for FTP and Telnet. If you are combining this
with e-mail services, you'll need to open the ports for POP and SMTP,
or whatever protocols you use for mail.
Fourth, all form input should be validated by the script that handles
the form. Buffer overflows are a favorite type of attack. A good reference
for CGI script security is located at
Fifth, make use of audit logs. Use TCP_Wrapers where you can.
Sixth, make regular backups. Even the best security planning is
not perfect. Someone still might find a way to break in. And even if there
is no security break-in, you might lose a hard drive. So, you still
want to have regular backups.
Essentially, you want to do everything you can think of to improve
the security of the machine. You can do some Web searches for
security information on your particular combination of OS and Web
server application and find lots of good advice on the best things
to do to make the server as secure as possible.
This was first published in August 2001