Ask The Security Expert: Questions & Answers

Protecting a Web server from external attack

EXPERT RESPONSE FROM: Stephen Mencik

QUESTION POSED ON: 29 August 2001
How can we protect our Web server from external attack?


There are a number of things you can do to protect yourself against external attacks.

First, the Web server should have only those services running that are absolutely needed.

Second, the operating system and applications should all have the most recent security patches installed. The OS should be "hardened" as much as possible. A paper that is OpenBSD-centric, but has some application to hardening all operating systems, can be found at http://geodsoft.com/howto/harden/hardintro.htm.

Third, it should sit behind a firewall that only allows those ports needed for operation. For example, if it is purely a Web server that does not need any access from the outside other than via http and https, then only ports 80 and 443 need to be open. However, if you are running a Web hosting company, your clients need to be able to upload files and more. So you'll probably need to enable the ports for FTP and Telnet. If you are combining this with e-mail services, you'll need to open the ports for POP and SMTP, or whatever protocols you use for mail.

Fourth, all form input should be validated by the script that handles the form. Buffer overflows are a favorite type of attack. A good reference for CGI script security is located at http://www.w3.org/Security/Faq/wwwsf4.html.

Fifth, make use of audit logs. Use TCP_Wrappers where you can.

Sixth, make regular backups. Even the best security planning is not perfect. Someone still might find a way to break in. And even if there is no security break-in, you might lose a hard drive. So, you still want to have regular backups.

Essentially, you want to do everything you can think of to improve the security of the machine. You can do some Web searches for security information on your particular combination of OS and Web server application and find lots of good advice on the best things to do to make the server as secure as possible.
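
An added example for the fourth point above (not part of the original answer): a C routine for a CGI handler that copies one form field into a fixed buffer only if it decodes cleanly, fits, and passes an allowlist. The function name `form_field`, the allowlist policy and the sample query string are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {              /* value of a hex digit, or -1 */
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Allowlist for a login-name style field (policy assumed for this example). */
static int allowed(int c) { return isalnum(c) || c == '_' || c == '-' || c == '.'; }

/* Copy the URL-decoded value of form field `name` from `query` into
 * out[outlen]. Returns its length, or -1 if the field is missing, empty,
 * too long for the buffer, badly encoded, or has a character off the list. */
int form_field(const char *query, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name), n = 0;
    const char *p = query;
    if (outlen == 0) return -1;
    while (p && *p && !(strncmp(p, name, nlen) == 0 && p[nlen] == '=')) {
        p = strchr(p, '&');             /* skip to the next name=value pair */
        if (p) p++;
    }
    if (!p || !*p) goto reject;
    for (p += nlen + 1; *p && *p != '&'; p++) {
        int c = (unsigned char)*p;
        if (c == '+') c = ' ';
        else if (c == '%') {            /* %XX: both hex digits must be present */
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) goto reject;
            c = hi * 16 + lo;
            p += 2;
        }
        if (!allowed(c) || n + 1 >= outlen) goto reject;  /* 1 slot kept for NUL */
        out[n++] = (char)c;
    }
    if (n == 0) goto reject;
    out[n] = '\0';
    return (int)n;
reject:
    out[0] = '\0';
    return -1;
}

int main(void) {
    char user[16];                      /* constructed sample query string */
    printf("%d %s\n", form_field("lang=en&user=bob%2Esmith", "user", user, sizeof user), user);
    return 0;
}
```

The allowlist is applied to the decoded byte, so an encoded `%3B` or `%00` is rejected the same way as the literal character would be.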


All Rights Reserved, Copyright 2003 - 2009, TechTarget