WEB SECURITY ADVISOR
Protecting the Web server
Stephen Mencik
09.18.2001
Rating: -4.20- (out of 5)
Protecting the Web server
By Stephen Mencik
SearchSecurity site expert Stephen Mencik offers his advice for
securing a Web server in this Ask the Expert Q&A.
Q: How can we protect our Web server from external attack?
There are a number of things you can do to protect yourself against
external attacks.
First, the Web server should have only those services running that
are absolutely needed.
Second, the operating system and applications should all have the
most recent security patches installed. The OS should be "hardened"
as much as possible. A paper that is OpenBSD centric, but has some
application to hardening all operating systems, can be found at
http://geodsoft.com/howto/harden/hardintro.htm.
Third, it should sit behind a firewall that only allows those ports
needed for operation. For example, if it is purely a Web server that
does not need any access from the outside other than via http and
https, then only ports 80 and 443 need to be open. However, if you
are running a Web hosting company, your clients need to be able to
upload files and more. So you'll probably need to enable the ports
for FTP and Telnet. If you are combining this with e-mail services,
you'll need to open the ports for POP and SMTP, or whatever protocols
you use for mail. (For more information on ports, go to
http://searchsecurity.techtarget.com/ateQuestionNResponse/0,289625,sid14_cid407639_tax285453,00.html.)
Fourth, all form input should be validated by the script that handles
the form. Buffer overflows are a favorite type of attack. A good
reference for CGI script security is located at
http://www.w3.org/Security/Faq/wwwsf4.html.
Fifth, make use of audit logs. Use TCP Wrappers where you can.
Sixth, make regular backups. Even the best security planning is not
perfect. Someone still might find a way to break in. And even if
there is no security break-in, you might lose a hard drive. So, you
still want to have regular backups.
Essentially, you want to do everything you can think of to improve
the security of the machine. You can do some Web searches for
security information on your particular combination of OS and Web
server application and find lots of good advice on the best things to
do to make the server as secure as possible.
-------------------------------------------------------------------
Talk back! Do you have any comments on this tip? If so, share them
in our Sound Off discussion forum.
Stephen Mencik has answered dozens of Web and network related
questions from your peers. Peruse the archive of Q&As, or submit a
question of your own.
Do you have a tip for securing a Web server? Submit it to
searchSecurity and you could win a prize. While you're at it, vote on
the tips your peers have submitted.
Related Book
Administrating Web servers, security and maintenance
By Eric Larson & Brian Stephens
Publisher Name: Prentice Hall
Date published: Dec. 1999
Pages: 350
Cover Type: Soft Cover
Summary:
This book is designed to provide individuals with the core skills
needed to meet the demands of the Web development and Internet
community. This user-friendly interactive text provides competency in
three key skill areas: 1. Web Business Management, from financial
issues to project management and marketing. 2. Content Management,
including user interface, authoring languages, multimedia and
graphics. 3. Technical Management involving administration,
protocols, performance and security.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
