Test the Configuration
Obtain nmap (http://www.insecure.org) and nessus (http://www.nessus.org)to test the system. Nmap is a utility for network exploration or security auditing. It supports many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Nessus is a powerful, up-to-date and easy to use remote security scanner which will audit remotely a given network and determine whether bad guys may break into it, or misuse it in some way.
Regular Maintenance
It would be nice if all there were to putting up a Web services host were unpacking it and turning it on. Such is not the case. Regular periodic maintenance of the Web services host is required just like our cars and our teeth.
Keep Abreast of Security Advisories
Sun (http://sunsolve.sun.com/sunsolve/securitypub.html)
CERT (http://www.cert.org/)
CIAC (http://ciac.llnl.gov/)
ASSIST (http://www.assist.mil/)
COAST (http://www.cs.purdue.edu/coast/)
Keep Up-To-Date With Patches
Check the Sunsolve site (http://sunsolve.sun.com) for the most current recommended patch cluster that applies.
Check For Dormant Accounts
Check the system for dormant accounts and disable any that have not been used for a specified period (e.g., 3 months).
Physical Security
Locate the system in a controlled area (locks, limited access).
Backups
Develop a process and a procedure for backups, including retention policies. Store backups in secure area, equivalent to level of system being backed up. Develop processes and procedures for restoration from backups. Good backups can be used not only for quickly restoring a server to a known state but can also be used in forensic analysis.
Testing
The bad guys are going to probe the Web services host for vulnerabilities. It only makes sense to do the same thing and beat them to the punch.
Audit the server periodically using nmap, nessus, COPS, SATAN, NetSAINT, an others.
Log File Analysis and Review
Review the syslogs such as /var/adm/syslog and /var/adm/messages at least once a week. Make sure this is someone's assigned task.
Incident Handling
The best time to plan for an incident is before it happens. An excellent source of information on incident handling is Incident Handling by Kenneth R. van Wyk, Richard Forno from O'Reilly and Associates.
Web Server Security
A secure web services platform is no more secure than the services that run on it. Thus the web server software must be secured as well. Regardless of the software, Apache, iPlanet, Zeus, or others, there are things that can be done to secure the web serving software.
- Make backup copies of the server configuration files.
- Disable automatic directory listings. This will prevent the bad guys from perusing the directory structure to find files to exploit or corrupt.
- Disable symbolic links. This will prevent someone from establishing files outside the root directory of the server.
- Configure server auditing. These logs are useful for post-processing. Analyze web server logs with a tool such as webalizer (http://www.webalizer.org). Webalizer is a fast web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser. Webalizer report will aid in establishing usage patterns and may be useful finding attempts by bad guys to exploit the Web services host. It also produces excellent usage reports for upper management.
- Configure access control and authentication for sensitive information.
- Disable the exec form of server side includes. If bad guys manage substitute a Trojan-ized program to the server, this will prevent its execution when invoked.
- Restrict remote operations (e.g., PUT and POST).
Click here for the rest of this 12-part tip.
