Tip

Solaris Web services security: Test the configuration

Test the Configuration
Obtain nmap (http://www.insecure.org) and nessus (http://www.nessus.org) to test the system. Nmap is a utility for network exploration and security auditing. It supports many port scanning techniques (to determine what services the hosts are offering) and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, SunRPC scanning, and more. Nessus is a powerful, up-to-date and easy-to-use remote security scanner that audits a given network remotely and determines whether bad guys may break into it or misuse it in some way.

Regular Maintenance
It would be nice if all there were to putting up a Web services host were unpacking it and turning it on. Such is not the case. The Web services host requires regular periodic maintenance, just like our cars and our teeth.

Keep Abreast of Security Advisories
Sun (http://sunsolve.sun.com/sunsolve/securitypub.html)
CERT (http://www.cert.org/)
CIAC (http://ciac.llnl.gov/)
ASSIST (http://www.assist.mil/)
COAST (http://www.cs.purdue.edu/coast/)

Keep Up-To-Date With Patches
Check the Sunsolve site (http://sunsolve.sun.com) for the most current recommended patch cluster that applies.

Check For Dormant Accounts
Check the system for dormant accounts and disable any that have not been used for a specified period (e.g., 3 months).
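One way to run the dormant-account check, as an added example that is not part of the original tip. It assumes the last login date of each account has already been collected into a file of `user YYYY-MM-DD` lines (a hypothetical format), and the account names, dates and the UID threshold of 100 for system accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example. All account names and dates below are constructed.

# dormant_accounts PASSWD LASTLOGIN TODAY [MAX_DAYS] [MIN_UID]
# LASTLOGIN holds "user YYYY-MM-DD" lines (assumed format, prepared beforehand).
# Prints "user age_in_days" or "user never" for every account to review.
dormant_accounts() {
    awk -v today="$3" -v max="${4:-90}" -v minuid="${5:-100}" '
    # Julian Day Number of a YYYY-MM-DD date, so plain awk needs no mktime().
    function jdn(s,    p, a, y, m) {
        split(s, p, "-")
        a = int((14 - p[2]) / 12); y = p[1] + 4800 - a; m = p[2] + 12 * a - 3
        return p[3] + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
    }
    FILENAME == ARGV[1] { last[$1] = $2; next }     # first file: last-login table
    {
        split($0, f, ":")                           # passwd fields: name:pw:uid:...
        if (f[3] + 0 < minuid) next                 # skip system accounts (assumed UID < 100)
        if (!(f[1] in last)) { print f[1], "never"; next }
        age = jdn(today) - jdn(last[f[1]])
        if (age > max) print f[1], age              # unused for longer than the cutoff
    }' "$2" "$1"
}

# Constructed sample data, written to a scratch directory.
demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
jdoe:x:1001:10:Admin:/export/home/jdoe:/bin/ksh
webadm:x:1002:10:Web admin:/export/home/webadm:/bin/ksh
oldcon:x:1003:10:Contractor:/export/home/oldcon:/bin/ksh
newhire:x:1004:10:New hire:/export/home/newhire:/bin/ksh
EOF
cat > "$demo_dir/lastlogin" <<'EOF'
root 2002-10-01
jdoe 2002-10-14
webadm 2002-06-30
oldcon 2002-03-02
EOF

# Report accounts idle for more than 90 days as of 2002-10-15.
dormant_accounts "$demo_dir/passwd" "$demo_dir/lastlogin" 2002-10-15 90
```

On Solaris, substitute nawk or /usr/xpg4/bin/awk for awk, because /usr/bin/awk does not support -v or user-defined functions.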


Physical Security
Locate the system in a controlled area (locks, limited access).

Backups
Develop a process and a procedure for backups, including retention policies. Store backups in a secure area, with protection equivalent to the level of the system being backed up. Develop processes and procedures for restoration from backups. Good backups can be used not only for quickly restoring a server to a known state but also in forensic analysis.

Testing
The bad guys are going to probe the Web services host for vulnerabilities. It only makes sense to do the same thing and beat them to the punch.

Audit the server periodically using nmap, nessus, COPS, SATAN, NetSAINT, and others.

Log File Analysis and Review
Review the syslogs such as /var/adm/syslog and /var/adm/messages at least once a week. Make sure this is someone's assigned task.

Incident Handling
The best time to plan for an incident is before it happens. An excellent source of information on incident handling is Incident Handling by Kenneth R. van Wyk and Richard Forno, from O'Reilly and Associates.

Web Server Security
A secure web services platform is no more secure than the services that run on it. Thus the web server software must be secured as well. Regardless of the software (Apache, iPlanet, Zeus, or others), there are things that can be done to secure the web serving software.
- Make backup copies of the server configuration files.
- Disable automatic directory listings. This will prevent the bad guys from perusing the directory structure to find files to exploit or corrupt.
- Disable symbolic links. This will prevent someone from establishing files outside the root directory of the server.
- Configure server auditing. These logs are useful for post-processing. Analyze web server logs with a tool such as webalizer (http://www.webalizer.org). Webalizer is a fast web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser. Webalizer reports will aid in establishing usage patterns and may be useful in finding attempts by bad guys to exploit the Web services host. They also make excellent usage reports for upper management.
- Configure access control and authentication for sensitive information.
- Disable the exec form of server side includes. If bad guys manage to substitute a Trojan-ized program on the server, this will prevent its execution when invoked.
- Restrict remote operations (e.g., PUT and POST).
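For Apache, several items in this list can be checked mechanically. The following added example (not part of the original tip) audits a configuration file for directory listings, followed symbolic links, exec-capable server side includes and the absence of any method restriction; both configuration files are constructed samples, and `audit_httpd_conf` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example. Both configuration files below are constructed samples.

# audit_httpd_conf FILE
# Prints one "line: finding" per weak setting; prints nothing if none is found.
audit_httpd_conf() {
    awk '
    /^[ \t]*#/ { next }                                   # ignore comment lines
    tolower($1) == "options" {
        for (i = 2; i <= NF; i++) {
            o = tolower($i); sub(/^\+/, "", o)            # "+Indexes" enables too
            if (o == "indexes" || o == "all")        print FNR ": directory listings enabled (" $i ")"
            if (o == "followsymlinks" || o == "all") print FNR ": symbolic links followed (" $i ")"
            if (o == "includes" || o == "all")       print FNR ": SSI exec allowed (" $i ")"
        }
    }
    tolower($1) ~ /^<limit(except)?$/ { limited = 1 }     # <Limit ...> or <LimitExcept ...>
    END { if (!limited) print "-: no <Limit>/<LimitExcept> block restricts request methods" }
    ' "$1"
}

conf_dir=$(mktemp -d) && trap 'rm -rf "$conf_dir"' EXIT

# Weak settings: listings, symlinks and full SSI on, every method accepted.
cat > "$conf_dir/weak.conf" <<'EOF'
DocumentRoot /var/apache/htdocs
<Directory /var/apache/htdocs>
    Options Indexes FollowSymLinks Includes
    AllowOverride None
</Directory>
EOF

# Corrected settings: SSI without exec, only GET and HEAD allowed.
cat > "$conf_dir/hardened.conf" <<'EOF'
DocumentRoot /var/apache/htdocs
<Directory /var/apache/htdocs>
    Options -Indexes -FollowSymLinks +IncludesNOEXEC
    AllowOverride None
    <LimitExcept GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
EOF

echo "weak.conf:";     audit_httpd_conf "$conf_dir/weak.conf"
echo "hardened.conf:"; audit_httpd_conf "$conf_dir/hardened.conf"
```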


In this 12-part tip Unix expert Gary Smith breaks down the process of building and maintaining a highly secure Web services architecture on the Solaris platform.

Table of contents:
Part 1: Isolate the Web services host server
Part 2: Install and configure a very basic operating system
Part 3: Force the use of su to gain root access
Part 4: Disable trusted host relationships and create a warning banner
Part 5: Configuring user accounts
Part 6: Disabling and removing unnecessary accounts
Part 7: Configure network access control
Part 8: Configure network services
Part 9: Install OpenSSH, disable NFS and reboot
Part 10: Set file permissions
Part 11: Test the configuration
Part 12: Conclusion

This was first published in October 2002
