Test the Configuration
Obtain nmap (http://www.insecure.org) and nessus (http://www.nessus.org) to test the system. Nmap is a utility for network exploration or security auditing. It supports many port scanning techniques (to determine what services the hosts are offering) and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Nessus is a powerful, up-to-date and easy to use remote security scanner that remotely audits a given network and determines whether bad guys may break into it or misuse it in some way.
Regular Maintenance
It would be nice if all there were to putting up a Web services host were unpacking it and turning it on. Such is not the case. Regular periodic maintenance of the Web services host is required, just as it is for our cars and our teeth.
Keep Abreast of Security Advisories
Keep Up-To-Date With Patches
Check the Sunsolve site (http://sunsolve.sun.com) for the most current recommended patch cluster that applies.
Check For Dormant Accounts
Check the system for dormant accounts and disable any that have not been used for a specified period (e.g., 3 months).
Locate the system in a controlled area (locks, limited access).
Develop a process and a procedure for backups, including retention policies. Store backups in a secure area, equivalent to the level of the system being backed up. Develop processes and procedures for restoration from backups. Good backups can be used not only for quickly restoring a server to a known state but also in forensic analysis.
The bad guys are going to probe the Web services host for vulnerabilities. It only makes sense to do the same thing and beat them to the punch.
Audit the server periodically using nmap, nessus, COPS, SATAN, NetSAINT, and others.
Log File Analysis and Review
Review the syslogs such as /var/adm/syslog and /var/adm/messages at least once a week. Make sure this is someone's assigned task.
The best time to plan for an incident is before it happens. An excellent source of information on incident handling is Incident Handling by Kenneth R. van Wyk and Richard Forno, from O'Reilly and Associates.
Web Server Security
A secure web services platform is no more secure than the services that run on it. Thus the web server software must be secured as well. Regardless of the software, Apache, iPlanet, Zeus, or others, there are things that can be done to secure the web serving software.
- Make backup copies of the server configuration files.
- Disable automatic directory listings. This will prevent the bad guys from perusing the directory structure to find files to exploit or corrupt.
- Disable symbolic links. This will prevent someone from establishing files outside the root directory of the server.
- Configure server auditing. These logs are useful for post-processing. Analyze web server logs with a tool such as webalizer (http://www.webalizer.org). Webalizer is a fast web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser. Webalizer reports will aid in establishing usage patterns and may be useful in finding attempts by bad guys to exploit the Web services host. It also produces excellent usage reports for upper management.
- Configure access control and authentication for sensitive information.
- Disable the exec form of server side includes. If bad guys manage to substitute a Trojan-ized program on the server, this will prevent its execution when invoked.
- Restrict remote operations (e.g., PUT and POST).
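To check three of the items above (directory listings, symbolic links, and the exec form of server side includes) against a real configuration, the following added example, which is not part of the original tip, audits the Options directives in an Apache httpd configuration. It assumes Apache and its Options keywords; the function name audit_options and the sample configuration are constructed for illustration.

```python
import re

# Checklist item -> Apache Options keywords that enable the risky behaviour.
# "All" turns on every option except MultiViews, so it trips all three checks.
RISKY = {
    "directory listing enabled": {"indexes", "all"},
    "symbolic links followed": {"followsymlinks", "all"},
    "SSI exec allowed": {"includes", "all"},  # IncludesNOEXEC is the safe form
}

# Constructed sample configuration (hypothetical paths, not from the article).
SAMPLE_CONF = """\
# constructed sample
ServerRoot "/usr/local/apache"
Options None
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks Includes
</Directory>
<Directory "/var/www/hardened">
    Options -Indexes -FollowSymLinks +IncludesNOEXEC
</Directory>
<Directory "/var/www/legacy">
    Options All
</Directory>
"""

def audit_options(conf_text):
    """Return (line_no, context, finding) for each risky Options directive."""
    findings, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        if line.startswith("</"):              # closing tag: leave the section
            if stack:
                stack.pop()
            continue
        m = re.match(r"<(\w+)\s*([^>]*)>", line)
        if m:                                  # opening tag: enter the section
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        parts = line.split()
        if parts[0].lower() != "options":
            continue
        # A leading "-" disables an option; a bare or "+" keyword enables it.
        enabled = {p.lstrip("+").lower() for p in parts[1:] if not p.startswith("-")}
        context = stack[-1] if stack else "server config"
        findings += [(no, context, f) for f, kw in RISKY.items() if enabled & kw]
    return findings
```

Run `audit_options(open(path).read())` against the backup copy of the configuration file before and after hardening; an empty list means no Options line enables any of the three behaviours.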
In this 12-part tip Unix expert Gary Smith breaks down the process of building and maintaining a highly secure Web services architecture on the Solaris platform.
Table of contents:
Part 1: Isolate the Web services host server
Part 2: Install and configure a very basic operating system
Part 3: Force the use of su to gain root access
Part 4: Disable trusted host relationships and create a warning banner
Part 5: Configuring user accounts
Part 6: Disabling and removing unnecessary accounts
Part 7: Configure network access control
Part 8: Configure network services
Part 9: Install OpenSSH, disable NFS and reboot
Part 10: Set file permissions
Part 11: Test the configuration
Part 12: Conclusion
This was first published in October 2002