[thelist] Hardening a webserver

Rosalie Sennett rsennett at brainlink.com
Sun Jan 16 20:57:57 CST 2005


Hi Scott,

Overwhelmed yet?  As many have already said, the only truly secure
application is one that sits on a box where the power cord has been removed.

While you're considering your priorities, it is best to remain as paranoid
as possible and consider that when you connect your database application to
anything that is connected to the internet it WILL be hacked. In other
words, you prepare for the worst. If it happens, you are prepared; if not,
we'll call you "Lucky Scott".

The database application is really the only thing that is truly vulnerable.
Anything else being compromised is just annoying and embarrassing.

If your knowledge and resources are limited, concentrate on understanding
how to lock down the app. The code must be as inaccessible as possible
(someone mentioned using a compiled language) and the app must be able to
verify, without a doubt where each request is coming from. Putting it behind
a firewall is not a bad idea, but often a false sense of security. 

I've had to set that up several times and sweat through the process every
time. My only solace is that I've been able to isolate the database machine
from the rest of the intranet making the open avenue a one destination stop.

In plain language... I can physically protect my child from all the ills of
the world by sheltering her with as many layers as possible, but if I
haven't equipped her with the knowledge that taking candy from strangers is
bad, she is vulnerable.

Concentrate on the app and work out from there. Set up monitors to identify
when things are not as they should be (rate and number of transactions is a
good thing to watch) so that if it is compromised you can minimize the
damage. Understand the basic patterns of attacks and plan against them.

Do the research that will help prepare you to express your needs clearly to
security consultants ('cause all the research in the world cannot make up
for professional experience) and to understand when your point is getting
across.

It's called "Safer" sex for a reason...

rose

----------------------------------------------------------------
"All my life I've wanted to be somebody; I see now I should have been more
specific."
 - Lily Tomlin
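The monitoring Rose recommends above (watch the rate and number of transactions so a compromise shows up quickly) as an added example; this is not code from anyone in the thread. It assumes a constructed log line format of "timestamp client method path status", a fixed one-minute window, and a burst threshold of four times the median per-minute count (never lower than five); the log lines, client addresses and threshold are all constructed for the demonstration.

```python
"""Flag minutes whose transaction volume is out of line with the rest of the log.

Constructed example: the log format, addresses and thresholds are assumptions,
not anything from the original mailing-list thread.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed "normal" traffic: one to two orders per minute from a few clients.
BASELINE_LINES = [
    "2005-01-16T20:00:03 10.0.1.12 POST /order 200",
    "2005-01-16T20:00:41 10.0.1.15 POST /order 200",
    "2005-01-16T20:01:10 10.0.1.12 POST /order 200",
    "2005-01-16T20:01:55 10.0.1.20 POST /order 200",
    "2005-01-16T20:02:07 10.0.1.15 POST /order 200",
    "2005-01-16T20:02:48 10.0.1.12 POST /order 200",
    "2005-01-16T20:03:30 10.0.1.20 POST /order 200",
    "2005-01-16T20:04:12 10.0.1.15 POST /order 200",
    "2005-01-16T20:04:50 10.0.1.12 POST /order 200",
]

# Constructed burst: 15 requests in one minute from a single client, with
# every second request failing (a script hammering the order endpoint).
BURST_LINES = [
    f"2005-01-16T20:05:{sec:02d} 10.0.1.99 POST /order {200 if i % 2 == 0 else 500}"
    for i, sec in enumerate(range(0, 60, 4))
]


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, client, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, LOG_FORMAT),
        "client": client,
        "method": method,
        "path": path,
        "status": int(status),
    }


def bucket_by_minute(events):
    """Group parsed events by the minute they fall in, oldest minute first."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev["ts"].replace(second=0)].append(ev)
    return dict(sorted(buckets.items()))


def flag_bursts(buckets, factor=4, floor=5):
    """Return details for every minute whose count exceeds max(floor, factor * median).

    The median of all minutes is the baseline, so a single burst cannot drag
    the baseline up the way a mean would. For each flagged minute we also
    report the busiest client and the share of error responses, which is what
    an operator needs to decide whether to block a source or pull the plug.
    """
    counts = [len(evs) for evs in buckets.values()]
    threshold = max(floor, factor * median(counts))
    flagged = []
    for minute, evs in buckets.items():
        n = len(evs)
        if n <= threshold:
            continue
        top_client, top_n = Counter(e["client"] for e in evs).most_common(1)[0]
        errors = sum(1 for e in evs if e["status"] >= 400)
        flagged.append({
            "minute": minute,
            "count": n,
            "threshold": threshold,
            "top_client": top_client,
            "top_client_share": top_n / n,
            "error_ratio": errors / n,
        })
    return flagged


def analyse(lines, **kwargs):
    """Parse raw lines and return the flagged minutes."""
    return flag_bursts(bucket_by_minute(parse_line(line) for line in lines), **kwargs)


if __name__ == "__main__":
    for f in analyse(BASELINE_LINES + BURST_LINES):
        print(f"{f['minute']:%H:%M}: {f['count']} transactions (threshold {f['threshold']:.0f}), "
              f"{f['top_client']} sent {f['top_client_share']:.0%}, "
              f"error ratio {f['error_ratio']:.0%}")
```

Run against real access or application logs the same way: the parser is the only part tied to the constructed format, and a real deployment would compute the baseline from a longer history rather than from the same window it is judging.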

> -----Original Message-----
> From: thelist-bounces at lists.evolt.org [mailto:thelist-
> bounces at lists.evolt.org] On Behalf Of chris hardy
> Sent: Sunday, January 16, 2005 5:48 PM
> To: thelist at lists.evolt.org
> Subject: RE: [thelist] Hardening a webserver
> 
> Hi Scott,
> As others have hinted, hardening a server is only part of an overall
> security plan. If you really need excellent security, you'll probably be
> better off hiring a security firm.
> 
> When looking for books and articles, you might need to break it down into
> several categories: Physical security, Network security, webserver security,
> Application security, Database security, group policies, data encryption,
> etc.
> 
> There isn't really any 1 resource for security issues because the choices
> you make have to be based upon exactly what you need the server to do and
> what it needs to protect.
> 
> Application-wise, you may want to look at using a compiled language (java,
> c#, etc) and you definitely should consider a database that supports stored
> procedures and triggers (oracle, postgres).
> 
> For books, you might be interested in apache security
> http://tinyurl.com/5vclk
> and Essential System Administration http://tinyurl.com/7ys8d
> There are a number of books on Linux security. I like Essential System
> Administration because it emphasizes concepts that can be applied to any
> operating system.
> 
> SELinux is a US gov. funded project to explore building a secure operating
> system. I believe the NSA/CIA uses it in a production environment
> http://www.nsa.gov/selinux/
> 
> Even if you don't plan to use Gentoo, the gentoo system administration
> documentation provides a decent introduction to security
> http://www.gentoo.org/doc/en/gentoo-security.xml
> 
> Linux Security HowTo at the Linux Documentation Project
> http://www.tldp.org/HOWTO/Security-HOWTO/
> 
> Apache has some security tips http://tinyurl.com/5l28l
> Linux Exposed article on basic hardening. http://tinyurl.com/3mpu9
> W3C has a web security FAQ http://www.w3.org/Security/Faq/
> Open Web Application Security Project http://www.owasp.org/index.jsp
> 
> 
> hth
> -chris
> http://www.semioticpixels.com/
> 
> --
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !
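Chris's suggestion of a database with stored procedures is, at bottom, about keeping untrusted input out of the SQL text the server parses. The same protection comes from parameterized queries where stored procedures are not available. The following is an added example, not code from either poster: it uses Python's standard sqlite3 module with a constructed users table and a constructed attack string, and shows the string-concatenation lookup beside its parameterized replacement.

```python
"""Vulnerable string-built SQL beside a parameterized query, on a constructed table.

Added example using the standard sqlite3 module; the table, rows and attack
string are constructed for the demonstration and are not from the thread.
"""
import sqlite3


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash) VALUES (?, ?)",
        [("scott", "hash-1"), ("rose", "hash-2"), ("chris", "hash-3")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately insecure: the caller's string becomes part of the SQL text,
    so quote characters in it change the meaning of the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened: the SQL text is fixed and the value travels as a bound
    parameter, so it can only ever be compared, never parsed."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    ]


# Constructed attack string: closes the quoted literal and appends a tautology.
ATTACK = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input: ", lookup_vulnerable(db, "scott"))
    print("vulnerable, attack input: ", lookup_vulnerable(db, ATTACK))
    print("parameterized, attack input:", lookup_parameterized(db, ATTACK))
```

With the attack string the vulnerable lookup returns every user, because the query has become `WHERE name = 'x' OR '1'='1'`; the parameterized version returns nothing, because it is looking for a user whose name literally contains the quote characters. A stored procedure that takes the name as an argument gives the same guarantee on the server side, which is the practical reason for Chris's recommendation.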