[thelist] Hardening a webserver

chris hardy lists at semioticpixels.com
Sun Jan 16 16:47:52 CST 2005


Hi Scott,
As others have hinted, hardening a server is only part of an overall
security plan. If you really need excellent security, you'll probably be
better off hiring a security firm.

When looking for books and articles, you might need to break it down into
several categories: Physical security, Network security, webserver security,
Application security, Database security, group policies, data encryption,
etc. 

There isn't really any 1 resource for security issues because the choices
you make have to be based upon exactly what you need the server to do and
what it needs to protect. 

Application-wise, you may want to look at using a compiled language (java,
c#, etc) and you definitely should consider a database that supports stored
procedures and triggers (oracle, postgres).

For books, you might be interested in apache security
http://tinyurl.com/5vclk
and Essential System Administration http://tinyurl.com/7ys8d
There are a number of books on Linux security. I like Essential System
Administration because it emphasizes concepts that can be applied to any
operating system. 

SELinux is a US gov. funded project to explore building a secure operating
system. I believe the NSA/CIA uses it in a production environment
http://www.nsa.gov/selinux/

Even if you don't plan to use Gentoo, the Gentoo system administration
documentation provides a decent introduction to security
http://www.gentoo.org/doc/en/gentoo-security.xml 

Linux Security HowTo at the Linux Documentation Project
http://www.tldp.org/HOWTO/Security-HOWTO/

Apache has some security tips http://tinyurl.com/5l28l
Linux Exposed article on basic hardening. http://tinyurl.com/3mpu9
W3C has a web security FAQ http://www.w3.org/Security/Faq/
Open Web Application Security Project http://www.owasp.org/index.jsp


hth
-chris
http://www.semioticpixels.com/
