Securing my web server
I have just installed a web server on my computer. I am running Windows 98 SE on a 133 MHz Pentium processor with 32 MB SDRAM.
I originally was going to use it for local CGI testing so that I could reduce the load on my free web host, who was kind enough to give me CGI access ( www.netfirms.com ). So I downloaded a few web servers and experimented. I tried Apache, Simple Server, Windows httpd, WebSite and a few others.
I have found one that does what I want it to do, has security restrictions and works nicely, called KF Web Server, free at www.keyfocus.net.
I have installed the latest version of Snort for Win32 with the latest rule set. I also have Kerio Personal Firewall configured for maximum security (latest version). As well, I use AVG antivirus and update every morning at 7 AM. And I have Taumon, which monitors and scans my computer for trojans.
However I am no security expert and I have a few questions.
Besides what I have already mentioned and keeping up to date with security patches from Microsoft, are there other things I should do to ensure the security of my computer now that I have opened it up to the entire world on port 80?
I am becoming nervous already; today I have had about 10 popups from my firewall asking me if someone can connect to port 80. Some of these people I knew and others I don't. I have not yet set any firewall rules to restrict access to my port. As well, there are no rules set to allow access to port 80, so any time someone wants to connect I must click Permit.
I know other common ports are 8080 and 8088, which I am considering. I am even considering just using the server for local access, blocking all other connections, and remapping the port to an uncommon number such as 6758.
Can someone help educate me a bit more about security and what I should look out for... etcetera.
I am a newbie.
Nah, don't worry about it, dude. I can think of some ways to make it harder for people to deface that website of yours, but don't worry about them hacking your computer. Wanna know the best thing to do? It will take money, but if you are a serious webmaster and you don't want to get defaced or hacked, get a Mac OS box with no telnet program and running no other programs (besides maybe a firewall and lots of patches), and if they hacked that, man, they are pretty good...
Thanks. However, I have been made aware of a few exploits for software I am currently using, such as my firewall, which allows a SYN overflow to hang my computer if enough SYN packets are sent, and a few CGI script exploits with previous versions of my web server software.
I think currently I am not so worried about web site defacement, but about DoS attacks and people trying to view my files, delete files, and upload things.
Are you using this computer for other things besides a web server? If you are... that's dumb. If you're not, just back up your files and live and learn.
I have a similar setup:
I used to run a small website on Windows ME, connected to a DSL line. But I got a little more interested in security, and I bought a NAT router and a dedicated server off of eBay, and installed Linux on it. At least that lets me sleep OK at night, lol, and even if it's not more secure than the first option, it still gives me a sense of security, and that's really all it's about.
I'm actually very paranoid when it comes to that. I have all my sensitive files encrypted with Maxcrypt, a great encryption program. I'd say if you have a few bucks, at least make the server a different computer than your main one, and, well, if you have more money, get a NAT router and share the DSL connection or whatever you're leasing. Like I said, it lets me sleep at night.
Unfortunately this is my only computer and I do everything on it. When I get some money I will try to make a new computer.
I learned a while ago that hackers purposely try to access pages that don't exist so they can get the error 404 and see what server I am running at the bottom. To fix this I read the FAQ for my server software and learned how I can customize my error 404 page. I found a web site, generated the error 404, and looked at their setup. They were running Apache, so I edited my 404 error message to look exactly like the one from an Apache web server. I am not sure if this was a good idea, but I hope that now people will not know what I am running and be less likely to find an exploit.
I just checked the headers returned from my server; I used the log window that comes with Proxomitron. Where it tells you the server, it says Apache/2.0.43, which, when I checked the Apache web site, is the current version for Windows. Hopefully this will trick some black hats.
Perhaps some day I will have the money to buy a new computer and perhaps a router.
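The reconnaissance described in the post above (requests for pages that do not exist, made to read the 404 page) also leaves a trail in the server's own access log: one client producing a burst of 404s for unrelated paths. The following Python script is an added example, not part of the original thread and not code from KF Web Server or any poster. It assumes Common Log Format lines (check the format your server actually writes), and the log lines, client addresses and probed paths in it are constructed for the example.

```python
"""
Spotting 404 reconnaissance in a web server access log.

Added example for this thread (not code from any poster or web server
project). Attackers who request non-existent pages to read the 404 page
show up as one client producing many 404s for unrelated paths in a short
time. This parses Common Log Format lines (an assumption; check your
server's log format) and flags clients whose 404 count inside a sliding
time window reaches a threshold. The sample lines below are constructed,
using documentation IP ranges; the paths are CGI-scanner style guesses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_404_probers(lines: Iterable[str], threshold: int = 5,
                     window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Return clients that produced >= threshold 404s inside any one window.
    Each alert carries the peak window count and every path that client missed."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)

    alerts: Dict[str, dict] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        # Sliding window over the sorted 404 timestamps of this client.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "count": peak,
                "paths": sorted({r["path"] for r in recs}),
                "first": recs[0]["ts"].isoformat(),
                "last": recs[-1]["ts"].isoformat(),
            }
    return alerts


# Constructed sample log (not from a real server).
SAMPLE_LOG = [
    # an ordinary visitor: real pages plus one missing favicon
    '198.51.100.20 - - [01/Feb/2003:07:00:01 -0500] "GET / HTTP/1.1" 200 1043',
    '198.51.100.20 - - [01/Feb/2003:07:00:02 -0500] "GET /favicon.ico HTTP/1.1" 404 209',
    '198.51.100.20 - - [01/Feb/2003:07:00:09 -0500] "GET /cgi-bin/guestbook.pl HTTP/1.1" 200 2310',
    # a scanner walking a wordlist of paths that do not exist on this host
    '203.0.113.7 - - [01/Feb/2003:07:03:10 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209',
    '203.0.113.7 - - [01/Feb/2003:07:03:12 -0500] "GET /cgi-bin/phf HTTP/1.0" 404 209',
    '203.0.113.7 - - [01/Feb/2003:07:03:14 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 209',
    '203.0.113.7 - - [01/Feb/2003:07:03:16 -0500] "GET /admin/ HTTP/1.0" 404 209',
    '203.0.113.7 - - [01/Feb/2003:07:03:18 -0500] "GET /scripts/ HTTP/1.0" 404 209',
    '203.0.113.7 - - [01/Feb/2003:07:03:20 -0500] "HEAD /doesnotexist.html HTTP/1.0" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, alert in find_404_probers(SAMPLE_LOG).items():
        print(ip, alert)
```

The threshold and window are deliberately loose defaults; a single 404 from a visitor with a missing favicon is normal, six misses on guessed CGI paths within ten seconds is not. Run it against the real log and tune the numbers before feeding the result into a firewall rule.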
Well, first off, you can get cheap (new) wholesale computer products from www.tigerdirect.com. They are an excellent company.
Secondly, there are other ways for a hacker to find out what kind of server you're running, and what you did was hardly worth the time and effort.
Every website you go to sends HTTP headers to and from the browser. One of these headers is the Server header and looks like this:
Server: Apache/1.3.26 (Trustix Secure Linux/Linux) mod_perl/1.26
So, from this the attacker can see not only the server program you're running, but in some cases your operating system and any extra modules you installed (in my case, mod_perl). Using a special program, or even the telnet program built into Windows, they can view what kind of server you're running. So it's really hardly worth the time.
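The reply above says the Server header is visible to anyone who can speak HTTP, telnet included. As an added example that is not part of the original thread and not code from any poster or server project, the following Python script does that banner grab over a raw socket, and also shows why rewriting the Server header and copying another server's 404 page does not hide the real software: the protocol version on the status line, and the set, order and capitalisation of the headers, are compared by fingerprinting tools too. The two sample responses are constructed for the example (the `Apache/2.0.43` string is the one the original poster reported) and are not real output from any named server.

```python
"""
Banner grabbing and fingerprinting a web server from its HTTP responses.

Added example for this thread (not code from any poster or web server
project). Reads the advertised Server header the way telnet would, then
extracts cues that survive a rewritten Server header and a copied 404
page: status-line protocol version and header names in the order and
capitalisation the server sent them. The sample responses below are
constructed and are not genuine output of any named server.
"""
import hashlib
import socket
from typing import Dict, List, Optional, Tuple


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request. Asking for a path that does not exist
    returns the server's own 404 page, the trick described in the thread."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def grab_banner(host: str, port: int = 80, path: str = "/nothere",
                timeout: float = 5.0) -> bytes:
    """Send one request and return the raw response bytes.
    Needs network access; the offline demo below does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP response into status line, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def server_header(raw: bytes) -> Optional[str]:
    """The advertised Server value, i.e. the banner the thread talks about."""
    for name, value in parse_response(raw)[1]:
        if name.lower() == "server":
            return value
    return None


def fingerprint(raw: bytes) -> Dict[str, object]:
    """Cues a scanner compares besides the Server string."""
    status, headers, body = parse_response(raw)
    return {
        "status_line": status,
        "server": server_header(raw),
        # header names exactly as sent: order and capitalisation both count
        "header_order": [name for name, _ in headers],
        "error_page_digest": hashlib.sha256(body).hexdigest()[:16],
    }


def same_implementation(raw_a: bytes, raw_b: bytes) -> bool:
    """Judge two responses on protocol version and header order, ignoring
    the Server header, which is trivially editable."""
    status_a, headers_a, _ = parse_response(raw_a)
    status_b, headers_b, _ = parse_response(raw_b)
    return (status_a.split(" ")[0] == status_b.split(" ")[0]
            and [n for n, _ in headers_a] == [n for n, _ in headers_b])


# Constructed: the shape of an unmodified 404 from the advertised server.
SAMPLE_GENUINE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sat, 01 Feb 2003 12:00:00 GMT\r\n"
    b"Server: Apache/2.0.43 (Win32)\r\n"
    b"Content-Length: 18\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<h1>Not Found</h1>"
)

# Constructed: a different server whose Server header and 404 body were
# edited to match the one above, as the original poster did.
SAMPLE_DISGUISED = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Server: Apache/2.0.43 (Win32)\r\n"
    b"Content-type: text/html\r\n"
    b"Content-length: 18\r\n"
    b"\r\n"
    b"<h1>Not Found</h1>"
)

if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_GENUINE), ("disguised", SAMPLE_DISGUISED)):
        print(label, fingerprint(raw))
    print("same implementation?", same_implementation(SAMPLE_GENUINE, SAMPLE_DISGUISED))
```

Both samples report the same Server value and an identical error-page digest, yet `same_implementation` returns False because the protocol version and header layout differ. That is the point of the reply: the banner is only the first and weakest of several tells.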
Instead of purchasing a router, you can make an inexpensive one yourself from an old 80486 or even 80386 with a little Linux program called FreeSCO, available from www.freesco.org.
You can use this as a router between your ISP and your local network; it does NAT and is a stateful packet firewall for your network. Then you open only the port you are running a web server on; this will reduce some risks. However, as said above, it's a very bad idea to run a web server from your main computer. FreeSCO has an inbuilt web server; you can use that one instead of your Windows stuff. However, when using FreeSCO with the web server enabled you will need a better PC to guarantee service :(
Thank you everyone for the info. I have an old 286, but it is really old and does not have a modem. As for the HTTP headers, when I fixed my error 404 I also found a setting in my server that allows me to change the HTTP header information too :)
I have tested this with telnet and with Proxomitron ( www.proxomitron.cjb.net ).
On the web site for my server they list the different versions and the bug fixes; they have fixed a couple of exploits that were reported to them. I did a web search for exploits and all the exploits I found were for older versions. But this means I can't be lazy anymore; I will have to constantly update.
However, I have recently heard there was a version of Sendmail released with a trojan; I have no idea if this was true. But it just shows me that even if you trust the download source, you can never be too sure. When I downloaded this software, it did some sort of package verification before it installed, if I remember correctly.
But other than the HTTP headers that are returned and the error pages, are there any other ways of finding out what server software I have?
And if I were to get DoSed, could this damage my computer?
I would suggest that you regularly run a vulnerability scanner against the box; get hold of a copy of Nessus and run that. There are an ever-growing number of CGI scanners out there which you could run as well. Do this regularly to find any obvious holes you have. Be aware that Snort can be defeated in a number of ways; it's still useful but not the answer to everything.
As for making use of some kind of router, I'd suggest throwing up a copy of OpenBSD acting as a firewall. The OS is free, and for the most part secure. In fact you could move your entire site to OpenBSD and have a lot safer setup. Use the one machine you have, get rid of Win 95 and stick OpenBSD on there. OpenBSD is a little trickier to use if you have only been exposed to Windows, as there is no GUI, so if that concerns you get a copy of "Building Linux and OpenBSD Firewalls" by Wes Sonnenreich and Tom Yates. If you have a DSL line and purchase one of the DSL routers that are available, be aware that they all seem to run TFTP, which can be accessed by attackers and your config retrieved. If you have a bit of cash, get hold of an S-box, which is a FireWall-1 based appliance for small office use.
If you get DoS'd there are a couple of things that might happen. First and most obviously, your system will go down and you'll need to reboot it. Second, it could be the result of a buffer overflow attack being executed against the box, which means some malicious code may have been introduced.
You are not going to be able to stop an attacker finding out what web server you are running; there are numerous ways and blocking them all is not really a viable option. Instead focus on getting a secure setup in place, keep up to date on patches, keep Snort up to date, use a decent firewall, and you should be safe from all but the most determined attackers.