NEW web server

[elfguy]

hi guys
i have a new website. what are the thingz i need to do to keep safe enough????
help me please

[¤The¤Spe©ialist]

burp... update, backup, audit, review results, repeat?

[elfguy]

what settings do i need to change so that regular loopholes are covered

[XTC46]

update...patch...reboot....repeat.


then backups....


how can you possibly expect mor einfo than that without details...you have a website, good for you. Are you hosting it? or do you have a host? is it their server? is the server a winxp box on your bedroom floor? details.

[elfguy]

its an apache, i'm hosting it, linux

[Katja]

If you want to keep it 100% safe and secure, disconnect it from the Internet. Otherwise, accept the risk that your security might be broken one day, so you will have to keep a regular eye on that system to check for weird irregularities. Don't use automated tools to do the checking, since even those tools might get fooled by some hacker.
In other words, how paranoid do you want to be? There's always a small risk anyway. So main setting? Turn your "Common Sense" on.

[the_JinX]

The biggest trouble I've seen with a well up to date linux and apache.. is the php stuff people put on it..

Webmail (squirrelmail) and forum software (phpbb) only one version older then the latest might open you up to mass mailing or irc spamming worms..

[kr5kernel]

WHat distribution are you running? Then google web server hardening + yourdistribution.

thats a good start.

[576869746568617]

As with any server, step one is to harden the operating system and application software. Install all available patches, and disable all non-essential services. Also, make sure that the password for root is as complex as you can feasably make it. I would also recommend that the server is situated behind a firewall, but that's just plain old common sense these days.

I typically like to situate my webservers behind a seperate firewall than the one that I use for internet access, on the gateway's DMZ port. That way I can be a little more granular with the firewall rules, and not affect the useability of the corporate LAN. Also, I like to run a promiscuous mode sniffer as an IDS, like snort, on the DMZ, just to see what kind of traffic is occuring and to spot suspicious activity.

For example, If all you have is a plain jane webserver running no additional services, such as email or ftp, and you see traffic destined to your server on non-http or https ports, this could indicate an intrusion attempt. A host based IDS is a start, but a determined cracker can defeat such countermeasures (or any that are put in place for that matter...which is why we as security admins must remain dilligent).

Also, as a webserver is a publicly accessable system, the log files should be remotely stored on a syslog server for security reasons, because when the webserver is compromised, nothing that resides on that system can be trusted for anything. (I say when because it is only a matter of time before it happens...you should expect that one day, despite your determined efforts and hard work, that system will be hacked.) The Honeynet project has excellent details on how to accomplish this, among other interesting security methods.

I would also recommend visiting some other security related sites, such as Security Focus, and pick up a good book like Hacking Linux Exposed to use as a starting point.

Also, Google the topic and learn more...learn, learn, learn...never stop.

kr5kernel and Katja: great minds think alike! The majority of system security is to excercise common sense and sound judgement. Basic hardening is likewise just common sense.

Sorry for the lengthy post...security may be mostly common sense, but it is also a complex subject.