
Thread: Private secure webserver

  1. #1
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422

    Private secure webserver

    Ok, so I have this idea to create a private and secure webserver, however I'm not the best at securing apache. I came up with this idea, since I'm the only one (and maybe a few other people that I know personally) that's going to be using it, and I want to be able to access it from anywhere with an internet connection. So I came up with this idea that the webserver ignores any connections including pings, so it looks like a computer that's turned off. However when you ping it X times with no reply, then wait a minute (or another specified amount of time) then you can type the IP in your browser and it will serve you a web page for X hours before removing your IP from its white-list. I was just thinking how easy it is to crack and exploit something that is online, regardless of how up to date it is, and well this has no password to crack, but rather a procedure of things to do that allow your computer to connect. In my opinion, this would add a huge level of security to those that haven't been told how to correctly connect to your server. I realize that this would probably require a reprogramming of the ping command, but it would be custom security, which I think would be pretty cool. Any thoughts?
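
The procedure in post #1 (X unanswered pings, a quiet wait, then a time-limited white-list entry) written out as a state machine over constructed events. This is an added example, not code from any poster; the class, its parameter names, the default values and the sample addresses are all assumptions.

```python
class PingKnockGate:
    """Allow-list an IP after exactly `knocks` unanswered pings and a quiet wait."""

    def __init__(self, knocks=4, burst=30, wait=60, slack=30, grant=3 * 3600):
        self.knocks = knocks  # X pings that make up the knock (assumed value)
        self.burst = burst    # seconds within which all X pings must arrive
        self.wait = wait      # quiet time required after the last ping
        self.slack = slack    # how long after `wait` the door stays open
        self.grant = grant    # lifetime of the allow-list entry, in seconds
        self.pings = {}       # ip -> timestamps of the current burst
        self.allowed = {}     # ip -> expiry timestamp

    def on_ping(self, ip, now):
        """Record an echo request; the host never answers it."""
        seen = self.pings.get(ip, [])
        if seen and now - seen[0] > self.burst:
            seen = []         # previous burst is stale, start counting again
        self.pings[ip] = seen + [now]

    def on_connect(self, ip, now):
        """Return True if a TCP connection from `ip` may reach the web server."""
        expiry = self.allowed.get(ip)
        if expiry is not None:
            if now < expiry:
                return True
            del self.allowed[ip]           # grant ran out, knock again
        seen = self.pings.pop(ip, [])      # every attempt consumes the knock
        if not seen or len(seen) != self.knocks:
            return False                   # too few or too many pings
        quiet = now - seen[-1]
        if self.wait <= quiet <= self.wait + self.slack:
            self.allowed[ip] = now + self.grant
            return True
        return False


def replay(gate, events):
    """Feed constructed (time, ip, kind) events through the gate; return connect verdicts."""
    verdicts = []
    for now, ip, kind in sorted(events):
        if kind == "ping":
            gate.on_ping(ip, now)
        else:
            verdicts.append((now, ip, gate.on_connect(ip, now)))
    return verdicts
```

The knock travels in clear and is keyed only on source address, so anyone who can observe the traffic can repeat it; it works as a filter in front of authentication rather than a replacement for it.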

  2. #2
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    Why not implement something similar to the old fashioned call-back scenario used in the dial-up days?
    The user hits a URL and it returns a random string.
    The user then must contact a different URL with the random string within x amount of time to gain access for y amount of time.

    On my home Win7 servers (web, mail, ftp) I keep things simple and control most things at the router. I filter inbound IP addresses. The port numbers used for access and the forwarded IP varies according to a schedule. My D-Link router holds 24 port-schedule entries. At the server level I use a lengthy pass phrase. At one time I used secure tunnels, RSA SecurID, etc. Over the past few years I've simplified things by eliminating Windows domains, mirrored servers, TPM devices, etc. I bought the consumer grade D-Link DIR-855 because of its extensive ACL capabilities.
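
The call-back scheme from post #2 (first URL returns a random string, second URL must receive it within x to grant access for y), as an added example that is not the poster's code. The class and method names, the binding of the string to the requesting IP, single-use redemption and the default times are assumptions of this sketch.

```python
import hmac
import secrets


class CallbackGate:
    """Two-step gate: issue a random string, redeem it elsewhere within a deadline."""

    def __init__(self, redeem_within=120, grant=3600):
        self.redeem_within = redeem_within  # "x": seconds allowed between the two requests
        self.grant = grant                  # "y": seconds of access after a valid redeem
        self.pending = {}                   # ip -> (token, issued_at)
        self.allowed = {}                   # ip -> expiry timestamp

    def issue(self, ip, now):
        """Handler for the first URL: return a fresh random string for this client."""
        token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self.pending[ip] = (token, now)     # a new request replaces any older string
        return token

    def redeem(self, ip, token, now):
        """Handler for the second URL: grant access if the string is valid and fresh."""
        entry = self.pending.pop(ip, None)  # single use, even when the check fails
        if entry is None:
            return False
        expected, issued_at = entry
        if now - issued_at > self.redeem_within:
            return False
        # Constant-time comparison; bytes so that non-ASCII input cannot raise.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        self.allowed[ip] = now + self.grant
        return True

    def is_allowed(self, ip, now):
        """Check made before serving any protected content."""
        expiry = self.allowed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.allowed[ip]            # access window is over
            return False
        return True
```

The exchange shows only that one client made both requests; it does not identify a user, so a pass phrase or similar still belongs behind it.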

  3. #3
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    You're adding levels of confusion to the user, and overcomplicating the system.

    I'd rather lock down Apache and just grant broad access to the service. Use rinetd to allow Apache to run on a non-privileged port, eliminating any paths to root. Drop any unneeded modules, configure SELinux to compartmentalize Apache and PHP's access to the system, etc. Since only *trusted* users are going to be on the system, you don't have to worry about the broad security issues of a shared hosting environment. Instead, you can concentrate on mitigating web vulnerabilities.

    You can use a VPN to allow for remote service access for SSH, FTP, and anything else you need on the administrative end.
    Real security doesn't come with an installer.

  4. #4
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    Thanks for the info. Making it confusing is kind of the point, as I'll end up using it 99% of the time, and one or two other people the rest.

    Quote Originally Posted by D0pp139an93r View Post
    You can use a VPN to allow for remote service access for SSH, FTP, and anything else you need on the administrative end.
    This brings up an interesting thought. Is it a very bad idea to have SSH open to the internet? I would set the password lockout limit to 3 tries, but I guess that adds the possibility of a vulnerability. But then again, how long has it been since a serious vulnerability has been found in OpenSSH? And I don't use ftp, I usually use SCP.

    This is something I should know more about...securing webservers

  5. #5
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Quote Originally Posted by metguru View Post
    Thanks for the info. Making it confusing is kind of the point, as I'll end up using it 99% of the time, and one or two other people the rest.

    This brings up an interesting thought. Is it a very bad idea to have SSH open to the internet? I would set the password lockout limit to 3 tries, but I guess that adds the possibility of a vulnerability. But then again, how long has it been since a serious vulnerability has been found in OpenSSH? And I don't use ftp, I usually use SCP.

    This is something I should know more about...securing webservers
    It is and it isn't... It's really a question of configuration. Privileged users shouldn't be able to SSH, there needs to be a lockout function, etc.

    Other than that, the service is secure enough. I'm always cautious about paths to root. If you're just running SSH and Apache, that's one thing... but if you plan on having multiple services available, the VPN is usually safer as it allows for a smaller attack surface on the public side. It also means you have a VPN that can be used for other things.

    The most important thing is to consider the web content. If you're serving static HTML on a locked down Apache with no other services/scripting languages, there's not much to attack. It's very difficult to compromise a database that doesn't exist.
    Real security doesn't come with an installer.

  6. #6
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    Well actually I plan on serving a specific directory in my server using the apache directory viewer thing. So unless that has vulnerabilities I should be secure in that respect. In other words the webserver isn't even going to be hosting a 'website' but just a viewable directory of certain levels of my hard drive with non-sensitive data. The only services that will be available to the internet are apache and OpenSSH. I may or may not run FTP on the intranet for the sake of transfer speeds over ssh, but that shouldn't affect any security. Lastly, I am the ONLY person who will be using SSH, and the 1% of the time that others use it will just be viewing the apache directory tree. So I think it'll be pretty locked down.

  7. #7
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Yeah, you can pretty much run just the Apache core with no real issues.

    Make sure that file permissions for the data area allow only reading.
    Real security doesn't come with an installer.
