What security to use on web server

Hal Burgiss hal at burgiss.net
Tue Dec 9 21:13:54 UTC 2008


On Tue, Dec 09, 2008 at 06:29:31AM -0500, Hal Burgiss wrote:
> On Tue, Dec 09, 2008 at 11:52:58AM +0100, Emil wrote:
> > 
> > What security packages, configs, etc. do you install and use on your web
> > servers? I've messed around a bit in bastille (have found it a bit hard

There is a lot of ways to go with this depending on how the server
will be used. So a few questions:

 - How many users other than you need access to the server?
 - Do any of the users (including you) need remote access? From more
   than one location?
 - What software will the server be serving, and who is supplying it?
   How reliable are the code authors?
 - What supplemental functionality will be required (eg do you need a
   sql server, mail server)?
 - Will you be handling sensitive data like bank account numbers or
   credit cards?
 - High profile or low profile sites?

My experience is that a minimalist Ubunutu *server* installation is
fairly secure out of the box. The defaults for Apache, mysql, sshd,
postfix and php are pretty sane. 

The most immediate cause of intrusion type problems is things like
weak passwords. And poorly written php code that is easily expoitable,
either allowing direct system access or via sql injection techniques.
Then if someone gets in, you are dependent on how secure the local
system is, underneath the server layers. So it gets down to stuff that
the user inadvertantly does that opens up most systems. If you can have
just one user with strong passwords, that does not need any remote
access (or narrowly firewalled ssh access), then all you need open
is Apache, and that eliminates a bunch of potential weaknesses really
easily. 

Your enemy for low profile sites is the unattended probing of scripted
attacks that are looking for known weaknesses. The biggest thing I see
aimed at Apache is attempts at spam injections into blogs or dynamic
content. Often these are hidden html snippest placed specifically to
effect google page rank. Nuisance stuff. They don't even want system
level access.

Higher profile sites surely attract more targeted type attacks. People
like banks have more to worry about than just the blind, scripted
stuff. 

-- 
Hal





More information about the ubuntu-users mailing list