[2923] in WWW Security List Archive
Re: server protection
daemon@ATHENA.MIT.EDU (Adam Shostack)
Wed Sep 11 12:47:50 1996
From: Adam Shostack <adam@homeport.org>
To: alsalqan@cerc.wvu.edu (Yahya Alsalqan)
Date: Wed, 11 Sep 1996 07:43:14 -0500 (EST)
Cc: bikkasan@ag-data.com, www-security@ns2.rutgers.edu, hobika@kodak.com
In-Reply-To: <9609101732.AA11481@cerc.wvu.edu> from "Yahya Alsalqan" at Sep 10, 96 01:32:26 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Yahya Alsalqan wrote:
| what is the easiest way to protect a web server from being compromised
| ... i.e. nobody should be able to change any page on the web server?

Turn off the disks. Then no one can change the pages.

More seriously, don't have any services other than httpd
running on the machine. This means a portscan of the machine will
only show a listener on port 80. Also, no CGIs should be allowed.
Many exploits involve CGI scripts. Lastly, run a freely available web
server so you can review the source.

Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
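
Added example, not part of the original message: a local check of the "only a listener on port 80" condition, run on the server itself rather than inferred from an outside scan. It assumes a modern Linux host where `ss -H -ltn` (iproute2) lists listening TCP sockets; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Audit listening TCP sockets against an allowlist of ports.
# Input on stdin: lines in the format printed by `ss -H -ltn`.
# Output: one line per listener whose port is not allowed:
#   <scope> <address> <port>
# scope is "loopback" for 127.0.0.0/8 and ::1 (not reachable from the
# network, but still an extra service running on the box) and
# "exposed" for everything else, including wildcard binds.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, /[ ,]+/)
        for (k = 1; k <= n; k++) ok[a[k]] = 1
    }
    $1 == "LISTEN" {
        la = $4                        # column 4 is Local Address:Port
        i = match(la, /:[0-9]+$/)      # port follows the LAST colon (IPv6-safe)
        if (i == 0) next
        port = substr(la, i + 1)
        addr = substr(la, 1, i - 1)
        if (port in ok) next
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        print scope, addr, port
    }'
}

# Constructed sample input: httpd on IPv4 and IPv6, plus three services
# that the advice above says should not be there.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 64 [::]:2049 [::]:*
EOF
}

# Demo on the constructed sample. On a live host, replace the left side
# of the pipe with:  ss -H -ltn
sample_ss_output | unexpected_listeners 80
```

An empty result means the allowlist matches what is actually listening; any "exposed" line is a service an outside portscan would also find.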