[2931] in WWW Security List Archive
Re: server protection
daemon@ATHENA.MIT.EDU (Patrick Larkin Jr)
Thu Sep 12 13:28:14 1996
From: plarkin@iphase.com (Patrick Larkin Jr)
To: adam@homeport.org (Adam Shostack)
Date: Thu, 12 Sep 1996 08:56:04 -0500 (CDT)
Cc: alsalqan@cerc.wvu.edu, bikkasan@ag-data.com, www-security@ns2.rutgers.edu,
hobika@kodak.com
In-Reply-To: <199609111243.HAA24946@homeport.org> from "Adam Shostack" at Sep 11, 96 07:43:14 am
Reply-To: plarkin@iphase.com
Errors-To: owner-www-security@ns2.rutgers.edu
Earlier, Adam Shostack wrote:
>
> Yahya Alsalqan wrote:
> | what is the easiest way to protect a web server from being compromised
> | ... i.e. nobody should be able to change any page on the web server?
>
> Turn off the disks. Then no one can change the pages.
Well, that's actually a pretty good idea!
Put everything but your log files on an external disk with a
HARDWARE write protect switch! Then, they'll have to gain physical
access before they can change the content.
>
> More seriously, don't have any services other than httpd
> running on the machine. This means a portscan of the machine will
> only show a listener on port 80. Also, no CGIs should be allowed.
> Many exploits involve CGI scripts. Lastly, run a freely available web
> server so you can review the source.
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>
>
--
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
[ PATRICK LARKIN <plarkin@iphase.com> INTERPHASE Systems Administrator ]
[ Internet Paging: <plarkin-page@iphase.com> (I see Subject line ONLY!) ]
[ "Poor planning on YOUR part, does not create an emergency on MY part!!" ]
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
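
Added example, not part of the original message: a small audit of the two checks discussed in this thread, that only port 80 is listening and that the content disk is mounted read-only. It assumes a Linux host; the sample data is constructed and the mount points (/srv/www, /var/log) are hypothetical.

```python
import socket
import struct

# Constructed sample in Linux /proc/net/tcp layout (trailing columns trimmed).
# State 0A is LISTEN, 01 is ESTABLISHED; addresses and ports are hex.
SAMPLE_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0050 00000000:0000 0A
   1: 00000000:0017 00000000:0000 0A
   2: 0100007F:0019 00000000:0000 0A
   3: 0A00000A:0050 0B00000A:C350 01
"""

# Constructed sample in /proc/mounts layout; the mount points are hypothetical.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /srv/www ext4 ro,noexec,nosuid 0 0
/dev/sdc1 /var/log ext4 rw,noexec 0 0
"""

def listeners(proc_net_tcp):
    """Return (address, port) for every IPv4 socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        addr_hex, port_hex = fields[1].split(":")
        # On little-endian hosts the address appears byte-reversed.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        found.append((addr, int(port_hex, 16)))
    return found

def unexpected_listeners(proc_net_tcp, allowed_ports=(80,)):
    """Listening sockets on ports other than the allowed ones (loopback included)."""
    return [(a, p) for a, p in listeners(proc_net_tcp) if p not in allowed_ports]

def content_not_readonly(proc_mounts, content_dirs):
    """Content directories that are not their own read-only mount.
    A software 'ro' flag can be remounted by root, unlike a hardware switch."""
    options = {}
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            options[fields[1]] = fields[3].split(",")
    return [d for d in content_dirs if "ro" not in options.get(d, [])]

if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SAMPLE_TCP))
    print("content not read-only:", content_not_readonly(SAMPLE_MOUNTS, ["/srv/www"]))
```

On a live host, pass the contents of /proc/net/tcp and /proc/mounts instead of the samples; IPv6 listeners (/proc/net/tcp6) and UDP sockets are not covered here.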