[3271] in WWW Security List Archive
Re: www web security !
daemon@ATHENA.MIT.EDU (John Cronin)
Wed Oct 16 18:05:10 1996
From: John Cronin <John.Cronin@oit.gatech.edu>
To: pyb@cadrus.fr (Pierre-Yves Bonnetain)
Date: Wed, 16 Oct 1996 14:39:22 -0400 (EDT)
Cc: joang@lix.intercom.es, BZH01572@niftyserve.or.jp,
www-security@ns2.rutgers.edu
In-Reply-To: <199610160933.KAA05695@localhost> from "Pierre-Yves Bonnetain" at Oct 16, 96 10:33:21 am
Errors-To: owner-www-security@ns2.rutgers.edu
Once upon a time, Pierre-Yves Bonnetain told me this tale:
->
->> T.Kodera wrote:
->> > Now, I'm worried about www security.
->> > Of course, the www server is outside of the firewall.
->>
->> What do you think about putting your www server inside the fw?
->>
-> IMHO, this would not be a clever solution. The public W3 server belongs
->at the very least in the DMZ, never inside the firewall.
Yes, if you have a firewall, I think you should put the web server outside.
If you have need of an internal web server too, seriously consider using
two web servers, one for the "Intranet" (I hate that word, but there it
is), and one for the rest of the world. Make sure you secure them both,
though. Just because something is inside a firewall does not mean it is
safe.
-> If you want to protect your server, chroot it, use tools such as
->tripwire (to detect alterations), check (twice or thrice at the very least)
->your cgi scripts and server configurations, etc.
-> Make your W3 server machine as close to a sacrificial lamb as you can, it
->will expose less of itself and so should be less vulnerable to attack.
Also:
Make sure you have all the latest versions (or at least the most stable and
secure versions) of ALL required software - this includes sendmail, ftp and
news servers as well, if these are on your machines. Get all the recommended
patches too. Don't put stuff on the machine you don't need.
Turn off all services you don't need. If you don't need to have your web
server RECEIVE email, you can bring up the sendmail daemon in send only
mode (/usr/lib/sendmail -q15m). If you don't need an ftp server, disable
the ftpd (you can still ftp out). There are a number of other services
you can disable as well.
Don't have any lists of trusted hosts on the web server, and don't put
the web server in any list of trusted hosts.
If you are paranoid, allow logins only from the console. Definitely don't
allow root logins via telnet.
Use a tcp wrapper to prevent telnet, ftp, etc from all but a few select
machines. If you are running some flavor of Unix, do a web search on "tcpd"
and use that.
Figure out how to use "xhost -" and "xhost +" properly to keep people from
spying in on your Xwindows connections.
Use something like ssh to prevent sniffers on compromised machines from
grabbing passwords, hijacking your TCP connections, and other fun tricks.
Use various web searchers to search on "security" or something like that,
and do research on the web. There is a lot out there. Search on "hacking"
or "hacker" too, and see what the latest and greatest threats are.
Use port scanners to look for obvious problems. Internet Security Systems
will let you download a demo version of the Internet Security Scanner for
free. It only works on "localhost" but it is very thorough and relatively
easy to use. SATAN is a freely available scanner, and our opponents may
use it so it is a good idea to see what others see when they scan our
systems.
Subscribe to something like the CERT mailing list, so that if new threats
are discovered, you will be aware of them, and usually have some options
mentioned that will prevent or reduce the threat. CERT is usually short
on details about an attack, but usually has a list of vendors and their
vulnerabilities and recommended remedies.
I could go on, but I think I hit the high points. Securing a server
is not something you do once when you set a machine up but something
you have to keep up with constantly.
--
John Cronin
Office of Information Technology Customer Support Center 0710
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: john.cronin@oit.gatech.edu
phone: (404) 894-7563
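As an added example, not part of the original message or anything John Cronin posted, here is a small POSIX sh audit script covering three of the host-hardening points above: which inetd services are still switched on, whether a trusted-host file carries the "+" wildcard, and whether tcpd is configured deny-by-default. Every input file is a constructed sample written to a temp directory; the file contents, service lines and 192.0.2.x addresses are assumptions for illustration, not any real host's configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a few of the host-hardening
# points raised in the thread against constructed sample config files.
# All paths below point into a temp dir; the contents are assumptions.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed /etc/inetd.conf: telnet and ftp still on (wrapped by tcpd),
# the r-services and finger already commented out.
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# service  socket  proto  wait    user    program          args
ftp      stream  tcp    nowait  root    /usr/sbin/tcpd   in.ftpd -l
telnet   stream  tcp    nowait  root    /usr/sbin/tcpd   in.telnetd
#shell   stream  tcp    nowait  root    /usr/sbin/tcpd   in.rshd
#login   stream  tcp    nowait  root    /usr/sbin/tcpd   in.rlogind
#finger  stream  tcp    nowait  nobody  /usr/sbin/tcpd   in.fingerd
EOF

# Constructed /etc/hosts.equiv: a bare "+" trusts every host on the net.
cat > "$SAMPLE_DIR/hosts.equiv" <<'EOF'
+
admin.example.edu
EOF

# Constructed tcpd files: hosts.allow names the few admin machines, but
# hosts.deny has no catch-all, so anything not listed is still admitted.
cat > "$SAMPLE_DIR/hosts.allow" <<'EOF'
in.telnetd: 192.0.2.5 192.0.2.6
in.ftpd: 192.0.2.5
EOF
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
# (empty: no default deny)
EOF

# Print the service name of every uncommented, non-blank inetd.conf line.
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' || true
}

# Print trusted-host entries that start with "+" (trust everyone / "+ user").
wildcard_trust_entries() {
    [ -f "$1" ] || return 0
    grep -E '^[[:space:]]*\+' "$1" || true
}

# Exit 0 if hosts.deny carries an "ALL: ALL" default deny, 1 otherwise.
has_default_deny() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# Report on the sample files.
echo "Enabled inetd services (disable what the web server does not need):"
enabled_inetd_services "$SAMPLE_DIR/inetd.conf" | sed 's/^/  /'
echo "Wildcard entries in hosts.equiv (remove them; better, remove the file):"
wildcard_trust_entries "$SAMPLE_DIR/hosts.equiv" | sed 's/^/  /'
if has_default_deny "$SAMPLE_DIR/hosts.deny"; then
    echo "hosts.deny: default deny present"
else
    echo "hosts.deny: NO default deny; add 'ALL: ALL' so only hosts.allow entries get in"
fi
```

Run it as-is to see the report on the sample files; to audit a real host, point the three functions at /etc/inetd.conf, /etc/hosts.equiv (and each user's ~/.rhosts) and /etc/hosts.deny instead of the constructed copies. The deny-by-default check is the one that most often surprises people: hosts.allow alone restricts nothing unless hosts.deny closes the door for everyone else.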