[3328] in WWW Security List Archive
Re: www web security !
daemon@ATHENA.MIT.EDU (John Cronin)
Tue Oct 22 13:57:12 1996
From: John Cronin <John.Cronin@oit.gatech.edu>
To: alexf@iss.net (Alex Filacchione)
Date: Tue, 22 Oct 1996 11:43:43 -0400 (EDT)
Cc: John.Cronin@oit.gatech.edu, pyb@cadrus.fr, BZH01572@niftyserve.or.jp,
joang@lix.intercom.es, www-security@ns2.rutgers.edu
In-Reply-To: <01BBC009.AC596900@alexf.iss.net> from "Alex Filacchione" at Oct 22, 96 11:10:44 am
Errors-To: owner-www-security@ns2.rutgers.edu
Once upon a time, Alex Filacchione told me this tale:
->
->----------
->From: John Cronin[SMTP:John.Cronin@oit.gatech.edu]
->Sent: Wednesday, October 16, 1996 10:39 AM
->
->Yes, if you have a firewall, I think you should put the web server outside.
[Heavily edited to remove material not relevant to this post]
->If you are paranoid, allow logins only from the console. Definitely don't
->allow root logins via telnet.
->
->Use something like ssh to prevent sniffers on compromised machines from
->grabbing passwords, hijacking your TCP connections, and other fun tricks.
->
->Use port scanners to look for obvious problems. Internet Security Systems
->will let you download a demo version of the Internet Security Scanner for
->free. It only works on "localhost" but it is very thorough and relatively
->easy to use.
->
->=-=-=-=-
->
->These are all great suggestions. Here are a few more...
->
->Why should you not put your web server BEHIND a firewall? It opens up your
->internal network (it provides a path through your firewall; all someone
->needs to do then is compromise your web server, not your firewall).
I would not put it behind the firewall if it was intended primarily for
EXTERNAL use (i.e. for use by users who are NOT part of your organization).
This server would have security as tight as (or tighter than) the firewall.
Its services would be strictly limited. If possible, I would put it on
its own subnet, or perhaps with the firewall. This way, if it is
compromised (through the http port, in particular - a CGI bin script somehow
overlooked or something), it is not a door through the firewall. Why let
a bunch of external users INSIDE your firewall?
If I needed an internal web server, I would use a SECOND web server inside
the firewall if that is feasible, and not allow external users access to
the internal web server.
->Keep logs on everything. If you keep the logs on the web server, tgz (tar
->and gzip) them and move them off every day. Also, PARTITION YOUR HARD
->DRIVE! Keep the logs on a separate partition. If someone tries to launch
->a denial of service attack against your web server's logs, and the drive is
->partitioned and fills up, your logs might fail, but the server won't go
->down. You can also set alarms (via a cron job, maybe?) that will check the
->status and immediately move logs off of the server if the drive space is at
->80% or greater.
This is a good idea. I had not thought of it, actually. I am paranoid
enough, I might have a separate log server on some machines. I am not
sure I would go to the trouble on an external web server unless I was having
hacking problems. This way, the intruders would have to hack a second
machine (the log server) to delete the log files. Makes it easier to trace
attacks, since if the log server is well secured, intruders will probably
not be able to get to the log files.
->Don't leave compilers lying around. If you need to use one, install
->it via a console log-in, and then delete it.
Or compile on another machine, and then tar up the needed files and transfer
them to the web server.
->Your CGI-BIN scripts, server version, etc. can all be checked by our ISS
->Web Security Scanner. You can check out all of the features that the web
->security scanner offers at our webpage (including all cgi-bin checks, phf
->checks, brute force default server account checks, etc.)...
->
->http://www.iss.net
->
->Click on "products" and read about the Web Security Scanner. This piece of
->software is on special. You can get a copy for $99 until October 31.
->Contact our sales department (or you can email me and I can forward it) if
->you are interested in this.
I got the demo version at Networld+InterOp. I have used it and can say that
it works pretty well. I was also pretty happy that it didn't find anything
wrong on the two systems I checked out (a web server and my own personal
machine), but also a little disappointed. I was hoping it would find something
I missed. I do a pretty good job of keeping up with security, but I
am not always fanatic about it. There are a lot of things I intend to do
if I ever get the time. This is not a criticism of the software. However,
you cannot rely on a port scanner alone. I know for a fact that the version
of sendmail I was running at the time had the usual buffer overflow problems,
and the ISS Web Security Scanner did not detect that. I did not really
expect it to, as my version of sendmail was quite recent, and the CERT
bulletins etc. had just gone out. (Sendmail 8.7.5, for those who are curious.)
->These and the previous suggestions should keep you busy for a while :)
I find that security can keep you busy pretty much forever in a well
publicized site.
--
John Cronin
Office of Information Technology Customer Support Center 0710
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: john.cronin@oit.gatech.edu
phone: (404) 894-7563
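The cron-driven log check discussed in this exchange (a separate log partition, an alarm at 80% usage, tar+gzip the logs and move them off the box) could look like the following. This is an added example, not a script from either poster; the threshold, the directory names and the `--cron` flag are assumptions made for illustration. It truncates the live log files in place rather than deleting them, because a web server that still holds a deleted log open keeps writing to the unlinked inode and the partition never actually frees up.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): check the log
# partition from cron and archive the logs off the web server when usage
# reaches the threshold. Paths and names below are assumptions.

THRESHOLD=80                 # percent-used figure that triggers archiving
LOGDIR=/var/log/httpd        # assumed location of the web-server logs
ARCHDIR=/var/spool/logship   # assumed staging area for the .tgz files

# Read `df -P <path>` output on stdin and print the percent-used figure
# from the data row (line 2, column 5 is "Use%", e.g. "85%").
usage_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5; exit }'
}

# Compare a percentage against the threshold: prints "rotate" or "ok".
check_logs() {
    if [ "$1" -ge "$THRESHOLD" ]; then
        echo rotate
    else
        echo ok
    fi
}

# Bundle every file in the log directory into a timestamped tgz in the
# archive directory, then truncate (not delete) the originals so the
# running server keeps its open descriptors and the space is reclaimed.
# Prints the path of the archive it wrote.
rotate_logs() {
    logdir="$1"
    archdir="$2"
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$archdir/weblogs-$stamp.tgz"
    tar -C "$logdir" -cf - . | gzip > "$archive"
    for f in "$logdir"/*; do
        [ -f "$f" ] && : > "$f"
    done
    echo "$archive"
}

# Cron entry point: check the partition holding LOGDIR and archive if
# needed. Shipping the archive to a separate log host (scp over ssh, as
# the thread recommends) would follow the rotate_logs call in production.
main() {
    pct=$(df -P "$LOGDIR" | usage_pct)
    if [ "$(check_logs "$pct")" = rotate ]; then
        rotate_logs "$LOGDIR" "$ARCHDIR"
    fi
}

# Only run the check when invoked as `sh logcheck.sh --cron` from crontab.
case "${1-}" in
    --cron) main ;;
esac
```

A crontab line such as `0 * * * * /usr/local/sbin/logcheck.sh --cron` runs the check hourly; the 80% figure is the one the thread suggests and can be tuned to how fast the site fills its partition.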