[3329] in WWW Security List Archive


RE: www web security !

daemon@ATHENA.MIT.EDU (Alex Filacchione)
Tue Oct 22 13:57:49 1996

From: Alex Filacchione <alexf@iss.net>
To: "'John Cronin'" <John.Cronin@oit.gatech.edu>,
        Pierre-Yves Bonnetain <pyb@cadrus.fr>
Cc: "BZH01572@niftyserve.or.jp" <BZH01572@niftyserve.or.jp>,
        "joang@lix.intercom.es" <joang@lix.intercom.es>,
        "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Date: Tue, 22 Oct 1996 11:10:44 -0400
Errors-To: owner-www-security@ns2.rutgers.edu



----------
From: 	John Cronin[SMTP:John.Cronin@oit.gatech.edu]
Sent: 	Wednesday, October 16, 1996 10:39 AM
To: 	Pierre-Yves Bonnetain
Cc: 	joang@lix.intercom.es; BZH01572@niftyserve.or.jp; 
www-security@ns2.rutgers.edu
Subject: 	Re: www web security !


Yes, if you have a firewall, I think you should put the web server outside.


->   If you want to protect your server, chroot it, use tools such as
->tripwire (to detect alterations), check (twice or thrice at the very least)
->your cgi scripts and server configurations, etc.
->   Make your W3 server machine as close to a sacrificial lamb as you can, it
->will expose less of itself and so should be less vulnerable to attack.

Make sure you have all the latest versions (or at least the most stable and
secure versions) of ALL required software - this includes sendmail, ftp and
news servers as well, if these are on your machines.  Get all the recommended
patches too.  Don't put stuff on the machine you don't need.

Turn off all services you don't need.  If you don't need to have your web
server RECEIVE email, you can bring up the sendmail daemon in send only
mode (/usr/lib/sendmail -q15m).  If you don't need an ftp server, disable
the ftpd (you can still ftp out).  There are a number of other services
you can disable as well.

Don't have any lists of trusted hosts on the web server, and don't put
the web server in any list of trusted hosts.

If you are paranoid, allow logins only from the console.  Definitely don't
allow root logins via telnet.

Use a tcp wrapper to prevent telnet, ftp, etc from all but a few select
machines.  If you are running some flavor of Unix, do a web search on "tcpd"
and use that.

Figure out how to use "xhost -" and "xhost +" properly to keep people from
spying in on your Xwindows connections.

Use something like ssh to prevent sniffers on compromised machines from
grabbing passwords, hijacking your TCP connections, and other fun tricks.

Use port scanners to look for obvious problems.  Internet Security Systems
will let you download a demo version of the Internet Security Scanner for
free. It only works on "localhost" but it is very thorough and relatively
easy to use.

=-=-=-=-

These are all great suggestions.  Here are a few more...

Why should you not put your web server BEHIND a firewall?  It opens up your 
internal network (it provides a path through your firewall: all someone 
needs to do then is compromise your web server, not your firewall).

Keep logs on everything.  If you keep the logs on the web server, tgz (tar 
and gzip) them and move them off every day.  Also, PARTITION YOUR HARD 
DRIVE!  Keep the logs on a separate partition.  If someone tries to launch 
a denial of service attack against your web server's logs, and the drive is 
partitioned and fills up, your logs might fail, but the server won't go 
down.  You can also set alarms (via a cron job, maybe?) that will check the 
status and immediately move logs off of the server if the drive space is at 
80% or greater.

Don't allow telnet, or anything else.  Allow administration via SSH or 
console, only.  If you must allow ftp, chroot it, allow anonymous log-ins 
ONLY, and make sure that your perms are all set properly (see the FTP 
security FAQ, available at rtfm.mit.edu).  Doing port scans is a good idea. 
Our Intranet Scanner can help out by running this on the server.  We also 
sell a Web Security Scanner (more on that later).  IMPORTANT: if you run a 
scan, MOVE ALL LOGS, etc. off of that machine!  Delete the software.  If 
someone does manage to break in, you don't want to make their job easier if 
they have not yet achieved root!  Run netstat -a (I believe that that is 
the correct option) to check what services are running.

Don't leave compilers lying around.  If you need to use one, install it via 
a console log-in, and then delete it.

Make sure that your CGI-Bin scripts are all secure.  Check for open, exec, 
etc. commands.  Anything that looks like a user (visitor to your web site) 
could exploit by issuing commands to a shell should be fixed or deleted. 
If you are running Perl scripts, use tainted Perl.  Run your web daemon as 
nobody or something similar.  Do NOT run it as root!  Get rid of phf! (or 
at least fix it)

Your CGI-BIN scripts, server version, etc. can all be checked by our ISS 
Web Security Scanner.  You can check out all of the features that the web 
security scanner offers at our webpage (including all cgi-bin checks, phf 
checks, brute force default server account checks, etc.)...

http://www.iss.net

Click on "products" and read about the Web Security Scanner.  This piece of 
software is on special.  You can get a copy for $99 until October 31. 
Contact our sales department (or you can email me and I can forward it) if 
you are interested in this.

These and the previous suggestions should keep you busy for a while :)

Hope this helps,

Alex F
alexf@iss.net
webmaster/security training
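Editor's added example (not from Alex's or John's mail): the cron-driven log
partition check that Alex describes, written out as a Bourne shell script. It
assumes the web logs sit on their own partition mounted at LOG_MNT, that
ARCHIVE_DIR is a local staging directory which a separate job copies off-host,
and that PIDFILE is the httpd pid file; all three paths are assumed, not taken
from the mail.

```shell
#!/bin/sh
# Added example, not part of the original mail. Assumed names: LOG_MNT is the
# log partition, ARCHIVE_DIR a local staging directory that a separate job
# ships off-host, PIDFILE the web server's pid file.
LOG_MNT="${LOG_MNT:-/var/log/httpd}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/spool/logship}"
PIDFILE="${PIDFILE:-/var/run/httpd.pid}"
THRESHOLD="${THRESHOLD:-80}"

# usage_pct MOUNT: read 'df -k' style lines on stdin and print the capacity
# figure (without the '%') for MOUNT. Reading stdin rather than calling df
# directly lets the parser be checked against a captured listing.
usage_pct() {
    awk -v m="$1" '$NF == m { sub(/%/, "", $(NF-1)); print $(NF-1); exit }'
}

# over_threshold PCT LIMIT: true when PCT >= LIMIT.
over_threshold() {
    [ "$1" -ge "$2" ]
}

# archive_logs LOGDIR DEST: tar+gzip the regular files directly in LOGDIR
# into DEST/logs-<stamp>.tgz, delete the originals once the archive exists,
# and print the archive path. Only top-level files are taken, so the archive
# can never swallow itself or a subdirectory.
archive_logs() {
    logdir="$1"; dest="$2"
    case "$dest" in /*) ;; *) dest="$(pwd)/$dest" ;; esac
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/logs-$stamp.tgz"
    list="$dest/.list-$stamp"
    mkdir -p "$dest"
    (cd "$logdir" && find . ! -name . -prune -type f -print) | sed 's|^\./||' > "$list"
    if [ -s "$list" ]; then
        (cd "$logdir" && tar -czf "$out" -T "$list")
        while read -r f; do rm -f "$logdir/$f"; done < "$list"
    fi
    rm -f "$list"
    echo "$out"
}

# main: what cron runs. An NCSA/Apache httpd keeps writing to the unlinked
# inode after the rm, so the space only comes back once the server is told
# to reopen its logs; hence the HUP.
main() {
    pct=$(df -k "$LOG_MNT" | usage_pct "$LOG_MNT")
    if [ -n "$pct" ] && over_threshold "$pct" "$THRESHOLD"; then
        archive_logs "$LOG_MNT" "$ARCHIVE_DIR"
        if [ -r "$PIDFILE" ]; then
            kill -HUP "$(cat "$PIDFILE")"
        fi
    fi
}

# Invoke as 'logcheck.sh run' from cron, e.g. every quarter hour:
#   0,15,30,45 * * * * /usr/local/sbin/logcheck.sh run
if [ "${1-}" = "run" ]; then
    main
fi
```

The archive lands on the same box, which is why a second job has to carry it
off-host: Alex's point is that an intruder who has not yet got root should
find nothing useful left on the web server, and that includes yesterday's logs.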

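Editor's added example (not from the mail): a small audit of inetd.conf for
John's "turn off what you don't need, wrap the rest in tcpd" advice and Alex's
reminder to check what is actually listening. It assumes the classic seven
field inetd.conf layout (service, socket type, protocol, wait/nowait, user,
server program, arguments) and treats the list of services you decide to keep
as a hypothetical policy choice; the sample inetd.conf is constructed.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit an inetd.conf for
# services that are enabled but not needed, and services that are started
# directly instead of through tcpd. Assumes the classic layout
#   service socket proto wait/nowait user server-program args...

# active_entries: drop comments and blank lines, leaving live inetd entries.
active_entries() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print }'
}

# enabled_services: names of every service inetd will answer for.
enabled_services() {
    active_entries | awk '{ print $1 }'
}

# unwrapped_services: live entries whose server program (field 6) is not
# tcpd. "internal" services (echo, chargen, daytime, ...) cannot be wrapped
# at all, so they show up here too; the fix for those is to comment them out.
unwrapped_services() {
    active_entries | awk '$6 !~ /tcpd$/ { print $1 }'
}

# unwanted_services NEEDED...: live entries not on the keep list.
unwanted_services() {
    active_entries | awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        !($1 in want) { print $1 }'
}

# audit_inetd FILE NEEDED...: one line per finding on stdout; exit status 1
# if anything needs fixing, 0 if the file is clean.
audit_inetd() {
    f="$1"; shift
    bad=0
    for s in $(unwanted_services "$@" < "$f"); do
        echo "DISABLE $s: enabled but not on the keep list (comment it out, then HUP inetd)"
        bad=1
    done
    for s in $(unwrapped_services < "$f"); do
        echo "WRAP    $s: started directly, not via tcpd, so hosts.allow cannot restrict it"
        bad=1
    done
    return $bad
}

# Usage: audit_inetd /etc/inetd.conf ftp
# (keeps only ftp; everything else reported for disabling or wrapping)
if [ "${1-}" = "run" ]; then
    shift
    audit_inetd "${1:-/etc/inetd.conf}" ftp
fi
```

Once every remaining entry runs through tcpd, the "few select machines" rule
is two files: `ALL: ALL` in /etc/hosts.deny, and a line such as
`in.ftpd in.telnetd: 192.168.1.` (an example network, not one from the mail)
in /etc/hosts.allow. Remember that netstat -a still shows services inetd is
not involved with (sendmail, httpd, NFS), so the inetd audit is only half the
listening-port check.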

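Editor's added example (not from the mail): a first-pass check of cgi-bin
scripts for the two things Alex asks for, Perl taint mode and user data
reaching a shell through open, exec, system or backticks. The two Perl scripts
it runs against are constructed samples written for this example (a typical
mailback form handler and a hardened version of it), not code from the post;
both assume the form fields have already been decoded into %in.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit CGI scripts for missing
# taint mode and for shell commands built from interpolated variables. The
# two sample scripts below are constructed for this example.

# taint_mode FILE: true if the #! line turns on Perl taint checks (-T).
taint_mode() {
    head -n 1 "$1" | grep -q -- '-T'
}

# review_calls FILE: line numbers of every call that can run a program or
# reach a shell: system, exec, eval, backticks, piped open. Each needs a
# human look; not all of them are bugs.
review_calls() {
    grep -n -E '(system|exec|eval)[[:space:]]*[[:punct:]]|`|open[[:space:]]*\([^,]*,[[:space:]]*"[|]' "$1" | cut -d: -f1
}

# shell_interpolation FILE: the definitely-bad subset: a piped open,
# system("...") or backtick whose command string interpolates a variable,
# i.e. data becomes part of a /bin/sh command line.
shell_interpolation() {
    grep -n -E 'open[[:space:]]*\([^,]*,[[:space:]]*"[|][^"]*[$]|system[[:space:]]*\("[^"]*[$]|`[^`]*[$][^`]*`' "$1" | cut -d: -f1
}

# audit_cgi FILE: findings on stdout; exit 0 if clean, 1 otherwise.
audit_cgi() {
    bad=0
    taint_mode "$1" || { echo "$1: not running with -T"; bad=1; }
    for n in $(shell_interpolation "$1"); do
        echo "$1:$n: variable interpolated into a shell command"; bad=1
    done
    for n in $(review_calls "$1"); do
        echo "$1:$n: external command, review by hand"
    done
    return $bad
}

# make_samples DIR: write the two constructed scripts into DIR.
make_samples() {
    mkdir -p "$1"
    cat > "$1/mailback.cgi" <<'EOF'
#!/usr/bin/perl
# constructed sample: a typical mailback form handler, %in already decoded
$to = $in{'email'};
open(MAIL, "|/usr/lib/sendmail $to");
print MAIL "Thanks for visiting\n";
close(MAIL);
EOF
    cat > "$1/mailback-fixed.cgi" <<'EOF'
#!/usr/bin/perl -T
# constructed sample: same handler with taint checks, a fixed PATH, an
# untainting match, and a fork-exec open that never goes through /bin/sh
$ENV{'PATH'} = '/bin:/usr/bin';
($to) = $in{'email'} =~ /^([\w.-]+@[\w.-]+)$/ or die "bad address";
open(MAIL, "|-") || exec '/usr/lib/sendmail', '-t';
print MAIL "To: $to\nSubject: thanks\n\nThanks for visiting\n";
close(MAIL);
EOF
}

# Usage: cgiaudit.sh run [DIR]   writes the samples into DIR and audits them;
# point audit_cgi at your own cgi-bin files for the real thing.
main() {
    dir="${1:-/tmp/cgi-audit-samples}"
    make_samples "$dir"
    for f in "$dir"/*.cgi; do
        if audit_cgi "$f"; then echo "$f: OK"; fi
    done
}
if [ "${1-}" = "run" ]; then
    main "${2-}"
fi
```

In the vulnerable sample a visitor who submits `a@b.c;mail root </etc/passwd`
as the email field gets that text handed to /bin/sh by the piped open. The
fixed version refuses anything that does not match an address pattern, sets
PATH explicitly (taint mode insists on it before any exec), and uses the
"|-" fork-open so that sendmail is exec'd directly with an argument list and
no shell ever sees the data.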