World Wide Web Server Security Best Practices

Written on February 10, 2010 by Jerson

  1. Place your web server(s) in a DMZ. Set your firewall to drop connections to your web server on all ports but HTTP (port 80) or HTTPS (port 443).
  2. Remove all unneeded services from your web server, keeping FTP (but only if you need it) and a secure login capability such as secure shell. An unneeded service can become an avenue of attack.
  3. Disallow all remote administration unless it is done using a one-time password or an encrypted link.
  4. Limit the number of persons having administrator or root level access.
  5. Log all user activity and maintain those logs either in an encrypted form on the web server or store them on a separate machine on your Intranet.
  6. Monitor system logs regularly for any suspicious activity. Install some trap macros to watch for attacks on the server (such as the PHF attack). Create macros that run every hour or so that would check the integrity of password and other critical files. When the macros detect a change, they should send an e-mail to the system manager.
  7. Remove ALL unnecessary files such as phf from the scripts directory /cgi-bin.
  8. Remove the “default” document trees that are shipped with Web servers such as IIS and ExAir.
  9. Apply all relevant security patches as soon as they are announced.
  10. If you must use a GUI interface at the console, remove the commands that automatically start the window manager from the .RC startup directories and then create a startup command for the window manager. You can then use the window manager when you need to work on the system, but shut it down when you are done. Do not leave the window manager running for any extended length of time.
  11. If the machine must be administered remotely, require that a secure capability such as secure shell is used to make a secure connection. Do not allow telnet or non-anonymous ftp (those requiring a username and password) connections to this machine from any untrusted site. It would also be good to limit these connections only to a minimum number of secure machines and have those machines reside within your Intranet.
  12. Run the web server in a chroot-ed part of the directory tree so it cannot access the real system files.
  13. Run the anonymous FTP server (if you need it) in a chroot-ed part of the directory tree that is different from the web server’s tree.
  14. Do all updates from your Intranet. Maintain your web page originals on a server on your Intranet and make all changes and updates there; then “push” these updates to the public server through an SSL connection. If you do this on an hourly basis, you can avoid having a corrupted server exposed for a long period of time.
  15. Scan your web server periodically with tools like ISS or nmap to look for vulnerabilities.
  16. Have intrusion detection software monitor the connections to the server. Set the detector to alarm on known exploits and suspicious activities and to capture these sessions for review. This information can help you recover from an intrusion and strengthen your defenses.
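As an added example that is not part of the original post, the following POSIX shell script shows one way to build the hourly “trap macros” of item 6: it records a baseline of SHA-256 digests for critical files, reports any file that has changed or disappeared, and counts access-log requests for the phf CGI (the trap item 6 names). The file names, the `notify` helper and the constructed log lines are assumptions made for the demonstration, not the author's setup; in production the baseline would cover `/etc/passwd`, `/etc/shadow`, the web server configuration and the `/cgi-bin` directory, and the script would run from cron (for example `0 * * * * /usr/local/sbin/trapcheck.sh`, an assumed path).

```shell
#!/bin/sh
# Added example, not code from the original post. A minimal "trap macro" in
# the spirit of item 6: keep a baseline of SHA-256 digests for critical files,
# report any file that changed or vanished, and count access-log requests for
# /cgi-bin/phf. File names below are assumptions made for this demo; in
# production point baseline_create at /etc/passwd, /etc/shadow, the httpd
# configuration and the CGI directory, and run the script hourly from cron.

# baseline_create BASELINE FILE...  -- record one "digest  path" line per file.
baseline_create() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        sha256sum "$f" >> "$out"
    done
}

# baseline_verify BASELINE  -- print CHANGED/MISSING lines; return 1 if any.
baseline_verify() {
    changed=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            changed=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$digest" ]; then
            echo "CHANGED $path"
            changed=1
        fi
    done < "$1"
    return $changed
}

# phf_hits ACCESS_LOG  -- count requests for the phf CGI (item 6's example trap).
# grep -c exits 1 when the count is 0, so "|| true" keeps the function quiet.
phf_hits() {
    grep -c -i '"GET /cgi-bin/phf' "$1" || true
}

# notify SUBJECT  -- stand-in for the e-mail of item 6; the body comes on stdin.
# Replace "cat" with something like: mail -s "$1" sysmanager@example.invalid
notify() {
    echo "=== $1 ==="
    cat
}

# --- Demonstration on constructed files and log lines (nothing real) ---
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    printf 'ScriptAlias /cgi-bin/ /srv/www/cgi-bin/\n' > "$d/httpd.conf"
    baseline_create "$d/baseline" "$d/passwd" "$d/httpd.conf"
    baseline_verify "$d/baseline" && echo "integrity ok"

    # Simulate tampering: an extra uid-0 account appears in the passwd copy.
    printf 'extra:x:0:0::/:/bin/sh\n' >> "$d/passwd"
    report=$(baseline_verify "$d/baseline") \
        || printf '%s\n' "$report" | notify "integrity check failed"

    # Constructed access-log lines in Common Log Format; one is a phf probe.
    cat > "$d/access.log" <<'EOF'
192.0.2.10 - - [10/Feb/2010:09:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [10/Feb/2010:09:00:05 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 210
192.0.2.12 - - [10/Feb/2010:09:00:09 +0000] "GET /about.html HTTP/1.0" 200 512
EOF
    echo "phf probes in the last hour: $(phf_hits "$d/access.log")"
    rm -rf "$d"
}
demo
```

The baseline file itself must be protected, which is why item 5 suggests keeping such data encrypted or on a separate Intranet host: an intruder who can rewrite the baseline can silence the check. Keeping the digest list on a machine the web server cannot write to, and pulling the files to compare over a secure channel, closes that gap.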

Source
