> BTW, if I may ask another question on the same topic,
> What are the standard steps that should be used for securing a web
> server? I'm sure that's a very broad question but I want to make sure
> I've all angles covered if what I'm hoping goes ahead.
Security is as much an art as a science, but here are a few random thoughts to
get you started - some of them will be more practical than others depending on
your circumstances - you just have to examine your own system, decide what
you can do, and then decide what's worth doing.
Privilege Separation. If possible, use different accounts for different
tasks, with each account only having the permissions necessary to carry out
its task. For example, if you use a read-only DB account to retrieve
information, it could prevent a flaw in the retrieval of records in the
application from being used to write information to the DB.
Resource Limiting - Kind of related, but one way to make it more difficult
for a flaw to access the filesystem is by running your webserver in a chroot
jail, or a virtual server (dedicated to that service). I believe OpenBSD
takes this approach, but you should remember that it is possible to break
out of a chroot jail, particularly with root privileges (eg by creating
and mounting the relevant device files).
Also, it might be possible to restrict access to your application's admin
control panel (for example) by your IP address (eg using .htaccess to
restrict the ACP to your IP address).
Operating System level - no unnecessary applications or processes - crackers
can use these. Remove anything you don't need - check the output of
'ps -ef', and kill anything you don't need. RHEL is particularly bad for
this - a basic installation has X11, which you have no need for in a server.
Firewall outgoing connections - if there is no reason for your server to
initiate outbound connections, then block them.
Subscribe to mailing lists, particularly from your operating system provider
on security.
Lock the door - physical access is a vulnerability in itself.
> I've already got the firewall up so the only ports that should accept
> access are 22 and 80. I'm later hoping to further tighten security by
> only allowing access to port 22 from one address.
>
Don't forget blocking outbound connections, so "bad apps" can't call home.
> Thanks again
> Darragh
> www.digitaldarragh.com
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
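The firewall layout discussed in this thread (inbound only 22 and 80, SSH limited to one admin address, and outbound blocked by default so "bad apps" can't call home), written out as an iptables script. This is an added example, not code from anyone on the list; ADMIN_IP, DNS_IP, NTP_IP and MIRROR_IP are assumed placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the original thread): default-deny iptables rules
# for a web server that accepts only SSH (from one admin host) and HTTP, and
# may only initiate DNS, NTP and package-mirror traffic. All addresses below
# are assumed placeholders; set IPTABLES=echo to print rules instead of applying.
set -eu

IPTABLES="${IPTABLES:-iptables}"
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"     # workstation allowed to reach SSH
DNS_IP="${DNS_IP:-192.0.2.53}"         # resolver the server may query
NTP_IP="${NTP_IP:-192.0.2.123}"        # time server the server may sync with
MIRROR_IP="${MIRROR_IP:-198.51.100.7}" # package mirror for updates

apply_rules() {
    # Start from empty chains and default-deny everything, OUTPUT included.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback traffic is needed by most local services (eg the app's DB).
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to connections already accepted, in either direction.
    $IPTABLES -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound: new SSH sessions only from the admin address, HTTP from anywhere.
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound: only what the server itself must initiate, each pinned to a
    # known destination, so no process can open arbitrary connections.
    $IPTABLES -A OUTPUT -p udp -d "$DNS_IP" --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -p udp -d "$NTP_IP" --dport 123 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d "$MIRROR_IP" -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Rate-limited logging of whatever falls through, so a blocked call-home
    # attempt shows up in the kernel log instead of failing silently.
    $IPTABLES -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPTABLES -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

# Only touch the live firewall when explicitly asked: ./firewall.sh apply
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Dropped outbound attempts appear in the kernel log with the FW-OUT-DROP prefix, which is the first thing to grep when a process on the box unexpectedly tries to reach the outside.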