Slashdot Mirror


Ask Slashdot: Securing Web Servers Against Cracking

Bryan Andersen asks: "I'm looking for information on securing web servers against hacking. In particular, I'm interested in securing Apache on Debian Linux and OpenBSD, but discussions on other server/OS combinations are welcome. Links to sites with good information would be greatly appreciated."

2 of 177 comments

  1. A cracker's opinion by Anonymous Coward · Score: 5

    I have cracked/hacked many a web server. Most if not all allowed us to exploit poorly configured machines or applications. A good admin will beat us every time, but most places won't pay for a good admin. The hardest computers to crack are the ones limited to the least amount of access they allow. So, if you don't use it, don't run it. I.e. if you're not using an FTP server, why allow FTP access? Why not turn off the daemon, then use sshd to move files? It's secure, and will close all the hundreds of ftpd exploits. Now some would say that a good firewall rule will solve this, but as I have beaten many a firewall, why not just shut down the stuff you're not going to need? This applies to just about every daemon you can think of: if you don't need it, kill it.

    Now after that, some good firewall rules won't hurt. If this is only going to be a web server, then I would only allow your web server port, firewall with a separate machine, then only run your web daemon. If you need other access, allow other machines to do that for you; your web server is the big juicy target. Owning an FTP server is all nice and good, but if I don't need the space/bandwidth then I really won't bother. Warez kiddies won't even bother to own a system; so many FTP servers allow anon access that it's just funny. Why waste the time on something you can get for free?

    Really, the kernel or OS that you use doesn't really matter; it's how well you configure it. It's no harder to root/crack a misconfigured OpenBSD/Debian/Irix/WinNT or any other OS. You will see attempts, but with good backups you should be offline for only a few hours. If you do get hacked, make sure that you follow the code of ethics. Most hackers/crackers won't destroy more than they need to get their message up. So for not killing your file system, you should give copies of all the hacked files to 2600.com so that they can mirror it. They will get it anyway, but it's like saying "you got me, but wait for next round".
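The "if you don't need it, kill it" advice in the comment above, as an added example that is not part of the comment: two POSIX sh helpers, one that flags listening TCP sockets outside an allow-list (fed with constructed `netstat -ltnp`-style output) and one that comments unwanted services out of a constructed `inetd.conf`, which is how an inetd-spawned daemon such as ftpd or fingerd is switched off. The function names, the netstat text and the inetd.conf text are this example's own, not data from any real host.

```shell
#!/bin/sh
# Added example (not from the Slashdot post): "if you don't need it, kill it".
# Two helpers for auditing a box the way the comment describes. The netstat
# and inetd.conf text below is constructed sample data, not a real host.
set -f   # no pathname expansion while we split lines with "set --"

# unexpected_listeners PORT...
# Reads "netstat -ltnp"-style output on stdin and prints "PORT PID/PROGRAM"
# for every listening TCP socket whose port is not in the allow-list.
unexpected_listeners() {
    allowed=" $* "
    while read -r proto recvq sendq local remote state prog; do
        [ "$state" = "LISTEN" ] || continue          # skips the header lines too
        port=${local##*:}                            # works for 0.0.0.0:21 and :::80
        case "$allowed" in
            *" $port "*) ;;                          # an expected service
            *) printf '%s %s\n' "$port" "$prog" ;;
        esac
    done
}

# comment_inetd_services NAME...
# Reads an inetd.conf on stdin and writes it out with the named services
# commented out. On a real host, install the result and HUP inetd.
comment_inetd_services() {
    names=" $* "
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') printf '%s\n' "$line"; continue ;;   # keep comments and blanks
        esac
        set -- $line                                       # first field = service name
        case "$names" in
            *" $1 "*) printf '#%s\n' "$line" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample data.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      312/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      401/sshd
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      312/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      455/exim
tcp6       0      0 :::80                   :::*                    LISTEN      520/apache'

SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
#daytime stream tcp  nowait  root    internal
ident   stream  tcp  wait    identd  /usr/sbin/identd  identd'

echo "== listeners not on the web-server allow-list (22 80 443) =="
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 80 443
echo "== inetd.conf with ftp and finger switched off =="
printf '%s\n' "$SAMPLE_INETD_CONF" | comment_inetd_services ftp finger
```

On a live machine the first helper is fed with `netstat -ltnp | unexpected_listeners 22 80 443` (or the equivalent `ss -ltnp` output reshaped to the same columns); anything it prints is either a daemon to stop at boot or an inetd entry to comment out with the second helper. The loopback-only listener (port 25 on 127.0.0.1) is reported as well, on purpose: the comment's point is that a daemon you do not need should not be running at all, not merely hidden behind an interface binding.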

  2. Checklist by Phexro · Score: 5

    Here's a quick(??) checklist:

    * Disable all the unused services. ftp, talk, biff, finger - the usual suspects. Make sure the inetd internal services (echo, chargen, discard, daytime, time) are disabled; there are some inetds that have overflow problems with these services, which will crash inetd.

    * Shadow passwords.

    * MD5 crypted passwords. Don't know if this is supported on RH, but Debian 2.0 or better does. This is a wonderful feature, it's settable in /etc/login.defs. It allows passwords longer than 8 characters (standard shadow limit), and to the best of my knowledge there are no password crackers which will crack MD5 hashed *NIX passwords. There's also lots of other fun stuff to mess with in login.defs, btw.

    * Strict firewall rules; allow addresses that should be coming into your system (or network) in only on the interfaces configured for them. Reject anything else, and log it. Reject ports you don't use. When setting up firewall rules, use numeric IP addresses to prevent DNS spoofing attacks.

    * Make sure the line `ALL: PARANOID' is in /etc/hosts.deny - this will drop all connections from systems where the connecting IP and DNS do not resolve properly; e.g. if a connect from 10.1.1.1 comes in, and reverse-resolves to proxy.somenet.com, but proxy.somenet.com resolves to 192.168.1.1, the connection is dropped. This prevents DNS spoofing attacks.

    * Think about a chroot()'d webspace. Make sure the chroot() jail is writable only by a privileged user.

    * Never log in as root. Have a user account and use su or sudo.

    * Strong passwords.

    * Never ever perform a privileged operation (like su) over an insecure transport like telnet or rsh. ssh is your friend here.

    * Think about mounting your root partition read-only to prevent trojans. Maybe also set the ext2 immutable flag (chattr +i files) on areas which should not be modified; /bin /sbin /usr/bin /usr/sbin - etc.

    * Run a logwatcher which will filter your logs and mail suspicious entries to you. Abacus logwatcher is good. (http://www.psionic.com/abacus/) Set it up to page your alphapager if something funny happens. (All serious *NIX admins have alphapagers, right? right??)

    * Write an init script to alphapage you when the system changes runlevels.

    * Workstations make bad servers, and vice-versa. Don't use a server as your desktop machine.

    * Once you have a stable configuration, leave it unless you must change something. (bug etc)

    * BUGTRAQ

    * Common sense.
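The `ALL: PARANOID` item in the checklist above, as an added example that was not written by the commenter: a small POSIX sh script that performs the same reverse/forward consistency check, but against constructed PTR and A records instead of a live resolver, so it runs offline. It includes the checklist's own case (10.1.1.1 reverse-resolves to proxy.somenet.com, which forward-resolves to 192.168.1.1) and also the case PARANOID does not cover on its own, a peer with no reverse name at all. The record tables and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Slashdot post): the consistency test behind
# "ALL: PARANOID" in /etc/hosts.deny, run against constructed DNS records
# rather than a live resolver. A connecting address is classified as:
#   ok        reverse name resolves back to the same address
#   paranoid  reverse and forward lookups disagree (what PARANOID matches)
#   unknown   no reverse name at all (tcp_wrappers matches this as UNKNOWN,
#             so "ALL: PARANOID" alone does not drop it)

# Constructed records. PTR: address -> name ("-" = no record). A: name -> address.
PTR_RECORDS='10.1.1.1 proxy.somenet.com
10.1.1.2 www.somenet.com
10.1.1.3 -
10.1.1.4 mail.somenet.com'
A_RECORDS='proxy.somenet.com 192.168.1.1
www.somenet.com 10.1.1.2
mail.somenet.com 10.1.1.4'

# lookup TABLE KEY : print the value recorded for KEY, or nothing if absent
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# classify_peer IP : print ok / paranoid / unknown for the given address
classify_peer() {
    name=$(lookup "$PTR_RECORDS" "$1")
    if [ -z "$name" ] || [ "$name" = "-" ]; then
        echo unknown
        return
    fi
    fwd=$(lookup "$A_RECORDS" "$name")      # forward-resolve the reverse name
    if [ "$fwd" = "$1" ]; then echo ok; else echo paranoid; fi
}

# hosts_deny_verdict IP : exit 0 = accept, 1 = drop, for a hosts.deny
# that contains only "ALL: PARANOID"
hosts_deny_verdict() {
    [ "$(classify_peer "$1")" != "paranoid" ]
}

for ip in 10.1.1.1 10.1.1.2 10.1.1.3 10.1.1.4; do
    if hosts_deny_verdict "$ip"; then v=accept; else v=drop; fi
    printf '%-10s %-9s %s\n' "$ip" "$(classify_peer "$ip")" "$v"
done
```

To use the same logic against real DNS, replace `lookup` with calls to `getent hosts` or `dig +short` for the PTR and A steps. The `unknown` row is the caveat a practitioner wants next to this checklist item: a peer with no reverse record is not a mismatch, so if you also want those dropped you add `ALL: UNKNOWN` (at the cost of refusing every client whose ISP never set up reverse DNS).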