Yohei, On 27-Sep-01 Ray Dillinger wrote:
On Thu, 27 Sep 2001, Boris Lorenz wrote:
Hi,
On 27-Sep-01 Ray Dillinger wrote:
I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
[...]
I consider it mistaken to have lax security on a machine because it's "internal" -- that sets up a situation where one subverted machine destroys the security of the whole network. That may be tolerable if you're responsible for a hundred machines and you can't possibly keep idiots off of them, but when you have just six machines and nobody who isn't you ever has the console, it's just lazy.
Quite right. Personally I think a little paranoia here and there does a world of good to any system, even if it's "just" a small lil' client in a small lil' net. However, if we're talking about a privately used home PC with only a modem to connect to the internet, things like SuSE personal firewall should suffice. It would be kinda overblown to do a full security audit for a home PC, although a good practice.
This one box I'm worried about in particular because of the presence of gcc, etc. And firewall config on it is really irritating because of the particular nature of the software I'm developing -- it tends to have fights with the firewall because it has to connect to other machines on pseudo-randomly determined ports.
Hm, I see.
on it, or just your client PC connected via ISDN/cable/modem. If it is a publicly accessible server I would definitely firewall it, no matter how many backups I'd have to reconstruct the system. There are many ways to "own" (crack) an improperly secured web server,
Agreed. I guess I want to know about properly securing a webserver and where I can read about properly securing webservers. I have done all I know to do to secure it, but what might I have missed?
SuSE's Marc Heuse has put up some documents on how to set up a secure web server (in German): http://www.suse.de/de/linux/docu/webserver/

For the protection of Apache (I guess you use this one, right?), take a look at: http://httpd.apache.org/docs/misc/security_tips.html

Openwall offers good security patches for your kernel: http://www.openwall.com/linux/

...and of course the good old security-HOWTO, and sites like www.securityfocus.com, www.securityportal.com, cve.mitre.org and others. I also recommend the book "Practical Unix and Internet Security" (O'Reilly), a very usable and readable introduction to Unix/Linux security.
Bear
Happy reading,
Boris Lorenz