Home Web Server Security Part 2
For those of you who weren't scared away by the last article and really do want a Web server in your home, there are a few things you should know first.
Section 1
You can generally set up most web servers to provide directory and file level security based on usernames and passwords. This of course won't make your server un-hackable, but it will be a start. One thing I'd like to point out before I go any farther:
"Security is a process, not a program."
From Security Complete:
--Use "Secure Sockets Layer" (SSL) and "Transport Layer Security" (TLS) protocols to authenticate users and send things over the network or Internet that you want to keep from prying eyes.
You've probably seen this before. When you go to your bank's website, you may notice "HTTPS" instead of "HTTP" at the beginning of the URL bar. That tells you they are using a secure server, so people can't snoop on your data as easily as they could with HTTP, which sends the data in plain text that anyone can read with a packet sniffer. For secure channels which offer "Confidential Encrypted Financial Transactions", you may want to look into the "Server Gated Cryptography" (SGC) protocol.
Sources of additional information:
- Windows Server 2003 guide
- Windows Server System Info Page
- IIS Answers
- IIS Answers and Resources
- The IIS FAQ
- Tutorial for Installing IIS on Windows XP Professional
- Another IIS FAQ
More Security Tips: Access Permissions
I'm going to use SUSE Linux in this example as it's not only a good OS, it's easy to lock down. By default, the DocumentRoot directory in /srv/www/htdocs and the CGI directory belong to root. Unless you know what you are doing, you should leave this alone. Why? Because if anyone can write to them, they could put anything they want on the server, including viruses and backdoor applications. Additionally, it's not a good idea to provide Apache with write access to the data and scripts it delivers.
If you want others to be able to write something in the Document Directory of Apache, don't make it writable by all; just make a directory such as /srv/www/htdocs/DirectoryYouMake, and that way you aren't compromising security. If you have multiple users on the system, this is a time where the default directory in home folders on SUSE systems named "public_html" comes in handy.
Say you have a user named "jimbo" on your system, and want to put things on the web server from the home directory. You would put them into the public_html directory, and then use the following to find it: http://www.someExamplePage.com/~jimbo
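As an added example (not from the original article), the following POSIX shell script audits a DocumentRoot tree for the two conditions the text warns about, world-writable entries and entries not owned by the expected owner, and creates a dedicated writable subdirectory instead of opening up the whole tree. The directory paths and the owner argument are assumptions for illustration; on a real SUSE system you would point it at /srv/www/htdocs with owner root.

```shell
#!/bin/sh
# Audit an Apache DocumentRoot the way the article recommends: nothing under it
# should be world-writable, and everything should belong to root (or the owner
# you pass in). Paths and owner below are assumptions, not SUSE defaults.

# Print every entry under $1 that is writable by "other" (octal 002 bit set).
find_world_writable() {
    find "$1" -perm -002 -print
}

# Print every entry under $1 that is not owned by $2 (default: root).
find_not_owned_by() {
    owner=${2:-root}
    find "$1" ! -user "$owner" -print
}

# Return 0 when the tree is clean, 1 when any offending entry exists.
# Offending entries are printed so they can be reviewed (or logged).
audit_docroot() {
    dir=$1
    owner=${2:-root}
    bad=$( { find_world_writable "$dir"; find_not_owned_by "$dir" "$owner"; } | sort -u )
    if [ -n "$bad" ]; then
        printf 'offending entries under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Create a group-writable drop directory (mode 775) rather than making the
# DocumentRoot itself writable by all. Assign the group with chgrp afterwards
# if a dedicated content group exists (assumed, not set up here).
make_drop_dir() {
    mkdir -p "$1" && chmod 775 "$1"
}
```

Run `audit_docroot /srv/www/htdocs root` from cron and treat a non-zero exit as something to investigate.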
This would display files in the public_html directory without having to provide users with root access to your web server. It also wouldn't hurt to keep an eye on /var/log/apache.
This can help you find out specifically what is going on. If you have problems with your server, always check there first. Also remember that Apache itself needs root permissions to start properly; the worker processes that it spawns, however, do not. For more information on Apache, and some of the technologies you can use with it, extra security tips and more, check out the following sites:
In closing
I tried to make this article easy to follow so that anyone with a bit of web experience would be able to learn from it. Entire books have been written about web servers, and just as many have been written about security for those web servers. I wanted to provide an introduction to the subject, and then provide some links to sites where the reader can find additional information.
A Final Word on Security
Some people say that the reason Microsoft Windows has so many security issues is because it's the most popular operating system, with more users than any other. They say that "if as many people used Linux or BSD as they do Windows, those OSes would have just as many problems." The stats on the use of the Apache web server make that hard to believe, because it still has many more users than IIS. Finally, even if you aren't running a web server--be sure to keep your system updated with the latest patches--the security of your system depends on it!