
Home Web Server Security Part 2

By Allen Kenner

In my last article I brought up the dangers that are involved in hosting a Web Server using your home computer, and how fast a web server can be taken down. This article is going to discuss what you can do to prevent hack attacks, and also help you learn about web servers in general.

For those of you who weren't scared away by the last article and really do want a Web server in your home, there are a few things you should know first.

Section 1

You can generally set up most web servers to provide directory- and file-level security based on usernames and passwords. This of course won't make your server un-hackable, but it will be a start. One thing I'd like to point out before I go any further:

"Security is a process, not a program."

No program or application, no matter what it costs, should make you sleep well at night with regard to security. History has shown us that most applications have their own security problems as well. In Windows server systems, IIS is usually the web server that is used. Some of the things you can do to help with security under IIS include:

From Security Complete:

--Use "Secure Sockets Layer" (SSL) and "Transport Layer Security" (TLS) protocols to authenticate users and send things over the network or Internet that you want to keep from prying eyes.

You've probably seen this before. When you go to your bank's website, you may notice "HTTPS" instead of "HTTP" at the beginning of the URL bar. That tells you they are using a secure server so people aren't snooping your data as easily as they could with HTTP, which sends the data in a plain text format that anyone can read with a packet sniffer. For Secure Channels which offer "Confidential Encrypted Financial Transactions" you may want to look into the "Server Gated Cryptography" (SGC) protocol.

Sources of additional information:

Apache is the most popular web server software in existence. For Web Applications, it is often used with Linux, a MySQL database, and the programming language known as Perl. This combination is often referred to as LAMP.

More Security Tips: Access Permissions

I'm going to use SUSE Linux in this example as it's not only a good OS, it's easy to lock down. By default, the DocumentRoot directory in /srv/www/htdocs and the CGI directory belong to root. Unless you know what you are doing, you should leave this alone. Why? Because if anyone can write to them, they could put anything they want on the server, including viruses and backdoor applications. Additionally, it's not a good idea to provide Apache with write access to the data and scripts it delivers.

If you want others to be able to write something in the Document Directory of Apache, don't make it writable by all. Instead, make a directory such as /srv/www/htdocs/DirectoryYouMake; that way you aren't compromising security. If you have multiple users on the system, this is where the default directory in home folders on SUSE systems named "public_html" comes in handy.
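One way to check the ownership rules above on your own server, as an added example that is not part of the original article. The function name audit_docroot, its output labels and the optional web-server group argument are assumptions made for illustration.

```shell
# Added example: audit a web root against the ownership rules described above.
# Arguments: DIR [OWNER] [WEB_GROUP]. OWNER defaults to root; WEB_GROUP is
# optional and is the group your Apache worker processes run under (an
# assumption to adjust for your own system).
audit_docroot() {
    dir=$1
    owner=${2:-root}
    webgroup=${3:-}
    if [ ! -d "$dir" ]; then
        echo "audit_docroot: not a directory: $dir" >&2
        return 2
    fi
    report=$(
        # Writable by everyone: any local account could plant files here.
        # Symlinks are skipped because their own mode bits are not enforced.
        find "$dir" ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
        # Not owned by the expected account (root for the defaults above).
        find "$dir" ! -user "$owner" -exec printf 'UNEXPECTED-OWNER %s\n' {} \;
        # Group-writable by the server's group: Apache could alter what it serves.
        if [ -n "$webgroup" ]; then
            find "$dir" ! -type l -group "$webgroup" -perm -0020 \
                -exec printf 'SERVER-WRITABLE %s\n' {} \;
        fi
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed demo tree: a clean web root plus one world-writable directory.
demo=$(mktemp -d)
mkdir "$demo/htdocs" "$demo/htdocs/uploads"
echo '<h1>test</h1>' > "$demo/htdocs/index.html"
chmod 755 "$demo/htdocs"
chmod 644 "$demo/htdocs/index.html"
chmod 777 "$demo/htdocs/uploads"
# The demo tree is owned by whoever runs this, so pass that UID instead of root.
audit_docroot "$demo/htdocs" "$(id -u)" || echo "review the paths listed above"
rm -rf "$demo"
```

On a real server you would run it as `audit_docroot /srv/www/htdocs` and expect no output and an exit status of 0.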

Say you have a user named "jimbo" on your system, and want to put things on the web server from the home directory. You would put them into the public_html directory, and then use the following to find it: http://www.someExamplePage.com/~jimbo

This would display files in the public_html directory without having to provide users with root access to your web server. It also wouldn't hurt to keep an eye on /var/log/apache.

This can help you find out specifically what is going on. If you have problems with your server, always check there first. Also remember that Apache itself needs root permissions to run properly. The processes that it spawns, however, do not. For more information on Apache, and some of the technologies you can use with it, extra security tips and more, check out the following sites:

In closing

I tried to make this article easy to follow so that anyone with a bit of web experience would be able to learn from it. Entire books have been written about web servers, and just as many have been written about security for those web servers. I wanted to provide an introduction to the subject, and then provide some links to sites where the reader can find additional information.

A Final Word on Security

Some people say that the reason Microsoft Windows has so many security issues is because it's the most popular operating system with more users than any other. They say that "if as many people used Linux or BSD as they do Windows, those OSes would have just as many problems." The stats on the use of the Apache web server make that hard to believe, because it still has many more users than IIS. Finally, even if you aren't running a web server, be sure to keep your system updated with the latest patches. The security of your system depends on it!
