Home Web Server Security Part 2
For those of you who weren't scared away by the last article and really do want a Web server in your home, there are a few things you should know first.
Section 1
You can generally set up most web servers to provide directory- and file-level security based on usernames and passwords. This of course won't make your server un-hackable, but it will be a start. One thing I'd like to point out before I go any further: "Security is a process, not a program."
No program or application, no matter what it costs, should make you sleep well at night with regard to security. History has shown us that most applications have their own security problems as well. On Windows server systems, IIS is usually the web server that is used. Some of the things you can do to help with security under IIS include:
From Security Complete:
- Use "Secure Sockets Layer" (SSL) and "Transport Layer Security" (TLS) protocols to authenticate users and send things over the network or Internet that you want to keep from prying eyes.
You've probably seen this before. When you go to your bank's website, you may notice "HTTPS" instead of "HTTP" at the beginning of the URL bar. That tells you they are using a secure server, so people can't snoop on your data as easily as they could with HTTP, which sends the data in a plain text format that anyone can read with a packet sniffer. For secure channels that offer "Confidential Encrypted Financial Transactions", you may want to look into the "Server Gated Cryptography" (SGC) protocol.
Sources of additional information:
- Windows Server 2003 guide
- Windows Server System Info Page
- IIS Answers
- IIS Answers and Resources
- The IIS FAQ
- Tutorial for Installing IIS on Windows XP Professional
- Another IIS FAQ
More Security Tips: Access Permissions
I'm going to use SUSE Linux in this example as it's not only a good OS, it's easy to lock down. By default, the DocumentRoot directory in /srv/www/htdocs and the CGI directory belong to root. Unless you know what you are doing, you should leave this alone. Why? Because if anyone can write to them, they could put anything they want on the server, including viruses and backdoor applications. Additionally, it's not a good idea to provide Apache with write access to the data and scripts it delivers. If you want others to be able to write something in the document directory of Apache, don't make it writable by all; just make a directory such as /srv/www/htdocs/DirectoryYouMake, and that way you aren't compromising security. If you have multiple users on the system, this is where the default directory named "public_html" in home folders on SUSE systems comes in handy.
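To check an existing install against the ownership advice above, here is a small audit function. It is an added example, not part of the original article; the function name, the labels it prints, and the directory and account you pass in are assumptions to adapt to your own system.

```shell
#!/bin/sh
# Added example: audit a web root against the ownership rules in this section.
# audit_docroot DIR WEBUSER [WRITABLE_SUBDIR]
#   DIR             document root, e.g. /srv/www/htdocs
#   WEBUSER         account (name or numeric uid) the server's child processes
#                   run as; assumed to be known from your Apache configuration
#   WRITABLE_SUBDIR the one directory you deliberately opened for writing,
#                   given exactly as DIR/subdir (optional)
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_docroot() {
    dir=$1 webuser=$2 writable=${3:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Let find itself confirm the account exists, so a typo is not read as "clean".
    find /dev/null -user "$webuser" >/dev/null 2>&1 ||
        { echo "unknown user: $webuser" >&2; return 2; }

    # Rule 1: nothing may be writable by everyone. Symlinks always report
    # mode 777, so they are skipped.
    ww=$(find "$dir" ! -type l -perm -0002 2>/dev/null |
         sed 's/^/WORLD-WRITABLE /')

    # Rule 2: the server account should not own what it serves. The deliberately
    # writable subdirectory is pruned from this check only.
    set -- "$dir"
    [ -n "$writable" ] && set -- "$@" -path "$writable" -prune -o
    owned=$(find "$@" ! -type l -user "$webuser" -print 2>/dev/null |
            sed 's/^/SERVER-OWNED /')

    [ -n "$ww" ] && printf '%s\n' "$ww"
    [ -n "$owned" ] && printf '%s\n' "$owned"
    [ -z "$ww$owned" ]
}
```

Run it as root so that find can read every directory, for example from a nightly cron job, and treat any output as something to fix or to explain.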
Say you have a user named "jimbo" on your system, and want to put things on the web server from the home directory. You would put them into the public_html directory, and then use the following to find it: http://www.someExamplePage.com/~jimbo
This would display files in the public_html directory without having to provide users with root access to your web server. It also wouldn't hurt to keep an eye on /var/log/apache.
This can help you find out specifically what is going on. If you have problems with your server, always check there first. Also remember that Apache itself needs root permissions to run properly. The processes that it spawns, however, do not. For more information on Apache, and some of the technologies you can use with it, extra security tips and more, check out the following sites: