Solved

Precautions to Host my Live application

Posted on 2004-08-19
Last Modified: 2010-03-04
Hi...
I have to host an application developed in .NET live 24/7 on RHL9.0/Apache2.0. I am looking for all the possible precautions which I should take in order to keep this application secure and robust, and how to do them. I am naive to Apache/Linux, so I would like to get advice from all the experts. All the help provided will be highly, highly appreciated.
Regards
Question by:parvinderg
6 Comments
 
LVL 15

Expert Comment

by:samri
ID: 11849704
Hi Parvinderg,

The very first thing that you may need to do is to secure the server at the OS level: turning off the unneeded services, having a firewall running, and such.

On Apache, you could visit the Apache docs website at http://httpd.apache.org/docs-2.0/, and specifically some tips on security: http://httpd.apache.org/docs-2.0/misc/security_tips.html

Apache itself is considered to be quite mature and quite stable (performance/security-wise), so the Apache server is the lesser of your worries.

The next thing to worry about is the application itself, since some code may have bugs which lead to "unknown" results. Check this too.

Apart from these tips, monitor your server closely. mod_status (http://httpd.apache.org/docs-2.0/mod/mod_status.html) is provided with Apache to enable you to view the server status on-line (real time). This should be able to give you some indication of what is happening, should you think that your Apache is behaving weirdly.


HTH.
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 1000 total points
ID: 11849897
OK, hardening the OS and Apache as explained by samri; this is necessary as a fallback when your application runs crazy.
You need to review your application for whether it could be threatened, at least by:
   cross-site scripting, HTML injection, SQL injection, OS command injection, buffer overflows, session injection, session hijacking, etc. etc.
All in all, this is called web application security.
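One way for the application developer to start the review ahoffmann describes, as an added example that is not part of the original thread: a heuristic grep pass over ASP.NET/C# source for three of the listed classes, SQL injection (a SQL keyword inside a string literal that is then concatenated with `+`), cross-site scripting (request data written to the response without HtmlEncode) and OS command injection (request data reaching Process.Start). The sample source lines are constructed here; the patterns only point a human reviewer at suspicious lines and cannot prove a bug is absent, and they say nothing about buffer overflows or session handling, which need a manual review.

```shell
#!/bin/sh
# Heuristic first-pass source review for SQL injection, XSS and OS command injection
# in ASP.NET/C# code. Constructed example: the sample lines are made up, not from
# the asker's application. Findings are hints for a human reviewer, not proof.

# Write a constructed sample source file to $1.
write_sample_source() {
    cat > "$1" <<'EOF'
// constructed sample, not real application code
string sql = "SELECT * FROM users WHERE name = '" + Request["user"] + "'";
SqlCommand cmd = new SqlCommand("SELECT id FROM orders WHERE id = @id", conn);
Response.Write(Request.QueryString["msg"]);
Response.Write(Server.HtmlEncode(Request.QueryString["msg"]));
Process.Start("/bin/ls", Request["dir"]);
Process.Start("/usr/bin/logger", "login ok");
EOF
}

# Print "class: line N:code" for each suspicious line in $1. Always returns 0.
review_source() {
    f=$1
    # a SQL keyword inside a string literal that is then concatenated with '+'
    grep -En '(SELECT|INSERT|UPDATE|DELETE)[^"]*"[[:space:]]*\+' "$f" \
        | sed 's/^/SQL injection (query built by concatenation, use parameters): line /'
    # request data written straight into the response without HtmlEncode
    grep -n 'Response\.Write(.*Request' "$f" | grep -v 'HtmlEncode' \
        | sed 's/^/XSS (request data echoed unencoded): line /'
    # request data reaching a process launch
    grep -En 'Process\.Start\(.*Request' "$f" \
        | sed 's/^/OS command injection (request data reaches a process): line /'
    return 0
}

# Stand-alone run over the constructed sample: lines 2, 4 and 6 are flagged,
# the parameterized query, the encoded output and the fixed argument are not.
tmp=$(mktemp -d)
write_sample_source "$tmp/Sample.cs"
review_source "$tmp/Sample.cs"
rm -rf "$tmp"
```

For a real tree, run `review_source` on each `.cs` and `.aspx` file (`find . -name '*.cs' -exec sh -c 'review_source "$1"' _ {} \;` after sourcing the script). The three safe lines in the sample are the fixes the reviewer should be asking for: a parameterized SqlCommand instead of string building, Server.HtmlEncode on anything echoed back, and no request-derived arguments to Process.Start at all.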
 
LVL 15

Accepted Solution

by:samri
samri earned 1000 total points
ID: 11852204
parvinderg,

I think the most *tricky* question (IMHO) that I have come across on EE is: performance, or security?

I would think that in most cases we would need to analyze how robust an implementation could be, and how secure we want it to be; this would pretty much depend on what we actually want, and what we could afford to lose.

Apache and most OSes come with a default security and performance model that should be at a comfortable level for everyone (IMHO), and personally I would think that these two components are the least of your worries (as for now). Try to concentrate on the application, as ahoffmann mentioned.

For more information on Unix/Linux security, you may run a query on any search engine for "unix security", and there should be tons of links that could get you busy (and confused?).

Stokely has a nice collection to start with: http://www.stokely.com/unix.sysadm.resources/security.html (not that I work for them).

http://www.google.com.my/search?hl=en&ie=UTF-8&q=apache+performance+tuning&btnG=Google+Search
* tons of links.
- http://www.xenoclast.org/doc/benchmark/HTTP-benchmarking-HOWTO/node7.html
- http://www.ece.concordia.ca/~daniel/tips/apache_tuning.html  <-- this one is kind of straight to the point. I never tried it, but it looks good.


Author Comment

by:parvinderg
ID: 11874412
Any other suggestions, Mr. Hoffmann or Mr. Samri? Mr. Hoffmann, you have mentioned a couple of ways of reviewing the application. How would you advise me to let the application developer accomplish this task (as I am not developing the application)? Mr. Samri, the link of the company which you are working for is fantastic. I appreciate that.
Regards
 

Author Comment

by:parvinderg
ID: 11895719
I have almost followed all those steps which were mentioned by hoffmann and samri, plus I found very valuable information at http://www.securityfocus.com/infocus/1786.
What's the function of suExec and chroot?
How can I implement those too without disturbing my current configuration or messing it up?
Any other suggestions which I really need to focus on? How can I test for the security and robustness?
Regards
 
LVL 15

Assisted Solution

by:samri
samri earned 1000 total points
ID: 11934434
hi parvinderg,

Lucky you posted the cross-reference in your other post:

suExec: http://httpd.apache.org/docs-2.0/suexec.html
-- copied from Apache website:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

chroot, or sometimes called "chroot jail", is a feature where you run an application in an environment such that the app only "sees" a very limited area of the OS filesystem. Any damage that could happen would be limited to the area defined by the 'chroot' perimeter (I hope I got the terminology right :)

I never tried doing this, but the following links could get you busy for a while.
http://www.cgisecurity.com/webservers/apache/chrootapache2-howto.html
http://penguin.epfl.ch/chroot.html

cheers.
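The mechanical part of the chroot setup samri describes, as an added example that is not taken from the linked HOWTOs: a jail is only useful if the program and every shared library it loads exist inside it, so the script below builds that skeleton by copying one program and the libraries `ldd` reports into a jail directory, preserving their absolute paths. The jail path and program are arguments (the stand-alone run uses /bin/sh under a temporary directory); the actual `chroot(8)` call, which needs root, is deliberately not performed here.

```shell
#!/bin/sh
# Build the skeleton of a chroot jail for one program: copy the program and every
# shared library ldd reports into the jail directory, preserving absolute paths.
# Added example, not from the linked HOWTOs. The jail path and program are
# arguments; calling chroot(8) afterwards needs root and is not done here.

# populate_jail JAIL_DIR /path/to/program  -> lists the files placed in the jail
populate_jail() {
    jail=$1
    prog=$2
    mkdir -p "$jail$(dirname "$prog")"
    cp "$prog" "$jail$prog"
    # ldd output looks like "libc.so.6 => /lib/libc.so.6 (0x...)" or
    # "/lib/ld-linux.so.2 (0x...)"; every field starting with '/' is a file to copy.
    # A statically linked program yields no paths, so only the program is copied.
    ldd "$prog" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        | sort -u \
        | while read -r lib; do
            [ -f "$lib" ] || continue
            mkdir -p "$jail$(dirname "$lib")"
            cp "$lib" "$jail$lib"
        done
    # Libraries loaded at run time with dlopen (name-service modules such as
    # libnss_files, PAM, Apache DSO modules) do not appear in ldd output and must
    # be added by hand, together with /dev/null, the config and log directories.
    # List what ended up in the jail.
    find "$jail" -type f | sort
}

# Stand-alone run: jail a copy of /bin/sh under a temporary directory.
jail=$(mktemp -d)
populate_jail "$jail" /bin/sh
rm -rf "$jail"
```

For httpd the same function is run once for the httpd binary and once for each helper it executes (suexec, CGI interpreters), then the ServerRoot, DocumentRoot, logs directory and /dev/null are created inside the jail before the init script is changed to start the daemon with `chroot`. suEXEC itself needs no jail work: once the suexec wrapper is installed setuid root, the Apache 2.0 directive `SuexecUserGroup user group` inside a VirtualHost tells httpd which unprivileged account that host's CGI and SSI programs run as.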
