Solved

Precautions to Host my Live application

Posted on 2004-08-19
Last Modified: 2010-03-04
Hi...
I have to host an application developed in .NET live 24/7 on RHL9.0/Apache2.0. I am looking for all the possible precautions which I should take in order to keep this application secure and robust, and how to do them. I am naive to Apache/Linux, so I would like to get advice from all the experts. All the help provided will be highly appreciated.
Regards
Question by:parvinderg
Expert Comment

by:samri
Hi Parvinderg,

The very first thing that you may need to do is to secure the server at the OS level: turning off the unneeded services, having a firewall running, and such.

On Apache, you could visit the Apache docs website at http://httpd.apache.org/docs-2.0/, and specifically some tips on Security: http://httpd.apache.org/docs-2.0/misc/security_tips.html

Apache itself is considered to be quite mature, and quite stable (performance/security-wise) - so the apache server is less of your worries.

The next thing to worry about is the application itself -- some of its code may have bugs which lead to "unknown" results.  Check this too.

Apart from these tips, monitor your server closely. mod_status (http://httpd.apache.org/docs-2.0/mod/mod_status.html) is provided with apache to enable you to view the server status on-line (realtime). This should be able to give you some indication of what is happening, should you think that your apache is behaving weirdly.


HTH.
Assisted Solution

by:ahoffmann
OK, hardening the OS and Apache as explained by samri is necessary as a fallback when your application runs crazy.
You need to review whether your application could be threatened by at least:
   cross-site scripting, HTML Injection, SQL Injection, OS Command injection, buffer overflows, session injection, session hijacking, etc. etc.
All in all, this is called web application security.
Accepted Solution

by:samri
parvinderg,

I think the most *tricky* question (IMHO) that I have come across in EE is -- performance, and security?

I would think that in most cases we would need to analyze how robust an implementation could be, and how secure we want it to be -- which would pretty much depend on what we actually want - and what we could afford to lose.

Apache and most OSes are shipped with a default security and performance model that should be at a comfortable level for everyone (IMHO), and personally I would think that these two components would be the least of your attention (as for now).  Try to concentrate on the application -- as ahoffmann mentioned.

For more information on Unix/Linux security -- you may run a query on any search engine for "unix security", and there should be tons of links that could get you busy (and confused ?).

Stokely has a nice collection to start with: http://www.stokely.com/unix.sysadm.resources/security.html -- not that I work for them.

http://www.google.com.my/search?hl=en&ie=UTF-8&q=apache+performance+tuning&btnG=Google+Search
* tons of links.
- http://www.xenoclast.org/doc/benchmark/HTTP-benchmarking-HOWTO/node7.html
- http://www.ece.concordia.ca/~daniel/tips/apache_tuning.html  <-- this one is kinda straight to the point. I never tried it, but it looks good.

Author Comment

by:parvinderg
Any other suggestions, Mr. Hoffmann or Mr. Samri? Mr. Hoffmann, you have mentioned a couple of ways of reviewing the application. How would you advise me to let the application developer accomplish this task (as I am not developing the application)? Mr. Samri, the link of the company which you are working for is fantastic. I appreciate that.
Regards

Author Comment

by:parvinderg
I have almost followed all those steps which were mentioned by hoffmann and samri, plus I found very valuable information at http://www.securityfocus.com/infocus/1786.
What's the function of suExec and chroot?
How can I implement those too without disturbing my current configuration or messing it up?
Any other suggestions which I really need to focus on? How can I test for the security and robustness?
Regards
Assisted Solution

by:samri
hi parvinderg,

Lucky you posted the cross-reference in your other post:

suExec: http://httpd.apache.org/docs-2.0/suexec.html
-- copied from Apache website:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

chroot, sometimes called a "chroot jail", is a feature where you run an application in an environment such that the app only "sees" very limited areas of the OS filesystem.  Any damage that could happen would be limited to those areas defined by the 'chroot' perimeter (I hope I got the terminology right :)

I never tried doing this, but the following links could get you busy for a while.
http://www.cgisecurity.com/webservers/apache/chrootapache2-howto.html
http://penguin.epfl.ch/chroot.html

cheers.
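As an added illustration of the suEXEC part of the answer above (an example configuration written for this page, not taken from the thread or from the Apache project; the hostname, the appuser/appgrp account, and the /var/www/app paths are assumptions):

```apache
# Added example: an Apache 2.0 virtual host that uses suEXEC so the
# application's CGI scripts run as a dedicated unprivileged account
# rather than as the web server's own user. Names and paths are assumed.

# Apache itself keeps running under its normal low-privilege identity;
# suEXEC only changes who the *scripts* run as.
User apache
Group apache

<VirtualHost *:80>
    ServerName app.example.com
    DocumentRoot /var/www/app/htdocs

    # mod_suexec: CGI/SSI spawned for this vhost run as appuser:appgrp.
    # The setuid wrapper refuses to run if the target UID/GID is below the
    # compile-time minimum (so it can never hand out root), if the script
    # lives outside the compiled-in document root, or if the script or its
    # directory is writable by anyone but appuser. A compromised script is
    # therefore confined to what appuser may touch.
    SuexecUserGroup appuser appgrp

    # The script directory and scripts must be owned by appuser:appgrp.
    ScriptAlias /cgi-bin/ /var/www/app/cgi-bin/
    <Directory /var/www/app/cgi-bin>
        Options ExecCGI
        # Do not let .htaccess files inside the app tree relax this policy.
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

When the setuid wrapper is present, Apache 2.0 records "suEXEC mechanism enabled (wrapper: ...)" in its error log at startup; running `suexec -V` as root prints the compile-time limits (minimum UID/GID, the document root scripts must live under, and the suexec log path), which is the first thing to check if scripts stop executing after the change.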