Solved

Precautions to Host my Live application

Posted on 2004-08-19
Last Modified: 2010-03-04
Hi...
I have to host an application developed in .NET live 24/7 on RHL9.0/Apache2.0. I am looking for all the possible precautions which I should take in order to keep this application secure and robust, and how to do them. I am naive to Apache/Linux so I would like to get advice from all the experts. All the help provided will be highly appreciated.
Regards
6 Comments
 
LVL 15

Expert Comment

by:samri
ID: 11849704
Hi Parvinderg,

The very first thing that you may need to do is to secure the server at the OS level: turning off the unneeded services, having a firewall running, and such.

On Apache, you could visit Apache docs website at http://httpd.apache.org/docs-2.0/, and specifically some tips on Security : http://httpd.apache.org/docs-2.0/misc/security_tips.html

Apache itself is considered to be quite mature, and quite stable (performance/security-wise) -  so the apache server is less of your worries.

The next thing to worry about is the application itself -- some of its code may have bugs which lead to "unknown" results.  Check this too.

Apart from these tips, monitor your server closely. mod_status (http://httpd.apache.org/docs-2.0/mod/mod_status.html) is provided with Apache to enable you to view the server status on-line (realtime). This should be able to give you some indication of what is happening, should you think that your Apache is behaving weirdly.


HTH.
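The mod_status monitoring samri suggests can be scripted. The following Python is an added example, not code from this thread or from Apache: it parses the machine-readable view of mod_status (the status URL with `?auto` appended) and warns when the worker pool is nearly exhausted or when most busy workers sit in a single scoreboard state. The status text is constructed for the example, and the 0.8 and 0.75 thresholds are assumptions.

```python
# Constructed sample of mod_status ?auto output: 20 slots, 18 busy,
# 17 of them in the 'W' (sending reply) state.
SAMPLE_STATUS = (
    "BusyWorkers: 18\n"
    "IdleWorkers: 2\n"
    "Scoreboard: " + "W" * 17 + "R" + "__" + "." * 10 + "\n"
)

# Scoreboard legend as printed by mod_status.
SCOREBOARD = {"_": "waiting", "S": "starting", "R": "reading",
              "W": "sending", "K": "keepalive", "D": "dns", "C": "closing",
              "L": "logging", "G": "finishing", "I": "idle_cleanup",
              ".": "open_slot"}
NOT_BUSY = {"waiting", "open_slot", "unknown"}

def parse_status(text):
    """Return the 'Key: value' fields; numeric values become floats."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        try:
            fields[key] = float(value)
        except ValueError:
            fields[key] = value
    return fields

def scoreboard_counts(scoreboard):
    # Count worker slots per state; unexpected characters go to 'unknown'.
    counts = dict.fromkeys(list(SCOREBOARD.values()) + ["unknown"], 0)
    for ch in scoreboard:
        counts[SCOREBOARD.get(ch, "unknown")] += 1
    return counts

def check_status(text, busy_ratio=0.8, stuck_ratio=0.75):
    """Warnings: pool nearly exhausted, or most busy workers in one phase."""
    fields = parse_status(text)
    busy, idle = int(fields["BusyWorkers"]), int(fields["IdleWorkers"])
    counts = scoreboard_counts(fields["Scoreboard"])
    warnings = []
    if busy and busy / (busy + idle) >= busy_ratio:
        warnings.append(f"{busy} of {busy + idle} workers busy")
    state, n = max(((s, c) for s, c in counts.items() if s not in NOT_BUSY),
                   key=lambda sc: sc[1])
    if busy and n / busy >= stuck_ratio:
        warnings.append(f"{n} of {busy} busy workers in state '{state}'")
    return warnings
```

A pool where nearly every busy worker is in 'W' usually points at slow clients or a slow application tier rather than at Apache itself, which is the kind of hint the answer above is after.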
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 250 total points
ID: 11849897
OK, hardening the OS and Apache as explained by samri is necessary as a fallback when your application runs crazy.
You need to review your application to see if it could be threatened, at least by:
   cross-site scripting, HTML injection, SQL injection, OS command injection, buffer overflows, session injection, session hijacking, etc. etc.
All in all, this is called web application security.
LVL 15

Accepted Solution

by:samri
samri earned 250 total points
ID: 11852204
parvinderg,

I think the most *tricky* question (IMHO) that I have come across in EE is -- performance, and security?

I would think that in most cases, we would need to analyze how robust an implementation could be, and how secure we want it to be -- would pretty much depend on what we actually want - and what we could afford to lose.

Apache, and most OSes, are defaulted with a security and performance model that should be at a comfortable level for everyone (IMHO), and personally I would think that these two components would be the least of your attention (as for now).  Try to concentrate on the application -- as Ahoffmann mentioned.

For more information on Unix/Linux security -- you may run a query on any search engine for "unix security", and there should be tons of links that could get you busy (and confused?).

Stokely has a nice collection to start with : http://www.stokely.com/unix.sysadm.resources/security.html -- not that I work for them.

http://www.google.com.my/search?hl=en&ie=UTF-8&q=apache+performance+tuning&btnG=Google+Search
* tons of links.
- http://www.xenoclast.org/doc/benchmark/HTTP-benchmarking-HOWTO/node7.html
- http://www.ece.concordia.ca/~daniel/tips/apache_tuning.html  <-- this one is kinda straight to the point. I never tried it, but looks good.


Author Comment

by:parvinderg
ID: 11874412
Any other suggestions, Mr. Hoffmann or Mr. Samri? Mr. Hoffmann, you have mentioned a couple of ways of reviewing the application. How would you advise me to let the application developer accomplish this task (as I am not developing the application)? Mr. Samri, the link of the company which you are working for is fantastic. I appreciate that.
regards

Author Comment

by:parvinderg
ID: 11895719
I have almost followed all those steps which were mentioned by hoffmann and samri, plus I found very valuable information at http://www.securityfocus.com/infocus/1786.
What's the function of suExec and chroot?
How can I implement those too without disturbing my current configuration or messing up with that?
Any other suggestions which I really need to focus on? How can I test for the security and robustness?
Regards
LVL 15

Assisted Solution

by:samri
samri earned 250 total points
ID: 11934434
hi parvinderg,

Lucky you posted the cross-reference in your other post:

suExec: http://httpd.apache.org/docs-2.0/suexec.html
-- copied from Apache website:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

chroot, or sometimes called "chroot jail", is a feature where you run an application in an environment such that the app only "sees" very limited areas of the OS filesystem.  Any damage that could happen would be limited to those defined by the 'chroot' perimeter (I hope I got the terminology right :)

I never tried doing this, but the following links could get you busy for a while.
http://www.cgisecurity.com/webservers/apache/chrootapache2-howto.html
http://penguin.epfl.ch/chroot.html

cheers.

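The suEXEC documentation linked above describes a series of checks the wrapper performs before it will run a CGI as another user, and a CGI that fails any of them is simply refused. The Python below is an added example, not Apache's code: it mirrors a subset of those checks (uid/gid above a minimum, program under the document root, regular file, no setuid/setgid bit, not world-writable, owned by the target user and group) so you can see why a misconfigured script would be rejected. The minimum uid/gid of 100 and the temporary document root in `demo()` are assumptions.

```python
import os
import stat
import tempfile


def suexec_checks(program, docroot, target_uid, target_gid,
                  min_uid=100, min_gid=100):
    """Reasons a suEXEC-style policy would refuse to run 'program' as
    target_uid:target_gid; an empty list means it passes (assumed subset)."""
    reasons = []
    if target_uid < min_uid or target_gid < min_gid:
        reasons.append("target uid/gid below configured minimum")
    docroot = os.path.abspath(docroot)
    directory = os.path.dirname(os.path.abspath(program))
    if os.path.commonpath([docroot, directory]) != docroot:
        reasons.append("program directory is outside the document root")
    try:  # lstat, so a symlink never passes the regular-file test below
        dst, fst = os.lstat(directory), os.lstat(program)
    except OSError as exc:
        return reasons + [f"cannot stat target: {exc}"]
    if not stat.S_ISREG(fst.st_mode):
        reasons.append("program is not a regular file")
    if fst.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("program is setuid or setgid")
    for label, st in (("directory", dst), ("program", fst)):
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{label} is writable by others")
        if (st.st_uid, st.st_gid) != (target_uid, target_gid):
            reasons.append(f"{label} not owned by target user/group")
    return reasons


def demo():
    """Constructed doc root: one CGI that passes, then is made world-writable."""
    with tempfile.TemporaryDirectory() as root:
        cgi_dir = os.path.join(root, "cgi-bin")
        os.mkdir(cgi_dir)
        os.chmod(cgi_dir, 0o755)
        script = os.path.join(cgi_dir, "hello.cgi")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho 'Content-Type: text/plain'\necho\necho hi\n")
        os.chmod(script, 0o755)
        st = os.lstat(script)
        args = (root, st.st_uid, st.st_gid)
        ok = suexec_checks(script, *args, min_uid=0, min_gid=0)
        os.chmod(script, 0o777)  # world-writable CGI must be refused
        bad = suexec_checks(script, *args, min_uid=0, min_gid=0)
        return ok, bad
```

When a real suEXEC refuses a script, the reason is logged to its own log file rather than Apache's error_log, so that is the first place to look while adding it to an existing configuration.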