• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 460
  • Last Modified:

Web Server Security

Hello experts,

I am looking for assistance dealing with hacking web servers.  I administer a web server and our on-site security expert showed me a list of items he was able to gain access to on my server.  However, he would not tell me what tool he used to hack into my server.  

My concern is this: if he can hack into the server, so can anyone else. Is there a list of do's and don'ts for web server security?

I am running a Domino server configuration with Sametime running on top of it. I am also fairly new at web servers and am learning that there is more to securing databases than ACLs. If anyone can assist with specific information or publications (i.e. ebooks preferred!), I am willing to consider upping the point value.

Thanks in advance.
3 Solutions
One of the best tools is NESSUS.

You can also use nmap.

The key to securing any machine is to start secure.

It's no good having secure apps, and a secure web server, if your base os is wide open.

Look at the base OS you are running; I'd assume you are very familiar with it? If not, get help from someone who is, or ask other specific questions on how to secure it.

But basically, turn off all non-essential services.
Apply the latest security patches. Don't run telnet and ftp; run ssh and scp/sftp.

Then look at best practice for Domino and Sametime, which will be two different approaches.

You basically need to tie down both until they break, then wind back a small bit.
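A concrete way to act on the "turn off all non-essential services" and "don't run telnet and ftp" advice above is to audit what is actually listening and compare it against an allowlist. The script below is an added example, not code from the answer or from any product mentioned; it parses Windows-style `netstat -an` output (the sample here is constructed) and reports listeners outside an assumed allowlist, singling out the cleartext-protocol ports the answer names.

```python
import re

# Constructed sample of `netstat -an` output on a Windows host; not taken
# from the question. TCP 1352 (Notes RPC) and TCP 1533 (Sametime
# community service) are the Domino/Sametime ports this example assumes.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1533           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:3321      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# Assumed allowlist for a Domino/Sametime web server: HTTP, HTTPS,
# Notes RPC and the Sametime community port. Adjust per host.
ALLOWED_LISTENERS = {("TCP", 80), ("TCP", 443), ("TCP", 1352), ("TCP", 1533)}

# Ports whose protocols send credentials in cleartext; the answer above
# says to replace these with ssh and scp/sftp.
CLEARTEXT_PORTS = {("TCP", 21): "ftp", ("TCP", 23): "telnet"}

# Matches one netstat row: proto, local addr, local port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output):
    """Return sorted (proto, port) pairs that accept traffic:
    TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = set()
    for line in netstat_output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, blank line, or something we don't recognise
        proto, _local, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not services
        listeners.add((proto, int(port)))
    return sorted(listeners)


def audit_listeners(listeners, allowed=ALLOWED_LISTENERS):
    """Compare listeners to the allowlist. Returns a dict with:
    'unexpected': listeners not in the allowlist,
    'cleartext':  (proto, port, name) for known cleartext protocols."""
    unexpected = [lp for lp in listeners if lp not in allowed]
    cleartext = [(p, n, CLEARTEXT_PORTS[(p, n)])
                 for (p, n) in listeners if (p, n) in CLEARTEXT_PORTS]
    return {"unexpected": unexpected, "cleartext": cleartext}


if __name__ == "__main__":
    # On a real host: pipe `netstat -an` output into parse_listeners instead.
    found = parse_listeners(SAMPLE_NETSTAT)
    report = audit_listeners(found)
    for proto, port in report["unexpected"]:
        print("not in allowlist: %s/%d" % (proto, port))
    for proto, port, name in report["cleartext"]:
        print("cleartext protocol still enabled: %s on %s/%d" % (name, proto, port))
```

The point of the allowlist (rather than a blocklist of bad ports) is that anything not explicitly justified shows up as a finding, which is how "tie down until it breaks, then wind back a small bit" gets done in practice. On a real server, run the audit again after each change and after every patch cycle, since updates can re-enable services.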
clkm84Author Commented:
Thank you - after posting this I discovered more options available on the Domino server side and implemented more security in that respect.

Thank you for the web link to the Nessus site - the tasks running on the server have already been tightened (running Windows Server 2003 OS).

I appreciate your guidance and quick response. As for best practices, there is a ton of information for Domino server and, due to its abilities, there is a lot of information to sift through. Sametime info will refer you back to the Domino best practices since Sametime is running on top of Domino.
First off, if your security expert will not tell you what tools he used, I would consider another expert.
Second, get GFI LANguard, Nessus or N-Stalker; they are all good programs.
> is there a list of do's and don'ts for web server security.
As said before, the most critical part is the applications running within your web server. In particular, anything generating dynamic content is probably vulnerable to gaining access to your web server. That could be anything from simple SSI, CGI called by the server, or embedded functionality (PHP, FastCGI, etc.) to fat application servers.

If all these applications are developed with security in mind, and your server is fully patched, the chances are good that hacking gets complicated.

For the applications the most important thing is:
   don't trust any input (neither from the browser nor any backend database) until you have verified and sanitized it yourself
   All input is evil until sanitized. Dot.

Unfortunately there is not much software around to check and/or secure your server. They are either $$$$ or more or less improper for testing web applications (including Nessus, sorry) :-(

If you're interested in more details, just let me know. But then you need to provide more details about your platform, and whether you want to (penetration) test your application or permanently secure your web server.
Abhoffman is correct. The least you can do is make sure all your web applications (any software, actually) are up to date with the current stable releases and patches. The harder it is for someone to hack, the less chance they are going to spend time trying. Remember, a majority of your so-called hackers only know how to use someone else's hack and don't know how to attempt one originally.

The vulnerability scanning software is only a guideline, and that is only if you know what it is you are looking at. Never depend on that stuff alone. I suggest GFI because it gives you a bit more information and has a GUI for easier navigation.

If you are really concerned about the security, try to find someone who is familiar with IDS and IPS and ask them to test your server. You may or may not have to pay a fee for this service, depending on who you know and trust.

Since you stated you have an on-site security professional, I am assuming you are already taking measures. My only concern with my previous post was that it seemed from your posting that all he does is scan the servers and does nothing to fix them. On top of that, he was not willing to share the information as to how he found these problems. I would ask him some questions:

1. Was it an external or internal test?
2. Did he use privileged information not commonly known to a hacker (like an escalated account that is not easily known)?
3. What does he suggest to do to fix the problem? (Since it seems it is not his job to fix but just to inform.)
> .. your web applications (any software actually) is up to date with the current stable releases and patches.
No, this is not what I meant. It's a precondition for anything else.
I meant that each application (written in ASP, JSP, Perl, PHP, whatever) has to do proper sanity checks!

Also keep in mind that "application scanners" are totally different to "network/port scanners". There are some products which use both worlds, like nessus, but for a secure web server you should insist on specialized application scanners (ports 80, 443 only).
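The two points made above, "all input is evil until sanitized" and "each application has to do proper sanity checks", come down to a few concrete habits in whatever language the application is written in: validate every parameter against an allowlist before using it, never build a query by string concatenation, and encode data for the context it is written into, including data read back from the database. The Python below is an added illustration of those habits and is not code from this thread or from Domino; the parameter names `user` and `page`, the `users` table and the sample rows are all assumptions of the example.

```python
import html
import re
import sqlite3

# Allowlist patterns for the two parameters this example accepts (assumed names).
# Anything that does not match is rejected outright rather than "cleaned up".
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
PAGE_RE = re.compile(r"^[1-9][0-9]{0,3}$")


class InvalidInput(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def validate_username(raw):
    """Accept only short usernames made of letters, digits, '_', '.' and '-'."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise InvalidInput("username rejected")
    return raw


def validate_page(raw):
    """Accept only a positive integer of up to four digits; return it as int."""
    if not isinstance(raw, str) or not PAGE_RE.fullmatch(raw):
        raise InvalidInput("page rejected")
    return int(raw)


def lookup_user(conn, username):
    """Parameterized query: the value is bound, never concatenated into SQL."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchone()


def render_greeting(name):
    """Output encoding for an HTML context. Applied to the value read from the
    database, so data that reached the DB through another path is still safe here."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def handle_request(conn, params):
    """Process one request's query parameters (a dict). Returns (status, body)."""
    try:
        username = validate_username(params.get("user", ""))
        page = validate_page(params.get("page", "1"))
    except InvalidInput as exc:
        return 400, str(exc)
    row = lookup_user(conn, username)
    if row is None:
        return 404, "no such user"
    return 200, render_greeting(row[1]) + "<!-- page %d -->" % page


def make_demo_db():
    """Constructed in-memory table standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for sample in ({"user": "alice"}, {"user": "' OR 1=1 --"},
                   {"user": "<script>"}, {"user": "bob", "page": "x"}):
        print(sample, "->", handle_request(db, sample))
```

Note the split of responsibilities: validation rejects bad input at the edge, the parameterized query makes the database layer indifferent to what the value contains, and output encoding protects the browser regardless of where the string came from. Dropping any one of the three is what scanners tend to find.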
clkm84Author Commented:
Thank you all for your responses... I now have some guidelines to assist me with security policies on my web server.

Currently, my application is internal only (i.e. intranet); my concern is that I've recently been told it may be going external (internet) to allow access by other users.

I've decided to up the points to 300 and split them between the 3 of you.

Thanks again for the assistance.
clkm84Author Commented:
This is to increase the points - now I have to figure out how to split them - sorry to be a pain - first time awarding points and trying to split them up.