robertdims
The best method to protect our web server

We will soon have a server remotely hosted by Rackhost; it will be Linux 7.2, and they will supply the hardware firewall as well as tape backup.

From our side, how best to protect the server from hacking and stop these "money-demanding emails or we will shut down your server" types of threats?

It will be a very large-scale portal with a database of up to 500MB, and once it's up and running, we simply can't afford for it to go down.

Many thanks for the help.
ASKER CERTIFIED SOLUTION
Pete Long
I would start the securing process at the OS/application level; the firewall (while essential) should only be the icing on the cake, not the be-all of security. I'm not an expert in Linux security, so I can only point you towards some good reading:

http://www.sans.org/rr/whitepapers/linux/
http://www.sans.org/rr/whitepapers/webservers/
Patch the server and any applications/services that run on it, and keep your AV up to date. Audit your code for potential bugs or holes. Block all ports except what is absolutely needed. Get an IDS so you'll know when you're under attack, then block the attacker as fast as you can. Snort has an Inline feature that can do this very well. Follow the best practices on Apache's security page, and never run as root unless necessary.

-rich
x4h

7.2 of what? Is it the latest version of the operating system?

There are so many things that need to be secured on the box; it all depends on what you're running, who needs to access what, etc.

A few things you will want to keep in mind:

* Disable insecure logins to the box such as telnet and use SSH2 (sshd).
* Disable direct root login; do not have any accounts you can log in to which have root access. I'd suggest making logins only via certificates (a lot more secure than using passwords), then give the root password only to the people who need root access. They can then "su -" to root once they have logged into the box.
* Block ALL ports you're not using. For example, if you only need people to access the website, then only have ports 22 (ssh), 80 (web) and 443 (https) open.
* Keep your box updated with the latest patches (software and OS).

If it's that important that your website stays up and secure, then you're best getting somebody with good Linux security knowledge to secure your box and keep it secure; you don't want to find out the hard way that you've missed something.
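As an added example (not code from this thread), a small POSIX shell audit of the sshd_config settings x4h lists: SSH protocol 2 only, no direct root login, key-based logins instead of passwords. The defaults it assumes are those of the OpenSSH 3.x that shipped with Red Hat 7.x, and the sample config it checks is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings x4h lists (SSH protocol 2 only, no direct root login, key-based
# logins instead of passwords). Defaults assumed are those of the OpenSSH
# 3.x shipped with Red Hat 7.x; a constructed sample config is used below.

# Effective value of a keyword: OpenSSH honours the first uncommented
# occurrence, so print that one; fall back to the given default.
sshd_opt() {            # $1 = config file, $2 = keyword, $3 = default
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Report each weak setting; the return code is the number of findings.
audit_sshd() {          # $1 = path to sshd_config
    fails=0
    proto=$(sshd_opt "$1" Protocol "2,1")
    [ "$proto" = 2 ] ||
        { echo "FAIL: Protocol '$proto' allows SSH1; set 'Protocol 2'"; fails=$((fails+1)); }
    root=$(sshd_opt "$1" PermitRootLogin yes)
    [ "$root" = no ] ||
        { echo "FAIL: PermitRootLogin '$root'; set 'no' and use 'su -'"; fails=$((fails+1)); }
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    [ "$pw" = no ] ||
        { echo "FAIL: PasswordAuthentication '$pw'; set 'no', log in with keys"; fails=$((fails+1)); }
    key=$(sshd_opt "$1" PubkeyAuthentication yes)
    [ "$key" = yes ] ||
        { echo "FAIL: PubkeyAuthentication '$key'; keys must stay enabled"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample that looks like a stock config: root login is left at
# its default (the line is commented out) and passwords are still accepted.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

n=0; audit_sshd "$SAMPLE" || n=$?
echo "findings: $n"          # 2 for the sample above
rm -f "$SAMPLE"
```

Run it against a copy of /etc/ssh/sshd_config; a non-zero exit code means at least one of the four settings still needs changing.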
There are a few risk assessments you may need to consider when building a high-availability web site. Security is only one factor. My first question is whether you want to add high-availability features as well?

As for the OS: we use RedHat 7.3 for web sites and I think it is a very stable OS.
x4h drew pretty much the correct picture. Also, keep a few more things in mind: disable the ability to browse the website and allow only authorized FTP sessions from authorized locations (i.e. IP identification as well as user name and password, configurable through the firewall).

Cyber
7.3 is outdated and no longer supported by Red Hat, meaning that no patches etc. will come out for it. It's best to run a supported OS (in Red Hat's case, Red Hat Enterprise or Fedora).
x4h,
I know that but the 7.3 turned out to be the most stable one (more than the Fedora, as workstation and RedHat's servers).

Cyber
I've run 7.3 up to 9 and am currently running Enterprise AS.

Enterprise is stable, and if you're thinking of running a server on Red Hat you should seriously consider upgrading.

The point still remains that anything that is unsupported by the creators shouldn't be run, as it's a security risk.
> From our side, how best to protect the server from hacking  ..
About the firewall and hardening the OS, see the previous comments.
Then, if you've done that, secure your web app: check **all** input and sanitize or reject it if it is not what you expect.
Hi,

Read this?

http://www.giac.org/practical/GCUX/Jacqui_Chau_GCUX.pdf

This is a great howto for hardening a web server, including Snort for intrusion detection (IDS); it covers everything you'll need to know and is based on Red Hat.

May I ask you to consider Debian stable?
The APT packaging system with security updates is great.

It has this great feature where security fixes can be automatically downloaded etc.

http://channels.lockergnome.com/linux/archives/20020305_updating_debian_security_patches.phtml

Noordeloos
Nice SANS document, but it does not contain anything about web server (just chrooted) nor web application security :-((
No web application security again :-(
and basic security for the server only.

but lets stop posting links 'til the questioner gets back ...
There is this filter at http://glob.com.au/http_filter/ . Okay, that's not all:
I modified the script myself so that when someone tries to bring your server down through the basic holes there are in the server, it will block network access from that IP.
Under "#return 403 error message" ... "$client->close" I put the iptables script example.
Okay, this isn't the most secure way, as I had to let the script run as root to get iptables working inside the script.

    # ... after the 403 has been returned and $client->close has run:
    # Only hand a well-formed dotted-quad address to iptables, and use the
    # list form of system() so $client_ip is never expanded by a shell.
    if ($client_ip =~ /^(?:\d{1,3}\.){3}\d{1,3}$/) {
        # -I inserts the rule at the top of INPUT; -D with the same arguments
        # deletes it again when the address should be unblocked. -j REJECT
        # instead of DROP answers with an ICMP error rather than staying silent.
        system "/sbin/iptables", "-I", "INPUT", "-p", "tcp", "-s", $client_ip,
               "-i", "eth1", "-j", "DROP";
    }
In a nutshell, if you really want to secure a critical web app:

1.  Perform a vulnerability assessment scan on your webservers or other related hardware
2.  Harden and Patch as directed (and read up on such tasks)
3.  Have an application assessment (web app pen test) performed.
4.  Use an "application" firewall such as Netcontinuum's product (policy based or zero day detection).  Not your typical Cisco Pix or Stateful Inspection box.
5.  Make sure you have good disaster recovery or business continuity plans



nouellette offered the only advice I think you should listen to, but should have started with:

1)  Hire a security consultant to do this.

If you are running a major portal with a big database, and are paying to have it hosted, then you will want strong security. You are already running 2 strikes down because you have combined the presentation layer, application layer and database all on the same box, and that means that compromising your system is that much easier: if they root your web server, they've also gained full control of your database (and data).

You should really consider a 3-tier design, with a minimum of 2 firewalls, and only back up from the data tier. To achieve high security on this model, I believe you will want consulting help.
Again, I should shout but won't: firewalls (network or application layer) and OS hardening, as well as proper setup of services, are only a second or third line of defence. You have to check your applications. Each input is evil until you've sanitized/checked it yourself. No way around this. Sorry.
But hiring a specialised security consultant, probably pen testing too, could help, agreed.
ahoffman,  ???  

I'm in complete agreement, which is why I stated that nouellette had great advice.  I added 2 things, which was to provide a tiered approach to properly insulate the application layer, and getting professional help.

Now that you've focused the lens on the application space, I'll build on what you and nouellette stated:  To help ensure application-level security I would recommend a code walkthrough with an application security professional, coupled with a scan from a tool like WebInspect or AppScan as well.  That should expose clusters of security defects for deeper remediation efforts.

I'd also counsel a vulnerability assessment instead of an attack & penetration effort, and the vulnerability assessment should focus on 4 aspects of the system: 1) network, 2) hosts, 3) application, 4) database.

Take care,
1cissp
Any updates, questions concerns?
-rich