
Topic awaiting preservation: Security

 
Genevieve
Paranoid (IV) Inmate

From: Santa Clara, CA, USA
Insane since: Jul 2002

posted 10-30-2002 02:52

For my System's Programming project we're creating a site using Apache, mySQL, PHP, and XHTML. MY computer is going to be the server...and I was wondering if there's anything I can read about or dl to protect my computer from hackers. My firewall prevents everyone from viewing the stuff so I can't have it up while we're doing the project...a total of about 2 months.

I wasn't sure where to post this, I hope it's the right page.

Genevieve

Wowzers! o.O

Visit my cell! 754

maninacan
Paranoid (IV) Inmate

From: Seattle, WA, USA
Insane since: Oct 2001

posted 10-30-2002 03:00

You need to sanitize every little bit of input. That's one of the main things that people forget to do. They think they're safe because they have a firewall.

behmer - Google Bomb, for my dad's site.
kewlster

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 10-30-2002 04:17

Genevieve: Is this site actually going to be online from there or are you just testing it on this computer?

If you are just testing things then it should be OK; if not, then you need to take the same kind of precautions that you would with a PHP site hosted elsewhere. Thanks to mr.maX, InI and others we have kicked this around before; see this FAQ:

What are the security problems with using PHP and how can I fix them?

___________________
Emps

FAQs: Emperor

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 10-30-2002 09:24

You should really be able to tell your firewall to let through the traffic for Apache, while still blocking everything else.
That's my advice. Don't dump the firewall completely.

cycus
Nervous Wreck (II) Inmate

From:
Insane since: Nov 2000

posted 10-30-2002 12:02

What OS are you running your web server on, and how is your firewall being done?

[This message has been edited by cycus (edited 10-30-2002).]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 10-30-2002 18:10

You didn't mention the OS, but here are just the general concepts.

First, OS security, for whatever your OS is. If you are using a Linux-based solution that you can choose, my understanding is that FreeBSD is supposed to be the most secure out of the box. Then only allow those processes that you need: httpd, ftpd, some sort of mail daemon and sshd for remote access. Just google Linux or Windows security to find out more. Also, if you are doing a fresh install of a Linux, just install what you need.

Then server security: the best place for Apache info is straight from them, the Apache.org security tips.

PHP security, again straight from the source.



.:[ Never resist a perfect moment ]:.

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 10-30-2002 18:17

If you have your firewall locking down everything, how are you going to be remotely accessing the files? I would assume that you would need some ports open, such as your FTP server and, for viewing purposes, the HTTP server.

I would think that the majority of the security issues are going to revolve around the use of PHP and making sure your input is appropriately validated. The other issue that you would want to look into is the actual security of the box you are using. If you are using Microsoft then I don't think you can actually have security. The new EULAs, along with code that no one has seen or been able to test outside of the corporation, could cause some holes that might not be fixed on time. With Microsoft, using email on the server in question could be a big issue, since Outlook is a big opening for potential problems.

If you are using a *nix solution you could find yourself being a bit more secure. You will need to keep up to date on the security fixes and make sure you are able to test and implement them in a timely fashion. *nix systems are good but are far from perfect. You can easily implement a firewall, and there are many different programs that can be used to ensure protection; most of these tools revolve around log monitoring and analysis, and they are very helpful. Another useful tool would be Tripwire, which can help you make sure that your box is not being touched in the wrong way.

I am sure that there are tools for windows that would perform similar functions. You just have to be on your toes.

If you are going to be a no-name site that is just being built and you do not have a domain pointing to you (i.e. your home box, and you are accessing it via http://localhost or via the IP), then your main concern for hack attempts will be script kiddies; you will not really draw the attention of those who have a purpose. What you will have to watch out for more than anything is where the port scans are coming from, and making sure you have a handle on blocking those IPs from touching your machine. If you keep those away you will not find yourself in too much trouble.

Good luck on your endeavor.
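The input-validation point made by maninacan and WarMage above, shown in the thread's own stack (PHP talking to MySQL), as an added example that is not code from the thread. It assumes a hypothetical `users(id, username, email)` table and placeholder database credentials; the vulnerable version is kept only to show what the hardened version changes.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical table
// users(id INT, username VARCHAR, email VARCHAR) and placeholder credentials.
// Requires the mysqli extension built on mysqlnd (for get_result()).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- Vulnerable: the request value is pasted straight into the SQL text. ---
// A single quote in $username ends the string literal, and whatever follows
// is parsed as SQL. This is the hole a firewall does nothing about, because
// the request arrives on the very port (80) the firewall has to leave open.
function find_user_unsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// --- Hardened: validate the shape, then bind the value as data. ---
function find_user_safe(mysqli $db, string $username): ?array
{
    // Allow-list the input first: usernames here are 1-32 word characters.
    // Anything else is rejected before it reaches the database at all.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        return null;
    }
    // Prepared statement: the placeholder is filled by the driver, so the
    // bound value can never change the structure of the query.
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Output encoding is the other half of "sanitize every bit of input":
// anything echoed back into XHTML is escaped so stored data cannot inject markup.
function render_user(?array $row): string
{
    if ($row === null) {
        return '<p>No such user.</p>';
    }
    $name  = htmlspecialchars($row['username'], ENT_QUOTES | ENT_XHTML, 'UTF-8');
    $email = htmlspecialchars($row['email'],    ENT_QUOTES | ENT_XHTML, 'UTF-8');
    return "<p>User: {$name} &lt;{$email}&gt;</p>";
}

// Placeholder credentials: use a dedicated, least-privilege MySQL account
// (SELECT only on the tables the page needs), never root.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

$username = $_GET['user'] ?? '';
echo render_user(find_user_safe($db, $username));
```

The regex allow-list and the prepared statement are independent layers: the allow-list rejects malformed input early and keeps the error surface small, while the bound parameter is what actually guarantees the value cannot be interpreted as SQL. Escaping on output is what protects the XHTML page itself, and it must use the document's real character set, so `set_charset` and the `'UTF-8'` argument should agree.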

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 10-30-2002 18:19

I don't think FreeBSD is the most secure. I am pretty sure OpenBSD has the best security currently. Not 100% sure, but FreeBSD does have a really good implementation of TCP/IP.

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 10-30-2002 18:38

Yeah, I couldn't remember which of those it was; you are probably right.



.:[ Never resist a perfect moment ]:.

cycus
Nervous Wreck (II) Inmate

From:
Insane since: Nov 2000

posted 10-31-2002 02:13

It's traditionally maintained that OpenBSD has the best out-of-the-box security posture, but that precludes any modification; for example, a default install is not going to be running Apache. I would say it's more important to find an OS you are comfortable with and able to configure adequately; don't count on security claims for a vanilla install.

FreeBSD's ports tree makes it pretty easy to stay up-to-date on installed packages, like your webserver, MySQL, PHP. People tell me that Debian Linux has a good package system as well.

abb
Bipolar (III) Inmate

From: Victoria, BC
Insane since: Mar 2002

posted 11-08-2002 05:21

Actually, bitdamaged, I heard from the FreeBSD guru of our local ISP that for a webserver you basically only want httpd, inetd/ftpd, and sshd; sendmail poses a security threat unless you get multiple mail filtering software packages to protect the computer.

httpd for webserving
inetd or ftpd for ftp
sshd for secure shell

"If you don't use it; lose it"

Also, I've heard that FreeBSD has the best implementation of the TCP/IP stack... don't know if that has any merit though.

[edit] found it!
``FreeBSD ... provides what is probably the most robust and capable TCP/IP stack in existence ...''
http://freebsd.org/internet.html
[/edit]

ABB--The guy with a FreeBSD Server



[This message has been edited by abb (edited 11-08-2002).]

Genevieve
Paranoid (IV) Inmate

From: Santa Clara, CA, USA
Insane since: Jul 2002

posted 11-12-2002 22:17

This is all great stuff! Thanks so much for the help.

To answer a few questions:

The OS is Win 98 2nd edition (not wonderful, but what I've got x.x).
My firewall right now blocks anything incoming unless I say it's okay physically, and all outgoing except things I've specified (like IE and AIM) that I use all the time, or I will have to approve it physically.
My computer will be used for both testing and as the actual server of this web-site. It won't have to be up for long, just long enough to present in class and to the people we hope to sell it to once the class is done, and we should be the only people accessing the information (the key word there is SHOULD... should doesn't mean we will be. I've had plenty of hack attempts on my computer... and those are only the ones I KNOW about lol).

I'll look through all the links you've specified and ask if I have any other questions.

I just wanted to say thanks too for all the help everyone has been for me! I really appreciate it! You guys have sure helped me out on projects for both work and school and I coulda done it w/out ya...but not as well, not as easily, and not as quickly. lol. :-D

Genevieve

Genevieve

Wowzers! o.O

Visit my cell! 754

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 11-13-2002 00:11

If you are running windows 98 I would really recommend that you don't. If there is a money concern with the box, then a *nix variety would be the way I would go, and I would recommend FreeBSD, as that is what I rely on daily.

If money is not an issue and you are comfortable with Windows I would really recommend an upgrade to 2000. If you are running a server on Windows 98 you are just asking for trouble, probably in more ways than security.

I couldn't even get into them all.

A *nix build wouldn't cost you a thing and it would get you the best security you will be able to find for an inexpensive computer. The windows variants can't even touch it.

I really don't recommend Windows software ever, but 2000 or XP would be a much better choice than 98, and if you will not leave Windows for a fear of the unknown, it would be smart to move in the direction of an OS upgrade.
