Linux Today: Linux News On Internet Time.

DevShed: Webserver Security (Part I)

Apr 20, 2000, 16:33
(Other stories by Kristian Köhntopp)

[ Thanks to Randy Cosby for this link. ]

"If you examine the security problems reported with stolen credit card numbers or web server defacements in the last few months, it becomes obvious that many web applications have been slapped together with little care or planning for security. What are the most common problems leading to insecure webservers and how does one avoid them? How can one as a customer or end user recognize if a server fulfills the most elemental security requirements?"

"An analysis of the reported security flaws shows that most problems belong into one of three categories:

  • The server offers services to the public it was not intended to offer.
  • The server keeps supposedly private data in publicly accessible areas.
  • The server trusts data from untrustworthy sources."

"Obviously many server operators have never had a look at their machines from the outside, for example with a port scanner. If they had, they would not be operating so many services on their machines which have no place on a production server or which need not be accessible from all IP addresses. One prominent example was featured on the Heise newsticker. This particular server, a German bookstore, was being operated completely without a firewall ("for performance reasons") and exported several filesystems via Sun Network Filesystem world-writeable. Their Oracle database was connectable from everywhere, too. For increased convenience, passwords for Oracle connections were stored in scripts available from the exported network drives. Could this be your server? Have you looked recently?"
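The first two of the three categories quoted above (unintended public services, private data in public areas) can be checked from the host itself before anyone scans it from outside. The following is an added example, not code from the Linux Today digest or from Kristian Köhntopp's article: it audits listening sockets against an explicit allowlist of intended public ports and flags NFS exports that are writable by any host. It assumes input in the layout of `ss -ltn` output and `/etc/exports` syntax; the sample lines embedded below are constructed, and the allowlist (`INTENDED_PUBLIC_PORTS`) is a hypothetical operator decision.

```python
"""Audit a host's network exposure against an explicit allowlist.

Added example (not part of the Linux Today digest or the DevShed article).
Assumptions: listening sockets are given in the layout printed by `ss -ltn`,
and NFS exports in /etc/exports syntax. All sample data here is constructed.
"""
import re

# Constructed sample of what `ss -ltn` might print on a web server.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:1521       0.0.0.0:*
LISTEN  0       128     0.0.0.0:2049         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Constructed sample /etc/exports.
EXPORTS = """\
# shared web content
/var/www      192.168.1.0/24(ro,sync)
/home/scripts *(rw,no_root_squash)
/srv/backup   *(ro)
"""

# Hypothetical allowlist: the only ports this host is meant to serve publicly.
INTENDED_PUBLIC_PORTS = {80, 443}
# Addresses that are not reachable from outside the host.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_text):
    """Return (address, port) tuples for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, port = local.rpartition(":")  # IPv6 addresses contain ':'
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def unintended_public_listeners(ss_text, intended=INTENDED_PUBLIC_PORTS):
    """Category 1: services listening on non-loopback addresses that are not
    on the allowlist. Returns a list of (address, port) findings."""
    findings = []
    for addr, port in parse_listeners(ss_text):
        if addr in LOOPBACK:
            continue  # bound to loopback only; not exposed to the network
        if port not in intended:
            findings.append((addr, port))
    return findings


EXPORT_RE = re.compile(r"^(\S+)\s+(.+)$")


def world_writable_exports(exports_text):
    """Category 2: NFS exports granted read-write to any client ('*')."""
    findings = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, clients = m.groups()
        for client in clients.split():
            host, _, opts = client.partition("(")
            options = opts.rstrip(")").split(",")
            if host == "*" and "rw" in options:
                findings.append(path)
    return findings


if __name__ == "__main__":
    for addr, port in unintended_public_listeners(SS_OUTPUT):
        print(f"unexpected public listener: {addr}:{port}")
    for path in world_writable_exports(EXPORTS):
        print(f"world-writable NFS export: {path}")
```

On the constructed sample, the Oracle listener on 127.0.0.1:1521 is accepted because it is loopback-only, while NFS (2049) and SSH (22) on all interfaces are reported for the operator to either add to the allowlist deliberately or restrict; `/home/scripts` is reported as a world-writable export. Running the real `ss -ltn` from another host's point of view (a port scan, as the article suggests) remains the confirming check, since a host firewall can hide listeners that this host-side view still shows.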
