DevShed: Webserver Security (Part I)

[ Thanks to Randy
for this link. ]

“If you examine the security problems reported with stolen
credit card numbers or web server defacements in the last few
months, it becomes obvious that many web applications have been
slapped together with little care or planning for security.
What are the most common problems leading to insecure
webservers and how does one avoid them? How can one as a customer
or end user recognize if a server fulfills the most elemental
security requirements?”

“An analysis of the reported security flaws shows that most
problems fall into one of three categories:

  • The server offers services to the public it was not intended to
  • The server keeps supposedly private data in publicly accessible
  • The server trusts data from untrustworthy sources.”

“Obviously many server operators have never had a look at their
machines from the outside, for example with a port scanner. If they
had, they would not be operating so many services on their machines
which have no place on a production server or which need not be
accessible from all IP addresses. One prominent example was
featured on the Heise newsticker. This particular server, a German
bookstore, was being operated completely without a firewall (“for
performance reasons”) and exported several filesystems via Sun
Network Filesystem, world-writable. Their Oracle database was
connectable from everywhere, too. For increased convenience,
passwords for Oracle connections were stored in scripts available
from the exported network drives. Could this be your server? Have
you looked recently?”
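The two checks the quoted passage asks for (is anything exported world-writable, and is anything listening that should never face the Internet) can be automated. The script below is an added example, not code from the DevShed article or from this site. It runs offline on constructed samples: a small /etc/exports table written to resemble the bookstore's setup, and one line of greppable output as `nmap -oG -` would print it. Against a real host you would feed it your own /etc/exports and the output of `nmap -sT -oG - <host>` run from outside your network; the port list it flags (111 portmapper, 2049 NFS, 1521 Oracle listener) is an assumption chosen to match the services named in the article, not a complete policy.

```shell
#!/bin/sh
# Added example (not from the DevShed article): audit an NFS exports table for
# world-writable exports and a greppable nmap scan for services that should
# not be reachable from the public Internet.
set -eu

# Constructed sample in /etc/exports syntax, modelled on the article's bookstore.
# "*(...)" and a bare "(...)" both mean "any client".
SAMPLE_EXPORTS='/export/home    *(rw,no_root_squash)
/export/scripts 192.168.1.0/24(rw) *(ro)
/export/www     10.0.0.5(ro)
/export/backup  (rw)'

# Constructed sample of "nmap -sT -oG - 203.0.113.10" output for the same host.
SAMPLE_NMAP='Host: 203.0.113.10 (shop.example)  Ports: 80/open/tcp//http///, 111/open/tcp//rpcbind///, 2049/open/tcp//nfs///, 1521/open/tcp//oracle///, 22/open/tcp//ssh///'

# world_writable_exports EXPORTS_TEXT
# Prints the path of every export that grants rw to any client, one per line.
world_writable_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                split($i, parts, "(")          # "host(opts)" -> host, opts
                host = parts[1]; opts = parts[2]
                # no host, or "*", means every client; rw must be a whole option
                if ((host == "*" || host == "") && opts ~ /(^|,)rw([,)]|$)/)
                    print $1
            }
        }'
}

# exposed_services NMAP_GREPPABLE_LINE
# Prints "port/service" for open TCP ports on an assumed deny list:
# portmapper (111), NFS (2049) and the Oracle listener (1521).
exposed_services() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F/ '
        /open\/tcp/ {
            sub(/^.*Ports: /, "")              # drop the Host: prefix
            sub(/^[[:space:]]+/, "")           # drop the space after each comma
            port = $1; svc = $5                # fields: port/state/proto/owner/service
            if (port == 111 || port == 2049 || port == 1521)
                print port "/" svc
        }'
}

echo "World-writable NFS exports:"
world_writable_exports "$SAMPLE_EXPORTS"
echo "Services that should not be Internet-reachable:"
exposed_services "$SAMPLE_NMAP"
```

The exports parser expects /etc/exports syntax; the output of `showmount -e` on a remote host has a different layout (path followed by the client list) and would need a separate parser. Note that `192.168.1.0/24(rw) *(ro)` is correctly not flagged: the world gets read-only access there, which may still be a data leak, but it is not the world-writable case the article describes.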