
Secure Web Sites and Servers
Security is a Serious Concern, and Web Servers are Not Invulnerable

By Jennifer Kyrnin, About.com

If you're running a Web server you need to be aware of security issues that can impact your business. Hackers patrol the Web and are always looking for new domains that do not have up-to-date security on their systems. They then use these vulnerable systems to break into other machines and for other nefarious activities.

Basic Web Security
There are some basic security rules you need to keep in mind when securing your Web server.

  • Passwords
    Keep your Web server password secure, don't share it with other people (or write it down), and follow good password security. Your password should not be a word found in any dictionary, should include both letters and non-letters, use different cases, and be more than 6 characters long. An easy way to remember a good password is to think of a sentence and use the first (or last) letters and punctuation as your password, substituting the number 2 for "to", 3 for "the", and so on.

  • Security through Obscurity
    Never assume that because your domain is small, your site covers an obscure topic, or you get few hits, you are not vulnerable. There are tools that let crackers poll the Internet for newly active IP addresses, and they will attempt to break in within hours of your site going up.

  • Bragging Rights
    It is never a good idea to brag. Remember that many big security Web sites have been hacked. The US White House site has been hacked, as has the US FBI Web site. Unless your company specializes in Web site security, bragging that you have a hacker-proof site will only present a challenge to the crackers.

Web Servers
If you are hosting your Web site on your own server, you need to pay particular attention to security. You should probably install intrusion detection software such as Tripwire. Here are some other basic steps you can take to help create a more secure Web site:

  • Running the Server
    Servers running on Unix and Linux should run under an unprivileged account with little or no access. If you need a dedicated Web user, make sure that user account has no other permissions on the server. NEVER RUN YOUR SERVER AS ROOT. It is better to run the server as "nobody", and only run as a Web user if you absolutely have to.

  • CGI-BIN Directory
    Make sure that your interpreters (the programs that run your CGIs) are not stored in your cgi-bin directory. Perl, sh, Tcl, and so on, should live in directories that are not accessible from the Web. CGI programs that need an interpreter should call it through the first line of the CGI script (the "#!" line), rather than having the interpreter itself reachable under cgi-bin.

  • Insecure CGIs
    The most common problem with CGIs is that they let readers send any input at all to the Web server. For example, if you have a Web form that does not check the data before passing it to the server, a hacker using your site could type in code to view your /etc/passwd file. There is a CERT tech tip that explains how this attack works.
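The input check the article calls for, as an added example that is not part of the original article: a small CGI handler in Python (the same pattern applies to the Perl, sh and Tcl CGIs the article mentions) that accepts the "page" form parameter only if it matches an allow-list and confines file reads to the document root, never passing user input to a shell. The document root path, the "page" parameter name and the ".html" suffix are assumptions made for this example.

```python
#!/usr/bin/env python3
# Added example, not from the article: a CGI handler that checks form input
# before using it, instead of handing it straight to the server or a shell.
import os
import re
from urllib.parse import parse_qs

DOC_ROOT = "/var/www/pages"  # assumed document root (placeholder path)
# Allow-list for the "page" parameter: letters, digits, "_", "-" and ".",
# not starting with a dot and never containing "/" or shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}")

def parse_query(query_string):
    """Parse QUERY_STRING into a dict of single values (first value wins)."""
    pairs = parse_qs(query_string, keep_blank_values=True)
    return {key: values[0] for key, values in pairs.items()}

def validate_page(value):
    """Return the page name if the whole value matches the allow-list, else None."""
    if value is None or not SAFE_NAME.fullmatch(value):
        return None
    return value

def resolve_under_root(name, root=DOC_ROOT):
    """Map a name to a file under root; refuse anything that escapes it.
    Defence in depth: even if the allow-list were loosened, "../" can
    never reach a file such as /etc/passwd outside the document root."""
    real_root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(real_root, name + ".html"))
    if os.path.commonpath([real_root, path]) != real_root:
        return None
    return path

def handle(query_string, root=DOC_ROOT):
    """Return (status, body) for a request; no shell is ever involved."""
    page = validate_page(parse_query(query_string).get("page"))
    if page is None:
        return 400, "Bad Request: invalid page name"
    path = resolve_under_root(page, root)
    if path is None:
        return 400, "Bad Request: path outside document root"
    try:
        with open(path, encoding="utf-8") as page_file:
            return 200, page_file.read()
    except OSError:
        return 404, "Not Found"

if __name__ == "__main__":
    status, body = handle(os.environ.get("QUERY_STRING", ""))
    print(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}")
```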

The best place to go to learn about security on the Internet is the CERT Coordination Center. There you can find out about new vulnerabilities and solutions immediately.


©2009 About.com, a part of The New York Times Company.

All rights reserved.