If you’re running a web server you need to be aware of security issues that can impact your business. Hackers patrol the web and are always looking for new domains that have not got up-to-date security on their systems. They then use these vulnerable systems to break into other machines, and other nefarious activities.
Basic Web Security
There are some basic security rules you need to keep in mind when securing your web server.
- Passwords
Keep your web server password secure, don’t share it with other people (or write it down), and follow good password security. Your password should not be a word found in any dictionary, should include both letters and non-letters, use different cases, and be more than 6 characters long. An easy way to remember a good password is to think of a sentence and use the first (or last) letters and punctuation as your password. The number 2 for "to", 3 for "the", and so on. - Security through Obscurity
Never think that because your domain is small, your site is about an obscure topic, or you get few hits, you’re not vulnerable. There are tools that allow crackers to poll the Internet for new IPs and they will attempt to break in within hours of your site going up. - Bragging Rights
It is never a good idea to brag. Remember that many big security websites have been hacked. The US White House site has been hacked, as has the US FBI website. Unless your company specializes in website security, bragging that you have a hacker-proof site will only present a challenge to the crackers.
Securing Web Servers
If you are hosting your website on your own server, you need to pay particular attention to security. You should probably install intrusion detection software such as Tripwire. Here are some other basic steps you can take to help create a more secure website:
- Look at the Account Running the Server
Servers running on Unix and Linux should be run as an account with little or no access. If you need a web user, then make sure that that user account has no permissions on the server. NEVER RUN YOUR SERVER AS ROOT. It is better to run the server as "nobody", and only run as a web user if you absolutely have to. - Secure Your CGI-BIN Directory
Make sure that your interpreters (programs that run your CGIs) are not stored in your cgi-bin directory. Perl, sh, Tcl, and so on, should be in directories that are not accessible from the web. CGI programs that use an interpreter should call that interpreter with the first line of the CGI. - Secure Your CGIs and PHP Scripts
The most common problem with CGIs is that they allow readers to input anything to the web server. For example, if you have a web form that doesn’t check the data before passing it to the server, a hacker using your site could type in code to view your/etc/passwdfile.
The best place to go to learn about security on the internet is the CERT Coordination Center. There you can find out about new vulnerabilities and solutions immediately.
