Installation of a secure Web server (5)

Source: Internet
Author: User

Update! A system that is not kept up to date with the latest security patches will soon become an attacker's target.

After you have completed all the work required to configure your secure system, remember that CGI scripts will be the biggest security risk. Most successful attacks are carried out through these scripts. The simple advice is to use CGI scripts that are publicly available and have been used by different websites for a while; if administrators have to write CGI scripts themselves, these programs should be routinely reviewed by others for security problems.

Conclusion

A very secure and highly available Web server (it seems paradoxical, but it is a good compromise) can be configured in just 45 minutes. Of course you can do more to improve the security level of your system, but the systems configured here are sufficient for most applications.

More information on Linux and security

If you decide to choose Linux, you should be thankful that you can use a lot of good security programs for free, something other Unix and Windows platforms cannot match. To find the right tool, SecurityFocus [9] and Packetstorm [10] are two of the better starting points.

To date, SuSE Linux is the most security-dedicated and secure of all commercial Linux distributions. Some of the following tools are developed by SuSE, and you can download them free of charge:

SuSE Security Software

| Program name (RPM) | Feature | Included in the distribution from version | Can run on other distributions | Download address |
|---|---|---|---|---|
| FTP Proxy Suite (fwproxys) | A very secure FTP proxy; it also supports SSL | 6.3 | | http://proxy-suite.suse.de |
| SuSE Firewall (firewals) | A packet filter; you can create a complex firewall system, and it is very easy to configure | 6.3 | (on other distributions, the init.d and startup scripts have to be readjusted) | http://www.suse.de/~marc (betas) |
| Harden SuSE (hardsuse) | Configures a very secure SuSE | 6.1 | no (designed specifically for SuSE) | http://www.suse.de/~marc (betas) |
| Security module (secumod) | A small kernel module that enforces symlink, hardlink, pipe and many other security policies | 6.3 | yes | suse-ftp-server |
| Security Inspector (seccheck) | Daily routine checks of local security | 6.2 | mostly | suse-ftp-server, http://www.suse.de/~marc (betas) |
| Compartment (-) | Securely wraps programs; supports chroot-ing and the assignment of privileges and capabilities | planned for 7.0 | yes | http://www.suse.de/~marc (betas) |
| auditdisk (-) | Secure checksum generation; unlike Tripwire, it cannot be bypassed | planned for 7.0 | yes | there are no beta releases yet |
| Scslogger (scslog) | Kernel module that logs inbound and outbound connections | 6.2 | yes | suse-ftp-server, http://www.suse.de/~thomas (betas) |
| Security library (-) | A function library for programmers that provides security features and tips, for use in place of unsafe functions | planned for 7.0 | yes | http://www.suse.de/~thomas (betas) |

Other security programs available on the CD are: Nessus, Saint, Nmap, PGP, GNU Privacy Guard, OpenSSH, Tripwire, FreeS/WAN, and so on.

In addition, there are two mailing lists, suse-security and suse-security-announce, as well as a wide range of security content in the manuals that are published with SuSE Linux.

Of course, there are other options. For example, Trustix [6] Linux is a newly emerged, fully security-oriented distribution. Disappointingly, the distribution is still in its infancy. However, its first alpha, approximately MB ISO file, is already available for download.

If you don't trust Linux, look at OpenBSD [5]. Just a few years ago, people checked the programs of this NetBSD-derived distribution line by line for security issues. Comparing the number and quality of the reports about security issues in the UNIX variants (and of course Windows), OpenBSD turns out to be the undisputed winner. So what are the main obstacles? One of the reasons is that there are too few software applications. All of the OpenBSD software put together would not even fill a CD. Other programs that need to be integrated into the system have to be added by the user through the so-called ports or by importing them. None of these has been verified to be safe. Another problem is that its code base is BSD: because of the Linux boom, the BSD platform is no longer a strategic target for the software industry. However, OpenBSD still has a good reputation among security professionals. If you don't need to run some special software, OpenBSD is still the right choice for configuring a secure server.

Of course, there are also a lot of commercial, highly secure UNIX systems. They are called Trusted {Solaris, Irix, SCO, ...}. Different systems have achieved the C2, B1 and even B2 security ratings in the United States. These systems, in addition to being very expensive, are not as safe as they claim to be. While implementing the security standards significantly enhances the security of the system, it is unrealistic to expect 100% security from systems that lack open source and a reputation for quality (but they are still much better than Windows).


