
12-17-2006
Paul
Re: how to test if your web server is secure?

"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1166302733.583248.261760@80g2000cwy.googlegroups.com...
> there are some basic rules before you bother testing,
> make sure you DON'T just consider the web server as the problem, it's the
> box it's on!
> make sure
> it's up to date, as with all software on box
> you're on the releases / bugs mailing list for all software on box
> have only the modules/services you need running / turn off all unneeded
> features
> if you don't need Russian... visitors, don't allow them
> look over the owner and permissions
> who has physical access/rights to the box
> if uploads allowed place in non public/exec dir and set file perms, and
> scan stream up and down, and then for viruses on file system.
> run a tight firewall.
> consider banning all connections to known problem areas - I ban 1.5
> million IPs
> hard code your hosts as IPs, don't rely on DNS
> run a web application proxy (or module like mod_security for apache) or
> dedicated appliance if you have the money which updates itself if you
> can't change the server or any software quickly enough this will help.
> (or if you just can't change the software 'cos it's 3rd party you can at
> least filter its IO)
>
> it is interaction of web server with other services like ARP, DNS, FTP,
> SSH that is also a problem, and these days the most prevalent threat is
> through the web application layer - user to user attacks are possible
> even if web server is hard - so
> named person responsible for security who is not the developer
> audit your code with a fresh pair of eyes
> no cutting corners to make stuff work - house rules on coding
> regular training
> set strong passwords
>
> I write to companies whenever I spot problems in the web app layer
> which render firewalls/hard webservers irrelevant - answer is always
> same
> "we're not sure if what you say is poss", then
> "erm yeah we'll fix that next rewrite", or
> "I can't understand"
> usually it's the developer who is protecting their back and has their
> heart beating as they tried to justify their work.
>
> and this is just the tip of the iceberg,
>
> and yeah there are loads of automated testing tools, get yourself over
> to OWASP and join the mailing list to stay awake to security threats,
> and for any guidance on what scanners, bruteforcers etc... you can use.
>
>
> only AFTER learning and doing the very basics is it worth scanning, 'cos
> all you will get from a scanner is a false sense of security and lazy
> fingers if nothing shows up. that's my $0.000002


Shimmyshack - that is EXACTLY what I was trying to find. Do you know where I
could find more details/step-by-step instructions for all these things you
itemize?

Many thanks!
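As an added example, not written by either poster, the POSIX shell script below audits the file-system items from shimmyshack's list that can be checked on the box itself: world-writable files under the document root, an upload directory that holds only non-executable data and sits outside the public/exec path, and a listing of listening services to justify one by one. The directory layout built in audit_demo is constructed for illustration; point run_audit at your own docroot and upload directory.

```shell
#!/bin/sh
# Added example, not from the thread: a small audit of the file-system and
# service items in the checklist above. The paths in audit_demo are
# constructed for illustration; point the checks at your own docroot and
# upload directory.

# Files under DIR that anyone on the box can write to (other-writable).
# Symlinks are skipped: their mode bits are meaningless on Linux.
# Prints offenders; returns 0 when none, 1 otherwise.
check_world_writable() {
    found=$(find "$1" ! -type l -perm -002 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Upload directories should hold data, never code: flag any regular file
# with an execute bit set or a server-side script extension.
# Prints offenders; returns 0 when clean, 1 otherwise.
check_upload_dir() {
    found=$(find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -name '*.php' -o -name '*.phtml' -o -name '*.pl' \
        -o -name '*.cgi' -o -name '*.sh' \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# The upload directory must sit outside the public document root, so the
# web server can never serve or execute what was uploaded.
# Returns 0 when it is outside, 1 when it is the docroot or inside it.
check_upload_outside_docroot() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    updir=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$updir" in
        "$docroot"|"$docroot"/*) return 1 ;;
    esac
    return 0
}

# Every listening TCP socket is a service to justify or turn off.
# Informational only; output varies by system.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn
    else
        echo "neither ss nor netstat available"
    fi
}

# Run the three checks against DOCROOT and UPLOADDIR; returns the number
# of checks that failed (0 = all passed).
run_audit() {
    docroot=$1; updir=$2; failed=0
    echo "== world-writable files under $docroot"
    check_world_writable "$docroot" || failed=$((failed + 1))
    echo "== executable or script files under $updir"
    check_upload_dir "$updir" || failed=$((failed + 1))
    echo "== upload dir outside docroot"
    check_upload_outside_docroot "$docroot" "$updir" || failed=$((failed + 1))
    echo "== listening sockets (review each one)"
    list_listeners
    return "$failed"
}

# Constructed sample tree so the script runs as-is: one world-writable
# file in the docroot and one .php in the upload dir, so two checks fail.
audit_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/www/html" "$t/uploads"
    : > "$t/www/html/index.html";  chmod 644 "$t/www/html/index.html"
    : > "$t/www/html/notes.txt";   chmod 666 "$t/www/html/notes.txt"
    : > "$t/uploads/photo.jpg";    chmod 640 "$t/uploads/photo.jpg"
    : > "$t/uploads/shell.php";    chmod 640 "$t/uploads/shell.php"
    run_audit "$t/www/html" "$t/uploads"; rc=$?
    rm -rf "$t"
    return "$rc"
}

rc=0
audit_demo || rc=$?
echo "checks failed: $rc"
```

Each check returns non-zero on a finding, so run_audit can drop straight into a cron job or a deploy gate; the listener listing is deliberately left as output for a human to read, since which sockets are "needed" is a decision, not a test.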