This is a discussion on "how to test if your web server is secure?" within the Apache Web Server forums, part of the Web Server and Related Forums category.
Paul wrote:
> How do you test to make sure your web server is as secure as it can
> be?

Walking up to a group of hackers and boasting security is as tight as it can be? It would work, but hardly an agreeable solution. There is no real way except to read and reread all safety manuals and check it. There are companies specialised in this kind of thing, but the good ones aren't cheap. I have not yet heard of an automated method.
--
Rik Wasmus
"Rik" <luiheidsgoeroe@hotmail.com> wrote in message news:b9886$45832f97$8259c69c$29525@news2.tudelft.nl...
> Paul wrote:
>> How do you test to make sure your web server is as secure as it can
>> be?
>
> Walking up to a group of hackers and boasting security is as tight as it can
> be?
>
> It would work, but hardly an agreeable solution. There is no real way
> except to read and reread all safety manuals and check it. There are companies
> specialised in this kind of thing, but the good ones aren't cheap. I have
> not yet heard of an automated method.
> --
> Rik Wasmus

There are some reference books on Apache security. There is one I worked on (I was the hobbyist reviewing the book as the 'less experienced user'). It was to be published by Pearson Technology Group or Pearson Educational. Author was Ryan Barnett, title 'Securing Apache'. I don't know if the book was ever published. They were supposed to send me a final copy, but it never arrived. Since I have the draft here I didn't really worry about it. I learned a lot about hardening my server.

Stuart
> How do you test to make sure your web server is as secure as it can be?

There are various security scanning tools that you could try. http://www.cirt.net/code/nikto.shtml
there are some basic rules before you bother testing,
make sure you DON'T just consider the web server as the problem, it's the box it's on!
make sure
it's up to date, as with all software on the box
you're on the releases / bugs mailing list for all software on the box
have only the modules/services you need running / turn off all unneeded features
if you don't need russian... visitors, don't allow them
look over the owner and permissions
who has physical access/rights to the box
if uploads are allowed place them in a non-public/exec dir and set file perms, and scan the stream up and down, and then for viruses on the file system.
run a tight firewall.
consider banning all connections to known problem areas - I ban 1.5 million IPs
hard code your hosts as IPs, don't rely on DNS
run a web application proxy (or module like mod_security for apache) or dedicated appliance if you have the money which updates itself; if you can't change the server or any software quickly enough this will help.
(or if you just can't change the software cos it's 3rd party you can at least filter its IO)

it is the interaction of the web server with other services like ARP, DNS, FTP, SSH that is also a problem, and these days the most prevalent threat is through the web application layer - user to user attacks are possible even if the web server is hard - so
a named person responsible for security who is not the developer
audit your code with a fresh pair of eyes
no cutting corners to make stuff work - house rules on coding
regular training
set strong passwords

I write to companies whenever I spot problems in the web app layer which render firewalls/hard webservers irrelevant - the answer is always the same:
"we're not sure if what you say is poss", then
"erm yeah we'll fix that next rewrite", or
"I can't understand"
usually it's the developer who is protecting their back and has their heart beating as they try to justify their work.

and this is just the tip of the iceberg,

and yeah there are loads of automated testing tools, get yourself over to OWASP and join the mailing list to stay awake to security threats, and for any guidance on what scanners, bruteforcers etc... you can use.

only AFTER learning and doing the very basics is it worth scanning, cos all you will get from a scanner is a false sense of security and lazy fingers if nothing shows up. that's my $0.000002
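A small shell audit for some of the checklist items in the post above (no version advertising, only the modules you need, a locked-down upload directory, mod_security in front). This is an added example, not code from the thread; the two httpd.conf fragments are constructed, and the checks are plain grep over the config text, not a real Apache config parser.

```shell
#!/bin/sh
# Two constructed httpd.conf fragments (not from the thread): one weak, one hardened.
WEAK_CONF='ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
<Directory "/var/www/uploads">
    Options Indexes ExecCGI
    AllowOverride All
</Directory>'
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
LoadModule security2_module modules/mod_security2.so
<Directory "/var/www/uploads">
    Options -Indexes -ExecCGI -Includes
    AllowOverride None
</Directory>'

# audit_conf: reads Apache config text on stdin, prints one WARN line per
# checklist item that fails, then a FINDINGS line with the total.
audit_conf() {
    conf=$(cat)
    n=0
    warn() { echo "WARN: $1"; n=$((n + 1)); }
    has() { printf '%s\n' "$conf" | grep -Eiq "$1"; }
    # turn off unneeded features: don't advertise the exact version to the world
    has '^[[:space:]]*ServerTokens[[:space:]]+Prod' || warn "ServerTokens should be Prod"
    has '^[[:space:]]*ServerSignature[[:space:]]+Off' || warn "ServerSignature should be Off"
    # only the modules you need: mod_status / mod_info expose server internals
    has '^[[:space:]]*LoadModule[[:space:]]+(status|info)_module' && warn "mod_status/mod_info is loaded"
    # upload dirs: no listing, no CGI execution ('-Indexes' disables, so it is not flagged)
    has '^[[:space:]]*Options.*[[:space:]][+]?(Indexes|ExecCGI)([[:space:]]|$)' && warn "Indexes/ExecCGI enabled in a Directory block"
    has '^[[:space:]]*AllowOverride[[:space:]]+All' && warn "AllowOverride All lets .htaccess re-enable features"
    # a web application filter in front of the app, as the post suggests
    has 'LoadModule[[:space:]]+security2_module' || warn "mod_security (security2_module) is not loaded"
    echo "FINDINGS: $n"
}

# count_findings: number of failed checks for a config string
count_findings() { printf '%s\n' "$1" | audit_conf | sed -n 's/^FINDINGS: //p'; }

echo "weak config:";     printf '%s\n' "$WEAK_CONF" | audit_conf
echo "hardened config:"; printf '%s\n' "$HARDENED_CONF" | audit_conf
```

Run it against your own file with `audit_conf < /etc/httpd/conf/httpd.conf` (path is an assumption); it only covers the items above and cannot see what the running binary actually loaded.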
"shimmyshack" <matt.farey@gmail.com> wrote in message news:1166302733.583248.261760@80g2000cwy.googlegroups.com...
> there are some basic rules before you bother testing,
> make sure you DON'T just consider the web server as the problem, it's the
> box it's on!
> make sure
> it's up to date, as with all software on the box
> you're on the releases / bugs mailing list for all software on the box
> have only the modules/services you need running / turn off all unneeded
> features
> if you don't need russian... visitors, don't allow them
> look over the owner and permissions
> who has physical access/rights to the box
> if uploads are allowed place them in a non-public/exec dir and set file perms, and
> scan the stream up and down, and then for viruses on the file system.
> run a tight firewall.
> consider banning all connections to known problem areas - I ban 1.5
> million IPs
> hard code your hosts as IPs, don't rely on DNS
> run a web application proxy (or module like mod_security for apache) or
> dedicated appliance if you have the money which updates itself; if you
> can't change the server or any software quickly enough this will help.
> (or if you just can't change the software cos it's 3rd party you can at
> least filter its IO)
>
> it is the interaction of the web server with other services like ARP, DNS, FTP,
> SSH that is also a problem, and these days the most prevalent threat is
> through the web application layer - user to user attacks are possible
> even if the web server is hard - so
> a named person responsible for security who is not the developer
> audit your code with a fresh pair of eyes
> no cutting corners to make stuff work - house rules on coding
> regular training
> set strong passwords
>
> I write to companies whenever I spot problems in the web app layer
> which render firewalls/hard webservers irrelevant - the answer is always
> the same:
> "we're not sure if what you say is poss", then
> "erm yeah we'll fix that next rewrite", or
> "I can't understand"
> usually it's the developer who is protecting their back and has their
> heart beating as they try to justify their work.
>
> and this is just the tip of the iceberg,
>
> and yeah there are loads of automated testing tools, get yourself over
> to OWASP and join the mailing list to stay awake to security threats,
> and for any guidance on what scanners, bruteforcers etc... you can use.
>
> only AFTER learning and doing the very basics is it worth scanning, cos
> all you will get from a scanner is a false sense of security and lazy
> fingers if nothing shows up. that's my $0.000002

Shimmyshack - that is EXACTLY what I was trying to find. Do you know where I could find more details/step-by-step instructions for all these things you itemize? Many thanks!
> only AFTER learning and doing the very basics is it worth scanning, cos
> all you will get from a scanner is a false sense of security and lazy
> fingers if nothing shows up. that's my $0.000002

True, but most hackers use these scanners in their bots to find easy targets without doing much work. Depends on who you are I guess.

Cheers,
Scott