Building a Secure Web Server


In this second part of a five-part series that focuses on securing your web server, you will learn how to build a secure server with Ubuntu. This article is excerpted from chapter four of Securing Ajax Applications: Ensuring the Safety of the Dynamic Web, written by Christopher Wells (O'Reilly, 2007; ISBN: 0596529317). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

Author Info:
By: O'Reilly Media
September 18, 2008
TABLE OF CONTENTS:
  1. Building a Secure Web Server
  2. OS Hardening
  3. Accounts management
  4. Running services

Building a Secure Web Server - Running services
(Page 4 of 4 )

In the case of a bastion web server sitting out on the Internet we want to be running as little as possible, and certainly no service that accepts network connections other than the web server itself.

Here is a list of the default services (init scripts) installed on my fresh Ubuntu system:

  sysklogd – the system logger
  klogd – the kernel logging facility
  mysql – the MySQL database server
  mysql-ndb-mgm – the MySQL Cluster (NDB) management daemon
  makedev – creates the device nodes in /dev used to interface with drivers in the kernel
  mysql-ndb – the MySQL Cluster (NDB) data node daemon
  rsync – facility for remote syncing of files
  atd – at daemon for running commands at a specified time
  cron – cron daemon for running commands on a periodic schedule
  apache2 – the Apache 2 web server
  rmnologin – removes /etc/nologin at the end of boot so that users can log in to your machine

On a Windows machine you can see the equivalent list by right-clicking on My Computer and selecting Manage -> Services and Applications -> Services.

Start by looking through the list of running services and identifying each one. A modern operating system has many services, too many. For each one ask yourself whether the service is something that should be running on a web server.

In the case of this list, I plan on using everything listed. Your mileage may vary. For example, I chose Ubuntu’s LAMP install, which installed the MySql database services. If I didn’t want to run the database, I would disable it.

After you identify all the running services, make sure you know what each service is, what it does, and whether it listens on the network. The goal is to turn off as much as possible; anything that must stay but is only used locally (a database, for example) should be bound to the loopback address rather than exposed to the Internet.
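As an added example (not from the book), the following shell script turns the bastion rule above into a repeatable check: it parses socket-listing output and flags any listener reachable from the network that is not the web server or the administrative SSH port. The sample ss output and the ALLOWED_PORTS list are constructed assumptions for this host; on a live system feed it the output of `ss -Hltnp` (or `netstat -tlnp` on older releases) run as root so that process names are visible.

```shell
#!/bin/sh
# Added example, not from the book: report sockets that a bastion web server
# exposes to the network beyond the web server itself.
#
# Real input comes from `ss -Hltnp` (iproute2) or, on older systems, from
# `netstat -tlnp`, run as root so process names are visible. The sample
# below is constructed in the ss format so the script runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1234,fd=4))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=1234,fd=6))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=987,fd=12))
LISTEN 0 5 0.0.0.0:873 0.0.0.0:* users:(("rsync",pid=1100,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=600,fd=3))'

# Assumption for this host: only HTTP, HTTPS and the admin SSH port may be
# reachable from the network. Anything else must bind to loopback only.
ALLOWED_PORTS="80 443 22"

# unexpected_listeners INPUT: print "port process" for every LISTEN socket
# bound to a non-loopback address whose port is not in ALLOWED_PORTS.
# Returns 0 when nothing is flagged, 1 otherwise.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; sub(/:[^:]*$/, "", addr)            # "0.0.0.0:873" -> "0.0.0.0"
            port = $4; sub(/^.*:/, "", port)               # "0.0.0.0:873" -> "873"
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only binding is fine
            if (port in ok) next                           # expected public service
            proc = $6; gsub(/^users:\(\("|".*$/, "", proc) # users:(("rsync",...)) -> rsync
            print port, proc
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Run the check against the constructed sample; on a live host use
#   unexpected_listeners "$(ss -Hltnp)"
if unexpected_listeners "$SAMPLE_SS"; then
    echo "only expected services are listening"
else
    echo "unexpected network listeners found (listed above); disable them or bind them to loopback"
fi
```

In the sample the MySQL listener is bound to 127.0.0.1 and is therefore accepted, while rsync on port 873 is bound to all interfaces and is reported; that is exactly the distinction the bastion rule draws between "running" and "reachable from the Internet".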

SUID and SGID

Some commands run with a special permission bit set that instructs the OS to run the command as the file's owner (SUID) or as the file's group (SGID) rather than as the user who invoked it.

The idea is that some commands or daemon processes need to run with higher permissions than those of the user. Take for example the passwd command. If a user wants to change his password he executes the passwd command, but the user does not normally have permission to write to /etc/passwd (or /etc/shadow, where the password hashes actually live). With the SUID bit set and the file owned by root, the command performs its function with superuser privileges.

This is obviously a security concern: a bug in a SUID-root program is a local privilege escalation waiting to happen. It is critical that any command or process that has this bit set be something that is necessary and makes sense given the system that we are creating. The best way to find these sorts of files is to issue a command that looks like this:

  find / -perm -4000 -user root -type f -print

This command finds all the SUID files owned by root. (Older texts write the permission test as -perm +4000; current GNU find rejects that spelling, so use -perm -4000, or -perm -2000 to list SGID files the same way.) Examine the list and, for anything unnecessary, either clear the bit (chmod u-s on the file) or remove the program altogether.
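An added example, not from the book, showing how a practitioner would make the SUID/SGID audit repeatable: record a baseline of privileged files on the freshly built server and later diff the live system against it, so that a newly planted setuid binary stands out instead of being lost in a long listing. The directory tree, file names and baseline path in the demo are constructed stand-ins for "/", and the script needs GNU find for -printf.

```shell
#!/bin/sh
# Added example, not from the book: audit setuid/setgid files against a
# baseline taken from the freshly built server. Later runs report anything
# that has appeared (a classic root-kit leftover) or disappeared. In practice
# run `list_privileged_files / > baseline` as root right after hardening;
# the demo below builds a throwaway directory tree so it runs offline and
# unprivileged. Requires GNU find (-printf).

# list_privileged_files ROOT: print "mode path" for every regular file under
# ROOT with the setuid (4000) or setgid (2000) bit set, sorted by path.
# -perm -4000 is the current spelling of the book's -perm +4000, which
# recent GNU find rejects.
list_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' | sort -k2
}

# audit_privileged_files ROOT BASELINE: diff the current list against the
# BASELINE file. Prints "+ mode path" for new and "- mode path" for removed
# entries; returns 0 when identical, 1 when anything changed.
audit_privileged_files() {
    cur=$(mktemp)
    list_privileged_files "$1" > "$cur"
    changes=$(diff "$2" "$cur" | sed -n 's/^> /+ /p; s/^< /- /p')
    rm -f "$cur"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# run_demo: constructed tree standing in for "/". Two legitimately setuid
# binaries go into the baseline; then a setuid shell copy appears in /tmp,
# the kind of thing the audit exists to catch. Prints the audit's findings
# and returns its status (1 = changes found).
run_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin" "$demo/tmp"
    for f in passwd sudo ls; do : > "$demo/usr/bin/$f"; done
    chmod 4755 "$demo/usr/bin/passwd" "$demo/usr/bin/sudo"   # setuid, expected
    chmod 0755 "$demo/usr/bin/ls"                             # ordinary binary
    list_privileged_files "$demo" > "$demo/baseline.txt"      # snapshot of the fresh build

    : > "$demo/tmp/.sh"
    chmod 4755 "$demo/tmp/.sh"                                # planted after the baseline

    if audit_privileged_files "$demo" "$demo/baseline.txt"; then rc=0; else rc=1; fi
    rm -rf "$demo"
    return $rc
}

run_demo && echo "no change in privileged files" || echo "privileged files changed (listed above); investigate"
```

Keep the baseline file off the server (or at least read-only and checksummed), since an intruder who can plant a setuid binary can also edit a baseline stored next to it.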

Logging and Auditing

A critical factor in a web server's security is its logging. If there is an attack, often the most critical evidence will be found in the logs. Therefore, it is vital that the logs and logging mechanisms be securely implemented, so that an attacker who compromises the server cannot quietly alter or erase the record of what happened; forwarding a copy of the logs to a separate log host is the usual safeguard.

Unix/Linux

Syslog is the default logging facility on most Unix/Linux-based systems. It records events coming from the kernel (via klogd, a system daemon that intercepts and logs Linux kernel messages) and from any program or process running on the system. It can even record remote messages sent from other network devices and servers.
