| 5:56 am on Jan 25, 2003 (gmt 0)|
Hello sai_suresh and welcome to WebmasterWorld.
You may like to review other related threads on this forum, like Apache works locally (on LAN) but not remotely (Internet) [webmasterworld.com] or viewing pages on a local apache [webmasterworld.com].
| 7:12 am on Feb 21, 2003 (gmt 0)|
I came to know that the Linux default network configuration denies any request from a remote system. So, I could get web pages from my server if I run "service ipchains stop", which removes the default firewall settings, making my server accessible from a remote system but making it vulnerable by removing the firewall settings. What should I do to make it secure? Will installing a secure web server (mod_ssl+openssl) work for me in that case?
| 7:43 am on Feb 21, 2003 (gmt 0)|
SSL will not make your server less crackable; it is needed to prevent third parties from eavesdropping on the messages through the public internet, so that they can only be decoded by the trusted parties.
What you need to do is to configure ipchains to allow traffic through port 80, the default for a web server. What a firewall really does is block traffic through ports you know are not needed for normal operation, i.e. all except the ones you explicitly need.
| 9:49 am on Feb 21, 2003 (gmt 0)|
Thank you Dracula for your earlier reply. But how can I be sure that my server is secure once I define the ipchains rules to allow only port 80 for communication? Is there any way that I can ensure that the server is as secure as any other server on the internet? What are the testing strategies to ensure web server security?
| 10:23 am on Feb 21, 2003 (gmt 0)|
The only true way to secure a server is remove any physical way for the server to talk to the outside world - this to include network cables, monitors, and keyboards, and to site the computer in a locked room. :)
|is there anyway that i can assure that the server is as secure as any other server on the internet |
If you only open up port 80 (tcp) on the server, then the other services on the server will still be inaccessible. With computers on the internet, you want as few services as possible accessible to the outside world.
Testing strategies could include running a port scanner on the whole server using both TCP and UDP protocols - this should be run from a remote machine. nmap is quite a useful tool for this. There are further tools available such as Nessus, which is a security auditing tool. These will actually probe your open services for any known vulnerabilities and report back to you. Again, this is best run remotely so you know exactly what a potential hacker can see.
Another route to go down would be monitoring, in conjunction with testing. Install something like logcheck to automatically email you your system logs containing any suspect behaviour. Run tripwire nightly. Run chkrootkit nightly. Look at the reports these utilities provide you with!
And of course, take backups, just in case the unthinkable happens. :)
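The "allow only port 80 and deny the rest" firewall that the two replies above recommend, as an added example that is not from any poster in this thread: a shell function that emits a minimal ipchains ruleset for a web-only host so it can be reviewed before being applied. The public interface name (eth0) and the HTTP port are assumptions; adjust them for your machine.

```shell
#!/bin/sh
# Added example: a default-deny ipchains ruleset for a host that should
# only serve HTTP. Assumed values (change to match your server):
PUBLIC_IF="${PUBLIC_IF:-eth0}"   # interface facing the internet (assumption)
HTTP_PORT="${HTTP_PORT:-80}"     # port Apache listens on (assumption)

# Print the rules instead of running them, so they can be inspected first.
# ipchains is stateless: the "! -y" rule (packets that are not SYN) is what
# lets replies to the server's own outgoing connections come back in.
web_only_rules() {
  cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $PUBLIC_IF -p tcp -d 0.0.0.0/0 $HTTP_PORT -j ACCEPT
ipchains -A input -i $PUBLIC_IF -p tcp ! -y -j ACCEPT
ipchains -A input -i $PUBLIC_IF -p udp -s 0.0.0.0/0 53 -j ACCEPT
ipchains -A input -i $PUBLIC_IF -p icmp -j ACCEPT
ipchains -A input -i $PUBLIC_IF -l -j DENY
EOF
}
# Rule by rule: flush old input rules; default policy DENY (silent drop);
# trust loopback; accept new connections only to the web port; accept
# non-SYN TCP (established traffic); accept DNS replies from port 53;
# accept ICMP so ping and path-MTU discovery keep working; finally log
# (-l) anything else before it is denied, so the logs show what was probed.

# Count how many rules accept brand-new inbound TCP connections (SYN
# allowed); for a web-only host the answer should be exactly one.
count_open_tcp_rules() {
  web_only_rules | grep -c -- '-p tcp -d 0.0.0.0/0 [0-9]* -j ACCEPT'
}

# Apply the rules only when ipchains is actually present on this machine.
apply_rules() {
  command -v ipchains >/dev/null 2>&1 || { echo "ipchains not found" >&2; return 1; }
  web_only_rules | sh -e
}

case "${1:-show}" in
  apply) apply_rules ;;
  *)     web_only_rules ;;
esac
```

Run it with no argument to review the ruleset, and with `apply` (as root) to load it; on Red Hat systems of that era `service ipchains save` then writes the active rules to /etc/sysconfig/ipchains so they survive a reboot.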
| 11:02 am on Feb 21, 2003 (gmt 0)|
|is there anyway that i can assure that the server is secure |
I liked this article from Linux Magazine: Hardening Linux Systems [linux-mag.com] (first in a series of three). You can hardly get more secure than that. Beware, it borders on paranoia.