Does anyone know of a comprehensive security guide about important basics / fundamentals which should be done to secure a web-server / website? A web link would do.
-
http://security.stackexchange.com/questions/514/what-does-defense-in-depth-entail-for-a-web-app/557#557 – Tate Hansen Jun 30 '11 at 15:45
-
2Hi @oshirowanen, welcome to the site! I think you'd get better results if you break this down to several specific questions, e.g. How to harden [Apache] webserver / How to harden [MySQL] database / How to harden [Linux] OS (for webserver) / How to harden [PHP] web application. In fact, I believe most of these have already been asked and answered pretty well, take a look at [tag:hardening] tag. – AviD Jun 30 '11 at 19:14
2 Answers
To get started, you're probably going to want to focus on two things:
- Securing your web server
- Security your website
That's really two different specialties, and I don't think I'm going to be able to dig up a single document describing both... the ardent security nerd would also point out that this assumes you're working in a secure network with decent physical security, security policies and protections in other arenas.
Securing the Web Server
Hands down, you're best information is going to be web server specific - each one has it's own foibles. Sight unseen, I'd recommend this:
http://iase.disa.mil/stigs/app_security/web_server/general.html
Yes, it's US DoD specific, but it's got some generally not so bad guidance.
I also really like NIST stuff:
http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
Securing your website:
Hands down, my favorite site for secure web development is OWASP.
https://www.owasp.org/index.php/Main_Page
The information in this area is dense and there's a lot to take in no matter how you slice it. There's no one good checklist for web app security - you have to design security in from the start and be prepared to involve security considerations in all parts of development.
What I love about OWASP is their breakdown of specific issues, for example:
https://www.owasp.org/index.php/SQL_injection
Gives you the problem, the threats, the vulnerabilities, examples, and some idea for what to do about it - pretty much everything I need, whether I'm the security analyst or the poor guy trying to fix the problem.
- 11,656
- 1
- 28
- 59
This is really a pretty stinking huge question. Based on your chosen tags it looks like you're asking for guidance on a LAMP stack, so we'll focus on that. There are already a number of related hardening questions posted, so for some additional insights check out these questions:
MySQL Server Hardening
Hardening Linux Server
What are the best practices for hardening a php.ini file?
Apache Server Hardening
The specific techniques you take could depend highly on your environment and how your server will be used. Warning, this can take a lot of work in a test environment to build out and get done right. Followed by a lot of work to integrate into your production environment, and more importantly, business process.
First, however, check to see if your organization has any hardening policies, as those might be the most directly relevant. If not, depending on your role, this might be a great time to build them out. I would also recommend tackling each component separately from the bottom up.
The L
There are lots of good guides available to help you out. This list may or may not help you depending on your distribution.
- Center for Internet Security Benchmarks - Distribution specific for the major flavors
- CentOS Hardening HowTo - Follows closely to the CIS RHEL5 guide, but is a much easier read
- NIST SP800-123 - Guide to General Server Security
- NSA Hardening Factsheets - Not as recently updated as CIS, but still mostly applicable
- Tiger - Live System Security Auditing Software
The A
Apache can be fun to secure. I find it easier to harden the OS and maintain usability than either Apache or PHP.
- Apache Server Hardening - This question on the IT Security sister site has lots of good information.
- Center for Internet Security Benchmarks - Again, Apache benchmarks.
- Apache Security Tips - Straight from the Apache project, it looks like it covers the basics
- DISA Hardening Checklist - Checklist from the DoD Information Assurance guys
The M
- Center for Internet Security Benchmarks - Again, but for MySQL benchmarks
- OWASP MySQL Hardening
- General Security Guidelines - Basic checklist from the project devs
The P
This runs headlong into the whole idea of Secure Programming Practices, which is an entire discipline of its own. SANS and OWASP have a ridiculous amount of information on the subject, so I won't try to replicate it here. I will focus on the runtime configuration and let your developers worry about the rest. Sometimes the 'P' in LAMP refers to Perl, but usually PHP. I am assuming the latter.
- Hardening PHP - Some minor discussion, also on IT Security SE site.
- Hardened PHP Project - Main project that produces Suhosin, an attempt to patch the PHP application to project against certain types of attacks.
- Hardening PHP With Suhosin - A brief HowTo specifically for Suhosin
- Hardening PHP from php.ini - Short, but not bad discussion on some of the security related runtime options
- 15,217
- 5
- 62
- 91