10

Does anyone know of a comprehensive security guide about important basics / fundamentals which should be done to secure a web-server / website? A web link would do.

oshirowanen
  • http://security.stackexchange.com/questions/514/what-does-defense-in-depth-entail-for-a-web-app/557#557 – Tate Hansen Jun 30 '11 at 15:45
  • Hi @oshirowanen, welcome to the site! I think you'd get better results if you break this down to several specific questions, e.g. How to harden [Apache] webserver / How to harden [MySQL] database / How to harden [Linux] OS (for webserver) / How to harden [PHP] web application. In fact, I believe most of these have already been asked and answered pretty well, take a look at [tag:hardening] tag. – AviD Jun 30 '11 at 19:14

2 Answers

12

To get started, you're probably going to want to focus on two things:

  1. Securing your web server
  2. Securing your website

That's really two different specialties, and I don't think I'm going to be able to dig up a single document describing both... the ardent security nerd would also point out that this assumes you're working in a secure network with decent physical security, security policies and protections in other arenas.

Securing the Web Server

Hands down, your best information is going to be web server specific - each one has its own foibles. Sight unseen, I'd recommend this:

http://iase.disa.mil/stigs/app_security/web_server/general.html

Yes, it's US DoD specific, but it's got some generally not so bad guidance.

I also really like NIST stuff:

http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf

Securing your website:

Hands down, my favorite site for secure web development is OWASP.

https://www.owasp.org/index.php/Main_Page

The information in this area is dense and there's a lot to take in no matter how you slice it. There's no one good checklist for web app security - you have to design security in from the start and be prepared to involve security considerations in all parts of development.

What I love about OWASP is their breakdown of specific issues, for example:

https://www.owasp.org/index.php/SQL_injection

Gives you the problem, the threats, the vulnerabilities, examples, and some idea for what to do about it - pretty much everything I need, whether I'm the security analyst or the poor guy trying to fix the problem.

bethlakshmi
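The OWASP SQL injection page the answer above links to describes the problem and the fix in prose. As an added illustration (not the answerer's code and not taken from OWASP), the Python below puts the two patterns side by side using the standard library's sqlite3 module as a stand-in for the LAMP stack's MySQL: a lookup that splices user input into the SQL text, and the same lookup as a parameterised query (the PDO prepared-statement equivalent in PHP). The users table and its rows are constructed sample data, and the function names are this example's own.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("o'brien", "obrien@example.test"),  # a legitimate name containing a quote
            ("bob", "bob@example.test"),
        ],
    )
    return conn


def find_email_vulnerable(conn, username):
    """Pattern to avoid: the input is spliced into the SQL text, so quote
    characters in it change the structure of the statement itself."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, username):
    """Parameterised query: the value travels separately from the statement,
    so whatever it contains is only ever compared as data."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def run_lookup(lookup, conn, username):
    """Run one lookup and report either its rows or that the SQL failed to
    parse; used to compare the two implementations on the same input."""
    try:
        return lookup(conn, username)
    except sqlite3.OperationalError:
        return "SQL ERROR"


if __name__ == "__main__":
    conn = make_db()
    # An ordinary name, a name with an apostrophe, and a tautology: the
    # vulnerable version breaks on the second and returns every row on the
    # third, while the parameterised version treats both as plain strings.
    for name in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(name),
              "vulnerable:", run_lookup(find_email_vulnerable, conn, name),
              "safe:", run_lookup(find_email_safe, conn, name))
```

The apostrophe case is worth noticing: the concatenated query fails on a perfectly legitimate username, so the same defect that lets crafted input alter the query also causes ordinary bugs, which is why "design security in from the start" and "write correct code" end up being the same advice.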
12

This is really a pretty stinking huge question. Based on your chosen tags it looks like you're asking for guidance on a LAMP stack, so we'll focus on that. There are already a number of related questions posted, so for some additional insights check out these questions:

  • MySQL Server Hardening
  • Hardening Linux Server
  • What are the best practices for hardening a php.ini file?
  • Apache Server Hardening

The specific techniques you take could depend highly on your environment and how your server will be used. Warning: this can take a lot of work in a test environment to build out and get done right, followed by a lot of work to integrate into your production environment and, more importantly, business process.

First, however, check to see if your organization has any hardening policies, as those might be the most directly relevant. If not, depending on your role, this might be a great time to build them out. I would also recommend tackling each component separately from the bottom up.

The L
There are lots of good guides available to help you out. This list may or may not help you depending on your distribution.

The A
Apache can be fun to secure. I find it easier to harden the OS and maintain usability than either Apache or PHP.

The M

The P
This runs headlong into the whole idea of Secure Programming Practices, which is an entire discipline of its own. SANS and OWASP have a ridiculous amount of information on the subject, so I won't try to replicate it here. I will focus on the runtime configuration and let your developers worry about the rest. Sometimes the 'P' in LAMP refers to Perl, but usually PHP. I am assuming the latter.

Scott Pack
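The answer above points at php.ini and Apache runtime configuration as the pieces to harden but leaves the details to the linked questions. As an added example (not the answerer's code, and not drawn from those linked questions), the Python below parses a php.ini fragment and an Apache httpd directive fragment and reports every setting that differs from a small hardened baseline. The directive names it checks (expose_php, display_errors, log_errors, allow_url_include, session.cookie_httponly, ServerTokens, ServerSignature, TraceEnable) are real PHP and Apache settings; which of them to check, the expected values, and the sample config fragments are constructed assumptions for this example, not a policy taken from the page.

```python
# Hardened baseline values. The directive names are real php.ini and Apache
# httpd settings; the selection and expected values are a constructed example
# policy, not one taken from the page or the linked questions.
PHP_INI_BASELINE = {
    "expose_php": "off",              # don't advertise the PHP version in headers
    "display_errors": "off",          # don't send stack traces and paths to clients
    "log_errors": "on",               # ...but keep them in the server log
    "allow_url_include": "off",       # no remote file inclusion via include()
    "session.cookie_httponly": "on",  # session cookie not readable by page scripts
}

APACHE_BASELINE = {
    "servertokens": "prod",   # minimal Server header
    "serversignature": "off", # no version footer on error pages
    "traceenable": "off",     # disable the HTTP TRACE method
}


def normalize(value):
    """Map the many spellings of booleans (On/1/true, Off/0/false) to on/off."""
    v = value.strip().strip('"').lower()
    if v in ("1", "true", "yes", "on"):
        return "on"
    if v in ("0", "false", "no", "off", ""):
        return "off"
    return v


def parse_php_ini(text):
    """Parse 'key = value' lines; ';' starts a comment and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = normalize(value)
    return settings


def parse_apache(text):
    """Parse 'Directive value' lines; '#' comments and <Section> tags are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = normalize(parts[1])
    return settings


def audit(settings, baseline):
    """Return (directive, current, expected) for each deviation. An absent
    directive is reported as 'missing' rather than assumed safe, because the
    compiled-in default may be the weak value."""
    findings = []
    for key, want in baseline.items():
        have = settings.get(key)
        if have is None:
            findings.append((key, "missing", want))
        elif have != want:
            findings.append((key, have, want))
    return findings


# Constructed sample fragments standing in for a server's real files.
WEAK_PHP_INI = """
[PHP]
expose_php = On
display_errors = On   ; handy while developing, leaks internals in production
log_errors = Off
allow_url_include = Off
"""

HARDENED_PHP_INI = """
[PHP]
expose_php = Off
display_errors = Off
log_errors = On
allow_url_include = Off
session.cookie_httponly = 1
"""

WEAK_APACHE = """
# constructed httpd.conf fragment
ServerTokens Full
ServerSignature On
<Directory /var/www/html>
    Options -Indexes
</Directory>
"""


if __name__ == "__main__":
    for label, text, parser, baseline in (
        ("weak php.ini", WEAK_PHP_INI, parse_php_ini, PHP_INI_BASELINE),
        ("hardened php.ini", HARDENED_PHP_INI, parse_php_ini, PHP_INI_BASELINE),
        ("weak httpd.conf", WEAK_APACHE, parse_apache, APACHE_BASELINE),
    ):
        findings = audit(parser(text), baseline)
        print(f"{label}: {len(findings)} finding(s)")
        for key, have, want in findings:
            print(f"  {key}: is {have!r}, want {want!r}")
```

Treating a missing directive as a finding is the deliberate choice here: a hardening check that only inspects what is written down will pass a file that simply never mentions display_errors or TraceEnable, which is exactly the state of a freshly installed server. Once the organisation's own policy exists (the answer's first recommendation), its values replace the two baseline dictionaries and the same script becomes the check that the test and production environments agree.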