<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rough Sea Games &#187; Web security</title>
	<atom:link href="http://blog.rough-sea.com/category/programming/websecurity/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.rough-sea.com</link>
	<description>Indie game development</description>
	<lastBuildDate>Sun, 29 Jan 2012 12:19:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<image>
			<title>Rough Sea Games</title>
			<url>/wp-content/uploads/2008/10/rsg_rss-feed.jpg</url>
			<link>http://blog.rough-sea.com</link>
			<width>144</width>
			<height>95</height>
			<description>Indie game development</description>
		</image>		<item>
		<title>Secure your Webserver (part 2- A)</title>
		<link>http://blog.rough-sea.com/2009/07/secure-your-webserver-part-2-a/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=secure-your-webserver-part-2-a</link>
		<comments>http://blog.rough-sea.com/2009/07/secure-your-webserver-part-2-a/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 08:12:59 +0000</pubDate>
		<dc:creator>Ole</dc:creator>
				<category><![CDATA[Server Administration]]></category>
		<category><![CDATA[Web security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SSH]]></category>
		<category><![CDATA[Userrights]]></category>
		<category><![CDATA[Webserver]]></category>

		<guid isPermaLink="false">http://blog.rough-sea.com/?p=512</guid>
		<description><![CDATA[<p>Hello everybody,</p> <p>Finally you can read Part 2 of &#8220;Secure your Webserver&#8221;. Part 2 covers Linux, the webserver and the other important services.</p> <p>As I mentioned in Part 1, I will not write about Windows, MacOS or other operating systems, because the most common &#8230; </p>]]></description>
			<content:encoded><![CDATA[
<p>Hello everybody,</p>
<p>Finally you can read Part 2 of &#8220;Secure your Webserver&#8221;. Part 2 covers Linux, the webserver and the other important services.</p>
<p>As I mentioned in Part 1, I will not write about Windows, MacOS or other operating systems, because the most common one for a webserver is Unix / Linux. Part 2 has a part A and a part B. Today I am going to write about distributions, user management, user rights, secure shell and their enormous importance for security.</p>
<p>Before you start, choose the right Linux distribution for your aims. There are a lot of Linux versions (distributions) on the market. Most of them are free or have a free community edition. The most common free distributions are CentOS, Debian, Fedora, Gentoo, OpenSuse, Mandriva and Ubuntu. Of course there are also commercial distributions like Red Hat Enterprise Linux (RHEL) or SUSE Linux Enterprise.</p>
<p>In general all these distributions are fine for a webserver. Their differences are minor and more a personal choice than a real technical question. A NEWBIE should maybe use OpenSUSE, Ubuntu or Fedora, as the community support seems to be bigger for them. Commercial products are usually superior to free distributions in their support system: they offer better support via phone, etc.</p>
<p>After you have chosen the right distribution for your purpose and installed it on your server machine, it is time to think about security.</p>
<p>1. User-Management and Shell-Access. (Secure Shell Daemon)</p>
<p>Linux security is mostly based on user rights. User rights are essential to the security concept of Unix and Linux systems. Usually all distributions are very strict and separate services (daemons), users, administrators, essential services like a webserver, MTA &amp; MDA (Mail Transfer Agent &amp; Mail Delivery Agent) into different groups and users.</p>
<p>All these groups and users have different read and write permissions. Usually groups are created to give a bunch of users the same rights. Therefore groups can make an administrator&#8217;s life far easier.</p>
<p>The most important &#8220;user&#8221; is called root. Root is the highest-ranked user on a system. The &#8220;root user&#8221; has full read and write access. In the Windows world it would be the &#8220;Administrator&#8221;. This is the reason why it is not smart to use the root user in your everyday work. The root user should only be used for system-critical and important tasks. In all other cases it is wise to use a &#8220;normal&#8221; user which you have created.<br />
It is also possible to run root commands from your user account. Important commands for this purpose are &#8220;sudo&#8221; and &#8220;su&#8221;. sudo runs a single command as another user (usually root). The command su makes it possible to log in as another user from your own user shell. Of course you need the correct password to perform these actions.</p>
<p><a rel="attachment wp-att-926" href="http://blog.rough-sea.com/2009/07/secure-your-webserver-part-2-a/x11_ssh_tunnelling/"><img class="alignleft size-thumbnail wp-image-926" title="X11_ssh_tunnelling" src="http://blog.rough-sea.com/wp-content/uploads/2009/07/X11_ssh_tunnelling-150x150.png" alt="X11_ssh_tunnelling" width="275" height="275" /></a>It is common on Linux to allow remote login via secure shell (SSH), especially if your webserver is not physically reachable for you, e.g. a dedicated server in the data centre of your web host. All connections via SSH are encrypted. It is nearly impossible to decrypt the data in transit between your client and your server (maybe the NSA or the CIA are able to decrypt it &#8211; who knows?). You should take care to choose SSH protocol version 2. It is safer, as some weaknesses were recently discovered in protocol version 1. A common SSH client for Windows is <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html">&#8220;PuTTY&#8221;</a>.</p>
<p>It is possible to permit or forbid login via SSH for specific users or user groups. It is usually not wise to allow direct root login via SSH. It is also possible to log in with a public/private key pair instead of a password. You create a public and a private key, upload the public part to your server (usually ~/.ssh/authorized_keys in the user&#8217;s home directory) and log in without a password. Of course it is wiser to secure your private key with a passphrase. In this case you need to type the passphrase to decrypt the private key before you can log in.</p>
<p>The next part will be about firewalls, virus scanners and how to avoid spam problems.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.rough-sea.com/2009/07/secure-your-webserver-part-2-a/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure your Webserver (part 1)</title>
		<link>http://blog.rough-sea.com/2009/01/secure-your-webserver-part-1/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=secure-your-webserver-part-1</link>
		<comments>http://blog.rough-sea.com/2009/01/secure-your-webserver-part-1/#comments</comments>
		<pubDate>Mon, 05 Jan 2009 10:44:37 +0000</pubDate>
		<dc:creator>Ole</dc:creator>
				<category><![CDATA[Server Administration]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[Web security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[server management]]></category>
		<category><![CDATA[server security]]></category>

		<guid isPermaLink="false">http://blog.rough-sea.com/?p=358</guid>
		<description><![CDATA[<p>Hello,</p> <p>Today I am going to write about server security. I decided to split the post into 3 parts. The future parts will be published during the next weeks.</p> <p>Part 1 deals with server security in general and the conception of your personal strategy to avoid &#8230; </p>]]></description>
			<content:encoded><![CDATA[
<p>Hello,</p>
<p>Today I am going to write about server security. I decided to split the post into 3 parts. The future parts will be published during the next weeks.</p>
<p>Part 1 deals with server security in general and the conception of your personal strategy to avoid security problems.</p>
<p>Security has become more and more important in the last 10 years, as the number of internet users and server services grows year by year. Especially the web 2.0 revolution brings new security problems. Nowadays users with a poor understanding of the technical background are setting up blogs, forums, websites and other services.</p>
<p>Therefore I wrote a small introduction for those newcomers!</p>
<p>In general there are 3 main areas you have to keep an eye on.</p>
<p><strong>1. Network infrastructure:</strong></p>
<p>I will not deal with this, because usually only professionals can influence the network infrastructure, or your provider does this for you with routing, firewalls and filters.</p>
<p><strong>2. Operating System:</strong></p>
<p>A big part of security solutions and problems depends on the chosen operating system. All common operating systems (e.g. Linux, Windows, Unix) have advantages and disadvantages. If you expect me to write down which is the best one, I WILL NOT! Nobody can tell you. It depends on so many factors like the services you want to run, your personal knowledge of the operating system, etc. Maybe you do not even have the chance to choose your OS, as your provider has already pre-installed one for you.</p>
<p>Unfortunately, I will have to focus on one operating system in the second part of my post. In my point of view the most common one is Linux, although I am aware of the fact that other operating systems are great too. So do not bug me with comments like: &#8220;You hate Windows! Why not use FreeBSD? Solaris is the best one!&#8221; ;-) </p>
<p><strong>3. Applications &amp; Daemons</strong></p>
<p>Daemons or services are the core of your security solutions and also the source of most security issues. Before offering several services, e.g. a web server, FTP server or an email server, think about which services you really need and whether it is really smart to offer all services on a single machine. Every application can be corrupted or compromised. Avoiding unnecessary services and daemons is always a clever strategy to minimize the risks. Moreover, security tools such as a virus scanner, a firewall, a spam filter and a sensible user-rights management help to prevent security issues as well.</p>
<p>Please think about all these facts <strong>before</strong> you run a public server.</p>
<p>The second part will be about the practical parts of server management to build a secure server. We are going to leave the boring theory, promised!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.rough-sea.com/2009/01/secure-your-webserver-part-1/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Web Security &#8211; How to keep HTTP Variables secure</title>
		<link>http://blog.rough-sea.com/2008/09/web-security-how-to-keep-http-variables-secure/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=web-security-how-to-keep-http-variables-secure</link>
		<comments>http://blog.rough-sea.com/2008/09/web-security-how-to-keep-http-variables-secure/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 20:25:12 +0000</pubDate>
		<dc:creator>Dirk</dc:creator>
				<category><![CDATA[Friends]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[Web security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server]]></category>

		<guid isPermaLink="false">http://www.rough-sea.com/wordpress/?p=45</guid>
		<description><![CDATA[<p>When I am surfing, I often see websites that have big security leaks in the communication between server and client. I know how to avoid this, and will describe it here.</p> <p>The most common way for a web server and client to communicate is through HTTP variables. This &#8230; </p>]]></description>
			<content:encoded><![CDATA[
<p>When I am surfing, I often see websites that have big security leaks in the communication between server and client. I know how to avoid this, and will describe it here.</p>
<p>The most common way for a web server and client to communicate is through HTTP variables. This means that values are stored in the URL (GET) or in the header of the request (POST).<br />
I will give an example for a GET parameter: news.php?id=4. The GET variable &#8220;id&#8221; has the value 4. This is not a random example; I deliberately used one with the keyword ID.<br />
Databases usually identify records through a number. If a new data record is added, the number is incremented.<br />
If you change the value of the variable &#8220;id&#8221; to 3 or 2, the website will display the contents of the article with the id 3 or 2. Many websites are built in this way. This is a small security leak and not really dangerous. But think about a message system or a community where somebody can read the messages of another. This would be a really delicate issue. Luckily, it can be avoided in several ways.</p>
<p>Modifying the GET or POST data of an HTTP request can also cause an issue called SQL injection. Attackers can append SQL to your variable, which is executed as part of your query when the request is processed. For example, they could change the GET parameter to &#8220;site.php?id=3; DROP DATABASE mydatabase&#8221;. Boing! Data is gone.</p>
<p>Here are some tips to avoid these problems:</p>
<ol>
<li>Newer database systems support GUIDs (globally unique identifiers). These are 128-bit keys, and hence &#8220;more unique&#8221; as an id. They can be generated simply by counting, beginning with 000000-000000-00000&#8230; . But the larger data type will increase the size of your database.</li>
<li>Create a database user which only has read privileges. Web pages often only need to output data, not to modify it.</li>
<li>Have your code validate HTTP variables before using them. Checking string or enum values one by one will increase the source code size, so use a checksum for this. A lot of server-side languages support some kind of checksum function, like an MD5 hash. This works as follows: create a keyword, like &#8220;MM3banana13&#8221;. Now take your variables id, id2 and id3 and concatenate them with the keyword as prefix or suffix (note that the order is important). Use this string to generate the MD5 hash. The destination site receives the GET variables &#8220;id&#8221;, &#8220;id2&#8221;, &#8220;id3&#8221; and &#8220;check&#8221;, which contains the generated hash. The destination site now also concatenates the ids and the keyword in the same way. After that the destination site compares the generated and the received hash. If the data was modified, the generated hash will differ. You can improve security by changing the keyword every day. This is an established method for communication with an e-payment service.</li>
<li>Use SSL connections for sensitive data. This will keep your data private and inaccessible to third parties.</li>
</ol>
<p>I think these four things will help to keep a website secure (on the software side).</p>
<p style="text-align: center;"><strong>The basic idea is to expect data that you don&#8217;t expect.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.rough-sea.com/2008/09/web-security-how-to-keep-http-variables-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

