
web server protection

Any suggestions for protecting web servers? Running Apache on SLES.
That part is fine, just need something in front of it to protect
against attacks. Thanks.

--
Ken

Re: web server protection

Most bigger clients of mine use NetIQ Access Manager (NAM) for that kind
of thing, since then it deals directly with clients (good or evil) and the
backend server has that extra bit of protection where it cannot be
directly accessed by anything other than the NAM Access Gateway systems.

If that's not an option, at least be sure that you enable the firewall,
block all ports in the external zone except for the ones needed for web
traffic (443, and probably 80 too), enable TLS/SSL for everything
possible, and then do some penetration testing. Also, be sure your
applications were not written poorly to avoid attacks that can get through
no matter what you do at the network or transport layers, such as SQL
injection and the like, since those can be used to either get information
out of a system, or elevate privileges within it, and can take place
regardless of security at other layers.

--
Good luck.


Re: web server protection

KeN Etter wrote:
> That part is fine, just need something in front of it to protect
> against attacks


A proxy like squid?

- Anders



Re: web server protection

On 06/10/16 15:47, ab wrote:

> If that's not an option, at least be sure that you enable the firewall,
> block all ports in the external zone except for the ones needed for web
> traffic (443, and probably 80 too), enable TLS/SSL for everything
> possible, and then do some penetration testing. Also, be sure your
> applications were not written poorly to avoid attacks that can get through
> no matter what you do at the network or transport layers, such as SQL
> injection and the like, since those can be used to either get information
> out of a system, or elevate privileges within it, and can take place
> regardless of security at other layers.


I'd also look at hardening the web server software itself to ensure it
doesn't leak unnecessary information.

With SUSE Linux Enterprise Server (and also applied to Micro Focus Open
Enterprise Server) you can do this by setting
APACHE_SERVERTOKENS="ProductOnly" in /etc/sysconfig/apache2 which
configures the server to only reveal Apache in the HTTP response header
field without any version, OS, or module information. If running Apache
later than version 2.0.44 it will also limit information displayed at the
bottom of server-generated pages (error messages, etc.).

HTH.
--
Simon
Micro Focus Knowledge Partner

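Added example (not code from the thread, SUSE or the Apache project): a POSIX shell check that reads the APACHE_SERVERTOKENS setting Simon describes from a sysconfig file and checks whether a captured Server: header reveals more than the product name. The file paths and the two header samples are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify the ServerTokens hardening described in the thread.
# Paths under $demo_dir and the header samples are constructed, not real.

# Print the last APACHE_SERVERTOKENS value in a sysconfig file (quoted or
# unquoted, trailing comments ignored); prints nothing if the key is absent.
servertokens_value() {
    sed -n 's/^[[:space:]]*APACHE_SERVERTOKENS=["]\{0,1\}\([A-Za-z]*\)["]\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# True (exit 0) only when the value is ProductOnly, the setting recommended above.
servertokens_is_productonly() {
    [ "$(servertokens_value "$1")" = "ProductOnly" ]
}

# True when a Server header line carries only the product name ("Server: Apache");
# any version, OS or module detail after it fails the check.
server_header_minimal() {
    printf '%s\n' "$1" | grep -Eqi '^Server:[[:space:]]*Apache[[:space:]]*$'
}

# Constructed sample sysconfig files: one leaky, one hardened.
demo_dir=$(mktemp -d)
printf 'APACHE_SERVERTOKENS="OS"\n' > "$demo_dir/apache2.leaky"
printf '# hardened as suggested in the thread\nAPACHE_SERVERTOKENS="ProductOnly"\n' \
    > "$demo_dir/apache2.hardened"

# Constructed header lines, as `curl -sI https://host/ | grep -i '^Server:'` would show.
leaky_header='Server: Apache/2.4.23 (Linux/SUSE) OpenSSL/1.0.2j'
minimal_header='Server: Apache'

# Report on the constructed samples when run directly.
for f in "$demo_dir/apache2.leaky" "$demo_dir/apache2.hardened"; do
    if servertokens_is_productonly "$f"; then
        echo "$f: ServerTokens=$(servertokens_value "$f") (OK)"
    else
        echo "$f: ServerTokens=$(servertokens_value "$f") (leaks info: set ProductOnly, restart apache2)"
    fi
done
for h in "$leaky_header" "$minimal_header"; do
    if server_header_minimal "$h"; then echo "OK:   $h"; else echo "LEAK: $h"; fi
done
```

To check a real host, point servertokens_value at /etc/sysconfig/apache2 and feed server_header_minimal the Server: line from a curl -sI response.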

Re: web server protection

Simon Flood wrote:
> I'd also look at hardening the web server software itself to ensure it
> doesn't leak unnecessary information.


Agreed. Check out tools like Nikto (https://cirt.net/Nikto2). They do a
good job of weeding out problems.

- Anders



Re: web server protection

In article <hjlcvbhmv29o2vic4pop287qmr01vnijd8@4ax.com>, KeN Etter
wrote:
> Any suggestions for protecting web servers?


Take a gander at Distil Networks at http://www.distilnetworks.com/. It
might be overkill, but it's still worth knowing about.

Are you talking about an external facing server or internal only?
Is there any user authentication being managed?


Andy of
http://KonecnyConsulting.ca in Toronto

Re: web server protection

On Fri, 14 Oct 2016 21:41:07 GMT, Andy Konecny
<konecnya@no-mx.forums.microfocus.com> wrote:

>In article <hjlcvbhmv29o2vic4pop287qmr01vnijd8@4ax.com>, KeN Etter
>wrote:
>> Any suggestions for protecting web servers?

>
>Take a gander at Distil Networks at http://www.distilnetworks.com/
>might be over-kill, but still worth knowing about.
>
>Are you talking about an external facing server or internal only?
>Is there any user authentication being managed?


Hmm...is Distil similar to Cloudflare? I started to check out
Cloudflare but saw some reviews that made me have second thoughts.

This is an external facing server with no user authentication - just
our public web site. I was hoping I could get a little protection for
the site without spending a ton of money or learning a whole new
program. (I don't need free, just reasonable.) I've been
self-hosting because it gives me full control for very little
investment. I suppose the other option might be to move it to a web
hosting service. But then I have to decide what web host to use...

Ken


Re: web server protection

KeN Etter wrote:
> This is an external facing server with no user authentication - just
> our public web site. I was hoping I could get a little protection for
> the site without spending a ton of money or learning a whole new
> program. (I don't need free, just reasonable.)


Then I suggest you just harden it as a start and monitor the logs
periodically.

- Anders

