Does anyone make a secure web server?
CHANGE username to westes
security problems, I wanted to know does anyone make a secure web
server? Since OpenBSD has the reputation of being the most
secure form of free UNIX available, I thought that this group
might have a good perspective on this question.
My requirements are fairly simple:
1) I want something that can handle a load of 50 concurrent users
of Java Dynamically generated pages (servlets) on a dual
processor Pentium II 550MHz box with 1 gig of physical memory.
2) I want to set it up and never have to think about security
again, or at least not very often, because the server should be
designed from the ground up with security in mind.
OpenBSD seems to fit that bill from the perspective of the OS.
Does anyone make a web server that is equally focused on security
as its primary selling point?
--
Will
Internet: westes at uscsw.com
PLEASE READ: To reply, CHANGE the username to westes AT
uscsw.com
Yamcha666
tricks. Plus its stable.
http://www.apache.org
Yamcha
http://www.fajet.com
"CHANGE username to westes" <DELETE...@uscsw.com> wrote in message
news:hV727.32315$Pf4.3...@bin1.nnrp.aus1.giganews.com...
Norm
run as a non-root user which can be accomplished on Linux or *BSD
with various techniques. If is is also being run in a chroot environment
there is little chance for an exploit working, unless you screw up.
The details of my setup are more complicated than I care to explain in
a news post, but it is possible.
The most recent CERT advisory I can find is more than a year old. This
is extremely good in comparison to a lot of other software. 24 hits on
CERT and most are guides. 178 for bind.
http://www.cert.org/advisories/CA-2000-02.html
Norm.
http://www.sunperf.com/Security.html
--
I have watched kids testifying before Congress. It is clear that they
are completely unaware of the seriousness of their acts. There is
obviously a cultural gap. The act of breaking into a computer system
has to have the same social stigma as breaking into a neighbor's house.
It should not matter that the neighbor's door is unlocked. The press
must learn that misguided use of a computer is no more amazing than
drunk driving of an automobile.
Ken Thompson Sept. 1995 ACM
tos...@aol.com ab...@aol.com ab...@yahoo.com ab...@hotmail.com
ab...@msn.com ab...@sprint.com ab...@earthlink.com
CHANGE username to westes
anything secure. The point is I want something that is secure
out of the box, and optimally which has features that are geared
toward security specifically.
For example, a web server could provide a tool to create a binary
image database of all static input files for a web site,
encrypted using some kind of public key encryption system. As
long as both keys aren't on the server, there is very little
chance that an intruder is going to be able to alter or even read
any of those files.
I guess I'm just feeling that there are only so many hours in
each day, and do I want to spend the rest of my life "learning
tricks" to make software safe to use? The whole point of
OpenBSD was to build the "tricks" into the box and make it secure
by default. I want a web server built in the same spirit.
--
Will
Internet: westes at uscsw.com
PLEASE READ: To reply, CHANGE the username to westes AT
uscsw.com
"Norm" <no...@justhacked.org> wrote in message
news:3B4901F7...@justhacked.org...
BigDog
warnings and problems...there really isn't a shortcut for that that leaves
you truly secure.
BigDog
"CHANGE username to westes" <DELETE...@uscsw.com> wrote in message
news:Ha927.33360$Pf4.3...@bin1.nnrp.aus1.giganews.com...
Norm
a CD, click OK and everything will be fine is a pipe
dream. If a one-size fits all OS is right for you,
then great. It just doesn't work for me.
The price of freedom is eternal vigilance.
Thomas Jefferson.
For the best chance of success, OpenBSD and Apache is a
good choice with a minimal install and no other services
running. There are a lot of easy mistakes to make and
the shear size and flexibility of UNIX systems makes them
complicated, and sometimes, difficult to administer.
I have not installed OpenBSD, but do run FreeBSD, and
I assume it has an anal security install option, which
would likely set the system up to be fairly secure.
Nonetheless, every system needs to have a well thought
out security policy which outlines the risks and takes
measures to reduce those risks without being overly
intrusive. My security policy is extremely intrusive and
I would not recommend it for most corporate environments
since my users would constantly object. The trick is
to not be overly intrusive while still maintaining the
security of the system.
Learning Security on the Internet is like learning to
drive during the Indianapolis 500.
A poorly administered UNIX box is not any more secure
than a poorly administered MS box. Finding buffer over
flows on MS is actually more difficult since you do
not have the source to analyze and the way it is organized
is goofy.
http://www.cs.ucsb.edu/~jzhou/security/overflow.html
I hope the world switches to UNIX + Apache that way maybe
I won't need do much disk space for IDS logs of IIS
attacks.
21:35:15 -0700 07/06/2001 211.53.210.94:2601 -> XX.XX.XXX.XX:80
TCP V 4 IHL 5 TOS 0 Length 151 Ident 12618 TTL 111 Checksum 14143
DF SN=938727855 AN=2176162604 W=8760 18 ACK PSH
00 E0 29 87 F8 C4 00 50 54 61 34 A8 08 00 45 00 ..)....PTa4...E.
00 97 31 4A 40 00 6F 06 37 3F D3 35 D2 5E XX XX ..1J@.o.7?.5.^..
XX XX 0A 29 00 50 37 F3 D9 AF 81 B5 9B 2C 50 18 .5.).P7......,P.
22 38 FC C4 00 00 47 45 54 20 2F 73 63 72 69 70 "8....GET /scrip
74 73 2F 2E 2E 25 63 30 25 61 66 2E 2E 2F 77 69 ts/..%c0%af../wi
6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 nnt/system32/cmd
2E 65 78 65 3F 2F 63 2B 63 6F 70 79 2B 63 3A 5C .exe?/c+copy+c:\
77 69 6E 6E 74 5C 73 79 73 74 65 6D 33 32 5C 63 winnt\system32\c
6D 64 2E 65 78 65 2B 63 3A 5C 69 6E 65 74 70 75 md.exe+c:\inetpu
62 5C 73 63 72 69 70 74 73 5C 73 68 65 6C 6C 2E b\scripts\shell.
65 78 65 0D 0A exe..
I wish the best of luck and recommend keeping things simple
until you can gain the skills you need.
Keith W. McCammon
You have to patch BSD too! You have to patch just about everything at some
point. Plus, slack administration (permissions, log audits, etc.) is as
much to blame for most compromises as the OS/server itself.
However, something like Stronghold or Apache will certainly cause you less
headache *once you've set it up correctly.* They're both extremely stable
and extremely secure web environments, and although you're still going to
have to patch them at some point, you should get a lot more mileage out of
them in the meantime.
two cents...
--
Keith W. McCammon
Sr. Network Engineer
DynCorp HITS
"CHANGE username to westes" <DELETE...@uscsw.com> wrote in message
news:Ha927.33360$Pf4.3...@bin1.nnrp.aus1.giganews.com...
Gandalf Parker
> Having gotten truly sick of keeping up with Microsoft's IIS
> security problems, I wanted to know does anyone make a secure web
> server? Since OpenBSD has the reputation of being the most
> secure form of free UNIX available, I thought that this group
> might have a good perspective on this question.
I dont use them myself but for alot of reasons a MAC might be your best
bet.
They have a great security record, they have the least number of
exploits available at any cracker download site, they are easy to
maintain.
Of course anything CAN be made secure. Part of a Mac advantage is that
fewer people use it, therefore fewer people are trying to figure out
ways of cracking it.
But then thats a disadvantage also in trying to find someone to run it
for you or answer questions on it. It should serve your needs though.
Gandalf Parker
If you ask a guru what operating system, they will tell you them most
irritating one they know. To be a guru requires an irritating operating
system.
CHANGE username to westes
than your OS" discussions because this is supposed to be a
security thread about web servers, not OS. But you didn't
research that remark well. Windows 2000 has a number of very low
I/O primitives, such as support for asynchronous network and file
I/O, and extraordinary multiprocessor support up to 8 processors
(the 32-processor support is still weak). Using I/O completion
ports all I/O events can be serviced in a completely asynchronous
fashion by a minimal number of threads, thereby minimizing
context switches and optimizing workflow. You can't seriously
compare FreeBSD to that, because it doesn't support huge numbers
of processors as well, and it doesn't include as mature
asynchronous I/O.
And our company's own work with many UNIX variants and Windows
2000 on high performance servers suggest that there may be many
reasons to hate Windows 2000, but performance is NOT one of them.
For an application that lends itself to a purely asynchronous
operation, like serving static web pages, nothing is going to go
faster than a well designed Windows 2000 application. Just from
an OS theory perspective, you cannot do better than a couple of
threads servicing 1000 concurrent connections, and never blocking
on any I/O operation. Any OS that can do that is going to be
blazing fast, and I don't care whether it calls itself NT or
UNIX.
Where Windows 2000 has a real weak spot is its internal
complexity. Unlike UNIX, which can be internally understood,
and whose administration can be simplified, Windows contains a
number of features that make it inherently complex and almost
impossible to fully understand even if you are a guru. The
registry, for example, succeeds is making such an interwoven set
of dependencies between so many different layers of the OS,
system applications, and user applications, that it becomes
almost impossible to understand all of the side effects from
shutting down services that you don't think your application
needs.
What I like about UNIX is the idea that I can follow a clear and
simple set of guidelines for securing an application, such as:
- Do not run the web server as root;
- Do not give read/write access to the web server's static web
pages to the userid that runs the web server,
- Do not run any other services on the box (except for secure
ones like SSH)
- Make sure the rest of the file system is secured.
You want to emulate such practices on Windows 2000 as well, but
its internal complexity constantly hampers your attempts to do
that. If you start to do the above, IIS starts to break
because it wants access to many different keys in the registry,
none of which are well documented. You start shutting off
services, and now all of the basic administration GUI tools stop
working. You shut off different parts of Windows 2000
networking, and the next time you go to apply a service patch it
fails because the patch assumed basic services would always be
running.
It just becomes an endless twine of detail, and it serves no
purpose other than to prove than Windows 2000 is hugely complex
undertaking of dozens of different teams, and that the system's
underlying principles were more around "how do we make all of
these things work together and work at all" and not "how can we
make it simple for people to reconfigure these services and
deploy them individually or in small groups of services."
At very least, I'm feeling that the registry as it was designed
is an abomination, and one of the most grotesque pieces of
engineering I've ever seen. The irony of the registry is that
it was selected over the use of individual application files
primarily so that you could secure access to individual registry
keys rather secure access to config files at the file system
level. But the size and disorganization of the beast has the
opposite effect. Very few people understand where all of its
parts extend, and you become afraid to secure anything, because
ultimately you end up breaking other things.
I'm feeling a need to make life simple, or at least more simple.
--
Will
Internet: westes at uscsw.com
PLEASE READ: To reply, CHANGE the username to westes AT
uscsw.com
"wej3715" <wej...@fox.tamu.edu> wrote in message
news:9ib7nr$mg9$2...@news.tamu.edu...
> Barf (deme...@optonline.net) wrote:
> : >1) I want something that can handle a load of 50 concurrent
users
> : >of Java Dynamically generated pages (servlets) on a dual
> : >processor Pentium II 550MHz box with 1 gig of physical
memory.
> :
> : I don't think OpenBSD can use the second processor.
>
> But getting rid of NT and you might get better performance out
> of OpenBSD and one processor than with NT and two processors.
>
> Eric Johnson
>
BigDog
crossposted it into the wrong group.
BigDog
"CHANGE username to westes" <DELETE...@uscsw.com> wrote in message
news:tKl27.26139$zH.19...@news5.aus1.giganews.com...
CHANGE username to westes
web server, I guess I know the topic of the original post. :)
But there is a clear relationship to firewalls, because some
products add security to the web server by acting as a firewall
or filter and intercepting the HTTP stream and scanning it for
potential hacker tricks, then blocking those attempts to access
the web server.
--
Will
Internet: westes at uscsw.com
PLEASE READ: To reply, CHANGE the username to westes AT
uscsw.com
"BigDog" <c...@BLAHBLAHhowdyags.com> wrote in message
news:w3n27.1460$8T1.1...@dfiatx1-snr1.gtei.net...
Unknown
>security problems, I wanted to know does anyone make a secure web
>server?
Possibly, if it's not connected to naything else...
>Since OpenBSD has the reputation of being the most
>secure form of free UNIX available, I thought that this group
>might have a good perspective on this question.
This group? I'm replying on the firewalls group, you crossposted to a
few non-BSD groups you know...
>My requirements are fairly simple:
>
>1) I want something that can handle a load of 50 concurrent users
>of Java Dynamically generated pages (servlets) on a dual
>processor Pentium II 550MHz box with 1 gig of physical memory.
FreeBSD does single processor only (unless it's changed in the last
year or so...). Other than that, assuming your Java isn't terribly
intensive, you should be fine with almost any common OS that will run
on the processor/platform.
>2) I want to set it up and never have to think about security
>again, or at least not very often, because the server should be
>designed from the ground up with security in mind.
Then hire someone to set it up and manage it. Security is a process,
not a single event.
>OpenBSD seems to fit that bill from the perspective of the OS.
>Does anyone make a web server that is equally focused on security
>as its primary selling point?
Security is the responsibility of the admin configuring the system.
Apache can be configured quite securely, but so can IIS. Both have
exploits and patches to avoid them, and by default a web server cannot
be totally secure since it is supposed to connect to other systems and
deliver requested files.
You're looking for an out of the box foolproof setup. For free. You
won't find it. On any platform.
Jeff
H C
> products add security to the web server by acting as a firewall
> or filter and intercepting the HTTP stream and scanning it for
> potential hacker tricks, then blocking those attempts to access
> the web server.
Cool. Really? Like what? Can you name some of the products?
CHANGE username to just westes
best. But it was expensive, and it was more like a toolkit for building
superset functionality on top of protocols that it filtered.
--
Will
NOTE: To reply, CHANGE the username to westes AT uscsw.com
"H C" <carv...@patriot.net> wrote in message
news:3B4A1552...@patriot.net...
Martin
security model of both to compliment each other.
M
"CHANGE username to westes" <DELETE...@uscsw.com> wrote in message
news:hV727.32315$Pf4.3...@bin1.nnrp.aus1.giganews.com...
lar...@no-spam.colargol.tihlde.org
:> But there is a clear relationship to firewalls, because some
The personal firewall BlackIce Defender can do this as it's both a personal
firewall and a IDS system. This means it can block attacks against the http
protocol. Another product that can be used to secure a web server is SecureIIS
by eEye (works only with MS IIS). There are also alot of other stand alone
IDS products that can discover and/or block many kinds of attacks.
Commercial IDS products include RealSecure, cisco Netranger, Cybercop, Dragon
Sensor. Free ones include Snort, Pakemon and Shoki IDS. In addition there
are a number of host based IDS products that audit the system log files
in realtime.
But I guess an IDS wasn't quite what the original poster had in mind?
Lars
H C
version of
Win32-snort from Mike Davis will allow the user to specify an RST packet be
sent
if the traffic matches the rule.
Dimitri Maziuk
[ lame OS advocacy snipped ]
> For an application that lends itself to a purely asynchronous
> operation, like serving static web pages, nothing is going to go
> faster than a well designed Windows 2000 application.
Isn't that an oxymoron?
> Just from
> an OS theory perspective, you cannot do better than a couple of
> threads servicing 1000 concurrent connections, and never blocking
> on any I/O operation.
As in "infinite bandwidth" and "unlimited throughput"?
Nice... can I have fries with that?
Dima (sorry, couldn't resist)
--
E-mail dmaziuk at bmrb dot wisc dot edu (@work) or at crosswinds dot net (@home)
http://www.bmrb.wisc.edu/descript/gpgkey.dmaziuk.ascii -- GnuPG 1.0.4 public key
Well, lusers are technically human. -- Red Drag Diva in asr
Rob J Meijer
>Of course anything CAN be made secure. Part of a Mac advantage is that
>fewer people use it, therefore fewer people are trying to figure out
>ways of cracking it.
So far I agree, but tyou need to think one step further to see this is a
disadvantage.
Fewer people will be triing to crack it, so probably fewer people will
crack it, therefore the change that one of these people will comunicate the
hole he/she found will be smaller, therefore overtime the product will
have much more remaining holes than a product that is more used.
If you use a open source product that is also used verry much like
apache and *bsd or linux, especialy with the modulair setup of these
product, and the possibility to exclude 'new features' this way the number
of exploitable holes will be minimal as holes will have litle change of
remaining in the code for verry long.
Using a obscure product for security reasons mostly means that there are
much more bugs, but almost all bugs are unknown, so the averadge tagging
hack kids will not take the time, or even have the skill to hack their
way into your system, and will go on to other systems.
However if the information you are protecting is valuable to anyone that
would be willing to $500/hr or so for a specialist to find a way truegh
your security he will get in much cheaper (a few days) than he would if you
were using up to date open source solutions (multiple weeks after
what there would be a reasonable change that he would conclude that it was
not possible).
If you just want to protect yourself from kids than sure go for a obscure
system, but if you have got something to protect go for a open system with
a large userbase and stay on top of it.
Tweetie Pooh
09 Jul 2001 05:50:07p with news:3B49E0BF...@127.0.0.1:
>
> Of course anything CAN be made secure. Part of a Mac advantage is that
> fewer people use it, therefore fewer people are trying to figure out
> ways of cracking it.
> But then thats a disadvantage also in trying to find someone to run it
> for you or answer questions on it. It should serve your needs though.
>
> Gandalf Parker
> If you ask a guru what operating system, they will tell you them most
> irritating one they know. To be a guru requires an irritating operating
> system.
>
On that basis an AS400 or whatever IBM has renamed them is even more secure.
It does cost a tad more though and your point on support,software etc is also
valid
Bruce Barnett
I can think of several products that actively block attacks.
However, these have to be generalized attacks. What is difficult is to
block an attack on a poorly designed web site. How do you prevent
someone from getting access to a poorly secured database that has
credit card numbers in it?
There is a commercial product that acts as a smart proxy for a web
application. It blocks all web accesses except for those that are
expected (by maintaining state of each client). It's unique strength
(IMHO) is the ability to prevent hackers from abusing poorly designed
web applications.
The company is Sanctum, Inc
and the product is AppShield. They also make AppScan - a vulnerability
analysis package for web applications.
For instance, it protects against the following classes of web attacks
(list extracted from their documents)
buffer overflows
cookie poisoning
cross site scripting
hidden manipulation
stealth commanding
3rd party misconfiguration
known holes
parameter tampering
backdoor and debug options
forceful browsing
For instance, a hacker can notice that the total of a "shopping cart"
is a hidden parameter. They can modify this, and reduce the total
spent from $1000 to $1. That's hidden manipulation.
Or they can create one account, and then modify the account number to
see what other information is stored there. They may learn - through
parameter tampering - other credit card numbers, etc.
The demo explains each of the terms above.
--
Bruce <barnett at crd. ge. com> (speaking as myself, and not a GE employee)
Konstantinos Agouros
>Since I was the original poster, and since the subject line says
>web server, I guess I know the topic of the original post. :)
>But there is a clear relationship to firewalls, because some
>products add security to the web server by acting as a firewall
>or filter and intercepting the HTTP stream and scanning it for
>potential hacker tricks, then blocking those attempts to access
>the web server.
Frankly Firewalls can do some protection of a webserver for the non-http-stuff
but quite a few of the last IIS hacks were based on legal HTTP-Requests, and
the Firewall pass RFC-conformant requests. What might help is a trusted OS
like HP's Virtual Vault or Argus Pitbull, but now we're getting off newsgroup
topic again \:)
--
Dipl-Inf. Konstantin Agouros aka Elwood Blues. Internet: elw...@agouros.de
Otkerstr. 28, 81547 Muenchen, Germany. Tel +49 89 69370185
----------------------------------------------------------------------------
"Captain, this ship will not sustain the forming of the cosmos." B'Elana Torres
Rob J Meijer
>H C <carv...@patriot.net> writes:
>> > But there is a clear relationship to firewalls, because some
>> > products add security to the web server by acting as a firewall
>> > or filter and intercepting the HTTP stream and scanning it for
>> > potential hacker tricks, then blocking those attempts to access
>> > the web server.
>>
>> Cool. Really? Like what? Can you name some of the products?
>I can think of several products that actively block attacks.
>However, these have to be generalized attacks. What is difficult is to
>block an attack on a poorly designed web site. How do you prevent
>someone from getting access to a poorly secured database that has
>credit card numbers in it?
The simplest, and in my experience reasonable effective way is the use of high hitrate detection.
Most atacks (not including those on a well known insecure webserver that we should all know better
than to use outside a small office enviroment) generate a higher hitrate on a specific broken script files,
and next to this will generate a close to zero hitrate on any other files.
You can use these characteristics to detect and block a large percentage of the atacks.
Example for webserver:
* Deny access to all cgi php etc for IP's that are on a dynamic list
(generated by a monitoring script) of IP adresses, and to all cgi php etc files
that are on a second dynamic list.
* Allow access to cgi, php, etc only on a 'per file' bases.
* Let a logfile monitoring script know what are acceptable per-ip hitrates on each cgi,
php etc script, and if the limit for a ip/script combination is reached let it
put the IP in the incident list.
* Let the script also monitor what scripts are generating IP's into the incident list,
if a script reaches a treshold of blocked IP's put the script itself into the second
incident list.
I know acting on high-hitrate detection makes for an interesting DoS options (that probably why non of the
current blackbox type firewalls implement it anymore), but just remember that security always has a price.
You can choose, do you want to be DoSable or penetrateable (always the first question you should ask the user
before configuring a firewall, or better yet get someone else to ask the user, asking this question does
not make one popular )
Rob J Meijer
pixel fairy
openbsd does not support smp. freebsd does.
everyone else already gave you the security process lecture....