Subject: Re: security for netbsd as web server
To: Amadeus Stevenson <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 03/25/2005 17:23:34
In message <firstname.lastname@example.org>, Amadeus Stevenson writes:
>I've been pondering security for a web server + database server
>recently, in order to make it as secure as possible.
>The obvious things for me were:
>-database server accessible only from web server via local network
>-tried-and-tested versions of apache and cgi software (no new exploits
>-ipfilter block all default, allow in www with keep state
>-securing cgi for code injection etc. (probably biggest area of
>Is there anything else you could do? Password rotation? What would you
>do if you had to run, say, a security-critical (eg. a bank or paypal)
>system? Would you use netbsd? Why not (if so)?
>Sorry if this is the wrong group - I'm thinking about netbsd for this
>as for me it's stripped down service wise to a minimum as it is.
You don't need password rotation, because you don't need passwords.
Well, it wouldn't hurt to have a root password, but the groups that
apache and the db run in shouldn't be in a group that can use 'su'.
Ideally, you'd use two machines; put apache on one and the db on the
second. Ideally, both machines have two NICs:
Internet --- apache --- db --- back end
Have very strict ipfilters on both machines. Don't speak anything as
powerful as sql over that link; instead, it should be a very
narrowly-defined application-specific language. My usual term for that
language is "newspeak", named after Orwell's 1984: the language where
it was impossible to think a disloyal thought. Here, it should be a
language where you can't utter an insecure thought. Watch out for sql
injection attacks. Run regular scans using something like tripwire,
though that's hard to do properly from the suspect machine. Strictly
control access to either machine -- ssh only, via public key only
(watch for the @#$%^ PAM configurations if you're running -current),
and have an audit trail, possibly on a third machine that runs nothing
And most important of all, watch lots of mailing lists for security
reports on anything and everything to do with your system.
As for using NetBSD -- for these purposes, it's likely no better and no
worse than any other open source system. The flaws are likely to be in
the applications, and Apache and your CGI scripts will be about the
same on any platform.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
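A small illustration of the "newspeak" link described above, added here as an example and not code from the original thread: the web tier may only send lines that match a fixed grammar, and the db side maps each verb to exactly one parameterized statement, so SQL text never crosses the link. The account table, the two verbs and the account-number format are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the back-end database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("A1001", 250), ("A1002", 4000)])
    return db


# The entire language spoken over the apache --- db link: one line per request,
# a fixed verb, and arguments of a fixed shape. Anything else is not a valid
# utterance and is rejected before it gets near the database.
GRAMMAR = {
    "BALANCE": re.compile(r"BALANCE (A\d{4})"),
    "DEBIT":   re.compile(r"DEBIT (A\d{4}) (\d{1,6})"),
}


def handle(db, line):
    """Process one request line; return ("OK", value) or ("ERR", reason)."""
    for verb, pattern in GRAMMAR.items():
        # fullmatch: the whole line must be the utterance, no trailing junk.
        m = pattern.fullmatch(line)
        if not m:
            continue
        if verb == "BALANCE":
            row = db.execute("SELECT balance FROM accounts WHERE acct = ?",
                             (m.group(1),)).fetchone()
            return ("OK", row[0]) if row else ("ERR", "no such account")
        if verb == "DEBIT":
            acct, amount = m.group(1), int(m.group(2))
            # The only statement that can change a balance; the amount is
            # bounded by the grammar and the query refuses overdrafts.
            cur = db.execute(
                "UPDATE accounts SET balance = balance - ? "
                "WHERE acct = ? AND balance >= ?",
                (amount, acct, amount))
            db.commit()
            return ("OK", cur.rowcount) if cur.rowcount == 1 else ("ERR", "refused")
    # Nothing matched: the web tier (or whoever now controls it) tried to
    # say something the language cannot express.
    return ("ERR", "not in grammar")
```

Because the db side validates shape rather than blacklisting characters, a compromised web tier gains only the two verbs, not the SQL engine.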