Subject: Re: security for netbsd as web server
To: Steven M. Bellovin <email@example.com>
From: matthew sporleder <firstname.lastname@example.org>
Date: 03/25/2005 21:27:31
Is this newspeak that only allows strictly defined sql's accross the
link in existance, or is it just theory?
In reply to the actual question, I think netbsd would be great for
this. You could run the database chrooted as well as apache (possibly
in separate chroots using a virtual ip to talk). I would recommend a
hybrid IDS like prelude since it integrates system and network IDS.
Encrypt your cgi setup files since they have a bad habit of storing
database passwords, etc, in plaintext. This is a problem I am
currently working to overcome in php with blowfish, but cgd might not
be a bad solution.
For logging, nn append-only log file might be close in place of a
dedicated logging server.
On Fri, 25 Mar 2005 17:23:34 -0500, Steven M. Bellovin
> In message <email@example.com>, Amadeus Stevenson writes:
> >Hello all,
> >I've been pondering security for a web server + database server
> >recently, in order to make it as secure as possible.
> >The obvious things for me were:
> >-database server accessible only from web server via local network
> >-apache chrooted
> >-tried-and-tested versions of apache and cgi software (no new exploits
> >-ipfilter block all default, allow in www with keep state
> >-securing cgi for code injection etc. (probably biggest area of
> >potential weakness)
> >Is there anything else you could do? Password rotation? What would you
> >do if you had to run, say, a security-critical (eg. a bank or paypal)
> >system? Would you use netbsd? Why not (if so)?
> >Sorry if this is the wrong group - I'm thinking about netbsd for this
> >as for me it's stripped down service wise to a minimum as it is.
> You don't need password rotation, because you don't need passwords.
> Well, it wouldn't hurt to have a root password, but the groups that
> apache and the db run in shouldn't be in a group that can use 'su'.
> Ideally, you'd use two machines; put apache on one and the db on the
> second. Ideally, both machines have two NICs:
> Internet --- apache --- db --- back end
> Have very strict ipfilters on both machines. Don't speak anything as
> powerful as sql over that link; instead, it should be a very
> narrowly-defined application-specific language. My usual term for that
> language is "newspeak", named after Orwell's 1984: the language where
> it was impossible to think a disloyal thought. Here, it should be a
> language where you can't utter an insecure thought. Watch out for sql
> injection attacks. Run regular scans using something like tripwire,
> though that's hard to do properly from the suspect machine. Striclty
> control access to either machine -- ssh only, via public key only
> (watch for the @#$%^ PAM configurations if you're running -current),
> and have a audit trail, possibly on a third machine that runs nothing
> but syslogd.
> And most important of all, watch lots of mailing lists for security
> reports on anything and everything to do with your system.
> As for using NetBSD -- for these purposes, it's likely no better and no
> worse than any other open source system. The flaws are likely to be in
> the applications, and Apache and your CGI scripts will be about the
> same on any platform.
> --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb