Subject: Re: security for netbsd as web server
To: Amadeus Stevenson <amadeus.stevenson@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 03/25/2005 17:23:34
In message <1c42f0e050325140223d1bb1@mail.gmail.com>, Amadeus Stevenson writes:
>Hello all,
>
>I've been pondering security for a web server + database server
>recently, in order to make it as secure as possible.
>
>The obvious things for me were:
>
>-database server accessible only from web server via local network
>-apache chrooted
>-tried-and-tested versions of apache and cgi software (no new exploits
>appearing)
>-ipfilter block all default, allow in www with keep state
>-securing cgi for code injection etc. (probably biggest area of
>potential weakness)
>
>Is there anything else you could do? Password rotation? What would you
>do if you had to run, say, a security-critical (eg. a bank or paypal)
>system? Would you use netbsd? Why not (if so)?
>
>Sorry if this is the wrong group - I'm thinking about netbsd for this
>as for me it's stripped down service wise to a minimum as it is.
>

You don't need password rotation, because you don't need passwords.  
Well, it wouldn't hurt to have a root password, but the groups that 
apache and the db run in shouldn't be in a group that can use 'su'.

Ideally, you'd use two machines; put apache on one and the db on the 
second.  Ideally, both machines have two NICs:

Internet --- apache --- db --- back end

Have very strict ipfilters on both machines.  Don't speak anything as 
powerful as sql over that link; instead, it should be a very 
narrowly-defined application-specific language.  My usual term for that 
language is "newspeak", named after Orwell's 1984: the language where 
it was impossible to think a disloyal thought.  Here, it should be a 
language where you can't utter an insecure thought.  Watch out for sql 
injection attacks.  Run regular scans using something like tripwire, 
though that's hard to do properly from the suspect machine.  Strictly 
control access to either machine -- ssh only, via public key only 
(watch for the @#$%^ PAM configurations if you're running -current), 
and have an audit trail, possibly on a third machine that runs nothing 
but syslogd.

And most important of all, watch lots of mailing lists for security 
reports on anything and everything to do with your system.

As for using NetBSD -- for these purposes, it's likely no better and no 
worse than any other open source system.  The flaws are likely to be in 
the applications, and Apache and your CGI scripts will be about the 
same on any platform.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
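A minimal illustration of the "newspeak" idea above, added here as an example and not code from the thread: the db-side listener accepts a fixed vocabulary of verbs with strictly validated arguments and nothing else, so the web tier cannot express arbitrary SQL over the link. The schema, sample rows and verb names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema and data standing in for the back-end database.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
_DB.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                [(1, "alice", 100), (2, "bob", 50)])

# The only argument shape the protocol knows: a positive decimal account id.
_ID = re.compile(r"^[1-9][0-9]{0,8}$")

# The whole vocabulary the web tier may speak: each verb maps to one fixed,
# parameterized statement plus the validator for its single argument.
# There is no verb for "run this SQL", so a compromised web host cannot ask.
VERBS = {
    "BALANCE": ("SELECT balance FROM accounts WHERE id = ?", _ID),
    "OWNER":   ("SELECT owner FROM accounts WHERE id = ?", _ID),
}


def handle(line: str):
    """Answer one request line of the form 'VERB ARG' from the web tier.

    Returns ('OK', value) or ('ERR', reason).  Error replies are fixed
    strings: neither the SQL nor the raw input is ever echoed back.
    """
    parts = line.strip().split(" ")
    if len(parts) != 2:            # exactly one verb and one argument
        return ("ERR", "malformed")
    verb, arg = parts
    if verb not in VERBS:          # anything outside the vocabulary is refused
        return ("ERR", "unknown verb")
    sql, validator = VERBS[verb]
    if not validator.match(arg):   # argument must match the declared shape
        return ("ERR", "bad argument")
    row = _DB.execute(sql, (int(arg),)).fetchone()
    if row is None:
        return ("ERR", "no such account")
    return ("OK", row[0])
```

The ipfilter rules on the db host would additionally restrict this listener to the apache host's inner NIC, so the vocabulary check is the second of two fences, not the only one.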