Changing from Apache to Hiawatha

Jim
29 March 2011, 13:43
Hello.

I have been running my own Apache webserver and still consider myself a beginner.

For a long while I have been tired of trying to figure out how to secure my Apache webserver installation so I am considering changing to Hiawatha webserver.

I gotta say the installing of Hiawatha with PHP-FPM (FastCGI) is VERY easy and I am very happy about that. But I got a couple of questions in terms of securing my PHP applications.
- Is there a built-in web application firewall (WAF) like Mod Security (mod_security) in Hiawatha?
- Do I need to install a firewall alongside, like Shorewall (I guess I need to, just want to be clear)?
- Is there some kind of functionality that can help me prevent hackers from uploading files/injecting files with malicious code?

Probably the last question is more about securing my Debian installation, but you might have some super smart feature that can help.

My main concern is how to secure my server so hackers don't upload files/inject files with malicious code and, if it happens, how to get a complete picture of what happened and how to prevent it in the future. It is a problem I have repeatedly and it is very hard for me to track how they got access to my server other than that I can see the files they compromised. So even though I re-install my server I sometimes don't know how to close the security holes since it is sometimes unclear how they broke in.

If my questions seem like rubbish I apologize since I am still new to the whole subject of securing a web server.

Hugo Leisink
29 March 2011, 19:29
- Hiawatha can filter requests based on URL (via UrlToolkit), content (via DenyBody), by IP (AccessList) or User-Agent string (DenyBot).
- Installing an IP filtering firewall is of course a good thing (to only allow SSH traffic from trusted machines, for example).
- Preventing hackers from uploading files or malicious is not something a webserver should do. It's the task of the website / web application to prevent such things. May I advise you another project of mine: the Banshee PHP framework [www.banshee-php.org].

If you see yourself as 'new to the whole subject', then the first and most important thing you have to do is to become an expert on the subject. Trusting on 'tools' and 'smart features' is not going to help if you don't know what they do. Tools are only good if you know what you want and are looking for something (the tool) to make the job easy.

My advice is to start googling for the following terms: SQL injection, cross-site scripting, cross-site request forgery, directory traversal, code injection and file inclusion. Read about it until you fully understand what it means, how hackers use it and what needs to be done to prevent it. After you're done doing it, don't pretend to be an expert on the subject. Hackers are always looking for new ways to exploit things. So should you. Of course not with the goal to actually use the exploit, but to be a step ahead of hackers. And also remember that applying security is not a project, it's an ongoing process. It's never done! When you become sloppy, that's when things go wrong.

When you then still have questions (and you surely will have questions, otherwise you are only fooling yourself) you are welcome to come back and ask them here. But the internet is full of information about webserver and website security, there is no need for me to include it here.

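A Hiawatha virtual host that wires up the four filters named in the answer above (UrlToolkit, DenyBody, AccessList, DenyBot), as an added example that is not part of this thread; the hostname, paths, network and patterns are made-up assumptions, and the directive names follow the Hiawatha manual as I know it, so check them against the documentation of your installed version.

```conf
# Example Hiawatha configuration fragment (constructed for illustration; not
# from the thread). Hostname, paths, network and regexes are assumptions.

# URL filter (UrlToolkit): drop requests carrying ../ sequences and any attempt
# to execute a .php file that lives under the upload directory.
UrlToolkit {
    ToolkitID = filter
    Match \.\./ DenyAccess
    Match ^/uploads/.*\.php DenyAccess
}

VirtualHost {
    Hostname = www.example.com
    WebsiteRoot = /var/www/example/public
    StartFile = index.php
    UseToolkit = filter

    # Content filter (DenyBody): reject request bodies that contain a PHP open
    # tag, so raw PHP source cannot be posted to an upload handler.
    DenyBody = <\?php

    # User-Agent filter (DenyBot): refuse a named scanner for the whole site ("/").
    DenyBot = BadScanner:/

    # IP filter (AccessList): the admin area is reachable from one trusted
    # network only; everything else is denied.
    Directory {
        Path = /var/www/example/public/admin
        AccessList = allow 192.0.2.0/24, deny all
    }
}
```

These filters only narrow what reaches PHP; as the answer says, validating uploads and input remains the application's job.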
Jim
29 March 2011, 19:47
Thank you very much for your comprehensive and informative answer. What I really like is your concrete example of things I should start researching.