Web Server Security
on 10.06.2007 03:01:21 by engineer10325
I'm about to put my 1st web server on the internet. It will have
sensitive information on it. So I'm looking for pointers to
information on how to secure a web server.
I'm also interested in understanding how the directories are secured.
I'm running an application that has a login screen, but I need to be
sure that you can't just go around the login page and drill down
directly into the directories - which does not seem to be the case
today.
Thanks in advance!
Re: Web Server Security
on 10.06.2007 14:12:00 by shimmyshack
On Jun 10, 2:01 am, engineer10325 wrote:
> I'm about to put my 1st web server on the internet. It will have
> sensitive information on it. So I'm looking for pointers to
> information on how to secure a web server.
>
> I'm also interested in understanding how the directories are secured.
> I'm running an application that has a login screen, but I need to be
> sure that you can't just go around the login page and drill down
> directly into the directories - which does not seem to be the case
> today.
>
> Thanks in advance!
My advice is that if you are running a bought and paid for app, then
subscribe to their security alerts using your principal email. If you
are making your own, then don't put it out there until you have had it
looked over by someone with security experience (unless the buck
stops with someone else!!).
Sensitive info (whatever that means) should only be placed on the net
if you have the experience to secure it, and have conformed to the
relevant laws for your country for data protection if applicable.
Security for a webserver (and webapplication) is different from "home
security": no firewalls, no antivirus will help you. It is about
minimisation of exposed surface area. No matter if you have secured
all but one single seemingly minor flaw, a decent hacker will find
that flaw and use it to throw open the rest, and who would boast about
all but a single flaw?
Anyway, my advice is unless you KNOW, don't.
Re: Web Server Security
on 12.06.2007 00:18:41 by kwan
On Jun 10, 5:12 am, shimmyshack wrote:
> On Jun 10, 2:01 am, engineer10325 wrote:
>
> > I'm about to put my 1st web server on the internet. It will have
> > sensitive information on it. So I'm looking for pointers to
> > information on how to secure a web server.
>
> > I'm also interested in understanding how the directories are secured.
> > I'm running an application that has a login screen, but I need to be
> > sure that you can't just go around the login page and drill down
> > directly into the directories - which does not seem to be the case
> > today.
>
> > Thanks in advance!
>
> my advice is that if you are running a bought and paid for app, then
> subscribe to their security alerts using your principal email, if you
> are making your own, then don't put it out there until you have had it
> looked over by someone with security experience, (unless the buck
> stops with someone else!!)
> sensitive info (whatever that means) should only be placed on the net
> if you have the experience to secure it, and have conformed to the
> relevant laws for your country for data protection if applicable.
> Security for a webserver (and webapplication) is different from "home
> security" no firewalls, no antivirus will help you, it is about
> minimisation of exposed surface area, no matter if you have secured
> all but one single seemingly minor flaw, a decent hacker will find
> that flaw and use it to throw open the rest, and who would boast about
> all but a single flaw?
> anyway, my advice is unless you KNOW, don't.
You may be interested in implementing suexec, which I currently use on my new
webserver.