An important way to minimize the threats to your web server is by minimizing the other services that are offered by the computer on which the web server is running. This technique works because each network service carries its own risks. By eliminating all nonessential services, you eliminate potential avenues through which an attacker could break into your system.
Table 15-1 lists some of the services that you should disable or restrict if you wish to run a secure server. Many of these services are widely considered “safe” today, but that doesn’t mean that a serious flaw won’t be discovered in one of them sometime in the future. For example, in the spring of 2001 a vulnerability was found in the Berkeley Internet Name Daemon (BIND) that allowed anyone on the Internet to obtain superuser privileges on any Unix computer running the most common version of the software package. Sites that had nameservers running on their web servers were vulnerable. Sites that had turned off their nameservers were not.
If you don’t need a service, disable it.
Table 15-1. Services to restrict on a secure server
On a Unix server, you can easily restrict unneeded services by commenting out the appropriate lines in inetd.conf. Another small handful of services that run as standalone daemons (portmapper is an example) can be eliminated in the “rc” files, found in /etc/rc and /etc/rc.local and in the subdirectories below /etc/rc.d and /usr/local/etc/rc.d. Many Unix servers now include support for the TCP wrappers file hosts.allow. By modifying this file, you can effectively control which hosts are allowed to access which services on your computer. You can also use IP filtering tools, such as ipfw, to provide host-based access control for outbound services.
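The inetd.conf step above can be applied mechanically: list what is enabled, decide on a short allow-list, and comment out everything else. The script below is an added example written for this page, not code from the book; the inetd.conf sample is constructed, and the allow-list of "ssh ftp" is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit an inetd.conf and comment out every
# service that is not on an explicit allow-list. This is the "if you don't need
# a service, disable it" procedure applied to the inetd configuration file.

# Constructed sample inetd.conf. Real format: service socket proto flags user program args
SAMPLE_INETD='# constructed sample inetd.conf
ftp     stream  tcp  nowait  root   /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root   /usr/libexec/telnetd  telnetd
finger  stream  tcp  nowait  nobody /usr/libexec/fingerd  fingerd -s
#tftp   dgram   udp  wait    root   /usr/libexec/tftpd    tftpd /tftpboot
ssh     stream  tcp  nowait  root   /usr/sbin/sshd        sshd -i'

# Print the name of every service currently enabled (not commented, not blank).
enabled_services() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }'
}

# Rewrite the config text in $1, prefixing "#" to each enabled service line whose
# service name is not in the space-separated allow-list $2. Comments and blank
# lines pass through unchanged, so an already-disabled tftp stays as it was.
disable_unlisted() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        /^[[:space:]]*#/ || NF == 0   { print; next }
        index(allow, " " $1 " ") > 0  { print; next }
                                      { print "#" $0 }'
}

# Report, one per line, the enabled services that the allow-list would disable,
# so an administrator can review the change before writing it to /etc/inetd.conf.
disabled_by_policy() {
    for svc in $(enabled_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Demonstration run against the constructed sample (allow-list is an assumption).
ALLOW="ssh ftp"
echo "Services that would be disabled:"
disabled_by_policy "$SAMPLE_INETD" "$ALLOW"
echo "Resulting inetd.conf:"
disable_unlisted "$SAMPLE_INETD" "$ALLOW"
```

After editing the real file, inetd must be told to reread its configuration (typically by sending it SIGHUP) before the change takes effect.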
Disabling IP services with an NT or Windows 2000 system is a little trickier, because settings are sprinkled throughout the registry, and some services have to be functioning for the sake of NT. Many NT services can be audited and disabled using the Services control panel.
The good news is that NT servers come with built-in access list capability. You can use this to prohibit all traffic to certain ports, and thereby achieve the same results as you would by shutting down services. (You can set IP filtering under the control panel’s advanced TCP/IP settings.)