LinuxQuestions.org
Old 09-22-2005, 10:36 PM   #1
iclinux
Member
 
Registered: Dec 2004
Posts: 69

Rep: Reputation: 15
what kind of website is much safer?


Good day,

I want to construct a website, and there're Apache+Php, WebSphere+Jsp, IIS+Asp, etc. But I don't know which one is much safer, much easier to be maintained.

What's your opinion?

Any suggestion will be greatly respected!

Regards,
iclinux
 
Old 09-23-2005, 01:18 AM   #2
linux-rulz
Member
 
Registered: Dec 2004
Distribution: Windows XP Home, Ubuntu Hoary
Posts: 584

Rep: Reputation: 30
A web server is only as secure as the admin behind it knows how to make it

An Apache server run by someone who doesn't know what they are doing will most likely be less secure than an IIS+Win2k3 server run by someone who knows what they're doing extremely well. Which do you have experience with?
 
Old 09-23-2005, 02:22 AM   #3
iclinux
Member
 
Registered: Dec 2004
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks, linux-rulz.

I know little about this aspect, but am eager to construct a much securer website.

And yes, the admin is very important, but I wonder what kind of website is much safer for a beginner, because I haven't enough time to maintain the web.

Best regards.
 
Old 09-23-2005, 03:52 AM   #4
j-ray
Senior Member
 
Registered: Jan 2002
Location: germany
Distribution: ubuntu
Posts: 1,456

Rep: Reputation: 104
Get some webspace from a professional hoster that supplies PHP or Perl (CGI scripts). In general, servers on Linux work more reliably than on Windows (at least in my experience with some ISPs). What will be the use / intention of the website?

Last edited by j-ray; 09-23-2005 at 03:54 AM.
 
Old 09-23-2005, 04:31 AM   #5
iclinux
Member
 
Registered: Dec 2004
Posts: 69

Original Poster
Rep: Reputation: 15
j-ray, thanks.

The website is used for selling game cards, because one friend's website has been intruded several times. She asks me for help, but I know little about web security.

I'll choose linux os.

BTW, the script, which one is much better in security, jsp, php or something else?
 
Old 09-23-2005, 10:04 AM   #6
linux-rulz
Member
 
Registered: Dec 2004
Distribution: Windows XP Home, Ubuntu Hoary
Posts: 584

Rep: Reputation: 30
If you go with a professional web hosting company, such as www.1and1.com, they manage the servers for you and you just set up your scripts and html and stuff. It might be the best solution for you. It would definitely save you a lot of time.
 
Old 09-24-2005, 02:58 AM   #7
iclinux
Member
 
Registered: Dec 2004
Posts: 69

Original Poster
Rep: Reputation: 15
thanks linux-rulz,

I will do it myself, it's a challenge, and I can learn more by doing it.

Best Regards.
 
Old 09-24-2005, 01:14 PM   #8
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
With all due respect, I will repeat what others have said: the site is only as secure as the admin makes it.

With that said, although the server may be secured, your web application is another matter. You can have a very secure server, but an easily-hacked web site. Look at some e-Commerce solutions where prices are posted to the back end through URLs - very insecure.

Likewise, PHP Global variables caught a bad rap because of sloppy programmers, and some apps are coded so badly (see above) that Zend (the creators of PHP) now regard PHP globals to be a security risk. I disagree - calling php_globals a security risk is like saying that giving users accounts is a security risk. Sure, if you do something stupid like add all users to the root group or chmod a+w /, then sure, it could be a risk, but that's just sheer stupidity or sloppy administration.

So from what perspective are you asking? Out-of-the-box security of the web server without considering the scripts/executables which will be running on it, or what portals/ecommerce solutions are coded in such a way that they are not inherently insecure?

One last thing: I would agree, that on MOST (not all) distributions (Linux and *BSD alike), Apache is going to be far more secure by default than IIS is. IIS can be locked down, but it's far less flexible, plus apache .conf files are a heck of a lot easier to manage than IIS's metabase.
 
Old 09-24-2005, 09:33 PM   #9
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by iclinux
BTW, the script, which one is much better in security, jsp, php or something else?
The question you should be asking is: "I have chosen language X to develop my custom application because it meets my needs. Where can I find resources about safe coding practices and auditing my application?"
 
Old 09-24-2005, 09:59 PM   #10
mrcheeks
Senior Member
 
Registered: Mar 2004
Location: far enough
Distribution: OS X 10.6.7
Posts: 1,690

Rep: Reputation: 50
Well said stickman. If you don't have time to manage the site and care about the safety of the scripts running on the server, you should pay for it.
You have to test your scripts in all aspects... to meet your goals. You have to update your server if a security hole is discovered, etc. If you still want to do it yourself, it is the way to go.
 
Old 09-25-2005, 09:04 PM   #11
iclinux
Member
 
Registered: Dec 2004
Posts: 69

Original Poster
Rep: Reputation: 15
thanks all,

I thought maintaining a secure web was not very difficult, but now, I find I'm wrong.

In my opinion, a much securer web consists of a much securer OS, a much securer webserver, a much securer web-script, a better firewall, a better virus-scanner, a better security analysis & policy, and a better administrator.

Um, this topic is so complicated that it's hard for a single person to do it better.

OK, I learn more from here, best regards
 
Old 09-28-2005, 12:27 PM   #12
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

Rep: Reputation: 46
The security of your web site is going to be only as strong as the weakest link.

You can have a well-coded web app with a proper architecture and all values used for logic stored on the back end, not revealed in the HTML output to the browser, but be on an insecure version of IIS or a poorly-configured apache, and get hacked in seconds.

Likewise, you could be on an iron-clad Apache installation or IIS with all of the latest patches, with a poorly-designed web app which, for example, implements php globals incorrectly, and get hacked in seconds.

Firewalls won't help in either case, because in both cases the attacks would come through ports 80 or 443, both of which will be open for normal valid web traffic. A firewall will just help protect you from listening ports which really ought to not be listening in the first place, or with commercial/enterprise-level firewalls, detect DDoS attempts and go into "stealth" mode and simply drop packets from those IPs. Firewalls in typical use do not protect open ports, because they are by definition open and unprotected (for the most part) by design.

It comes down to good administration AND a good software architect overseeing the web app implementation to ensure a secure site. Both good admin and strong development skills are crucial in attaining a secure web site.
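
Added example, not part of any post in this thread: a sketch of the two designs KimVette contrasts in posts #8 and #12, a checkout that takes the price from the URL versus one that keeps every value used for logic on the back end. It is written in Python for brevity, but the same applies to PHP, JSP or ASP; the catalogue, the parameter names (`item`, `qty`, `price`) and the sample URLs are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed catalogue: the authoritative prices live on the back end (in cents).
CATALOG = {"card-100": 1000, "card-500": 4500}
MAX_QTY = 20


def _params(url):
    """Return the first value of each query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def total_trusting_client(url):
    """Insecure pattern: the price is taken from the URL the browser sent."""
    p = _params(url)
    return int(p["price"]) * int(p["qty"])


def total_server_side(url):
    """Hardened pattern: only item id and quantity are accepted from the client."""
    p = _params(url)
    item = p.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(p.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not a number")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


def price_mismatch(url):
    """Log-review helper: True when a client-supplied price disagrees with the catalogue."""
    p = _params(url)
    sent = p.get("price")
    return sent is not None and p.get("item") in CATALOG and sent != str(CATALOG[p["item"]])


# Constructed sample requests: one as the page's form would send it, one edited by the client.
HONEST = "/checkout?item=card-500&qty=2&price=4500"
EDITED = "/checkout?item=card-500&qty=2&price=1"

if __name__ == "__main__":
    for url in (HONEST, EDITED):
        print(url, total_trusting_client(url), total_server_side(url), price_mismatch(url))
```

Both requests arrive on port 80 or 443 as ordinary web traffic, so the only place the edited price can be rejected is in the application itself; `price_mismatch` can be run over existing access logs to find orders placed against the insecure handler.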
 
  


All times are GMT -5.