Good day,

I want to construct a website, and there're Apache+Php, WebSphere+Jsp, IIS+Asp,etc. But I don't know which one is much safer, much easier to be maintained.

What's your opinion?

Any suggestion will be greatly respected!

Regards,
iclinux

A web server is only as secure as the admin behind it knows how to make it

An Apache server run by someone who doesn't know what they are doing will most likely be less secure than an IIS+Win2k3 server run by someone who knows what they're doing extremely well. Which do u have experience with?

thanks,linux-rulz.

I know little about this aspect, but am eager to construct a much securer website.

And yes, the admin is very important, but I wonder what kind of website is much safer for a beginner? cause I haven't enough time to maintain the web

Best regards.

get some webspace from a professional hoster that supplies php or perl (cgi scripts). in general servers on linux work more reliable than on windows (at least my experience with some isps). what will be the use / intention if the website?

j-ray, thanks.

The website is used for selling game-card, cause one friend's website has been intruded for several times. She asks me for help, but I know little about the web-security.

I'll choose linux os.

BTW, the script, which one is much better in security, jsp, php or something else?

If you go with a professional web hosting company, such as www.1and1.com, they manage the servers for you and you just set up your scripts and html and stuff. It might be the best solution for you. It would definately save you a lot of time.

thanks linux-rulz,

I will do it myself, it's a challenge, and I can learn more by doing it.

Best Regards.

With all due respect, I will repeat what others have said: the site is only as secure as the admin makes it.

With that said, although the server may be secured, your web application is another matter. You can have a very secure server, but an easily-hacked web site. Look at some e-Commerce solutions where prices are posted to the back end through URLs - very insecure.

Likewise, PHP Global variables caught a bad rap because of sloppy programmers, and some apps are coded so badly (see above) that Zend (the creators of PHP) now regard PHP globals to be a security risk. I disagree - calling php_globals a security risk is like saying that giving users accounts is a security risk. Sure, if you do something stupid like add all users to the root group or chmod a+w /, then sure, it could be a risk, but that's just sheer stupidity or sloppy administration.

So from what perspective are you asking? Out-of-the-box security of the web server without considering the scripts/executables which will be running on it, or what portals/ecommerce solutions are coded in such a way that they are not inherently insecure?

One last thing: I would agree, that on MOST (not all) distributions (Linux and *BSD alike), Apache is going to be far more secure by default than IIS is. IIS can be locked down, but it's far less flexible, plus apache .conf files are a heck of a lot easier to manage than IIS's metabase.

The question you should be asking is: "I have chosen language X to develop my custom application because it meets my needs. Where can I find resources about safe coding practices and auditing my application?"

Well said stickman. If you don't have time to manage the site and care about the safety of the scripts running on the server, you should pay for it.
You have to tests your scripts in all aspects...to meet your goals. You have to update your server if a security hole is discovered, etc. If you still want to do it yourself, it is the way to go.

thanks all,

I thought maintaining a secure web was not very difficult, but now, I find I'm wrong.

In my opinion, a much securer web is consisted of a much securer OS, a much securer webserver, a much securer web-script, a better firewall, a better virus-scanner, a better secure analyse&policy, and a better administrator.

Um, this topic is so complicated that it's hard for a single person to do it better.

OK, I learn more from here, best regards

The security of your web site is going to be only as strong as the weakest link.

You can have a well-coded web app with a proper architecture and all values used for logic stored on the back end, not revealed in the HTML output to the browser, but be on an insecure version of IIS or a poorly-configured apache, and get hacked in seconds.

Likewise, you could be on an iron-clad Apache installation or IIS with all of the latest patches, with a poorly-designed web app which, for example, implements php globals incorrectly, and get hacked in seconds.

Firewalls won't help in either case, because in both cases the attacks would come through ports 80 or 443, both of which will be open for normal valid web traffic. A firewall will just help protect you from listening ports which really ought to not be listening in the first place, or with commercial/enterprise-level firewalls, detect DDoS attempts and go into "stealth" mode and simply drop packets from those IPs. Firewalls in typical use do not protect open ports, because they are by definition open and unprotected (for the most part) by design.

It comes down to good administration AND a good software architect overseeing the web app implementation to ensure a secure site. Both good admin and strong development skills are crucial in attaining a secure web site.