Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
I want to construct a website, and there're Apache+Php, WebSphere+Jsp, IIS+Asp,etc. But I don't know which one is much safer, much easier to be maintained.
A web server is only as secure as the admin behind it knows how to make it
An Apache server run by someone who doesn't know what they are doing will most likely be less secure than an IIS+Win2k3 server run by someone who knows what they're doing extremely well. Which do u have experience with?
get some webspace from a professional hoster that supplies php or perl (cgi scripts). in general servers on linux work more reliable than on windows (at least my experience with some isps). what will be the use / intention if the website?
The website is used for selling game-card, cause one friend's website has been intruded for several times. She asks me for help, but I know little about the web-security.
I'll choose linux os.
BTW, the script, which one is much better in security, jsp, php or something else?
If you go with a professional web hosting company, such as www.1and1.com, they manage the servers for you and you just set up your scripts and html and stuff. It might be the best solution for you. It would definately save you a lot of time.
With all due respect, I will repeat what others have said: the site is only as secure as the admin makes it.
With that said, although the server may be secured, your web application is another matter. You can have a very secure server, but an easily-hacked web site. Look at some e-Commerce solutions where prices are posted to the back end through URLs - very insecure.
Likewise, PHP Global variables caught a bad rap because of sloppy programmers, and some apps are coded so badly (see above) that Zend (the creators of PHP) now regard PHP globals to be a security risk. I disagree - calling php_globals a security risk is like saying that giving users accounts is a security risk. Sure, if you do something stupid like add all users to the root group or chmod a+w /, then sure, it could be a risk, but that's just sheer stupidity or sloppy administration.
So from what perspective are you asking? Out-of-the-box security of the web server without considering the scripts/executables which will be running on it, or what portals/ecommerce solutions are coded in such a way that they are not inherently insecure?
One last thing: I would agree, that on MOST (not all) distributions (Linux and *BSD alike), Apache is going to be far more secure by default than IIS is. IIS can be locked down, but it's far less flexible, plus apache .conf files are a heck of a lot easier to manage than IIS's metabase.
Originally posted by iclinux BTW, the script, which one is much better in security, jsp, php or something else?
The question you should be asking is: "I have chosen language X to develop my custom application because it meets my needs. Where can I find resources about safe coding practices and auditing my application?"
Well said stickman. If you don't have time to manage the site and care about the safety of the scripts running on the server, you should pay for it.
You have to tests your scripts in all aspects...to meet your goals. You have to update your server if a security hole is discovered, etc. If you still want to do it yourself, it is the way to go.
I thought maintaining a secure web was not very difficult, but now, I find I'm wrong.
In my opinion, a much securer web is consisted of a much securer OS, a much securer webserver, a much securer web-script, a better firewall, a better virus-scanner, a better secure analyse&policy, and a better administrator.
Um, this topic is so complicated that it's hard for a single person to do it better.
The security of your web site is going to be only as strong as the weakest link.
You can have a well-coded web app with a proper architecture and all values used for logic stored on the back end, not revealed in the HTML output to the browser, but be on an insecure version of IIS or a poorly-configured apache, and get hacked in seconds.
Likewise, you could be on an iron-clad Apache installation or IIS with all of the latest patches, with a poorly-designed web app which, for example, implements php globals incorrectly, and get hacked in seconds.
Firewalls won't help in either case, because in both cases the attacks would come through ports 80 or 443, both of which will be open for normal valid web traffic. A firewall will just help protect you from listening ports which really ought to not be listening in the first place, or with commercial/enterprise-level firewalls, detect DDoS attempts and go into "stealth" mode and simply drop packets from those IPs. Firewalls in typical use do not protect open ports, because they are by definition open and unprotected (for the most part) by design.
It comes down to good administration AND a good software architect overseeing the web app implementation to ensure a secure site. Both good admin and strong development skills are crucial in attaining a secure web site.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.