Chapter 10. Securing Web Servers

You've hardened your server from the bottom up, with an external firewall protecting your DMZ, a local firewall blocking ports, and all the latest patches applied to your operating system. Your fortress is impregnable. But then you blast a hole straight through all these walls to a port on your server. Then you let anyone in the world wander in and run programs on your server, using their own input. You've lost touch with reality, and/or you're a web administrator.

The Web continues to grow, and security problems follow. As firewalls and security tools improve, attacks move up the food chain, particularly toward web applications. In this chapter, I assume that you are hosting web servers and are responsible for their security. Although the examples discuss servers exposed to the Internet, most of the discussion applies to intranets and extranets as well. The platform is still LAMP: Linux, Apache, MySQL, PHP (and Perl). I'll talk about A, M, and P here. MySQL database server security is covered in Chapter 8, but database access from Perl and PHP is discussed here. We'll see how to protect your whole web environment (server, content, applications) and keep the weasels out of your web house.