
Notes:
One of the conclusions of Dan Farmer’s survey was that the majority of hosts were providing too many services. Although it may be possible to run each service (e.g. News, Web, Email) securely, the multiplication of services increases the risk that one service contains a security hole. An equally important point is that unused services should be disabled. Unix is particularly errant in this regard, even though vendors now disable services such as finger and bootp by default. Unix isn’t the only culprit; Microsoft’s marketing blather would have users believe that NT and 95 are secure turnkey Internet solutions, but this is certainly not the case.
All public services should be run either as the nobody id (e.g. user -2 on Unix) or under their own special account. They should certainly not run as the omnipotent root or system user. Running as nobody restricts the server to publicly readable files. The server should also be configured to run under a changed root directory tree; this restricts clients to a small subset of the file-system. Make sure that any log files generated by the server are secure. Where this is a Web server used for accepting credit card orders, the log files may contain the credit card details themselves (if the GET method is used to submit forms). Hackers also like to cover their tracks by overwriting logging information.
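The following audit is an added example, not part of the original notes: it scans access-log lines for GET requests whose query string carries a Luhn-valid card number and rewrites those lines with the query string redacted. The Common Log Format layout, the sample lines, and the helper names `luhn_ok`, `card_params` and `redact` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Common Log Format assumed); 4111111111111111 is a standard test number.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:01:22 +0000] "GET /order.cgi?item=42&card=4111111111111111&exp=0199 HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2000:10:02:05 +0000] "GET /index.html HTTP/1.0" 200 2048',
    '192.0.2.12 - - [01/Jan/2000:10:03:40 +0000] "GET /search.cgi?q=1234567890123456 HTTP/1.0" 200 900',
    '192.0.2.13 - - [01/Jan/2000:10:04:11 +0000] "POST /order.cgi HTTP/1.0" 200 512',
]
# Matches the quoted request field: method, request target, protocol.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_params(line):
    """Names of query parameters in a logged GET request that hold a plausible card number."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "GET":
        return []  # POST bodies are not written to the access log
    hits = []
    for name, value in parse_qsl(urlsplit(m.group("target")).query):
        digits = re.sub(r"[ -]", "", value)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(name)
    return hits

def redact(line):
    """Return the line with the query string of a flagged request replaced by a marker."""
    m = REQUEST.search(line)
    if not m or not card_params(line):
        return line
    path = m.group("target").split("?", 1)[0]
    return line[:m.start("target")] + path + "?[REDACTED]" + line[m.end("target"):]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(card_params(line), redact(line))
```

The sixteen-digit search term in the third sample line fails the Luhn check, so it is left alone; only the order request is flagged and rewritten.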
Some servers permit access to be restricted by IP address or domain. While not a universal panacea, it can assist where files should only be available to a limited audience. Many Web servers implement a password mechanism to protect documents or files. However, unlike the initial log-in required by FTP or Telnet, the password information must be re-transmitted for every request. This is because HTTP is a stateless protocol. Frequent broadcasting of password information over insecure channels increases the chance of it being intercepted by hackers.