Security Basics mailing list archives

Re: Linux Web Server Hardening (LAMP + Wiki)


From: Michael Peppard <mpeppard () impole com>
Date: Tue, 29 Jan 2013 09:40:35 -0500

"I'd argue that this is merely because they, being lesser known, represent a smaller attack surface"

This is a fallacy. The most interesting servers usually use the more secure operating systems; therefore, they tend to get the most attention. LAMP, for instance, runs a great percentage of web servers with shopping carts and database access. Very high value targets.

The openness of the code for review by anyone with an interest should make these operating systems open targets, yet somehow it hasn't. In fact, the most paranoid government agencies use a Linux offshoot, Android with custom SELinux, for their secure servers. Strange, huh?

-Mike


On 01/28/2013 01:48 PM, James Thomas wrote:
> Dear Eric,
>
> Thank you for your note.
>
> On 28/01/2013 03:19, Eric Furman wrote:
>> Don't use Linux. It is insecure. Use Windows or one of the BSDs.
>> All are much more secure.
>
> I'd argue that none of these are secure, that perfect security is an
> illusion, and that technical solutions aren't everything.  If there have
> been fewer exploits for the BSDs, I'd argue that this is merely because
> they, being lesser known, represent a smaller attack surface.  I'd be
> more concerned about configuring systems properly than with choice of
> OS, and training all associates to resist spearphishing, etc.
>
> Security should be seen as a series of layers, any of which might be
> breached, and the layer closest to one's skin should be an awareness of
> techniques that may be employed by an attacker, and how to mitigate
> them.  Mitnick's books are a good start for this.
>
> That said, I have no useful answers for Jeffrey's actual question offhand.
>
> James


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------






