Web Servers Pay Particular Attention to Security

Web Servers
If you are hosting your Web site on your own server, you need to pay particular attention to security. You should probably install intrusion detection software such as Tripwire. Here are some other basic steps you can take to help create a more secure Web site:

* Running the Server
Servers running on Unix and Linux should be run as an account with little or no access. If you need a Web user, then make sure that that user account has no permissions on the server. NEVER RUN YOUR SERVER AS ROOT. It is better to run the server as "nobody", and only run as a Web user if you absolutely have to.

* CGI-BIN Directory
Make sure that your interpreters (programs that run your CGIs) are not stored in your cgi-bin directory. Perl, sh, Tcl, and so on, should be in directories that are not accessible from the Web. CGI programs that use an interpreter should call that interpreter with the first line of the CGI.

* Insecure CGIs
The most common problem with CGIs is that they allow readers to input anything to the Web server. For example, if you have a Web form that doesn't check the data before passing it to the server, a hacker using your site could type in code to view your /etc/passwd file. There is a CERT tech tip that explains how to do this.

The best place to go to learn about security on the Internet is the CERT Coordination Center. There you can find out about new vulnerabilities and solutions immediately.