[ILUG] Help with web site security
Tom Salmon
tom at tomsalmon.com
Thu Jan 5 14:43:40 GMT 2012
It may also be worth running one of the penetration testing tools against your server. I have often used openvas (formerly Nessus).
Although if you're using shared hosting, running scanning software against a server that someone else manages could be considered inappropriate.
Tom.
On Thu, Jan 05, 2012 at 02:30:24PM +0000, Killian Faughnan wrote:
> Hi,
>
> I'd look at upgrading Drupal first as there's a few known issues with 5.5
> (may or may not be applicable in your situation):
>
> http://www.cvedetails.com/cve/CVE-2008-3742/ (Unrestricted file upload)
> http://www.cvedetails.com/cve/CVE-2008-3741/ (XSS)
> http://www.cvedetails.com/cve/CVE-2008-3740/ (XSS)
> http://www.cvedetails.com/cve/CVE-2008-3222/ (Session fixation)
>
> If you own the server then restrict SSH access to the IP you usually manage
> the site from, remove root SSH access and restrict down to only the user
> you connect as using AllowUsers. Change the default listening port. Put
> on fail2ban etc. Restrict all outbound access as a lot of exploits require
> outbound access to work. Ideally you'd do this from a managed firewall
> instead of IPTables but make use of whatever you have. Remove services
> you're not using, especially ones that listen on the outside interface.
> Make sure your Apache is patched and look into mod_security. Pretty much
> anything you can do to limit the potential attack surface, and therefore
> make it more effort than it's worth.
>
> Killian
>
> --
> Killian Faughnan
>
> http://www.killianfaughnan.com
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
--
Tom Salmon BEng (Hons)
Software Engineer
http://tomsalmon.eu/
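The server-hardening steps quoted from Killian's reply (restrict SSH to the management address, no root login, AllowUsers, non-default port, fail2ban, default-deny outbound) worked into a script. This is an added example and not code from either poster. It assumes a management address of 203.0.113.10, an admin login named deploy, SSH moved to port 2222 and Apache running unprivileged; nothing in it touches the live host, the functions only print config fragments or audit a file you hand them.

```shell
#!/bin/sh
# Added example, not from the ILUG thread. Generates and audits the SSH and
# firewall hardening described in the reply above. Assumed values: management
# IP 203.0.113.10 (TEST-NET-3), admin login "deploy", SSH on port 2222.
# Nothing here modifies the system; the functions only print or read files.

MGMT_IP="${MGMT_IP:-203.0.113.10}"
ADMIN_USER="${ADMIN_USER:-deploy}"
SSH_PORT="${SSH_PORT:-2222}"

# sshd_config fragment: non-default port, no root login, keys only, and the
# admin user accepted only when connecting from the management address.
sshd_hardening() {
    printf 'Port %s\n' "$SSH_PORT"
    printf 'PermitRootLogin no\n'
    printf 'PasswordAuthentication no\n'
    printf 'AllowUsers %s@%s\n' "$ADMIN_USER" "$MGMT_IP"
}

# Value of a directive as sshd itself resolves it: the FIRST uncommented
# occurrence wins, so a hardened line appended below an old "Port 22" is
# silently ignored. Keywords are matched case-insensitively.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Audit an sshd_config: prints each failing check, returns 1 if any failed.
audit_sshd() {
    f="$1"; rc=0
    v=$(sshd_directive "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-default}"; rc=1; }
    v=$(sshd_directive "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-default}"; rc=1; }
    v=$(sshd_directive "$f" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers not set"; rc=1; }
    v=$(sshd_directive "$f" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || { echo "FAIL Port=${v:-22}"; rc=1; }
    return $rc
}

# iptables rule script: default-deny in both directions. Inbound allows only
# web traffic and SSH from the management address. Outbound allows DNS and
# package updates for root only (-m owner), so a PHP process that has been
# exploited through Drupal cannot fetch a payload or open a reverse shell;
# replies to inbound web connections still flow via ESTABLISHED. Dropped
# outbound packets are logged so such attempts show up in syslog.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $MGMT_IP --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 0 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTBOUND-DROP: " --log-level 4
EOF
}

# fail2ban jail.local fragment. The sshd jail assumes port 22, so after
# moving SSH it must be told the new port or it bans nothing. Jail name
# [sshd] is assumed (current fail2ban); older releases call it [ssh].
fail2ban_jail() {
    printf '[sshd]\nenabled = true\nport = %s\nmaxretry = 3\nbantime = 3600\n' "$SSH_PORT"
}
```

Because sshd takes the first occurrence of each directive, put the fragment at the top of /etc/ssh/sshd_config (or edit the existing lines) rather than appending it, run sshd -t before reloading, and keep your current session open while you confirm a fresh login works on the new port from the management address. Apply the firewall rules from a script that schedules a rollback you cancel once you know you are still connected, since a typo in the management IP otherwise locks you out. None of this applies on shared hosting, which is why Killian prefaced it with "if you own the server".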