Are these steps enough to run secure website, please add more and comment on mine? [on hold]
Imagine a website served by a web server in front of an app server in front of a database. We are not discussing bandwidth saturation attacks or HTTP/S flooding etc. We are only discussing how to ensure maximum security of a website from a DevOps/SysOps perspective. Obviously application developers have their own role to play, but here are my steps; can any of you great gals/guys out there point me to even more steps to ensure website and data security?

To secure the website we will take the following steps:

Note: for our discussion here, static content or files are ones that do not change while on the respective servers until the next official release of the web application.

1) Ensure SELinux is running on all three servers.
2) Ensure all web-served static files have the chattr immutable attribute set.
3) Remove the CAP_LINUX_IMMUTABLE capability from the HTTPD (Apache/Nginx etc.) process.
4) Self-similar step like #3 for any other Linux processes or files like in #2.
5) Set the append-only attribute (chattr) on the HTTPD log files.
6) Set the SELinux context to read-only for the web-served static content: httpd_sys_content_t.
7) Set the SELinux context to httpd_log_t for only appending to log files.
8) Host the static, non-changing web content on a read-only filesystem with permission for Apache/Nginx to read and the proper SELinux context.
9) Set up a script for startup of Apache/Nginx to allow reading of the private key for the website's certificate only initially, and then change the SELinux context of the private key file and ANY other such files that need not be read later, after first start, like php.ini etc.
10) Block port 443 until the SELinux context and read permissions of the important files in the above step have changed, then allow the port to open for Apache/Nginx.
11) Carry out similar steps for the app server and DB servers.
12) Remove all compilers, FTP binaries or other unnecessary binaries from the web server, app server and DB server.
13) Set the mount options for the default or designated directories which Apache/Nginx reads and serves files from to noexec, so that no binaries can execute even if an attempt is made to copy them to the web server after a break-in.
14) Self-similar step like #13 for app and DB servers.
15) Ensure Apache/Nginx do not have any read capability, using SELinux context, for any files outside of their designated serving directories.
16) Self-similar for app and DB servers.
17) Ensure HSTS with preload is being used for the website being served.
18) Lock down all ports for web, app and DB servers; scan regularly for any open unintended ports.
19) Place a Network Intrusion Detection System or Network Intrusion Prevention System between web and app, and between app and DB servers, to detect early if any data is being transported above the normal rate or volume, which would indicate a break-in and data pilfering.
20) Place a Web Application Firewall (WAF) in front of Apache/Nginx and tune it for maximum security.
21) Create SHA-based checksums of select important files and immediately alert on changes on any of the servers if files are modified; basically a host Intrusion Detection System or self-similar.
22) Scan log files via the journalctl command or SELinux logs and alert on any events for page-out.
23) Oh great folks, please comment and add more to the listing to ensure a safe and secure web-serving experience for all.
linux security selinux web
New contributor
put on hold as primarily opinion-based by Jeff Schaller♦ 1 hour ago
Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question.
asked 1 hour ago
user356853
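Steps 13 (noexec on the served directories) and 21 (checksum baseline with an alert on change) are the two items in the list that can be verified rather than just configured. The script below is an added example, not part of the question or any project; it takes a /proc/mounts-style table and a directory tree as inputs so it can be run against constructed data as well as a live host, and the paths in the demo (/var/www/html, /var/tmp/www.sha256) are placeholders.

```shell
#!/bin/sh
# Added example, not from the question: shell checks for step 13 (noexec mount
# on the served directory) and step 21 (SHA-256 baseline + change alert).
# Inputs are files so the functions can be run against a constructed mount
# table (same layout as /proc/mounts) as well as the real one.

# Print the mount options of the filesystem holding directory $2, looked up in
# the mount table $1; walks up to the nearest mount point. Returns 1 if none.
mount_opts() {
    d=$2
    while :; do
        o=$(awk -v d="$d" '$2 == d { print $4 }' "$1")
        [ -n "$o" ] && { printf '%s\n' "$o"; return 0; }
        [ "$d" = / ] && return 1
        d=$(dirname "$d")
    done
}

# 0 if the filesystem under $2 is mounted noexec, 1 if not, 2 if not in table.
has_noexec() {
    opts=$(mount_opts "$1" "$2") || return 2
    case ",$opts," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# Record a SHA-256 of every regular file under tree $1 into baseline file $2.
# Paths are relative to the tree and sorted, so two runs over identical
# content produce byte-identical baselines.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# Recompute the baseline for tree $1 and diff it against $2. Modified, added
# and removed files all show up; returns 1 (after printing the diff) on any
# change, which is the point at which a host IDS would raise the alert.
verify_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    if diff "$2" "$cur" >/dev/null; then rm -f "$cur"; return 0; fi
    echo "ALERT: integrity change under $1" >&2
    diff "$2" "$cur" >&2 || true
    rm -f "$cur"
    return 1
}

# Demo against the live host (placeholder paths): sh check.sh demo /var/www/html
if [ "${1:-}" = demo ]; then
    www=${2:-/var/www/html}
    has_noexec /proc/mounts "$www" && echo "noexec: yes" || echo "noexec: NO"
    make_baseline "$www" /var/tmp/www.sha256 && echo "baseline written"
fi
```

Run `make_baseline` once from a known-good release and `verify_baseline` from cron or a timer; a non-zero exit is the alert condition for step 21.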