Server Configuration - Basic Security Part 7

NB: This is the seventh post in a series of posts on web application security.

Configuring a server correctly is both 1) hard and 2) critical.

You’ve probably spent a bunch of time configuring Apache or nginx, or whatever your server of choice is, for performance. But have you configured it for security?

I can’t tell you exactly what to do without knowing your setup, but some basics:

  1. Are directories only writeable by the application user [1]?
  2. Do all of them even need to be? Are you sure?
  3. Can the web process write to its own source files?
  4. Are any Alias or ScriptAlias directives set that you don’t know about?
  5. Are your firewall rules restrictive enough?
  6. There is literally so much more. Contract a good sysadmin.
  7. Is PHP installed on your Python server?

1: See Valentin’s comment about running server and application(s) as separate users. He’s right.

Let me elaborate on the last one, because our security team will let me. We had left PHP installed (part of our puppet configs) on app servers that were only going to run Python. Someone discovered a small hole—we weren’t checking the extensions of uploaded images—and realized they could upload PHP scripts, and the Apache server, happily serving “static” files, interpreted and ran them.

Shit.

Don’t do that. Learn from us on that one. Double check. Then check again.
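
One way to automate the first three checklist items and the check that would have caught the PHP upload, as an added example that is not from the original post: it walks a tree and reports directories and source files the application user can write to, plus files in upload directories that carry an extension a server may hand to an interpreter. The extension list, the `media` upload directory and the sample tree are assumptions constructed for the illustration.

```python
import os
import stat
import tempfile

# Assumed list of extensions a server may map to an interpreter; match your own handlers.
SCRIPT_EXTS = {"php", "phtml", "php5", "phar", "cgi", "pl"}

def can_write(st, uid, gids):
    """Mode-bit check for (uid, gids); ignores ACLs and root's override."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids, upload_dirs=()):
    """Return sorted (finding, relative_path) pairs for the tree under root."""
    root = os.path.abspath(root)
    uploads = tuple(os.path.join(root, d, "") for d in upload_dirs)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_uploads = os.path.join(dirpath, "").startswith(uploads)
        if not in_uploads and can_write(os.lstat(dirpath), uid, gids):
            findings.append(("writable-dir", os.path.relpath(dirpath, root)))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # mod_mime considers every extension of a name, so test each dot-separated part.
            exts = {part.lower() for part in name.split(".")[1:]}
            if in_uploads and exts & SCRIPT_EXTS:
                findings.append(("script-in-uploads", rel))
            elif not in_uploads and can_write(os.lstat(path), uid, gids):
                findings.append(("writable-source", rel))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree owned by the current user."""
    layout = {"app/views.py": 0o444, "app/settings.py": 0o644,
              "media/cat.jpg": 0o644, "media/avatar.php.jpg": 0o644}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit(root, os.getuid(), os.getgroups(), upload_dirs=["media"])

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, pass the application user's uid and group ids rather than the current user's, and list every directory that is meant to accept uploads.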

What else?

Those of you who’ve configured servers, webdevs, devops, sysadmins, what are other key things to check to make sure you’ve hardened your server configuration?