
Securing a self hosted web server/site

-Jess-

Hey guys,

I've been using an internal Redmine server for quite some time now. It's the stack available from Bitnami running on Windows Server 2008 R2 (on Hyper-V). I've recently thought of making this server accessible to some of my colleagues for use in research projects/collaboration over the web - but I have a few concerns before publishing. Though the data isn't that critical, I'd rather not have my box/app compromised. :)

This is what I've done so far:
  1. I've made small changes here and there to the configuration files (vhost, app). From what I've read, the general configuration of Bitnami stacks is pretty secure as-is.
  2. Passwords for MySQL and the admin account for the application itself are strong.
  3. Robots.txt changed to disallow indexing (for bots that actually obey :rolleyes: ).

General Info/Other:
  1. Firewall/UTM is an Untangle 11 x64 box. Internet connection is 50/10; Static IP.
  2. Very likely to implement an SSL certificate for the Redmine box.
  3. Expected traffic is very low (six users total - all different timezones and probably about two connected users at any point).
  4. Even though it's not currently available on the web, both stack and OS are updated and backed up often, and this will continue if/when it goes live.

From my understanding, all I'd really need to do is port forward either 80 (or 443) and in theory I should be fine - but I still have some concerns:
  1. For an implementation like this - should the box still be isolated away from the general network (in a DMZ)?
  2. Would an Untangle box be suitable for firewall duties here, or should I be looking at running pfSense? (If anyone is currently using Untangle for protecting a webserver - any recommendations for configuration?)
  3. Is running a WAF recommended in this type of setup and are there any recommendations for one that supports Windows Apache?

Since this is a first for me - any input or general recommendations on securing webservers/applications are appreciated. :D
 
Putting your server in a DMZ could help by isolating the rest of your network from a potential target. I like defense in depth at work, but you'll have to decide if it is worth the work to do it.

At work I use ModSecurity in Apache 2.2 on Red Hat, then add in the free OWASP rulesets that are applicable to my work environment. Looks like they have a Windows compiled version: https://www.modsecurity.org/. I'm not sure what Redmine or Bitnami would need rules-wise; we're mostly Tomcat and a few IIS apps here.
 
Jake -
Thanks for the feedback. As my network was mostly for internal testing, any thought I gave to setting up a DMZ fell to the wayside. But you're right, it is good practice. I'll give a look into formally setting it up.

As for the WAF - ModSecurity is actually included with the stack but is disabled by default. I'm in the process of enabling/configuring it to see how it works. This should be interesting to say the least...:eek:

Thanks again!

I'll give you a warning about modsec, right out of the FAQ:
Should I initially set the SecRuleEngine to On?

No. Every ruleset can have false positives in new environments, and any new installation should initially use the log-only ruleset version or, if no such version is available, set ModSecurity to detection only using the SecRuleEngine DetectionOnly command. After running ModSecurity in a detection-only mode for a while, review the events generated and decide if any modification to the rule set should be made before moving to protection mode.

Run it as DetectionOnly for a little bit, and look at the logs after using it to make sure it isn't getting any false positives.
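One way to do that log review, as an added example that is not from the thread or from the ModSecurity project: a small Python script that parses the Apache error-log lines ModSecurity 2.x writes in DetectionOnly mode and tallies hits per rule id, URI and client address. The log lines, rule ids, file paths and addresses are constructed for illustration; rules that only ever fired for known colleagues' addresses are the first false-positive candidates to check before setting SecRuleEngine On.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Apache error-log lines as ModSecurity 2.x writes them
# while SecRuleEngine is DetectionOnly ("Warning" rather than "Access denied").
# Rule ids, file paths, messages and addresses are illustrative, not real CRS rules.
SAMPLE_LOG = """\
[Tue Mar 10 09:12:01 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:content. [file "C:/Bitnami/modsec/rules/sqli.conf"] [line "40"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "redmine.example"] [uri "/projects/demo/wiki/Queries"] [unique_id "a1"]
[Tue Mar 10 09:15:22 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:content. [file "C:/Bitnami/modsec/rules/sqli.conf"] [line "40"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "redmine.example"] [uri "/projects/demo/wiki/Queries"] [unique_id "a2"]
[Tue Mar 10 10:01:09 2015] [error] [client 198.51.100.9] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "C:/Bitnami/modsec/rules/protocol.conf"] [line "12"] [id "900202"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "redmine.example"] [uri "/robots.txt"] [unique_id "a3"]
[Tue Mar 10 10:02:44 2015] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:content. [file "C:/Bitnami/modsec/rules/sqli.conf"] [line "40"] [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "redmine.example"] [uri "/issues/12"] [unique_id "a4"]
"""

FIELD_RE = re.compile(r'\[(id|msg|uri|severity) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)')


def parse_event(line):
    """Extract the bracketed fields of one ModSecurity log line (None if it is not one).
    Simplification: field values containing escaped quotes are not handled."""
    if "ModSecurity:" not in line:
        return None
    ev = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    ev["client"] = m.group(1) if m else "?"
    return ev


def summarize(log_text):
    """Count hits per rule id and record which URIs and client addresses fired it."""
    hits, uris, clients = Counter(), defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or "id" not in ev:
            continue
        hits[ev["id"]] += 1
        uris[ev["id"]][ev.get("uri", "?")] += 1
        clients[ev["id"]].add(ev["client"])
    return hits, uris, clients


def likely_false_positives(log_text, known_users):
    """Rule ids whose every hit came from a known user's address: the first
    candidates to review (and perhaps tune or exclude) before switching the engine On."""
    _, _, clients = summarize(log_text)
    return sorted(rid for rid, addrs in clients.items() if addrs <= set(known_users))


if __name__ == "__main__":
    hits, uris, _ = summarize(SAMPLE_LOG)
    for rid, n in hits.most_common():
        print(f"rule {rid}: {n} hit(s); uris={dict(uris[rid])}")
    print("review first:", likely_false_positives(SAMPLE_LOG, {"203.0.113.7"}))
```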
 