Securing a web server

rotteneggz

Hello,
I've got a web server with a very basic design. Basically it hosts company data like audio files. Right now anyone that gets a hold of the IP address can access all these audio files. I need to be able to secure it. I know one way of doing this is by allowing certain IP addresses to access the server, but I want to make it really secure.

Can anyone suggest other ways I can secure the server? I'm thinking of adding a username/password but I don't think that can stop anyone wanting to access the files.
Thanks
 
You can use iptables to only allow access from certain IP addresses. You can also have an .htaccess file make users enter a user/password for the audio directory.
 
IIS or Apache? Are you worried about securing the content, or the server itself? Is it behind a firewall at the moment?

Block all ports you don't need; if it's just serving up HTTP traffic, it only needs port 80.

As others have said, you can restrict it to only certain individual IPs or particular subnets (I'd personally do this with the firewall, not on the server).

If you want users to authenticate, we need to know what you're using (IIS or Apache) and if you want local auth (local users on the server) or do you need LDAP integration or something? (authenticate domain users)
 
It's set up by my cousin and hosted in another country.
I'm speaking to him right now and he's using Tomcat Apache.
I'll probably be using a separate pfSense box for the iptables and block all ports like you suggested.
The audio files are accessed from a remote location and some local auth. As far as I know there are no LDAP integrations needed.

Is it hard setting up an .htaccess file in order to add a username and password field?
Also, does anyone have any information on how to set up timed log-offs for inactive users?
 
You should probably use some sort of firewall iptables

Setting up an .htaccess file is extremely easy. You can get a large number of examples on Google.
 
You may want to secure connect via SSL so no one can see your passwords, in case you may access the server via a public wifi connection. So, in this case you would only open port 443 in your iptables rules.
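
An added example, not from any poster in this thread: one .htaccess for the audio directory that combines the three suggestions above (password prompt, IP restriction, SSL only). It assumes Apache httpd 2.4 with mod_ssl is what serves the files; Tomcat on its own does not read .htaccess files. The file path, user name and address range are placeholders.

```apache
# .htaccess placed in the audio directory (added example; path, user and range are placeholders).
# The main server config must permit these directives for this directory:
#   AllowOverride AuthConfig Options
# Create the password file outside the web root first (-B stores bcrypt hashes):
#   htpasswd -c -B /etc/apache2/.htpasswd-audio alice

# Refuse any request that did not arrive over SSL/TLS, so the Basic auth
# credentials are never accepted over plain HTTP.
SSLRequireSSL

# Do not generate a file listing for the directory.
Options -Indexes

# Username/password prompt backed by the htpasswd file.
AuthType Basic
AuthName "Company audio"
AuthUserFile /etc/apache2/.htpasswd-audio

# Both conditions must hold: a valid login AND an allowed source address.
# 203.0.113.0/24 is a documentation range; replace it with the real client range.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>
```

Without the `<RequireAll>` wrapper, Apache 2.4 treats multiple `Require` lines as alternatives, so either a valid login or a matching address alone would be enough.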
 