Securing WebServers.

dashpuppy

Is there a guide or a list of things people do to secure their webservers, other than having them behind a good firewall and doing Windows updates when they come out?

My server's being pounded on every day, thought I would double check to see if there are any recommendations etc etc.


Webserver is 2008R2 with IIS, all updates are done etc etc.

Firewall is Sonicwall TZ210, updates every 15 min for protection.

Must have received a few dozen or so emails last night of people attempting to get in.

 
Disable any features you do not require or plan to use.

IIS function
PHP functions and addons, etc.
 
Firewall rules should be checked, and DMZ if you're not colocating it. What actually matters is the code on your site. If your site isn't coded well, no firewall will help. If your site is written by others, like WordPress, make sure it's up to date and you pay attention to security issues. If custom written, strongly consider a security audit. Obviously, audit for poor passwords and whatnot.
 
It's WordPress x 2 on Windows 2008 server with all updates, and WordPress is updated also. I check it every week. The WordPress & website is on its own installation of 2008 server running in a VM on my 2008R2 Hyper-V server.
 
Is that by port or by IP, I wonder...

Both. If it's a webserver, it doesn't (OK shouldn't, assuming it's a dedicated webserver) need internet access.

For things like Windows Update or general software updates you can have a rule on your firewall and enable/disable it on the fly when it's needed.
 
It's a dedicated webserver in a vm.
 
Depending on how far you want to go, or what your acceptable risk is.

Proxy in front of the webserver running mod-security.
SQL Firewall filtering SQL queries, greensql-fw.
Log monitoring with HIDS, OSSEC, and performing Active Response.
I've not used it, but there is a Wordpress firewall plugin that if I used wordpress I would look into.

Other normal protections like system updates, the least amount of access needed, proper placement on the network.
Defense in Depth.
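
The log-monitoring item in the list above (the check a HIDS such as OSSEC makes before an active response), as an added example that is not from the thread: it flags source IPs with repeated failed WordPress logins in an IIS W3C log. The sample log, threshold, window and function names are constructed assumptions; it relies on WordPress answering a failed login POST with 200 and a successful one with 302.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2013-01-10 03:14:01 POST /wp-login.php 203.0.113.7 200
2013-01-10 03:14:03 POST /wp-login.php 203.0.113.7 200
2013-01-10 03:14:05 POST /wp-login.php 203.0.113.7 200
2013-01-10 03:14:08 POST /wp-login.php 203.0.113.7 200
2013-01-10 03:14:12 POST /wp-login.php 203.0.113.7 200
2013-01-10 09:30:00 POST /wp-login.php 198.51.100.20 200
2013-01-10 09:30:20 POST /wp-login.php 198.51.100.20 302
2013-01-10 09:31:00 GET /wp-login.php 192.0.2.50 200
"""

def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def brute_force_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: count} for IPs with >= threshold failed logins in any window."""
    attempts = defaultdict(list)
    for row in parse_w3c(text):
        # Failed WordPress login: POST to wp-login.php answered with 200, not 302.
        if (row.get("cs-method"), row.get("sc-status")) == ("POST", "200") \
                and row.get("cs-uri-stem", "").lower() == "/wp-login.php":
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            attempts[row["c-ip"]].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
```

Real IIS logs carry more columns than this sample; the parser reads whatever the `#Fields:` line declares, so the same code applies as long as those five fields are enabled.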
 
SQL Firewall filtering SQL queries, greensql-fw.

I don't want to hijack but have you used this and if so can you tell me anything about it beyond what's on the website?

I'm looking for a SQL application firewall for a DMZ webserver that needs to talk to a SQL server.
 
Check your PM.

But for this thread, yes I have and still use it.
 