Title: Overview of WWW

KBTAG: kben10000128
URL: http://www.securityportal.com/lskb/10000100/kben10000128.html
Date created: 07/08/2000
Date modified: 10/08/2000
Date removed:
Authors(s): Kurt Seifried seifried@securityportal.com
Topic: Overview of WWW
Keywords: Network/WWW

Summary:

WWW traffic is one of the largest components of Internet usage today. There are a variety of popular WWW servers for Linux, the most popular of course being Apache (with over 50% of the market). Most modern WWW servers also have the capability to use SSL to secure sessions (for e-commerce and so on). This section is very Apache-centric, but since Apache is the default www server for almost all Linux (and *BSD) distributions it makes sense. I'm also writing for the 1.3.9 version of Apache, which no longer uses access.conf or srm.conf but instead has rolled everything into httpd.conf.

HTTP runs on port 80, tcp, and if it is for internal use only (an intranet, or a www-based control mechanism for a firewall server, say) you should definitely firewall it.

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 80
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 80
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 80

or in ipchains:

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 80
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 80
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 80

HTTPS runs on port 443, tcp, and if it is for internal use only (an intranet, or a www-based control mechanism for a firewall server, say) you should definitely firewall it.

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 443
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 443
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 443

or in ipchains:

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 443
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 443
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 443
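Both ipfwadm and ipchains evaluate a chain top to bottom and stop at the first matching rule, so the order of the accept and deny lines above is what makes them work. The following Python simulator is an added example (not part of the original article) that models that first-match behaviour over the port 80 and 443 rules above; it assumes 192.0.2.10 as a stand-in for some.trusted.host and ACCEPT as the chain's default policy.

```python
import ipaddress

# Constructed rule set mirroring the article's ipchains rules for ports 80 and 443.
# "some.trusted.host" is replaced by the placeholder address 192.0.2.10 (assumption).
RULES = [
    ("ACCEPT", ipaddress.ip_network("10.0.0.0/8"), 80),
    ("ACCEPT", ipaddress.ip_network("192.0.2.10/32"), 80),
    ("DENY",   ipaddress.ip_network("0.0.0.0/0"), 80),
    ("ACCEPT", ipaddress.ip_network("10.0.0.0/8"), 443),
    ("ACCEPT", ipaddress.ip_network("192.0.2.10/32"), 443),
    ("DENY",   ipaddress.ip_network("0.0.0.0/0"), 443),
]


def evaluate(rules, src, dport, default="ACCEPT"):
    """Verdict for a TCP packet from src to destination port dport.

    As in ipchains/ipfwadm, the first matching rule wins; if no rule matches,
    the chain's default policy applies (assumed ACCEPT, the usual default).
    """
    src_ip = ipaddress.ip_address(src)
    for action, net, port in rules:
        if src_ip in net and port == dport:
            return action
    return default


def allowed_sources(rules, dport, probes):
    """Return the subset of probe source addresses that may reach dport."""
    return [s for s in probes if evaluate(rules, s, dport) == "ACCEPT"]


def deny_first(rules):
    """The same rules with the catch-all DENY lines moved to the front.

    Under first-match evaluation this locks out even the trusted sources,
    which is why the DENY line must come last in the article's rules.
    """
    denies = [r for r in rules if r[0] == "DENY"]
    accepts = [r for r in rules if r[0] != "DENY"]
    return denies + accepts


if __name__ == "__main__":
    probes = ["10.1.2.3", "192.0.2.10", "203.0.113.5"]
    print("port 80 reachable from:", allowed_sources(RULES, 80, probes))
    print("port 80 with DENY first:", allowed_sources(deny_first(RULES), 80, probes))
    # The rules only cover 80 and 443; any other listening port falls through
    # to the default policy, so it still needs its own rule.
    print("port 8080 from outside:", evaluate(RULES, "203.0.113.5", 8080))
```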

More information:

Web servers themselves are usually not the problem; the problem is usually the CGI scripts and other programs installed to make a website interactive. Authentication of users on the web is also handled badly in most cases.

http://www.securityportal.com/research/www-auth/ - WWW Authentication

WWW Servers

Apache

kben1000130 - Apache webserver

thttpd

A lightweight http server suitable for web based interfaces and the like (Phoenix Adaptive firewall uses it for their interface for example). You can get it at: http://www.acme.com/software/thttpd/

AOL Server

I know, it sounds strange but it is true. AOL Server is a free www server, with source code available. Not only that but it supports SSL and several other advanced features. Definitely worth taking a look at. You can get it from: http://aolserver.com/.

There is more to securing your www server than installing Apache and configuring it properly. Most servers will need to allow access to their filesystems so that users can upload and modify files on the server. For this there are 4 widely used methods that I will cover in detail.

webfs

webfs is a lightweight www server that implements basic functionality and is available from: http://www.in-berlin.de/User/kraxel/webfs.html.

Simple Web Server

Simple Web Server is a small web server with basic functionality. You can get it at: http://linuxstuffs.cjb.net/.

Flash Web Server

A lightweight, fast www server. You can get it at: http://www.cs.rice.edu/~vivek/flash/.

Secure webservers

If you are located in the US, RSA is patented, so you either have to use DSA (which is hard to get site certificates for) or buy a commercial server based on Apache (like Stronghold). If you are located in Europe you may live in a country where IDEA is patented, so make sure you check first. There are also a variety of commercial packages. I have also written two articles covering the various secure www servers:

Web server round-up, Part 1

Web server round-up, Part 2

Red Hat Secure Server

Red Hat Secure Server is an Apache based product from (guess who) Red Hat software. Essentially it is stock Apache with RSA cryptographic modules (which is what you are paying for essentially) and can also serve standard non cryptographic http requests. It can only be sold in the USA and Canada, and is the best option (in my opinion) as far as secure www servers that are legal to use in the US go (due to RSA patents). As far as security goes read the previous section on Apache / Apache-SSL, it all applies. Red Hat Secure Server costs $100 US and you get a $25 discount on your Thawte site certificate (so the site certificate only costs $100 US). I personally like it a lot as it is based on software that runs over half the www sites in the world and as such getting support/updates/etc. is easy. You can buy Red Hat Secure Server from: http://store.redhat.com/commerce/.

Roxen

Roxen is another commercial www server capable of HTTPS and is GPL licensed. You can freely download it if you are in the European Union or Australia, Canada, Japan, New Zealand, Norway, USA, or Switzerland. A version with “weak” (40 bit) crypto can be downloaded without any problems to any country. Roxen is an extremely solid product and is available from: http://www.roxen.com/.

Zeus

kben10000154 - Zeus webserver

Netscape Enterprise

Currently in beta testing (although it installed and runs fine) for Linux, available from: http://www.iplanet.com/downloads/iwsonlinux.html.

IBM HTTP Server

IBM also makes an HTTP server for Linux (based on Apache) that you can download from here: http://www-4.ibm.com/software/webservers/httpservers/download.html.

References:


Notes: