
This article is for anyone who runs a web site, professionally or as a hobby.  It doesn't matter whether you use IIS, Apache or SunOne/iPlanet as your web server software: these basics will help protect your web site from being exploited.

I have experience working with many different types of web server software and I work with configuring and securing web server software to some extent.

Tip #1 – Shut Off Directory Indexing
Unless you are running a web site for the sole purpose of serving files for download, shut off directory indexing.  You do not want someone requesting an empty directory on your site, or a folder without a default index file, and seeing a full list of the files in that folder.  Directory indexing exposes files you did not intend to be publicly available or easily discovered on your web site.
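As an added example (not code from the original post), here is a small POSIX shell audit covering both halves of this tip: it checks an Apache-style configuration for Options lines that leave Indexes enabled, and lists the folders under a document root that contain no index file, since those are the folders a listing would be shown for. The Apache Options syntax is real; the index file names, the demo tree and the two sample configs are constructed for the example. On IIS the equivalent setting is the Directory Browsing feature.

```shell
# Added example, not from the original post: audit an Apache-style config for
# directory indexing and list document-root folders that have no index file.
# Assumes Apache "Options" syntax; the index file names and the demo tree are
# constructed for the example.

# Return 0 when no Options line enables indexing, 1 (printing the offending
# lines) otherwise. A bare "Indexes" or "+Indexes" enables it; "-Indexes" disables it.
check_no_indexing() {
    hits=$(sed 's/#.*//' "$1" | grep -i '^[[:space:]]*Options' |
           grep -Ei '(^|[[:space:]]|\+)Indexes([[:space:]]|$)' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# List directories under a document root that contain none of the usual index
# files; with indexing on, a request for such a folder returns its file listing.
dirs_without_index() {
    find "$1" -type d | while IFS= read -r dir; do
        found=0
        for name in index.html index.htm index.php default.htm; do
            if [ -f "$dir/$name" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$dir"; fi
    done
}

# Build a constructed demo tree in a temp dir: a small site, one folder with no
# index file, and one weak plus one fixed config. Prints the temp dir path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/images" "$root/htdocs/downloads"
    printf '<html></html>\n' > "$root/htdocs/index.html"
    printf 'PNG\n' > "$root/htdocs/images/logo.png"        # images/ has no index file
    printf '<html></html>\n' > "$root/htdocs/downloads/index.htm"
    cat > "$root/weak.conf" <<'EOF'
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
</Directory>
EOF
    cat > "$root/fixed.conf" <<'EOF'
<Directory "/var/www/htdocs">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
    printf '%s\n' "$root"
}

# Usage: ROOT=$(make_demo_tree); check_no_indexing "$ROOT/weak.conf"; dirs_without_index "$ROOT/htdocs"
```

Run check_no_indexing against each config file the server actually loads (including anything pulled in with Include), and run dirs_without_index against the real document root; every folder it prints either needs an index file or needs indexing switched off for the whole tree.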

Tip #2 – Run HTTPS if your website has content of any type that has sensitive information

I can't believe I still run across websites that ask for a username and password and are still served over http instead of https.  Most people reuse the same usernames and passwords across sites, so if you run a site that collects usernames and passwords and you are not running https, you expose that user's credentials not only for your site but for their other sites as well.  I won't even use a site for login, credit card info, or any type of home address or personal info unless it is secured by an SSL certificate.

Tip #3 – If you run an SSL certificate, don't let it expire.

Keep track of your SSL certificate's expiry date; nothing is more annoying than a major company letting its SSL certificate expire.  It looks unprofessional and makes you wonder what else they aren't properly keeping track of.

Tip #4 – Keep your document root or context root somewhere isolated, with no vulnerable sub-folders.

A web server generally allows access to anything from the document root downward, so put your document root in its own folder or drive with nothing of value in any sub-folder below it, unless you don't mind those resources being exposed through the web server.
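As an added example (not code from the original post), here is a POSIX shell check for the "nothing of value below the document root" part of this tip: it walks a document root and reports files and folders that should never be web-reachable, such as version-control metadata, editor backups and database dumps. The pattern list is a constructed starting point rather than a complete one, and the demo tree is constructed for the example.

```shell
# Added example, not from the original post: scan a document root for files
# that should never sit under a web-served folder. The name patterns are a
# constructed starting point, not a complete list; the demo tree is constructed.

# Print paths under the document root whose names match risky patterns.
# -prune stops find from descending into a matched directory, so a .git
# folder is reported once rather than as every file inside it.
risky_files() {
    find "$1" \( -name '.git' -o -name '.svn' -o -name '.env' \
                 -o -name '*.bak' -o -name '*.old' -o -name '*.sql' \
                 -o -name '*~' -o -name '.htpasswd' \) -prune -print
}

# Build a constructed demo document root: a clean site plus three things
# that do not belong there. Prints the document root path.
make_demo_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/css" "$root/htdocs/.git"
    printf '<html></html>\n' > "$root/htdocs/index.html"
    printf 'body{}\n' > "$root/htdocs/css/site.css"
    printf '[core]\n' > "$root/htdocs/.git/config"              # repository metadata
    printf '<?php $db_pass = "placeholder"; ?>\n' > "$root/htdocs/config.php.bak"  # editor backup of a config file
    printf 'CREATE TABLE users (id INT);\n' > "$root/htdocs/dump.sql"  # database export
    printf '%s\n' "$root/htdocs"
}

# Usage: DOC=$(make_demo_docroot); risky_files "$DOC"
```

Anything risky_files prints should be moved outside the document root (or deleted); a backup copy of a script is especially bad because the server will usually serve it as plain text instead of executing it.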

Tip #5 – Shut off all non-essential listen ports on your web site

Shut down telnet, ftp, finger, and any other services you are running that aren't absolutely essential.  Run netstat -an | grep -i "listen" on Unix, or netstat -an | find "LISTEN" on Windows, to see which ports your web server host is listening on, and shut down anything you don't need.
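As an added example (not code from the original post), here is a POSIX shell script that goes one step beyond the netstat commands above: it turns netstat -an output from either a Unix or a Windows host into a list of listening TCP ports and then flags every port that is not on an allowlist you pass in. The two sample netstat outputs are constructed for the example.

```shell
# Added example, not from the original post: turn "netstat -an" output into a
# list of listening TCP ports and flag the ones outside an allowlist. The two
# sample outputs are constructed; the allowlist is supplied by the caller.

# Read netstat output on stdin and print unique listening ports, numerically
# sorted. Unix lines end in LISTEN with the local address in field 4; Windows
# lines end in LISTENING with the local address in field 2. The port is
# whatever follows the last colon, which also handles IPv6 forms like ":::23".
listening_ports() {
    awk 'toupper($NF) ~ /^LISTEN/ {
             addr = (NF >= 6) ? $4 : $2
             n = split(addr, parts, ":")
             print parts[n]
         }' | sort -n -u
}

# Read ports on stdin and print those not in the space-separated allowlist $1.
unexpected_ports() {
    allow=" $1 "
    while IFS= read -r port; do
        case "$allow" in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Constructed sample of "netstat -an" on a Unix host: web ports plus ftp,
# telnet and a local database listener.
sample_unix() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::23                   :::*                    LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED
EOF
}

# Constructed sample of "netstat -an" on a Windows host.
sample_windows() {
    cat <<'EOF'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           10.0.0.9:51234         ESTABLISHED
EOF
}

# Usage on a live Unix host: netstat -an | listening_ports | unexpected_ports "80 443"
```

Whatever unexpected_ports prints is either a service to shut down or a port to add to the allowlist with a written reason; note that a listener bound to 127.0.0.1 (like 3306 in the sample) is still worth reviewing even though it is not reachable from the network.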

Those are the beginner tips I have for this post.  I will follow up in future posts with additional techniques and basic tips.





Working in the IT industry for over 10 years and specializing in web-based technologies, Dragon Blogger has unique insights and opinions on how the internet and web technology work. An avid movie fan, video game fan, and fan of trying anything and everything new.

Follow Justin Germino on Twitter @dragonblogger