Web Server Hardening
Now that we have a secure, stable, bastionized host to begin with, we can look at the web server itself. First, you are going to have to decide which web server to use. Ubuntu came with Apache2—at least that is what was installed after I chose the install LAMP option—so I am going to start there. But several web servers are available, some of them part of larger frameworks such as application servers.
The following are some general guidelines to protecting web servers/traffic:
Run SSL. One of the most effective security steps you can take is to invest in a digital certificate (http://www.verisign.com) for your web server and serve the site over SSL. In an age where Internet attacks are on the rise, it is hard for a user to tell a secure site from an insecure one, and SSL goes a long way toward solving that problem.
Require that all cookies going to the client are marked secure.
Authenticate users before initiating sessions.
Do server monitoring.
Read the logs.
Validate file integrity.
Review web application for software flaws and vulnerabilities.
Consider running web applications behind a web proxy server, which prevents requests from directly accessing the application. This creates a place where content filtering can be done before data reaches the application.
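As an added example (not code from the book), here is a small Python audit that reads an Apache httpd configuration and reports whether the first two guidelines above are actually in place: SSL enabled and cookies marked Secure. The sample vhost is constructed; the `Header edit Set-Cookie` line is the standard mod_headers idiom for appending the flag, and the audit deliberately ignores it while it is commented out.

```python
"""Audit an Apache httpd config against the web server hardening checklist."""

# Constructed sample: a sites-enabled vhost that has SSL turned on but
# still has the Secure-cookie rewrite commented out.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.com.pem
    # Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</VirtualHost>
"""


def _directives(config_text):
    """Yield (name, args) for every directive line, skipping comments and section tags."""
    for raw in config_text.splitlines():
        line = raw.strip()
        # Apache treats only lines that begin with '#' as comments.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def audit_apache_config(config_text):
    """Return {check_name: passed} for the checklist items we can read from config."""
    ssl_on = False
    cookies_secure = False
    for name, args in _directives(config_text):
        lowered = args.lower()
        if name == "sslengine" and lowered == "on":
            ssl_on = True
        # mod_headers rewrite that appends the Secure flag to every Set-Cookie header.
        if name == "header" and "set-cookie" in lowered and "secure" in lowered:
            cookies_secure = True
    return {"ssl_enabled": ssl_on, "cookies_marked_secure": cookies_secure}


if __name__ == "__main__":
    for check, ok in audit_apache_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it against `/etc/apache2/sites-enabled/*` on the Ubuntu host to see which of the two guidelines each vhost already meets.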
Now, let's look at the specific web servers and see what we can do to secure them.
Apache HTTP Server
The Apache HTTP Server is the most popular web server on the Internet, which helps explain why it comes as the default web server on so many systems. The Apache HTTP ...