Web servers are vulnerable to all of the normal security problems that are discussed in Chapter 12, "Security." But they also have their own special security considerations. In addition to all of the normal threats, such as network break-ins and denial-of-service attacks, web servers are responsible for protecting the integrity of the information disseminated by the server and for protecting the information sent by the client to the server.
Access to the server information is protected by access controls. Through the httpd.conf file, you can configure host-level and user-level access controls. Access control is important for protecting internal and private web pages, but most web information is intended for dissemination to the world at large. For these global web pages, you don't want to limit access in any way, but you do want to protect the integrity of the information on all pages.
One of the unique security risks for a web server is having an intruder change the information on the web pages. We have all heard of high-profile incidents in which intruders get in and change the home page of some government agency, inserting comical or pornographic material. These attacks are not intended to do long-term harm to the server, but they are intended to embarrass the organization that runs the website.
Use the Linux file permissions discussed in Chapter 9 to protect the files and directories in which you store web documents. The server does not need write permissions, but it needs to read and execute these files. Executable files, if they are poorly designed, are always a potential security threat.
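One way to check that the server account really has no write access to the document tree is to audit the permission bits directly. The script below is an added example, not taken from the book; the function names and the account and path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: list everything under a document root that the web server
# account could modify under the classic owner/group/other permission bits.
#
# Usage: audit_docroot DOCROOT SERVER_USER SERVER_GROUP  (names or numeric IDs)
#   e.g. audit_docroot /var/www/html apache apache   (hypothetical path/account)
#
# Assumptions and limits: POSIX ACLs, supplementary groups and root's
# override of permission bits are not considered. Symbolic links are skipped
# because their own mode bits are not what the kernel checks.
audit_docroot() {
    docroot=$1 user=$2 group=$3
    # A file is writable by the server account when:
    #   - the account owns it and the owner-write bit is set, or
    #   - it does not own it, the group matches, and group-write is set, or
    #   - neither owner nor group matches and other-write is set.
    find "$docroot" ! -type l \( \
        \( -user "$user" -perm -0200 \) -o \
        \( ! -user "$user" -group "$group" -perm -0020 \) -o \
        \( ! -user "$user" ! -group "$group" -perm -0002 \) \
    \) -print
}

# Returns 0 when the server account can modify nothing under DOCROOT,
# non-zero otherwise, so it can gate a deployment or a cron check.
docroot_is_read_only() {
    [ -z "$(audit_docroot "$1" "$2" "$3")" ]
}

# When called with three arguments, print the offending paths.
if [ "$#" -eq 3 ]; then
    audit_docroot "$1" "$2" "$3"
fi
```

Any path the script prints is a file or directory that a compromised server process could alter; directories matter as much as files, because write access to a directory allows files in it to be replaced.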