Security features
Can we host a site safely?
When we start a web server and test pages locally, we are the only ones reaching it on port 80. As soon as we deploy the site online and the router forwards port 80 to it, anyone on the internet can reach the server, so security has to be taken seriously. Let’s run through each of our web servers and see what needs to change before going live.
A default Apache installation needs several changes: install the ModSecurity module (the libapache2-mod-security2 package on Debian and Ubuntu) and edit /etc/apache2/conf-enabled/security.conf and /etc/apache2/apache2.conf. In security.conf, change the shipped defaults to ServerSignature Off and ServerTokens Prod so that error pages and the Server header no longer reveal the version, operating system and loaded modules. In apache2.conf we can turn off directory browsing (remove Indexes from the Options line of the /var/www block) and cap request sizes with the LimitRequest directives, which blunts simple denial-of-service attacks.
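The changes described above, written out as an added example (this is not the article’s own configuration): the two lines to change in security.conf, the Options line to change in apache2.conf, and a set of request limits. The 10 MiB body limit and the 100-field header cap are assumed values for a small site; raise them per location for upload endpoints.

```apache
# 1. /etc/apache2/conf-enabled/security.conf
#    Debian ships "ServerTokens OS" and "ServerSignature On"; change both.
ServerTokens Prod
ServerSignature Off

# 2. /etc/apache2/apache2.conf
#    The default /var/www block has "Options Indexes FollowSymLinks".
#    Dropping Indexes means a directory without an index file returns 403
#    instead of listing its contents.
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# 3. Also in apache2.conf: cap what a single request may send so oversized
#    bodies or header floods cannot tie the server up.
#    10485760 bytes = 10 MiB (assumed limit for this site)
LimitRequestBody 10485760
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190

# 4. mod_reqtimeout ships with Apache 2.4 and Debian enables it in
#    mods-enabled/reqtimeout.conf; these are its defaults, shown here so the
#    slow-client protection is visible: headers must arrive within 20-40 s and
#    the body must keep flowing at 500 bytes/s or the connection is dropped.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# 5. After "apt install libapache2-mod-security2" the packaged recommended
#    config starts in DetectionOnly; switch to blocking once the rules have
#    been tuned against the site's real traffic.
<IfModule security2_module>
    SecRuleEngine On
</IfModule>
```

Run apache2ctl configtest before reloading. A quick curl -sI http://localhost/ afterwards should show a bare Server: Apache header with no version, and requesting a directory without an index file should return 403 rather than a listing.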
With Nginx, we can open /etc/nginx/nginx.conf and set server_tokens off to hide the version number (the Server: nginx header itself stays; removing it entirely needs a rebuild or the headers-more module). We can also restrict locations by IP address with allow and deny, so the admin area is reachable only from trusted networks. Finally, we can trim the default config of everything the site does not use.
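An added example of the Nginx settings just described (not the article’s own file): server_tokens off, tightened request limits and timeouts, and an /admin/ location that only trusted addresses may reach. The server name, document root and the 192.168.1.0/24 trusted range are assumptions for this example.

```nginx
# /etc/nginx/nginx.conf, http { } block (example values, adjust for the site)
http {
    # Report just "nginx" in the Server header and on error pages
    server_tokens off;

    # Defaults are 1m and 60s; tighten so one client cannot hold a worker
    client_max_body_size 10m;
    client_body_timeout 10s;
    client_header_timeout 10s;

    server {
        listen 80;
        server_name example.com;      # assumed
        root /var/www/html;           # assumed
        autoindex off;                # the default, stated so it cannot be missed

        location / {
            try_files $uri $uri/ =404;
        }

        # Admin area: allow is evaluated in order, everyone else gets 403
        location /admin/ {
            allow 192.168.1.0/24;     # assumed LAN range
            allow 127.0.0.1;
            deny all;
        }

        # Never serve dotfiles (.git, .env, .htpasswd) that end up in the docroot
        location ~ /\. {
            return 404;
        }
    }
}
```

Check the file with nginx -t before reloading. Requests to /admin/ from an address outside the allow list should return 403, and curl -sI from anywhere should show Server: nginx with no version string.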
OpenLiteSpeed is strict about which files it serves by default; we had to edit its config to allow subfolders and so on. To add more layers of protection, we can enable its ModSecurity rule support and use its bandwidth and connection throttling.
With Lighttpd, everything lives in lighttpd.conf, where we can set the maximum number of connections, the keep-alive limits, SSL/TLS, a per-IP connection limit and referer checks that stop other sites hotlinking our images (what the article calls image hijacking).
Tomcat needs quite a few configuration adjustments before a live deployment. We can hide the Server header, enable SSL/TLS and enforce HTTPS. We should also run Tomcat as an unprivileged user rather than root, disable the SHUTDOWN port (port="-1" on the Server element in server.xml), make sure the X-Powered-By header is not sent, disable directory listings in the default servlet, and bind each connector only to the addresses that need to reach it.
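Every server above has been told to stop announcing itself. As an added check (not part of the article), here is a small POSIX shell script that scans an HTTP response for the leaks just discussed: a Server header carrying a version or OS, an X-Powered-By header, and a directory-listing page. The responses embedded below are constructed samples so the script runs offline; against a live host you would pipe in curl -sI http://HOST/ for the headers and curl -s http://HOST/somedir/ for the body.

```sh
#!/bin/sh
# Read HTTP response headers on stdin, print one line per leak,
# return 0 when clean and 1 when anything leaks.
check_headers() {
    findings=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        name=$(printf '%s' "$line" | cut -d: -f1 | tr 'A-Z' 'a-z')
        value=$(printf '%s' "$line" | cut -d: -f2- | sed 's/^ *//')
        case "$name" in
            server)
                # "Apache/2.4.41 (Ubuntu)" or "nginx/1.18.0" carry a version;
                # a bare "Apache" or "nginx" is what we want to see
                case "$value" in
                    */*|*'('*)
                        echo "LEAK Server header discloses version or OS: $value"
                        findings=$((findings + 1)) ;;
                esac
                ;;
            x-powered-by)
                echo "LEAK X-Powered-By present: $value"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Read a response body on stdin; Apache and nginx both title an
# auto-generated listing "Index of /path".
check_listing() {
    if grep -qi '<title>Index of ' ; then
        echo "LEAK directory listing is enabled"
        return 1
    fi
    return 0
}

# Constructed sample responses, not captured from a real host
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html'

CLEAN_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

LISTING_BODY='<html><head><title>Index of /uploads</title></head><body>...</body></html>'

# Demo run: prints the findings for each sample
printf '%s\n' "$LEAKY_HEADERS" | check_headers && echo "headers clean" || echo "headers not clean"
printf '%s\n' "$CLEAN_HEADERS" | check_headers && echo "headers clean" || echo "headers not clean"
printf '%s\n' "$LISTING_BODY" | check_listing && echo "no listing" || echo "listing found"
```

A non-zero exit status from either function is a simple gate to put in a deployment script: if the headers still leak after the config changes, the change has not taken effect (a forgotten reload, or a later config file overriding the directive).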
In addition, we should set expose_php = Off in php.ini so PHP stops adding its version to the X-Powered-By header. For further testing, we can install a web vulnerability scanner such as Wapiti, and a monitoring tool such as Monit to keep watch over the running services. Going a step further, we can use Kali Linux and perform penetration testing against our own site.
VERDICT
Apache 8/10
Tomcat 7/10
Nginx 9/10
OpenLiteSpeed 7/10
Lighttpd 9/10
Config files for Nginx, Lighttpd and Apache make it easy to add more security.