Loading
Why are you not running Apache? New IIS holes should make you rethink your web server
It has been a while since I have played with Apache, I will admit that. The last time I used it, version 2.0 was the norm, and version 2.2 was just coming out of beta. Today of version 2.2.11 is the current version. What got me thinking about Apache was partially nostalgia and partially head banging and continued frustration with government use of IIS, especially given the exciting events this week.
First, we have reports of the theft and corruption of the Commonwealth of Virginia’s Prescription Monitoring Program web site. The story is that the site had been hacked, the data encrypted or deleted or being held hostage, according to a variety of sites, and the FBI is investigating. As discussed on the latest Search Engine, almost no one is really taking the ransom demand seriously for a variety of reasons. The second topic that got me annoyed was a ComputerWorld article yesterday about new, serious bugs in IIS and Microsoft’s prevailing attitude about the risk. Finally I had to set up an IIS server and kept lamenting that it should not be this hard.
Now, in all fairness, IIS 7 is supposed to be a much better product with text file configuration capability (just like Apache) and it is supposed to be more secure. My question is this. Why, would anyone voluntarily run their web site on IIS? Especially if it was a forward-facing site, connected to the Internet and subjected to attacks every minute of every day?
One of the most outstanding products from the Open Source community is Apache. It is robust, reliable, secure and easily configurable on so many levels. It runs on almost every platform out there, although personally I would only run forward-facing sites with Apache on a stripped and hardened Linux kernel, and it supports a wide variety of plugins for content management, application management and document presentation.
According to Netcraft, the hacked Virginia site is running IIS 5.0 and 6.0 on Windows 2000 and 2003. This violates a number of basic security tenants, patch management being only one of them, but I am continually amazed that government organizations continue to put their citizen’s data at risk this way. More and more, the United States government is collecting your personal data. TSA is about to start collecting your full name, birth date and other personally identifiable information (PII). The current administration is pushing for electronic medical records. Already many government services are only available on-line, and require large amounts of PII to be inputed to get everything from veteran’s benefits to government grants, yet it seems that each of the owners of these sites seems to be less concerned about the security of their customer’s data rather than the perceived ease of operation and cost of ownership by running IIS. There are more stringent security requirements on government laptops than there is on website security.
The Internet, and its interconnection of data, is a good thing. However the front door to these repositories should be as secure and as impenetrable as they can be. Gone are the days of gentlemen hackers who, when finding an unlocked door, would politely tell the site admin about it. This is full scale guerilla warfare, and as administrators and architects, it is our responsibility to make sure the crackers cannot get access to the data that they are not supposed have access to, while the customers can do what they need to do.
Next time we will talk about the data itself, and the databases that it resides on.
______________________
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Validate an E-Mail Address with PHP, the Right Way
- RSS Feeds
- Readers' Choice Awards
- Tech Tip: Really Simple HTTP Server with Python
- BASH script to log IPs on public web server
27 min 21 sec ago - DynDNS
4 hours 3 min ago - Reply to comment | Linux Journal
4 hours 35 min ago - All the articles you talked
6 hours 59 min ago - All the articles you talked
7 hours 2 min ago - All the articles you talked
7 hours 3 min ago - myip
11 hours 28 min ago - Keeping track of IP address
13 hours 19 min ago - Roll your own dynamic dns
18 hours 32 min ago - Please correct the URL for Salt Stack's web site
21 hours 44 min ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Developer Poll
Comments
Are you stupid, high or paid?
To the guy defending the piece of trash known as IIS, are you:
a) So stupid that you cant read, understand logic, or basic facts about web servers, or years of evidence
b) Profoundly high or
c) Being paid to spout nonsense.
Zealots... who cares. If
Zealots... who cares. If your running what you want then shut up. I get so sick of the linux community's cry baby attitude all the time... "Billy took my candy..."
If your running apache and think it's great then leave it at that. I mean if your constant bash is MS sucks... linux is better and everyone should use it and your an idiot for not... then just wait until everyone is using it... there will be hacks and security breaches abound discovered for the next little guy to say "XXX is so much better than linux..." Then we will have another little Zealot village... Yippy! I swear reading and listening to this crap is like a womens social club...
Silly little pinguin... simmer down!
MCSE Alert!
I see...so you're both a scared MCSE *and* a chauvinist. Great work, pal. That ol' Ballmer's^H^H^H^H^H^H^H^H^HStockholm's Syndrome sure is working overtime in your head.
Actually, if you choose to remain that ignorant to proper security (i. e. use something other than the horribly buggy IIS), then that's fine by me. I'll see your "pwn3d" Web server launching attacks against my network, and your packets will just get silently...dropped. :-)
For MCSE's like you who are too lazy to read, this article was about ditching IIS, not necessarily Microsoft Windows (that's a separate issue, but also recommended). Apache has been available for Windows Server for many years. Swapping out your IIS for Apache will help your security immensely.
BTW, even though I like Linux, I'm not a Linux zealot. I'm an OpenBSD zealot, thus I'm a silly little *daemon*, not "pinguin". Please, get that right (and learn to spell). And "Billy" can't take my candy, 'cause my candy's Free. But he sure can take yours anytime he wants. :-D
whatever
this article is bullshit, misinformed on so many levels
Ah, but your comment, far
Ah, but your comment, far from being that of the bull, clearly reeks of that of the chicken.
--SYG
I don't run apache
Cause nginx is so much nicer.
I don't run apache at work because...
...I run lighttpd instead :)
I got fed up with the way Gentoo split up the httpd.conf file into (way too) many different files, so I switched to lighty instead. Granted, that's a Gentoo issue (one of the few things I don't like about Gentoo) rather than an Apache issue. At home, I'm still running Apache, but that's only until I replace my Slack machines with Gentoo.
You're forgiven
I haven't played with lighttpd, but the concept is the same. Strip it down, make it efficient and secure, and unencumbered by the junk you don't need.
David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack
Agree with the author
> Apache also suffers from exploits
> (http://blogs.zdnet.com/security/?p=3268).
Hmm. I'm pretty sure the author was referring to Apache web server (not Apache Geronimo Application Server and some other miscellaneous apps, which you cited).
Apache also has exploits
This anti-IIS rant is unjustified.
There's no proof I can find that IIS was the root cause of the Virginia data/website hack.
Apache also suffers from exploits (http://blogs.zdnet.com/security/?p=3268).
The simple fact is that any O/S and web server is as vulnerable as the applications installed upon it. A bad implementation of a PHP app on Apache is as hackable as one on IIS.
Managing risks by not being kept in the dark
>> This anti-IIS rant is unjustified.
Well, it's sticks out like a sore thumb that IIS is found at the scene of the crime at a much higher proportion than is Apache.
>> Apache also suffers from exploits
Yeah, nothing is perfect, but I suppose you have not heard of risk management. Do you keep vipers loose around your house because "you can die of anything?" Do you tell everyone your password because "it will eventually be stolen or hacked?"
>> A bad implementation of a PHP app on Apache is as hackable as one on IIS.
Wrong. With transparency and access to all the information you need on your terms, you can manage risks and discover weaknesses on your terms.
Some applications or businesses don't make security a top concern. These will likely write unsafe PHP (or more likely ASP) and use anything. But those that do care about risk management don't want to have their hands tied or eyes shut. We have enough to worry about. We are the boss. The secrets should be kept from enemies, not from us. See for example http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2204&bl...
When a problem strikes, it usually affects a lot of other users besides yourself. While you may lack expertise in some areas, many others do not. Collectively, the users of software have a lot more money on the line and more resources at their disposal to solve the problem than does the software vendor(s) working with limited help. This is one reason why open source gets patched so much quicker than proprietary software when a problem is made known to most people through an exploit. The users want the problems solved more than does the vendor. The users can collectively spend more to fix such problems.
Eh... That's the Geronimo Application Server
NOT httpd. I believe the comparison the author made was between IIS and apache's httpd. I say "Foo!" to you whilst smacking you with a trout.
Smacking with a trout? That
Smacking with a trout? That ought to bring the discussion to the new intellectual level.
As for the new bugs in IIS - those are not in the http.sys but in the WebDAV. So extensions are taken into account here, from the beginning.
I always prefer discussions based on facts. Linking Virginia security compromise to particular software without supporting facts is a FUD tactic. Linux community can live without that.