Why are you not running Apache? New IIS holes should make you rethink your web server
It has been a while since I have played with Apache, I will admit that. The last time I used it, version 2.0 was the norm, and version 2.2 was just coming out of beta. Today of version 2.2.11 is the current version. What got me thinking about Apache was partially nostalgia and partially head banging and continued frustration with government use of IIS, especially given the exciting events this week.
First, we have reports of the theft and corruption of the Commonwealth of Virginia’s Prescription Monitoring Program web site. The story is that the site had been hacked, the data encrypted or deleted or being held hostage, according to a variety of sites, and the FBI is investigating. As discussed on the latest Search Engine, almost no one is really taking the ransom demand seriously for a variety of reasons. The second topic that got me annoyed was a ComputerWorld article yesterday about new, serious bugs in IIS and Microsoft’s prevailing attitude about the risk. Finally I had to set up an IIS server and kept lamenting that it should not be this hard.
Now, in all fairness, IIS 7 is supposed to be a much better product with text file configuration capability (just like Apache) and it is supposed to be more secure. My question is this. Why, would anyone voluntarily run their web site on IIS? Especially if it was a forward-facing site, connected to the Internet and subjected to attacks every minute of every day?
One of the most outstanding products from the Open Source community is Apache. It is robust, reliable, secure and easily configurable on so many levels. It runs on almost every platform out there, although personally I would only run forward-facing sites with Apache on a stripped and hardened Linux kernel, and it supports a wide variety of plugins for content management, application management and document presentation.
According to Netcraft, the hacked Virginia site is running IIS 5.0 and 6.0 on Windows 2000 and 2003. This violates a number of basic security tenants, patch management being only one of them, but I am continually amazed that government organizations continue to put their citizen’s data at risk this way. More and more, the United States government is collecting your personal data. TSA is about to start collecting your full name, birth date and other personally identifiable information (PII). The current administration is pushing for electronic medical records. Already many government services are only available on-line, and require large amounts of PII to be inputed to get everything from veteran’s benefits to government grants, yet it seems that each of the owners of these sites seems to be less concerned about the security of their customer’s data rather than the perceived ease of operation and cost of ownership by running IIS. There are more stringent security requirements on government laptops than there is on website security.
The Internet, and its interconnection of data, is a good thing. However the front door to these repositories should be as secure and as impenetrable as they can be. Gone are the days of gentlemen hackers who, when finding an unlocked door, would politely tell the site admin about it. This is full scale guerilla warfare, and as administrators and architects, it is our responsibility to make sure the crackers cannot get access to the data that they are not supposed have access to, while the customers can do what they need to do.
Next time we will talk about the data itself, and the databases that it resides on.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Petros Koutoupis' RapidDisk
- The Italian Army Switches to LibreOffice
- ServersCheck's Thermal Imaging Camera Sensor
- Linux Mint 18
- Oracle vs. Google: Round 2
- The FBI and the Mozilla Foundation Lock Horns over Known Security Hole
- Varnish Software's Varnish Massive Storage Engine
- Privacy and the New Math
Until recently, IBM’s Power Platform was looked upon as being the system that hosted IBM’s flavor of UNIX and proprietary operating system called IBM i. These servers often are found in medium-size businesses running ERP, CRM and financials for on-premise customers. By enabling the Power platform to run the Linux OS, IBM now has positioned Power to be the platform of choice for those already running Linux that are facing scalability issues, especially customers looking at analytics, big data or cloud computing.
￼Running Linux on IBM’s Power hardware offers some obvious benefits, including improved processing speed and memory bandwidth, inherent security, and simpler deployment and management. But if you look beyond the impressive architecture, you’ll also find an open ecosystem that has given rise to a strong, innovative community, as well as an inventory of system and network management applications that really help leverage the benefits offered by running Linux on Power.Get the Guide