Web Application Protection
Ways to Protect a Web Application from Hackers
Web applications have grown in use tremendously over the past few years. Companies and individuals alike have turned to web-based software as a means of sharing and collaborating data, and centralizing applications on a single server (instead of installing client software on client computers). With the growing use of web applications, there is an increasing need to protect web applications from hackers. Web application protection is critical, since a web application is available to anyone on the Internet (by default). It is simply not good enough to update every time a security update is released- additional means of protecting a web application from hackers are necessary to prevent security compromises by new exploits. This article will explore some of the more popular means of web application protection, and the benefits that they have for the security of your server, and your data. Linux-based solutions will be explored specifically, but these basic concepts are cross platform.
Control Network Access to your Web Application with Iptables
Web applications are, by default, available to anyone on the Internet that can communicate with your web server. Although sometimes this is desirable, ask yourself a simple question- is it possible to restrict network access to the web application server, without impacting legitimate users? Is it possible, for instance, to only allow traffic to your web server from certain countries? If so, consider blocking access to your web web server from foreign domains (.cn, .ru, .af, etc). In a Linux firewall or server environment, Iptables is the best tool to accomplish this. With Iptables, you can selectively allow or block networks by country code. Although a hacker can bypass this security measure by using a proxy server, this will cut down on automated scans (bot scans), and worm traffic.
Use Encrypted Connections to your Web Application
It sounds simple, but a SSL certificate for your web server will prevent outsiders from being able to intercept user names and passwords that would otherwise be sent to web clients in plain text. In addition, for sensitive web applications (like web-based email clients), this will help protect the contents of email messages as they are transmitted to web clients. SSL certificates can be self generated (and display a warning every time a client connects to your web application), or you can purchase a SSL certificate for your web application. Either way, using at least SSL version 3 encryption will give your server one more defense against outside attackers.
Use mod_security for Web Application Protection
Sometimes, even the best written web applications have security vulnerabilities. Let's face it- software is written by humans, and humans aren't perfect. A good way to protect against an attacker compromising a server (or injecting SQL code) is to use a module for the Apache web server called mod_security. Mod_security acts as a filter, to remove malicious strings from requests to the web server. Mod_security supports the ability to detect credit card numbers, SQL injection attempts, geographical IP resolution, and even automatic updating of attack rules. Mod_security configurations can be as complex or simplistic as you would like, and mod_security can effectively be used to protect a web application from hackers.
Following these ways to protect a web application from hackers can be easy to implement, and save you the frustration of a web application compromise. Using a strict firewall policy, SSL encryption, and a web application firewall, you can prevent most attackers from successfully compromising your web application. Although these above solutions were all Linux-based solutions, similar solutions are available for various platforms. If you would like any of these methods implemented on your Linux server, please do not hesitate to contact me.