Main Nav


I am curious what products some of you might be using to protect your web server(s) directly from vulnerability attacks such as php, perl, sql, etc.    Are you using an appliance? Proxy? Filter system? Added software protection?   Thanks!



Tim Tyler

Network Engineer

Beloit College


********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at


Message from

Tim ~


What platform or OS are you asking about?  Windows protection is a different beast from *Nix protection.  For my *Nix servers I harden the OS plus the AMP stack w/ Shorewall (iptables) + I run OSSEC for HIDS.  Lastly, we only allow port 80/443 to go to and from our web servers w/ logging on our Juniper firewall.





mysteries made known

Aaron Hockett
Network Systems and Securities Manager 

Warner Pacific College
2219 SE 68th Ave.
Portland, OR 97215 





This message is intended for the sole use of the individual to whom it is addressed. It may contain information that is privileged, confidential or exempt from disclosure under applicable laws. If you are not the intended addressee you are hereby notified that you may not use, copy, disclose, or distribute to anyone this message or any information contained within this message. If you have received this message in error, please immediately advise the sender by replying to this email and delete this message.




The best protection is to have administrators who have an in depth understanding of all the different software components, OS’s, file and database permissions and networking involved and who understand good security practices such as controlling user input, disabling services not needed, staying up on advisories, patching and change control etc.

Maybe I’m stating the obvious to this group, but while there are definitely additional measures that can be taken, this is the most important and often overlooked.

Pete M.


Aaron, others,

We are running Redhat with Apache.  I believe that the current exploits we are observing are coming in against php holes of which some is 3rd part content.   



Yes, I couldn’t more agree. When we write our own code, we are very serious about restricting user input,  keeping it to a minimum, and thinking about all privileges.  But in a distributed working environment of a web server, a lot of content gets put up that isn’t always well checked.   Even the web manager can’t over-see all content.  Some of the content is 3rd party while some are forms developed by other departments.   It is hard to stay on top of content when it is not centralized.  Maybe what we are looking for is something that might aid us in vulnerability checking to do frequent sweeps for potential holes that web publishers might put up from time to time.   




Message from

SELinux anyone? I briefly played around with it for a past web-server I used to run and it seemed like an impressive defense mechanism against most web exploits. Felt like a burden to up-keep though (have to keep relabeling the context and recognize when it causes permissions issues). -Mike ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at

I spent a small amount of time looking at Vega for scanning web pages for vulnerabilities on our hosted sites.  It looked promising but I haven’t put the time into it yet to verify