This is an English translation of my original article, «Mejoras practicas para implementar sitios web o portales corporativos seguros». I apologize in advance: English is not my native language.
I want to share some good practices that I feel are very important when implementing a website or portal.
- When planning a high-value website or portal, it is advisable to separate the technological elements (databases, web servers, application servers) into distinct tiers, so that a compromise of the public-facing tier does not directly expose the data tier.
- If the project budget allows, plan for redundancy and high availability from the start, and provide separate production, certification (staging) and development environments.
- If you have both public and private elements (databases, documents, applications), it is highly recommended to keep them completely separate: on different hosts or network segments, not merely in different directories of the same server.
- When starting a software deployment, the vast majority of technicians tend to disable kernel-level protections such as SELinux. Keep them enabled whenever possible (in some cases the vendor's own instructions tell you to disable them; setting the relevant SELinux booleans or adding a targeted policy module for the application is usually enough, and keeps the protection for the rest of the host).
- As on any server, it is important to disable all unused services. Why have CUPS running on a machine that will never print, or an NFS export that nobody mounts? It is simple: if it is not used, turn it off.
- If your server needs to run a PHP application, why should the web server also be able to execute Perl or Ruby scripts? Apply the same rule: do not install unnecessary interpreters, and remove the ones that are not used, so that an attacker who gains a foothold has fewer tools to work with.
- A good configuration of each component of the solution saves future headaches: a sensible partitioning scheme (for example, separate partitions for logs and uploads so that a full disk cannot take the whole system down), proper tuning of the database engine, of the web servers, and so on.
- If you are deploying a third-party solution, it is very important to follow the vendor's deployment best practices and the minimum settings they require for a production environment. It is always easy to run chmod -R 777 * and declare that the solution works «fine», but that leaves every file writable by any local user, including the web server account an attacker may already control.
- Earlier we discussed running a PHP application; suppose it is a CMS such as Joomla or Drupal. As a consultant it is very important to tell the site administrators that they must follow the project's security mailing lists and announcements, and apply security updates (to the core and to its extensions) promptly.
- Password policies at the operating system, database and application levels must be strong, and the passwords for each level should be different, so that one leaked credential does not open all three.
- We can have strong password policies, but if we do not protect our services from brute-force attacks the passwords will eventually fall. Use tools such as fail2ban, which watches the logs and temporarily bans source addresses that fail authentication repeatedly, for each exposed service in your solution (SSH, the web server's authentication, the database if it is reachable from outside).
- In many cases organizations deploy solutions but forget, or lack the tools, to monitor in real time all the components involved in a web solution (load balancers, web servers, databases, application servers, etc.). Several open source solutions exist: Nagios, Zenoss, Zabbix.
- One of the happiest moments is when the project reaches an advanced stage and the client starts to see their website and asks when it will finally be published. In many cases the implementing organization is desperate to finish and get paid, and in a high number of projects backup policies are never defined, much less a contingency plan for a catastrophe. Define them from the start, assessing the costs and resources they require, and verify that the backups can actually be restored.
- Finally, it is always advisable to perform a complete security test after the deployment is finished, using penetration testing tools; there are distributions dedicated to this, for example BackTrack.
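The server-hardening items above (keep SELinux enforcing, disable unused services, remove interpreters the role does not need, undo a chmod -R 777, and protect services with fail2ban) collected into a small POSIX shell audit script. This is an added example, not code from the original article. The service names, package names, webroot paths and the fail2ban thresholds are assumptions for illustration; each check reads captured command output on stdin, so the demo runs on constructed input without root or a live host.

```sh
#!/bin/sh
# Post-deployment hardening audit (added example, not the article author's code).
# Each check reads captured command output on stdin, so it can run against a
# live host or, as in demo(), against constructed samples.
# Exit status: 0 = check passed, 1 = something to fix.

# 1. Kernel-level protection: SELinux must be Enforcing, not merely installed.
#    Live usage:  getenforce | check_selinux
check_selinux() {
  read -r mode
  case "$mode" in
    Enforcing) echo "OK SELinux is enforcing"; return 0 ;;
    *) echo "FAIL SELinux is '$mode'; set SELINUX=enforcing in /etc/selinux/config"; return 1 ;;
  esac
}

# 2. Unused services: report enabled units that this server role does not need.
#    Live usage:  systemctl list-unit-files --type=service --state=enabled --no-legend \
#                   | check_services "cups.service nfs-server.service"
check_services() {
  rc=0
  while read -r unit state rest; do
    for unneeded in $1; do
      if [ "$unit" = "$unneeded" ]; then
        echo "FAIL $unit is $state; run: systemctl disable --now $unit"
        rc=1
      fi
    done
  done
  return $rc
}

# 3. Interpreters: a PHP host should not also carry perl/ruby/python packages that
#    hand an attacker with a foothold a ready-made second stage. $1 = allowed packages.
#    Live usage:  rpm -qa --qf '%{NAME}\n' | check_interpreters "php php-cli"
#           or:   dpkg-query -W -f='${Package}\n' | check_interpreters "php php-cli"
check_interpreters() {
  wanted="$1"; rc=0
  while read -r pkg; do
    case "$pkg" in
      perl|ruby|python|python2|python3|php|php-cli)
        case " $wanted " in
          *" $pkg "*) ;;    # on the allow-list for this role
          *) echo "FAIL interpreter package $pkg is not needed by this role"; rc=1 ;;
        esac ;;
    esac
  done
  return $rc
}

# 4. Permissions: undo what "chmod -R 777" left behind. Directories 755, files 644
#    (the web server only needs to read the code); only the named upload directory
#    stays group-writable. Returns 0 once nothing under the webroot is world-writable.
#    Live usage:  fix_webroot /var/www/html /var/www/html/uploads   (assumed paths)
fix_webroot() {
  root="$1"; uploads="$2"
  before=$(find "$root" -perm -0002 | wc -l | tr -d ' ')
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -d "$uploads" ] && chmod 775 "$uploads"
  after=$(find "$root" -perm -0002 | wc -l | tr -d ' ')
  echo "world-writable entries under $root: $before -> $after"
  [ "$after" -eq 0 ]
}

# 5. Brute-force protection: a minimal fail2ban jail.local for SSH and the web
#    server's HTTP authentication. Five failures within 10 minutes ban the source
#    address for an hour; loopback is never banned. Thresholds are an assumption.
write_fail2ban_jail() {
  cat > "$1" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8
findtime = 600
maxretry = 5
bantime  = 3600

[sshd]
enabled = true

[apache-auth]
enabled = true
EOF
}

# Demo on constructed input (no root needed): a scratch webroot left at 777.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/site/uploads" && echo '<?php phpinfo();' > "$tmp/site/index.php"
  chmod -R 777 "$tmp/site"
  fix_webroot "$tmp/site" "$tmp/site/uploads"
  printf 'Permissive\n' | check_selinux || true
  printf 'cups.service enabled\nsshd.service enabled\nnfs-server.service enabled\n' \
    | check_services "cups.service nfs-server.service" || true
  printf 'php\nphp-cli\nperl\nhttpd\n' | check_interpreters "php php-cli" || true
  write_fail2ban_jail "$tmp/jail.local" && grep -c 'enabled = true' "$tmp/jail.local"
  rm -rf "$tmp"
}

demo
```

The checks deliberately take their input on stdin rather than calling getenforce, systemctl or rpm themselves, so the same functions can be run against output captured from a production host during a review, and so they can be exercised offline as the demo does. Note that fix_webroot strips the execute bit from every file; that is correct for a PHP webroot, but a directory that legitimately holds executable scripts needs them restored afterwards.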