any 100% secure web server?

baskins · Mar 27, 2010

hi,

I'm curious about this.. i'd like to set up a web server.. not doing anything special.. Just people request an image and it sends it. it'll just do that.

But I don't want it broken into! I don't want it to have some buffer overflow problem!

Are there web servers I can install safe in the knowledge that they don't have such a problem?

I don't see why not.. Code doesn't have an infinite number of problems.. surely over time, these things should get ironed out! I don't need a flashy up to date web server with awesome features. An old one will do.. just secure!

xSauronx · Mar 27, 2010

A little extra information may help. Are you looking to serve images often or only from time to time/lightly? Are you doing this as a business for customers, or other businesses or just for you and family and friends?

If you dont have experience setting this kind of thing up, youd probably be better one way or another to pay for a cheap web host, or if its just the random friend and family pics, use picasa or flickr or something similar to handle things.

JackMDS · Mar 27, 2010

No matter what you take a risk, there is No full prove secure.

In addition you can end up in the trouble with your ISP.

And the good news is that you are saving $3 a month. The price of a decnet inexpensive hostig service.

Example, http://www.dixiesys.com/hosting_web.php

baskins · Mar 27, 2010

JackMDS said:
No matter what you take a risk, there is No full prove secure.

In addition you can end up in the trouble with your ISP.

And the good news is that you are saving $3 a month. The price of a decnet inexpensive hostig service.

Example, http://www.dixiesys.com/hosting_web.php

well, I was asking about setting up a web server myself, and it being secure..from buffer overflows.. Maybe it is possible and you don't know?

JackMDS · Mar 27, 2010

baskins said:
well, I was asking about setting up a web server myself, and it being secure..from buffer overflows.. Maybe it is possible and you don't know?

Yap, you are right there is a lot of things that I do not. But I am a superb thinker. :thumbsup:

imagoon · Mar 27, 2010

baskins said:
any 100% secure web server?

No.

baskins · Mar 27, 2010

imagoon said:
No.

Read the whole thing.

A web server that doesn't have have any buffer overflow flaws?

Red Squirrel · Mar 27, 2010

You will want a dedicated server. Shared hosting is the less secure of hosting and it's just the nature of things. With a dedicated server you can secure it quite well depending on your skill. You'll never hit 100% though.

There is a hardware firewall you can get though, that will make it very close to 100% secure. You can even layer them for less chance of data breach.

RadiclDreamer · Mar 27, 2010

Tons of secure websevers....unplugged ones that is

RadiclDreamer · Mar 27, 2010

baskins said:
well, I was asking about setting up a web server myself, and it being secure..from buffer overflows.. Maybe it is possible and you don't know?

There are two types of servers, ones with vulnerabilities and those with vulnerabilities that havent yet been discovered. You are kidding yourself if you think ANY software is 100% secure

baskins · Mar 27, 2010

RedSquirrel said:
You will want a dedicated server. Shared hosting is the less secure of hosting and it's just the nature of things. With a dedicated server you can secure it quite well depending on your skill. You'll never hit 100% though.

There is a hardware firewall you can get though, that will make it very close to 100% secure. You can even layer them for less chance of data breach.

i'm actually only slightly bothered about data being breached.. there won't be anything really important on the web server..

but buffer overflow style attacks , I don't want. 'cos I don't want somebody's arbitrary code to run on it..

what configuration on the firewall would be useful?
suppose I wouldn't want to block any IPs, but I would want to limit access to say, just accessing jpg files. Do you think that is useful to configure a firewall to do that? And can you suggest some good small firewalls I could use? (so I see some options)

imagoon · Mar 27, 2010

baskins said:
Read the whole thing.

A web server that doesn't have have any buffer overflow flaws?

Still: No.

baskins · Mar 27, 2010

imagoon said:
Still: No.

oh really imagoon, you think it's impossible to write a web server without a buffer overflow flaw?

and what is your great technical reasoning behind saying that?

imagoon · Mar 27, 2010

baskins said:
oh really imagoon, you think it's impossible to write a web server without a buffer overflow flaw?

and what is your great technical reasoning behind saying that?

You asked if there was any 100% secure web servers and then specifically asked about no overflows (which is just one small part of 'secure'). However it is impossible to check an infinite amount of variables and data through an infinite number of tests to assure 100% 'no buffer overflows.'

baskins · Mar 27, 2010

imagoon said:
You asked if there was any 100% secure web servers and then specifically asked about no overflows (which is just one small part of 'secure'). However it is impossible to check an infinite amount of variables and data through an infinite number of tests to assure 100% 'no buffer overflows.'

Of course it's impossible to check an infinite amount of variables.

But no software can even have an infinite number of variables.

"Variable (programming), a symbolic name associated with a value and whose associated value may be changed"

Infact, you would find the number of variables a piece of software would have, is substantially less than "infinite".

Red Squirrel · Mar 27, 2010

baskins said:
i'm actually only slightly bothered about data being breached.. there won't be anything really important on the web server..

but buffer overflow style attacks , I don't want. 'cos I don't want somebody's arbitrary code to run on it..

what configuration on the firewall would be useful?
suppose I wouldn't want to block any IPs, but I would want to limit access to say, just accessing jpg files. Do you think that is useful to configure a firewall to do that? And can you suggest some good small firewalls I could use? (so I see some options)

The firewall is the most basic step, block any ports you don't want open, and in cases where only a specific IP needs access to a port, only allow that IP. (ex: a vpn tunnel, or ssh for you to log in)

Buffer overflows are flaws in the software itself (ex: IIS is bad for this, Apache not sure) but as long as you keep up to date with patches and security reports on the software you use, you should be able to plug any holes that pop up.

Also I see what you're saying that there is not an infinite amount of code. That's always been my argument about big companies that constantly have crazy security flaws in their software - with all the resources they have you'd think they would eventually fix all flaws, without introducing new ones. But this is by far from easy though, but still theoretically possible.

Then there's DDoS attacks. Sadly there's not much you can do about those, and they're only illegal against big corporations, which kinda sucks. If an individual gets DDoS, not much you can do but eat it and hope the attacker eventually stops.

baskins · Mar 27, 2010

RedSquirrel said:
That's always been my argument about big companies that constantly have crazy security flaws in their software - with all the resources they have you'd think they would eventually fix all flaws, without introducing new ones. But this is by far from easy though, but still theoretically possible.

Well, big corps, large pieces of software..is something else.. they are running a business and have to churn out lots and lots of code. providing this feature and that feature...

imagoon · Mar 27, 2010

baskins said:
Of course it's impossible to check an infinite amount of variables.

But no software can even have an infinite number of variables.

"Variable (programming), a symbolic name associated with a value and whose associated value may be changed"

Infact, you would find the number of variables a piece of software would have, is substantially less than "infinite".

What gets sent to your program vary so much it could be considered 'infinite'. Overflows are bugs that you didn't plan or test for.

Start talking theoretical, your going to get theoretical answers.

baskins · Mar 28, 2010

imagoon said:
What gets sent to your program vary so much it could be considered 'infinite'. Overflows are bugs that you didn't plan or test for.

Start talking theoretical, your going to get theoretical answers.

If by theoretical answer, you mean like you said earlier, the program with an infinite number of variables. That can't exist in reality.. so no, that is not an answer to anything. And you were trying to say that was the situation with programs..

What you really mean by theoretical, and what anybody would mean, is how things work really. Which you should be dealing with anyway, and it's pathetic that you talk of it like it's just an option. This is a computer forum..You should be technical or to put it a less clear way, theoretical.

You said "infinite amount of variables and data "

What were you doing saying that programs have an infinite amount of variables?

If you want to give technical answers, then well done for making an attempt. But expect technical objections when you're wrong.

I see you've changed your tune a bit.. you're focussing now on the "infinite data", and trying to ignore your remark in the same sentence, about infinite variables.. Still.. it seems to me that data isn't infinite..
you have a number of unicode characters.. neither the number or the range, is infinite.

You say "Overflows are bugs that you didn't plan or test for."

Why don't you tell us about bugs that you do plan?

mloiterman · Mar 28, 2010

Just don't use anything from Microsoft and you'll be fine.

http://httpd.apache.org/
http://www.lighttpd.net/
http://www.acme.com/software/thttpd/
http://www.cherokee-project.com/

Here is a whole page of choices:
http://www.debianhelp.co.uk/apachealternatives.htm

NesuD · Mar 28, 2010

baskins said:
If by theoretical answer, you mean like you said earlier, the program with an infinite number of variables. That can't exist in reality.. so no, that is not an answer to anything. And you were trying to say that was the situation with programs..

What you really mean by theoretical, and what anybody would mean, is how things work really. Which you should be dealing with anyway, and it's pathetic that you talk of it like it's just an option. This is a computer forum..You should be technical or to put it a less clear way, theoretical.

You said "infinite amount of variables and data "

What were you doing saying that programs have an infinite amount of variables?

If you want to give technical answers, then well done for making an attempt. But expect technical objections when you're wrong.

I see you've changed your tune a bit.. you're focussing now on the "infinite data", and trying to ignore your remark in the same sentence, about infinite variables.. Still.. it seems to me that data isn't infinite..
you have a number of unicode characters.. neither the number or the range, is infinite.

You say "Overflows are bugs that you didn't plan or test for."

Why don't you tell us about bugs that you do plan?

Well I understood his meaning right off. Maybe technically infinite wouldn't be correct but the number of variables and combinations of variables is certainly so high that it may as well be an infinite number for all practical purposes. The answer remains the same in either case. There are far to many to test all possibilities. You cannot test for something that you cannot anticipate.

There are no 100% secure webservers. Every webserver has vulnerabilities that will allow among other things for an attacker to execute code. Whatever webserver you decide to use you have to do your due diligence and research the possible vulnerabilities and implement best practices to maintain a reasonable level of security. I have seen some Raps on IIS in this thread that are in reality not fair. IIS at one time was like swiss cheese now not so much and it's known vulnerabilties can be locked down if the administrator does his job correctly. However there is no guarantee. Some bright hacker will always find new exploits, they are impossible to avoid 100%. That is the real world. It is not theoretical it is just the way it really is.

I know only one way to absolutely 100% secure any type of server. That is to totally encase it in concrete and bury it with no connections to it of any kind wired or otherwise. That however would be pointless.

I think you are overly concerned. Take reasonable precautions and the odds of anyone exploiting your server will be pretty low. One other bit of advice. When asking for advice it is best not be a jerk to the people that offer it. If you don't like it you don't have to take it but don't pick a fight over it or pretty soon no one will bother respond.

baskins · Mar 28, 2010

nesuD, the "100% secure" thing, was something in the subject that I can't really change.. I did explain that I want it to not be susceptible to buffer overflows..

And well done nesus for understanding imagoon. It's pretty easy to understand what he's saying. That it's impossible for a program to be free from buffer overflows , because there are an infinite number of variables and an infinite amount of possible data. (or to be generous and ignore his obvious errors... and see some general unbacked up argument, that "a program" just has too many of these things to test). And you've added your own little thing too. That while you're not sure whether a program would have an infinite number of variables.. You think that there are a huge number of "combinations of variables" that it is impossible to test to ensure no buffer overflows. Very good, A star. Creative thinking.

Now, if you read the above, you might realise that you were being silly..

I don't think you have the foggiest idea what a variable is.. imagoon may well have some idea.. But you probably have less. How many variables have you ever defined?

I asked a question in my original post.. which I explained somewhat. And different people gave their responses.. And we can all learn from each other.

But somebody says something silly and keeps defending it, and getting worse, then i'm free to point it out..

Since any person posting a question, can learn, and anybody responding can learn.. we can all learn from each other..

People offer their thoughts.. some good, some bad.. and sometimes those thoughts get criticized..

The thing you wrote about "combinations of variables" , was mumbo jumbo. And indeed, I can assure you that programs can't have an infinite number of variables. Ask any programmer. And yes, I can see the general point you are making but it doesn't mean that you've backed it up properly.. or that you're correct. If you don't like what you say being critiqued, then don't respond.

xSauronx · Mar 28, 2010

baskins said:
If by theoretical answer, you mean like you said earlier, the program with an infinite number of variables. That can't exist in reality.. so no, that is not an answer to anything. And you were trying to say that was the situation with programs..

What you really mean by theoretical, and what anybody would mean, is how things work really. Which you should be dealing with anyway, and it's pathetic that you talk of it like it's just an option. This is a computer forum..You should be technical or to put it a less clear way, theoretical.

You said "infinite amount of variables and data "

What were you doing saying that programs have an infinite amount of variables?

If you want to give technical answers, then well done for making an attempt. But expect technical objections when you're wrong.

I see you've changed your tune a bit.. you're focussing now on the "infinite data", and trying to ignore your remark in the same sentence, about infinite variables.. Still.. it seems to me that data isn't infinite..
you have a number of unicode characters.. neither the number or the range, is infinite.

You say "Overflows are bugs that you didn't plan or test for."

Why don't you tell us about bugs that you do plan?

/facepalm

Your questions have shown that you have little worthwhile knowledge about any of these topics, why do you insist on bickering about these things? If you knew enough to make a valid, worthwhile argument on the topic, you wouldnt be asking most of these questions to begin with.

Some hell of a way to treat people who are trying to answer your questions. Perhaps you should do some research into running a web server, programming a web server, and securing access to a web server before you try to make an argument for why you personally cant understand how one cant be 100% secure.

If it was really as easy as you seem to think it should be, then security wouldnt be such a significant issue to programmers and system administrators.

JackMDS · Mar 28, 2010

OK, this is your new server

http://www.aprelium.com/news/abws26.html

Or this for $3 a month if you prefer online.

http://www.dixiesys.com/hosting_web.php

Fayd · Mar 28, 2010

xSauronx said:
/facepalm

Your questions have shown that you have little worthwhile knowledge about any of these topics, why do you insist on bickering about these things? If you knew enough to make a valid, worthwhile argument on the topic, you wouldnt be asking most of these questions to begin with.

Some hell of a way to treat people who are trying to answer your questions. Perhaps you should do some research into running a web server, programming a web server, and securing access to a web server before you try to make an argument for why you personally cant understand how one cant be 100% secure.

If it was really as easy as you seem to think it should be, then security wouldnt be such a significant issue to programmers and system administrators.

i'm surprised this response took this long to appear.

any 100% secure web server?

Guest

Lifer

Elite Member

Guest

Elite Member

Diamond Member

Guest

No Lifer

Diamond Member

Diamond Member

Guest

Diamond Member

Guest

Diamond Member

Guest

No Lifer

Guest

Diamond Member

Guest

Member

Diamond Member

Guest

Lifer

Elite Member

Diamond Member