1

Suppose my web server is on the public internet.
It's not behind firewall hardware.
It does use HTTPS, and it has its OS firewall software turned on - but this is the only security mechanism in place.

Are there published statistics of such a web server getting hacked?
Feel free to make any assumptions about OS, web server, framework, language, type of site, etc. - I am interested in general statistics and information. (Similar to how an unpatched Windows XP would be attacked within 7 seconds of getting online...)

AviD

2 Answers

3

Realistically speaking at the moment there aren't a lot of public attacks on web servers (e.g. IIS/Apache/NGINX) themselves (assuming that you're using the latest version of course). The web applications running on top of the servers are far more likely to be the point of attack.

As to statistics for that I'm afraid it's massively variable, as the variety of software running on the system is large.

If you're looking for general statistics on web application hacking and security I'd recommend you look at the WhiteHat statistics or the Veracode state of software security reports.

Rory McCune
2

The likelihood of it being hacked is directly proportional to the amount of care and skill you demonstrate in your management of said server. If you turn off unnecessary services, patch regularly, choose strong passwords, run secure web applications and configure them well, the likelihood goes down. The more of these items you neglect, the more the likelihood goes up.

There are many servers in the world that use only software firewalls that don't get hacked. It's up to you to care and feed your server properly to minimize the risk that it doesn't end up in this group.

Xander