Thu 27 Mar 2008
Zone-h published a new statistics report about registered attacks. In 2007, Apache websites were defaced 319,439 times whereas IIS sites (IIS 6.0 + IIS 5.0) were attacked only 137,599 times. Of course, one has to take into account that there are (still) more Apache sites out there. So, I used the latest Netcraft data to calculate what I call the Apache/IIS website security ratio.
According to Netcraft 76,591,442 sites were running on Apache in December 2007 and IIS hosted 55,502,886 which corresponds to a ratio of 1.38. In January 2007 the ratio was 1.95. Despite the fact that IIS is catching up continuously, it also seems that IIS sites are more secure than those running on Apache.
The average Apache/IIS ratio should be about 1.66. I only used January and December to calculate this number because I was too lazy to add all months. But since Apache is continually losing ground against IIS I think that this number should be the mean value for 2007.
So in 2007, there were 1.66 more Apache sites than IIS sites and there were 2.32 times more Apache sites defaced than IIS sites. The Apache/IIS security ratio is just 2.32/1.66=1.40.
This number tells us that the probability of a certain website getting hacked is 1.4 times higher if it is running on Apache. It does not necessarily mean that Apache is more secure than IIS, though. The number one reason why websites get defaced is because of weak passwords. Shares misconfiguration is second.
So one might be tempted to conclude that Apache admins are just sloppier or don’t care that much about security. This might be due to the fact that Apache hosts mostly private sites where IIS is stronger in corporate environments. It could also be that configuring Apache is more complicated, therefore more prone to errors. I personally find password configuration a bit cumbersome with Apache. So my guess is that Apache admins change their passwords less often. Hmm, this reminds me that I didn’t change my Apache passwords for quite a while. 
Leave a Comment | 
Subscribe RSS
| 
Newsletter
|
Loading ...
I agree with you and add another point.
Very few website defacements happen because of the webserver used, much more because of the actual applications used.
Most community and private sites use widely deployed open source software, some of which is very poor when it comes to security (phpbb comes to mind).
In corporate environments, websites are also less likely to use plain off the shelf software, usually with heavy modifications, thus making completely automated exploits as they happened with phpbb completely impossible.
Nevertheless, i’ve seen some very poorly implemented ASP.NET projects but also some very poorly implemented PHP/Apache projects. They just weren’t hacked because nobody cared to.
Nevertheless, IIS6 had a better security track than Apache. Let’s see how IIS7 will fare.
hi,
I can just add the average on a very small base
running both IIS and Apache in a corporate environment for nearly six years now, we got here:
- three servers with apache on debian
- four servers with IIS on NT / windows 2000 server, windows server 2003
three of the four webservers running IIS have been hacked at least once, the three apaches remaining unhacked four over five years now …
very funny: we placed all the IIS-servers behind firewalls (though no application level gateways, I have to admit), whilst two of the apache-boxes are placed direct in the http://www.
and I like to add: running apache on debian is quite straight forward, there is plenty of documentation on the web and a reliable community. running apt-get upgrade once a week, change the passwords now and then (and using really secure passwords!), deny root-access, use tools like chkrootkit, rkhunter - these are our experiences.
Lukas, you’re absolutely right. I didn’t think about this. It is probably not so much of an Apache issue, but more about the whole LAMP platform. I think, these environments suffer from the same problem as Windows on the desktop. Their popularity makes them attractive targets for the bad guys.
Lars, such personal experiences can be deceiving when it comes to security. I don’t remember ever having a virus on my Windows desktop. Yet, I know that Windows is the biggest virus hotbed in the universe.
Interesting. With my experience I would still say that some of this is due to improper patching. I run both, both run fine for me. I have a tendency to shy ware from these simple comparisons. The numbers are too close imo to show one product is better than they other, which frankly you are trying to show. With Microsoft being the top dog shouldn’t this number be higher? You can show people all day that a Acura,BMW,etc is a better car but if I can’t afford it - what’s the point?
James, I am not trying to show that Microsoft has the better product. Actually, I prefer Open Source when it comes to web apps. There are so many great content management systems for LAMP environments. I absolutely agree that comparable systems are often too expensive for the Microsoft platform. My article was just about security. It seems that at least in this field, MS was able to catch up in the last years.