Date: Thu, 12 Jul 2001 12:35:23 +0100
From: Paul Robinson <paul@akita.co.uk>
To: Hug Me <hugme@hugme.org>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: gcc on production server
Message-ID: <20010712123523.G53408@jake.akitanet.co.uk>
In-Reply-To: <20010711123133.A21587@pitr.tuxinternet.com>; from hugme@hugme.org on Wed, Jul 11, 2001 at 12:32:33PM +0000
References: <20010711170336.B84178@krijt.livens.net> <20010711123133.A21587@pitr.tuxinternet.com>
On Jul 11, Hug Me <hugme@hugme.org> wrote:
> The first and best layer of defence for your web server is the network. TURN
> OFF EVERYTHING YOU DON'T USE. don't ever use anything with a password clear
> text.. telnet, ftp, pop mail etc...

I'm sorry, but for a moment then I thought this was freebsd-isp, but if
you're going to take that approach, then you can't be an ISP. Or you must be
one with very few/very savvy customers. It just isn't practical to be a
commercial ISP and not offer vanilla FTP and POP3. The way to ensure
compromising yourself there is to use non-system authentication - e.g.
popper and ftpd auth out of a MySQL database. That way, even if a password
is snarfed, the attacker can't get a shell via ssh or whatever (unless the
same password is being used for a shell account).

Incidentally, part of the company I work for does penetration testing, and
the most common method of gaining access is guessable passwords. If you have
a complicated password and write it on a post-it note stuck to your monitor,
you're actually more secure than using a guessable password that an attacker
can crack from 3,000 miles away.

> second, make sure none of your services run as root... make sure that the web
> server runs as one user and your web pages are owned by another.. your web server
> should not have the rights to write to these pages unless it REALLY needs them.

Again, issues of practicality. What if you really want to get rid of FTP and
so instead offer a file upload page?

> if everything is turned off it should be hard for someone to get a shell. I
> have shell accounts on my system, I have done something similar, I changed
> the permissions on anything on the system that can compile so that only root
> can run it, gcc, c++, cc... etc also everything in the /sbin, /usr/sbin and
> /usr/local/sbin directory. then I have gone through and changed ANYTHING
> a user wouldn't need to run to execute only by root (-r-x------)

Ummmm.... you really don't need to do that. I'm not saying anything. I'm
sure somebody else will. That really is not the point of the unix
permissions system....

> I do regular scans on my system, run tripwire... things like that...

Well done. Have a lollipop. :-)

> if you are REALLY worried about security, get a drive that has a jumper you
> can change to read only, put your operating system on it, move the jumper

Ummmm... that's not clever. That's stupid. So, you're an ISP. If you're
running this system, exactly how do you deliver mail, allow users to change
webpages, etc? Oh yeah, and just out of curiosity, what happens to /var and
/tmp ? As one colleague just replied when I read that paragraph to him
"that's not an OS - it's a coaster". I hope it keeps your coffee warm. I
understand what you're trying to get at, but there is a LOT more to getting
such a system working than you might think.

> oh, I have been working on a simple security help section on my page, it's not
> finished yet, (it should have 6 parts when I am done) but you can check out what
> I have so far at http://www.hugme.org/computer/freebsd

That URL just plain doesn't work for me over here.

-- 
Paul Robinson                     ,---------------------------------------
Technical Director @ Akita        | A computer lets you make more mistakes
PO Box 604, Manchester, M60 3PR   | than any other invention with the
T: +44 (0) 161 228 6388 (F:6389)  | possible exceptions of handguns and
                                  | Tequila - Mitch Ratcliffe
                                  `-----
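The permission point raised above (web server running as one user, pages owned by another, httpd without write rights to them) as an added audit script, written for this archive page and not code from either poster. The document root, web user and web group are assumptions passed in as arguments, and the sample tree it builds is constructed so that it runs stand-alone.

```sh
#!/bin/sh
# audit_web_writable.sh: list everything under a document root that the web
# server account could modify. Hypothetical helper; DOCROOT, WEBUSER and
# WEBGROUP are assumptions supplied by the caller (e.g. /usr/local/www www www).

# Usage: audit_web_writable DOCROOT WEBUSER WEBGROUP
# Prints one path per line for every file or directory that is
#   - owned by WEBUSER and owner-writable (mode bit 0200), or
#   - in group WEBGROUP and group-writable (mode bit 0020), or
#   - world-writable (mode bit 0002),
# i.e. anything a compromised httpd process could rewrite. Ideally only an
# explicit upload area shows up here; index pages and CGIs should not.
audit_web_writable() {
    docroot=$1; webuser=$2; webgroup=$3
    find "$docroot" \( -user "$webuser" -perm -200 \) \
        -o \( -group "$webgroup" -perm -020 \) \
        -o -perm -002 2>/dev/null | sort
}

# Build a constructed sample tree so the script can be run without a real
# server. Files are created as the current user, who stands in for the web
# account here (we cannot chown without root), and the "safe" page is made
# read-only so only the upload area should be flagged.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/uploads"
    printf 'hello\n' > "$d/htdocs/index.html"
    chmod 444 "$d/htdocs/index.html"            # read-only page: OK
    printf 'x\n' > "$d/htdocs/uploads/photo.jpg"
    chmod 644 "$d/htdocs/uploads/photo.jpg"     # owner-writable: flagged
    chmod 1777 "$d/htdocs/uploads"              # world-writable dir: flagged
    chmod 555 "$d/htdocs"                       # docroot itself not writable
    printf '%s\n' "$d"
}

# Stand-alone demo on the constructed tree, current user standing in for www.
sample=$(make_sample_docroot)
audit_web_writable "$sample/htdocs" "$(id -un)" "$(id -gn)"
rm -rf "$sample"
```

On a real host, run it against the live document root with the account and group httpd actually runs as, and compare the output against the list of paths you intend to be writable.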