Re: Phishing - Linux boxes are vulnerable
On Thu, 4 Oct 2007, Ben Mohilef wrote:

> After setting up a secure Apache (irrespective of the distribution) a lot of
> admins go get a "php-this" or "php-that" web program from a repository.
> Unfortunately, they don't ask the question of how this thing will be
> automagically updated each time a vulnerability is fixed, so the program
> never gets updated.

So so so correct...some basic policies would be to...

1. always run vhosts with their own user and the apache group, and set up vhost dir
permissions accordingly
2. always use suexec
3. if possible run php as a CGI
4. lock down php for example:
- open_basedir = /var/www:/var/tmp:/tmp:/usr/local/lib/php
- disable_functions = exec, shell_exec, system, virtual, show_source,
  readfile, passthru, escapeshellcmd, popen, pclose, phpinfo
- disable safe_mode

4a. (if they say their scripts need access to bin, like for uptime etc, tell
'em to get a better script)
4b. (make absolutely NO exemptions to the lockdowns)

5. never install special programs on vhost sites that need root in any way,
shape or form

6. use a respected server OS, one that doesn't hack the f#ck out of
programs like RH (CentOS) does

6a. use modern, current packages of apache2, php5, MySQL, Sendmail etc
from the respective sites, and not RPMs, because they're too
"vendor altered", which is where 90% of the security issues come into
it.

7. ban use of any but the most current version of phpnuke (ban it totally if you
can) and those frickin image gallery programs.

8. use a decent detection system

9. use something like MailScanner with spamassassin and a good anti-virus
on your mail server to minimise the exploit opening in the first place

10. follow the same rules as you would on winblow$: no running stuff when you don't
know what it is, no clicking on links in msgs when you don't know the sender; it's all basic sense :)

--

Cheers
Res

Slackware -V- sloooUbuntoooou
http://lxer.com/module/newswire/view/93393/

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
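A check for the php lockdowns in item 4 above, added here as an example and not part of the post: it reads php.ini text and reports which of the settings the post lists are missing. Both inline ini samples are constructed for the demonstration.

```python
"""Audit a php.ini for the lockdowns listed in item 4 of the post."""

# Functions the post says to put in disable_functions.
REQUIRED_DISABLED = {
    "exec", "shell_exec", "system", "virtual", "show_source",
    "readfile", "passthru", "escapeshellcmd", "popen", "pclose", "phpinfo",
}


def parse_ini(text):
    """Minimal php.ini reader: ';' starts a comment, last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text):
    """Return a list of findings; an empty list means the post's lockdowns are in place."""
    ini = parse_ini(text)
    findings = []
    if not ini.get("open_basedir"):
        findings.append("open_basedir is not set: scripts can read any path the web user can")
    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if ini.get("safe_mode", "off").lower() in ("on", "1", "true"):
        findings.append("safe_mode is on; the post says to disable it")
    return findings


# Constructed sample: a php.ini with nothing locked down.
WEAK_INI = """
; constructed sample, not a real server's config
safe_mode = On
open_basedir =
disable_functions =
"""

# Constructed sample that follows the post's item 4.
LOCKED_INI = """
safe_mode = Off
open_basedir = /var/www:/var/tmp:/tmp:/usr/local/lib/php
disable_functions = exec, shell_exec, system, virtual, show_source, readfile, passthru, escapeshellcmd, popen, pclose, phpinfo
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("locked", LOCKED_INI)):
        print(name, audit(ini) or ["OK"])
```

Run it against a real php.ini with `audit(open("/etc/php.ini").read())`; anything it prints is a setting the post's policy would reject.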
