topic Re: Another Linux question in Operating System - Linux

Another Linux question

Ragni Singh — Wed, 18 Jan 2006 14:25:09 GMT

Thanks for the time and points will be assigned.

Make security recommendation based on the following assumption. .... Combined web server and database server running Perl scripts in a production environment.

Re: Another Linux question

Ivan Ferreira — Wed, 18 Jan 2006 15:06:17 GMT

I think that first of all, you should separate your web server from the database server, specially if will be accessed from the Internet.

Then, ensure that you are always up to date with web/perl software. Suscribe to security news.

Use a strong firewall configuration. Ensure that the permissions for the files and folders are exactly what needed to run the application.

Disable root access, enable SSH only and use AllowGroups ssh option to allow access to a limited number of persons.

Do not install additional software if won't be used, like compilers, debuggers, samba, and other unused services.

Configure tripwire. Enable logwatch and webalyzer.

Re: Another Linux question

Steven E. Protter — Wed, 18 Jan 2006 16:50:44 GMT

Shalom Sanjit,

Get Bastille, and run it on your server to lock down security. It requires perl and does a lot of the work for you.

Don't use telnet or ftp. Use ssh/secure shell.

You want a strong firewall between you and the public Internet.

SEP

Re: Another Linux question

Stuart Browne — Wed, 18 Jan 2006 17:37:06 GMT

Basic rule of thumb:

Block Everything.

Then only let what you want in.

That being said, if you're not going to be 100% in control of the content, make sure that everything is in jails.

Run Apache in a CHRoot jail to ensure that it can't be bad if it gets eploited.

If you're running CGI's, make sure you're using something like 'cgiwrapd' to run the CGI's as the owning users instead of root/apache.

If you're running PHP, make sure it's running in safe mode (safe_mode = yes).

Depending on what you're using the database server for (i.e. if it's only going to do web server data), make sure it only listens to the loop-back address, or via a Unix socket.

some thoughts.. ;)

Re: Another Linux question

Al_56 — Thu, 19 Jan 2006 00:18:00 GMT

All of the above answers are great.

l would add SELinux for absolute best practices.

Re: Another Linux question

dirk dierickx — Thu, 19 Jan 2006 03:09:34 GMT

don't forget to run perl in 'tainted' mode.

Re: Another Linux question

Andrew Bruce — Thu, 19 Jan 2006 05:17:17 GMT

When configuring your firewall, don't do what many people do and simply block inbound ports. Also block any *outbound* ports that you don't really need.

If an attaker manages to access your system, a common progression for the cracker is to set up a call back system so that your server calls the cracker back providing a shell.

If you block all unnecessary outbound ports, it makes it much harder for the cracker to do this.

It doesn't prevent attacks, but it helps to minimise the vulnerabilities (talking from bitter experience!).

Just my $0.02.

Regards,

Andy Bruce

Re: Another Linux question

Bill Thorsteinson — Thu, 19 Jan 2006 17:48:53 GMT

Make sure the content is not writeable by
the user id apache is running as.
This is particularly important for the
perl code.

As noted use taint mode for all perl.

If the database is on the same server as
the web server, use sockets rather than IP
to connect if possible.

Don't allow user input into dynamically
generated SQL. Use bind parameters and
bind the user input to the query.
This should prevent SQL injection.