Re: Another Linux question

Ragni Singh
Super Advisor

Another Linux question

Thanks for the time and points will be assigned.

Make security recommendation based on the following assumption. .... Combined web server and database server running Perl scripts in a production environment.
7 REPLIES
Ivan Ferreira
Honored Contributor
Solution

Re: Another Linux question

I think that first of all, you should separate your web server from the database server, especially if it will be accessed from the Internet.

Then, ensure that you are always up to date with web/perl software. Subscribe to security news.

Use a strong firewall configuration. Ensure that the permissions for the files and folders are exactly what needed to run the application.

Disable root access, enable SSH only and use AllowGroups ssh option to allow access to a limited number of persons.

Do not install additional software if it won't be used, like compilers, debuggers, samba, and other unused services.

Configure Tripwire. Enable logwatch and Webalizer.
Why do it the hard way, when you can do it the easy way?
Steven E. Protter
Exalted Contributor

Re: Another Linux question

Shalom Sanjit,

Get Bastille, and run it on your server to lock down security. It requires perl and does a lot of the work for you.

Don't use telnet or ftp. Use ssh/secure shell.

You want a strong firewall between you and the public Internet.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: Another Linux question

Basic rule of thumb:

Block Everything.

Then only let what you want in.

That being said, if you're not going to be 100% in control of the content, make sure that everything is in jails.

Run Apache in a chroot jail to ensure that it can't be bad if it gets exploited.

If you're running CGI's, make sure you're using something like 'cgiwrapd' to run the CGI's as the owning users instead of root/apache.

If you're running PHP, make sure it's running in safe mode (safe_mode = yes).

Depending on what you're using the database server for (i.e. if it's only going to do web server data), make sure it only listens to the loop-back address, or via a Unix socket.

some thoughts.. ;)
One long-haired git at your service...
Al_56
Regular Advisor

Re: Another Linux question

All of the above answers are great.

I would add SELinux for absolute best practices.
dirk dierickx
Honored Contributor

Re: Another Linux question

don't forget to run perl in 'tainted' mode.
Andrew Bruce
Valued Contributor

Re: Another Linux question

When configuring your firewall, don't do what many people do and simply block inbound ports. Also block any *outbound* ports that you don't really need.

If an attacker manages to access your system, a common progression for the cracker is to set up a call back system so that your server calls the cracker back providing a shell.

If you block all unnecessary outbound ports, it makes it much harder for the cracker to do this.

It doesn't prevent attacks, but it helps to minimise the vulnerabilities (talking from bitter experience!).

Just my $0.02.

Regards,

Andy Bruce
I Love it when a plan comes together!
Bill Thorsteinson
Honored Contributor

Re: Another Linux question

Make sure the content is not writeable by the user id apache is running as. This is particularly important for the perl code.

As noted use taint mode for all perl.

If the database is on the same server as the web server, use sockets rather than IP to connect if possible.

Don't allow user input into dynamically generated SQL. Use bind parameters and bind the user input to the query. This should prevent SQL injection.
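The taint-mode, bind-parameter and local-socket advice from the replies above, put together as one Perl CGI lookup script. This is an added example, not code from the thread; the database name, table and column names, socket path, read-only account and its password are assumptions or placeholders, and the script assumes DBI with DBD::mysql and CGI.pm are installed.

```perl
#!/usr/bin/perl -T
# Added example: a CGI-style lookup written the way the replies suggest.
# Runs under taint mode (-T), untaints the one field it needs with an explicit
# regex, and hands user input to the database only through a bind parameter.
use strict;
use warnings;
use CGI;
use DBI;

# Assumed: MySQL on the same host, reached over its Unix socket rather than TCP.
# Database name, socket path and credentials are placeholders.
my $dsn = 'DBI:mysql:database=webapp;mysql_socket=/var/run/mysqld/mysqld.sock';

# Untaint: accept only what a valid username may look like. Under -T, anything
# derived from the request stays tainted until it passes through a regex
# capture like this one; unexpected input is rejected, not "cleaned".
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return;
}

# The SQL text never contains the input. The driver sends the value bound to
# the "?" placeholder separately, so quotes in the input cannot alter the query.
sub fetch_user_email {
    my ($dbh, $username) = @_;
    my $sth = $dbh->prepare('SELECT email FROM users WHERE username = ?');
    $sth->execute($username);
    my ($email) = $sth->fetchrow_array;
    return $email;
}

my $q    = CGI->new;
my $name = untaint_username($q->param('user'));
unless (defined $name) {
    print "Status: 400 Bad Request\nContent-Type: text/plain\n\nbad username\n";
    exit 0;
}

# Taint => 1 makes DBI die if a still-tainted value ever reaches a query.
# The account is assumed to have SELECT only on the tables the script needs.
my $dbh = DBI->connect($dsn, 'webapp_ro', 'PLACEHOLDER_PASSWORD',
    { RaiseError => 1, PrintError => 0, Taint => 1 })
    or die "connect failed: $DBI::errstr";

my $email = fetch_user_email($dbh, $name);
print "Content-Type: text/plain\n\n", (defined $email ? $email : 'not found'), "\n";
$dbh->disconnect;
```

With -T on the shebang line, Perl also refuses to run if the script file or its directory is writeable by others, which enforces the "content not writeable by the apache user" point from the same reply.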