* Ray Dillinger wrote on Wed, Sep 26, 2001 at 18:50 -0700:
> I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.

Hope you have good daily backups of the cvs repository :)

> I've gone through the system and shut down all network services I'm not using

1st step succeeded, fine.

> I'm using an apache server which I've been through extensive configuration on -- removing most of the modules because I wasn't using them.

Well, there might be hidden buffer overflows inside or other risks. Do you have clients from outside connecting to that server? Then I would recommend using some ISP server as a copy, and configuring apache to accept nobody at all from outside.

> Finally, the 'su' binary is moved to sbin, and not available to any user except root.

Try "/sbin/su" as a user; it should work if you haven't changed the permissions. Fix it via "chmod 0500 /sbin/su".

> I keep copies of my websites offline, on floppy disks.

You trust floppy disks?! Hope you have heaps of them...

> Ditto my inetd.conf, httpd.conf, and a few other configuration files. and, finally, my source code -- so if the machine ever gets subverted, I can restore them easily.

If you are really paranoid, imagine what would happen when an attacker integrates a backdoor into a very stable module. You wouldn't notice it, since the module source wasn't modified by you for ages. Well, after a time, all your backups contain that backdoor...

> Now, here is my question: Do I get material additional security from my firewall, or does over-the-top paranoia on the other aspects of the config obviate the need for it?

Well, it's a kind of over-the-top security. If the tcp wrapper has a bug that can be used by an attacker to connect even if not allowed, or apache has some bug, i.e. in the ip deny code or whatever, who knows, an attacker could use it to get in. Well, but if you have a strict firewall, an attacker couldn't even send a single packet to that service, which is more secure of course. And if somebody from outside hasn't anything to send to you, then you can block all that "non-existent" traffic :)

oki, Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
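The two concrete pieces of advice in this reply (lock down the moved su binary, and put a default-deny packet filter in front of the daemons you keep) can be turned into a small checking script. The following is an added example written for this page, not code from Steffen or Ray: it assumes a Linux box with netfilter's iptables (the thread never names the firewall in use), a loopback interface called lo, and a sample service list of ports 22 and 80. The su check works on an octal mode string so it can be run against any path; the firewall function only prints the ruleset, so you can read it before applying it as root.

```shell
#!/bin/sh
# Added example, not part of the original thread.
#
# 1. is_su_locked_down MODE
#    MODE is an octal permission mode as printed by "stat -c %a FILE"
#    (e.g. 4755 or 0500). Returns 0 if no group/other bits and no
#    setuid/setgid bit are set, i.e. only root can run the binary,
#    which is what "chmod 0500 /sbin/su" produces. Returns 1 otherwise.
is_su_locked_down() {
    mode=$1
    # Pad to four octal digits so "500" is treated as "0500".
    while [ ${#mode} -lt 4 ]; do
        mode="0$mode"
    done
    special=$(printf '%s' "$mode" | cut -c1)   # setuid=4 setgid=2 sticky=1
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    # Any setuid or setgid bit means a non-root caller gains privilege.
    case "$special" in
        2|3|4|5|6|7) return 1 ;;
    esac
    if [ "$group" = 0 ] && [ "$other" = 0 ]; then
        return 0
    fi
    return 1
}

# 2. gen_input_rules PORT...
#    Print (do not apply) an iptables ruleset for the INPUT chain:
#    default policy DROP, loopback and reply traffic allowed, then only
#    the listed TCP ports. Anything else is dropped in the kernel before
#    tcp wrappers or apache ever see a packet, which is the extra layer
#    the reply above argues for. Interface name "lo" is an assumption.
gen_input_rules() {
    echo 'iptables -F INPUT'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_input_rules: bad port '$port'" >&2; return 1 ;;
        esac
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what falls through so you can watch probes hit the default policy.
    echo 'iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "'
    return 0
}

# Stand-alone run: check the moved su binary and show the ruleset for
# the sample services (sshd on 22, apache on 80; both are assumptions).
if [ "${1:-}" = "--demo" ]; then
    mode=$(stat -c %a /sbin/su 2>/dev/null || echo 4755)
    if is_su_locked_down "$mode"; then
        echo "/sbin/su mode $mode: only root can run it"
    else
        echo "/sbin/su mode $mode: still usable by non-root, run chmod 0500 /sbin/su"
    fi
    gen_input_rules 22 80
fi
```

Run it with `sh script.sh --demo` to see both checks; pipe the printed ruleset into `sh` as root only after you have confirmed that the port list matches what `netstat -tln` still shows listening, otherwise the first rule that loads locks you out of your own sshd.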