On Thu, 27 Sep 2001, Boris Lorenz wrote:
Hi,
On 27-Sep-01 Ray Dillinger wrote:
I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
Is this a public web server?
Remember, no trusted machines defined. It regards the whole world as public, and it has its own IP address. Yes.
Finally, the 'su' binary is moved to sbin, and not available to any user except root.
Uhm... That one seems to be a "zip'ped unzip" ;)
I know, but I was worried about the possibility of subvertible- but-unknown-to-me shell-scripts using it.
You did the Right Thing by switching off all these unused services. Unfortunately you didn't state wether this machine is the "outpost" of a LAN connected to the internet or an internal web server with some developement tools
My network does not distinguish internal from external. The DSL bridge is connected directly to an ethernet switch, the ethernet switch is connected directly to all of the machines on my network. Each machine is a separate security configuration issue. Each machine regards its ethernet port as a connection to the whole wide world, and protects itself just as vigorously from its sisters as from strangers. I consider it mistaken to have lax security on a machine because it's "internal" -- that sets up a situation where one subverted machine destroys the security of the whole network. That may be tolerable if you're responsible for a hundred machines and you can't possibly keep idiots off of them, but when you have just six machines and nobody who isn't you ever has the console, it's just lazy. This one box I'm worried about in particular because of the presence of gcc, etc. And firewall config on it is really irritating because of the particular nature of the software I'm developing -- it tends to have fights with the firewall because it has to connect to other machines on pseudo-randomly determined ports.
on it, or just your client PC connected via ISDN/cable/modem. If it is a publicly accessible server I would definitely firewall it, no matter how many backups I'd have to reconstruct the system. There are many ways to "own" (crack) an improperly secured web server,
Agreed. I guess I want to know about properly securing a webserver and where I can read about properly securing webservers. I have done all I know to do to secure it, but what might I have missed? Bear