Re: Phishing - Linux boxes are vulnerable

On Fri, 5 Oct 2007, Res wrote:

On Thu, 4 Oct 2007, Ben Mohilef wrote:

After setting up a secure Apache (irrespective of the distribution) a lot of
admins go get a "php-this" or "php-that" web program from a repository.
Unfortunately, they don't ask the question of how this thing will be
automagically updated each time a vulnerability is fixed, so the program
never gets updated.

So so so correct... Some basic policies would be to:

1. always run hosts with their own user and the apache group; set up vhost dir
  permissions accordingly for this
2. always use suexec
3. if possible, run PHP as a CGI
4. lock down PHP, for example:
- open_basedir =/var/www:/var/tmp:/tmp:/usr/local/lib/php
- disable_functions = exec, shell_exec, system, virtual, show_source,
 readfile, passthru, escapeshellcmd, popen, pclose, phpinfo
- disable safe_mode

4a. (if they say their scripts need access to bin, e.g. for uptime etc., tell
   'em to get a better script)
4b. (make absolutely NO exemptions to the lockdowns)

5. never install for vhost sites special programs that need root in any way,
  shape or form

6. use a respected server OS, one that doesn't hack the f#ck out of
 programs like RH (CentOS) do

6a. use modern, current packages of apache2, php5, MySQL, Sendmail etc.
   from the respective sites, and not RPMs, because they're too
   "vendor altered", which is where 90% of the security issues come into
   it.

7. ban use of any but the most current version of phpnuke (ban it totally if you
  can) and those frickin' image gallery programs.

8. use a decent detection system

9. use something like MailScanner with spamassassin and a good anti-virus
  on your mail server to minimise the exploit opening in the first place

10. follow the same rules as you would on winblow$: no running stuff you don't
know what it is, no clicking on links in messages from senders you don't know; it's all basic sense :)


and ...
11. if you are vhosting for some friends' home pages that are plain basic, they do not need PHP, so in the vhost block for them you would
also be best to set:

php_value engine off


--

Cheers
Res

Slackware -V- sloooUbuntoooou
http://lxer.com/module/newswire/view/93393/
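The per-vhost setup from items 1 to 4 and 11 above, as an added example that is not code from the post or from Fedora: a POSIX shell script that lays out one PHP vhost (own unix user, suexec, PHP as CGI through a wrapper, and a root-owned php.ini carrying the open_basedir and disable_functions lines quoted above) or a PHP-free static vhost, plus a small audit of an existing php.ini against item 4, for when a package update has replaced it. Paths follow Fedora's httpd layout (/var/www, /etc/httpd/conf.d, /usr/bin/php-cgi); the /etc/httpd/php-ini directory, the function names and the hostnames are my own assumptions. Two caveats the script encodes: suexec only executes a CGI that is owned by the SuexecUserGroup user, sits under its compiled-in docroot and has a uid at or above its UID_MIN (500 on Fedora; `suexec -V` prints both), and the php_value/php_admin_flag directives only exist when mod_php is loaded, so with PHP as CGI the static vhost simply gets no PHP handler and the engine-off flag is wrapped in an IfModule.

```shell
#!/bin/sh
# mkvhost.sh: lay out one PHP vhost as the post describes (own user, suexec,
# PHP as CGI, locked-down php.ini) or a PHP-free static vhost.
# Added example, not code from the post or from Fedora. Assumed paths:
# /var/www, /etc/httpd/conf.d, /usr/bin/php-cgi and my own /etc/httpd/php-ini.
#
#   mkvhost.sh php    <servername> <unix-user> [install-prefix]
#   mkvhost.sh static <servername> [install-prefix]
#
# With an install prefix every file is written under it and useradd/chown are
# skipped, so the generated layout can be reviewed (or tested) unprivileged.

# 4. The lockdown lives in a root-owned ini that the vhost user cannot edit.
write_php_ini() {            # $1 = ini path, $2 = servername
    cat >"$1" <<EOF
; loaded by the suexec wrapper of $2 via php-cgi -c
engine = On
safe_mode = Off
open_basedir = /var/www/$2:/var/tmp:/tmp:/usr/local/lib/php
disable_functions = exec,shell_exec,system,virtual,show_source,readfile,passthru,escapeshellcmd,popen,pclose,phpinfo
EOF
    chmod 0644 "$1"
}

mkvhost() {                  # $1 = servername, $2 = unix user, $3 = prefix
    name=$1 user=$2 prefix=${3:-}
    home="$prefix/var/www/$name"
    mkdir -p "$home/html" "$home/cgi-bin" "$prefix/etc/httpd/conf.d" "$prefix/etc/httpd/php-ini"
    write_php_ini "$prefix/etc/httpd/php-ini/$name.ini" "$name"

    # 2+3. suexec runs this wrapper as $user; it execs php-cgi with the locked
    # ini. suexec refuses it unless it sits under the docroot (/var/www), is
    # owned by $user and is neither group- nor world-writable.
    printf '#!/bin/sh\nexec /usr/bin/php-cgi -c /etc/httpd/php-ini/%s.ini\n' "$name" \
        >"$home/cgi-bin/php-cgi"
    chmod 0755 "$home/cgi-bin/php-cgi"

    cat >"$prefix/etc/httpd/conf.d/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot /var/www/$name/html
    # 1+2. every CGI (so every PHP request) of this vhost runs as its own user
    SuexecUserGroup $user apache
    ScriptAlias /cgi-bin/ /var/www/$name/cgi-bin/
    # 3. .php files are routed through the suexec'd php-cgi wrapper
    Action php-cgi /cgi-bin/php-cgi
    AddHandler php-cgi .php
    <Directory /var/www/$name/html>
        Options -Indexes -ExecCGI
        AllowOverride None
    </Directory>
</VirtualHost>
EOF

    # 1. own unix user; its uid must be at or above suexec's UID_MIN (500 on
    # Fedora, see suexec -V), so it must not be a system account (no -r).
    if [ -z "$prefix" ]; then
        id "$user" >/dev/null 2>&1 || useradd -M -d "$home" -s /sbin/nologin "$user"
        chown -R "$user:apache" "$home"
    fi
    # group apache may read and traverse; only the vhost user may write
    chmod 0750 "$home" "$home/html" "$home/cgi-bin"
}

# 11. plain static site: no PHP handler at all. The IfModule covers a server
# that also loads mod_php; php_admin_flag, unlike php_value, cannot be
# overridden from .htaccess.
mkstatic() {                 # $1 = servername, $2 = prefix
    name=$1 prefix=${2:-}
    mkdir -p "$prefix/var/www/$name/html" "$prefix/etc/httpd/conf.d"
    cat >"$prefix/etc/httpd/conf.d/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot /var/www/$name/html
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</VirtualHost>
EOF
}

# Check an existing php.ini against item 4. Returns 0 only when every listed
# function is in disable_functions and open_basedir is set to something.
audit_php_ini() {            # $1 = ini path
    ini=$1
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tail -1 | tr -d ' ')
    for f in exec shell_exec system virtual show_source readfile passthru escapeshellcmd popen pclose phpinfo; do
        case ",$disabled," in
            *",$f,"*) ;;
            *) echo "audit: $f not disabled in $ini" >&2; return 1 ;;
        esac
    done
    grep -q '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini" \
        || { echo "audit: open_basedir unset in $ini" >&2; return 1; }
}

case ${1:-} in
    php)    mkvhost "$2" "$3" "${4:-}" ;;
    static) mkstatic "$2" "${3:-}" ;;
esac
```

Run as root with no prefix for a real install (`mkvhost.sh php www.example.com example`), then `apachectl configtest` and a reload; with a prefix it writes the same files under a scratch directory for review. The ini keeps the post's own settings, including safe_mode = Off; `audit_php_ini /etc/php.ini` is the check to rerun after every php package update.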

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list