Re: Phishing - Linux boxes are vulnerable

On Thu, 2007-10-04 at 15:29 -0700, alan wrote:
> On Thu, 4 Oct 2007, Ben Mohilef wrote:
> 
---snip---
> > If the cracked script runs with sufficient authority to add a web page, the
> > phisher's job becomes trivial. The solution is for maintainers to make sure
> > that they can notify their customers each time a security fix is made. This
> > can be done in the script or by mandatory registration before a download.
> > Yum repositories and the equivalent for other distros should be helpful in
> > solving this problem.
> 
> This becomes even worse when you consider hosting sites.  The last one I 
> dealt with had everyone on virtual servers that had no capacity to update 
> the packages installed.  (Yum was not installed. No patches had been 
> applied. You could actually break the system because they had plesk 
> installed and packages would conflict.  A real mess.)
> 
> People think that just because someone set it up for them, it is secure. 
> Rarely is that the case.
> 
> People are trying to do complex things on the cheap.  You are not seeing 
> it done under Windows because doing anything useful is either not cheap or 
> not easy.
> 
> Under Linux they can do what they want, but they are too cheap to hire 
> someone who has clues and can do it securely.

That is a very valid issue. It takes a fair amount of time to design a 
hardened web server. If I remember correctly, the last time we 
developed a web server architecture for customers, it took us quite 
a while to determine all the tricks required to lock web accounts into 
their own storage space including locking down PHP and Perl so that they
could not 'sneak' out. Of course when a web server is locked down 
tightly, you will run into problems with some PHP and Perl scripts that 
break because they are written poorly or contain malicious code, so you 
will need to inspect many scripts before making them executable.


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list