Date: Thu, 12 Jul 2001 18:12:57 -0400 From: Robert Hough <rch@acidpit.org> To: freebsd-isp@FreeBSD.ORG Subject: Re: gcc on production server Message-ID: <20010712181257.A71299@acidpit.org> In-Reply-To: <20010712123523.G53408@jake.akitanet.co.uk>; from paul@akita.co.uk on Thu, Jul 12, 2001 at 12:35:23 %2B0100 References: <20010711170336.B84178@krijt.livens.net> <20010711123133.A21587@pitr.tuxinternet.com> <20010712123523.G53408@jake.akitanet.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Jul 12, 2001, Paul Robinson wrote: > > The first and best layer of defence for your web server is the network. TURN > > OFF EVERYTHING YOU DON'T USE. don't ever use anything with a password clear > > text.. telnet, ftp,pop mail etc... > > I'm sorry, but for a moment then I thought this was freebsd-isp, but if > you're going to take that approach, then you can't be an ISP. Since when does a web server need popper, ftp, or telnet enabled? I'm just going by the paragraph above, as I don't have the original here. However, I'm pretty sure he said the best defense for a web server. > > /usr/local/sbin directory. then I have gone through and changed ANYTHING > > a user wouldn't need to run to execute only by root (-r-x------) > > Ummmm.... you really don't need to do that. I'm not saying anything. I'm > sure somebody else will. That really is not the point of the unix > permissions system.... I would have to agree, and it sounds to me like he is running as root 90% of the time he is on the system. Shame on him! > > I do regular scans on my system, run tripwire... things like that... > > Well done. Have a lollipop. :-) Hmm, what good is a tripwire scan going to do you, if the cracker has "fixed" the database? Take that lollipop away! The "read-only" drive solution works well for this actually. > > if you are REALLY worried about security, get a drive that has a jumper you > > can change to read only, put your operating system on it, move the jumper > > Ummmm... that's not clever. That's stupid. So, you're an ISP. If you're > running this system, exactly how do you deliver mail, allow users to change > webpages, etc? Oh yeah, and just out or curiosity, what happens to /var and > /tmp ? As one colleague just replied when I read that paragraph to him > "that's not an OS - it's a coaster". I hope it keeps your coffee warm. Hmm, maybe you can explain to me why /, /usr, and /usr/local need to be writtable on a production machine? I can't think of any real reason's myself. We actually use this setup here, and it works quite well. YMMV. > I understand what you're trying to get at, but there is a LOT more to > getting such a system working than you might think. Not really, just takes a little thought is all. It *is* however, a pain in the ass to take an existing system and move it to this type of setup though. -- Robert Hough (rch@acidpit.org) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010712181257.A71299>