Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328
E-Commerce Solution Security
Hi all, I'm currently about to start my MSc dissertation and have chosen to discuss how to secure a publicly available E-Commerce Solution that consists of: -
Slack 8.1
Apache 2.0
MySQL
PHP 4
At present I have the following books: -
Linux Security --- Craig Hunt Library
Maximum Linux Security 2nd Edition
Apache Definitive Guide 3rd edition
and will soon have: -
Linux Apache Web Server Administration (Craig Hunt Linux Library)
Hacking Exposed Linux
Hacking Exposed Web Applications (Hacking Exposed)
Hacking Exposed: Network Security Secrets and Solutions, 4th edition
A Complete Hacker's Handbook: Everything You Need to Know About Hacking in the Age of the Web
I feel relatively comfortable dealing with permissions and chown, chgrp and the hex values for user, group and others. I have also managed to use OpenSSL to create a public/private key pair (using tldp docs).
However, I would like some advice on automated tools available for testing security. Obviously I'm aware of John the Ripper and other password cracking tools; however, I was wondering if anyone can recommend a simple, easy-to-use test suite that can check that security holes have been closed, etc.
Basically looking for something that will tell me "Oi, you are still vulnerable to DoS attacks" or "you really shouldn't allow unrestricted telnet access into your MySQL database".
Also, if anybody could point me towards a good E-Commerce oriented security document on the web, that would be much appreciated.
Well, from the above list I cannot see anything that is totally insecure. You should not limit the security stuff to the distro, daemons you're running. For instance, you can configure your sendmail/postfix/qmail to be an open relay, and you can configure it pretty well to not do that nasty thing.
Regarding MySQL: I suggest you run it chrooted. If you can manage to run your Apache chrooted, that would also be good. You have to find a solution for a sendmail-compatible mail in the chroot though, since PHP requires that.
Also check unspawn's excellent security FAQ at the head of this forum!
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328
Original Poster
Hmm, I was thinking of dropping sendmail completely, as I'm not going to set up an e-mail server at all.
But from what you're saying you need it for PHP, is that correct? If so, I've just run tara and sara on my system and identified that sendmail has about 5 vulnerabilities, so I should just install a newer copy then?
The only other vulnerabilities found were related to some accounts having console access etc. and an OpenSSL bug that allows buffer overflows.
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Mandrake 8.2
Posts: 328
Original Poster
Okay, set up a jail under /var/webroot,
added the progs required,
added a user called chroot to the jail and it functions okay.
Having installed Apache 2.0 with SSL support (working) and PHP support (as a module, also working) but no CGI, I have tried copying the Apache2 directory to the jailed area.
I have edited apachectl in /usr/sbin to point to the jailed Apache but I now get this error. Can somebody help, please?
bash-2.05a# apachectl startssl
/var/webroot/usr/local/apache2/bin/httpd: error while loading shared libraries: libaprutil-0.so.0: cannot open shared object file: No such file or directory
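The loader error above means a library httpd needs cannot be found where it is being run. One way to check a jail for this before starting the daemon, as an added example that is not part of the original thread: the function names and the sample ldd output are constructed for illustration, and only /var/webroot and the httpd path come from the post.

```shell
#!/bin/sh
# Added example: list libraries a binary needs that are absent from a chroot jail.
# It reads ldd-style output on stdin, so it can be fed "ldd <binary>" from the host.

# jail_missing_libs JAIL_ROOT
# Prints one line per problem:
#   MISSING <path>     library resolves on the host but is not under JAIL_ROOT
#   UNRESOLVED <name>  the loader could not find the library at all
jail_missing_libs() {
    jail=${1%/}
    while read -r name arrow path rest; do
        case "$name" in
            linux-vdso*|linux-gate*) continue ;;   # kernel-provided, no file on disk
        esac
        if [ "$arrow" = "=>" ]; then
            if [ "$path" = "not" ]; then           # "libfoo.so => not found"
                echo "UNRESOLVED $name"
                continue
            fi
            lib=$path
        else
            lib=$name                              # "/lib/ld-linux.so.2 (0x...)"
        fi
        case "$lib" in
            /*) [ -e "$jail$lib" ] || echo "MISSING $lib" ;;
        esac
    done
}

# Constructed sample of ldd output for a jailed httpd (not captured from the thread).
sample_ldd() {
    cat <<'EOF'
    libaprutil-0.so.0 => /usr/local/apache2/lib/libaprutil-0.so.0 (0x40017000)
    libapr-0.so.0 => /usr/local/apache2/lib/libapr-0.so.0 (0x4002b000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)
    libexpat.so.0 => not found
    /lib/ld-linux.so.2 (0x40000000)
EOF
}

# Demo on the constructed sample; real use with the paths from the thread:
#   ldd /var/webroot/usr/local/apache2/bin/httpd | jail_missing_libs /var/webroot
sample_ldd | jail_missing_libs "${1:-/var/webroot}"
```

Every MISSING path has to be copied to the same location under the jail root; an UNRESOLVED name has to be located on the host first, since the loader could not find it there either.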