LinuxQuestions.org
Old 06-28-2003, 04:11 PM   #1
dai
Member
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328
E-Commerce Solution Security

Hi all, I'm currently about to start my MSc dissertation and have chosen to discuss how to secure a publicly available E-Commerce Solution that consists of: -

Slack 8.1
Apache 2.0
MySQL
PHP 4

At present I have the following books: -

Linux Security --- Craig Hunt Library

Maximum Linux Security 2nd Edition

Apache Definitive Guide 3rd edition

and will soon have: -

Linux Apache Web Server Administration (Craig Hunt Linux Library)

Hacking Exposed Linux

Hacking Exposed Web Applications (Hacking Exposed)

Hacking Exposed: Network Security Secrets and Solutions, 4th edition

A Complete Hacker's Handbook: Everything You Need to Know About Hacking in the Age of the Web

I feel relatively comfortable with dealing with permissions and chown, chgrp and the hex values for user,group and others, I also have managed to use OpenSSL to create a public/private Key pair (using tldp docs).

However, I would like some advice on some automated tools available for testing security. Obviously I'm aware of John the Ripper and other password cracking tools; however, I was wondering if anyone can recommend a simple, easy-to-use test suite that can check security holes have been closed etc.

Basically I'm looking for something that will tell me "Oi, you are still vulnerable to DoS attacks" or "you really shouldn't allow unrestricted telnet access into your MySQL database".

Also, if anybody could point me towards a good E-Commerce oriented security document on the web, that would be much appreciated.
 
Old 06-29-2003, 06:58 AM   #2
markus1982
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467
Well, from the above list I cannot see something that is totally insecure. You should not limit the security stuff to the distro and the daemons you're running. For instance, you can configure your sendmail/postfix/qmail to be an open relay, and you can configure it pretty well not to do that nasty thing.

Regarding MySQL: I suggest you run it chrooted. If you can manage to run your Apache chrooted, that would also be good. You have to find a solution for a sendmail-compatible mail in the chroot though, since PHP requires that.

Also check unspawn's excellent security FAQ at the head of this forum!
 
Old 06-29-2003, 10:47 AM   #3
dai
Original Poster
Hmm, I was thinking of dropping sendmail completely, as I'm not going to set up an e-mail server at all.

But from what you're saying you need it for PHP, is that correct? If so, I've just run TARA and SARA on my system and identified that sendmail has about 5 vulnerabilities, so I should just install a newer copy then???

The only other vulnerabilities found were related to some accounts having console access etc. and an OpenSSL bug that allows buffer overflows.
 
Old 06-29-2003, 01:28 PM   #4
dai
Original Poster
Okay, set up a jail under /var/webroot

added the progs required

added a user called chroot to the jail and it functions okay

Having installed Apache 2.0 with SSL support (working) and PHP support (as a module, also working) but no CGI, I have tried copying the Apache2 directory to the jailed area.

I have edited apachectl in /usr/sbin to point to the jailed Apache, but I now get this error; can somebody help please?

bash-2.05a# apachectl startssl
/var/webroot/usr/local/apache2/bin/httpd: error while loading shared libraries: libaprutil-0.so.0: cannot open shared object file: No such file or directory
 
Old 06-29-2003, 04:05 PM   #5
dai
Original Poster
Okay, I've re-compiled an SSL/PHP-aware Apache 2.0 setup in the actual jailed path /var/wwwroot

The user for Apache is webuser and the group is webgroup; do I need to add these to the chrooted environment?

If so, will that mean the program is jailed?

Also I have MySQL installed under /usr/local/bin/

Will Apache/PHP be able to see the database?
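The "cannot open shared object file" error in post #4 and the webuser/webgroup question in post #5 have the same root cause: a chroot only sees what was copied into it, so the daemon binary, every shared library ldd reports for it, and the passwd/group entries it resolves at start-up all have to exist under the jail. The script below is an added example written for this thread, not something posted by dai or taken from Apache; it assumes a GNU/Linux host with ldd and getent, and the jail path, the httpd location and the webuser/webgroup names in the comments are taken from the posts above.

```shell
#!/bin/sh
# Added example: populate a chroot jail with a binary, the shared libraries
# the dynamic loader needs for it, and minimal passwd/group entries.
# Assumes ldd and getent on the host; paths in comments are illustrative.

# Print every shared object ldd reports for BIN, one absolute path per line.
# Handles both "libfoo.so => /path (0x..)" lines and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x..)"; "linux-vdso" has no path and is skipped.
ldd_paths() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\// { print $1 }
    ' | sort -u
}

# Copy BIN into JAIL at the same relative path, then copy each library it
# needs to the same relative path. Copying only the httpd tree and not its
# libraries is what produces "libaprutil-0.so.0: cannot open shared object file".
jail_copy_bin() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd_paths "$bin" | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"      # cp follows symlinks, so the real file lands in the jail
    done
}

# Print the libraries BIN needs that are still absent inside JAIL.
# Empty output means the loader will find everything once chrooted.
jail_missing_libs() {
    jail=$1; bin=$2
    ldd_paths "$bin" | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Copy just one user and one group entry from the host into the jail's own
# /etc/passwd and /etc/group, so a daemon dropping to that account can resolve
# the names after chroot without the host's full account database being visible.
jail_add_account() {
    jail=$1; user=$2; group=$3
    mkdir -p "$jail/etc"
    getent passwd "$user"  >> "$jail/etc/passwd"
    getent group  "$group" >> "$jail/etc/group"
}

# Usage for the setup described in the thread (run as root, paths from the posts):
#   jail_copy_bin    /var/webroot /usr/local/apache2/bin/httpd
#   jail_missing_libs /var/webroot /usr/local/apache2/bin/httpd   # should print nothing
#   jail_add_account /var/webroot webuser webgroup
```

Run jail_missing_libs before starting the daemon: any path it prints is a library the host resolves but the jail cannot, which is exactly the condition behind the error shown in post #4. Note that a PHP module loaded by httpd pulls in its own libraries; checking the httpd binary alone is not enough, so run the check against each .so the server loads as well.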
 
Old 07-01-2003, 02:57 PM   #6
stickman
Senior Member
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552
You might want to look at OWASP.
 
Old 07-01-2003, 04:53 PM   #7
dai
Original Poster
Cheers, just d/led their security recommendation doc to take a look at.