LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Old 08-22-2006, 09:09 AM   #1
hagen00
LQ Newbie
 
Registered: May 2005
Distribution: Debian Sarge, Ubuntu Dapper
Posts: 14

Rep: Reputation: 0
Hosting websites - security and code auditing


Hi there

I was wondering.

People that host websites surely do not audit all the code that they host. But what if they host some poorly written websites that leave backdoors open? How do they ensure that the whole server isn't compromised because of one poorly written website?

If a cracker gains access through one website, what's stopping them from compromising the whole computer?

Thanks for any insight.

H
 
Old 08-22-2006, 11:53 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,558
Blog Entries: 54

Rep: Reputation: 2927
Quote:
I was wondering.

]# pkill -9 -f "cat.*curiosity" ;-p

Quote:
People that host websites surely do not audit all the code that they host.

Since even the maintainers of PHP or PHP-based apps don't (in full), we can't expect hosters to either. Hosters usually don't have the right toolkit or programming knowledge or sense of security or time (==money). Hell, some don't even read READMEs.

Quote:
But what if they host some poorly written websites that leave backdoors open? How do they ensure that the whole server isn't compromised because of one poorly written website?

0. packet-scrubbing network device that is capable of detecting anomalies and scans (Snort, Prelude, HW),
1. reverse proxy scrubbing requests (Apache),
2. sensor (or mod_security) or iptables ruleset tripping over repeated bad requests,
3. real-time integrity checking (Samhain),
4. real-time log alerting,

Quote:
If a cracker gains access through one website, what's stopping them from compromising the whole computer?

5. virtualisation (Xen, Qemu, UML and the Other One),
6. running services as lesser-privileged users,
7. chrooting running services,
8. strict role separation (SELinux, GRSecurity's RBAC, RSBAC),
9. keeping a small footprint and keeping up to date with security fixes,
10. properly configuring about everything,
11. proper access restrictions,
12. running a minimal Apache, Hardened-PHP, secured MySQL,
??. sure I forgot something, you name it:

Last edited by unSpawn; 08-22-2006 at 11:54 AM. Reason: signal.h
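Items 2 and 4 of the list above (a ruleset tripping over repeated bad requests, and real-time log alerting) are easy to picture in code. The following is an added example, not code from unSpawn's post or from any of the tools he names: it parses Apache "combined" access-log lines and reports a client address once it has collected a threshold number of 4xx/5xx responses inside a sliding time window, then renders the iptables rule an alerter could hand to the firewall. The log lines, client addresses (RFC 5737 documentation ranges), threshold and window are all constructed sample values; the function and variable names are this example's own.

```python
"""Tripwire for repeated bad HTTP requests in an Apache access log.

Added illustration, not code from the thread. Parses Apache "combined"
LogFormat lines and flags a client address when it accumulates `threshold`
4xx/5xx responses within a sliding window of `window_seconds`.
All sample data below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of Apache's "combined" format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log, in chronological order (the detector assumes this,
# as a tail -f style feed would provide).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Aug/2006:09:09:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Aug/2006:09:09:01 +0000] "GET /one.php HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [22/Aug/2006:09:09:05 +0000] "GET /two.php HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.10 - - [22/Aug/2006:09:09:08 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Aug/2006:09:09:09 +0000] "GET /three.php HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [22/Aug/2006:09:09:13 +0000] "GET /four.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [22/Aug/2006:09:09:17 +0000] "GET /five.php HTTP/1.1" 404 209 "-" "-"',
    # Five bad responses from one host, but spread over eight minutes:
    # below the rate the 60-second window is meant to catch.
    '198.51.100.9 - - [22/Aug/2006:09:10:00 +0000] "GET /a HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [22/Aug/2006:09:12:00 +0000] "GET /b HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [22/Aug/2006:09:14:00 +0000] "GET /c HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [22/Aug/2006:09:16:00 +0000] "GET /d HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [22/Aug/2006:09:18:00 +0000] "GET /e HTTP/1.1" 404 209 "-" "-"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return (host, timestamp, request, status), or None for a non-matching line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("request"), int(m.group("status"))


def find_offenders(lines, threshold=5, window_seconds=60):
    """Sliding-window count of 4xx/5xx responses per client address.

    Returns {host: timestamp_of_first_alert}; each host is reported once, at the
    moment its `threshold`-th bad response lands inside the window.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> timestamps of its recent bad responses
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip it rather than crash the monitor
        host, ts, _request, status = parsed
        if status < 400:
            continue  # only error responses count towards the tripwire
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # evict entries that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


def iptables_drop_rule(host):
    """Render (not execute) the firewall rule an alerter could apply for `host`."""
    return f"iptables -I INPUT -s {host} -p tcp --dport 80 -j DROP"


if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ALERT {host}: {iptables_drop_rule(host)}")
```

With the defaults only 203.0.113.7 trips the wire, at the fifth error in sixteen seconds; 198.51.100.9 produces the same number of errors but never five inside one minute, which is the point of counting over a window rather than in total. A real deployment would read from the live log rather than a list, and would expire the block after a while rather than leave the DROP rule in place for good.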
 
Old 08-22-2006, 12:26 PM   #3
hagen00
LQ Newbie
 
Registered: May 2005
Distribution: Debian Sarge, Ubuntu Dapper
Posts: 14

Original Poster
Rep: Reputation: 0
Cool, thanks.
All times are GMT -5.