LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-01-2012, 09:26 AM   #16
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

Rep: Reputation: 1108

On shared-hosting systems, don't overlook the possibility of another user of that same system! Many shared-hosts make it very easy for group ftpuser to access pretty-much everything anywhere. That means that another user can probably browse all of your source code at their leisure. This can be plenty enough to give them access to your databases ... carte blanche access if you were lazy in setting up your permissions.

Hosting companies also try to make things "easy ... too easy" by offering "convenient" hosting systems like Plesk ... which by definition make it possible for web-users (it's supposed to just be "you") to do highly privileged things. They also set up convoluted and non-standard, but very well-known(!), directory structures, use powerful kernel-modules, and so on. These are the subject of intense attack, and when vulnerabilities are found they can be mass-exploited in seconds. A "root kit" is installed and you're none the wiser.

You need to use dedicated servers ... virtual is presumably okay-enough ... and you need to set up minimal configurations of these ... using only what you must have and no more. In fact, I always subscribe to two or more of them. One very-minimal server only runs the HTTP server, and it uses (secured...!) TCP/IP communications to its brethren which, through an interface known variously as PSGI, or Web Server Gateway Interface, or Rack, etc., communicates the actual request to a different computer which has the actual capability to run it.

On these servers, you should use only the web-server extension modules, only the software plugins of any sort, that you actually need. To paraphrase the investment advice given by Peter Lynch: "Know what you run, and know why you run it."

It is most important to consider that (it is my opinion that ...) most server penetration attacks are nothing more or less than "crimes of opportunity." You left the front-door unlocked, and I felt like being an a*shole with your system and, indiscriminately, hundreds more just like yours. The attacker doesn't know you and doesn't care about you. (He's just an a*shole.) A "determined, knowledgeable, deliberate and cunning" attacker is a very different kettle-of-fish, but also much less common.
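The shared-hosting point above (another member of a common group such as ftpuser being able to read your source tree, and with it any database credentials sitting in config files) can be checked from the account itself. The script below is an added example, not sundialsvcs's code: it lists files under a web root that are readable by group or others, narrows that to files that look like they hold credentials (the `pass(word)=` pattern is a hypothetical heuristic, not a standard), and shows the corresponding tightening. The demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Audit a web root for files other users on a shared host could read.
# On hosts where every customer sits in one group (e.g. ftpuser),
# group- or world-readable files expose source and embedded DB secrets.

# audit_exposed_files WEBROOT
# Prints every regular file whose mode grants read to group or other.
audit_exposed_files() {
    find "$1" -type f \( -perm -g=r -o -perm -o=r \) -print | sort
}

# audit_exposed_secrets WEBROOT
# Keeps only exposed files containing a credential-like assignment.
# The pattern is a hypothetical heuristic: password/passwd followed by = or :.
audit_exposed_secrets() {
    audit_exposed_files "$1" | while IFS= read -r f; do
        if grep -Eiq '(db_)?pass(word|wd)?[[:space:]]*[=:]' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# harden_webroot WEBROOT
# Mitigation: strip group/other access from everything under the web root.
# (Only the owner, and the web server if it runs as the owner, can then read it.)
harden_webroot() {
    chmod -R go-rwx "$1"
}

# make_demo_root
# Builds a constructed sample tree in a temp dir and prints its path.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/app/config"
    printf '<?php $db_password = "example";\n' > "$root/app/config/db.php"
    printf 'DB_PASSWORD=example\n' > "$root/app/config/.env"
    printf '<?php echo "hello";\n' > "$root/app/index.php"
    chmod 0644 "$root/app/config/db.php" "$root/app/index.php"  # typical upload
    chmod 0600 "$root/app/config/.env"                           # already private
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/webroot
if [ -n "${1:-}" ]; then
    audit_exposed_secrets "$1"
fi
```

Run against the demo tree, only `app/config/db.php` is reported: `.env` is already 0600 and `index.php` is readable but holds no credential-like line.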