Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I installed OpenSSL in which it corrected a few errors when testing the software. A quick background on the application. OpenSSL is an optional install. At the command line the application has the ability to open a browser up to allow user to use the browser instead of command line. The application can serve user logins.
Anyways, my question is with OpenSSL installed even without the intention to use it, is the machine vulnerable to any future issues or do I have to actually configure and enable it?
[root@math1 sage-6.4.1]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Jan 20 17:30:05 UTC 2015
platform: linux-x86_64
As with all crypto resources, you do need to take the time to learn about OpenSSL and how to properly configure and use it. It's present on nearly all machines. No, its presence does not per se represent a vulnerability.
Contrast this, for example, with the SSH daemon, sshd, which might be running on a machine that you never actually intend to secure-login to from the outside. If you never intend to do that, that daemon should never be running, and if it is running, it must be properly configured and secured. SSL is a library, not a daemon.
Last edited by sundialsvcs; 02-06-2015 at 07:48 AM.
As with all crypto resources, you do need to take the time to learn about OpenSSL and how to properly configure and use it. It's present on nearly all machines. No, its presence does not per se represent a vulnerability.
Contrast this, for example, with the SSH daemon, sshd, which might be running on a machine that you never actually intend to secure-login to from the outside. If you never intend to do that, that daemon should never be running, and if it is running, it must be properly configured and secured. SSL is a library, not a daemon.
Got it. Thanks for the clarification. I installed it cause the dam test runs kept on failing. Users who are accessing the Linux machine are going through VNC over SSH. The browser option provides GUI interface (can be opened http or https) but the web service itself is not accessible from any other machine
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
