LinuxQuestions.org


dai 06-28-2003 04:11 PM

E-Commerce Solution Security
 
Hi all, I'm currently about to start my MSc dissertation and have chosen to discuss how to secure a publicly available E-Commerce Solution that consists of:

Slack 8.1
Apache 2.0
MySQL
PHP 4

At present I have the following books:

Linux Security --- Craig Hunt Library

Maximum Linux Security 2nd Edition

Apache Definitive Guide 3rd edition

and will soon have:

Linux Apache Web Server Administration (Craig Hunt Linux Library)

Hacking Exposed Linux

Hacking Exposed Web Applications (Hacking Exposed)

Hacking Exposed: Network Security Secrets and Solutions, 4th edition

A Complete Hacker's Handbook: Everything You Need to Know About Hacking in the Age of the Web

I feel relatively comfortable with dealing with permissions and chown, chgrp and the hex values for user, group and others. I also have managed to use OpenSSL to create a public/private key pair (using tldp docs).

However, I would like some advice on some automated tools available for testing security. Obviously I'm aware of John the Ripper and other password cracking tools; however, I was wondering if anyone can recommend a simple, easy-to-use test suite that can check that security holes have been closed, etc.

Basically I'm looking for something that will tell me "Oi, you are still vulnerable to DoS attacks" or "you really shouldn't allow unrestricted telnet access into your MySQL database".

Also, if anybody could point me towards a good E-Commerce oriented security document on the web, that would be much appreciated.

markus1982 06-29-2003 06:58 AM

Well, from the above list I can not see something that is totally insecure. You should not limit the security stuff to the distro and daemons you're running. For instance, you can configure your sendmail/postfix/qmail to be an open relay, and you can configure it pretty well to not do that nasty thing.

Regarding MySQL: I suggest you run it chrooted. If you can manage to run your Apache chrooted, that would also be good. You have to find a solution for a sendmail-compatible mail in the chroot though, since PHP requires that.

Also check unspawn's excellent security faq at the head of this forum!

dai 06-29-2003 10:47 AM

Hmm, I was thinking of dropping sendmail completely, as I'm not going to set up an e-mail server at all.

But from what you're saying you need it for PHP, is that correct? If so, I've just run tara and sara on my system and identified that sendmail has about 5 vulnerabilities, so I should just install a newer copy then???

The only other vulnerabilities found were related to some accounts having console access etc. and an OpenSSL bug that allows buffer overflows.

dai 06-29-2003 01:28 PM

Okay, set up a jail under /var/webroot

added the progs required

added a user called chroot to the jail, and it functions okay

Having installed Apache 2.0 with SSL support (working) and PHP support (as a module also working) but no cgi, I have tried copying the Apache2 directory to the jailed area.

I have edited apachectl in /usr/sbin to point to the jailed Apache, but I now get this error. Can somebody help please?????

bash-2.05a# apachectl startssl
/var/webroot/usr/local/apache2/bin/httpd: error while loading shared libraries: libaprutil-0.so.0: cannot open shared object file: No such file or directory

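The error in the post above is the classic symptom of a chroot that holds the httpd binary but not the shared libraries it was linked against: the dynamic loader inside the jail cannot find libaprutil-0.so.0 (or ld.so itself). The following helper is an added example written for this thread, not code from the original posts; it assumes a POSIX shell and a working ldd on the host, and it lists which libraries of a binary are still missing from a jail and copies them in, preserving their original paths.

```shell
#!/bin/sh
# Shared-library dependencies a binary needs, as absolute host paths.
# ldd prints lines like "libaprutil-0.so.0 => /usr/local/apache2/lib/libaprutil-0.so.0 (0x...)"
# or "/lib/ld-linux.so.2 (0x...)"; the loader itself has no "=>" part.
# A statically linked binary yields nothing, which is the correct answer.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Print every library (and the binary itself) that is absent from the jail.
# An empty result means the jail can run the binary, which is the check
# that would have flagged libaprutil-0.so.0 before starting httpd.
missing_in_jail() {
    jail="$1"; bin="$2"
    [ -f "$jail$bin" ] || echo "$bin"
    needed_libs "$bin" | while read -r lib; do
        [ -f "$jail$lib" ] || echo "$lib"
    done
}

# Copy the binary plus its dependencies into the jail under the same paths.
# cp dereferences symlinks, so libfoo.so.0 -> libfoo.so.0.9 lands as a real
# file named libfoo.so.0, which is what the loader looks up.
populate_jail() {
    jail="$1"; bin="$2"
    [ -d "$jail" ] || { echo "jail $jail does not exist" >&2; return 1; }
    [ -f "$bin" ]  || { echo "binary $bin not found" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    needed_libs "$bin" | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Example: missing_in_jail /var/webroot /usr/local/apache2/bin/httpd
```

Run missing_in_jail against the jailed httpd path before each start; a non-empty list names exactly the files the "cannot open shared object file" error would complain about.
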
dai 06-29-2003 04:05 PM

Okay, I've re-compiled an ssl/php aware Apache 2.0 setup in the actual jailed path /var/wwwroot

The user for Apache is webuser and the group is webgroup. Do I need to add these to the chrooted environment?????

If so will that mean the program is jailed???

Also I have MySQL installed under /usr/local/bin/

Will Apache/PHP be able to see the database??????

stickman 07-01-2003 02:57 PM

You might want to look at OWASP.

dai 07-01-2003 04:53 PM

Cheers, just d/led their security recommendation doc to take a look at.