Re: Am I compromised
On Sat, Dec 03, 2005 at 08:17:33PM +0530, Ritesh Raj Sarraf wrote:
> For now I've disabled php/perl on the server and it's working fine.
>
> I have one question which I think people here can give better ideas on:
> The server is a webserver running multiple Virtual Hosts. I can't/shouldn't
> restrict my users (Virtual Host owners) from uploading any script/program
> to their webroot directory. Now if one of my users is using a vulnerable
> script, say awstats, it affects the whole server.
>
You can and should restrict your customers in the best interests of
your OTHER customers and your own welfare. Put in a clause in your
terms and conditions which provides that any gross security holes
may be patched in the interests of securing the service for all.
Put in a clause that unsafe scripts may be audited and refused in
the wider interests of the server provider. Put in a clause that
running a pornography server or something that is morally inappropriate
will not be tolerated. Put in a clause that people using your service
actively to originate spam WILL be shut down, any amounts owing will be
actively pursued and all records will be willingly forwarded to local
and international law enforcement as appropriate :) It may also be worth
providing, in a prominent place, that services may be monitored by system
administrators and authorised personnel at any point as necessary
and that communications will be regulated by local and international
laws such that you will co-operate with law enforcement officials where
this is appropriate.
> What is the best practice to handle such situations?
>
It may be worth providing safe/secure alternatives to unsafe software
and to provide some security advice to indicate _why_ scripts are unsafe
if not audited. Charge a small fee for auditing scripts and a larger
fee for modifying them to be script safe??
I got bitten by this sort of thing running a small internet cafe for
a voluntary organisation some years ago. Lack of employee background
checking meant that we inadvertently employed a sex offender in the cafe
- the police were not amused and obliged us to dismiss him. Downloads of
pornography and other inappropriate material in the cafe by a customer
resulted in complaints from staff and other customers - the local police
internet fraud/crime officer advised that the material which had been
downloaded was not necessarily obscene and, more importantly, was not
paedophile material. His suggestion was to draw up
terms and conditions - much as above - to cover use of the internet by
paying customers and to draw them to people's attention.
The monitoring and supervision aspect is particularly important to include
IMHO as is an assertion that you are not a common carrier prepared to provide
a service with no questions asked but are undertaking some basic
filtering/monitoring. This is not advocating restriction or censorship
for the sake of it but is acting responsibly. Legitimate customers won't
care and may even be flattered that you are attempting to take care of
their interests in behaving responsibly: illegitimate customers who
"just want a hosting service" to host problem services will beat a
hasty retreat from your door.
All the above IMHO and YMMV,
Andy
> Regards,
>
> rrs
> - --
> Ritesh Raj Sarraf
> RESEARCHUT -- http://www.researchut.com
> Gnupg Key ID: 04F130BC
> "Stealing logic from one person is plagiarism, stealing from many is
> research."
> "Necessity is the mother of invention."
> --
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org