
Re: Advice Needed On Recent Rootings



On Sun, May 25, 2003 at 08:44:29PM +0100, David Ramsden wrote:
> I've found that when running a system where the users can put up their
> web pages.. most insecure.
> It's virtually impossible to know what each user is running under their
> web space.. An exploitable version of PHPNuke for example, leading to
> the web server privs. and from there, who knows.
We do have ~/public_html set up under Apache, but two of the servers do
nothing but Firewall, Mail, and Non-User webservice (standard
ultra-small business, all-eggs-in-one-basket setup, we advise against it
but provide it if asked).

> So if you can't think of any service that may have been exploited due to
> being up to date with security.debian.org maybe think about what users
> are running under their webspace.
Acknowledged, though.

> That's a bit of a stab in the dark but something I feel admins.
> overlook (note to self: look at running Apache in chroot jail :-p).
> So maybe they gained access to a system via something like the above,
> then found out a common username/password (root, for example) and are
> able to login to the other machines via SSH - No need to exploit.
Thankfully, we don't have root passwords.  In our space, we find root to
be more of a concept than a user, so we disable the password and set up a
group that can su to root.  That way we have a good handle on things.
Root never logs in, so we know something's up if we see that.  Also, if
it is hacked from a su-able user, we get a log of that too.  I highly
recommend this setup (although it wasn't enough in our case :).

> Some things to think about possibly.
> Good luck!
Thanks.

Jayson
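
The check described in the message above (root never logs in directly, and every su to root leaves a log entry naming the user) can be run over the auth log. The following is an added example, not part of the original message: the log lines are constructed in the style of a Debian auth.log, and the group members and the names `SU_GROUP` and `audit` are assumptions.

```python
import re

# Assumed members of the group allowed to su to root (hypothetical names).
SU_GROUP = {"alice", "jayson"}

# Constructed sample lines in the style of /var/log/auth.log.
SAMPLE_LOG = """\
May 25 20:01:12 fw1 sshd[812]: Accepted password for alice from 192.0.2.10 port 40122 ssh2
May 25 20:02:40 fw1 su[840]: (pam_unix) session opened for user root by alice(uid=1000)
May 25 21:15:03 fw1 sshd[901]: Accepted password for root from 192.0.2.77 port 51515 ssh2
May 25 21:20:31 fw1 su[915]: (pam_unix) session opened for user root by www-data(uid=33)
May 25 21:22:09 fw1 sshd[930]: Failed password for root from 192.0.2.77 port 51520 ssh2
"""

# A successful sshd authentication as root: should never happen in this setup.
ROOT_SSH = re.compile(r"sshd\[\d+\]: Accepted (\S+) for root from (\S+)")
# A pam_unix session opened for root via su; tolerates older and newer prefixes.
SU_ROOT = re.compile(
    r"\bsu(?:\[\d+\])?: .*session opened for user root(?:\(uid=\d+\))?"
    r" by (\S*?)\(uid=(\d+)\)")

def audit(lines, su_group=SU_GROUP):
    """Return (kind, who, line) for each root-related event worth reviewing."""
    findings = []
    for line in lines:
        m = ROOT_SSH.search(line)
        if m:
            # Direct root login: report the source address.
            findings.append(("direct-root-login", m.group(2), line))
            continue
        m = SU_ROOT.search(line)
        if m:
            # Fall back to the uid when the log entry carries no user name.
            user = m.group(1) or "uid=" + m.group(2)
            kind = "su-by-group-member" if user in su_group else "su-by-outsider"
            findings.append((kind, user, line))
    return findings

if __name__ == "__main__":
    for kind, who, line in audit(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {who:15} {line}")
```

Failed root attempts are deliberately not reported here, since with the root password disabled they cannot succeed; the two high-signal events are an accepted root login and a root session opened by an account outside the group.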


