On Sun, May 25, 2003 at 08:44:29PM +0100, David Ramsden wrote: > I've found that when running a system were the users can put up their > web pages.. most insecure. > It's virtually impossible to know what each user is running under their > web space.. An exploitable version of PHPNuke for example, leading to > the web server privs. and from there, who knows. We do have ~/public_html set up under Apache, but two of the server do nothing but Firewall, Mail, and Non-User webservice (standard ultra-small business, all-eggs-in-one-basket setup, we advise against it but provide it if asked).
> So if you can't think of any service that may have been exploited due to > being up to date with security.debian.org maybe think about what users > are running under their webspace. Acknowledged, though. > That's a bit of a stab in the dark but something I feel admins. > overlook (ntoe to self: look at running Apache in chroot jail :-p). > So maybe they gained access to a system via something like the above, > then found out a common username/password (root, for example) and is > able to login to the other machines via SSH - No need to exploit. Thankfully, we don't have root passwords. In our space, we find root to more of a concept than a user, so we disable the password and set up a group that can su to root. That way we have a good handle on things. Root never logs in, so we know somethings up if we see that. Also, if it is hacked from a su-able user, we get a log of that too. I highly recommend this set up (although it wasn't enough in our case :). > Some things to think about possibly. > Good luck! Thanks. Jayson
