On 14/03/14 15:51, shawn wilson wrote:
> On Mar 14, 2014 12:13 AM, "Brad Alexander" <stor...@gmail.com> wrote:
>>
>>>> Due to this experience I would like to know what the best way to
>>>> limit such problems is, especially when hosting web servers for users
>>>> who may or may not have installed insecure applications on the web server.
>>
Web server and system security is a big subject. Regardless of the use case, a systematic approach is the best, easiest, and only practically implementable approach, starting with the Debian security guide. I've included a link at the bottom of this post.

>> <snipped>

As for passwords, the OP has stated that the server was cracked, not the user's application (though that is likely to have happened). That's consistent with a web shell attack. It's an injection-type attack that runs OS commands [*1]. The web shell is able to execute a command or commands either as:

- a result of insecure application or system (PHP) settings allowing an uploaded script to be executed directly (file upload);
- unsanitized data: executed PHP code appended to a link or to a file upload URI.

None of those methods is dependent on password access. The attack can gain elevated permission due to insecure file permissions or poor passwords. Password insecurity is not the means of ingress (it is important though, but don't rely on it).

Password security for the server (as distinct from user web applications) *should* be part of any webserver security. Debian provides dsniff and John the Ripper, which are used in industry best-practice password auditing. By default Debian implements md5 and shadow, which are the 'basis' of best-practice password security (auditing and other practices add to those things).

<snipped>

As Brad has pointed out, in business we employ specialized personnel to deal with security (or aspects of it). Please note my point about security requiring a systemic approach. Paint-by-numbers and/or ad hoc "security" is not security.
Kind regards

Useful references:
- https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
- http://httpd.apache.org/docs/current/misc/security_tips.html
- https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
- https://phpbestpractices.org/
- http://www.developphp.com/view.php?tid=772
- http://demongin.org/blog/829/

Archive: https://lists.debian.org/5322be29.7010...@gmail.com
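A hardened PHP upload handler for the file-upload web-shell vector the post describes, as an added example that is not code from the post, from Debian or from any of the linked references; the form field name, the UPLOAD_DIR path and the allow-list are assumptions:

```php
<?php
// Added example (not from the original post): a hardened upload handler for
// the "file upload" web-shell vector described above. Assumptions: the form
// field is named "upload" and UPLOAD_DIR lies outside the web root, so nothing
// stored there can ever be requested (and executed) by URL.

const UPLOAD_DIR = '/var/lib/app/uploads'; // assumed path, not under DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;
// Allow-list: extension => MIME type libmagic must report for the file's bytes.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

// The insecure pattern this replaces trusts the client's filename and writes it
// under DocumentRoot, so an uploaded .php file is served and executed directly.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . ($file['error'] ?? 'none'));
    }
    // Only accept files PHP itself received in this POST request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension must be on the allow-list; the client name is used for nothing else.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the real content type, not the Content-Type header the browser sent.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Server-chosen random name: no traversal, no double extensions, no .php.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // plain data file, never executable
    return $dest;
}

// Usage in the POST handler; downloads go through a script that calls readfile()
// on the stored path, never through a direct URL into UPLOAD_DIR.
// $stored = storeUpload($_FILES['upload']);
```

Pair this with an Apache configuration that grants no `ExecCGI` or PHP handler for any directory users can write to, so the application settings and the file system enforce the same rule.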