bits & bytes - Ping! Zine Web Tech Magazine
bits & bytes - Ping! Zine Web Tech Magazine
bits & bytes - Ping! Zine Web Tech Magazine
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
[featured article]<br />
the specific task that must be performed.<br />
A server that was compromised will always<br />
be suspect. I always recommend reinstalling any<br />
system where administrator (or root) level access is<br />
compromised, because even if you cleaned up the<br />
apparent damage from the compromise, missing<br />
even one file can quickly land you right back in<br />
the same (leaky!) boat. This includes procedures<br />
when restoring backups; you should never assume<br />
that your previous backup is free of traces of the<br />
compromise. You should ensure that configuration<br />
files don’t contain instructions to allow access<br />
to an outside party. Also, system binaries should<br />
never be restored from backup – the restore should<br />
be limited to user data and system configuration<br />
only. User data should also be reviewed as it is<br />
restored, while all passwords should be changed,<br />
following a compromise. Even if your intruder is<br />
only able to obtain user access to your machine,<br />
that still allows them to get their “foot in the door,”<br />
and may provide further potential exposure to<br />
exploitation.<br />
Another pitfall that is still far too common is the<br />
use of shared accounts (like nobody or apache) to<br />
execute web scripts. Not only does this potentially<br />
allow for the defacement or removal of user data<br />
accessible by the shared account, but it also makes<br />
tracking down the point of entry more difficult in<br />
the event a compromise does occur. <strong>Web</strong> scripts<br />
should run with the privileges of a specific system<br />
user, eliminating both of those issues, and limiting<br />
the damage of a script exploit to the user with the<br />
exploitable script.<br />
Also, check the locations that a potential intruder<br />
may use. I’ve found that on a Linux system /tmp, /<br />
var/tmp, /dev/shm, and Apache’s proxy directories<br />
(all writable by default to anyone) are common<br />
places used to store exploit, scanning, and other<br />
potentially malicious applications. Strange files<br />
in these locations can be a good indicator that<br />
your machine may be compromised – even if the<br />
intruder has not gained root access yet.<br />
There are a number of other security tools that<br />
may or may not be of use to you. Obviously,<br />
everyone has a unique situation, and considering<br />
other solutions such as a hardware-based firewall,<br />
Network IDS, and commercial security software<br />
can be useful. Remember, though – if you just<br />
take a few simple steps, you can easily improve<br />
the security of all your servers. While the time<br />
investment can seem like a lot up front, in the long<br />
run the benefits truly outweigh the associated cost.<br />
Security is a serious concern, but if you consider it<br />
as a factor when making decisions, and take basic<br />
steps to improve your system security, it doesn’t<br />
have to be a huge draw on your time nor does it<br />
have to increase your blood pressure!<br />
P!<br />
PING! ZINE WRITER BIO<br />
Adam C. Greenfield currently serves as Site5’s Chief <strong>Tech</strong>nology Officer. He has<br />
been involved in web hosting for almost 10 years as both a Systems Administrator<br />
and a Developer. Currently his primary focus is leading the Site5 Engineering<br />
Team. He maintains a professional weblog at http://www.adamgreenfield.com/.<br />
Adam can be reached at adam.greenfield@site5.com<br />
26 <strong>Ping</strong>! <strong>Zine</strong> <strong>Web</strong> Hosting <strong>Magazine</strong>