Re: securing a system

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: securing a system
On Wed, Jun 15, 2011 at 9:16 AM, Steve Phariss <> wrote:

> Hi Lisa,
>
> This post was just the very basics. There will be several of us looking at
> the attack vector and logs. There are things I will not have control over
> and I have let my concerns (many of them you mentioned, it's good to know I
> am on the right track <G>) be known to the hiring company. Good point of
> using an alias.
>


Yes, take it from a social engineering specialist. :)

>
> I know that minimizing the attack vectors is generally best, that is why I
> would like to (if possible) eliminate one of the DBs. If not possible,
> secure both as well as possible.



Many shops run many DB's from mysql to oracle to rdb to msql happily serving
it all. It's a poor place to implement a security standardization. The
issues for any database are with code and security specification during
development, not in the DB itself.

As a professional, be VERY careful what bias you implement as a "technical
recommendation"; it's the single most limiting factor to a systems
engineer/administrator's intelligence. This is not POLITICS!

Download the Rapid7 Nexpose Community Edition (free) scanner, set it up on
CentOS, and see what's exploitable.

>
>
> On Wed, Jun 15, 2011 at 8:17 AM, Lisa Kachold <> wrote:
>
>> Hi Steve!
>>
>> I would be very careful about specifics to a list; especially if you plan
>> to later advertise you work there.
>>
>> Using another name or alias for security questions is generally best.
>>
>> See my suggestions below.
>>
>> On Tue, Jun 14, 2011 at 10:41 PM, Steve Phariss <> wrote:
>>
>>> I may have a job putting a compromised system back into production
>>> (actually we are moving them from Ubuntu to a RHEL VM...)
>>>
>>
>> Be sure to do your feasibility research BEFORE making a technical
>> recommendation. A feasibility plan takes into consideration ALL of the
>> various daemons and services as well as other things which must connect and
>> network (iSCSI for instance). What will you do if one of their programs
>> (Mason-CM) won't work with RHEL VM?
>>
>>>
>>> I am still lacking some details but they are running apache, Mysql AND
>>> Postgres, Drupal, and something called Mason-CM. I am not sure why
>>> the two DBs but if there is not a good reason I will move them off of one or
>>> the other.
>>
>>
>> Mason-CM is required for one of their apps. You will break upwards
>> compatibility if you move them. Run both.
>>
>>> Anyone have any good docs on securing Apache, Drupal, the DBs, or
>>> Mason-CM?
>>
>>
>> That's too blanket of a question. Apache/SSL/postgresql all have
>> insecurities based on version.
>> Everything can be "hacked" or configured just to work, not to work
>> securely.
>>
>> Apache runs with many additional features, for instance mod_proxy.
>> Drupal runs with third party contributed modules -- not all secure as the
>> government learned last year in a famous hack.
>> DB's are only as good as the underlying security model.
>> Read the docs for Mason-CM (but again it's going to be dependent for sql
>> injection protection on the underlying code base or app).
>>
>> The best I can suggest is to run Rapid7 Nexpose security scanner against
>> your configuration and mitigate each thing one by one.
>>
>> But before you rebuild, you might take a minute to determine the "attack
>> vector".
>>
>>> Thanks
>>>
>>> Steve
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> (602) 791-8002 Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> Server Engineer/Security Administrator
>> HomeSmartInternational.com <http://www.homesmartinternational.com>




--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
Server Engineer/Security Administrator
HomeSmartInternational.com <http://www.homesmartinternational.com>