securing a system

Lisa Kachold lisakachold at obnosis.com
Wed Jun 15 12:15:02 MST 2011


On Wed, Jun 15, 2011 at 9:16 AM, Steve Phariss <sphariss at gmail.com> wrote:

> Hi Lisa,
>
> This post was just the very basics.  There will be several of us looking at
> the attack vector and logs.  There are things I will not have control over
> and I have let my concerns (many of them you mentioned, it's good to know I
> am on the right track <G>) be known to the hiring company.  Good point on
> using an alias.
>

Yes, take it from a social engineering specialist. :)

>
> I know that minimizing the attack vectors is generally best, that is why I
> would like to (if possible) eliminate one of the DBs.  If not possible,
> secure both as well as possible.


Many shops run many DBs, from MySQL to Oracle to RDB to mSQL, happily serving
it all.  It's a poor place to implement a security standardization.  The
issues for any database are with code and security specification during
development, not in the DB itself.

As a professional, be VERY careful what bias you implement as a "technical
recommendation"; it's the single most limiting factor to a systems
engineer/administrator's intelligence.  This is not POLITICS!

Download the Rapid7 Nexpose Community Edition (free) scanner, set it up on
CentOS, and see what's exploitable.

>
>
> On Wed, Jun 15, 2011 at 8:17 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>
>> Hi Steve!
>>
>> I would be very careful about specifics to a list; especially if you plan
>> to later advertise you work there.
>>
>> Using another name or alias for security questions is generally best.
>>
>> See my suggestions below.
>>
>> On Tue, Jun 14, 2011 at 10:41 PM, Steve Phariss <sphariss at gmail.com> wrote:
>>
>>> I may have a job putting a compromised system back into production
>>> (actually we are moving them from Ubuntu to a RHEL VM...)
>>>
>>
>> Be sure to do your feasibility research BEFORE making a technical
>> recommendation.  A feasibility plan takes into consideration ALL of the
>> various daemons and services as well as other things which must connect and
>> network (iSCSI for instance).  What will you do if one of their programs
>> (Mason-CM) won't work with RHEL VM?
>>
>>>
>>> I am still lacking some details but they are running Apache, MySQL AND
>>> Postgres, Drupal, and something called Mason-CM.  I am not sure why
>>> the two DBs but if there is not a good reason I will move them off of one or
>>> the other.
>>
>>
>> Mason-CM is required for one of their apps.  You will break upwards
>> compatibility if you move them. Run both.
>>
>>> Anyone have any good docs on securing Apache, Drupal, the DBs, or
>>> Mason-CM?
>>
>>
>> That's too blanket a question.  Apache/SSL/PostgreSQL all have
>> insecurities based on version.
>> Everything can be "hacked" or configured just to work, not to work
>> securely.
>>
>> Apache runs with many additional features, for instance mod_proxy.
>> Drupal runs with third-party contributed modules -- not all secure, as the
>> government learned last year in a famous hack.
>> DBs are only as good as the underlying security model.
>> Read the docs for Mason-CM (but again it's going to be dependent for SQL
>> injection protection on the underlying code base or app).
>>
>> The best I can suggest is to run Rapid7 Nexpose security scanner against
>> your configuration and mitigate each thing one by one.
>>
>> But before you rebuild, you might take a minute to determine the "attack
>> vector".
>>
>>> Thanks
>>>
>>> Steve
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> (602) 791-8002  Android
>> (623) 239-3392 Skype
>> (623) 688-3392 Google Voice
>> Server Engineer/Security Administrator
>> HomeSmartInternational.com <http://www.homesmartinternational.com>
>>
>
>



--
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
Server Engineer/Security Administrator
HomeSmartInternational.com <http://www.homesmartinternational.com>
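The thread's advice to "determine the attack vector" before rebuilding usually starts with the Apache access log. The following is an added example, not code from anyone on the list, showing one way to triage combined-format log lines for a Drupal host: parse each line, URL-decode the request, and flag SQL-injection shapes, traversal, probes of Drupal's install/update scripts, and PHP executed from the sites/default/files upload directory (the usual webshell location). The log lines are constructed for this example, the rule set is a starting point rather than complete, and the Drupal paths assumed are the defaults.

```python
"""Triage Apache combined-format access logs to narrow down an attack vector.

Added example, not from the original thread. SAMPLE_LOG is constructed;
the RULES are a starting point for a Drupal/Apache host, not a full rule set.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Each rule is applied to the URL-decoded path+query (decoding defeats %20-style evasion).
RULES = [
    ("sqli", re.compile(r"(union\s+select|or\s+1\s*=\s*1|sleep\(|information_schema|--\s*$)", re.I)),
    ("traversal", re.compile(r"\.\./|/etc/passwd|/proc/self", re.I)),
    # Drupal maintenance scripts that scanners probe; legitimate admins rarely hit them remotely.
    ("drupal_probe", re.compile(r"^/(install\.php|update\.php|xmlrpc\.php|cron\.php)", re.I)),
    # PHP under Drupal's upload directory (assumed default sites/default/files) should never execute.
    ("drupal_files_php", re.compile(r"^/sites/default/files/.*\.php", re.I)),
]

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jun/2011:22:03:11 -0700] "GET /?q=node/3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2011:22:03:14 -0700] "GET /?q=node/3%20UNION%20SELECT%20name,pass%20FROM%20users-- HTTP/1.1" 200 9871 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jun/2011:22:05:01 -0700] "GET /update.php HTTP/1.1" 403 221 "-" "python-requests/0.8"',
    '203.0.113.5 - - [14/Jun/2011:22:07:42 -0700] "POST /sites/default/files/cache.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Jun/2011:22:08:00 -0700] "GET /?q=../../../../etc/passwd HTTP/1.1" 404 189 "-" "curl/7.21"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict of the combined-log fields plus the decoded request, or None."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def classify(rec):
    """Names of every rule the record matches, plus a derived webshell flag."""
    hits = [name for name, rx in RULES if rx.search(rec["decoded"])]
    # A 2xx POST to PHP inside the upload directory is the classic webshell signature.
    if rec["method"] == "POST" and rec["status"].startswith("2") and "drupal_files_php" in hits:
        hits.append("possible_webshell")
    return hits


def triage(lines):
    """Group flagged requests by rule, and count flagged requests per source IP.

    Returns (findings, per_ip) where findings[rule] is a list of
    (ip, timestamp, decoded_request, status) and per_ip is a Counter.
    """
    findings = {}
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            per_ip[rec["ip"]] += 1
        for name in hits:
            findings.setdefault(name, []).append(
                (rec["ip"], rec["ts"], rec["decoded"], rec["status"])
            )
    return findings, per_ip


def earliest_hit(findings):
    """Earliest flagged request across all rules: a lower bound on when the attack began."""
    rows = [
        (datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), name, path)
        for name, entries in findings.items()
        for (_ip, ts, path, _status) in entries
    ]
    return min(rows, default=None)


if __name__ == "__main__":
    found, by_ip = triage(SAMPLE_LOG)
    for rule, entries in found.items():
        for ip, ts, path, status in entries:
            print(f"{rule:18} {ip:14} {ts} {status} {path}")
    print("flagged requests per IP:", dict(by_ip))
    print("first flagged request:", earliest_hit(found))
```

The status code matters as much as the pattern: a 200 on the UNION SELECT request means the payload was not rejected, and a 200 on a POST to a PHP file under sites/default/files means code is already executing from the upload directory. Feed the real log in with `triage(open("access.log"))` and pivot on the IPs and timestamps before wiping the box.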

