Re: Secure Web-Based Administration

From: Marek Bialoglowy (ultor@systemintegra.com)
Date: 01/28/03

    From: "Marek Bialoglowy" <ultor@systemintegra.com>
    To: "Ryan" <ryan@vbnet.net>
    Date: Tue, 28 Jan 2003 14:18:49 +0700
    
    

    Hello,

    From my experience, I would recommend developing a separate SECURE daemon
    which would execute all required administrative commands with root
    privileges, or other privileges if required. Certainly listening to advice
    like "allow the web server user ("apache", maybe) to run those commands"
    will someday result in having your server totally compromised due to some
    new vulnerability in apache. Also, if you use this kind of solution you won't
    have the ability to do centralized administration. I'm quite sure that using one
    administration interface to manage 5 servers is more comfortable than going
    to each of them. This solution can be secure if PROPERLY implemented.

    Things which you have to remember while developing it:

    - encrypt all connections to the daemon with SSL! (if it's localhost it's
    not that critical),
    - restrict access to the daemon to specific IP addresses (localhost, admin
    server),
    - implement authentication on the daemon (for example, some users can have
    access only to /etc/rc.d/),
    - don't store any passwords in PHP!!! (send them when authenticating
    using a PHP form),
    - remember about the SSL connection to your web interface!!!

    Well, also ask yourself whether you really need a web interface to
    manage your servers.

    Best Regards,

    Marek Bialoglowy [mb@systemintegra.com] [Information Security Consultant]
    GROUP: HERT (hert.org) -- PGP: http://www.systemintegra.com/pgp/ultor.asc
    JOB: (CTO) System Integra -- Jakarta, Indonesia -- Timezone: JAVT, GMT +7
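The access-control core of the kind of daemon recommended above, as an added example that is not part of the original post: peer-address restriction, credentials held (hashed) in the daemon rather than in PHP, and a per-user allow list that confines one account to the init scripts under /etc/rc.d/. The peer addresses, user names, passwords, salts and program paths are constructed for illustration; the TLS transport and socket loop are assumed to wrap `authorize`.

```python
import hashlib
import hmac
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed policy for illustration: only localhost and the admin web server may reach the daemon.
ALLOWED_PEERS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("10.0.0.5")}

def pw_hash(password: str, salt: bytes) -> bytes:
    """Credentials are kept (hashed) inside the daemon, never in the PHP layer."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Per-user allow list: program path -> permitted argument tuples (constructed values).
# "webops" is confined to the httpd init script, as in the post's /etc/rc.d/ example.
USERS = {
    "webops": {"salt": b"salt-webops", "hash": pw_hash("webops-pass", b"salt-webops"),
               "allow": {"/etc/rc.d/init.d/httpd": {("restart",), ("status",)}}},
    "sysadm": {"salt": b"salt-sysadm", "hash": pw_hash("sysadm-pass", b"salt-sysadm"),
               "allow": {"/sbin/shutdown": {("-r", "now")}, "/etc/rc.d/init.d/httpd": {("restart",)}}},
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: Optional[list] = None

def authorize(peer_ip: str, request: str) -> Decision:
    """Check peer, credentials and allow list for one request line of the form
    '<user> <password> <program> [args...]' received over the TLS session."""
    if ipaddress.ip_address(peer_ip) not in ALLOWED_PEERS:
        return Decision(False, "peer not permitted")
    try:
        user, password, *cmd = shlex.split(request)
    except ValueError:
        return Decision(False, "malformed request")
    rec = USERS.get(user)
    # Unknown users are hashed against a dummy salt so timing does not reveal valid names.
    salt, expected = (rec["salt"], rec["hash"]) if rec else (b"dummy", pw_hash("", b"dummy"))
    if not hmac.compare_digest(pw_hash(password, salt), expected) or rec is None:
        return Decision(False, "authentication failed")
    if not cmd:
        return Decision(False, "no command given")
    prog, *args = cmd
    # Exact match on program path and argument tuple: no shell, no free-form arguments.
    if tuple(args) not in rec["allow"].get(prog, set()):
        return Decision(False, f"{user} may not run {' '.join(cmd)}")
    return Decision(True, "ok", list(cmd))
```

An approved `Decision.argv` is meant to be passed straight to `subprocess.run(argv, shell=False)` by the privileged daemon, so the web front end itself never holds root.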


