Re: Secure Web-Based Administration

From: Marek Bialoglowy (ultor@systemintegra.com)
Date: 01/28/03

    From: "Marek Bialoglowy" <ultor@systemintegra.com>
    To: "Ryan" <ryan@vbnet.net>
    Date: Tue, 28 Jan 2003 14:18:49 +0700

    Hello,

    From my experience I would recommend that you develop a separate SECURE daemon
    which would execute all required administrative commands with root
    privileges, or other privileges if required. Certainly, listening to advice
    like "allow the web server user ("apache", maybe) to run those commands"
    will someday result in having your server totally compromised due to some
    new vulnerability in apache. Also, if you use this kind of solution you won't
    have the ability to do centralized administration. I'm quite sure that using one
    administration interface to manage 5 servers is more comfortable than going
    to each of them. This solution can be secure if PROPERLY implemented.

    Things which you have to remember while developing it:

    - encrypt all connections to the daemon with SSL! (if it's localhost it's
    not that critical),
    - restrict access to the daemon to specific IP addresses (localhost, admin
    server),
    - implement authentication on the daemon (for example, some users can have
    access only to /etc/rc.d/),
    - don't store any passwords in PHP!!! (send them when authenticating
    using a PHP form),
    - remember about the SSL connection to your web interface!!!

    Well, also ask yourself whether you really need a web interface to
    manage your servers.

    Best Regards,

    Marek Bialoglowy [mb@systemintegra.com] [Information Security Consultant]
    GROUP: HERT (hert.org) -- PGP: http://www.systemintegra.com/pgp/ultor.asc
    JOB: (CTO) System Integra -- Jakarta, Indonesia -- Timezone: JAVT, GMT +7
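The daemon design sketched in the post above, as an added example that is not Marek's code and not part of the original message. It implements the request path a separate privileged daemon would take before touching anything: the peer-address restriction, password verification against salted hashes (the daemon holds only hashes, so nothing worth stealing sits in the PHP tree), per-user scopes so that one user is limited to /etc/rc.d/ while another may only read status, and an argv allowlist so the web tier can never pass a shell string through to root. The addresses, user names, test passwords and command table are constructed for the example; `build_tls_context` shows the TLS side (the post says SSL) for the web-server-to-daemon hop and is the only part that needs files on disk.

```python
"""Skeleton of a separate privileged admin daemon (example, not the post's code).

Everything below the TLS helper is pure functions, so it runs offline; a real
daemon would wrap handle_request() in an accept loop over the TLS socket and
hand the resulting argv to run_command().
"""
import hashlib
import hmac
import os
import re
import ssl
import subprocess

# Hypothetical addresses: the daemon's own host and the admin web server.
ALLOWED_PEERS = {"127.0.0.1", "192.0.2.10"}

# Command allowlist. Each entry: argv template, required scope, and a regex
# per template parameter. The web tier names a command and fills parameters;
# it never supplies a program path or a shell string.
COMMANDS = {
    "rc-restart": {
        "argv": ["/etc/rc.d/init.d/{service}", "restart"],
        "scope": "rc.d",
        "params": {"service": re.compile(r"^[A-Za-z0-9_.-]{1,32}$")},
    },
    "disk-usage": {
        "argv": ["/bin/df", "-h", "{path}"],
        "scope": "status",
        # Absolute path; each segment must start with a non-dot, which rules
        # out "." and ".." segments.
        "params": {"path": re.compile(r"^/(?:[A-Za-z0-9_-][A-Za-z0-9_.-]*/?)*$")},
    },
}


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, scopes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "scopes": frozenset(scopes)}


# Constructed user database. A real daemon loads this from a root-only file;
# only salted hashes are stored, and the PHP side stores nothing at all.
USERS = {
    "rcadmin": make_user("rc-only-secret", ["rc.d"]),      # may only touch rc.d
    "monitor": make_user("monitor-secret", ["status"]),    # read-only status
    "root-ops": make_user("ops-secret", ["rc.d", "status"]),
}


def authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    # Run the KDF even for unknown users so timing does not reveal valid names.
    salt = rec["salt"] if rec else b"\x00" * 16
    digest = _pbkdf2(password, salt)
    if rec is None:
        return False
    return hmac.compare_digest(digest, rec["hash"])


def authorize(user: str, command: str) -> bool:
    spec = COMMANDS.get(command)
    return spec is not None and spec["scope"] in USERS[user]["scopes"]


def build_argv(command: str, params: dict) -> list:
    """Validate every parameter against its regex and expand the argv template."""
    spec = COMMANDS[command]
    if set(params) != set(spec["params"]):
        raise ValueError("parameter set mismatch")
    for name, pattern in spec["params"].items():
        if not pattern.match(params[name]):
            raise ValueError(f"bad value for {name}")
    return [part.format(**params) for part in spec["argv"]]


def handle_request(peer_ip: str, req: dict) -> dict:
    """Decide one request: {"user","password","command","params"} -> argv or refusal."""
    if peer_ip not in ALLOWED_PEERS:
        return {"ok": False, "error": "peer not allowed"}
    if not authenticate(req.get("user", ""), req.get("password", "")):
        return {"ok": False, "error": "authentication failed"}
    if not authorize(req["user"], req.get("command", "")):
        return {"ok": False, "error": "not authorized for command"}
    try:
        argv = build_argv(req["command"], req.get("params", {}))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "argv": argv}


def run_command(argv: list) -> subprocess.CompletedProcess:
    # shell=False: argv goes straight to execve; /bin/sh never parses user input.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)


def build_tls_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """TLS for the web-tier -> daemon hop, requiring a client certificate so
    only the admin server can even open a session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

The order of checks matters: the peer check comes first so an unexpected source never reaches the password path, and argument validation happens after authorization so a user cannot probe the parameter rules for commands outside their scope. Everything the web form collects (user, password, command, parameters) is forwarded per request, matching the post's advice to send credentials from the PHP form rather than keep them on the web host.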


