Re: Feedback solicited - best way to harden a mail/web server?
From: teddy (mouschi@cheese-head-state.rr.com)
Date: 12/30/02
From: "teddy" <mouschi@cheese-head-state.rr.com> Date: Mon, 30 Dec 2002 17:18:12 GMT
"Jim Levie" <jim@entrophy-free.net> wrote:
> That's pretty much "security through obscurity". Changing the HTTPS port to
> one greater than 1024 doesn't help if you happen to be running a vulnerable
> version of Apache/OpenSSL. The vulnerability is in the application and
> changing the port just makes it a bit more difficult to find the vulnerability.
> If I were trying to penetrate such a system it would take only a few minutes
> to find the port being used for HTTPS and then I'm in if the application is
> vulnerable.
You're forgetting something... if Apache doesn't need root access and
doesn't HAVE root access, then exploiting it will simply give the attacker a
normal shell. Sure, that's bad, but at least it's another layer of crap the
kid would have to get through. And chances are, this guy's getting bitten by
a worm of some sort.
-Ted
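
Added example, not part of the original message: a small Python audit of the privilege question raised above, reporting whether an Apache configuration forces a root start (a Listen port below 1024) and which account the workers are set to run as. The sample configuration and the function name `audit_httpd_conf` are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
# main server
Listen 8443
Listen 127.0.0.1:8080
User apache
Group apache
"""

def audit_httpd_conf(text):
    """Report whether the config needs root to bind and who the workers run as."""
    ports, user, group = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        # Only whole-line comments are skipped; "#" can appear in values (User #48).
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()  # directive names are case-insensitive
        if key == "listen" and len(parts) >= 2:
            # Accepts "443", "10.0.0.1:443" and "[::1]:443"; the port is the trailing digits.
            m = re.search(r"(\d+)$", parts[1])
            if m:
                ports.append(int(m.group(1)))
        elif key == "user" and len(parts) >= 2:
            user = parts[1]
        elif key == "group" and len(parts) >= 2:
            group = parts[1]

    low = sorted(p for p in ports if p < 1024)
    findings = []
    if low:
        findings.append(f"ports {low} are below 1024: the parent must start as root to bind them")
    if user is None:
        findings.append("no User directive: confirm which account the workers run as")
    elif user.lower() in ("root", "#0"):
        findings.append("workers are configured to run as root")
    return {"ports": ports, "needs_root_to_bind": bool(low),
            "user": user, "group": group, "findings": findings}

if __name__ == "__main__":
    report = audit_httpd_conf(SAMPLE_CONF)
    print(report["ports"], report["user"], report["findings"] or "no findings")
```

A clean report only covers the privilege layer; it says nothing about whether the Apache/OpenSSL build itself is patched.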