Many people seem to have the impression that security = ssl enabled, and in
some ways it does enhance security, but it's certainly by no means the
end of the game, nor the beginning. Security begins with the OS install:
not adding packages known to be exploitable (redhat is the M$ of the linux
world these days, a kitchen sink of exploitable packages in the defaults
available), closing out un-needed services (not using NFS? then turn it
off, disable it via the kernel rebuild process, etc.), replacing telnet, ftp
and the R* commands with ssh/scp, setting proper permissions throughout
the directory structure to limit local exposures and abilities. Of course
the game gets tougher once you allow others onto the system; once a person
has a shell on the box, they have many more routes to compromise the
system, so trust begins to play a larger and larger role.

So, to more directly answer your question: no, mod_ssl is not going to fit
your needs completely here. It begins at the administration level. Think of
ssl enabled transactions as more of a secure tunnel for the protection of the
exchange of information, i.e. credit card info or other private personal
information, in an encrypted tunnel over the public network. For those with
actual login capabilities on your system, you have a whole other set of
worms to fish up and out. Even an ssl secured web server with an open
exploitable service running on other tcp/ip or udp ports will leave you
0w3d in short order. The system you are attempting to secure should not
even touch the internet until *after* it has been properly configured and
secured.
Here's a reading list to get you started:
http://rr.sans.org/
http://www.interhack.net/pubs/fwfaq/
http://geodsoft.com/howto/harden/
http://www.nfr.com/forum/publications.html
http://www.ticm.com/info/insider/members/fwsecfaq/index.html
http://www.avolio.com/columns/15.html
http://www.wilyhacker.com/
http://www.jmu.edu/computing/runsafe/
http://csrc.nist.gov/itsec/guidance_W2Kpro.html
http://www.networkcomputing.com/1120/1120ws1.html
http://www.Linux-Sec.net/Policy/
http://www.pc-help.org/obscure.htm
http://www.monkeys.com/security/proxies/
http://nms-cgi.sourceforge.net/
http://www.cgisecurity.com/articles/
http://www.apacheweek.com/features/security-13
http://www.cgisecurity.net/papers/
Thanks,
Ron DuFresne
On Tue, 30 Jul 2002, Henning, Brian wrote:
Hello,
I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
server. I downloaded the mod_ssl package from the website. I changed the
port on my apache web server to 443. On a high level, what do I need to do to
create a secure web server? I guess my real problem is I don't know what ssl
does for me. What I am looking for is something that can password protect
the files on my server. I want to let specific people access my site and
that is it. They must have a password to use it. Is mod_ssl what I want, or
should I be looking elsewhere?
thanks for any input,
brian
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
--
~~
admin senior security consultant: sysinfo.com
http://sysinfo.com
Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart
testing, only testing, and damn good at it too!
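Brian's question mixes two separate mechanisms that Ron's reply keeps apart: mod_ssl gives the encrypted tunnel, while restricting the files to named people with passwords is plain Apache access control (mod_auth), which works with or without SSL. The configuration below is an added example, not code from either poster or from the mod_ssl project, showing how the two are combined on an Apache 1.3 / mod_ssl server. The ServerName, the paths, the certificate file names and the user names are placeholders.

```apache
# Added example: Apache 1.3 + mod_ssl, one SSL virtual host on port 443
# with a password-protected directory.  All paths and names are placeholders.
Listen 443

<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot "C:/Apache/htdocs"

    # mod_ssl: the encrypted tunnel.  It protects what crosses the wire,
    # but by itself does not decide who may read which files.
    SSLEngine on
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key

    # mod_auth: who may read the files.  Independent of SSL.
    <Directory "C:/Apache/htdocs/private">
        # Refuse any request that did not arrive over SSL, so the Basic
        # credentials (which are only base64 encoded, not encrypted) are
        # never sent over plain HTTP even if port 80 is also open.
        SSLRequireSSL

        AuthType Basic
        AuthName "Restricted area"
        # Keep the password file outside DocumentRoot so it can never be served.
        AuthUserFile "C:/Apache/conf/htpasswd"

        # Name the accounts explicitly rather than "valid-user", so adding a
        # test account to the file later does not silently widen access.
        Require user alice bob
    </Directory>
</VirtualHost>
```

The password file is created with the htpasswd tool shipped with Apache (`htpasswd -c C:\Apache\conf\htpasswd alice` for the first user; omit `-c` for the rest, since it overwrites the file). Check the result from outside: a request to the directory over http:// should be refused outright, and over https:// it should return a 401 until a listed account authenticates. This answers only the web-server part of the question; the host hardening Ron describes is still needed underneath it.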