Linux Web Server Hardening (LAMP + Wiki)


Jeffrey Walton

Jan 25, 2013, 4:31:04 PM
to Security Basics List
Hi All,

Is anyone aware of a hardening guide for a Linux LAMP server with a
Wiki component?

I have an older Linux Server hardening book, but nothing recent. I
have not seen a Wiki hardening document.

Thanks in advance,

Jeff

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Eric Furman

Jan 28, 2013, 3:19:18 AM
to Jeffrey Walton, Security Basics List
Don't use Linux. It is insecure. Use Windows or one of the BSDs.
All are much more secure.

Henri Salo

Jan 28, 2013, 3:39:45 AM
to Jeffrey Walton, Security Basics List
On Fri, Jan 25, 2013 at 04:31:04PM -0500, Jeffrey Walton wrote:
> Is anyone aware of a hardening guide for a Linux LAMP server with a
> Wiki component?
>
> I have an older Linux Server hardening book, but nothing recent. I
> have not seen a Wiki hardening document.
>
> Thanks in advance,
>
> Jeff

Set up RBAC, tripwire (or similar), ClamAV, backups and remember to update the wiki. Not trying to put the blame on anyone, but you could learn a lot from this case: http://wiki.python.org/moin/WikiAttack2013

If you need help with updating wiki software please send me an email and I can tell you about my open-source application, which helps with these tasks, at least for some administrators :)

--
Henri Salo
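
The "tripwire (or similar)" item above, as an added example that is not from the thread or from any project: a minimal file-integrity baseline in Python for a wiki's web root. It records a SHA-256 digest and the permission bits of every regular file, saves the baseline as JSON and reports added, removed and modified files on the next run, which is how a dropped PHP file in an upload directory or an edited LocalSettings.php gets noticed. All paths and file contents in demo() are constructed for the example; the function names are this example's own.

```python
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path, chunk=65536):
    """Hash a file in chunks so large uploads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: {"sha256": hex, "mode": octal}} for every regular file under root.

    Mode is recorded as well as content so that a chmod +x on an existing
    file shows up as a modification, not only a content change.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices: a real tool reports these too
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": _sha256(full),
                             "mode": oct(stat.S_IMODE(st.st_mode))}
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep it off-host or read-only: an attacker who
    can write the web root could otherwise rewrite the baseline as well."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_baseline(old, new):
    """Compare two baselines; returns sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def demo():
    """Constructed scenario (not real data): baseline a fake wiki root, then
    simulate what a compromise looks like and return the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php /* wiki entry point */ ?>\n")
        with open(os.path.join(root, "LocalSettings.php"), "w") as fh:
            fh.write("<?php $wgSitename = 'Wiki'; ?>\n")
        # Round-trip the baseline through JSON exactly as a cron job would.
        path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), path)
        before = load_baseline(path)
        # Simulated compromise: a PHP file appears in the upload directory and
        # the configuration file is edited.
        with open(os.path.join(root, "images", "x.php"), "w") as fh:
            fh.write("<?php /* unexpected upload */ ?>\n")
        with open(os.path.join(root, "LocalSettings.php"), "a") as fh:
            fh.write("$wgSecretKey = 'changed';\n")
        return diff_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice build_baseline would run from cron against the document root and the JSON would be written somewhere the web server's user cannot reach; a diff that lists only files the wiki itself is allowed to write (its upload directory, with no .php files in it) is the normal case, anything else is worth a look.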

Arie Claassens

Jan 28, 2013, 3:46:14 AM
to Security Basics List
Hi Jeff,

Have a look at the following sites:

https://benchmarks.cisecurity.org/downloads/multiform/index.cfm
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
https://www.atomicorp.com/

The Wiki itself needs to be addressed like any other web app, i.e. CAPTCHA
protection on forms, input sanitation, XSRF protection, etc., but if you
harden the OS and specifically Apache, it goes a long way towards reducing
your attack surface. Look at simple things like disabling all Apache modules
that you do not need, installing mod_evasive and mod_security to help reduce
DOS attacks and filter malicious input on your web app. See
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project for more
info.

Years back, http://www.securecentos.com/ had some really nice tips on
hardening your OS on multiple levels and also simplifying the whole process
of hardening and maintaining your server.

http://www.mediawiki.org/wiki/Manual:Security should help with the hardening
of the actual Wiki.

YMMV.

Balakrishnan Nadar

Jan 28, 2013, 4:40:10 AM
to Security Basics List
Hi Jeff,

You can refer to the latest CIS Security benchmark on Linux hardening if you are using Redhat

https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Enterprise_Linux_6_Benchmark_v1.0.0.pdf

Similarly for Suse linux from CIS site.


Thanks & Regards, 

Baalakrishnan

Joerg Stephan

Jan 28, 2013, 5:48:10 AM
to Eric Furman, Jeffrey Walton, Security Basics List
> Don't use Linux. It is insecure. Use Windows or one of the BSDs.
> All are much more secure.


Hi there,

so this is really your opinion?

All security issues are mostly against the running service, not the OS itself, and the service doesn't change if you use a different OS. On BSD systems handwork is needed to run the update; most Linux OSes have an autoupdate feature. Therefore you should take a look at hardening the components like

* Apache: mod_security, suexec, etc.; maybe you want to chroot the whole webservice (or jail it)
* MySQL: set listening address to localhost only
* PHP: use stable release

On Ubuntu (for example) you should use auto updates for critical security updates and try to use the mediawiki from the repository.

In general on Linux systems you should use a firewall and let services listen only on local IP addresses.

Regards? 

DragonSlay3r

Jan 28, 2013, 7:09:38 AM
to Eric Furman, Jeffrey Walton, Security Basics List
This could be off topic, but I just want to ask.
What makes you say BSD is better than Linux?

Michael Zoet

Jan 28, 2013, 7:23:26 AM
to securit...@securityfocus.com
Hi,

> Don't use Linux. It is insecure. Use Windows or one of the BSDs.
> All are much more secure.

As I am always interested in security solutions I was wondering where
this analysis comes from? Are there any facts and data to prove this
statement?

Why would it be more secure to use Apache, MySQL, PHP for example on
OpenBSD? You can easily misconfigure any BSD or Windows server as you
can do it on a Linux server...

>
> On Fri, Jan 25, 2013, at 04:31 PM, Jeffrey Walton wrote:
>> Hi All,
>>
>> Is anyone aware of a hardening guide for a Linux LAMP server with a
>> Wiki component?

Why is a Wiki so important? There are several good hardening guides
out there. In general and distribution specific.

Michael

Michael Peppard

Jan 28, 2013, 10:56:52 AM
to securit...@securityfocus.com
You will need to get up to speed on selinux. ACLs, chroot jails and
iptables alone don't cut it.

LAMP is well supported by the default selinux rules on every major Linux
distro. You will have to learn how to tighten the security rules, such
as type enforcement yourself though.

Mike

Emre Tugriceri

Jan 28, 2013, 9:43:35 AM
to securit...@securityfocus.com

Is this a joke? But yes, you are right, Linux is insecure if you don't know how to manage it. Windows is more secure for junior system admins...
You have to check your security perspective.

Emre Tugriçeri

Mikhail A. Utin

Jan 28, 2013, 11:20:54 AM
to Eric Furman, Jeffrey Walton, Security Basics List
Eric wrote: " Don't use Linux. It is insecure. "
It would be funny if not so sad. I haven't seen such statements for years. Could you explain your historical statement for us, or please refer to a source of such a deeply thought statement?

Mikhail


Jason M

Jan 28, 2013, 11:19:46 AM
to securit...@securityfocus.com

Eric,

This is a ridiculous piece of FUD and certainly does not help the
gentleman with his question. In the future please keep your baseless
comments to yourself. This list is not the place for you to shill
your preferred OS, but for facts concerning security.

Whew, happy that is out of the way
(and much more polite than I thought it would be)

Having said that:

Hi Jeff, I would start here:

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

This is way overkill for your average LAMP stack, but will give you a
good idea as to how far you can go.

For a more simplified checklist style that will get you most of the
way have a look at:

www.sans.org/score/checklists/linuxchecklist.pdf

Good luck, and happy hardening :)

--
Jason Millette
System Administrator \ Wireless Security Specialist

Datavalet
5275 Queen Mary
Montreal, Quebec
H3W 1Y3

t: (866) 532-4448 x169 f: (514) 385-6660


Ansgar Wiechers

Jan 28, 2013, 7:53:34 AM
to securit...@securityfocus.com
On 2013-01-28 Eric Furman wrote:
> On Fri, Jan 25, 2013, at 04:31 PM, Jeffrey Walton wrote:
>> Is anyone aware of a hardening guide for a Linux LAMP server with a
>> Wiki component?
>>
>> I have an older Linux Server hardening book, but nothing recent. I
>> have not seen a Wiki hardening document.
>
> Don't use Linux. It is insecure. Use Windows or one of the BSDs.
> All are much more secure.

Do you have an argument to go with that opinion?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

forgaoqiang

Jan 28, 2013, 9:45:29 AM
to nolo...@gmail.com, Security Basics List
I think the default settings of LAMP are safe enough. I checked the official site and found nothing new; if anyone has it, I would like to have a copy, thanks~

James Thomas

Jan 28, 2013, 1:48:44 PM
to securit...@securityfocus.com
Dear Eric,

Thank you for your note.

On 28/01/2013 03:19, Eric Furman wrote:
> Don't use Linux. It is insecure. Use Windows or one of the BSDs.
> All are much more secure.

I'd argue that none of these are secure, that perfect security is an
illusion, and that technical solutions aren't everything. If there have
been fewer exploits for the BSDs, I'd argue that this is merely because
they, being lesser known, represent a smaller attack surface. I'd be
more concerned about configuring systems properly than with choice of
OS, and training all associates to resist spearphishing, etc.

Security should be seen as a series of layers, any of which might be
breached, and the layer closest to one's skin should be an awareness of
techniques that may be employed by an attacker, and how to mitigate
them. Mitnick's books are a good start for this.

That said, I have no useful answers for Jeffrey's actual question offhand.

James

Jeffrey Walton

Jan 29, 2013, 1:44:44 AM
to Security Basics List
Thanks everyone. I appreciate the help.


Littlefield, Tyler

Jan 28, 2013, 11:09:49 AM
to Eric Furman, Jeffrey Walton, Security Basics List
On 1/28/2013 1:19 AM, Eric Furman wrote:
> Don't use Linux. It is insecure. Use Windows or one of the BSDs.
> All are much more secure.

You have anything to back up the last statement?
--
Take care,
Ty
http://tds-solutions.net
The aspen project: a barebones light-weight mud engine:
http://code.google.com/p/aspenmud
He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.

Ulm, Matt

Jan 28, 2013, 11:32:57 AM
to Eric Furman, Jeffrey Walton, Security Basics List
Wow, don't use Linux?
Any operating system can be insecure if you don't harden it appropriately.

@Jeff:
Check these out:
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
http://benchmarks.cisecurity.org/


Matthew Ulm
Security Engineer
www.edelman.com
Desk: 312-297-6970 Cell: 773-746-6601



Michael Peppard

Jan 29, 2013, 9:40:35 AM
to securit...@securityfocus.com
" I'd argue that this is merely because they, being lesser known,
represent a smaller attack surface"

This is a fallacy. The most interesting servers usually use the more
secure operating systems, therefore they tend to get the most attention.
LAMP for instance runs a great percentage of web servers with shopping
carts and database access. Very high value targets.

The openness of the code for review by anyone with an interest should
make these operating systems open targets, yet somehow it hasn't. In
fact the most paranoid government agencies use a linux offshoot, android
with custom selinux, for their secure servers. Strange huh?

-Mike

Sosa.Angel

Jan 29, 2013, 10:07:07 AM
to Mikhail A. Utin, Eric Furman, Jeffrey Walton, Security Basics List
I have seen a statement so pronounced on Linux!!

Tommy Thomas

Jan 29, 2013, 10:58:23 AM
to Security Basics List
ConfigServer is awesome and has recommended security settings/checks and if you are using WHM/CPanel, it plugs into that otherwise you have to use the command line. I use LiquidWeb for my VPS servers and their support is awesome and is one of the few companies I felt comfortable with putting a forward facing linux server online. LW also has a firewall you can control access to your VPS as well as the configserver firewall, so double protection.

http://www.configserver.com/
http://www.configserver.com/cp/cxs.html
http://www.configserver.com/cp/csf.html
http://www.configserver.com/cp/cmc.html
http://wiki.centos.org/HowTos/OS_Protection
http://www.gridvirt.com/blog/beginners-linux-security-guide-centos-6-2/

Thank you,
Tommy Thomas, MCP, Network+, Security+, C|EH, MCSE
Network Systems Administrator -::- Webmaster
Public Affairs Specialist - :: - Photojournalist
Ocala Website Designs LLC
www.OcalaWebsiteDesigns.com
352.454.0321


Tracy Reed

Jan 29, 2013, 8:11:10 PM
to Michael Peppard, securit...@securityfocus.com
On Mon, Jan 28, 2013 at 07:56:52AM PST, Michael Peppard spake thusly:
> You will need to get up to speed on selinux. ACLs, chroot jails and iptables
> alone don't cut it.

I second the use of SELinux. It is a whole new security system and rather
complex but well worth learning. I think of it like firewalls for my
applications.

I have compiled the following list of resources for securing RHEL/CentOS:

http://www.nsa.gov/ia/_files/os/redhat/rhel5-pamphlet-i731.pdf

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf

http://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf

http://web.nvd.nist.gov/view/ncp/repository

Use something like puppet to automate implementation of this stuff
network-wide. That last NIST link even has an awesome puppet config for all of
this! I've been reading through the code for the puppet modules and learned
some neat things, including stuff I had no clue about previously such as how
augeas works and what it is good for.

> LAMP is well supported by the default selinux rules on every major Linux
> distro. You will have to learn how to tighten the security rules, such as
> type enforcement yourself though.

If using SELinux (which I recommend) be sure to know about the booleans related
to http. A simple flip of a setting from off to on can solve most http related
problems and avoid frustration or writing custom SELinux policy:

# /usr/sbin/getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off

--
Tracy Reed
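
An added example (not Tracy's or any project's code) that turns the boolean dump above into a repeatable check: it parses `getsebool -a` output and compares it with a per-host policy, printing the `setsebool -P` command for each deviation. The sample input embedded below is the listing from the post. The POLICY values are this example's assumptions for a mod_php wiki that reaches MySQL over the local unix socket and sends no mail; on a host where PHP connects to MySQL over TCP, httpd_can_network_connect_db has to be on, and a wiki that sends notification mail needs httpd_can_sendmail. The commands it prints are suggestions to review, not to run blindly.

```python
import re

# Sample input: the `getsebool -a | grep http` output posted above, embedded
# here so the script runs offline.
SAMPLE_GETSEBOOL = """\
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
"""

# Expected values for a LAMP box running a wiki under mod_php, talking to MySQL
# over the local unix socket and sending no mail. These are this example's
# assumptions, not distro defaults; adjust before applying.
POLICY = {
    "httpd_builtin_scripting": "on",          # mod_php needs this
    "allow_httpd_anon_write": "off",
    "allow_httpd_sys_script_anon_write": "off",
    "httpd_can_network_connect": "off",       # PHP should not open arbitrary outbound sockets
    "httpd_can_network_connect_db": "off",    # only needed for TCP to MySQL, not the unix socket
    "httpd_can_sendmail": "off",              # set on if wiki e-mail notifications are wanted
    "httpd_enable_cgi": "off",                # no CGI scripts in a mod_php wiki
    "httpd_enable_homedirs": "off",
    "httpd_execmem": "off",
    "httpd_ssi_exec": "off",
    "httpd_tmp_exec": "off",
    "httpd_tty_comm": "off",                  # only needed to prompt for a TLS key passphrase
    "httpd_dbus_avahi": "off",
    "httpd_unified": "off",                   # off keeps read-only and writable content types distinct
}

_LINE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text):
    """Turn getsebool output into {name: "on"|"off"}; ignores prompts and blank lines."""
    bools = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            bools[m.group(1)] = m.group(2)
    return bools


def audit(bools, policy=POLICY):
    """Return (name, current, expected, fix) for every boolean that deviates from policy.
    Booleans the running policy does not define are skipped rather than flagged."""
    findings = []
    for name, expected in sorted(policy.items()):
        current = bools.get(name)
        if current is not None and current != expected:
            findings.append((name, current, expected,
                             "setsebool -P %s %s" % (name, expected)))
    return findings


if __name__ == "__main__":
    for name, current, expected, fix in audit(parse_getsebool(SAMPLE_GETSEBOOL)):
        print("%-36s is %-3s want %-3s  -> %s" % (name, current, expected, fix))
```

Against the posted listing this flags httpd_dbus_avahi, httpd_enable_cgi, httpd_tty_comm and httpd_unified, all "on" where the policy wants "off". The last one is the interesting one: with httpd_unified on, the httpd domain treats all httpd content types alike, so the separation between read-only content and the directories the wiki may write to (its upload area, its cache) does no work. Turning it off is what makes type enforcement bite, at the cost of having to label the writable directories correctly.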

gre...@gremlin.ru

Jan 30, 2013, 2:57:51 PM
to securit...@securityfocus.com
On 28-Jan-2013 12:09:38 +0000, DragonSlay3r wrote:

> This Could be off topic, but i just wanna ask.
> What makes you say BSD is better than linux?

I guess that's the lack of knowledge. *BSD IP stack contains some
not-yet-to-be-published vulnerabilities being used to fight DDoS
attacks (most botnets consist of trojaned PCs running the systems
with *BSD-style IP stack, so they can be dropped to BSoD with just
several packets).

Don't ask me about the details - I'd not tell even if I knew.


--
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin at gremlin dot ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8

gre...@gremlin.ru

Jan 30, 2013, 3:23:32 PM
to securit...@securityfocus.com
On 28-Jan-2013 22:45:29 +0800, forgaoqiang wrote:

> I think the default setting of LAMP is safty enough,

They are not. Typical settings include old (and thus vulnerable)
apache httpd built with mod_php, which is _not_ safe.

First of all, decide how you'll split your system. I'd recommend
setting up one (or more) frontends with nginx and putting the actual httpd
(recent version, built with suexec support even for PHP) inside
an OpenVZ VPS (start from http://openvz.org/Download/live_CD).
Setting up virtual HTTP hosts and running them with separate users'
permissions is also a must. Putting MySQL in a separate VPS is
optional, but if you do, don't forget to assign an RFC-1918 | RFC-5156
address to it (thus making it inaccessible from outside). When
you need to access the MySQL database from outside, use SSH's
"-L" parameter (see `man ssh` for details).

And don't hesitate to ask questions: looking like a fool is much
better than actually being one.


--
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin at gremlin dot ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
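
Joerg's advice earlier in the thread (MySQL listening on localhost only, services bound to local addresses behind a firewall) and the RFC-1918 placement above come down to one check: which daemons are listening on which addresses. The following is an added example, not from either poster or from any project: it parses `ss -ltnpH` output, classifies each local address as loopback, private (RFC 1918 or IPv6 ULA), public or any, and flags sockets outside the scope allowed for that daemon. The SAMPLE_SS lines are constructed, and the ALLOWED table is this example's assumption for a LAMP host where only the web server and SSH face the network.

```python
import ipaddress
import re

# Constructed `ss -ltnpH` output (not captured from a real host). Columns are
# State Recv-Q Send-Q Local:Port Peer:Port Process.
SAMPLE_SS = """\
LISTEN 0 128    0.0.0.0:3306   0.0.0.0:* users:(("mysqld",pid=1234,fd=20))
LISTEN 0 511          *:80           *:* users:(("httpd",pid=1300,fd=4))
LISTEN 0 511          *:443          *:* users:(("httpd",pid=1300,fd=6))
LISTEN 0 128  127.0.0.1:11211  0.0.0.0:* users:(("memcached",pid=900,fd=26))
LISTEN 0 128       [::]:22        [::]:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128    0.0.0.0:8080   0.0.0.0:* users:(("python",pid=2000,fd=3))
"""

# Scopes each daemon may listen on (assumption for a LAMP host): only the web
# server and SSH face the network; MySQL is bound to 127.0.0.1 or to an RFC 1918
# address on a back-end segment; anything not listed may only use loopback.
ALLOWED = {
    "httpd": {"any", "public", "private", "loopback"},
    "sshd": {"any", "public", "private", "loopback"},
    "mysqld": {"loopback", "private"},
    "memcached": {"loopback"},
}
DEFAULT_ALLOWED = {"loopback"}

# RFC 1918 ranges plus IPv6 unique local addresses (RFC 4193). Checked explicitly
# because ipaddress.is_private also covers link-local and documentation ranges.
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
_PROC = re.compile(r'users:\(\("([^"]+)"')


def scope(addr):
    """Classify a listening address as any, loopback, private or public."""
    if addr in ("*", "0.0.0.0", "::"):
        return "any"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in _PRIVATE):
        return "private"
    return "public"


def parse_ss(text):
    """Return [(process, address, port)] for each LISTEN line of `ss -ltnpH` output."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # last colon separates the port
        m = _PROC.search(line)
        out.append((m.group(1) if m else "?", addr.strip("[]"), int(port)))
    return out


def audit_listeners(listeners, allowed=ALLOWED):
    """Return (process, address, port, scope) for every socket outside its allowed scope."""
    findings = []
    for proc, addr, port in listeners:
        s = scope(addr)
        if s not in allowed.get(proc, DEFAULT_ALLOWED):
            findings.append((proc, addr, port, s))
    return findings


if __name__ == "__main__":
    for proc, addr, port, s in audit_listeners(parse_ss(SAMPLE_SS)):
        print("%-10s %s:%d is reachable from: %s" % (proc, addr, port, s))
```

On the sample this reports mysqld on 0.0.0.0:3306 and an unlisted python process on 0.0.0.0:8080; the same mysqld on 10.0.0.5:3306 would pass, which is the separate-VPS layout described above. Replacing SAMPLE_SS with `sys.stdin.read()` turns the script into a pipe target for `ss -ltnpH`. The fix for the MySQL finding is the one already given in the thread: `bind-address = 127.0.0.1` (or the back-end address) in my.cnf, with `ssh -L` for the occasional remote session.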

Eric Furman

Jan 31, 2013, 1:39:58 AM
to Ansgar Wiechers, Security Basics
On Mon, Jan 28, 2013, at 07:53 AM, Ansgar Wiechers wrote:
> On 2013-01-28 Eric Furman wrote:
> > On Fri, Jan 25, 2013, at 04:31 PM, Jeffrey Walton wrote:
> >> Is anyone aware of a hardening guide for a Linux LAMP server with a
> >> Wiki component?
> >>
> >> I have an older Linux Server hardening book, but nothing recent. I
> >> have not seen a Wiki hardening document.
> >
> > Don't use Linux. It is insecure. Use Windows or one of the BSDs.
> > All are much more secure.
>
> Do you have an argument to go with that opinion?

Yes. I hate all Microsoft products, but they have made serious efforts to
improve the security of their products. On the other hand, with a few
notable exceptions, Linux hackers not only have no concern for security,
some of them even have an open hostility and disdain for it:
http://lmgtfy.com/?q=Linus+Torvalds+security

AAAAAnd everyone runs X. X is quite possibly the most insecure piece
of crap that everybody runs on their systems. The X consortium knows
this and has repeatedly refused to even address the issue. To paraphrase
a well known UNIX security expert, X doesn't act like root. It acts like
the f*****g Kernel!
Microsoft, on the other hand, has already fixed this issue.
Who's more insecure now?

P.S. You're all crackpots who don't understand security.
//xkcd.com/1166/

Ansgar Wiechers

Jan 31, 2013, 11:20:31 AM
to Security Basics
On 2013-01-31 Eric Furman wrote:
> On Mon, Jan 28, 2013, at 07:53 AM, Ansgar Wiechers wrote:
>> On 2013-01-28 Eric Furman wrote:
>>> Don't use Linux. It is insecure. Use Windows or one of the BSDs.
>>> All are much more secure.
>>
>> Do you have an argument to go with that opinion?
>
> Yes. I hate all Microsoft products, but they have made serious efforts
> to improve the security of their products. On the other hand, with a
> few notable exceptions, Linux hackers not only have no concern for
> security some of them even have an open hostility and disdain for it;
> http://lmgtfy.com/?q=Linus+Torvalds+security
>
> AAAAAnd everyone runs X. X is quite possibly the most insecure piece
> of crap that everybody runs on their systems. The X consortium knows
> this and has repeatedly refused to even address the issue. To
> paraphrase a well known UNIX security expert, X doesn't act like root.
> It acts like the f*****g Kernal!
> Microsoft, on the other hand, has already fixed this issue.
> Who's more insecure now?
>
> P.S. You're all crackpots who don't understand security.
> //xkcd.com/1166/

M-hm, I see. May I humbly request that this troll be removed from the
list?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Eric Furman

Feb 1, 2013, 9:11:40 PM
to Security Basics
Not OpenBSD

On Wed, Jan 30, 2013, at 02:57 PM, gre...@gremlin.ru wrote:
> On 28-Jan-2013 12:09:38 +0000, DragonSlay3r wrote:
>
> > This Could be off topic, but i just wanna ask.
> > What makes you say BSD is better than linux?
>
> I guess that's the lack of knowledge. *BSD IP stack contains some
> not-yet-to-be-published vulnerabilities being used to fight DDoS
> attacks (most botnets consist of trojaned PSc running the systems
> with *BSD-style IP stack, so they can be dropped to BSoD with just
> several packets).
>
> Don't ask me about the details - I'd not tell even if I knew.
>
>
> --
> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК

Ansgar Wiechers

Feb 2, 2013, 5:46:19 AM
to securit...@securityfocus.com
On 2013-02-02 Alex Dolan wrote:
> On 01/02/2013 3:35 PM, "Ansgar Wiechers" <bug...@planetcobalt.net> wrote:
>> M-hm, I see. May I humbly request that this troll be removed from the
>> list?
>
> I don't think removed from the list is necessary.
> He went about it poorly in his initial reply, but makes some intriguing
> points in the follow up.

Actually, no, he doesn't. While it's true that X11 does have security
issues, nobody in his right mind would be running X11 on a server
(particularly not on an internet-facing one), because this fact is
already well-known. Besides, if X11 is the issue, the BSDs (or any other
Unix flavor) would be affected just the same.

> I'm new in security so I'm keen to take in as much information as
> possible, and trying not to be a one-eyed Linux user

Don't misunderstand. This isn't a debate pro-Linux or anti-BSD or
something. I'm merely pointing out that Mr. Furman is spreading FUD,
nothing more.

Juan F. Campos - Computalleres.com

Feb 3, 2013, 1:53:19 AM
to securit...@securityfocus.com
KEY: Backup, backup, backup... backup and backup.... later on....
backup....

Very important: keep updated!!

You should expect to be HACKED ... that's why you keep a clean backup...
How so? .... THAT'S THE REAL QUESTION

--
Best regards,

Juan F. Campos

Steve Elkins

Feb 2, 2013, 8:25:36 PM
to Eric Furman, Ansgar Wiechers, Security Basics

1. It's common knowledge that you don't install X on service-based Linux servers; you use the command line and that's it. People who do install X aren't being serious or are still learning
2. Minimal OS install with only the packages required to run the service, administer the box and provide host-based protection
3. Follow guides to harden the OS and the services (Apache, PHP, MySQL etc.)
4. If possible run the services from a chroot jail (many guides to do this)
5. Install Apache and PHP security modules
6. Keep system and packages patched and keep informed on security issues with the services through SANS, AusCERT etc.

That's just a small amount of baseline security that should be applied to all your Linux servers - once you understand the service and possible attack points then you can keep going much deeper

While the default install of a Linux server with X and no hardening could be debated to be less or more secure than a similar setup on Windows - saying Linux is not secure is plainly trolling.


Jeffrey Walton

Feb 4, 2013, 3:53:57 PM
to Steve Elkins, Security Basics
Hi Steve,

> 1. It's common knowledge that you don't install X on service based Linux servers,
Well, I'm not an X expert (or a Linux hardening expert, for that matter), but
this would surprise me if it's because "X is insecure" (for some
reasonable definition of secure). I would expect X to be its own
island of security.

> you use the command line and that's it - people who do install X aren't being serious or are still learning
I like point and click because I don't like man pages :) They seem to
have become mutually exclusive.

Jeff

Eric Furman

Feb 4, 2013, 7:13:25 PM
to Ansgar Wiechers, Security Basics
My point was that Microsoft has fixed the security issues with their
Windows system while X has refused to even acknowledge there
is a problem. It was to back up my point about how even Microsoft
has taken security more seriously than Linux.
And yes, my initial email was a troll, but it did not change the fact that
it is true. Security is an attitude. It is not something added after the fact.
And the prevalent attitude toward security in the vast majority of the Linux
community is indifference at best and open hostility at worst.
(top posting just to annoy Mr. Wiechers)


Adam Pal

Feb 5, 2013, 3:24:28 AM
to Eric Furman, securit...@securityfocus.com, bug...@planetcobalt.net
I can agree with only one sentence within your statement:
"Security is an attitude."
So why are you trying then so hard to link the security-topic to an operating system?
It does not depend on the system, more on the knowledge of the person operating it. Period.

We are both OOT since the original poster clearly asked for hardening a Linux web server, not what the "better" underlying system might be.

best regards,
Adam Pal
