Unix Insider –
Recently, the instances of hackers taking over sites have created a serious interest in Web site security. With the recent hacking of http://www.rootshell.com/, a longtime archiver of security and hacking exploits, there seems to be no sacred place left on the Net. The list of hacked sites ranges from the Department of Justice to the CIA and the New York Times. It's a relative who's who of the Net that's represented at sites like rootshell and www.2600.com/hacked_pages/.
For some reason, many Webmasters and consultants have the misbegotten belief that their sites are untouchable and invulnerable. Look at the hacked New York Times site (http://www.2600.com/hackedphiles/nytimes/) to see what hackers thought of (and did with) the "invulnerability" being spouted by a security consultant associated with that site.
Recent studies show that 67 percent of all break-ins are by employees, ex-employees, and other current and former insiders. (IBM continually touts this number in its media campaigns as well.) This does not fit the popular perception that hackers are 13-to-16-year-olds with lots of time on their hands.
I believe Peter Galvin does a great job on the technicals of Sun security in his columns for Unix Insider, so I won't bother to repeat what you can get from reading his past columns and the Security FAQ. I will also avoid inclusion of previously listed security resources. Columns by my predecessor, Chuck Musciano, detail many security issues that haven't changed since he wrote, "Securing your Web server" (three parts, June to August 1996).
Security, in my practice, is typically 65 percent researching risks, 20 percent researching patches and fixes, 10 percent evaluating what the changes will impact, and 5 percent actually patching or fixing systems. Every Webmaster must dedicate some hours to this subject. According to several ISPs, the two major Sun issues are:
- Suns, as normally configured, come with many active services that, in a security-oriented environment, should be turned off. These include SMTP, telnet, FTP, etc., and all services not directly related to Web hosting, such as systat, daytime, finger, and whois.
- Solaris for ISPs, now known as Sun ISP Server, certainly seems to be an option for those with larger IT budgets. Jim Bogard, manager of Unix systems engineering at the major ISP Digex, warns, however, that with the typical out-of-the-box Sun, "Most directory and file permissions are not set properly, unnecessary or undesirable services are often present, and the overall operating system has been tuned for a single-user or trusted-network environment as opposed to that of a Web server."
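The first issue above, turning off the inetd-launched services a Web host doesn't need, as an added example that is not from the original column: a small Bourne shell script that rewrites a copy of inetd.conf so that every service not on an allow-list is commented out, then lists what is still enabled so you can confirm the result. The inetd.conf fragment it works on is constructed for the example, and the allow-list (just ssh, run from inetd) is an assumption; on a host that does nothing but serve Web pages the allow-list may well be empty. Note that SMTP (sendmail) is started from the rc scripts rather than inetd, so it has to be disabled separately.

```shell
#!/bin/sh
# Added example (not from the column): disable every inetd.conf service
# that is not on an allow-list, then report what is still enabled.
# Works on whatever file it is given, so try it on a copy before
# touching /etc/inetd.conf.

# harden_inetd FILE "svc1 svc2 ..."
# inetd.conf has one service per line; the service name is the first
# field and '#' starts a comment. Existing comments and blank lines are
# kept as-is; any other line whose service is not allowed gets '#' prepended.
harden_inetd() {
    file=$1
    keep=$2
    awk -v keep="$keep" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }     # comment or blank: unchanged
        ($1 in allow)            { print; next }     # allowed service: unchanged
                                 { print "#" $0 }    # everything else: disabled
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# active_services FILE: print the service names still enabled, one per line.
# This is the check to run after the change: it should list only what
# you meant to keep.
active_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# write_sample_inetd_conf FILE: a constructed, Solaris-style inetd.conf
# fragment used only so the example runs offline (not a real host's file).
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (example data, not a real host's file)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
systat  stream  tcp     nowait  root    /usr/bin/ps             ps -ef
daytime stream  tcp     nowait  root    internal
ssh     stream  tcp     nowait  root    /usr/local/sbin/sshd    sshd -i
EOF
}

# Demonstration on a scratch copy; the allow-list "ssh" is an assumption.
SAMPLE=/tmp/inetd.conf.example.$$
write_sample_inetd_conf "$SAMPLE"
harden_inetd "$SAMPLE" "ssh"
echo "services still enabled in $SAMPLE:"
active_services "$SAMPLE"
rm -f "$SAMPLE"
```

Once you are satisfied with the result on the copy, apply the same edit to /etc/inetd.conf and send inetd a SIGHUP so it rereads the file; running active_services against the live file afterwards is the quickest way to confirm that only the intended services remain. Services started at boot from the rc scripts, such as sendmail, are outside inetd's control and need their start scripts disabled separately.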
On to the Q&A
In the table below, I discuss a set of general security risks and provide advice on how you may wish to handle them.