date 2003-06-17
from the cat-and-mouse-and-dogged-determination dept.
A couple years ago I set up a simple brochure-ware site for the School Board in the district here in Brooklyn, hosted on a VPS instance on Linode, to publicize the dates of public meetings, meeting minutes, etc. The VPS doesn't contain any sensitive information so I locked down the ports to 80, 443, and 22, hardened the SSH with measures like fail2ban, kept the system updated every week or so, and called it a day.
Last week, though, the site was compromised. Blowing the instance away and re-creating it from physical backups is not a problem, but in poring through the system to figure out how it was breached I realized both that my own security chops aren't deep enough and that standard best security practices might not be good enough anymore, anyway, given the many vulnerabilities exposed in the last year and realities like the NSA trove that Shadow Brokers leaked.
So the question for the more experienced security professionals in the Soylent community is, can they recommend a good guide and/or site to hone Linux security chops and forensic skills that's current?
(Score: 1) by AlwaysNever on Saturday June 03, @02:40PM
It's obvious your site was p0wned via the web site... WordPress?, Joomla?, PHP at all?
First rule: the user the web server runs as should not have write access to any directory [exceptions apply, see below].
Say that your web server runs as "www-data", that your ftp access is with user "ftp-user", and that your web app is at "/var/www/html_public/", then the POSIX permissions for that folder, and its subfolders should be:
ftp-user:www-data,750
And the POSIX permissions for FILES in that folder, and its subfolders, should be:
ftp-user:www-data,640
This way, the vulnerabilities in your web app are much harder for script kiddies to exploit.
Note: for select folders, like "uploads", etc., you may need to give write permissions to the www-data user.
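An added example, not part of the comment above or of the original thread: a small audit that walks a web root and reports every entry that deviates from the owner:group,750/640 scheme just described. The function name `audit_webroot`, the 770 mode for exception directories such as "uploads", and the choice to skip ownership checks inside those directories are assumptions made for illustration.

```python
import os
import stat

DIR_MODE = 0o750           # directories, per the comment: ftp-user:www-data,750
FILE_MODE = 0o640          # files, per the comment: ftp-user:www-data,640
WRITABLE_DIR_MODE = 0o770  # assumption: mode used for exceptions such as "uploads"


def audit_webroot(root, owner_uid, group_gid, writable_dirs=()):
    """Return sorted (relative_path, problem) pairs for entries under root
    that deviate from the scheme. writable_dirs are paths relative to root."""
    exceptions = {os.path.normpath(d) for d in writable_dirs}
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks have no meaningful mode of their own
            rel = os.path.relpath(path, root)
            writable = any(rel == e or rel.startswith(e + os.sep)
                           for e in exceptions)
            if is_dir:
                expected = WRITABLE_DIR_MODE if writable else DIR_MODE
            else:
                expected = FILE_MODE
            # Files the web server created inside an exception directory are
            # owned by its own user, so ownership is only checked elsewhere.
            if not writable:
                if st.st_uid != owner_uid:
                    findings.append((rel, f"owner uid {st.st_uid}, expected {owner_uid}"))
                if st.st_gid != group_gid:
                    findings.append((rel, f"group gid {st.st_gid}, expected {group_gid}"))
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected:
                findings.append((rel, f"mode {mode:03o}, expected {expected:03o}"))
    return sorted(findings)


if __name__ == "__main__":
    import grp, pwd, sys
    # Names and path are the ones used in the comment; adjust to the real host.
    uid = pwd.getpwnam("ftp-user").pw_uid
    gid = grp.getgrnam("www-data").gr_gid
    for rel, problem in audit_webroot("/var/www/html_public/", uid, gid, sys.argv[1:]):
        print(f"{rel}: {problem}")
```

Run as a script, it takes the exception directories as arguments (for example `uploads`) and prints one line per deviation; an empty result means the tree matches the scheme.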
(Score: 0) by Anonymous Coward on Saturday June 03, @03:09PM (1 child)
You just don't need all this overly fancy software. Make a clean, well-styled static web page for announcements; update these pages by hand (e.g., generate them offline, and then post them on the server).
Software is trash, because people are trash; you'll never have something secure in the age of the get-girls-coding Script Monkey.
(Score: 0) by Anonymous Coward on Saturday June 03, @03:29PM
Curious George resembles that remark!
