[2080] in WWW Security List Archive
Re: Macintosh Web Server Issues
daemon@ATHENA.MIT.EDU (Chris Garrigues)
Mon May 13 20:00:45 1996
To: kgmlists@3rdmill.com (Karl Mitze)
Cc: www-security@ns2.rutgers.edu, cwg@deepeddy.DeepEddy.Com
In-Reply-To: Your message of "Mon, 13 May 1996 10:19:04 EDT."
<v01510101adbcef4523f8@[206.119.50.25]>
Date: Mon, 13 May 1996 15:38:17 -0500
From: Chris Garrigues <cwg@DeepEddy.Com>
Errors-To: owner-www-security@ns2.rutgers.edu
Unfortunately I don't have the reference handy, but several months ago, a challenge was put out to the net community to break into a WebStar server. The money wasn't paid out.
The fact is that a Mac running WebStar is far easier to secure than a Unix box. The problem with the Unix box is that it starts out listening all over the place and you have to turn all those things off w/o making the system unusable. A Mac, on the other hand, starts out listening to *nothing* and you then enable the services that you want to provide.
You don't find very much on securing a Mac because there's so little to do.
For me, "Due diligence" probably means:
1) Running Satan or something like it to see what ports your
system is listening on, and if there's anything you didn't
know was there, disabling it. (Note that Satan will *not* get
into your system because it only exploits known Unix holes.
However, it will tell you what ports are being listened to.)
2) Vetting any and all CGI scripts to make sure that they do
what you think they do and only what you think they do.
This particularly means making sure that input is never
parsed as a command of any sort. Again, on a Mac, there are
fewer ways for this to happen.
3) If you're also running an FTP server, make sure it's not possible
for an FTP user to put an executable script somewhere that it could
be run as a CGI by your web server. (The easiest way to do this
is to make sure that your web hierarchy and your FTP hierarchy
don't share any folders.) A similar warning holds for any other
combination of "ways to put files on the server" and "ways to run
files on the server".
A mail server is a potential risk, but one thing you have going for you is that anybody trying to crack your site will assume that you're running sendmail on a Unix box and if there are security holes in your mail server, they probably won't look for them. On the other hand, I apparently sent someone's Mac-based mail server into a tail-spin by sending a PGP-signed email message. The rule of thumb is that the more commonly a package is used, the fewer security holes it will have, but the more likely those that it does have will be known. Make sure you stay in contact with your vendor for any security patches.
Chris
--
Chris Garrigues O- cwg@DeepEddy.Com
Deep Eddy Internet Consulting +1 512 432 4046
609 Deep Eddy Avenue
Austin, TX 78703-4513 http://www.DeepEddy.Com/~cwg/
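The check in point 3 of the message above (no folder shared between "ways to put files on the server" and "ways to run files on the server"), as an added example that is not part of the original post. It assumes a POSIX filesystem where symlinks play the role of aliases; `reachable_dirs`, `shared_folders` and the directory names are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def reachable_dirs(root):
    """Real path of root plus real targets of directory symlinks inside it."""
    real_root = Path(os.path.realpath(root))
    found = {real_root}
    for dirpath, dirnames, _ in os.walk(real_root):  # does not follow links
        for name in dirnames:
            entry = Path(dirpath, name)
            if entry.is_symlink():
                found.add(Path(os.path.realpath(entry)))
    return found


def shared_folders(upload_roots, exec_roots):
    """Return sorted (upload_root, exec_root, shared_folder) findings.

    upload_roots: trees a remote user can write to (FTP, file sharing, ...).
    exec_roots:   trees the web server will run files from (CGI).
    """
    findings = set()
    for up in upload_roots:
        for ex in exec_roots:
            for u in reachable_dirs(up):
                for e in reachable_dirs(ex):
                    if u == e or e in u.parents:
                        findings.add((str(up), str(ex), str(u)))
                    elif u in e.parents:
                        findings.add((str(up), str(ex), str(e)))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed layout: separate trees, then a link that joins them.
    with tempfile.TemporaryDirectory() as site:
        www, ftp = os.path.join(site, "www"), os.path.join(site, "ftp")
        os.makedirs(os.path.join(www, "cgi-bin"))
        os.makedirs(os.path.join(ftp, "incoming"))
        print("separate trees:", shared_folders([ftp], [www]))
        os.symlink(os.path.join(ftp, "incoming"),
                   os.path.join(www, "cgi-bin", "drop"))
        for finding in shared_folders([ftp], [www]):
            print("shared folder:", finding)
```

Only links found directly in each tree are resolved; a link that is itself reachable only through another link is not followed.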