[Leaplist] Security Audit Advice

Phil Barnett philb at philb.us
Sat Dec 15 05:40:26 GMT 2007


On Friday 14 December 2007 11:29:00 pm Aaron Morrison wrote:
> On 14 Dec 2007, at 23:15, Randall Perry wrote:
> > On 12/14/07, Aaron Morrison <ae4ko at amsat.org> wrote:
> >> Oh yeah, this is a colocated Linux box[en] running web services.
> >
> > So do you get a shell account for testing too, or just brute force and
> > port scanning?
>
> I'm requesting shell access.
>
> > For a complete audit, you need higher access than just a nmap port
> > scan.
> > Look through passwd to see what accounts are allowed login access.
> > Check sshd config file for which protocols supported, what kind of
> > authentication, root access, etc.
> > Check PHP version and what all is configured..like php globals, funky
> > modules, etc (just upload a phpinfo string in a file and look at
> > feedback).
> > type/version of webserver with what modules loaded. (and cgi limits)
> > Directory security, file security for hosted files.
> > Log level and reporting to uncover events (like coordinated attacks
> > against box).
> > What other services are running (like FTP) that could be better
> > served by scp?
> > If you have to have ports open, consider port-knocking to lock that
> > box out (well, except for 80 and 443).
> > Kernel patches, updates, check other running services that might be
> > exploited or cause other issues.
>
> Good stuff. I've already thought about 95% of what you've posted (I've
> intentionally left the question open to stimulate discussion and to
> make sure I haven't left anything out).

I'd find out who has the root password by changing it. Then I'd decide if they 
actually need root or sudo.
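A small script, added here as an example and not part of the thread, that automates two of the checks Randall listed: which accounts in passwd still have a usable login shell, and what sshd_config says about protocol version, root login and password authentication. It runs against constructed sample files written to a temporary directory so it works offline; on a real box you would point the functions at /etc/passwd and /etc/ssh/sshd_config instead. The sample values are deliberately weak so the findings show up.

```sh
#!/bin/sh
# Added example (not from the mailing list thread). Audits login-capable
# accounts and a few sshd_config settings. Sample files are constructed
# inline; the paths below are assumptions, not the thread's.

AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT
PASSWD="$AUDIT_DIR/passwd"
SSHD_CONF="$AUDIT_DIR/sshd_config"

# Constructed /etc/passwd sample: two real login shells, three disabled.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftp:x:104:65534::/srv/ftp:/bin/false
EOF

# Constructed sshd_config sample with weak settings on purpose.
# Note the commented-out PermitRootLogin line: it must not count.
cat > "$SSHD_CONF" <<'EOF'
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF

# list_login_accounts FILE: users whose shell is not nologin/false.
# An empty shell field means /bin/sh, so it is (correctly) listed too.
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# sshd_setting FILE KEY: value of KEY, case-insensitive on the keyword.
# sshd uses the first uncommented occurrence, so we stop at the first hit;
# "#Key" never matches because the comment marker is part of field 1.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# ssh_findings FILE: one line per weak or unset setting.
ssh_findings() {
    conf=$1
    proto=$(sshd_setting "$conf" Protocol)
    case "$proto" in
        *1*) echo "Protocol $proto: SSH protocol 1 is enabled" ;;
    esac
    root=$(sshd_setting "$conf" PermitRootLogin)
    if [ -z "$root" ]; then
        echo "PermitRootLogin not set (default depends on OpenSSH version)"
    else
        case "$root" in
            no|prohibit-password|without-password) ;;
            *) echo "PermitRootLogin $root: root can log in over ssh" ;;
        esac
    fi
    pw=$(sshd_setting "$conf" PasswordAuthentication)
    [ "$pw" = no ] || echo "PasswordAuthentication ${pw:-unset}: keys not enforced"
}

echo "Accounts with a login shell:"
list_login_accounts "$PASSWD"
echo
echo "sshd_config findings:"
ssh_findings "$SSHD_CONF"
```

Run it as-is to see the report on the sample data; for a real audit replace the two heredocs with the live files and add the same pattern for the other items on the list (FTP and other services, log levels).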



More information about the Leaplist mailing list