[Cc-webedit] Server stuff
Jim Dog
theinnercityhippy at riseup.net
Tue Nov 24 13:03:17 GMT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
Just for openness, I've updated some packages today and applied some
urgent security patches (as notified by bugtraq). Here's the packages
that have been upgraded (note: apache was the most critical):
The following packages will be upgraded:
apache2 apache2-mpm-prefork
apache2-prefork-dev apache2-utils
apache2.2-common libcups2
libcupsimage2 libexpat1
libexpat1-dev libgd2-xpm
libgnutls26 libsmbclient
libwbclient0 linux-libc-dev wget
15 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 5646kB of archives. After unpacking 45.1kB will be used.
All done and everything hunky dory; have restarted apache for good measure.
Solidarity
JD
Jim Dog wrote:
> Hi all
>
> As ever, November has been a bit quiet for everyone (traditionally when
> everyone takes a deep breath from all the summer's madness), me included
> as I've had my head buried in a project to build a coin op linux jukebox
> for the 1in12 club (bloody great fun).
>
> Just wanted people to know though that I have still got one beady eye on
> the server and so wanted to bring up the following couple of things for
> discussion.
>
> First up, after logging in today as usual there are 30 odd denyhosts
> reports waiting for me. Pretty much every script kiddy on the internet
> seems to have set their sights on our server and it won't be long before
> someone finds a chink in the armour no doubt. With that in mind, I know
> I proposed this before and people agreed (but then life got the better
> of me a bit), but I would like to move the ssh port from the default 22
> to a high random number. This is the easy bit, the hard bit is letting
> everyone know who needs to access the server to change the settings in
> their clients if for example they are using sftp. So, to make the
> transition smoother, I propose we do the following:
>
> * Make a list of everyone who has access to the server, their contact
> email, level of privilege and the reason for them having access (admin,
> sftp for photos, subsite access etc) - This would need to be in a
> secure place, such as a private group on crabgrass.
> * email everyone on this list giving a date a couple of weeks away when
> the change will happen and asking anyone who has questions or needs help
> to get in touch. Me and others can respond to these and get people ready.
> * Send a final reminder a few days before it will happen
> * Change the port
>
> This won't stop any concerted hacking attempts but it will cut off the
> script kiddies and bots out there and will be a good start.
>
> I'd also like to propose the following couple of changes to tighten up
> security a little:
>
> * We set passwords for sudo accounts to expire after 3 months (as in
> they need to be changed after this time) so that anyone who does manage
> to get hold of the shadow password file will only have a limited time to
> get in. Thiks won't affect anyone other than those with sudo access as
> text password anyhow.
>
> * We look to set up groups with restrictive permissions for various
> levels of admin which don't require the user to have full sudo access.
> This way, we can encourage more people to get involved in an open and
> accessible way without leaving gaping security holes. This could be an
> ongoing skillshare project where we can encourage more people to get
> involved in that side of running the site.
>
> * We implement some kind of process where security can be audited a
> little better by some kind of working group (at present, there is only
> me doing this which isn't ideal as I'm likely to miss loads, and it's
> unsustainable), which could also advise on changes to the site which
> involves embedding material from elsewhere, or other access policies.
> Maybe this could be a committee on the crabgrass group which anyone is
> free to join.
>
> * Some kind of record is kept of when the server was last updated, if
> new software has been installed/removed and how/when/by whom
> (tarball/aptitude etc) and any requests to open/close ports can be made
> in a more open way. This information shouldn't be available to the
> general public for obvious reasons but it would be really useful in
> order to identify potential problems if it were available to the working
> group.
>
> With this in mind (apologies for the long and boring email), I guess
> what I'm saying is that we have our own server, but we don't seem to
> have any really sound policy of how to use it at present which is
> horizontal, as currently to make a change involves asking off list the
> one or two people who can do this stuff to sort it out. Non-hierarchical
> structures when it comes to server admin are really hard to achieve, so
> it would be really cool if we could all put some thought and effort into
> finding a way to do this which could potentially benefit everyone, and
> leave a route open for getting talented (unlike myself :-) ) new people
> involved in the dark arts of server admin.
>
> OK, really sorry for the long email. Hope it makes some sense to someone.
>
> In Solidarity
>
> JimDog
_______________________________________________
Cc-webedit mailing list
Cc-webedit at lists.aktivix.org
https://lists.aktivix.org/mailman/listinfo/cc-webedit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAksL2YcACgkQjI3ttaQQxvZDzQCeKB5F7xNwWOe18OY2Vi0/O0/+
f+EAoJJTUotXml2bgvuwHRuI5CWBWwY+
=I/yS
-----END PGP SIGNATURE-----
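The sshd port move, the three-month password expiry for sudo users and the limited-sudo admin group proposed in the quoted mail, written up as an added example: this is not code from the original thread or from the server's own configuration. It assumes Debian-style files (/etc/ssh/sshd_config, /etc/group, /etc/sudoers.d); the port 2222, the group name "webadmin", the usernames and the command list are constructed for the example. Each function takes the file it works on as an argument, so the whole sequence can be rehearsed on copies before anything under /etc is touched.

```shell
#!/bin/sh
# Added example, not code from the original thread. Three of the changes
# proposed in the mail (move sshd off port 22, expire sudo users' passwords,
# give a group limited sudo rights) as functions that operate on file paths
# passed to them. Port 2222, group "webadmin" and the command list are
# assumptions, not this server's real values.

# Rewrite the Port directive in an sshd_config copy. The first Port line,
# whether commented out (Debian ships "#Port 22") or live, becomes
# "Port $port"; any later live Port line is commented out so only one port
# stays active; if no Port line exists at all one is appended.
set_sshd_port() {
    cfg="$1"; port="$2"
    case "$port" in
        *[!0-9]*|'') echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    # The mail asks for a high port, so refuse privileged ports outright.
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port $port out of range 1024-65535" >&2; return 1
    fi
    awk -v port="$port" '
        /^[# \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            else if ($0 ~ /^#/) { print }
            else { print "#" $0 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the members of a group from an /etc/group-format file, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Emit the chage commands that cap password age for every member of the
# given group (90 days is the "3 months" in the mail; 14 days of warning).
# They are printed rather than executed so the list can be reviewed first;
# pipe the output to "sudo sh" to apply it.
sudo_password_expiry() {
    grpfile="$1"; group="$2"; maxdays="${3:-90}"
    group_members "$grpfile" "$group" | while read -r user; do
        printf 'chage -M %s -W 14 %s\n' "$maxdays" "$user"
    done
}

# Build one sudoers line granting a group a fixed list of commands as root.
# sudoers requires fully qualified command paths, so reject anything else.
sudoers_fragment() {
    group="$1"; shift
    list=""
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *) echo "sudoers_fragment: $cmd is not an absolute path" >&2; return 1 ;;
        esac
        list="${list:+$list, }$cmd"
    done
    printf '%%%s ALL=(root) %s\n' "$group" "$list"
}

# Rehearse everything in a scratch directory on constructed sample files.
run_demo() {
    tmp=$(mktemp -d) || return 1
    printf '# constructed sample sshd_config\n#Port 22\nPermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/sshd_config"
    printf 'root:x:0:\nsudo:x:27:jd,alice\nwebadmin:x:1001:bob\n' > "$tmp/group"
    set_sshd_port "$tmp/sshd_config" 2222 || return 1
    cat "$tmp/sshd_config"
    sudo_password_expiry "$tmp/group" sudo 90
    sudoers_fragment webadmin /usr/sbin/service /usr/sbin/invoke-rc.d
    rm -rf "$tmp"
}
run_demo
```

When doing this for real: check the edited file with `sshd -t -f <file>` before installing it, restart sshd while the current session stays open, and confirm a fresh login on the new port (and that any firewall rules allow it) before the old session is closed. The sudoers line should be checked with `visudo -cf <file>` and then placed in /etc/sudoers.d with mode 0440.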