Firewall Wizards mailing list archives
Re: Mac as web server (was: Re: Web Site Hacks)
From: chuck yerkes <Chuck () yerkes com>
Date: Tue, 9 Dec 1997 13:00:00 -0500 (EST)
It is claimed, but unverified, that John Gibbins wrote:
We have someone that insists that if the Web server is a Mac then there is no issue with security. Although most vulnerabilities I see mentioned are UNIX or PC specific, I don't feel completely comfortable with this. Are there any specific issues that relate to making a Mac web server secure? We plan to set up a Mac server with FileMakerPro databases that will be accessed via the web. No doubt various applescripts will be added as well.
There was a long running "crack the webserver" contest run (crack-a-mac). It was brought down twice - both claimed to be a derivative of the same problem. Plugins. Which, unfortunately, make it more useful.

Treat the www server as though it has active crackers on it already:
- put it on an isolated segment that can't harm any other machines.
- run monitoring stuff on it like tripwire to ensure that data is not changed.
- replace the data on it regularly from its staging server.
- Don't trust anything coming from it (including database updates).
- No apple talk (of course, it's on an isolated segment, so who cares)

Don't use ANY plugins; don't run scripts on it.

Of course this goes for any web server. But Unix servers tend to have better net/local security tools available to them.
- I can write far better perl than applescript (but still don't trust it).
- I can run tripwire, sshd and filtering on it.
- I can run my server in a readonly chrooted area (not to reopen THAT) - which at least keeps my scripts from EASILY grabbing a useful password file (for example) through a trivial mistake (i.e. not a total script giveaway). I still view chroot as a first basic security step, if only to slow down the inexperienced.
- Biggy: If you get control of my Unix web server, you are not necessarily root. Mac users are always privileged.
- Biggy #2: I can get remote (encrypted) access without allowing Appletalk.

No matter what, you HAVE to treat your web server as a hostile machine. It's been cracked. Now plan for it. How do you treat the info coming from it?

chuck
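As an added illustration of the "run monitoring stuff on it like tripwire" and "replace the data from its staging server" advice above (example code, not from the post or from any tripwire release): a minimal file-integrity check that snapshots a web root, compares it against a baseline, and reports added, removed and modified files. The directory layout and the tampering in demo() are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Record (sha256, size, permission bits) for every regular file under root.

    Paths are stored relative to root, so a baseline taken on the staging
    server can be compared with a snapshot taken on the exposed web server.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            baseline[rel] = (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline

def compare(baseline, current):
    """Return sorted lists of paths that were added, removed or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: a defaced index page, a dropped CGI, a deleted CGI."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Welcome</h1>\n")
        with open(os.path.join(root, "cgi", "search.cgi"), "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        base = snapshot(root)          # taken from the clean staging copy
        # Simulated tampering on the exposed server after the baseline
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Defaced</h1>\n")
        with open(os.path.join(root, "cgi", "unexpected.cgi"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "cgi", "search.cgi"))
        return compare(base, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A real deployment keeps the baseline off the web server (it is untrusted by the post's own argument) and runs the comparison from the isolated management side.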
Current thread:
- Mac as web server (was: Re: Web Site Hacks) John Gibbins (Dec 08)
- Re: Mac as web server (was: Re: Web Site Hacks) James W. Abendschan (Dec 08)
- Re: Mac as web server (was: Re: Web Site Hacks) Magossa'nyi A'rpa'd (Dec 17)
- Re: Mac as web server (was: Re: Web Site Hacks) chuck yerkes (Dec 09)
- Re: Mac as web server (was: Re: Web Site Hacks) James W. Abendschan (Dec 08)