RE: [cobalt-users] Severe Security Problem Between Sites
- Subject: RE: [cobalt-users] Severe Security Problem Between Sites
- From: LAVERROUX Marc <Marc.LAVERROUX@xxxxxxxxxxxxxx>
- Date: Tue Mar 28 06:52:37 2000
I agree with Jeff, so that's why I remove Telnet and use SSH (ssh-2.0.13.tar.gz).
-----Original Message-----
From: Jeff Newman [mailto:mjeffn@xxxxxxxx]
Date: Tuesday, 28 March 2000 16:46
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Severe Security Problem Between Sites
To answer on point one. As far as security goes, linux/unix, NFS and
TCP/IP as well are pretty lame. That is why we need firewalls. If you are
running a public site, using a Watchguard is the minimum possible complete
security system. As far as linux goes, the fact that special actions need
to be taken to "harden" the OS has to tell you something.
Cobalt is not trying to provide a hardened platform, only a server. If you
have taken proper security measures to begin with, this thread would not
exist. One of the first things to do is to never, I mean never, allow
telnet from outside your bastion firewall. That's just asking for trouble.
If you need to provide this kind of access you should investigate something
that will do a service by service authentication or IPsec. You would spend
about the same amount of money just getting a hardened IP stack.
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Liz
Sent: Tuesday, March 28, 2000 3:30 AM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] Severe Security Problem Between Sites
On Tuesday - 03/28/2000 (07:35 AM) - Michael Hoennig wrote...
>1. Everybody has Telnet access to ALL sites!
That's precisely why I don't give virtual sites Telnet access. Security
stinks on the RaQ3. This isn't an OpenSource Linux problem, this is a
Cobalt problem with not addressing this security issue. No user should be
able to freely move about the whole server and be able to read another's
directory or files.
>2. Everybody has access to all sites via PHP!
That's an interesting heads up! Which version are you using, PHP3 or PHP4
(beta)?
>4. MySQL root password is not set
MySQL docs used to say you're supposed to set the mysqladmin password after
you've finished installing it. Older MySQL docs included this in the
instructions. Without reading the verbose docs for the latest release I
couldn't say for sure if MySQL included the same instructions.
>How do you all deal with these problems? Or is all that no problem in
>your way of using the Cobalt?
Considering Cobalt freely waves that "you'll void your warranty" warning
flag over everyone's heads while not addressing the issues, and now is
charging for support, I would suppose that's the reason why people had
learned to work around the problems which exist on the RaQs.
Something to ponder regarding Cobalt's lack of immediate response times for
addressing current security issues in their software -- could it be that
Cobalt is busying themselves too much with buying up other companies while
not concentrating their efforts on supporting their current product's
software bugs? It makes anyone wonder where this company is heading and
what their long term goals are. After looking at their recent stock's
performance it's a wonder where this company will be in six to ten
months. http://finance.yahoo.com/q?s=COBT&d=3mm
Nose dive?
Liz
_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users