[cobalt-users] Various Security Questions & Comments
- Subject: [cobalt-users] Various Security Questions & Comments
- From: "Rick Ewart" <cobalt@xxxxxxxxx>
- Date: Mon Jan 8 18:58:21 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hello all... It's amazing - I had my server for 2 whole weeks, installed
everything known to mankind and only crashed it once (not my fault,
surprisingly).
So, I have had quite a week battening down the hatches on my new "toy". Now
that I have all this stuff running, I have a couple of questions that are
somewhat troubling me. Sorry if they come from all ends of the spectrum, but
I plan to post a summarization of what I have learned over the last few
weeks as an ad-hoc FAQ from which we can build a real newbie "how-to" for the
cobalt as it seems that something like that would be REALLY useful - it would
have been for me. Of course, I will expect help from the public as I am no
braintrust - everything I know I learned because someone else figured it out
first and was good enough to help.
1) If I have SSL enabled and am logging into the GUI via
http://domain.com/admin - does Cobalt ask for my password through the SSL
server, or is it plain-text? If plain-text, how can I SAFELY use the GUI -
what else do I need to do?
2) I installed SSH, but realized that it probably isn't used when posting
with FrontPage. So, the FrontPage password appears in plain text, correct?
And is there anything I can do about it? It appears that it probably is a
minimal risk as the webmaster isn't really even a "real" user, but perhaps I
am being naive too.
3) Now that I have SSH installed, I should be able to disable telnet
altogether and still get into the system via an SSH "telnet" session, or will
disabling telnet lock me out of SSH also? I am presuming that they are
separate and unrelated - correct or incorrect?
4) I installed iXplorer to do FTP type sessions through the SSH, but when
logging in as admin, I cannot go above the admin user directory... Any ideas
what I should do, or what alternate program would be better?
5) I tried to install Laurie Duncan's CGI-Wrap modifications that she
put on ftp.cobaltnet.com (referred from message 023300.html of October
2000), but received several file conflict error messages. It appears that
the latest patches to the system must have newer versions - any idea if they
incorporated her modifications or if they have now just rendered her efforts
useless in running cgi through a shared SSL?
6) FrontPage posts sites as the user "nobody". In several of my sites, I
have imported cgis into the site and post them to the site. In order to get
my cgi's to work, I had to chown them to the site admin's username. However,
if I make a configuration change and repost my site, it goes back to nobody.
Other than the obvious - remove them from the FrontPage site, anybody know
of a way to force the permissions to stay as the user and not "nobody"?
7) It seems like standard "locking down" of a cobalt server includes several
things - anybody want to suggest anything else that one should do as
"standard operating procedure"? They include: SSH; SSL; IPChains;
PortSentry; LogCheck; Tripwire; disabling telnet, FTP, and other unused
services; not giving any users any REAL privilege, creating a new account
to serve as admin and killing privileges for admin; and GOOD, LONG
passwords?
Remember I plan to eventually post a FAQ of some sort, or at least a link to
a small site with all the info I learned in one place.
Thanks, in advance, for your brain cycles and work.
Rick Ewart