Re: [cobalt-users] security question
- Subject: Re: [cobalt-users] security question
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Fri May 31 07:57:09 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"Peter Masloch" <peter@xxxxxxxxxxx> wrote:
> My Raq 2 will host one domain and the e-mail for this domain. I was just
> wondering what might be the best (and most secure way) to set up one
> domain? If I set up my domain as the main domain, then everybody comes
> very easily to the login window from www.mydoamin.com/admin which makes me
> feel uncomfortable. Would it be a good idea to set up the domain as
> a virtual domain with a second IP?

Unless you remove the alias to /admin (in httpd.conf or srm.conf) that
directory accesses the GUI from any site, so your solution won't help. You
could always obfuscate the GUI location by changing that alias directive.
There are no negative side effects.

> Also I was thinking about the "admin"
> account. Is it possible to replace the username "admin" with another
> username?

Probably, but you'd have to change *a lot* of hard-coded files so I'd advise
against it. I suggest tunneling your GUI through SSH so your communication
with it is encrypted. You'll need to install SSH, but you should do so
anyway for security reasons and then disable telnet. I'd also set up an
alias for admin to an unprivileged user so you don't have to send admin's
password in plain text to check admin email.

> I actually didn't see any processes running as "admin". I would
> be thankful for any thoughts, hints or ideas.

The port 80 web server runs as httpd, the admin web server runs as root.
The only processes that will run as admin are processes you run while logged
in as admin or cron jobs you set up to run as admin. Since your subject uses
the word security, I assume you are concerned about security, as you should
be. There are many things you can do to improve security. I would suggest
spending several hours reading/searching the cobalt-security and cobalt-user
archives. Some programs you may want to consider include ipfwadm,
portsentry, logsentry, hostsentry, lionfind, chkrootkit, John the Ripper,
tripwire, snort, gnupg, SSL, SSH, etc.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
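
A way to check two points from the reply above, as an added example that is not part of the original post: it scans Apache config files for an uncommented alias that still maps /admin, and checks whether telnet is still enabled. The inetd.conf format for the telnet check, the file names, and every sample line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit helpers. File names and sample lines are constructed.

# List uncommented Alias/ScriptAlias directives that map the URL path /admin.
find_admin_alias() {   # args: Apache config files (httpd.conf, srm.conf)
    awk '
        /^[ \t]*#/ { next }                 # ignore commented-out directives
        tolower($1) ~ /^(script)?alias$/ {
            url = $2
            gsub(/"/, "", url)              # tolerate a quoted URL path
            sub(/\/$/, "", url)             # /admin/ and /admin are the same
            if (url == "/admin") print FILENAME ":" FNR ": " $0
        }' "$@"
}

# Exit 0 if an uncommented telnet service line exists (inetd.conf format assumed).
telnet_enabled() {     # arg: inetd.conf-style file
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"
}

# Write constructed sample configs into directory $1.
make_samples() {
    cat > "$1/srm.conf" <<'EOF'
# constructed sample
Alias /icons/ /constructed/icons/
Alias /admin/ /constructed/gui/
#Alias /admin /constructed/old-gui/
EOF
    cat > "$1/srm.renamed.conf" <<'EOF'
Alias /icons/ /constructed/icons/
Alias /panel-constructed/ /constructed/gui/
EOF
    printf '%s\n' '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' > "$1/inetd.conf"
    printf '%s\n' '#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' \
        > "$1/inetd.hardened.conf"
}

# Report both findings for the config directory $1.
audit() {
    hits=$(find_admin_alias "$1/srm.conf")
    [ -n "$hits" ] && printf 'GUI alias still at /admin:\n%s\n' "$hits"
    telnet_enabled "$1/inetd.conf" && echo "telnet is enabled in inetd.conf"
    return 0
}

tmp=$(mktemp -d) && make_samples "$tmp" && audit "$tmp"
rm -rf "$tmp"
```

On a real system, pass the actual config files to `find_admin_alias` and `telnet_enabled` instead of the constructed samples.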