Hi Jan! I like that you are doing your homework! That's a good thing :)
Now on to some various topics that should help you out a bit. If these have been pointed out previously, just consider them confirmation on that topic. I didn't have time to read through all the responses.

1) Linux file system permissions as they pertain to webserver functionality. In practice, it's great to have a layered security approach. Granular permissions can be burdensome, especially with resellers who like to have one user own a couple hundred WordPress sites on a server. That wouldn't be so bad, except every plugin they install will eventually lead to an exploited server with hundreds of back doors and shell scripts hidden in every nook and cranny. CMS-based sites are already inherently insecure; however, with the correct user/permission structure you can limit the blast radius. The webserver user (www-data, apache, nobody) should never own the site. The webserver only needs read-only permission to the site for it to run. All updates should be carried out by an unprivileged user that owns the site. Any directory that shouldn't have PHP rendered in it should have an .htaccess directive that prohibits it, image directories for example. Always do a quick security assessment of newly provisioned servers and review their filesystem permissions. Is /root world read/writable? It shouldn't be. Too often I see simple mistakes like this that can cause quite a few issues for those who use control panel software like cPanel. Get a program in place for hardening all newly provisioned systems. I could go on forever about webserver/system security, so I'll stop here.

2) Learn regex and some other scripting language(s) - you will use it (bash (required) - perl, python, c#, c++), and it makes you more desirable.

3) When it comes to passwords - I've seen many opinions on this in the responses you've gotten, so I'll be brief. In many cases you can't opt for SSO or 2-factor. I tend to encourage end users to pick passphrases if they must use a password. A passphrase should be multiple terms/digits/special characters. A dictionary attack will generally not be able to crack these. Avoid common phrases and memes. "my2d0NkEy$liKe42baNan@s" Use a password manager that will generate random passwords if you can't remember them. LastPass or something like that.

4) Keep a KB and/or, if you have it, a case/ticket system, and write things down in detail, because you will forget how you solved that one issue 6 months to a year+ ago.

5) Most organizations get so tunnel-visioned on the next great thing that they tend to not keep up with updates/patches/maintenance for existing infra. Don't fall into that habit. Help your organization develop a maintenance program that will roll like clockwork once it's set up. Set aside the time each month to ensure you get it done. This is a compliance requirement!!!

6) Also ensure you audit and test your solutions to ensure they are always doing what they were implemented to do. I can't stress it enough - MONITOR EVERYTHING - use SNMP, use WMI, don't rely on PING for downtime events. Rely on the actual processes that enable the functionality of the system. If those processes die for whatever reason and the system is still up - how long until you notice and resolve? How many things were impacted? You can avoid not having these answers by ensuring you have everything in your arsenal monitored and acted on.

7) PCI - Don't offer information you don't have to. "Oh yeah we have an IDS, we finally got it working after being down for 8 months"
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
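The permission rules in item 1 of the post above (site owned by an unprivileged user, webserver read-only, /root not world-accessible, PHP switched off in image directories), turned into a small audit script. This is an added example, not part of the original message; it assumes a POSIX sh with GNU or BSD find, that the webserver's group has the same name as its user, and that the .htaccess directives used are either php_flag engine off or Require all denied.

```shell
#!/bin/sh
# Constructed audit helpers for the permission rules discussed above.

# Print one finding per line for anything under SITE_ROOT that breaks the
# "site owner owns it, webserver only reads it" rule.
# Usage: audit_site_perms <site_root> <site_owner> <webserver_user>
audit_site_perms() {
    site_root=$1 site_owner=$2 web_user=$3
    # world-writable files or directories (the "chmod 777 to make it work" mistake)
    find "$site_root" -perm -002 -print | sed 's/^/world-writable: /'
    # anything not owned by the designated site owner (catches webserver-owned files)
    find "$site_root" ! -user "$site_owner" -print | sed 's/^/wrong-owner: /'
    # group-writable paths in the webserver's group: it could modify them even
    # though it only needs read access (assumes group name == user name)
    if id "$web_user" >/dev/null 2>&1; then
        find "$site_root" -group "$web_user" -perm -020 -print 2>/dev/null |
            sed 's/^/webserver-writable: /'
    fi
}

# Succeeds (exit 0) only when audit_site_perms reports nothing, so it works in an if.
site_perms_clean() {
    n=$(audit_site_perms "$@" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# A directory such as /root must be neither world-readable nor world-writable.
private_dir_ok() {
    [ -z "$(find "$1" -maxdepth 0 \( -perm -004 -o -perm -002 \) -print)" ]
}

# Directories that must never execute PHP (image/upload dirs) need an
# .htaccess that turns the engine off or denies requests outright.
php_disabled_in() {
    [ -f "$1/.htaccess" ] &&
        grep -Eqi 'php_flag[[:space:]]+engine[[:space:]]+off|Require all denied' "$1/.htaccess"
}
```

Run it against each site root with the site's owner and your webserver user, e.g. audit_site_perms /var/www/example jan www-data, and fix every line it prints before the site goes live.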
