Many people seem to have the impression that security = ssl enabled, and in some ways it does enhance security, but it's certainly by no means the end of the game, nor the beginning. Security begins with the OS install: not adding packages known to be exploitable <redhat is the M$ of the linux world these days, a kitchen sink of exploitable packages in the defaults available>, closing out un-needed services (not using NFS? then turn it off, disable it via the kernel rebuild process, etc.), replacing telnet, ftp and the R* commands with ssh/scp, setting proper permissions throughout the directory structure to limit local exposures and abilities.

Of course the game gets tougher once you allow others onto the system. Once a person has a shell on the box, they have many more routes to compromise the system, so trust begins to play a larger and larger role.

So, to more directly answer your question: no, mod_ssl is not going to fit your needs completely here. It begins at the administration level. Think of ssl enabled transactions as more of a secure tunnel for the protection of the exchange of information <i.e. credit card info, other private personal information> in an encrypted tunnel over the public network. For those with actual login capabilities on your system, you have a whole other set of worms to fish up and out. Even an ssl "secured" web server with open exploitable services running on other tcp/ip or udp ports will leave you 0w3d in short order. The system you are attempting to secure should not even touch the internet until *after* it has been properly configured and secured.
Here's a reading list to get you started:

http://rr.sans.org/
http://www.interhack.net/pubs/fwfaq/
http://geodsoft.com/howto/harden/
http://www.nfr.com/forum/publications.html
http://www.ticm.com/info/insider/members/fwsecfaq/index.html
http://www.avolio.com/columns/15.html
http://www.wilyhacker.com/
http://www.jmu.edu/computing/runsafe/
http://csrc.nist.gov/itsec/guidance_W2Kpro.html
http://www.networkcomputing.com/1120/1120ws1.html
http://www.Linux-Sec.net/Policy/
http://www.pc-help.org/obscure.htm
http://www.monkeys.com/security/proxies/
http://nms-cgi.sourceforge.net/
http://www.cgisecurity.com/articles/
http://www.apacheweek.com/features/security-13
http://www.cgisecurity.net/papers/

Thanks,

Ron DuFresne

On Tue, 30 Jul 2002, Henning, Brian wrote:

> Hello,
> I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
> server. I downloaded the mod_ssl package from the website. I changed the
> port on my apache web server to 443. On a high level what do I need to do to
> create a secure web server? I guess my real problem is I don't know what ssl
> does for me. What I am looking for is something that can password protect
> the files on my server. I want to let specific people access my site and
> that is it. They must have a password to use it. Is mod_ssl what I want or
> should I be looking elsewhere?
> thanks for any input,
> brian
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
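To make concrete the distinction Ron draws (mod_ssl gives you the encrypted tunnel; who may read the files is a separate access-control question), here is an added Apache 1.3 + mod_ssl configuration fragment, not from Ron's message or the mod_ssl project. It assumes an Apache 1.3 with mod_ssl loaded; the hostname, paths and password-file name are placeholders to adjust for your own install.

```apache
# Added example (not from the original message). Apache 1.3 + mod_ssl:
# the SSL virtual host provides the tunnel, the <Directory> block provides
# the password gate Brian asked for. Hostname and paths are assumptions.

Listen 443

<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot /usr/local/apache/htdocs/private

    # The tunnel: encrypt the exchange so passwords and page content are
    # not carried in the clear over the public network.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key

    # The lock on the door: decide who may see these files at all.
    <Directory /usr/local/apache/htdocs/private>
        # Refuse plain-HTTP requests for this tree even if port 80 is still
        # open, so Basic-auth credentials are only ever sent inside the tunnel.
        SSLRequireSSL

        AuthType Basic
        AuthName "Restricted area"
        # Password file kept outside DocumentRoot. Create accounts with:
        #   htpasswd -c conf/htpasswd.users brian
        AuthUserFile conf/htpasswd.users
        Require valid-user

        # No directory listings, no per-directory overrides from .htaccess.
        Options -Indexes
        AllowOverride None
    </Directory>
</VirtualHost>
```

The password gate limits who reaches the files over the web server only; it does nothing for the other listening services and shell accounts Ron describes, which still need the OS-level hardening above.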
