Aloha,

I hope you all had fun at the conference. Andre is here with us on Kauai. I'm taking good care of him. What a brain! Day off here so he's off kayaking...then tomorrow we are all off for a trip to the dry side: Salt Pond, then up the mountain to Kokee and the Kalalau Valley lookout and then back down to Poipu for body surfing before we get back to coding on Wednesday...

Meanwhile we are setting up a new server: 1 terabyte of hard drive space. We upgraded to CentOS 5.1 and we switched to a new control panel called VirtualMin. Andre has installed 2.9 and we are in the middle of migrating all our content to the new box. Andre is tweaking CGIs, consolidating all the Rev web stack libraries into one location (we use Revolution for *everything* on our box) and getting our credit card processor (Monetra) working. We should get through this tedious stuff in a few days and get into some fun Rev apps next week.

OK, my question is: how serious a security risk is opening a port to PostgreSQL (or MySQL) for remote transactions? Andre has done great work building CGI and we use POST to do queries and the CGI talks to the dBase. But that's really "hard work" for some things... Now that I have Plesk out of the way, I can set up users and access without breaking anything (Plesk previously broke access control and I couldn't fix it) and with the 2.9 upgrades to the dBase toolbox I'm "itching" to create some desktop clients to work with databases on the server. But I'm interested in everyone's opinions and insights on "gotchas" when allowing the PostgreSQL port to be open... I know it will get flagged by our PCI (Payment Card Industry) audits but if I keep the other risk factors low enough I might get by with an open port...

What kind of "bad" things can happen? Is a remote login sending the PostgreSQL user and password in clear text? Can anyone sniff that?

Cheers from Kauai where the "vog" from the volcano on the big island actually shuts out the sun on some days... eerie...

Sivakatirswami

PS: and Way Off Topic:

If any of you run a dedicated server and wear a webserver admin hat (like I do) and are "fed up" with Plesk, Ensim, cPanel (it doesn't take long to start banging your head if you use any of those).. then don't walk but RUN to get VirtualMin... It's a wrapper for Webmin and the GUI sets up a non-proprietary, standard structured Linux web server (e.g. all your virtual domains are just users in /home, which makes so much sense) and btw you can migrate your Plesk or cPanel sites with "the press of a button".

The command line junkies on your team can fiddle with httpd.conf and iptables and create dBases under the hood and all this is neatly reflected in the VirtualMin control panel. It's got about ten times the features and controls for both your web sites and the server admin than Plesk had. PostgreSQL (and all kinds of other open source tools) are installed automatically and there is no charge for these modules, and you get a rich interface for handling all the dBases from the GUI if you want, while your terminal wizards can work on the command line. In Plesk, you can't move left or right or you break something...

And, the team behind VirtualMin actually provides *real* support! (I mean within minutes or hours at the latest)</end New Cool Software advocacy>
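On the clear-text question above, as an added example that is not part of the thread: what an open PostgreSQL port exposes depends on pg_hba.conf, since the "password" method sends the password in the clear, "trust" asks for none at all, and only "hostssl" rules require TLS. This small Python checker (my own, run over a constructed pg_hba.conf, with function names I made up) flags the remote rules a PCI reviewer would query.

```python
import ipaddress
WEAK_METHODS = {"trust", "password"}   # "password" = cleartext on the wire, "trust" = no password

def parse_hba(text):
    """Return pg_hba.conf rules as dicts; CIDR or 'IP NETMASK' addresses become ip_network."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append(dict(kind="local", db=f[1], user=f[2], net=None, method=f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            addr, rest = f[3], f[4:]
            if "/" not in addr and len(rest) > 1 and rest[0][0].isdigit():   # "IP NETMASK" form
                addr, rest = addr + "/" + rest[0], rest[1:]
            try:
                net = ipaddress.ip_network("0.0.0.0/0" if addr == "all" else addr, strict=False)
            except ValueError:                              # samehost/samenet/hostname: not audited
                net = None
            rules.append(dict(kind=f[0], db=f[1], user=f[2], net=net, method=rest[0]))
    return rules

def audit_hba(text):
    """Return (finding, rule) pairs for remote rules that weaken an exposed port."""
    findings = []
    for r in parse_hba(text):
        if r["kind"] == "local":
            continue                                        # Unix-socket rules never cross the network
        net = r["net"]
        where = f"{r['kind']} {r['db']} {r['user']} {'' if net is None else net} {r['method']}"
        if r["method"] in WEAK_METHODS:
            findings.append(("credentials-exposed", where))
        if r["kind"] != "hostssl" and not (net is not None and net.is_loopback):
            findings.append(("tls-not-required", where))
        if net is not None and net.prefixlen == 0:
            findings.append(("open-to-world", where))
    return findings

# Constructed pg_hba.conf: two risky remote rules beside a hardened one.
SAMPLE_HBA = """
local   all     all                            md5
host    all     all     127.0.0.1/32           md5
host    all     all     0.0.0.0/0              password   # any host, password sent in clear
host    webapp  cgi     192.168.1.0 255.255.255.0 md5     # LAN CGI box, but TLS optional
hostssl webapp  desktop 203.0.113.0/24         md5        # one /24, TLS required
"""
for finding, rule in audit_hba(SAMPLE_HBA):
    print(f"{finding:20} {rule}")
```

Even with md5 (a challenge-response, so the password itself is not on the wire) the query traffic is still readable unless the rule is hostssl, which is why the checker reports "tls-not-required" separately from "credentials-exposed".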

_______________________________________________
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution