
Re: [cobalt-security] Securing Admin Pages



Duncan

Always switch your root password to something new after setting up your
Cobalt. The admin and root passwords are linked by the admin interface
scripts; however, they operate independently.

Change your root password like so:

$ passwd root

This means that the password you use (transmit) during an insecure http
admin session is not your root password.

However, this offers just a little more security: if someone sniffs the admin
password and uses it to log in to the admin pages via HTTP:81, a would-be
hacker can change both the root and admin passwords using the Administrator
button.

Rule of thumb: change your admin password regularly.

./Declan

On 21/2/02 10:05, duncan gray at duncanrobertgray@xxxxxxxxx wrote:

> Hi,
> I've recently had one of my websites hacked on my
> server. I have no idea how, as I thought my server was
> pretty secure: I've kept up to date with all the
> latest patches, switched my telnet over to SSH, and
> so forth. My biggest guess is that you have to pass the
> root password to the machine while logging in over the
> web admin pages, which scares me somewhat. But it raises
> some questions in my mind.
> 
> A. is there a way to make the main admin pages work
> off a different user account, If not why not as it
> seems like a huge security hole to me.
> 
> B. Secondly I dont know much about certificates, but
> Is it possible to issue a client certificate or some
> sort of certificate so you can limit only certain
> browsers/users to access that site? and making sure
> that the link between the server and the client is
> secure?
> 
> Thanks
> 
> Duncan.
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
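The exposure Declan describes above (a password that travels in the clear during an HTTP:81 admin session and can be sniffed and reused) is easy to make concrete. The script below is an added example and is not code from the thread or from the Cobalt admin scripts. It assumes the admin pages authenticate with an HTTP Basic `Authorization` header, which the thread does not state; the request text is constructed to look like what `tcpdump -A` or a protocol analyzer would print, not a real capture. It recovers the username and password exactly as a passive sniffer on the path would, which is why a root password that is distinct from the admin password, and rotated regularly, only limits rather than removes the damage.

```shell
#!/bin/sh
# Added example (not from the original thread): recover the credential a
# passive sniffer sees in a plain-HTTP admin login.
# Assumption: the admin interface uses HTTP Basic authentication. The
# capture below is constructed for illustration, not recorded traffic.

# Constructed capture of one admin-page request sent to port 81.
# "YWRtaW46czNjcmV0" is base64 for "admin:s3cret".
SAMPLE_REQUEST='GET /admin/ HTTP/1.0
Host: 192.0.2.10:81
Authorization: Basic YWRtaW46czNjcmV0
User-Agent: Mozilla/4.0

'

# Constructed request with no credential, to show the no-match path.
NO_AUTH_REQUEST='GET /index.html HTTP/1.0
Host: 192.0.2.10
User-Agent: Mozilla/4.0

'

# extract_basic_creds REQUEST_TEXT
# Prints "user:password" decoded from the first Basic Authorization header
# and returns 0; prints nothing and returns 1 if the request carries none.
extract_basic_creds() {
    token=$(printf '%s\n' "$1" | tr -d '\r' \
        | awk 'tolower($1) == "authorization:" && tolower($2) == "basic" { print $3; exit }')
    [ -n "$token" ] || return 1
    # The header is only base64, not encryption: one decode step yields
    # the plaintext credential.
    printf '%s' "$token" | base64 -d 2>/dev/null && echo
}

# Stand-alone usage: first call prints admin:s3cret, second prints nothing.
extract_basic_creds "$SAMPLE_REQUEST"
extract_basic_creds "$NO_AUTH_REQUEST" || echo "no Basic credential in request" >&2
```

Run against a real capture, the same one-liner works on any `Authorization: Basic` line, which is the practical reason the thread's advice stops at damage limitation: nothing here is secret once it crosses the wire unencrypted.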