
Re: [cobalt-security] Securing Admin Pages



duncan gray wrote:

> Hi,
> I've recently had one of my websites hacked on my
> server. I have no idea how, as I thought my server was
> pretty secure: I've kept up to date with all the
> latest patches, switched my telnet over to SSH, and
> so forth. My biggest guess is that you have to pass the
> root password to the machine while logging in over the
> Web admin pages; this scares me somewhat. But it raises
> some questions in my mind.

If you use a secure certificate on your main site, you'll automatically
get secure SSL administration through your web browser.  Then your
password will no longer be sent in cleartext.

You can buy a certificate, but you don't have to; you can create a
self-signed certificate.

Your clients will also use your cert when they manage their site, unless
they install their own certificate, so you might want to give them the
longer URL (the one that includes your domain name) to use for site
management, so they don't see the "name is different" warning when they
manage their sites.

> A. Is there a way to make the main admin pages work
> off a different user account? If not, why not, as it
> seems like a huge security hole to me.

I think you'd still have a security hole.  While I prefer separate
passwords for admin and root, there's no easy way to do that on the RaQ.

> B. Secondly, I don't know much about certificates, but
> is it possible to issue a client certificate or some
> sort of certificate so you can limit only certain
> browsers/users to access that site?

You can do that with the ipchains firewall which you can install.

> and making sure
> that the link between the server and the client is
> secure?

That's the job of SSL; see above.

Contact me offlist if you'd like, for additional security suggestions
and options.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
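The two controls Jeff describes, a self-signed certificate so the admin login stops travelling in cleartext and an ipchains rule set that lets only chosen addresses reach the admin server, as an added shell example. This is not code from the post or from Cobalt; it assumes openssl is installed on the box that makes the certificate, that ADMIN_PORT is whatever TCP port your RaQ's admin web server listens on (81 below is only a placeholder), and the 192.0.2.x addresses are documentation addresses standing in for your own workstation IPs.

```shell
#!/bin/sh
# Added example, not code from the cobalt-security post.  Assumptions
# (not stated in the post): openssl is available; ADMIN_PORT is the port
# of the RaQ admin web server (81 is a placeholder, check your own box);
# 192.0.2.0/24 addresses are documentation addresses used as stand-ins.

ADMIN_PORT="${ADMIN_PORT:-81}"   # placeholder; set to your admin server's port

# Create a self-signed certificate for HOST, the name users will type in
# the URL.  The CN must equal that name, otherwise browsers raise the
# "name is different" warning the reply mentions.
gen_selfsigned_cert() {
    host="$1"; key="$2"; crt="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -keyout "$key" -out "$crt"
}

# Print the CN of a certificate file.  Handles both the older
# "subject= /CN=x" and the newer "subject=CN = x" openssl output styles.
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Return 0 if the host name in the URL equals the certificate CN, else 1.
# A client who manages a site through https://<your-host>/ while the cert
# CN is your main domain sees the mismatch warning; handing them the long
# URL that carries your domain name, as the reply suggests, avoids it.
name_matches() {
    cn="$1"; host="$2"
    [ "$cn" = "$host" ]
}

# Emit ipchains rules: ACCEPT the admin port only from the space-separated
# ALLOWED list, then log (-l) and DENY everyone else.  The rules are printed
# rather than applied so they can be reviewed; pipe the output to sh as root
# on a kernel that still has ipchains to apply them.
admin_rules() {
    allowed="$1"; port="${2:-$ADMIN_PORT}"
    for ip in $allowed; do
        printf 'ipchains -A input -p tcp -s %s -d 0.0.0.0/0 %s -j ACCEPT\n' \
            "$ip" "$port"
    done
    printf 'ipchains -A input -p tcp -d 0.0.0.0/0 %s -l -j DENY\n' "$port"
}

# Command-line use:
#   ./admin_lock.sh cert www.example.com admin.key admin.crt
#   ./admin_lock.sh check admin.crt www.example.com
#   ./admin_lock.sh rules "192.0.2.10 192.0.2.11" 81
case "${1:-}" in
    cert)  gen_selfsigned_cert "$2" "${3:-admin.key}" "${4:-admin.crt}" ;;
    check) cn=$(cert_cn "$2")
           if name_matches "$cn" "$3"; then
               echo "CN '$cn' matches $3"
           else
               echo "CN '$cn' does not match $3"; exit 1
           fi ;;
    rules) admin_rules "$2" "${3:-$ADMIN_PORT}" ;;
esac
```

The rule order matters: ipchains evaluates the input chain top to bottom, so the per-address ACCEPT lines must precede the catch-all DENY, and the DENY carries -l so refused connection attempts show up in the kernel log. Note that ipchains only filters by source address; it cannot tell one browser from another on the same host, which is the difference between the IP allow list and the client certificates the question asked about.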