Actually, I'd be pretty interested in what you have to rant about PHP.
I run apache with php_mod installed and have the http port open. Is
there a security risk I should be aware of?

Thanks

On 2/22/07, Alan McKinnon <alan@××××××××××××××××.za> wrote:
> On Thursday 22 February 2007, Michael Sullivan wrote:
>
> > Also, I've always heard that you shouldn't
> > have any ports open on your machine unless you have some server bound
> > to that port because hackers can get in through unbound open ports.
> > Is this true? If so, how does it work?
>
> That sounds like something out of Hollywood, perhaps that atrocious movie
> called Hackers with Angelina Jolie in it.....
>
> I fail to see how, in this universe, you can open a port and not have
> something listen on it. Let's face it: a process, or the kernel itself,
> asks to be informed about packets arriving for port X. What is port X?
> It's a number in the TCP/UDP packet so the receiving kernel knows which
> process to send the data to. If that process is not listening, the
> packets go ... nowhere. They don't have magic Gandalfs inside them that
> suddenly sprout up and do l33t h4x0r sh1t to your machine.
>
> Maybe there's some default behaviour the kernel applies to packets that
> are sent to hung/sleeping/absent processes. Maybe that default
> behaviour is such that there's a buffer overflow waiting to be
> exploited. Maybe... I think I wanna see the code and not some bullshit
> posted on an arb blog somewhere.
>
> You should be much more worried about vulnerabilities in known software
> that you don't really use that are running by default.
>
> By far the most common attack vector is weak user names and passwords
> accessed via ssh. Solution is a sensible password policy, or allow ssh
> access only via keys.
>
> Then there's php, but I don't think you want to get me started on
> that...
>
> alan
>
> --
> Optimists say the glass is half full,
> Pessimists say the glass is half empty,
> Developers say wtf is the glass twice as big as it needs to be?
>
> Alan McKinnon
> alan at linuxholdings dot co dot za
> +27 82, double three seven, one nine three five
> --
> gentoo-user@g.o mailing list
>
>


--
-·=»Ðŧħ«=·-
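An added example, not part of the thread above, illustrating Alan's point about port numbers being nothing more than a demultiplexing key, plus the check a practitioner would actually run (what is bound and reachable from outside). The first function probes a TCP port from the client side and classifies it; the second binds a throwaway listener, probes it, closes it and probes the same port number again, showing that a port with no socket bound to it simply gets an RST from the kernel (seen by the client as ECONNREFUSED). The remaining functions parse `ss -ltn` style output to list listening sockets and pick out the ones bound to a non-loopback address; the sample output is constructed for this example, and the helper names are my own.

```python
"""Added example (not from the gentoo-user thread): a port is only a
demultiplexing key; with no listener bound, a SYN to it is answered with RST."""
import errno
import socket


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port as seen from a client.

    'open'     -> handshake completed, a socket is listening there
    'closed'   -> kernel replied RST (ECONNREFUSED): nothing is bound
    'filtered' -> no answer before the timeout (packets being dropped)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def demo_listener_lifecycle(host: str = "127.0.0.1") -> tuple:
    """Bind a listener on a kernel-chosen port, probe, close, probe again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))          # port 0: let the kernel pick a free one
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe(host, port)
    listener.close()                  # same number, but no socket bound now
    after_close = probe(host, port)
    return while_listening, after_close


# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::1]:25            [::]:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss_listeners(text: str) -> list:
    """Return (local_address, port) for every LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                  # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def exposed(listeners: list) -> list:
    """Listeners bound to something other than loopback, i.e. reachable
    from the network unless a packet filter says otherwise. These are the
    services worth auditing; unbound port numbers are not."""
    return [(addr, port) for addr, port in listeners if addr not in LOOPBACK]


if __name__ == "__main__":
    print("listener lifecycle:", demo_listener_lifecycle())
    print("exposed listeners:", exposed(parse_ss_listeners(SAMPLE_SS_OUTPUT)))
```

Run it on a host and the lifecycle demo reports `('open', 'closed')`: the second probe to the very same port number fails the moment nothing is bound to it. Feed `parse_ss_listeners` the real output of `ss -ltn` (or `netstat -ltn` on older systems) to get the list of services that are actually reachable, which is the list Alan says you should be worrying about.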