Friday, December 3, 2010

A clean and secure approach to Linux system user accounts

Security is a huge and challenging topic, but everyone responsible for server-side work should know the basic steps.

Cameron outlines some ways to keep your user accounts clean and secure.

Security is a major challenge. It is not set in stone, and it is hard to know how far it needs to be taken: if you are not careful, you will end up believing you need to understand every security benefit when all your boss really wants is to keep the janitor from seeing his annual budget. However challenging it is to keep up with every aspect of computing security, several areas are mature enough to be handled systematically. The first area I recommend learning for any Linux server is account management.

Mind your users

Many of the first books devoted to Linux administration and programming included a chapter on "user management" or "account management." Their meaning was clear: how to set up and maintain computing accounts and group relationships for the people who use your host. At that time, "use" necessarily implied "log in." All of account management came down to this: using commands such as useradd and chsh to configure Linux accounts for a user base made up mostly of developers in the same department. /etc/passwd and its API were the focus of Linux experts.

That time is long gone. My first recommendation for most servers is to clear out most of /etc/passwd. What I mean is this: for historical reasons, most e-mail servers, Web servers, file servers, and so on manage their users through /etc/passwd. I think this is usually a mistake. In the early days, when ten or twenty engineers might share one high-end workstation, this was a sensible approach. However, when an e-mail server may have to handle mailboxes for tens of thousands of users (most of whom regard computing merely as a utility, like a drinking fountain or the telephone system), the traditional /etc/passwd approach is a mistake.

Of course, relying on /etc/passwd is possible. It has been patched and tuned enough to cope with an amazing workload. But doing so is not required.

If you move user accounts to a dedicated data store, such as LDAP (Lightweight Directory Access Protocol) or even an RDBMS (relational database management system), you gain in scalability, security, and maintenance. Limit /etc/passwd to the few developers and administrators who really need to log in.

This practice pays off in security because the activity patterns of service users (e-mail, Web, and so on) are completely different from those of developers. Once you have set up a new server, its /etc/passwd should not change frequently. Monitoring whether it has been updated, and especially whether it has been tampered with, is a simple task. However, if you run a large server, several e-mail accounts are added and expire every day. You need to keep these accounts apart from the greater access that /etc/passwd confers.

Is building an alternative account data store a serious suggestion? It is, and that is really surprising. Over the past few years, a lot of work has gone into making very large /etc/passwd files work where the majority of users have no login account. If you do decide to write your own account authentication while relying on a traditional e-mail program such as sendmail, you may find yourself writing changes for the SMTP, POP3, and IMAP4 servers.

Those barriers often push developers toward off-the-shelf software. My own habit is to use solutions that other people have written and that I can reuse. However, with the servers used in industry, I often need to customize them anyway, for example to set up special message directories, log information, or do usage accounting.

To me, the most important point is keeping security considerations modular. I want developer and administrator accounts to be managed entirely separately from end-user services. By clearing the latter out of /etc/passwd, I can easily lock down one side without affecting the other.
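One way to do the /etc/passwd monitoring described above, as an added example that is not part of the original article. It compares a saved baseline with the current file, and goes slightly beyond the text by also flagging extra UID 0 accounts, empty password fields, and login-capable shells. The sample data and all function names are constructed for illustration.

```python
# Added example: audit /etc/passwd drift against a saved baseline.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # common non-login shells
# Constructed sample data, not taken from any real host.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
toor:x:0:0::/root:/bin/sh
"""

def parse_passwd(text):
    """Parse passwd(5) text into {name: record}, skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == len(FIELDS) and parts[0]:
            accounts[parts[0]] = dict(zip(FIELDS, parts))
    return accounts

def audit(baseline_text, current_text):
    """Return sorted findings describing how current differs from baseline."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = [f"ADDED {n} uid={new[n]['uid']} shell={new[n]['shell']}"
                for n in new.keys() - old.keys()]
    findings += [f"REMOVED {n}" for n in old.keys() - new.keys()]
    for n in old.keys() & new.keys():
        for field in FIELDS[1:]:
            if old[n][field] != new[n][field]:
                findings.append(f"CHANGED {n} {field}: {old[n][field]} -> {new[n][field]}")
    for n, rec in new.items():
        if rec["uid"] == "0" and n != "root":
            findings.append(f"UID0 {n} shares root's UID")
        if rec["passwd"] == "":
            findings.append(f"EMPTYPW {n} has an empty password field")
    return sorted(findings)

def login_accounts(text):
    """Accounts whose shell allows an interactive login."""
    return sorted(n for n, r in parse_passwd(text).items() if r["shell"] not in NOLOGIN)

if __name__ == "__main__":
    print("\n".join(audit(BASELINE, CURRENT)))
    print("login-capable:", login_accounts(CURRENT))
```

On a real host, keep the baseline copy somewhere the monitored server cannot write to, so that a tampered file cannot also rewrite its own reference.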

Automate policy

Almost as important as separating developer accounts from user services is automating policy. Establish clear and detailed processes for creating and deleting accounts, both developer accounts (/etc/passwd) and end-user accounts (e-mail, Web, database, and so on). Turning these into executables is good, but not absolutely necessary. What matters is that the processes are understandable and clear. Careless account creation and deletion always leave a security hole.

You should review your processes with human resources, customer support, or other relevant departments. Unless you have experienced the alternative, it is hard to realize how crucial this is. When you have no written process for adding and removing user accounts, this is the result: a new hire reports on Monday and may still be unable to access company files on Friday. Or someone resigns, gets a farewell at the holiday party, and is still retrieving special-purpose company assets at the beginning of February.

A side benefit of account automation is that it encourages more thorough validation. If developers have no convenient way to configure accounts with different characteristics, they may well fail to exercise the application against the configuration changes it is expected to handle.

I recently experienced this situation. I was called in on a critical incident in which the implementation team had "correctly" allowed managers to view employee performance reviews, even those of employees they did not manage! Ridiculous as it sounds, this is typical of security issues. It had even been noted several times during analysis and design review. Although it was raised with decision makers each time, it was part of a huge and confusing collection of issues, so it was ignored without a clear resolution.
Only when a support specialist finally turned the general case into a concrete example (in this example there were several managers, each with more than one employee reporting to them) did the error receive due attention. Don't cram; regularly and thoroughly test all types of user account configurations.

Stay vigilant

The most difficult part of security, at least for many of us, is how to avoid making mistakes. Security is a "weakest link" matter: a single vulnerability can render all of your investment worthless, no matter how large it is or how thorough the plan. To do security well, you must stay alert to things you would not otherwise have considered.

United States Government websites often provide the best examples of how serious this challenge is. In security news about "counter-terrorism," one federal institution maintained a website where user passwords were publicly displayed on the page used to change user preferences. Many organizations solve the problem of frequently lost passwords by assigning passwords based on more or less public information (for example, "your password is the first four letters of your place of birth, plus the last two digits of your birth year").

How can such catastrophic errors be avoided? Unfortunately, there is almost no systematic way to succeed at such an abstract goal as being "smart." However, studying the RISKS Digest and carrying out rigorous project inspections are two useful steps. RISKS is an online newsletter that Peter G. Neumann has edited since 1985 (see following reference). Reading it is a good habit when thinking about the causes of things (especially Linux server security). Neumann's digests are readable and interesting, and of course occasionally horrifying.

You should also make a habit of having others test your ideas. You may think of "software inspection" as just a way of finding misplaced punctuation in a developer's source code, but it is actually a very interesting and efficient practice.
In particular, inspections are excellent for peer review of requirements documents, Web sites, and all other products. Please inspect. View your work through other people's eyes. You will likely learn a lot about your server's security, or lack of it.
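The performance-review incident from the policy section, as an added example that is not from the original article: an exhaustive check of who may view whose review. It shows why the flaw stayed invisible until a fixture with several managers was built. The names, both org charts, and the intended policy (an employee's own manager, or the employee, may view a review) are assumptions made for illustration.

```python
# Added example: test an access rule against every viewer/employee pair.
# Constructed fixtures: employee -> manager (None for a manager).
ONE_TEAM = {"dana": "maria", "eli": "maria", "maria": None}
SEVERAL_TEAMS = {
    "dana": "maria", "eli": "maria",
    "femi": "nikhil", "gus": "nikhil",
    "hana": "olga", "ivan": "olga",
    "maria": None, "nikhil": None, "olga": None,
}

def managers(org):
    """Everyone who has at least one report in this org chart."""
    return {m for m in org.values() if m is not None}

def flawed_can_view(org, viewer, employee):
    """The rule as shipped in the anecdote: any manager sees any review."""
    return viewer == employee or viewer in managers(org)

def fixed_can_view(org, viewer, employee):
    """Assumed intended rule: only the employee or their own manager."""
    return viewer == employee or org.get(employee) == viewer

def violations(check, org):
    """Return every (viewer, employee) pair where check disagrees with policy."""
    wrong = []
    for viewer in org:
        for employee in org:
            expected = viewer == employee or org[employee] == viewer
            if check(org, viewer, employee) != expected:
                wrong.append((viewer, employee))
    return sorted(wrong)

if __name__ == "__main__":
    # With a single manager the flawed rule looks correct.
    print("one team:", violations(flawed_can_view, ONE_TEAM))
    # With several managers, each with several reports, it fails visibly.
    print("several teams:", len(violations(flawed_can_view, SEVERAL_TEAMS)), "bad pairs")
    print("fixed rule:", violations(fixed_can_view, SEVERAL_TEAMS))
```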
