On Mon, 2006-03-06 at 22:37 -0600, Bruno Wolff III wrote: > On Mon, Mar 06, 2006 at 18:59:49 -0500, > "Michael H. Warfield" <mhw@xxxxxxxxxxxx> wrote: > > > > In the security business, we have and expression for people like you. > > Those people who use the "install everything" button just because they > > "might" want something in the future (and then forget they installed it, > > if they even realize they installed it to begin with). > > > > We dub thee "owned". > > There is a big difference between installing everything and running every > every service that you have installed. > True, but having it installed makes it available to the attacker if the first line of defense gets breached. If it is not installed then it cannot be used. That is why the "owned" moniker applies. > > action. And the firewall defaults definitely help. But what about > > Apache add ons (like PHP et al). If you don't know and decide > > Yes, you do need to pay attention to which Apache modules you use, since they > don't obviously show up as services are easy for a new person to miss and > are potential security problems. However, that is the exception not the rule. > Not limited to just the modules. A recent exploit I became aware of results from php code that allowed global variables and URL injection to access the system. A friend's server became a spam bot for the attacker. Even though the mail server did not allow relaying, they were able to send it from the local host and got around that restriction.. Any path is a possible weakness, and one weakness leads to others. If the door is not there (package not installed) it cannot be opened.