On 11/03/2010 11:56 AM, Tim wrote:
> On Wed, 2010-11-03 at 11:27 -0400, Robert Moskowitz wrote:
>
>> This is NOT a publicly facing server. It is behind my firewall (A
>> Juniper SSG5) on a subnet that has very limited outside access. Other
>> subnets here have limited access to this subnet. This server is
>> running the Amahi.org setup and serves as a PDC to clients on its
>> subnet, and some Amahi apps for all local subnets. I am adding the
>> repo services for the local devices (on its subnet) and so I can
>> rebuild my main repo server. So though I am a bit concerned about
>> SELinux being disabled, I am not too worried.
>>
> Just to remove any ambiguity: If the only outside access to a computer
> is via the webserver software on port 80, then the computer is still
> *potentially* vulnerable. A computer can be hacked through flaws in the
> webserver. Merely blocking off other ports (e.g. SSH) is only being
> partially protective.
>

Yeah. I am aware of that. It would take an island hopping attack. One of
my outward facing servers would have to go and it in turn go after this
server. I am just a little guy. I am behind on some updates but working
to get current. Plus move to DNSSEC for my domain...

I do have one Amahi server partially open, it runs my mail service and
SquirrelMail. So 25, 587, 110 and 443 are open. So I do run SELinux on
this one.

> Having said that, it would depend on what the webserver could do, as to
> whether anybody else could wreak havoc. If it only served flat HTML
> files, they'd have to find a security hole in Apache to cause you
> problems. The typical Achilles heel is flawed scripts (other programs)
> being run through the server (CGI, PHP, et al).