Posted by Jerry Stuckle on 04/06/07 13:42
hansBKK wrote:
> Here's a maybe provocative but certainly unequivocal statement from a lead
> tech at a hosting company, whose opinion on technical matters I've come to
> value:
>
>
>> I've managed well over 2000 servers running apache/php within the past
>> few years and never once had a server compromised at root level.
>
>> I didn't use safe_mode and had php installed as an apache module on all
>> of them. I did secure things like kernels, firewalls and utilise other
>> security features of my own making.
>
>> There is no point in providing a php service and not letting customers
>> use the most of it :) Security is layered and we have no security issues
>> really at all, sure the odd client scripts get exploited, but they don't
>> affect the whole server.
>
>> The rule for me is, if you get your scripts broken into, shame on you, if
>> we get our servers rooted, then shame on me :) It's not happened thus far
>> and I don't intend it to either :)
>
>
> Makes sense to me!
I've had to deal with computer security since 1984, when working for IBM
and dealing with mainframes. A couple of years later when PC networks
started to become popular I had to deal with it there, also - both
mainframe-attached PCs and LANs. And we had all kinds of servers -
file servers, app servers, database servers... and eventually web
servers, of course.
2,000 servers? A drop in the bucket. Many large hosting companies have
30K+ servers.
You don't have to root a server to affect the sites on it. Without
basic security, any site can get in and affect other sites on that
server. Sure, he's correct that you need layered security. But he
thinks if a server isn't rooted it's not his problem. And he is so wrong.
And he "has no security issues really at all"... So he does have
security issues that he recognizes. And he has some he doesn't
recognize. Not good at all.
Please pass along which hosting company he supports. I want to make
sure I never have any customers hosting with them - and recommend anyone
I know is hosting with them to move ASAP.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================