A little Wizard of Oz twist, hehe.
I have been contemplating security issues on my inherited server.
Issues:
1. At this point all the server passwords are contained in modules that scripts call to access the databases and tables. The modules' permissions are set to httpd rwx, webmgnt rwx, and rx. The user and passwords are static in the modules. To me, I think that this is a very insecure methodology.
2. We have SSL set up, but I don't think that it has been done right, because the scripts can be accessed through http & https, which I know isn't right... I think.
3. Cookies are used to maintain state/sessions; they are not encrypted either, and it seems that the login script fills the login data once you type in the user name.
On the positive side, to do anything on any of the servers you have to use ssh.
In your opinion, is this enough? If not, do you have any suggestions?