Hello Lars
Quote:
Postnuke has a big credibility problem when it comes to security, especially in Germany.
any specific pointers for this?
yes, pay a visit to Germany's premier forum of (too) serious Linux admins: www.rootforum.de
Just ask there about security and nuke systems (you will get at best laughed at). Or you can also do a search on
PHP-nuke or nukes.
Postnuke is put into the same category as
PHP-nuke, myphpnuke, etc. As soon as you say "nuke", you can forget about credibility. I think the earlier years have left very bad memories of nuke systems.
I even think a name change of Postnuke can be beneficial.
In any case, there is some serious PR work to do.
server stuff is usually beyond the scope of any application forum - there are definitly better places to discuss this kind of stuff...
I partly agree and partly disagree on this one. The
PN community has the advantage of being very hands-on, with a language accessible for all and much people eager to help, because everyone here has the same concern.
Many security forums (much more competent than the
PN community) will snob any question that seems too simple, or reveals that the poster is a newbie (hint at rootforum.de). When you mention you have a nuke system installed, they will just laugh at you, hahaha no wonder you got hacked, and get as an answer "there will never ever be a nuke system installed on one of my servers, get a clue, you noob, if you install a nuke you shouldnt be allowed to own or to run a server, youre a public danger for the internet, we hate people like you". And this is a general opinion there.
I expect most questions to be somehow related to
PN. For example mod_security depends on its configuration to work well, so I can imagine a
PN-specific configuration or a Module-specific config for it. And there are other tools out there that need specific config.
Mods like mod_security, if well configured, can sometimes prevent the exploitation of security holes.
Now that dedicated servers have become more cheap, we also have many noobs with the priviledges and duties of "root". The snob forums will only tell that this is bad and should be forbidden, and not help with any hands-on tutorials or how-tos.
Let's face it: by being relatively easy to install, Postnuke is attractive for the newbies. They will download modules, install them, even write own scripts, deactivate safe mode and other things because otherwise their crap won't work (linux system status requires system access).
And they will get hacked.
And who will they blame, or who will their hoster blame?
"ya know, the guy had some nuke installed and then got r0xx0red 0wn3d" - "hey, no wonder" - "yeah."
It will again be Postnuke's fault.
As a sticky in the security subforum I can imagine the 10 laws for running a secure
PN site, or something like that.
postnuke works under safe_mode=on, magic_quotes_gpc=on and register_globals [38]=off - third party modules *should* also be programmed this way (personally i don't use modules that won't work under those circumstances)
I agree, but you know as me that many
PN modules do not fulfill all these requirements.
The community could discuss about what to change in these modules to make them secure (hey, maybe it is just a function that needs to be tweaked to get improved security?).
Or we can also discuss if a certain server configuration is necessary to get it working. For example, I run gallery in safe mode, and it works, including uploads and image manipulation. I think there would be some interest on this board for this information.
the third party forums are the first place to discuss this kind of stuff - the postnuke team is focused on the core and can't check *all* available modules.
Yes, I agree with you that the
PN team should not have to check third party modules.
But you know that every time someone installs
PN and gets an obscure module from somewhere and gets hacked, he will probably never find out how he was hacked exactly because server logs will be gone. Suspicion will always fall on Postnuke, and that's not what we want, right?
Also, I point out again that there are plenty of
PN modules with no place to discuss their security. Posts in support or third party modules will just disappear in the mass.
I think the security subforum should contain the
PN security announcements as sticky, some how-tos or links to how-tos, and leave the rest to the community. This did work fine in the past in the other forums.
[8]
[18] Posted: 20.07.2005, 14:37
[19]
[20]
