  1. #1
    Join Date
    Mar 2002
    Location
    Westbury, LI NY
    Posts
    1,705

    Ensim's simplicity vs Security

    I've been playing around with an Ensim server for a few months now. I like how easy it is to point and click through things as opposed to the old way I used to command line everything. The automation part is great. But Ensim does hinder you in that you can't just update everything how you want, or you might break something. I installed Webalizer fine on two other servers (non Ensim) and they worked fine. I followed a how-to and ended up breaking Apache for 20 minutes trying to undo what I changed. Everything else works great that I have played around with (PHP upgrade, SquirrelMail) but things like the Apache chunk vulnerability requiring Ensim to make its own version of the patch make me think that Ensim may be too proprietary.

    I've looked at Webmin, and it seems to be able to do most of what Ensim can do via a web interface as well, though lacking in the create a new domain/user/database/mail/ftp account all at once. And best of all Webmin is just an interface and doesn't modify much (and it's free).

    Does the fact that I have Ensim and the way it doesn't allow you to do certain things without breaking it, make it less secure (as silly as it sounds)? I know security is a relative term and I know everything can be hacked. I don't SSH in as root, I turned off telnet, I firewalled it, etc etc, all the basics. I'm no security genius, but I'm not a fool either. I realize a few security gurus will tell me right away go get BSD (which I am familiar with) and tell me how much better of a Unix it is than Linux. I'm not looking for Fort Knox. Anyone who has half a clue will get in to anything they want, I just want to keep the script kiddies away.

    I'm not looking to store credit cards, I am looking to possibly install OSCommerce, skin it, and add an SSL and possibly use that. How safe am I? Does Ensim make me slightly more vulnerable? Are there other control panels that act more like a GUI to the CLI than a full-fledged automated system?

    Or am I just paranoid and need to go to bed?

  2. #2
    I look at it completely the other way. I don't understand how people who use cpanel can stand not putting their users in a chrooted environment. Maybe I'm the one who's paranoid

    I think that perhaps you are confusing security with stability. 'Breaking' a site does not necessarily pose a security risk - it usually is something as benign as an error when editing a site configuration. Also, if you are just worried about script kiddies, I don't think you're gonna have a problem with exploitation of an apache chunk vulnerability unique to an Ensim package.

    I hope you already went to bed, but you can now anyways
    i beat the internet. the end guy is hard

  3. #3
    Originally posted by MadSkilage
    I look at it completely the other way. I don't understand how people who use cpanel can stand not putting their users in a chrooted environment. Maybe I'm the one who's paranoid
    Nah, I'm paranoid with you in that aspect.

    Originally posted by MadSkilage
    I think that perhaps you are confusing security with stability. 'Breaking' a site does not necessarily pose a security risk - it usually is something as benign as an error when editing a site configuration. Also, if you are just worried about script kiddies, I don't think you're gonna have a problem with exploitation of an apache chunk vulnerability unique to an Ensim package.
    I know breaking something by using "non-Ensim" stuff isn't the same as security, but it makes me wonder what exactly is different that requires Ensim versions of things and how secure their version is.

    Originally posted by MadSkilage
    I hope you already went to bed, but you can now anyways
    Not only did I go to bed, but now I also woke up.

    I guess bottom line is patch everything, don't do the basic stupid stuff, and try not to make myself a target. And don't store credit card numbers on the actual server.
