3. Apache Web Server
Apache is very popular and is widely used. It is also less vulnerable to hacks than Microsoft's IIS, but that doesn't mean there is no need to update Apache or regularly check for newly discovered vulnerabilities. Some administrators who get hit with Apache hacks may not even be aware it's on their systems because it's often part of the default installation.
This would seem like a no-brainer, but if you don't need the Apache server, don't run it on your system. Of course, between all the legacy systems that admins have to manage and the dozens of patches and other vulnerabilities to deal with on an urgent basis, is it any wonder that there are a lot of older Apache versions out there that either shouldn't be running or that aren't patched?
If you do need to run Apache, there are things you can do to reduce the risk even if you can't patch it every time a new vulnerability is discovered: (1) don't run Apache as root, (2) disable any scripting languages you don't really need, and (3) run Apache in a chroot environment whenever possible.
4. General UNIX Authentication Accounts with No Passwords or Weak Passwords
Now this one really is a no-brainer and many administrators will automatically dismiss it, but the fact is that it's still one of the most exploited vulnerabilities. I believe that my readers are probably too savvy to ignore the threat of weak passwords when configuring new systems, but consider whether you are managing legacy systems configured by someone else. I suspect that one reason so many systems are vulnerable to weak passwords is these legacy installations.
Another reason for this vulnerability is a simple and seemingly reasonable procedure that you probably don't even realise is dangerous. I'm referring to the common practice of using the same password for all new accounts. Even if you enforce a policy of resetting this at the first login, there is still a period when a password that is widely known to many current and former employees will be valid.
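An added example (not from the original article): a small Python audit over shadow(5)-format lines that flags accounts with an empty password field and accounts whose last-change field is 0, meaning the initial password is still valid until the first login. The sample entries and hash strings are constructed.

```python
import sys

# Constructed sample in /etc/shadow format:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$c0nstruct3d$notarealhashvalue:19700:0:99999:7:::
legacyapp::15000:0:99999:7:::
newhire1:$6$c0nstruct3d$notarealhashvalue:0:0:99999:7:::
daemon:*:19000:0:99999:7:::
oldadmin:!$6$c0nstruct3d$notarealhashvalue:16000:0:99999:7:::
backup:!!:19000:0:99999:7:::
"""

NO_PASSWORD = "no password"
PENDING_RESET = "initial password awaiting first-login reset"


def audit_shadow(text):
    """Return a list of (account, finding) tuples for risky entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw, lastchg = fields[0], fields[1], fields[2]
        if pw == "":
            # Empty field: the account logs in without any password.
            findings.append((user, NO_PASSWORD))
        elif pw.startswith(("!", "*")):
            # Locked or password login disabled; nothing to guess.
            continue
        elif lastchg == "0":
            # lastchg 0 forces a change at next login, so the password
            # handed out at account creation is still the valid one.
            findings.append((user, PENDING_RESET))
    return findings


if __name__ == "__main__":
    # Pass a shadow-format file as the first argument (reading the real
    # /etc/shadow needs root); with no argument the sample is audited.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for account, finding in audit_shadow(data):
        print(f"{account}: {finding}")
```

Accounts reported as awaiting reset are the ones exposed during the window described above; locking them until the user is ready to log in closes it.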
5. Clear Text Services
Sniffer attacks are common, and the fact that many Linux/UNIX services such as FTP don't encrypt any part of the session, even the logon information, makes this a popular attack vector. Tcpdump will show you any clear text transmissions, and administrators should use it to look for vulnerabilities; after all, hackers do. To reduce the risk, consider using HTTPS, POP3S, or other encrypted alternatives to replace the common plain text services.
6. Sendmail
The widespread use of Sendmail as a mail transfer agent means that known vulnerabilities in older or unpatched versions are a common target. Other than responsible patching policies, the main ways to reduce the risk from Sendmail are to either disable it when it is not needed or run it in daemon mode when you need it.