Niki Kovacs <contact at kikinovak.net> wrote:

>> Thanks for your very detailed response. <<

Trust me when I say: that wasn't detailed. Nowhere near it.

>> - Is it worth the hassle to bother with SELinux?
>> - Is the standard firewall configuration enough <<

You can go light on all that policy stuff, especially in a small business environment, but you need to give it at least superficial consideration. Until you do, you can't answer those questions, and we certainly can't.

Would, say, a web site defacement cause your organization significant embarrassment? Would it cost you your job? Could borrowers' personal information be compromised? Are you storing information like SSNs? At what point does the benefit exceed the costs?

The hassle is worth it for defense/government applications involving classified data, obviously. Probably not worth it for a web-surfing home desktop. You're somewhere - where? - in between. Only you can know, and it depends on business considerations. Remember: "Ready! Fire! Aim!".

One easy out: the "due diligence" approach. Find out what other libraries are doing, and do the same or better. The Koha, OpenBiblio and other mailing lists could be a help here.

I'll let others clue you in on various web vulnerabilities - SQL injection, command injection, cross-site scripting, overflows, etc. - as well as tools like Nessus, Nikto, etc. for vuln scanning. However, your top priority here should be proactive patch management and intrusion detection techniques such as log file monitoring/analysis.

Best,

---
Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909