Is known IP-number filtering pretty much all that is needed for website security/vulnerability?

Sounds like a swell product to me...

*Please note that this is a scan-only version. To remove spyware or viruses and get automatic updates, you will need to subscribe to the full version.

IMPORTANT: If you decide to download and install the Protection Control Center, it will uninstall any current anti-virus software you may have on your computer. Please note that this is an industry standard to prevent any software conflicts. The Protection Control Center is for users of Windows 2000 and XP operating systems only. All others, please see Norton Security Products for alternative software options.

formatting link

Reply to
ship

No. Anyone who cracks the web server could potentially gain full access -- and how are you securing the computers that would be allowed FTP access?

Yes. The difficulty of doing so depends upon the operating system. Any reasonably recent Linux would likely make it quite difficult to do. Probably easier to take over one of the control systems and use those to attack the server.

If your site gets popular, then eventually it will likely be subject to a DoS (Denial of Service) attack. Routers aren't usually very good at stopping those.

Is there a good reason to use ftp specifically? sftp or scp would be more secure.

Reply to
Walter Roberson

Hee hee. A post that teeters on perpetuating "all I need is a firewall to be secure" cross-posted to 4 newsgroups, 2 of which are security....

What could possibly go wrong?

Sorry, Ship... I'll try to be kind and I hope others will take an instructional approach as well.

First question--is it patched? Vulnerabilities to worry about from your description so far include:

MySQL:

formatting link
Apache:
formatting link
Linux:
formatting link

Which is nice... until one of the allowed IPs gets owned. How many IPs are allowed, and how many computers with "average users" at the helm might be coming from them?

More questions: Is your ftp server patched?

formatting link
Is there a specific reason you need FTP (a clear text protocol vulnerable to sniffing of passwords and usernames) vs scp or sftp which are encrypted?

Unfortunately the answer is not "No," it's "Hell no!" :-\

Depends entirely on how the router is configured, whether it's software is up to date, and if it's maintained by someone who knows what they're doing.

Spoofing IP's is trivial. However, the wrinkle is that with TCP protocols at least (which includes all the protocols you've mentioned thus far--FTP, HTTP), the replies to spoofed TCP packets will go to the IP address that was spoofed, which makes it hard to do too too much.

However, you need to be aware of the metric that something more than 50% of data theft issues or malicious activity originates from inside the circle of trust, either intentionally or unintentionally. So those "trusted" IPs can't be so trusted. You'd have to know an awful lot about those folks' operations, processes and procedures to get a good comfort level to be reasonably sure that the "trusted" IP boxes (or ones behind them) haven't been owned by something as simple as someone surfing to a myspace site with a vulnerable web browser on their machine, attacker takes over that box, it's in your trusted IP range, and suddenly your site is in the crosshairs with all its warts exposed.

A good firewall only gives you crunchy on the outside, soft and chewy on the inside security, and leaves all the other venues of attack wide wide open.

Best Regards,

Reply to
Todd H.

As others have suggested - you shouldn't really be using FTP at all on Linux.

Reply to
William Tasso


Oh, and while I remember - as well as stopping unwanted incoming traffic make sure your f/wall blocks all unnecessary outgoing.

Reply to
William Tasso
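Todd's point about one of the "trusted" IPs getting owned, and William's point about blocking unnecessary outgoing traffic, as an added example that is not part of the thread. It generates an iptables rule set that opens SSH (which carries sftp and scp) only to a short list of trusted addresses, leaves the public web ports open to everyone, never opens plain FTP at all, and drops and logs any outbound connection the server does not need, so a compromised "trusted" box or a spam-sending formmail shows up in the logs. The addresses are placeholders from the RFC 5737 documentation ranges standing in for the four IP numbers; the allowed ports are assumptions to be adjusted for the real box.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, but does not apply, an
# iptables rule set for a Linux web server with a short IP allow list.
# Placeholder addresses from RFC 5737 documentation ranges:
TRUSTED_IPS="203.0.113.10 203.0.113.11 198.51.100.7 198.51.100.8"
ADMIN_PORTS="22"              # SSH: sftp/scp ride on it; port 21 (FTP) is never opened
PUBLIC_PORTS="80 443"         # the web site itself
ALLOWED_OUT_TCP="53 80 443"   # DNS and package downloads; add NTP/mail relay if needed

# Print the rules instead of applying them, so they can be reviewed before use.
build_rules() {
    echo "iptables -F"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Packets belonging to connections already accepted in either direction
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Administrative access: one rule per trusted address and port
    for port in $ADMIN_PORTS; do
        for ip in $TRUSTED_IPS; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # The web site: open to the world
    for port in $PUBLIC_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Egress: only what the server needs; anything else (IRC bots, spam runs) is logged and dropped
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    for port in $ALLOWED_OUT_TCP; do
        echo "iptables -A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INGRESS-DROP: '"
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'OUTGOING-DROP: '"
    # Default policies last, so an admin's existing session is not cut off mid-load
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
}

# Sanity checks on the generated rules, run before applying them.
# Number of rules opening a TCP port to any source address:
count_world_open() {
    build_rules | grep -c -- "-A INPUT -p tcp --dport $1 " || true
}

# Number of rules opening a TCP port only to a specific trusted source:
count_trusted_open() {
    build_rules | grep -c -- "-A INPUT -p tcp -s [0-9.]* --dport $1 " || true
}

# Review first:  sh allowlist.sh | less     Apply as root:  sh allowlist.sh apply
if [ "$1" = "apply" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Before applying on a remote box, schedule a rule flush a few minutes out (for example a one-off `at` or cron job running `iptables -F` with ACCEPT policies) so a mistake cannot lock you out; remove it once a fresh SSH login from a trusted address works. Note that the allow list does nothing against an attacker who has already taken over one of the trusted machines, which is why the outbound logging is there.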

I strongly advise you contact some hackers or former hackers, and talk to them.

There are a number of good books available, including "Hacker's Challenge" published by Osborne, and "Hack Attacks Revealed" published by Wiley.

I am always reminded of the story of a company who spent a fortune on firewalls and the like, only to be infiltrated when a hacker walked into their premises via the back-door pretending to be a new contractor and was given access to a terminal and login....

Matt

Reply to
Matt Probert

All the negative replies notwithstanding...

Restricting access to only a few specific known IPs is very good. I'm assuming this means no anonymous access whatsoever. Good stuff.

Now... for those specific IPs, you would want to set up a userID logon and complex password to access your network resources. Just as you would do for local LAN users to logon to their own workstations.

Certainly there is much more to security, in total, but here's what some observers fail to understand... if the accessible system has no services available (like most home users should), the risk is minimal. It is when you have services running on the system that the risk escalates. And... access to these services via anonymous transparent logons (i.e. a public web server) is the worst.

You have no anonymous public access. Straight away you have a good start. Next thing would be to "harden" your OS. Meaning... make sure your system is set up to allow system and file access to only the users that need it (on the LAN as well as from the Internet).

Yes, keeping up with OS patches and vulnerability updates is always important, but that risk is always there and not limited to Internet users.

-Frank

Reply to
Frankster

Okay fair enough. We could probably use some other protocol easily enough. I've never heard of either scp or sftp.

But let me clarify where I am coming from. I am a middle-weight techie, not a heavy-weight. I spend most of my time sorting out content, doing graphic design, editing, copywriting, managing staff etc. I am not, and do not pretend to be a heavy weight techie. In fact I don't even write code (shock horror!) - I simply run a website which is becoming quite high profile and needs to be run professionally. With me so far?

Okay so I'm not a heavy-weight techie, but I do need to understand the heavy-weight techie ISSUES! Hence my presence here asking dumb questions. But I need to know what questions to ask our heavyweight techies and I need to be able to make reasonably sensible strategic decisions.

William you seem to know your stuff - in another post, you recommended FileZilla which seems to be quite robust. Thanks for that btw! Anyhow I've got FileZilla in the middle of a huge transfer as I write this, so I don't want to mess with it too much... but does it have the capability to do sFTP or SCP?

To answer some other points raised. The other folks on the IP ranges are so far all employees and/or freelance subcontractors. i.e. just 4 IP numbers so far. So that's not a bad start.

It sounds like sFTP is probably a must (is that just encrypted FTP a bit like httpS: compared to http: ?)

I am told by our techies that MySQL, Apache and Linux are all the latest versions. (Though how do I know our techies are telling the truth?!) Likewise I have the same problem knowing about the Router.

So how do I make sure that all our web-browsers aren't vulnerable to attack and being taken over? I guess I need to make sure that they are all behind firewalls or something.

And this is where my knowledge really does run out. There seem to be dedicated firewall boxes and software firewalls (like those which come free with msWindows). [Aside: Now please don't start ranting about Micro$oft - I disapprove of them as much as the next man, but for now they are a necessary evil in the business world so can we move on...?]

I'm not looking for the ULTIMATE security - just good, sensible stuff. Let's not get too paranoid here - afterall there's nothing particularly interesting on the site in any case, but it might become a tempting target as it grows in profile!

DoS attacks. Gads not sure what one is supposed to do about that. Can dedicated firewall boxes help snuff that out automatically??

Regarding unwanted OUTgoing traffic - that's an interesting point. I'll have to find out. Btw, when everyone talks about firewalls do they mean dedicated hardware boxes or software running on a PC/server... or both?!

I like Matt's idea of contacting hackers to see if they can get it. The only trouble is that I don't know of any - and any that I found I'd need to be able to trust 100%.

Yes we aren't allowing any anonymous access to the back end of the server whatsoever. I mean users can read HTML files & JPEGs, GIFs etc and they can also fill in forms (formmail or something??) and they also have access to our PHP forms etc.

But there is no anonymous FTP access allowed for example...

With thanks

Ship Shiperton Henethe


Reply to
ship

Can any of you good people recommend a site or some free software that you can run to test all the ports on a webserver - which would give a level of reassurance that at least the basics are covered.

What I'm thinking of is that I paste my webserver's IP number into some (reasonably trustworthy!) website and they have a go at breaching the webserver using some automated tools....

Anyone know of such a thing?

Later when we have a budget we might pay for such a thing but not just right now...

Ship Shiperton Henethe

Reply to
ship

For example I'm tempted to submit my website to here:

formatting link
But how can I really trust the authors of the site not to be cheerfully harvesting the information that the software gathers! Thus for example, if it DID turn out that there was a gaping hole in our server, it might be that by the next day half the hacking underworld had come in and had a good sniff around!!

Ship Shiperton Henethe

Reply to
ship

Dunno about a site, but you might want to look into nessus as your security tool:

formatting link
An open source, public domain security scanner that may be just what the doctor ordered in your circumstance. Does NOT require a rocket scientist to install, configure or use, tho' whether it's available for gatesware is another question and one to which I don't have an answer. Check out the website.

There used to be - maybe still is - a security "scanner" called, variously, SATAN/SANTA which excited a lot of controversy when first released in the public domain. Also caused lots of problems through misuse. This is, of course, a problem with all port scanners, particularly if you don't set the boundaries of the search correctly.

HTH

Bob Melson

Reply to
Robert Melson

I use Security Space. I use their paid service, but they have a free service. You can only test the IP address that you are connecting from though.

See

formatting link
Scroll down the bottom and note the "No Risk Audit (Free)" option in the Corporate Users section. Clicking on the "No Risk Audit" link will give you more information about that audit.

Disclaimer: I have no connection with Security Space other than being a reasonably satisfied user of various of their paid and free services, mostly paid.

Reply to
Ken Sims

You could use a sniffer program to test out your ports. You could use a free product called "IP Sniffer". It is a suite of IP Tools built around a packet sniffer. You can test any of your ports. You can do IP Spoofing to test.

formatting link

Reply to
IchBin

Hi Ship,

In some cases, switching to scp or sftp may incur a little learning from the content contributors to your website. The integrated ftp clients in older web authoring packages may not support scp or sftp, for instance. But you mention filezilla down below, so that may not be any sort of issue.

No problemo.

Filezilla appears to support sftp according to

formatting link

How many users are behind those 4 IP numbers though? With NAT, an entire corporation's worth of users could be coming from just one IP, for instance. All the same, restricting access to specific IP addresses does cut down your exposure by quite a bit, so kudos for that, but all the same, due to the internal threat, you'll still need to pay attention to the other aspects mentioned in my first reply.

Yeah, sorta. To further confuse things, there are different flavors of ftp over ssl. sftp is different still, and scp different than that. filezilla appears to handle it all except scp. If scp is explicitly needed, there's a freebie called WinSCP that works nicely.

Go to each product's download page and take a look at the versions that are the latest. Then cross check that with what's installed. To tell you how to find out what's installed, we'd need to know which distro of Linux you're running. I vaguely recall you mentioning Ubuntu, and it not being my distro of choice, I don't know the package query commands off hand. apt-SOMETHING or yum I believe might be involved. They have man pages if you have shell access to the box.

Your situation describes a perfect situation where the services of a trusted, experienced penetration testing service can be valuable--when you don't wanna take the sysadmin's word for it, and want to do due diligence to get your vulnerabilities identified by good guys before the bad guys find them. A common fallacy of security though is that a firewall cures all, when in fact the task of a secure system is much broader in scope.

DoS remains a tough one. Ultimately, whomever has the most bandwidth available will win that fight. But there are countermeasures available to some degree.

In the context of hosting, we're typically talking in terms of servers, and usually dedicated firewall boxes. Heavy hitters are like, Nokia, Netscreen, Cisco PIX, for example.

Here's one:

formatting link
Not cheap but it's hard to argue with Big Blue's integrity and experience.

Sounds good. However, PHP forms can be big trouble--it's not that PHP is necessarily bad or anything, but it doesn't automagically sanitize user form data either, so vulnerabilities like SQL injection whereby an attacker can dump your entire database contents, or even execute commands on the server are all too common and created by ignorance in web application programming.

Formmail you have to be careful with too. That script has a mile long history of security flaws, and incorrectly configured it is known as a "use my web server to send spam!" invitation.

Best Regards,

Reply to
Todd H.
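Todd's "cross check the latest version with what's installed" step, as an added example that is not part of the thread: a script that compares the installed version of each package against the minimum you expect and reports anything behind. It assumes a Debian/Ubuntu-style system (dpkg-query and dpkg --compare-versions, which understand the distro's revision suffixes) and falls back to a dotted-numeric comparison elsewhere. The inventory at the bottom is constructed sample data, and the package names and version numbers in it are placeholders rather than real advisories.

```shell
#!/bin/sh
# Added example (not from the thread): verify installed package versions
# against a minimum, so "we're on the latest version" can be checked rather
# than taken on trust. Assumes Debian/Ubuntu tooling where available.

# Returns 0 when version $1 is older than version $2.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        # Handles Debian revisions such as 2.2.3-4ubuntu1 correctly
        dpkg --compare-versions "$1" lt "$2"
    else
        # Fallback: dotted numeric versions only (2.6.9 < 2.6.18, not a string compare)
        printf '%s\n%s\n' "$1" "$2" | awk -F. '
            NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; n = NF; next }
            {
                m = NF > n ? NF : n
                for (i = 1; i <= m; i++) {
                    x = (i <= n) ? a[i] : 0
                    y = (i <= NF) ? $i + 0 : 0
                    if (x < y) exit 0
                    if (x > y) exit 1
                }
                exit 1
            }'
    fi
}

# Installed version of a package, or "missing" (dpkg-query is the real command).
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' "$1" 2>/dev/null || echo missing
    else
        echo missing
    fi
}

# Reads lines of "<package> <installed> <minimum>" and prints those that are behind.
report_outdated() {
    while read -r pkg have want; do
        [ -z "$pkg" ] && continue
        if [ "$have" = missing ]; then
            echo "$pkg: not installed"
        elif version_lt "$have" "$want"; then
            echo "$pkg: $have is older than $want"
        fi
    done
}

# Constructed sample inventory (placeholder versions, not real advisories)
SAMPLE_INVENTORY='apache2 2.2.3 2.2.6
mysql-server 5.0.45 5.0.45
vsftpd missing 2.0.5
linux-image 2.6.20 2.6.18'

check_sample() {
    printf '%s\n' "$SAMPLE_INVENTORY" | report_outdated
}

# Live use, with the minimums taken from each project's download page:
#   for p in apache2 mysql-server; do echo "$p $(installed_version "$p") <minimum>"; done | report_outdated
check_sample
```

Use the package names the distro uses (what `dpkg -l` shows), not the upstream project names, and remember that a distro may backport security fixes into an older-looking version number, so the changelog for the installed package is the final word on whether a given fix is present.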

If you had bothered to follow my advice you would have ALL your answers.

Now you are just waving a flag internationally alerting every amateur hacker and wannabe that you know bugger all about security, and thus probably about tracing poor attempts to gain access to your systems, and you have or about to have, an insecure server for them to practice on.

Not very sensible, don't you think?

Matt

Reply to
Matt Probert

FTPs is probably, what you mean. SFTP is SSH with FTP like commands. I'd prefer the latter.

You can't. Just don't use the worst of all, Internet Exploder. And keep the rest up to date.

Many DoS attacks can be successful because of intrinsic design flaws in server software. Many of them you can hardly prevent. And there even are DDoS attacks, which cannot be prevented at all.

To control outgoing traffic only is sensible in terms of controlling people in your network. Because of the existence of tunneling, it's impossible in theory to prevent every unwanted communication, because it's impossible to detect unknown encoding in general. It can be a good idea to try to detect what's going on, watching network traffic, for example for intrusion detection.

There are different common definitions for the term "firewall". Some people see a controlling point between security zones as a firewall, others think of filtering implementations when they're talking about firewalls. The implementations usually all are done with hardware and software (only seldom with hardware only; most of those boxes have firmware).

formatting link

What you mean is called "penetration tests". Nearly every security service provider offers this.

F'up2csm, where it's on-topic.

Yours, VB.

Reply to
Volker Birk

formatting link
F'up2csm.

Yours, VB.

Reply to
Volker Birk

From within your server: netstat

From outside your firewall: nmap

Research:

formatting link

Reply to
William Tasso
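William's "netstat from inside, nmap from outside" suggestion, as an added example that is not part of the original post: a script that reads `netstat -tln` style output and flags every listener reachable from the network (not bound to loopback) that is not on the list of ports the server is supposed to offer. The netstat output and the expected-port list are constructed here so the script runs offline; on the real box, pipe the live command into it, then confirm the outside view with `nmap` from a machine outside the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): audit listening TCP ports against the
# set the server is meant to expose. SAMPLE_NETSTAT is constructed to look like
# `netstat -tln` output; the expected ports are an assumption for a web box.
EXPECTED_PORTS="22 80 443"

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN'

# Turn netstat -tln style lines into "address port" pairs for listening TCP sockets.
listening_sockets() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print addr, port
    }'
}

# Ports bound to a non-loopback address that are not in EXPECTED_PORTS, one per line.
unexpected_ports() {
    listening_sockets | while read -r addr port; do
        case "$addr" in 127.*|::1) continue ;; esac   # loopback-only: not reachable remotely
        found=no
        for p in $EXPECTED_PORTS; do [ "$p" = "$port" ] && found=yes; done
        [ "$found" = no ] && echo "$port"
    done | sort -un
}

audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports
}

# Live use:  netstat -tln | unexpected_ports     (or: ss -ltn | unexpected_ports)
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports | while read -r port; do
    echo "unexpected listener on port $port"
done
```

In the sample, the FTP daemon on 21 and a MySQL instance bound to 0.0.0.0:3306 are reported, while the MySQL copy on 127.0.0.1 is not, since only local processes can reach it. Anything the script reports should either be on the expected list for a reason you can name, or be shut down; the firewall is the second line, not a substitute for not running the service.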

ok - a little research would be a good thing.

Completely - I have several clients that would say exactly that.

Diligence - examine the processes running on your server. learn to know what each does and why it is running.

sFTP

with several developers it may pay you to investigate subversion.

That's a good working description.

Is this a self managed box? or have you contracted out the daily management?

Do you have a login for the router?

You can't on a distributed development arrangement. You have to manage security at the server. That may mean not trusting the developers with direct access to the server.

Personally, I'd never trust a firewall which runs on the box it is protecting.

:)

Sure - all servers are targets for hacking. The objectives vary but include building a network of drones to launch ddos attacks on other targets.

They can help - but a ddos is expensive to repel.

yes - it's a good measure. if your server suddenly starts sending mail/irc/whatever traffic when it shouldn't be then you know you have a problem.

Personally, I always mean a dedicated box.

Code can be compromised - for example, research: sql injection

You may wish to consider running php in 'safe mode' but be aware this only applies protection within php - other apps may still be vulnerable.

In any event, good luck.

Reply to
William Tasso

grc.com

That is Gibson Research, the guy who wrote spinrite and some other fantastic utilities. I've been using his site for years to test new machine setups.

Reply to
David Kerber
