Is known IP-number filtering pretty much all that is needed for website security/vulnerability?

Posted by ship on May 17, 2006, 3:55 pm


Hi

I want to get some views on security/vulnerability to hacking.

Our ISP has just put our website onto a new dedicated webserver for us.
It is running Apache (latest) on Linux. And MySQL.
We have got the thing protected by a router that has IP filtering on
it.

Basically we are only allowing point to point traffic - that is traffic

a tiny range of precisely specified IP numbers to have FTP access.

This of course means that everyone who runs the site needs to
have a dedicated IP number.

This may sound naive but do you think the above will be enough
to stop hackers from getting in?!

(e.g.
- should we buy a separate firewall box or is it enough to
just rely on the router's filtering?

- What other vulnerabilities should we be tackling.

- Is there any way of spoofing IP numbers?



Ship
Shiperton Henethe
(webmaster)


Posted by Walter Roberson on May 17, 2006, 4:40 pm
>Our ISP has just put our website onto a new dedicated webserver for us.
>It is running Apache (latest) on Linux. And MySQL.
>We have got the thing protected by a router that has IP filtering on
>it.

>Basically we are only allowing point to point traffic - that is traffic
>a tiny range of precisely specified IP numbers to have FTP access.

>This of course means that everyone who runs the site needs to
>have a dedicated IP number.

>This may sound naive but do you think the above will be enough
>to stop hackers from getting in?!

No. Anyone who cracks the web server could potentially gain full
access -- and how are you securing the computers that would be allowed
FTP access?

>- Is there any way of spoofing IP numbers?

Yes. The difficulty of doing so depends upon the operating system.
Any reasonably recent Linux would likely make it quite difficult
to do. Probably easier to take over one of the control systems and use
those to attack the server.


If your site gets popular, then eventually it will likely be
subject to a DoS (Denial of Service) attack. Routers aren't usually
very good at stopping those.


Is there a good reason to use ftp specifically? sftp or scp would
be more secure.

Posted by Todd H. on May 17, 2006, 4:48 pm
> Hi
>
> I want to get some views on security/vulnerability to hacking.

Hee hee. A post that teeters on perpetuating "all I need is a
firewall to be secure" cross-posted to 4 newsgroups, 2 of which are
security....

What could possibly go wrong?

Sorry, Ship... I'll try to be kind and I hope others will take an
instructional approach as well.


> Our ISP has just put our website onto a new dedicated webserver for us.
> It is running Apache (latest) on Linux. And MySQL.

First question--is it patched? Vulnerabilities to worry about from
your description so far include:

MySQL: http://secunia.com/search/?search=mysql

Apache: http://secunia.com/search/?search=apache&w=0

Linux: http://secunia.com/search/?search=linux&w=0


> We have got the thing protected by a router that has IP filtering on
> it.

Which is nice... until one of the allowed IP's gets owned. How many
IP's are allowed, and how many computers with "average users" at the
helm might be coming from them?

> Basically we are only allowing point to point traffic - that is
> traffic a tiny range of precisely specified IP numbers to have FTP
> access.

More questions: Is your ftp server patched?
http://secunia.com/search/?search=ftp&w=0

Is there a specific reason you need FTP (a clear text protocol
vulnerable to sniffing of passwords and usernames) vs scp or sftp
which are encrypted?

> This of course means that everyone who runs the site needs to have a
> dedicated IP number.
>
> This may sound naive but do you think the above will be enough
> to stop hackers from getting in?!

Unfortunately the answer is not "No," it's "Hell no!" :-\

> (e.g.
> - should we buy a separate firewall box or is it enough to
> just rely on the router's filtering?

Depends entirely on how the router is configured, whether its
software is up to date, and if it's maintained by someone who knows
what they're doing.

> - What other vulnerabilities should we be tackling.
>
> - Is there any way of spoofing IP numbers?

Spoofing IP's is trivial. However, the wrinkle is that with TCP
protocols at least (which includes all the protocols you've mentioned
thus far--FTP, HTTP), the replies to spoofed TCP packets will go to
the IP address that was spoofed, which makes it hard to do too too
much.

However, you need to be aware of the metric that something more than
50% of data theft issues or malicious activity originates from inside
the circle of trust, either intentionally or unintentionally. So
those "trusted" IP's can't be so trusted. You'd have to know an awful
lot about those folks' operations, processes and procedures to get a
good comfort level to be reasonably sure that the "trusted" IP boxes
(or ones behind them) haven't been owned by something as simple as
someone surfing to a myspace site with a vulnerable web browser on
their machine, attacker takes over that box, it's in your trusted IP
range, and suddenly your site is in the crosshairs with all its warts
exposed.

A good firewall only gives you crunchy on the outside, soft and chewy
on the inside security, and leaves all the other venues of attack wide
wide open.

Best Regards,
--
Todd H.
http://www.toddh.net/
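
An added illustration of the two points in the post above (it is not part of the original thread): a toy model of the TCP handshake behind a source-IP filter, showing that a spoofed SYN passes the filter but the reply is routed to the spoofed address, while a taken-over allowed machine connects normally. The `Server` class, `handshake` helper and all addresses are hypothetical and constructed for the example.

```python
import secrets

ALLOWED = {"203.0.113.10"}   # constructed allowlist (documentation address)
MOD = 2 ** 32

class Server:
    """Toy TCP listener behind a source-IP filter (hypothetical model)."""
    def __init__(self, pick_isn=lambda: secrets.randbits(32)):
        self.pick_isn = pick_isn
        self.pending = {}    # claimed source IP -> initial sequence number
        self.wire = {}       # destination IP -> packets routed to that host

    def on_syn(self, src_ip):
        if src_ip not in ALLOWED:
            return False                     # dropped by the router filter
        isn = self.pick_isn()
        self.pending[src_ip] = isn
        # The SYN-ACK is routed to the *claimed* source, wherever the SYN came from.
        self.wire.setdefault(src_ip, []).append({"flags": "SYN-ACK", "seq": isn})
        return True

    def on_ack(self, src_ip, ack):
        isn = self.pending.get(src_ip)
        return isn is not None and ack == (isn + 1) % MOD

def handshake(server, claimed_ip, real_ip, blind_guess=0):
    """True if a sender located at real_ip, claiming claimed_ip, gets a connection."""
    if not server.on_syn(claimed_ip):
        return False
    seen = server.wire.get(real_ip, [])      # only packets routed to the real host
    ack = (seen[-1]["seq"] + 1) % MOD if seen else blind_guess
    return server.on_ack(claimed_ip, ack)

def scenarios(pick_isn=lambda: secrets.randbits(32)):
    admin, outsider = "203.0.113.10", "198.51.100.77"   # constructed addresses
    return {
        "allowed host": handshake(Server(pick_isn), admin, admin),
        "outsider, own address": handshake(Server(pick_isn), outsider, outsider),
        "outsider spoofing allowed address": handshake(Server(pick_isn), admin, outsider),
        # A taken-over allowed machine is indistinguishable from the first case.
        "compromised allowed host": handshake(Server(pick_isn), admin, admin),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36} -> {'connected' if ok else 'no connection'}")
```

The filter only ever sees the claimed address, so the last case is the one the allowlist cannot help with.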

Posted by William Tasso on May 17, 2006, 5:03 pm
Fleeing from the madness of the http://groups.google.com jungle
news:alt.www.webmaster,comp.security.firewalls,alt.apache.configuration,comp.security.misc
and said:


> ...
> - What other vulnerabilities should we be tackling.

As others have suggested - you shouldn't really be using FTP at all on
Linux.

--
William Tasso

http://williamtasso.com/words/what-is-usenet.asp

Posted by Matt Probert on May 18, 2006, 7:37 am

>This may sound naive but do you think the above will be enough
>to stop hackers from getting in?!

I strongly advise you contact some hackers or former hackers, and talk
to them.

There are a number of good books available, including "Hacker's
Challenge" published by Osborne, and "Hack Attacks Revealed" published
by Wiley.

I am always reminded of the story of a company who spent a fortune on
firewalls and the like, only to be infiltrated when a hacker walked
into their premises via the back-door pretending to be a new
contractor and was given access to a terminal and login....

Matt


--
Veritas Vincti
http://www.probertencyclopaedia.com
