Web site hacking


jrperry


Short, slightly sarcastic answer is the biggest mistake is hosting your own website at home.

Longer answer, you have to consider:

Keeping the box fully patched

The application is usually the weakest link so is that fully secure

The server must be fully segmented from your home network otherwise a compromise would give an attacker full run of your home

Does your ISP allow hosting? Some don't on residential contracts

Do you have a static IP or will you be using a dynamic IP service

What's your bandwidth allowance and will people using the site affect you using the internet

Is the cost in electricity and time maintaining it lower than just paying a small amount of money to a hosting company? If you want to do that have a look at http://cloudatcost.com/ for very cheap servers *

Why are you doing it? To learn, to save money on commercial hosting or for something else?

Sure there are other things to consider but that is what comes off the top of my head.

* discount codes:

20% off all servers AqUVYbUXag
50% off all big dog (whatever that is) 7E9YRUzEZy


Digininja,

The primary goal of this project is learning; if it moves outside of that I have no interest in worrying about keeping it up for anyone outside of family. I am running the server behind a firewall on its DMZ. My service provider does allow hosting and my connection is 4Gb up and 25 down with unlimited usage. I can also bump my upload speed to 10Gb if I want. There is no static IP; I spoke to my ISP about that option when I asked about the hosting. My plan is to use an editor till I learn more about PHP (I already have an understanding of HTML), then move to Joomla or a similar product after that.

My biggest thing is I choose to be paranoid about security because no one is immune and if I am complacent that is when I will run into problems.

If keeping software up to date is my biggest worry that is reassuring.

Thanks for your help.

If there are any other pointers out in the community I am always interested

Cheers


By the sound of it the app itself will be your biggest problem. If you write it yourself then make sure you read as many blogs on secure coding as you can; if you go for something like Joomla or WordPress then you have to be on top of it every day checking for updates. All it takes is a vulnerability and a bot that scans IP ranges and you are screwed.


Start with hardening the machine - make your install as minimalistic as possible and deactivate all options the remaining software provides, but which you know you don't need.

Create the app and run it on the machine. Look at *ALL* input handling and assume you're not getting what you want to get. Make the app properly handle all those situations.

Update all the software on the machine to the latest version and verify the hardening is still properly done.

Only now should you consider opening up the app to the outside world. Try to restrict this definition of 'outside world' as much as possible such that it is only those machines that you want to provide access. There are probably only a number of subnets that have a need to access the app, so, for instance, block off China, Russia....

When you've done what you intended to do, take the machine/app offline again. As long as the system is running, keep a close eye on any security updates that may arrive for the various bits of software you have installed. At least once a day.


It's that last bit that gets people: check updates and logs every day, just in case. We do it for the first few days, maybe a week, then have a night off, then "will do it at the weekend", then it just stops happening.
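One way to keep the daily log check from quietly stopping is to automate the boring part. The script below is an added example, not code from this thread or from any poster: it parses Apache/nginx combined-format access log lines (an assumption about the server's log format), counts requests and 404s per client, and flags clients that rack up an unusual number of 404s, which is what probing for admin pages the site does not have looks like in the logs. The log lines are constructed sample data; the threshold is a placeholder to tune against your own traffic.

```python
"""Added example: a minimal daily log-review script.

Parses combined-format web server access log lines and flags clients that
generate an unusual number of 404s. The sample log below is constructed, not
real traffic; the threshold is a placeholder to tune for your own site.
"""
import re
from collections import defaultdict

# Apache "combined" log format (assumption: the web server writes this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary visitor (203.0.113.5) and one scanner (198.51.100.7).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:08:01:12 +0000] "GET / HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2014:08:01:13 +0000] "GET /style.css HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2014:08:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2014:08:02:01 +0000] "GET /administrator/ HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2014:08:02:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2014:08:02:02 +0000] "GET /.env HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2014:08:02:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209
203.0.113.5 - - [10/Oct/2014:08:03:40 +0000] "GET /missing.png HTTP/1.1" 404 209
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text, not_found_threshold=4):
    """Count requests and 404s per client IP and list the clients over threshold."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set()})
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep count: a format change should not hide traffic
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        stats["paths"].add(rec["path"])
        if rec["status"] == 404:
            stats["not_found"] += 1
    flagged = sorted(ip for ip, s in per_ip.items() if s["not_found"] >= not_found_threshold)
    return {"per_ip": dict(per_ip), "flagged": flagged, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, s in sorted(report["per_ip"].items()):
        print(f"{ip}: {s['requests']} requests, {s['not_found']} x 404, paths: {sorted(s['paths'])}")
    print("worth a closer look:", report["flagged"])
    print("unparsed lines:", report["unparsed"])
```

Run it from cron against yesterday's log and mail yourself the output; once you have read a week of these summaries, a new entry in the "worth a closer look" list stands out immediately, which is the point Digininja makes about getting used to spotting anomalies.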


Thanks for the advice

Some good points I didn't think of, like restricting the geographical area that it is available to. Time restrictions are another good consideration. If I am only looking to have local family members use it, does it need to be up at 4am?

My goal is to keep as few ports open as possible. To start only port 80 till my needs move past that. And now that I think of it, I am a big one server one use person but I don't think I really check to see what else is installed other than what I am using.

I have always been big on the updates. My computers get a fresh image of Linux Mint every week after I update, but I guess I will have to get better if I want to do this. Good way to start your day though, a cup of coffee and some updates. I am online every morning anyway.

Do you have any good suggestions for secure coding blogs? My experience with the subject is only make sure you sanitize ALL your input.

As for the issue of logs am I best to use something like webmin or is there a better solution that throws them in your face on a regular basis?

Also, this is a really beginner question, but is all hardening really means keeping things minimalistic and up to date? I have always assumed that it was more rigorous than that.


> Thanks for the advice
>
> Some good points I didn't think of, like restricting the geographical area that it is available to. Time restrictions are another good consideration. If I am only looking to have local family members use it, does it need to be up at 4am?
>
> My goal is to keep as few ports open as possible. To start only port 80 till my needs move past that. And now that I think of it, I am a big one server one use person but I don't think I really check to see what else is installed other than what I am using.
>
> I have always been big on the updates. My computers get a fresh image of Linux Mint every week after I update, but I guess I will have to get better if I want to do this. Good way to start your day though, a cup of coffee and some updates. I am online every morning anyway.
>
> Do you have any good suggestions for secure coding blogs? My experience with the subject is only make sure you sanitize ALL your input.

Almost, it is generally more important to sanitize your outputs as that is where you get caught. Take in whatever is given but then clean it up as required for output, for example HTML encoding when sending to screen but escaping for SQL when putting into a database.

> As for the issue of logs am I best to use something like webmin or is there a better solution that throws them in your face on a regular basis?

I run logwatch to get a good overview of what is going on then a quick scroll through the raw log files every now and then (should do more often but laziness wins). Once you've read through enough you get to be able to spot anomalies.

> Also, this is a really beginner question, but is all hardening really means keeping things minimalistic and up to date? I have always assumed that it was more rigorous than that.

There are loads of hardening guides but those two things are a very good start. Check out the NIST guides http://csrc.nist.gov/groups/SNS/checklists/
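The "encode on output, per context" advice in the reply above, shown in working code. This is an added example, not code from the thread or from any poster, and it uses Python's standard library rather than the PHP the original poster plans to learn (the same calls exist in PHP as htmlspecialchars, PDO prepared statements and rawurlencode). One constructed comment string is stored unchanged, then rendered three ways: HTML-encoded for the page, passed as a bound parameter to SQL, and percent-encoded for a URL. The in-memory SQLite database and the table name are assumptions for the demo.

```python
"""Added example: store input as-is, encode on output for each context.

The comment text is a constructed sample chosen to break naive handling in
all three contexts (apostrophe, double quotes, tags, percent sign, ampersand).
"""
import html
import sqlite3
from urllib.parse import quote

# Constructed sample input: would break a naive string-built SQL statement,
# would execute if echoed raw into HTML, and would split a URL query string.
COMMENT = """Bob's "review" <script>alert(1)</script> 100% & more"""


def store_comment(conn, author, body):
    """SQL context: bind values as parameters. The driver handles quoting, so
    the apostrophe in the body is data, never part of the statement."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def fetch_bodies(conn):
    """Read comments back exactly as stored (no encoding baked into the data)."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def render_html(body):
    """HTML context: escape &, <, > and both quote characters so the browser
    displays the text literally instead of parsing it as markup."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def render_link(body):
    """URL query-string context: percent-encode everything that is not
    unreserved, so & and % cannot split or corrupt the query."""
    return "/search?q=" + quote(body, safe="")


def demo():
    """Round-trip the sample comment and return each context's rendering."""
    conn = sqlite3.connect(":memory:")          # assumption: throwaway demo database
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    store_comment(conn, "bob", COMMENT)
    stored = fetch_bodies(conn)[0]              # identical to COMMENT: nothing was mangled on input
    return {"stored": stored, "html": render_html(stored), "url": render_link(stored)}


if __name__ == "__main__":
    for context, rendered in demo().items():
        print(f"{context}: {rendered}")
```

The design point is that input sanitising done once, up front, has to guess every place the value will later be used; encoding at the point of output knows the context exactly, and the stored value stays correct for the next context you add later (a JSON API, an email, a PDF).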


> Short, slightly sarcastic answer is the biggest mistake is hosting your own website at home.
>
> Longer answer, you have to consider:
>
> Keeping the box fully patched
>
> The application is usually the weakest link so is that fully secure
>
> The server must be fully segmented from your home network otherwise a compromise would give an attacker full run of your home
>
> Does your ISP allow hosting? Some don't on residential contracts
>
> Do you have a static IP or will you be using a dynamic IP service
>
> What's your bandwidth allowance and will people using the site affect you using the internet
>
> Is the cost in electricity and time maintaining it lower than just paying a small amount of money to a hosting company? If you want to do that have a look at http://cloudatcost.com/ for very cheap servers *
>
> Why are you doing it? To learn, to save money on commercial hosting or for something else?
>
> Sure there are other things to consider but that is what comes off the top of my head.
>
> * discount codes:
>
> 20% off all servers AqUVYbUXag
>
> 50% off all big dog (whatever that is) 7E9YRUzEZy

That's a great deal, I put in your email address for the referral, you should get a free server.

Thanks,

Bill
