PerlMonks  
Lately I was reading a fair amount of articles/web reports on various security issues. As it appears, there really is no web site at this point that could claim to be 100% hacker proof. On the one hand, you see all those unfortunate webmasters using at least a few of Matt's Perl scripts that are known to be somewhat buggy and hence insecure, as also proven by the authors of the NMS project here. On the other hand, you get a handful of hardware-associated security holes. Of course, there are various means to avoid those by installing proper firewall servers, disabling application features known to contain a number of easily exploitable bugs, etc. The task of safeguarding one's server that is directly accessible to the Internet public seems to me a much harder undertaking.

Although one could never remain assured that his/her web site/server is completely impenetrable, I'm wondering what are the steps undertaken to make this monastery secure, for example? Sure, we are all aware of the common techniques to shield our Perl CGI scripts from random hacker pranks: making use of the taint feature, filtering user input for any embedded scripts that could run havoc on an unsuspecting client's machine (especially crucial for sites such as this), and probably controlling who runs your CGI scripts (via the HTTP_REFERER string), amongst a number of other measures. You can read more on CGI security here or here.

Aside from CGI, there's a great chance of having one of your server-side scripts/daemons jeopardized or exploited. I've used a number of security scanners on a couple of servers of mine and was amazed at the results. On one occasion I was pointed in the direction of an FTP daemon/server that allowed anonymous access. At my previous company (a small start-up), I recall seeing our main server hacked and exploited by a rookie (nearly inept script kiddie) simply by playing with either our FTP server or telnet! Also, at my current job (a fairly large company), we had a number of intrusions. Some of the things to watch out for are listed here:

  • Anonymous FTP access.
    It is generally recommended to disable anonymous FTP access if it is not needed badly. Anonymous FTP access can allow an intruder to gain crucial information about your system that can possibly help him/her gain access/control of your system.

  • Running a version of FTP server application that has a number of known bugs.
    For example, running NcFTPd version < 2.6.2 opens you to the possibility of this attack.

  • Running Telnet. I always go for just SSH and dump Telnet altogether. The problem with Telnet is that it sends all user names, passwords, and data unencrypted. So, even after a successful login (meaning no one noticed how you got into the system), a malicious hacker can eavesdrop on any communication taking place between the client (your box) and the server (telnet).

  • Automatic remote process execution.

This list is by far not complete. I would be interested to learn about your experiences as related to server/CGI security. Have you ever had any of your Perl CGI scripts compromised? What about any of your server side scripts? What steps are you taking and would suggest to me/other monks to safeguard your/their system?

Thanks for your participation in this discussion! ;)

Update: oops, I forgot to use the &lt; in place of raw <, which 'deleted' a couple words from my original text. Sorry about that ;).
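The CGI-side measures vladb lists above (taint mode, filtering user input before it is echoed to a client, and a HTTP_REFERER check) as an added example. This is not code from the original post or from PerlMonks: the script, its parameter names (`user`, `file`, `msg`), the sample query string and the hypothetical host name are constructed for illustration, and it uses core Perl modules only so it can be run offline with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post: a minimal CGI-style handler
# showing taint mode (-T), whitelist untainting and output escaping with core
# modules only. Run it offline as:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted; system()/exec/backticks die unless PATH is
# explicitly set and the shell variables that alter command lookup are removed.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Decode an application/x-www-form-urlencoded query string into a hash.
# Values derived from a tainted input string stay tainted (s/// keeps the
# taint of the string it modifies), which is exactly what we want here.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $p{$k} = $v;
    }
    return \%p;
}

# Untaint only by extracting a capture that matches an explicit whitelist.
# /(.*)/ would also "untaint" but merely launders the data; -T is only as
# strong as the pattern chosen here.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([A-Za-z0-9_]{1,32})\z/;
    return $1;
}

# No slash, no leading dot: rules out ../ traversal and hidden files. Note that
# taint mode itself allows a tainted name in a read-only open(), so this
# whitelist, not -T, is what stops "..%2F..%2Fetc%2Fpasswd".
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/;
    return $1;
}

# Escape on output so user text cannot inject markup or script into the page
# served to other visitors.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# HTTP_REFERER is chosen by the client and trivially forged; checking it keeps
# casual cross-site form posts away but must not be treated as authentication.
sub referer_is_local {
    my ($referer, $host) = @_;
    return 0 unless defined $referer && defined $host;
    return $referer =~ m{\Ahttps?://\Q$host\E(?:[:/]|\z)}i ? 1 : 0;
}

# Constructed sample input, used when the script is not run under a web server.
my $qs = (defined $ENV{QUERY_STRING} && length $ENV{QUERY_STRING})
       ? $ENV{QUERY_STRING}
       : 'user=alice&file=..%2F..%2Fetc%2Fpasswd&msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

my $p    = parse_query($qs);
my $user = untaint_username($p->{user});
my $file = untaint_filename($p->{file});
my $ok   = referer_is_local($ENV{HTTP_REFERER}, 'www.example.org');  # hypothetical host

print "Content-Type: text/plain\n\n";
printf "raw user tainted: %d, untainted value: %s\n",
       tainted($p->{user}) ? 1 : 0, defined $user ? $user : '(rejected)';
printf "file %s\n", defined $file ? "accepted: $file" : "rejected: $p->{file}";
print  "safe html: ", html_escape($p->{msg}), "\n";
print  "referer accepted: $ok\n";
```

Run from a shell the constructed query string is a plain literal, so `tainted()` reports 0; under a web server `QUERY_STRING` comes from `%ENV` and the same code reports 1 for the raw value while the captured `$user` is clean. The `file` value is rejected by the whitelist in both cases, and the `msg` value is rendered as inert text.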

In reply to Security matters: keep thy doors closed! by vladb