|P is for Practical|
Security matters: keep thy doors closed!by vladb (Vicar)
|on Jun 14, 2002 at 14:12 UTC||Need Help??|
Lately I was reading a fair amount of articles/web reports on various security issues. As it appears, there really is no web site at this point that could claim to be 100% hacker proof. On the one hand, you see all those unfortunate web masters using at least a few of the Mattís Perl scripts that are known to be somewhat buggy and hence insecure as also proven by the authors of the NMS project here. On the other hand, you get a handful of hardware associated security holes. Of course, there are various means to avoid those by installing proper firewall servers, disabling application features known to contain a number of easily exploitable bugs and etc. The task of safeguarding oneís server that is directly accessible by the Internet public seems to me a much harder undertaking.
Although one could never remain assured that his/her web site/server is completely impenetrable, Iím wondering what are the steps undertaken to make this monastery secure, for example? Sure we all are aware of the common techniques to shield our Perl cgi scripts from random hacker pranks, by making use of the taint feature, filtering user input for any embedded scripts that could run havoc on an unsuspecting clientís machine (especially crucial for sites such as this), and probably controlling who runs your cgi scripts (via the HTTP_REFERER string) amongst a number of other measures. You can read more on CGI security here or here.
Aside from CGI, thereís a great chance of having one of your server side scripts/daemons jeopardized or exploited. Iíve used a number of security scanners on a couple of servers of mine and was amazed at the results. On one occasion I was pointed in the direction of an FTP daemon/server that allowed anonymous access. At my previous company (a small start up), I recall seeing our main server hacked and exploited by a rookie (nearly inapt script kiddie) simply by playing with either our ftp server or telnet! Also, at my current job (a fairly large company), we had a number of intrusions. Some of the things to watch out for are listed here:
This list is by far not complete. I would be interested to learn about your experiences as related to server/CGI security. Have you ever had any of your Perl CGI scripts compromised? What about any of your server side scripts? What steps are you taking and would suggest to me/other monks to safeguard your/their system?
Thanks for your participation in this discussion! ;)
Update: oops, I forgot to use the < in place of raw <, which 'deleted' a couple words from my original text. Sorry about that ;).