Apache Server configuration support - Re: Is known IP-number filtering pretty much all that is needed for website security/v


Author Re: Is known IP-number filtering pretty much all that is needed for website security/v
Todd H.

2006-05-19, 1:26 am

"ship" <shiphen@gmail.com> writes:
> Okay fair enough. We could probably use some other protocol easily
> enough. I've never heard of either scp or sftp.


Hi Ship,

In some cases, switching to scp or sftp may incur a little learning
from the content contributors to your website. The integrated ftp
clients in older web authoring packages may not support scp or sftp,
for instance. But you mention filezilla down below, so that may not
be any sort of issue.

> But let me clarify where I am coming from. I am a middle-weight techie,
> not a heavy-weight. I spend most of my time sorting out content, doing
> graphic design, editing, copywriting, managing staff etc. I am not,
> and do not pretend to be a heavy weight techie. In fact I don't even
> write code (shock horror!) - I simply run a website which is becoming
> quite high profile and needs to be run professionally. With me so
> far?


No problemo.

> William you seem to know your stuff - in another post, you recommended
> FileZilla which seems to be quite robust. Thanks for that btw! Anyhow
> I've got FileZilla in the middle of a huge transfer as I write this, so
> I don't want to mess with it too much... but does it have the capability
> to do sFTP or SCP?


Filezilla appears to support sftp according to
http://filezilla.sourceforge.net/documentation/

> To answer some other points raised. The other folks on the IP ranges
> are so far all employees and/or freelance subcontractors. i.e. just 4
> IP numbers so far. So that's not a bad start.


How many users are behind those 4 ip numbers though? With NAT, an
entire corporation's worth of users could be coming from just one
IP, for instance. All the same, restricting access to specific IP
addresses does cut down your exposure by quite a bit, so kudos for
that, but all the same, due to the internal threat, you'll still need
to pay attention to the other aspects mentioned in my first reply.

> It sounds like sFTP is probably a must (is that just encrypted FTP a
> bit like httpS: compared to http: ?)


Yeah, sorta. To further confuse things, there are different flavors
of ftp over ssl. sftp is different still, and scp different than
that. filezilla appears to handle it all except scp. If scp is
explicitly needed, there's a freebie called WinSCP that works nicely.

> I am told by our techies that MySQL, Apache and Linux are all the
> latest versions.
> (Though how do I know our techies are telling the truth?!)


Go to each product's download page and take a look at the versions that
are the latest. Then cross check that with what's installed. To tell
you how to find out what's installed, we'd need to know which distro
of linux you're running. I vaguely recall you mentioning ubuntu, and
it not being my distro of choice, I don't know the package query
commands off hand. apt-SOMETHING or yum I believe might be
involved. They have man pages if you have shell access to the box.

> Likewise I have the same problem knowing about the Router.
>
> So how do I make sure that all our web-browsers aren't vulnerable to
> attack and being taken over? I guess I need to make sure that they are
> all behind firewalls or something.


Your situation describes a perfect situation where the services of a
trusted, experienced penetration testing service can be valuable--when
you don't wanna take the sysadmin's word for it, and want to do due
diligence to get your vulnerabilities identified by good guys before
the bad guys find them. A common fallacy of security though is that
a firewall cures all, when in fact the task of a secure system is much
broader in scope.

> And this is where my knowledge really does run out. There seem to be
> dedicated firewall boxes and software firewalls ( like those which
> come free with msWindows). [Aside: Now please don't start ranting
> about Micro$oft - I disapprove of them as much as the next man, but
> for now they are a necessary evil in the business world so can we
> move on...?]
>
> I'm not looking for the ULTIMATE security - just good, sensible stuff.
> Let's not get too paranoid here - after all there's nothing particularly
> interesting on the site in any case, but it might become a tempting
> target as it grows in profile!
>
> DoS attacks. Gads not sure what one is supposed to do about that. Can
> dedicated firewall boxes help snuff that out automatically??


DoS remains a tough one. Ultimately, whoever has the most bandwidth
available will win that fight. But there are countermeasures
available to some degree.

> Regarding unwanted OUTgoing traffic - that's an interesting point. I'll
> have to find out.
> Btw, when everyone talks about firewalls do they mean dedicated
> hardware boxes or software running on a PC/server... or both?!


In the context of hosting, we're typically talking in terms of
servers, and usually dedicated firewall boxes. Heavy hitters are
like, Nokia, Netscreen, cisco PIX, for example.

> I like Matt's idea of contacting hackers to see if they can get it. The
> only trouble is that I don't know of any - and any that I found I'd
> need to be able to trust 100%.


Here's one:
http://www-1.ibm.com/services/us/in...ng/bcs/a1002382

Not cheap but it's hard to argue with Big Blue's integrity and experience.

> Yes we aren't allowing any anonymous access to the back end of the
> server whatsoever. I mean users can read HTML files & JPEGs, GIFs etc
> and they can also fill in forms (formmail or something??) and they also
> have access to our php forms etc.


Sounds good. However, php forms can be big trouble--it's not that PHP
is necessarily bad or anything, but it doesn't automagically sanitize
user form data either, so vulnerabilities like SQL injection whereby
an attacker can dump your entire database contents, or even execute
commands on the server are all too common and created by ignorance in
web application programming.

Formmail you have to be careful with too. That script has a mile long
history of security flaws, and when incorrectly configured is known as a
"use my web server to send spam!" invitation.

Best Regards,
--
Todd H.
http://www.toddh.net/
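
Added example, not part of Todd H.'s post or of the original thread: the two form risks named in the reply's last paragraphs (unsanitized PHP form data reaching SQL, and a mail form usable as a relay), each shown beside a hardened form. The table, addresses, function names and input values are constructed for illustration, and the script assumes PHP 7.1+ with the pdo_sqlite extension, using in-memory SQLite in place of the site's MySQL.

```php
<?php
// Constructed demo: in-memory SQLite table standing in for the site's MySQL data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (name TEXT, email TEXT)");
$db->exec("INSERT INTO members VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Constructed form input: a value that is SQL syntax rather than a name.
$input = "nobody' OR '1'='1";

// Weak: form data is pasted into the statement, so the input rewrites the query.
function lookup_concat(PDO $db, string $name): array {
    $sql = "SELECT email FROM members WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the statement text is fixed; the input is bound as data only.
function lookup_bound(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT email FROM members WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Mail form: the recipient is fixed server-side, and any field that ends up in
// a mail header is rejected if it contains CR or LF (which would add headers).
const CONTACT_TO = 'webmaster@example.com'; // hypothetical address

function build_mail(string $replyTo, string $subject, string $body): ?array {
    foreach ([$replyTo, $subject] as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            return null; // extra header smuggled in, or a broken client
        }
    }
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['to' => CONTACT_TO, 'subject' => $subject,
            'headers' => 'Reply-To: ' . $replyTo, 'body' => $body];
}

printf("concatenated query returned %d rows\n", count(lookup_concat($db, $input)));
printf("bound query returned %d rows\n", count(lookup_bound($db, $input)));
var_dump(build_mail('visitor@example.com', 'Hello', 'Hi there') !== null);
var_dump(build_mail("visitor@example.com\r\nBcc: list@example.com", 'Hello', 'x'));
```

The array from build_mail() is meant to be handed to whatever mail call the site uses; the point is that the visitor never chooses the recipient and cannot add header lines.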
Copyright 2003 - 2009 webservertalk.com