William Tasso 2006-05-19, 7:18 am
| Fleeing from the madness of the http://groups.google.com jungle
ship <shiphen@gmail.com> stumbled into
news:alt.www.webmaster,comp.security.firewal...p.security.misc
and said:
> Okay fair enough. We could probably use some other protocol easily
> enough. I've never heard of either scp or sftp.
ok - a little research would be a good thing.
> But let me clarify where I am coming from. I am a middle-weight techie,
> not a heavy-weight. I spend most of my time sorting out content, doing
> graphic design, editing, copywriting, managing staff etc. I am not,
> and do not pretend to be a heavy-weight techie. In fact I don't even
> write code (shock horror!) - I simply run a website which is becoming
> quite high profile and needs to be run professionally. With me so far?
Completely - I have several clients that would say exactly that.
> Okay so I'm not a heavy-weight techie, but I do need to understand the
> heavy-weight techie ISSUES! Hence my presence here asking dumb
> questions. But I need to know what questions to ask our heavyweight
> techies and I need to be able to make reasonably sensible strategic
> decisions.
Diligence - examine the processes running on your server. Learn to know
what each does and why it is running.
> William you seem to know your stuff - in another post, you recommended
> FileZilla which seems to be quite robust. Thanks for that btw! Anyhow
> I've got FileZilla in the middle of a huge transfer as I write this, so
> I don't want to mess with it too much... but does it have the capability
> to do sFTP or SCP?
sFTP
> To answer some other points raised. The other folks on the IP ranges
> are so far all employees and/or freelance subcontractors. i.e. just 4
> IP numbers so far. So that's not a bad start.
With several developers it may pay you to investigate Subversion.
> It sounds like sFTP is probably a must (is that just encrypted FTP a
> bit like httpS: compared to http: ?)
That's a good working description.
> I am told by our techies that MySQL, Apache and Linux are all the
> latest versions.
> (Though how do I know our techies are telling the truth?!)
Is this a self managed box? or have you contracted out the daily
management?
> Likewise I have the same problem knowing about the Router.
Do you have a login for the router?
> So how do I make sure that all our web-browsers aren't vulnerable to
> attack and being taken over? I guess I need to make sure that they are
> all behind firewalls or something.
You can't on a distributed development arrangement. You have to manage
security at the server. That may mean not trusting the developers with
direct access to the server.
> And this is where my knowledge really does run out. There seem to be
> dedicated firewall boxes and software firewalls ( like those which come
> free with msWindows).
Personally, I'd never trust a firewall which runs on the box it is
protecting.
> [Aside: Now please don't start ranting about Micro$oft - I disapprove of
> them as much as the next man, but for now they are a necessary evil in
> the business world so can we move on...?]

> I'm not looking for the ULTIMATE security - just good, sensible stuff.
> Let's not get too paranoid here - after all there's nothing particularly
> interesting on the site in any case, but it might become a tempting
> target as it grows in profile!
Sure - all servers are targets for hacking. The objectives vary but
include building a network of drones to launch DDoS attacks on other
targets.
> DoS attacks. Gads not sure what one is supposed to do about that. Can
> dedicated firewall boxes help snuff that out automatically??
They can help - but a DDoS is expensive to repel.
> Regarding unwanted OUTgoing traffic - that's an interesting point. I'll
> have to find out.
Yes - it's a good measure. If your server suddenly starts sending
mail/irc/whatever traffic when it shouldn't be then you know you have a
problem.
> Btw, when everyone talks about firewalls do they mean dedicated
> hardware boxes or software running on a PC/server... or both?!
Personally, I always mean a dedicated box.
> I like Matt's idea of contacting hackers to see if they can get it. The
> only trouble is that I don't know of any - and any that I found I'd
> need to be able to trust 100%.
>
> Yes we aren't allowing any anonymous access to the back end of the
> server whatsoever. I mean users can read HTML files & JPEGs, GIFs etc
> and they can also fill in forms (formmail or something??) and they also
> have access to our php forms etc.
>
> But there is no anonymous FTP access allowed for example...
Code can be compromised - for example, research SQL injection.
You may wish to consider running php in 'safe mode' but be aware this only
applies protection within php - other apps may still be vulnerable.
In any event, good luck.
--
William Tasso
http://williamtasso.com/words/what-is-usenet.asp
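The advice above about watching for unexpected outgoing traffic (a server that suddenly starts sending mail or IRC traffic) can be turned into a small check. The following is an added example written for this thread, not code from the post or from any tool it mentions. It parses a constructed set of connection records in the style of `netstat`/`ss` output, treats connections initiated from a high local port as outbound, and reports any that go to a destination port outside an allow-list. The allow-list (DNS, HTTP/HTTPS, and a MySQL host) and the server address are assumptions for a typical LAMP box.

```python
"""Flag outbound connections a web server should not be making.

Added illustration for this thread (not the poster's code). The sample
records below are constructed, not captured traffic.
"""
import re
from collections import Counter

# Destination ports this server is expected to initiate connections to
# (assumption for a typical LAMP host): DNS, HTTP/HTTPS for updates,
# and the MySQL host.
EXPECTED_REMOTE_PORTS = {53, 80, 443, 3306}

# Services a web server normally has no business talking to on its own.
SUSPECT_PORTS = {25: "smtp", 6667: "irc", 6697: "irc-tls"}

# Constructed sample records: "proto local remote state process"
SAMPLE_CONNECTIONS = """\
tcp 10.0.0.5:443 203.0.113.9:51234 ESTAB apache2
tcp 10.0.0.5:80 198.51.100.20:40111 ESTAB apache2
tcp 10.0.0.5:44822 10.0.0.10:3306 ESTAB apache2
tcp 10.0.0.5:50312 192.0.2.77:6667 ESTAB perl
tcp 10.0.0.5:50313 192.0.2.78:25 SYN-SENT perl
udp 10.0.0.5:38821 10.0.0.1:53 ESTAB named
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<proc>\S+)$"
)


def parse(text):
    """Yield one dict per well-formed record; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        host, port = rec["remote"].rsplit(":", 1)
        rec["remote_host"], rec["remote_port"] = host, int(port)
        rec["local_port"] = int(rec["local"].rsplit(":", 1)[1])
        yield rec


def is_outbound(rec):
    # Heuristic: a high (ephemeral) local port means this host opened the
    # connection; 80/443 on our side is an inbound web client.
    return rec["local_port"] >= 1024


def find_unexpected_outbound(text, expected=EXPECTED_REMOTE_PORTS):
    """Return (process, remote_host, remote_port, label) for each outbound
    connection whose destination port is not on the allow-list."""
    findings = []
    for rec in parse(text):
        if not is_outbound(rec) or rec["remote_port"] in expected:
            continue
        label = SUSPECT_PORTS.get(rec["remote_port"], "unlisted")
        findings.append((rec["proc"], rec["remote_host"], rec["remote_port"], label))
    return findings


def summarize_by_process(findings):
    """Count findings per process name, e.g. {'perl': 2}."""
    return dict(Counter(proc for proc, *_ in findings))


if __name__ == "__main__":
    hits = find_unexpected_outbound(SAMPLE_CONNECTIONS)
    for proc, host, port, label in hits:
        print(f"UNEXPECTED outbound: {proc} -> {host}:{port} ({label})")
    print(summarize_by_process(hits))
```

On a real host you would feed it the output of `ss -ntup` (or `netstat -ntup`) from cron and alert on anything it returns; the allow-list is the part you must tailor to what the server legitimately does, which is exactly the "know what each process does and why" diligence recommended above.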
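The point that "code can be compromised" even with no anonymous FTP is illustrated below with SQL injection, the example named in the reply. This is an added example, not code from the post or from the site being discussed: a login query built by string concatenation beside the same query written with bound parameters, run against an in-memory SQLite table with constructed rows. The table, user names and passwords are made up for the demonstration.

```python
"""SQL injection: string-built query versus parameterised query.

Added example for this thread (not the poster's code). Uses an in-memory
SQLite database with constructed rows so it runs offline.
"""
import sqlite3


def make_db():
    """Create a throwaway users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The form input is pasted straight into the SQL text, so any quote
    or comment marker in the input changes the query's meaning."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    separately from the SQL text, so input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run both versions on the same input and return their results."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "safe": login_safe(conn, username, password),
    }


if __name__ == "__main__":
    # A username ending in a quote and an SQL comment marker makes the
    # concatenated query ignore the password clause entirely.
    print(compare("alice", "correct-horse"))  # both versions log alice in
    print(compare("alice' --", "anything"))   # only the vulnerable one does
```

The fix is the parameter placeholders, not escaping by hand: PHP's equivalent is prepared statements (mysqli or PDO with bound parameters), and it applies to every query that touches form input, not only the login.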