The Uniform Server Community

Security Testing?


rustyp


Once we get our Uniform Server up and running and looking the way we want it, and put together some sort of web page and web applications, no doubt we will want to show it off to our friends and family members, but I worry about security holes and don't want someone from the outside (bots on the web) owning my computer system or snooping around my computer. Is there some sort of testing software we can run on our web sites to see if we have any security issues?

 

I was planning on running a web site off my home computer. Would it be more secure if I ran it in a Windows XP virtual machine? Is there a way a hacker could access the data outside the virtual machine?

 

Thanks in advance, thanks so much for the Uniform Server and the constant updating.


Hi, you can install the mod_security2 Apache module.

 

For the system you can install a firewall and try using Harden-It. To block the bots you can use robots.txt, or you can use an IP filter program to block known search engines; you can use .htaccess to block them also.

 

If you run it in a virtual machine, I doubt they can access it. :)

 

*notes*

I use US for my private server also and have no problem with it :) (I block some problem countries and search engines, and my site is invisible to Mr G and other search engines.)

I'm not a coder nor a programmer. I just love learning from error :P


Thanks for the reply; it seems pretty advanced for me.

 

I took a quick look at the mod_security2 Apache module; that looks like a pretty complex install for my skill level. Any reason why it's not already installed on the Uniform Server?

 

Are there any open source programs that are like Harden-It? After reading about Harden-It it sounds like something that should have come with XP heh.

 

Can you expand on the "US"? I am not sure what you're talking about.

 

Thanks much for the reply.


Hi rustyp :)

 

US = Uniform Server :)

 

mod_security2 is a little complex, but once you know the basics it's so easy :) (I personally use it to block user agents and common XSS attacks and nothing else.)

 

I agree with you :) Harden-It is easy to set up, or you can use SafeXP just to patch against SYN attacks :)

 

You can use ZBBlock with your script to add some protection.

 

Or you can use .htaccess for simple protection :)

 

:) all the best

I'm not a coder nor a programmer. I just love learning from error :P
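As an added example (not the poster's own configuration, and not something the Uniform Server ships), here is a minimal ModSecurity 2.x rule set that does what the reply above describes: reject a couple of scanner user agents and a crude XSS pattern, and nothing else. The rule IDs, the user-agent strings and the regex are assumptions chosen for illustration; SecRule directives go in httpd.conf (or a file included from it), not in .htaccess.

```apache
# Added example: minimal mod_security2 rules for Apache httpd.conf.
# Everything below is an assumption for illustration, not a vendor rule set.
<IfModule security2_module>
    # Start with DetectionOnly and read the audit log before switching to On,
    # so legitimate forum posts are not blocked by an over-eager rule.
    SecRuleEngine On
    SecRequestBodyAccess On

    # Rule 1000001: refuse two user-agent strings commonly seen from scanners
    # (assumed names; extend the @pm phrase list with what your own logs show).
    SecRule REQUEST_HEADERS:User-Agent "@pm libwww-perl masscan" \
        "id:1000001,phase:1,deny,status:403,log,msg:'Blocked user agent'"

    # Rule 1000002: reject a <script ...> tag in any query-string or form
    # parameter. This is a crude XSS check, not a full rule set such as the
    # OWASP Core Rule Set; it will also trip on a phpBB post containing that tag.
    SecRule ARGS "@rx (?i)<\s*script" \
        "id:1000002,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'Possible XSS in request argument'"
</IfModule>
```

Before going live with this, run it with `SecRuleEngine DetectionOnly` for a few days and review the audit log: every hit is logged but nothing is blocked, which shows whether the rules would have interfered with normal phpBB or gallery traffic.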


  • 1 year later...

Any other thoughts on this? I am currently running UniServer 8.0.0 on WinXP with all current updates and would like to take it live on the web, but I am not sure how to check and see if I have a big security leak; no doubt I am no match for the dumbest hackers lol.

 

Any step by step instructions for taking UniServer 8.0.0 live?

 

Thanks in advance, great site, great people, really great product UniServer 8.0.0 is bravo!


Rustyp,

First off, well wishes for your new site. The Uniform Server is a good starting point.

 

As traxxus says, make sure you have only port 80 open and aimed at the proper machine. I expect that you have a NAT router in front of it. Consider it like a DMZ and don't have any other stuff running on it. That way you can back it up and restore in case of an attack. This may rule out using your "home computer", unless you have a second one for all your important information. If someone hacks through to the machine, you want to be able to kill and reload it.

 

I'm not suggesting that breaches happen all the time. It's just that there are bots looking for easy targets. I run an ftp server at home, and the log shows daily probes for common user name logon attempts. These are from bots at work.

 

The WinXP firewall isn't as secure as the Vista/Win7 version, which can be secured enough to forgo mod_security, which is likely overkill at this point. I'll look it over to see how it can be set up as a plugin.

 

One thing you didn't mention is the audience type for your server, and whether you expect it to be open to everyone or just a select few. Will you need it to be found by search engines?

 

Regards,

BobS


Hi thanks for the replies.

 

The site will be used to run phpbb3 message board.

Regular html web pages.

probably a photo album like Gallery3 or Coppermine.

 

It will be running on a dedicated machine: XP with all the latest MS upgrades, P4 3.0 GHz, 2 GB RAM.

 

traxxus, any details on the .htaccess file mods? I am pretty ignorant when it comes to .htaccess. Maybe let me have a peek at the settings you're using. Maybe others can also suggest mods I need to make to the file?

 

BobS, I don't know anything about NAT. The computer will be connected to the web using cable internet access; it runs first through a cable modem, then through a router that is both wired and wireless. Not sure right now if I will be running this computer with the wireless or with the LAN; not sure if it matters.

 

It would be nice to be secure enough I could register it on Google.

 

The docs with the Uniform Server are really, really good. It would be nice if we could develop instructions on taking the server online, then how to secure it, along with a HUGE disclaimer about the user getting hacked no doubt lol, just step by step instructions to get us started, then include key words and phrases for us to search the web and research further.

 

Thanks again.


Right,

That article is a good start (but needs to be updated), and we're in the process of developing more info along the lines of "going live".

 

NAT (Network Address Translation) is what your little home router is doing to get you private addresses like 192.168.x.x.

 

I would suggest you NOT tell Google about this page, since that would create far too much traffic for your home connection. Your local ISP would frown on that much traffic. That's why there are hosting services instead.

 

The ideal way to use The Uniform Server is as an off-line test and development environment. Then the site info can be ftp'd to the live location. You can use The Uniform Server in a live test, but don't tell the world about it. Think of it like learning to drive in a protected large parking lot or quiet residential street, and not on the expressway.

 

Regards,

BobS


 

traxxus, any details on the .htaccess file mods? I am pretty ignorant when it comes to .htaccess. Maybe let me have a peek at the settings you're using. Maybe others can also suggest mods I need to make to the file?

 

 

Hi

 

Look at these things in .htaccess:

 

Security:

Disable hotlinking on pictures

Disable directory listing by adding this line: Options -Indexes

 

Performance:

Your page loads faster when you add this to the .htaccess:

#------------------------------------------------------------------------------
# Set Expires headers - the page renders faster because the browser uses its cache
#------------------------------------------------------------------------------
# Wrapped in IfModule so Apache does not return a 500 error if mod_expires or
# mod_headers is not loaded.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "now"
ExpiresByType text/html "now"
ExpiresByType text/xml "now"
ExpiresByType text/php "access plus 1 years"
ExpiresByType text/css "access plus 1 years"
ExpiresByType text/javascript "access plus 1 years"
ExpiresByType application/javascript "access plus 1 years"
ExpiresByType application/x-javascript "access plus 1 years"
ExpiresByType text/ecmascript "access plus 1 years"
ExpiresByType image/gif "access plus 1 years"
ExpiresByType image/png "access plus 1 years"
ExpiresByType image/jpeg "access plus 1 years"
ExpiresByType image/ico "access plus 1 years"
ExpiresByType image/icon "access plus 1 years"
ExpiresByType image/x-icon "access plus 1 years"
ExpiresByType video/x-flv "access plus 1 years"
ExpiresByType video/quicktime "access plus 1 years"
ExpiresByType application/x-shockwave-flash "access plus 1 years"
ExpiresByType application/pdf "access plus 1 years"
</IfModule>
<IfModule mod_headers.c>
# Static assets: long-lived, shareable by proxies
<FilesMatch "\.(png|jpg|gif|css|flv|ico)$">
Header set Cache-Control "max-age=290304000, public"
</FilesMatch>
# Dynamic pages: always revalidate
<FilesMatch "\.(php|html)$">
Header set Cache-Control "max-age=0, must-revalidate"
</FilesMatch>
</IfModule>

 

 

Here you can find very useful information to build your own .htaccess file:

http://perishablepress.com/press/2006/01/1...taccess-tricks/
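The two security items in the reply above (hotlink protection and Options -Indexes) written out as a working .htaccess, with the user-agent blocking from earlier in the thread done the .htaccess way. This is an added example, not traxxus's own file; the host name example.com and the two bot names are assumptions, and the allow/deny syntax is the Apache 2.2 form.

```apache
# Added example .htaccess for the document root (the www directory).
# example.com and the user-agent strings below are assumptions for illustration.

# 1. No directory listings when a folder has no index.php / index.html.
Options -Indexes

# 2. Hotlink protection: serve images only when the Referer is empty (direct
#    visits, some privacy tools) or comes from our own host; otherwise 403.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
</IfModule>

# 3. Refuse requests from a couple of user agents (assumed names), the
#    .htaccess equivalent of blocking them in mod_security2.
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent "libwww-perl" bad_bot
    SetEnvIfNoCase User-Agent "masscan"     bad_bot
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
</IfModule>
```

Two checks before relying on it: the `<Directory>` block for www in httpd.conf must have an `AllowOverride` that includes `Options` and `FileInfo` (or `All`), otherwise Apache answers every request with a 500 error as soon as this file is present; and on Apache 2.4 the `Order`/`Allow`/`Deny` lines are replaced by `<RequireAll> Require all granted / Require not env bad_bot </RequireAll>`. Remember that the Referer and User-Agent headers are sent by the client, so a determined scraper can simply omit or forge them; this stops casual hotlinking and noisy bots, not a targeted attacker.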


Thanks for the replies and help. Any update on the "going live" idea?

 

I found this in the wild what do you think?

 

Protect Your Site with a Blackhole for Bad Bots

http://perishablepress.com/press/2010/07/1...khole-bad-bots/

 

Also take a look at http://perishablepress.com/5g-firewall-beta/

 

Just cut and paste it into the .htaccess file located in the root of the www dir?

 

Thanks.


As the phrase goes, "Some assembly required." BTW, Perishable Press is reputable and been around a while.

 

It looks like you need to implement this very carefully, since it can have seriously adverse effects, which would be hard to debug if done all at once.

So, no, don't just cut and paste. Better to snip and glue small, incremental parts. :)

 

Regards,

BobS
