Security Testing?

rustyp · April 1, 2010

Once we get our Uniform Server up and running and looking the way we want it, put together some sort of web page and web applications no doubt we will want to show it off to our friends and family members, but I worry about security holes and dont want someone from the outside (bots on the web) owning my computer system or snooping around my computer, is their some sort of testing software we can run on our web sites to see if we have any security issues?

I was planning on running a web site off my home computer would it be more secure if I ran it in a Windows XP virtual machine, is their a way a hacker could access the data outside the virtual machine?

Thanks in advance, thanks so much for the Uniform Server and the constant updating.

TeduhDulu · April 2, 2010

hi you can install mod_security2 apache module

for system you can install firewall and try using hardenit to block the bot you can use robots.txt or you can use ipfilter program to block known search engine you can use .htaccess to block also

if you run in virtual machine i doubt they can access it ..

*notes*

i use US for my private server also and have no problem with it ( i block some problem country and search engine and my site is invisible from Mr G and other search engines

rustyp · April 2, 2010

Thanks for the reply it seems pretty advanced for me.

I took a quick look at the mod_security2 apache module that looks like a pretty complex install for my skill level, any reason why its not already installed on the Uniform Server?

Are their any open source programs that are like Harden-It ? After reading about Harden-It it sounds like something that should have came with XP heh

Can you expand on the "US" I am not sure what your talking about.

Thanks much for the reply.

TeduhDulu · April 5, 2010

Hi rustyp

US = Uniform Server

mod_security2 is a lil complex, but once you know the basic it so easy ( i personally use it to block UA agent and common XSS attack and nothing else )

I agree with you Harden-It is easy to setup or you can use SafeXP just to patch syn attack

you can use ZBBlock with your script to add some protection

or you can you .htaccess for simple protection

all the best

rustyp · December 21, 2011

Any other thoughts on this I am currently running UniServer 8.0.0 on WinXP with all current updates would like to take it live on the web but not sure how to check and see if I have a big security leak, no doubt I am no match for the dumbest hackers lol

Any step by step instructions for taking UniServer 8.0.0 live?

Thanks in advance, great site, great people, really great product UniServer 8.0.0 is bravo!

traxxus · December 22, 2011

As i know, Coral is very secure from default.

I have a server live in the web, and my security steps are:

Firewall:

Only port 80 is open

Apache:

Im using the .htaccess - there is a LOT you can do for security and performance

BobS · December 22, 2011

Rustyp,

First off, well wishes for your new site. The Uniform Server is a good starting point.

As traxxus says, make sure you have only port 80 open and aimed at the proper machine. I expect that you have a NAT router in front of it. Consider it like a DMZ and don't have any other stuff running on it. That way you can back it up and restore in case of an attack. This may rule out using your "home computer", unless you have a second one for all your important information. If someone hacks through to the machine, you want to be able to kill and reload it.

I'm not suggesting that breaches happen all the time. It's just that there are bots looking for easy targets. I run an ftp server at home, and the log shows daily probes for common user name logon attempts. These are from bots at work.

The WinXP firewall isn't as secure as the Vista/Win7 version, which can be secured enough to forgo mod_security, which is likely overkill at this point. I'll look it over to see how it can be set up as a plugin.

One thing you didn't mention is the audience type for your server, and whether you expect it to be open to everyone or just a select few. Will you need it to be found by search engines?

Regards,

BobS

rustyp · December 22, 2011

Hi thanks for the replies.

The site will be used to run phpbb3 message board.

Regular html web pages.

probably a photo album like Gallery3 or Coppermine.

It will be running on a dedicated machine, XP all the latest MS upgrades, P4 3.0 ghz 2 gig ram

traxxus, any details on the .htaccess file mods I am pretty ignorant when it comes to .htaccess. Maybe let me have a peak at the settings your using. Maybe others can also suggest mods I need to make to the file?

BobS I dont know anything about NAT. The computer will be connected to the web using a cable internet access, it runs first through a cable modem then through a router that is both wired and wireless. Not sure right now if I will be running this computer with the wireless or with the LAN not sure if it matters.

It would be nice to be secure enough I could register it on Google.

The docs with the uniform server are really really good. It would be nice if we could develop instructions on taking the server online then how to secure it along with a HUGE disclaimer on the user getting hacked no doubt lol just step by step instructions to get us started then include key words and phrases for us to search the web and research further.

Thanks again.

rustyp · December 23, 2011

The following is a step-by-step guide how to secure MySQL server on Uniform Server.

http://wiki.uniformserver.com/index.php/MySQL_Security

BobS · December 24, 2011

Right,

That article is a good start (but needs to be updated), and we're in the process of developing more info along the lines of "going live".

NAT (Network Address Translation) is what your little home router is doing to get you private addresses like 192.168.x.x.

I would suggest you NOT tell Google about this page, since that would create far too much traffic for your home connection. Your local ISP would frown on that much traffic. That's why there are hosting services instead.

The ideal way to use The Uniform Server is as an off-line test and development environment. Then the site info can be ftp'd to the live location. You can use The Uniform Server in a live test, but don't tell the world about it. Think of it like learning to drive in a protected large parking lot or quiet residential street, and not on the expressway.

Regards,

BobS

traxxus · December 30, 2011

traxxus, any details on the .htaccess file mods I am pretty ignorant when it comes to .htaccess. Maybe let me have a peak at the settings your using. Maybe others can also suggest mods I need to make to the file?

Hi

Look at these things @htaccess:

Security:

Disable hotlinking on pictures

Disable directory listing with add this line: Options -Indexes

Performance:

Your page loading faster when you add this to the htaccess:

#------------------------------------------------------------------------------
# Expire setzen - Seite baut schneller auf, da der Browser den Cache nutzt
#------------------------------------------------------------------------------
ExpiresActive On
ExpiresDefault "now"
ExpiresByType text/html "now"
ExpiresByType text/xml "now"
ExpiresByType text/php "access plus 1 years"
ExpiresByType text/css "access plus 1 years"
ExpiresByType text/javascript "access plus 1 years"
ExpiresByType application/javascript "access plus 1 years"
ExpiresByType application/x-javascript "access plus 1 years"
ExpiresByType text/ecmascript "access plus 1 years"
ExpiresByType image/gif "access plus 1 years
ExpiresByType image/png "access plus 1 years"
ExpiresByType image/jpeg "access plus 1 years"
ExpiresByType image/ico "access plus 1 years"
ExpiresByType image/icon "access plus 1 years"
ExpiresByType image/x-icon "access plus 1 years"
ExpiresByType video/x-flv "access plus 1 years"
ExpiresByType video/quicktime "access plus 1 years"
ExpiresByType application/x-shockwave-flash "access plus 1 years"
ExpiresByType application/pdf "access plus 1 years"
<FilesMatch "\.(png|jpg|gif|css|flv|ico)$">
Header set Cache-Control "max-age=290304000, public"
</FilesMatch>
<FilesMatch "\.(php|html)$">
Header set Cache-Control "max-age=0, must-revalidate"
</FilesMatch>

Here yo ucan find very useful information to build your own htaccess file:

http://perishablepress.com/press/2006/01/1...taccess-tricks/

rustyp · January 7, 2012

Thanks for the replies and help any update on the "going live" idea?

I found this in the wild what do you think?

Protect Your Site with a Blackhole for Bad Bots

http://perishablepress.com/press/2010/07/1...khole-bad-bots/

Also take a look at http://perishablepress.com/5g-firewall-beta/

Just cut and paste it into the htacess file located in the root of the www dir?

Thanks.

BobS · January 10, 2012

As the phrase goes, "Some assembly required." BTW, Perishable Press is reputable and been around a while.

It looks like you need to implement ths very carefully, since it can have seriously adverse effects, which would be hard to debug if done all at once.

So, no, don't just cut and paste. Better to snip and glue small, incremental parts.

Regards,

BobS

Security Testing?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation