Main » 2011 » Март » 16 » Why do I need firewall on Web projects
12:45
Why do I need firewall on Web projects
Hello, usually when you create projects on the Internet with the security issue more attention is given to a Web application, and the protection of the server to forget, namely firewall'e. I understand that the server configuration, including firewall, should do a special person - a sysadmin, but in many situations, it turns out that a programmer myself admin. To tune the firewall, even a programmer will take only about 1 day - this will eliminate the potential problems. Which? I'll tell a little story "hacking."

In my city, the provider who takes the leading position, a local tracker, rather large (do not mention the illegality, we are only interested in the issue of security of the project). Because I am developing another tracker I'm interested in different opportunities, and I periodically I go to different trackers, including him.
Once I saw error 502 Bad Gateway on nginx, and later decided to go directly to the apache. Usually outweigh the apache on port 8080. Gone - hence firewall is not configured, looked at the response headers - was FreeBSD. I think that those who raise fryahu, should be quite experienced in setting up and simply forgot to close the port when installing nginx as frontend and backend as apache'a.
So I decided to check out:) Nmap to verify that all ports that applications use open: 21, 22, 25, 80, 3306, 8080, and several other ports.
Because I also engaged in development, I knew that this engine tracker (torrentpier) has the ability to use a caching memcached. Checked the standard port memcached - the port was opened. Posted prostetsky script connections to memcached. Having studied the sources torrentpier, I learned the names of keys, which is a write cache. Of them have been interesting 2 values: an array of settings, tracker and full-html-code of the main page for nezaloginennogo user.
The settings I learned tracker login, password and address of the smtp server, ie a potential attacker can already send spam (smtp is not too close).
I tried the password from the smtp as the administrator password tracker - turned out I got administrative access to the tracker.
I understand that it was "good" set of circumstances, but simply to close the ports would have helped.

Conclusions


In addition to the security of the web application (php, python, ruby, etc), but also about the security of the server (eg firewall) and all instruments used in parallel. Just need to make a different password for everything (mail, database, ftp), even at level 1 of the project.

PS: He did it I did not order anything to break, but just "sport" of interest. Administrator of the tracker was almost immediately notified of the possibility of "hacking", including on each step.
% Username%, and you have configured firewall?
Views: 495 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: