WEReveal

More Changes Coming

Some may have noticed that I changed my theme. My old one basically broke and this new one was handy, i.e., it was already sitting on my computer and I could install it quickly. Obviously, I made a couple changes to it (added a bit of green to the otherwise grayscale theme) but in general, I didn’t want to dink around with it since I am still trying to decide what to do next for a CMS. I am still leaning towards Drupal heavily since WordPress is stuck in MySQL land. But interestingly enough, I keep wandering back to Django despite Python (or maybe interestingly, because it does use Python?). But, while installing the theme, I noticed something disturbing…

It appeared based on the log files that someone had been trying to hack into the database. Fortunately, I had been keeping up on WordPress updates so the attempts didn’t work. But it got me to thinking I needed to look a bit more at my security. That thinking kind of wandered off, getting distracted by “pretty flowers.”

Unfortunately, the hackers didn’t wander off. Not only are they trying to attack my web server but also my mail server. Their attempts really got my mail server cranky and it complained loudly so that my “thinking” stopped chasing butterflies in the pretty flowers and refocused on the problem.

Basically, there are two or three main types of attacks that really bug me. DDoS attacks are annoying but don’t normally affect data. But attacks that try to get/modify/delete data, be it in files or in a database, really bug me. Web pages with forms are one vector that is used to attack, the other is open ports. Since I close almost all ports on my servers to the outside world, attacks from that vector are manageable normally since there are only a few ports that the hackers can come through. As long as data being submitted via a web form are “sanitized” it reduces that vector to a minor annoyance as well.

So what was causing me distress? Paranoia, which is a system administrator’s best friend. Trust No One (TNO) is the mantra that SAs live by. TNO means that even when you let someone in a certain way, you do so with nukes hanging over their head. The hacker’s attacks came both through ports directly and through web forms. And so I started looking at my server setup.

First, I didn’t set my servers up in what I consider to be a more secure way, one that I use for my clients but didn’t for myself. I started with my mail server. I shut down all services that aren’t needed. I don’t need ftp on that server so, not only did I shut it off, I deleted the ftpd from the server. I don’t need Apache on that server so I did the same with that, moving certain web based tools over to the web server which has and needs Apache (and/or other http daemon). At this point, the only ports open on the mail server are ports used for the handling of mail. Makes me feel a bit better.

As to my web server, the main attacks are actually attempts to change info in the database. The hackers can’t access the database directly through ports since I have those database ports closed off to the outside world (localhost only). And like I said, WordPress does a pretty good job at sanitizing form data so that vector is closed.
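One way to verify the state described above (only role-specific ports exposed, database listeners bound to localhost) is to audit the listening sockets against an allowlist. This is an added example, not code from the original post; the `ss` sample output, the role names and the per-role port lists are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (Linux); not taken from the post.
SAMPLE_SS = """\
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 0.0.0.0:993 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 80 [::]:5432 [::]:*
LISTEN 0 128 [::1]:6010 [::]:*
LISTEN 0 128 *:80 *:*
"""

# Assumed policy: which ports each server role may expose to the outside world.
PUBLIC_ALLOWED = {"mail": {25, 465, 587, 993}, "web": {80, 443}}


def parse_listeners(ss_output):
    """Yield (address, port) for every listening TCP socket in `ss -H -tln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        yield addr, int(port)


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds ('*', 0.0.0.0, ::) are not."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or anything unparseable is treated as externally reachable


def audit(ss_output, role):
    """Return sorted (address, port) pairs reachable from outside that the role does not allow."""
    allowed = PUBLIC_ALLOWED[role]
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if not is_loopback(addr) and port not in allowed
    )


if __name__ == "__main__":
    for addr, port in audit(SAMPLE_SS, "mail"):
        print(f"unexpected listener on {addr}:{port}")
```

A listener bound to a wildcard address counts as exposed even when a firewall blocks it, so the report shows what would be reachable if the firewall rules were ever lost.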

But the hackers are sneaky. I noticed that they were coming into the server via port 80, I believe via telnet and trying all kinds of things. No joy for them but I was growling all the same. What caught my attention was some attempts which were trying to open up an outgoing connection via the database port, assuming I used some stateful firewall rules, using some php commands. Didn’t work, shouldn’t work, but it pushed me to take one final step in my security setup, one that we used at Internet Revealed and one that I use for my clients.

What is that security setup? Well, I am only starting it and the only reason I am mentioning it is because as I migrate to this new security setup, the web site and maybe even my mail server will be temporarily unavailable. I figure security through obscurity sort of works so I am not going to give full details but let’s just say that direct database access on the web server is a sore point with me. If a hacker can somehow compromise my web server (or mail server) they could then access the databases. I haven’t implemented these security steps fully yet, it will take me a while to slowly roll everything into it but when done I will sleep a bit better… who am I kidding, this never bothered my sleep… it only bothered me when I was awake and not chasing butterflies in a field of pretty flowers.
