WEReveal

More Changes Coming

Some may have noticed that I changed my theme. Chasing ButterfliesMy old one basically broke and this new one was handy, i.e., it was already sitting on my computer and I could install it quickly. Obviously, I made a couple changes to it (added a bit of green to the otherwise grayscale theme) but in general, I didn’t want to dink around with it since I am still trying to decide what to do next for a CMS. I am still leaning towards Drupal heavily since WordPress is stuck in MySQL land. But interestingly enough, I keep wandering back to Django despite Python (or maybe interestingly, because it does use Python?). But, while installing the theme, I noticed something disturbing….

It appeared based on the log files that someone had been trying to hack into the database. Fortunately, I had been keeping up on WordPress updates so the attempts didn’t work. But it got me to thinking I needed to look a bit more at my security. That thinking kind of wandered off, getting distracted by “pretty flowers.”

Unfortunately, the hackers didn’t wander off. Not only are they tying to attack my web server but also my mail server. Their attempts really got my mail server cranky and it complained loudly so that my “thinking” stopped chasing butterflies in the pretty flowers and refocused on the problem.

Basically, there are two or three main types of attacks that really bug me. DDoS attacks are annoying but don’t normally affect data. But attacks that try to get/modify/delete data, be it in files or in a database really bug me. Web pages with forms are one vector that is used to attack, the other is open ports. Since I close almost all ports on my servers to the outside world, attacks from that vector are manageable normally since there is only a few ports that the hackers can come through. As long as data being submitted via a web form are “sanitized” it reduces that vector to a minor annoyance as well.

So what was causing me distress? Paranoia, which is a system administrator’s best friend. Trust No One (TNO) is the mantra that SAs live by. TNO means that even when you let someone in a certain way, you do so with nukes hanging over their head. The hacker’s attacks came both through ports directly and through web forms. And so I started looking at my server setup.

First, I didn’t set my servers up in what I consider to be a more secure way, one that I use for my clients but didn’t for myself. I started with my mail server. I shut down all services that isn’t needed. I don’t need ftp on that server so, not only did I shut it off, I deleted the ftpd from the server. I don’t need Apache on that server so I did the same with that, moving certain web based tools over to the web server which has and needs Apache (and/or other http daemon). At this point, the only ports open on the mail server are ports used for the handling of mail. Makes me feel a bit better.

As to my web server, the main attacks are actually attempts to change info in the database. The hackers can’t access the database directly through ports since I have those database ports closed off to the outside world (localhost only). And like I said, WordPress does a pretty good job at sanitizing form data so that vector is closed.

But the hackers are sneaky. I noticed that they were coming into the server via port 80, I believe via telnet and trying all kinds of things. No joy for them but I was growling all the same. What caught my attention was some attempts which were trying to open up an outgoing connection via the database port, assuming I used some stateful firewall rules, using some php commands. Didn’t work, shouldn’t work, but it pushed me to take one final step in my security setup, one that we used at Internet Revealed and one that I use for my clients.

What is that security setup? Well, I am only starting it and the only reason I am mentioning it is because as I migrate to this new security setup, the web site and maybe even my mail server will be temporarily unavailable. I figure security through obscurity sort of works so I am not going to give full details but lets just say that direct database access on the web server is a sore point with me. If a hacker can some how compromise my web server (or mail server) they could then access the databases. I haven’t implemented these security steps fully yet, it will take me a while to slowly roll everything into it but when done I will sleep a bit better… who am I kidding, this never bothered my sleep… it only bothered me when I was awake and not chasing butterflies in a field of pretty flowers.

Leave a Reply