Posted on 21-Oct-2001 11:50 GMT by Christian Kemp | 6 comments
Jack Meihauf wrote:
Is there such a thing these days? With the word that amiga.org was hacked, maybe we should be securing our web sites? Well, there's always one thing that comes first.
And that is backups. It also pays not to keep backups on the same server.
The administrooskis should pay more attention to security, and also the security of the backups.
An example. Don't name backups yoursite2, yoursite3 etc., if you're going to leave them on the server. I truly hope Amiga.Org didn't name their backups ao2, ao3 etc. That would be truly silly.
Anyway, best of luck in getting the site up and running, you'll need it with these types of people around. Hmm. Maybe you should offer them a job securing the site?
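The two pieces of advice in the post above (keep backups off the web server, and if a copy does stay on the box, don't give it a guessable name next to the live site) can be turned into a quick audit. The script below is an added example, not code from the ANN.lu thread or from amiga.org: it walks a document root looking for backup-style artifacts (editor leftovers, dumps, archives, and the "ao2/ao3 beside ao" pattern), then shows a backup routine that refuses to write inside the web root and names the archive with a random token. The suffix list, the regex heuristic, the sample tree built by `build_sample_docroot` and the function names are all assumptions made for the illustration.

```python
"""Audit a web root for predictably named backup copies and produce a backup
that lives outside it.  Added illustration, not code from the ANN.lu thread;
the suffix list, regex and sample tree below are constructed assumptions."""
import re
import secrets
import tarfile
import tempfile
import time
from pathlib import Path

# Extensions that editors, dump tools and hand-made copies commonly leave behind.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~",
                   ".tar", ".tar.gz", ".tgz", ".zip", ".sql", ".sql.gz")
# A name like "ao2" or "config3" sitting next to "ao" / "config": the
# "yoursite2, yoursite3" pattern the post warns about.
NUMBERED_COPY = re.compile(r"^(?P<base>[A-Za-z_][A-Za-z0-9_-]*?)(?P<n>\d{1,3})$")


def find_exposed_backups(docroot):
    """Return docroot-relative paths that look like backup copies.

    Heuristic: a known backup suffix, or a numbered name whose un-numbered
    sibling also exists.  Results are for human review, not auto-deletion."""
    docroot = Path(docroot)
    hits = []
    for path in docroot.rglob("*"):
        rel = path.relative_to(docroot).as_posix()
        if path.name.lower().endswith(BACKUP_SUFFIXES):
            hits.append(rel)
            continue
        m = NUMBERED_COPY.match(path.stem)
        if m and (path.parent / (m.group("base") + path.suffix)).exists():
            hits.append(rel)
    return sorted(hits)


def archive_outside_docroot(docroot, backup_dir, site="site"):
    """Tar the docroot into backup_dir, refusing a backup_dir under docroot,
    and give the archive an unguessable name so it cannot be fetched by URL."""
    docroot, backup_dir = Path(docroot).resolve(), Path(backup_dir).resolve()
    if backup_dir == docroot or docroot in backup_dir.parents:
        raise ValueError("backup directory must not be under the web root")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = backup_dir / f"{site}-{stamp}-{secrets.token_hex(8)}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(docroot, arcname=site)
    archive.chmod(0o600)          # readable by the backup user only
    return archive


def build_sample_docroot(base):
    """Constructed sample tree: a live site plus the mistakes the post warns about."""
    root = Path(base) / "htdocs"
    for rel in ("ao/index.php", "ao/config.php", "ao/config.php.bak",
                "ao2/index.php", "ao3/index.php", "dump.sql", "ao.tar.gz",
                "images/logo.png"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")
    return root


def demo():
    """Run both checks on the constructed tree in a scratch directory."""
    base = Path(tempfile.mkdtemp(prefix="secure-site-"))
    root = build_sample_docroot(base)
    hits = find_exposed_backups(root)
    archive = archive_outside_docroot(root, base / "backups", site="ao")
    rejected = False
    try:
        archive_outside_docroot(root, root / "private")   # must be refused
    except ValueError:
        rejected = True
    return {"hits": hits, "archive": archive,
            "rejected_inside_docroot": rejected,
            "archive_outside": root.resolve() not in archive.parents}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the sample tree the audit flags `ao.tar.gz`, `ao/config.php.bak`, `ao2`, `ao3` and `dump.sql`, and leaves the live `ao` tree alone. The random token only buys anything once the archive is outside the document root; the real fix is the post's first point, so in practice the returned archive path is what you hand to rsync or scp to copy to another host.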
Secure Websites : Comment 1 of 6 | ANN.lu
Posted by Anonymous on 21-Oct-2001 15:52 GMT
I have heard from people on IRC since the attack that apparently amiga.org used a version of PHPNuke with well publicised security holes in it.
So, don't just back up; install all the latest security patches. So many NT servers get hacked because administrators don't bother installing the latest service pack or patch, therefore there is a well-publicised hole that they haven't done anything about. But as ANN is purpose-built it shouldn't suffer from this problem.
Secure Websites : Comment 2 of 6 | ANN.lu
Posted by mbpark on 22-Oct-2001 00:32 GMT
In reply to Comment 1 (Anonymous):
What it comes down to is having a group of admins that really know what they are doing.
I feel bad for Wayne, because he's got so much more going on that he needs to concentrate on, as well as a website.
Running a secure website means being totally paranoid. It's insane how much work you have to do, no matter what the OS, to make sure that things are straight.
Especially in the Amiga community, where several people like to create wars because of their products, and because these selfsame people ruin it for the rest of us by making the Linux crowd look tame by comparison with their zealotry and hatred. Theo DeRaadt should take lessons from some of the people in the Amiga community.
I do a lot of work with several secure websites, and it's a bitch. I have to be absolutely sure I am doing everything right and then double-check myself again. I've been owned before on my servers, and any admin who isn't a total overconfident ass will tell you the same. We learn each time.
Incidents like this make me think that Bill McEwen and Fleecy Moss must love what they are doing more than anything else, especially with some of the hatred present in this community, and the large amount kicked up by DE and 4.0 apparently.
I want amiga.org back up, as do my Amiga-using friends. We can't let the idiots bring us down.
fggh on #c-64 (efnet)
Secure Websites : Comment 3 of 6 | ANN.lu
Posted by Solar (BAUD) on 22-Oct-2001 05:11 GMT
In reply to Comment 1 (Anonymous):
Amiga.org was already undertaking efforts to replace PHPNuke, since they had other problems (performance, consistency) with it also. They only kept the old database online so they could continue their service instead of showing an "under construction" banner for the next few months.
If the product is discontinued, you usually don't spend that much time keeping it in mint condition.
Secure Websites : Comment 4 of 6 | ANN.lu
Posted by Anon User on 22-Oct-2001 08:29 GMT
> What it comes down to is having a group of admins that really know what they are doing.
> fggh on #c-64 (efnet)
Though the blame-the-admin statement is something that many companies would like to believe, I've rarely seen that be the case. When companies have website outages there are specific reasons for this. Yes, at times having an admin w/o knowledge or not doing their job is an issue. However, as an admin myself I've gone to management with various projects to improve the security and stability of a website. However, management has to cut or minimize IT budgets and spending. Thus, many of the proposals we've done to improve things do not get approved.
Clustering and/or local load balancing multiple servers together. This will create a failover server that will take over when the first one dies. Unfortunately, this a bit more than doubles the cost of the original website. Turned down due to capital restrictions.
Geographic load balancing. This will create a failover server on the west coast to help handle more traffic and take activity when our server on the east coast dies. Once again this doubles the cost (2 servers) plus there's the additional cost of the geographic load balancers (double cost again). Turned down due to capital restrictions.
Firewalling - Important to increase network security and create a DMZ. Turned down due to capital restrictions. Management just desires ACL lists on the switch to prevent traffic other than port 80 (http) from being allowed into the server. Turned down due to capital restrictions.
I take offense at people believing that the only reason web servers/services do not function or have been hacked is due to the admin's inadequate ability. Many of these admins have the ability, have made proposals to tighten security, create failover services, and want to make the Web Service better for the company. Instead we're cited reasons why the company cannot make that move.
If you've worked on Web Services for a company you'll know what I mean. Nothing is better than having a server crash due to hardware issues, then working on auditing procedures and processes with an internal company task force because the company claims they lost over $1,500,000 for the two-day period the server was down, only to turn around and hand them a project you created over a year ago that, had the company spent $10-15,000, would have helped to eliminate the outage of the service. It's amazing how that $15,000 opens up. However, when you bring up the other possible problems and solutions you've created you get push back again because of costs.
So, I agree there are those admins that mess up. (Hey, there are doctors, lawyers, and pilots that mess up.) But that's not the only reason for an issue on the web. Other reasons are things that companies cite they didn't do because of X, Y, or Z.
Secure Websites : Comment 5 of 6 | ANN.lu
Posted by mbpark on 23-Oct-2001 00:58 GMT
In reply to Comment 4 (Anon User):
Yes, I work as an admin and architect on some VERY high-traffic sites. I have experience with everything needed to put together some very large-scale networks.
I'm a paranoid SOB because I've worked on larger sites.
Admins, especially when you work on extremely large sites that have a staff of 20 on them as just administrators, and items like Solaris, Veritas, Oracle, EMC Symmetrix disk arrays, WebLogic, and some bad-ass iPlanet web servers, need to be extra-vigilant about patches and security.
When you start talking about sites that get Slashdot-level page views, you've got to have a large level of process and someone monitoring BUGTRAQ on a regular basis, as well as one heck of an IDS in place.
Even if you don't, you need process and procedures in place to check these things out. Admins are the ones responsible for it. I spend a lot of my time "templating" what I know to share it with the other admins.
And don't use "budgetary constraints" to explain away a lack of process :). If ya need load balancing so bad, Linux does a fine job and you can use plenty of recycled hardware to do so. It also makes a darn decent firewall and IDS and costs $0.00 when you use the old Pentium boxes from HR. It also works quite well as a VPN with pptpd if you're in a bind and can't afford Checkpoint or Cisco.
Secure Websites : Comment 6 of 6 | ANN.lu
Posted by alan on 24-Oct-2001 21:18 GMT
Of course there's such a thing as a secure site. It's one where you don't run any services... not exciting really.
As soon as you add ANY server-side scripts you run into issues... It's not only your OS and server you have to worry about (and believe me, if you're running Solaris you've got lots of patches to worry about... Apache ain't too bad as a server... we ALL know how bad IIS is! ;-) )
I was wondering why amiga.org haven't moved to using the Slashdot software package for their site? It's VERY powerful and VERY cool.