Solved

Network design for web hosting with security in mind

Posted on 2012-04-09
7
309 Views
Last Modified: 2012-06-27
Hello there,

I've been having a lot of trouble with people who does not have anything useful to do with their time and go around disrupting other people's businesses by cowardly hacking and defacing small business websites.

It made me adopt a different position, trying to avoid as much as posible the invasions with the least cost/effort.

Most of the time, the issue was related to the fact that some weak security against sqlinjection and writable folders and files on the acoounts.

I only host websites that were designed with our framework, which has quite a few hands on the coding and might still have a few security holes. On top of that, I do not provide FTP access to the client, only me and my crew have access to the server. The panel is Plesk and no client has access to it, only me and a few guys from my crew.

Supposedly, I am in a very comfortable position, different from hosts that host applications done by third party, offer ftp access and panel access.

Based on that I am facing two issues:
1 - My network design must be rethought considering maximum security againg hackers and the sort.

2 - I need a complete audit on the actual websites to learn of possible holes that can be patched.

Lets explore issue 2 first.
I was thinking of publishing the website on a shared hosting account at any host and post a project either on elance or rent a coder or else to have other people find out the security issues so I can patch them.

What is your take on as how to proceed?

Regarding issue number 1, I was wondering if hosting all the website digital files (images mostly and files like pdf, doc, zip etc) on a separate server, maybe Amazon Cloud Drive and having no writable directories or files on the website itself would be a considerable move to prevent hackers from running scripts under the domain.
Aditionally, backups would be a breeze for me if content from hundreds of websites were stored under one single account.

On top of that I'd make sure my websites are completely sqlinjection free, if theres such a thing.

Id really appreciate someones view into that.

Thanks!

Eder
0
Comment
Question by:Ederwainer
  • 4
  • 2
7 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37826361
first the network should be done by your ISP due to a proepr installed network firewall, while the system security is either your job or that of the ISP too depending on your type of contract
if this is done, your system (network ports, file permissions, etc.) is proper protected according common standards
then you only have your web application with vulnerabilities which may be exploited to gain access to your data, your system or missuse your system
this means that you have to ensure that your application is proper coded according doing a good input validation of all data, encoding all output according the destination system (HTML for output to the browser, proper escaping to avoid SQL injections when send to database, etc.) and, if appropriate, a good access control
most of this should be done by source code ananlyses or at least a source code review

If you're unsure where to start according threats, vulnerabilities and risks, I'd suggest to start with OWASP top 10
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
0
 

Author Comment

by:Ederwainer
ID: 37826955
When you say my ISP you mean the datacenter where I have servers, in this case Godaddy.
I run dedicated servers with pre-installed OS and control panel for web hosting. However, datacenters usually offer lots of service and I have to pick what is best for me and design it accordingly, or pay top dollars for third party to do so, but I'm not there yet as my revenue is still short.

Most of the problems took place due to write permission to folders, so I thought If I end the write permission, even if they get to the database they wont be able to delete/replace/add files.

The distance also plays a big role on this, as backing up data locally takes ages due to all the network nodes the connection goes through. So I thought of hiring S3 service from Amazon and have all the digital files to be stored and retrieve from their servers, as amazon has servers in my country (Brazil)

Im putting my framework to test by posting a project at elance so coders and technicians can find holes for me, as it is quite large application.

Comments are much appreciated
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37826966
> Most of the problems took place due to write permission to folders, ..
hmm, setting more restrictive permissions is just a second line of defence, defence in depth, or name it ...
the problem is the code which writes, you need to identify and fix that code

when you you have no resources for paied services, then you simply can setup your own network firewall; as you use linux for your servers, iptables is on board and will protect yll unvanted access if configured proper (i.g. you only need port 80 and 443 open for incoming requests and anyting else closed)
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:Ederwainer
ID: 37826981
That is very clear to me now, so I'll focus on securing the application.
Do you happen to know any online service that can scan/navigate the framework, locate input fields and test it for vulnerabilities?

Thanks

Eder
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 300 total points
ID: 37827013
there're various online services, but the quality depends (no further comment:)
for tools start here:
https://www.owasp.org/index.php/Phoenix/Tools
http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
0
 
LVL 33

Assisted Solution

by:Slick812
Slick812 earned 200 total points
ID: 37828666
greetings  Ederwainer, , , Web host settings and server security is a very very LARGE subject, and has several very different parts (like "Linux security",  "Apache security", "php security", "mySQL security", "SQL injection vulnerability", "file upload vulnerability" and several others, along with those that have parts of several of these combined). My first suggestion would be for you to consider "Narrowing" your security questions down , by separating what you ask about, like ask two different questions about "file permission security" and  "SQL injection vulnerability", these two are (to me) widely different in their problems and solutions. Also by separating your security concerns in to different categories, you may be able to get better "Professional" help for your site's reviewers-consultants , , as an "Apache security" consultant, may not know very much about the "SQL injection vulnerabilities". And looking at your entire site for all of it (instead of ONE security aspect) would take too much time, and not have a good Focus.

- - - - - - - - - - - - -
You ask about security for - "write permission to folders", without saying much of your problems, Anyway, I will say that for file access for client-user uploaded file, I never have these in web-accessed folders, I store these in folders below the HTTP access level, and then I use a PHP access point to retrieve all of the "User" files as -
http://www.domain.com/user.php?log=123&file=fHj7Jk2Rz6Jl
you can then check many things (logged in, file exists, security, etc.) with user.php and then get the correct file (image, zip, pdf) to send to the browser . Although I may have misunderstood your problem. But as already stated, changing the write permissions seems like a secondary effort, maybe not addressing the primary problem.

AS to SQL injection, please consider using the more recent and secure "MySQL Improved" php API , , mysqli was added in PHP ver 5, and is Improved in several ways, most important to me is the "Support for Prepared Statements" which uses TWO different input channels to the MySQL functioning, one for the actual SQL instructions  (SQL statement string) and another data transfer channel for the Data blocks to use in that statement.


There are advantages to using a cloud file service like "Amazon Cloud Drive", but also some disavantages, I tried the "Amazon Cloud Drive" as a test, but I did not use it in production, In my case It was way too time consuming to to redesign my site and all database tables and access methods for the Cloud Drive with sign-in and access requests, but maybe if you started with a "New Fresh" web site you could not have to re-write alot of you code. But my concerns for the Cloud Drive was NOT security, so that may be good for you?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37828868
> ... then I use a PHP access point to retrieve all of the "User" files as ..
hmm, why the risk of a script for simple read-only access?
you don't need any script or program on any server for just delivering static content, that's a core web server functionality
KISS - keep it stupid secure :-)
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now