Overclock.net


Post #1 · PCCstudent (Premium Member, 7,161 posts) · Discussion Starter
Setting up my first Untangle box (going well) and I asked the tech his recommendations on port 80 protection for the home hosted web site. He did not give much encouragement to me in accomplishing this task. Basically he said port 80 protection for a website that is open to the world is a constant checking and changing (meaning software) exercise and if I want to offer my website to the world it is best to let a hosting service deal with site protection.

The tech did offer if I wanted to present my site to "less than the entire world" there were many different ways to do this (and thus remain "unhacked"). My question is, is it so difficult (to the extreme) to protect port 80 if it is open to the world? The Untangle rep. was not the only person I have spoken to that felt if I want to be protected I must be restrictive in who I offer myself to.
 

Post #2 · parityboy (Linux Lobbyist, 3,744 posts)
Whether you get "hacked" or not is dependent on the software you're using to host your website, and how secure its configuration is. For example, there is no way I would expose IIS to the global Internet, but a huge portion of the web is run on the Apache HTTP Server, running on Linux. If it was hugely vulnerable, every website on the 'Net would have been defaced a long time ago.

The trick is to:

a) Limit the number of ports open to the Internet, aside from port 80.

b) Pick an OS for the hosting machine that's known to be reasonably secure (not Windows), and learn where the vulnerabilities are, and how to close them up.

c) Pick a web server and do the same as b). Apache HTTP Server is the number one choice of course, but Apache Tomcat also delivers good performance as a web server.

A good option might be to run the web site inside a virtual machine, which will allow you to contain its running environment even further. Additionally, you may want to run the site on a different port other than 80, and run a "honey trap" site on port 80. Most attacks seem to be done by robots, and they will naturally target port 80.

Lastly, learn to read logs, so that you spot the signs of an attack. Keep continuous backups of your site. Sign up to security mailing lists and watch for notices concerning the software you use.

Basically, you are now a system administrator.
 
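As an added example, not from the thread or from any poster: a short POSIX shell script that reads Apache combined-format access log lines and flags the two patterns a new administrator most often sees from robots hitting port 80, a burst of 4xx responses from a single address and requests whose path carries a classic probe or traversal string. The log lines are constructed for illustration; the threshold and the path patterns are assumptions to tune for your own site.

```shell
#!/bin/sh
# Added example (not from the thread): spot signs of automated probing in an
# Apache combined-format access log. In that format awk sees the client IP in
# field $1, the request path in $7 and the HTTP status code in $9.

# Constructed sample log lines (not real traffic). One scanner probing for
# admin panels, one normal visitor with a single broken image link, and one
# script trying directory traversal.
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2011:03:14:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [10/Jan/2011:03:14:02 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [10/Jan/2011:03:14:02 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [10/Jan/2011:03:14:03 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [10/Jan/2011:03:15:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2011:03:15:11 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2011:03:15:12 +0000] "GET /missing.png HTTP/1.1" 404 209 "http://example.test/" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2011:03:20:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 209 "-" "Python-urllib/2.6"'

# Print every client IP that produced at least THRESHOLD 4xx responses.
# One visitor mistyping a URL is noise; a run of 404s from one address is
# somebody walking a wordlist against your server.
flag_error_bursts() {   # usage: flag_error_bursts THRESHOLD < access.log
    awk -v limit="$1" '
        $9 ~ /^4/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip }
    ' | sort
}

# Print IP and path for requests carrying classic probe strings: directory
# traversal (".."), admin-panel guesses this site does not serve, and the
# well-known w00tw00t scanner signature. Extend the pattern for your own site.
flag_suspicious_paths() {   # usage: flag_suspicious_paths < access.log
    awk '$7 ~ /\.\.|phpmyadmin|pma|myadmin|w00tw00t/ { print $1, $7 }' | sort -u
}

# Stand-alone usage on the constructed sample (replace with < /var/log/apache2/access.log).
printf '%s\n' "$SAMPLE_LOG" | flag_error_bursts 3
printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_paths
```

Run against the real log with `flag_error_bursts 20 < /var/log/apache2/access.log` and the output is the short list of addresses worth reading in full; addresses that show up repeatedly are candidates for a firewall block, and new paths in the second report tell you which software the robots are currently hunting for.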

Post #3 · beers (Premium Member, 14,051 posts)
Also, typically you want to place any WAN facing service inside of a DMZ.
Devices in a DMZ cannot initiate connections into your 'inside' network.

Therefore, if your box becomes compromised, your entire internal LAN is not.
 

Post #4 · PCCstudent (Premium Member, 7,161 posts) · Discussion Starter
parti, I like the new job description. It will be pretty neat to learn how to interpret the log. Using a non-Windows OS as your first line of defense makes sense (this is explained in a Cisco ASA book I just got, author Richard Deal). It makes sense that if you present an appliance with an OS that most have little knowledge of (like the OS in an ASA) it will be much harder to get hacked.

When I get back with Untangle for "best practices" when using their version of a DMZ I will get some info on the port manipulation as I do want to employ this tactic. I am coming to the conclusion that site security is surely not a "set it up and forget it" type thing. I am getting the Premium Package with support from Untangle. The way I look at it is I have a Networking Instructor available whenever I want for 50.00 a month. I will take this deal for some months (until I pick their brains clean). +rep.

EDIT: I wanted to mention how much of a tool the Untangle box is. The setup is not as complicated as an ASA setup (I have only done Cisco routers in Packet Tracer but I have been told an ASA setup is similar). The difficult part with the Cisco appliance (at least for me) is I find the language cryptic and there is no "hand-holding" at all. Untangle is not at all intimidating and if you know your basic Networking concepts (not even so high as a CompTIA grad.) you can do Untangle. I really recommend it to others who want to get their feet wet in Networking.
Beers, thank you and +rep also.

The photo is my website (the Dell) and in the middle is my Untangle and on the end is my "internal" client. I am using XP Pro, Apache, a bridged Actiontech 1000 modem and some static IPs. There I have broken a major rule of site security and showed my hand.
 

Post #5 · parityboy (Linux Lobbyist, 3,744 posts)
Quote (Originally Posted by beers):
Also, typically you want to place any WAN facing service inside of a DMZ.
Devices in a DMZ cannot initiate connections into your 'inside' network.

Therefore, if your box becomes compromised, your entire internal LAN is not.

I was going to mention DMZs, but I read somewhere recently that DMZs have fallen out of favour (can't remember the reason why). One thing to note with a DMZ is that the box is completely isolated from your internal network, so if you want to transfer files to it, it's sneakernet or nothing.
 

Post #6 · PCCstudent (Premium Member, 7,161 posts) · Discussion Starter
I was wondering how file transfer went with a box in a DMZ. File transfer techniques was/is one of my questions when I make contact with Untangle on Monday. I know most use Filezilla (myself currently) but I have been looking at a company (pay for) called Serve-U for FTP host. Serve-U is darn expensive and I need to look at why; they do put out a great technical newsletter every month.
 

Post #7 · ComGuards (Premium Member, 4,484 posts)
I still think setting up two separate subnets is the way to go - with a perimeter network, and an internal LAN... You can then control routing between the two networks AND control what actually faces the internet..
 

Post #8 · parityboy (Linux Lobbyist, 3,744 posts)
Quote (Originally Posted by ComGuards):
I still think setting up two separate subnets is the way to go - with a perimeter network, and an internal LAN... You can then control routing between the two networks AND control what actually faces the internet..

Yeah but...you work in a datacentre...you're spoiled.
It would be a good exercise for the OP though.
 

Post #9 · ComGuards (Premium Member, 4,484 posts)
Quote (Originally Posted by parityboy):
Yeah but...you work in a datacentre...you're spoiled.
It would be a good exercise for the OP though.

I have a perimeter network at home... easily created using DD-WRT routers...
 

Post #10 · PCCstudent (Premium Member, 7,161 posts) · Discussion Starter
ComGuards, can you draw out a rough topology for me (maybe others would like to see also). Untangle just emailed me on Sunday? They want me to sign up for Premium Support. In my last "security" thread it was suggested I get the 871 router to go with the 5505 ASA appliance. Now I will have to look up what a DD-WRT router means. Just got word my Saturday CCNA class got canceled, low enrollment. I was really looking forward to this lecture.

Really, I have not seen the phrase DD-WRT.

EDIT: DD-WRT = Linux firmware applicable for replacement in certain routers.
 

Post #11 · parityboy (Linux Lobbyist, 3,744 posts)
Quote (Originally Posted by PCCstudent):
I was wondering how file transfer went with a box in a DMZ. File transfer techniques was/is one of my questions when I make contact with Untangle on Monday. I know most use Filezilla (myself currently) but I have been looking at a company (pay for) called Serve-U for FTP host. Serve-U is darn expensive and I need to look at why; they do put out a great technical newsletter every month.

Technically, if the host resolution is set right on source and destination boxes, you should be able to contact your DMZ box from inside your network - the connection should go outwards to your ISP's router(s) and then back in, and vice versa (assuming an inbound hole is opened in your router).
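As an added example covering both beers' DMZ rule earlier in the thread (a DMZ host may answer connections but never start one towards the inside network) and the question here of reaching the DMZ box from the LAN: an nftables ruleset for a three-interface firewall. It is not Untangle's configuration and not anyone's from the thread. The interface names wan0, lan0 and dmz0, the LAN range 192.168.1.0/24, the DMZ web server 192.0.2.10 and the public address 198.51.100.2 are assumptions. The hairpin rule at the end is what lets LAN clients reach the site by its public address "out and back in" through the firewall itself; a router has to be configured for that, and the simpler alternative is to connect to 192.0.2.10 directly, which the LAN-to-DMZ rule already permits.

```shell
#!/bin/sh
# Added example, not from the thread or from Untangle: a three-zone nftables
# ruleset. Assumed names/addresses: wan0 (public 198.51.100.2),
# lan0 (192.168.1.0/24), dmz0 (web server 192.0.2.10).

dmz_ruleset() {
cat <<'EOF'
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish TCP/80 from the Internet, forwarded to the DMZ web server.
        iifname "wan0" tcp dport 80 dnat to 192.0.2.10
        # Hairpin: LAN clients using the public address also land on the server.
        # The DMZ is its own segment, so replies already return via the
        # firewall and conntrack undoes the DNAT; no extra source NAT needed.
        iifname "lan0" ip daddr 198.51.100.2 tcp dport 80 dnat to 192.0.2.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted pass; every rule below is
        # about who may *initiate* a connection, which is the whole DMZ idea.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: the web server's published port only.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 80 accept

        # LAN -> DMZ: administrators push site content and manage the box
        # (SSH/SFTP, plus HTTP for testing). No sneakernet required.
        iifname "lan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 22, 80 } accept

        # LAN -> Internet.
        iifname "lan0" oifname "wan0" accept

        # DMZ -> Internet: only what the server needs to stay patched
        # (DNS, and HTTP/HTTPS to package mirrors).
        iifname "dmz0" oifname "wan0" udp dport 53 accept
        iifname "dmz0" oifname "wan0" tcp dport { 80, 443 } accept

        # DMZ -> LAN: never. Log hits, because traffic here means the web
        # server is probing inward, i.e. it has probably been compromised.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan " drop
    }
}
EOF
}

# Load into the kernel (requires root and the nft binary).
apply_ruleset() { dmz_ruleset | nft -f -; }

# Print the ruleset for review when the script is run directly.
dmz_ruleset
```

The order matters: the `established,related` rule lets the server's replies to port 80 requests out without any DMZ-to-WAN rule, while the explicit DMZ-to-LAN drop sits under a default `policy drop`, so adding a new LAN service later does not silently open a path from the web server into the house. The `dmz-to-lan` log prefix is the line to watch for in the firewall's logs.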
 

Post #12 · PCCstudent (Premium Member, 7,161 posts) · Discussion Starter
Untangle informs that default settings allow for file transfers both in and out of DMZ. This is a highly configurable feature.
 

Post #13 · ComGuards (Premium Member, 4,484 posts)
Quote (Originally Posted by PCCstudent):
ComGuards, can you draw out a rough topology for me (maybe others would like to see also). Untangle just emailed me on Sunday? They want me to sign up for Premium Support. In my last "security" thread it was suggested I get the 871 router to go with the 5505 ASA appliance. Now I will have to look up what a DD-WRT router means. Just got word my Saturday CCNA class got canceled, low enrollment. I was really looking forward to this lecture.

Really, I have not seen the phrase DD-WRT.

EDIT: DD-WRT = Linux firmware applicable for replacement in certain routers.

See this link for explanation of a perimeter network:
http://msdn.microsoft.com/en-us/library/bb680878.aspx

Alternatively:
http://technet.microsoft.com/en-us/l.../bb694250.aspx
 

Post #14 · parityboy (Linux Lobbyist, 3,744 posts)
@ComGuards

What tool do you use to draw network topologies? Does such a tool exist for Linux?
 

Post #15 · ComGuards (Premium Member, 4,484 posts)
Quote (Originally Posted by parityboy):
@ComGuards

What tool do you use to draw network topologies? Does such a tool exist for Linux?

lol. I did not draw those. I liberally copied the link to the image file from the Microsoft article.

But those icons and symbols look just like Microsoft Visio, which is what I use...
 