| Re: I've reached in my pocket again.
[Re: Robi]
#118409 09/28/07 12:54 AM 09/28/07 12:54 AM |
Joined: Jul 2003 Posts: 121 Valencia - Spain aestela
member
|
member
Joined: Jul 2003
Posts: 121 Valencia - Spain | In case that it helps... At Tacticat we use a not-too-old version of PHP-nuke as CMS. No hacking so far, after some 18 months. Nuke is not Joomla but it works for us.
No firewalls, the only precaution we've added is to restrict the web site to russian and another country IP addresses (can't remember which other country). No russian sailors at Tacticat.
We're being probed everyday and have had a couple of DoS (Denial of Service attacks) that were solved by our provider.
Maybe we are just lucky (crossing fingers).
Amando.
Last edited by aestela; 09/28/07 01:05 AM.
| | | Re: I've reached in my pocket again.
[Re: aestela]
#118410 09/28/07 01:15 AM 09/28/07 01:15 AM |
Joined: May 2003 Posts: 4,451 West coast of Norway Rolf_Nilsen
Carpal Tunnel
|
Carpal Tunnel
Joined: May 2003
Posts: 4,451 West coast of Norway | I know two simple CMS which has not been hacked yet. The two I wrote <img src="http://www.catsailor.com/forums/images/graemlins/grin.gif" alt="" /> 'Hackers', or more likely, the script kiddies, targets the large systems which they can get the most "cred" for cracking. I suppose that's why the systems I did have not been cracked to date.
Using HTML is OK for one, two or three skilled operators, but even then it is a bother. There will be problems with consistency, messed up pages and concurrency. When the current operator(s) move on, you need someone skilled at HTML as replacement and this person can be hard to find. A CMS is great for allowing several people to cooperate on running a website, from anywhere in the world. No client software except a browser is needed unlike what you do with pure HTML.
There is no easy solution. The obvious thing to do is to upgrade our Joomla version as soon as new versions are available. Switching CMS will be a lot of work, and we might be off just as bad as with the current CMS (PHP-nuke used to be cracked a lot earlier, when I looked at it). The safest solution is to SSH to the server and use vi for editing. I would not want to do that, even if it is what I usually have to when things break down. Putting the webserver behind a firewall, preferably a proxy firewall, seems to help a lot.
There are no clear answers to this. If possible, I would suggest an upgrade and a firewall. Even the buildt in packet filtering in Linux these days do OK for protection. | | | Re: I've reached in my pocket again.
[Re: Rolf_Nilsen]
#118411 09/28/07 02:19 AM 09/28/07 02:19 AM |
Joined: Sep 2007 Posts: 7 Topscan
stranger
|
stranger
Joined: Sep 2007
Posts: 7 | As a suggestion you could setup a virtual Web development desktop, let multiple web authors connect to this desktop using Remote Desktop client from there home computer, map local drives for simple file and picture transfer, use MS Expression to mange the website, Expression can be coded in HTML, ASP, JS and many other technologies. What to use exactly would depend on how many collaboration web authors there are and what functionality you would like to have, blogs, vlogs, picture gallery, video, RSS, forums etc. You would achieve a central content storage that single or multiple web authors can access and build there part of the web site from, also simple to backup remotely.
In a nutshell the web development tools, library of content should be avaible online to the authors. That means many authors can work on it and also take turns, I guess you will have many people queued up for this well paid job…
Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd
That was my 2 cent
Cheers Chris | | | Re: I've reached in my pocket again.
[Re: Topscan]
#118412 09/28/07 03:07 AM 09/28/07 03:07 AM |
Joined: May 2003 Posts: 4,451 West coast of Norway Rolf_Nilsen
Carpal Tunnel
|
Carpal Tunnel
Joined: May 2003
Posts: 4,451 West coast of Norway | Chris, my experience is that you really dont want RDP open to the Internet. Uploading any kind of file to a server on the internet using the MS filesystem (CIFS) seem to be slow. It's not a fast protocol (CIFS) suitable for anything but work on a LAN in my opinion. Further, the more advanced technology you put on a website, the harder it becomes both to manage and to secure. Programmers and developers are human and make mistakes. These mistakes are what crackers use to compromise security. More code equals more errors and more paths into your system. Agree that the tools, libraries etc. should be accessible online. That is what a CMS do, besides taking control of how things are presented. With a CMS, like Joomla, the authors dont break the design of the website like no doubt would happen with Expression. Expression is a tool for designing sites, while a CMS is a tool for filling the website with content. That is an important difference. Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd
Spot on! | | | Re: I've reached in my pocket again.
[Re: Rolf_Nilsen]
#118413 09/28/07 07:04 AM 09/28/07 07:04 AM | Anonymous
Unregistered
| Anonymous
Unregistered | Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd
Spot on! The developer is more important than the user? That would defeat the purpose of the site. There are plenty of extremely amateurish sites around, obviously created without a CMS, that drive me crazy. Not to minimize the significance of the security issues, but at least the F16 site looks good - and imo is appealing to people wanting to learn about the class. One positive with Joomla is that there is an active user/developer community. If there are security problems (and assuming the problem actually lies there and not with mysql or something) at least there is a mechanism for getting these fixed eventually. Anyhow, to come back to the original point - thanks again Paul for all your work on this. | | | Re: I've reached in my pocket again.
[Re: Topscan]
#118414 09/28/07 07:27 AM 09/28/07 07:27 AM |
Joined: Jul 2005 Posts: 465 Oxford, UK pdwarren
addict
|
addict
Joined: Jul 2005
Posts: 465 Oxford, UK | Behind a Firewall if you want (=less risk of being hacked). Nope. Doesn't make any difference if it's the web application itself that is vulnerable. We've been running this particular web server for 7 years and it hosts hundreds of websites. In this time we've seen a handful of hacking attempts and the vast majority of them are down to poorly written PHP. Paul | | | Re: I've reached in my pocket again.
[Re: Rolf_Nilsen]
#118416 09/28/07 07:37 AM 09/28/07 07:37 AM |
Joined: Jul 2005 Posts: 465 Oxford, UK pdwarren
addict
|
addict
Joined: Jul 2005
Posts: 465 Oxford, UK | 'Hackers', or more likely, the script kiddies, targets the large systems which they can get the most "cred" for cracking. I suppose that's why the systems I did have not been cracked to date.
Unfortunately, it's not always exposure they're after. Often they just want access to a box to add to their botnets. Using HTML is OK for one, two or three skilled operators, but even then it is a bother. There will be problems with consistency, messed up pages and concurrency. When the current operator(s) move on, you need someone skilled at HTML as replacement and this person can be hard to find.
That's true. For some other websites I do, I've got a very long way using Template Toolkit which can take care of many of the consistency issues. If done right, it can also provide a good way to run a staging server to preview the site after any changes, and obvious feature which most content "management" systems seem to lack. A CMS is great for allowing several people to cooperate on running a website, from anywhere in the world. No client software except a browser is needed unlike what you do with pure HTML. The downside is that you know HTML, doing anything in a CMS seems painfully cumbersome, and you get the bonus risks of being hacked because your CMS was written by people who don't have a clue. There is no easy solution. The obvious thing to do is to upgrade our Joomla version as soon as new versions are available.
Yep, and that was last done less that two weeks ago... Putting the webserver behind a firewall, preferably a proxy firewall, seems to help a lot.
Won't help at all with this type of exploit, but may reduce the damage that they do as a result. Even the buildt in packet filtering in Linux these days do OK for protection.
Yep - we've been using that for years. Our policy prevents opening up listening ports, which is what the second stage of many exploits rely on. You're right that there are no easy answers. I intend to stick with Joomla for the moment, and when it gets hacked I'll just rant to the forum and get laughed at by my colleagues <img src="http://www.catsailor.com/forums/images/graemlins/grin.gif" alt="" /> The site's still off-line, I'm afraid. I'll probably collapse from jet lag this evening (although I might just get drunk first), but hopefully I'll have some time to fix it tomorrow. Paul | | | Re: I've reached in my pocket again.
[Re: pdwarren]
#118417 09/29/07 08:16 AM 09/29/07 08:16 AM |
Joined: Jul 2005 Posts: 465 Oxford, UK pdwarren
addict
|
addict
Joined: Jul 2005
Posts: 465 Oxford, UK | The site is back online. If anyone cares, here's what happened:
PHP comes with one of the worst security risks known to man, "register globals". When this is turned on, any parameters you pass in the URL overwrite global variables with the same name in your PHP. Now, imagine that your CMS relies on a global variable that specifies a directory where it can find its config from, and that this location can also be a URL (i.e. can reference a file on another webserver). Yep, that's right: simply specify a URL parameter and you can execute arbitrary PHP on the webserver.
So, everyone turns off register globals. Unfortunately, this breaks a lot of poorly written Joomla components. So the clever people at Joomla invented register globals emulation, and turned it on by default, because obviously having some components not working is far far worse than leaving a gaping security hole in your CMS.
Paul | | | Re: I've reached in my pocket again.
[Re: Robi]
#118419 09/29/07 11:23 AM 09/29/07 11:23 AM |
Joined: Jun 2001 Posts: 9,582 North-West Europe Wouter
Carpal Tunnel
|
Carpal Tunnel
Joined: Jun 2001
Posts: 9,582 North-West Europe |
I agree, Paul you are the man !
Many thanks thanks !
Wouter
Wouter Hijink Formula 16 NED 243 (one-off; homebuild) The Netherlands
| | | Re: I've reached in my pocket again.
[Re: Wouter]
#118420 09/29/07 02:27 PM 09/29/07 02:27 PM |
Joined: Jan 2005 Posts: 6,049 Sebring, Florida. Timbo
Carpal Tunnel
|
Carpal Tunnel
Joined: Jan 2005
Posts: 6,049 Sebring, Florida. | Soo...what's the link?? I can't find it on google.
Blade F16 #777
| | | Re: I've reached in my pocket again.
[Re: scooby_simon]
#118422 09/29/07 04:26 PM 09/29/07 04:26 PM |
Joined: Jan 2005 Posts: 6,049 Sebring, Florida. Timbo
Carpal Tunnel
|
Carpal Tunnel
Joined: Jan 2005
Posts: 6,049 Sebring, Florida. | Thanks! BTW, they have 3 Blades and 3 Spitfires here in Dubai, along with many other cats, and a great cat club on the beach!
Blade F16 #777
| | | Re: I've reached in my pocket again.
[Re: Robi]
#118424 09/29/07 10:51 PM 09/29/07 10:51 PM |
Joined: Jan 2005 Posts: 6,049 Sebring, Florida. Timbo
Carpal Tunnel
|
Carpal Tunnel
Joined: Jan 2005
Posts: 6,049 Sebring, Florida. | Yes, I have both the 6th and 20th off so I plan on being there for both of those races. See you there.
Blade F16 #777
| | | Re: I've reached in my pocket again.
[Re: Timbo]
#118426 09/30/07 02:55 AM 09/30/07 02:55 AM |
Joined: Aug 2002 Posts: 545 Brighton, UK grob
addict
|
addict
Joined: Aug 2002
Posts: 545 Brighton, UK | Thanks! BTW, they have 3 Blades and 3 Spitfires here in Dubai, along with many other cats, and a great cat club on the beach! I thought the "cat club" in Dubai had shut down or was about to shut down, which club are you talking about. Gareth | | |
|
0 registered members (),
142
guests, and 110
spiders. | Key: Admin,
Global Mod,
Mod | | Forums26 Topics22,405 Posts267,058 Members8,150 | Most Online2,167 Dec 19th, 2022 | | |