Announcements
New Discussions
Previous Thread
Next Thread
Print Thread
Rate Thread
Hop To
Page 2 of 3 1 2 3
Re: I've reached in my pocket again. [Re: Robi] #118407
09/27/07 11:36 PM
09/27/07 11:36 PM
Joined: Sep 2007
Posts: 7
T
Topscan Offline
stranger
Topscan  Offline
stranger
T

Joined: Sep 2007
Posts: 7
If you need somewhere to house the website let me know.
That is on IIS, FTP or HTTP upload/editing. Behind a Firewall if you want (=less risk of being hacked).
Server located in Australia so it may have some lag for European users...
Cheers Chris

--Advertisement--
Re: I've reached in my pocket again. [Re: Topscan] #118408
09/27/07 11:54 PM
09/27/07 11:54 PM
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Robi Offline
Carpal Tunnel
Robi  Offline
Carpal Tunnel

Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Hosting is not an issue, the issue is content management.

Re: I've reached in my pocket again. [Re: Robi] #118409
09/28/07 12:54 AM
09/28/07 12:54 AM
Joined: Jul 2003
Posts: 121
Valencia - Spain
aestela Offline
member
aestela  Offline
member

Joined: Jul 2003
Posts: 121
Valencia - Spain
In case that it helps...
At Tacticat we use a not-too-old version of PHP-nuke as CMS.
No hacking so far, after some 18 months. Nuke is not Joomla but it works for us.

No firewalls, the only precaution we've added is to restrict the web site to russian and another country IP addresses (can't remember which other country). No russian sailors at Tacticat.

We're being probed everyday and have had a couple of DoS (Denial of Service attacks) that were solved by our provider.


Maybe we are just lucky (crossing fingers).

Amando.

Last edited by aestela; 09/28/07 01:05 AM.
Re: I've reached in my pocket again. [Re: aestela] #118410
09/28/07 01:15 AM
09/28/07 01:15 AM
Joined: May 2003
Posts: 4,451
West coast of Norway
Rolf_Nilsen Offline

Carpal Tunnel
Rolf_Nilsen  Offline

Carpal Tunnel

Joined: May 2003
Posts: 4,451
West coast of Norway
I know two simple CMS which has not been hacked yet. The two I wrote <img src="http://www.catsailor.com/forums/images/graemlins/grin.gif" alt="" /> 'Hackers', or more likely, the script kiddies, targets the large systems which they can get the most "cred" for cracking. I suppose that's why the systems I did have not been cracked to date.

Using HTML is OK for one, two or three skilled operators, but even then it is a bother. There will be problems with consistency, messed up pages and concurrency. When the current operator(s) move on, you need someone skilled at HTML as replacement and this person can be hard to find. A CMS is great for allowing several people to cooperate on running a website, from anywhere in the world. No client software except a browser is needed unlike what you do with pure HTML.

There is no easy solution. The obvious thing to do is to upgrade our Joomla version as soon as new versions are available. Switching CMS will be a lot of work, and we might be off just as bad as with the current CMS (PHP-nuke used to be cracked a lot earlier, when I looked at it). The safest solution is to SSH to the server and use vi for editing. I would not want to do that, even if it is what I usually have to when things break down.
Putting the webserver behind a firewall, preferably a proxy firewall, seems to help a lot.

There are no clear answers to this. If possible, I would suggest an upgrade and a firewall. Even the buildt in packet filtering in Linux these days do OK for protection.

Re: I've reached in my pocket again. [Re: Rolf_Nilsen] #118411
09/28/07 02:19 AM
09/28/07 02:19 AM
Joined: Sep 2007
Posts: 7
T
Topscan Offline
stranger
Topscan  Offline
stranger
T

Joined: Sep 2007
Posts: 7
As a suggestion you could setup a virtual Web development desktop, let multiple web authors connect to this desktop using Remote Desktop client from there home computer, map local drives for simple file and picture transfer, use MS Expression to mange the website, Expression can be coded in HTML, ASP, JS and many other technologies. What to use exactly would depend on how many collaboration web authors there are and what functionality you would like to have, blogs, vlogs, picture gallery, video, RSS, forums etc.
You would achieve a central content storage that single or multiple web authors can access and build there part of the web site from, also simple to backup remotely.

In a nutshell the web development tools, library of content should be avaible online to the authors. That means many authors can work on it and also take turns, I guess you will have many people queued up for this well paid job…

Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd

That was my 2 cent

Cheers Chris

Re: I've reached in my pocket again. [Re: Topscan] #118412
09/28/07 03:07 AM
09/28/07 03:07 AM
Joined: May 2003
Posts: 4,451
West coast of Norway
Rolf_Nilsen Offline

Carpal Tunnel
Rolf_Nilsen  Offline

Carpal Tunnel

Joined: May 2003
Posts: 4,451
West coast of Norway
Chris,

my experience is that you really dont want RDP open to the Internet.
Uploading any kind of file to a server on the internet using the MS filesystem (CIFS) seem to be slow. It's not a fast protocol (CIFS) suitable for anything but work on a LAN in my opinion. Further, the more advanced technology you put on a website, the harder it becomes both to manage and to secure. Programmers and developers are human and make mistakes. These mistakes are what crackers use to compromise security. More code equals more errors and more paths into your system.

Agree that the tools, libraries etc. should be accessible online. That is what a CMS do, besides taking control of how things are presented. With a CMS, like Joomla, the authors dont break the design of the website like no doubt would happen with Expression. Expression is a tool for designing sites, while a CMS is a tool for filling the website with content. That is an important difference.

Quote

Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd


Spot on!

Re: I've reached in my pocket again. [Re: Rolf_Nilsen] #118413
09/28/07 07:04 AM
09/28/07 07:04 AM

A
Anonymous
Unregistered
Anonymous
Unregistered
A



Quote

Quote

Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd


Spot on!


The developer is more important than the user? That would defeat the purpose of the site. There are plenty of extremely amateurish sites around, obviously created without a CMS, that drive me crazy. Not to minimize the significance of the security issues, but at least the F16 site looks good - and imo is appealing to people wanting to learn about the class.

One positive with Joomla is that there is an active user/developer community. If there are security problems (and assuming the problem actually lies there and not with mysql or something) at least there is a mechanism for getting these fixed eventually.

Anyhow, to come back to the original point - thanks again Paul for all your work on this.

Re: I've reached in my pocket again. [Re: Topscan] #118414
09/28/07 07:27 AM
09/28/07 07:27 AM
Joined: Jul 2005
Posts: 465
Oxford, UK
pdwarren Offline
addict
pdwarren  Offline
addict

Joined: Jul 2005
Posts: 465
Oxford, UK
Quote
Behind a Firewall if you want (=less risk of being hacked).


Nope. Doesn't make any difference if it's the web application itself that is vulnerable. We've been running this particular web server for 7 years and it hosts hundreds of websites. In this time we've seen a handful of hacking attempts and the vast majority of them are down to poorly written PHP.

Paul

Re: I've reached in my pocket again. [Re: ] #118415
09/28/07 07:27 AM
09/28/07 07:27 AM
Joined: May 2003
Posts: 4,451
West coast of Norway
Rolf_Nilsen Offline

Carpal Tunnel
Rolf_Nilsen  Offline

Carpal Tunnel

Joined: May 2003
Posts: 4,451
West coast of Norway
Mark,

I think both Chris and I agree that the primary goal is to build the best end user experience and put the best content on the website. What we were discussing was the best way for those to who fill in the content to do it.

I think the formula16.org website looks very good and have very good contents. It is a credit to the work done by Paul and the others who have contributed. I especially like the visualization of the box rule!

Re: I've reached in my pocket again. [Re: Rolf_Nilsen] #118416
09/28/07 07:37 AM
09/28/07 07:37 AM
Joined: Jul 2005
Posts: 465
Oxford, UK
pdwarren Offline
addict
pdwarren  Offline
addict

Joined: Jul 2005
Posts: 465
Oxford, UK
Quote
'Hackers', or more likely, the script kiddies, targets the large systems which they can get the most "cred" for cracking. I suppose that's why the systems I did have not been cracked to date.


Unfortunately, it's not always exposure they're after. Often they just want access to a box to add to their botnets.

Quote

Using HTML is OK for one, two or three skilled operators, but even then it is a bother. There will be problems with consistency, messed up pages and concurrency. When the current operator(s) move on, you need someone skilled at HTML as replacement and this person can be hard to find.


That's true. For some other websites I do, I've got a very long way using Template Toolkit which can take care of many of the consistency issues. If done right, it can also provide a good way to run a staging server to preview the site after any changes, and obvious feature which most content "management" systems seem to lack.

Quote
A CMS is great for allowing several people to cooperate on running a website, from anywhere in the world. No client software except a browser is needed unlike what you do with pure HTML.


The downside is that you know HTML, doing anything in a CMS seems painfully cumbersome, and you get the bonus risks of being hacked because your CMS was written by people who don't have a clue.

Quote

There is no easy solution. The obvious thing to do is to upgrade our Joomla version as soon as new versions are available.


Yep, and that was last done less that two weeks ago...

Quote

Putting the webserver behind a firewall, preferably a proxy firewall, seems to help a lot.


Won't help at all with this type of exploit, but may reduce the damage that they do as a result.

Quote

Even the buildt in packet filtering in Linux these days do OK for protection.


Yep - we've been using that for years. Our policy prevents opening up listening ports, which is what the second stage of many exploits rely on.

You're right that there are no easy answers. I intend to stick with Joomla for the moment, and when it gets hacked I'll just rant to the forum and get laughed at by my colleagues <img src="http://www.catsailor.com/forums/images/graemlins/grin.gif" alt="" />

The site's still off-line, I'm afraid. I'll probably collapse from jet lag this evening (although I might just get drunk first), but hopefully I'll have some time to fix it tomorrow.

Paul

Re: I've reached in my pocket again. [Re: pdwarren] #118417
09/29/07 08:16 AM
09/29/07 08:16 AM
Joined: Jul 2005
Posts: 465
Oxford, UK
pdwarren Offline
addict
pdwarren  Offline
addict

Joined: Jul 2005
Posts: 465
Oxford, UK
The site is back online. If anyone cares, here's what happened:

PHP comes with one of the worst security risks known to man, "register globals". When this is turned on, any parameters you pass in the URL overwrite global variables with the same name in your PHP. Now, imagine that your CMS relies on a global variable that specifies a directory where it can find its config from, and that this location can also be a URL (i.e. can reference a file on another webserver). Yep, that's right: simply specify a URL parameter and you can execute arbitrary PHP on the webserver.

So, everyone turns off register globals. Unfortunately, this breaks a lot of poorly written Joomla components. So the clever people at Joomla invented register globals emulation, and turned it on by default, because obviously having some components not working is far far worse than leaving a gaping security hole in your CMS.

Paul

Re: I've reached in my pocket again. [Re: pdwarren] #118418
09/29/07 09:59 AM
09/29/07 09:59 AM
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Robi Offline
Carpal Tunnel
Robi  Offline
Carpal Tunnel

Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Thanks Paul you are the man!

Re: I've reached in my pocket again. [Re: Robi] #118419
09/29/07 11:23 AM
09/29/07 11:23 AM
Joined: Jun 2001
Posts: 9,582
North-West Europe
Wouter Offline
Carpal Tunnel
Wouter  Offline
Carpal Tunnel

Joined: Jun 2001
Posts: 9,582
North-West Europe


I agree, Paul you are the man !

Many thanks thanks !

Wouter


Wouter Hijink
Formula 16 NED 243 (one-off; homebuild)
The Netherlands
Re: I've reached in my pocket again. [Re: Wouter] #118420
09/29/07 02:27 PM
09/29/07 02:27 PM
Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Timbo Offline
Carpal Tunnel
Timbo  Offline
Carpal Tunnel

Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Soo...what's the link?? I can't find it on google.


Blade F16
#777
Re: I've reached in my pocket again. [Re: Timbo] #118421
09/29/07 02:38 PM
09/29/07 02:38 PM
Joined: Feb 2004
Posts: 3,528
Looking for a Job, I got credi...
scooby_simon Offline
Hull Flying, Snow Sliding....
scooby_simon  Offline
Hull Flying, Snow Sliding....
Carpal Tunnel

Joined: Feb 2004
Posts: 3,528
Looking for a Job, I got credi...


F16 - GBR 553 - SOLD

I also talk sport here
Re: I've reached in my pocket again. [Re: scooby_simon] #118422
09/29/07 04:26 PM
09/29/07 04:26 PM
Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Timbo Offline
Carpal Tunnel
Timbo  Offline
Carpal Tunnel

Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Thanks! BTW, they have 3 Blades and 3 Spitfires here in Dubai, along with many other cats, and a great cat club on the beach!


Blade F16
#777
Re: I've reached in my pocket again. [Re: Timbo] #118423
09/29/07 08:53 PM
09/29/07 08:53 PM
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Robi Offline
Carpal Tunnel
Robi  Offline
Carpal Tunnel

Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Tim are you coming to GYC next week?

Re: I've reached in my pocket again. [Re: Robi] #118424
09/29/07 10:51 PM
09/29/07 10:51 PM
Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Timbo Offline
Carpal Tunnel
Timbo  Offline
Carpal Tunnel

Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Yes, I have both the 6th and 20th off so I plan on being there for both of those races. See you there.


Blade F16
#777
Re: I've reached in my pocket again. [Re: Timbo] #118425
09/30/07 12:55 AM
09/30/07 12:55 AM
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Robi Offline
Carpal Tunnel
Robi  Offline
Carpal Tunnel

Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Sweetbeans, want to sail both days? I mean like saturday and sunday?

Re: I've reached in my pocket again. [Re: Timbo] #118426
09/30/07 02:55 AM
09/30/07 02:55 AM
Joined: Aug 2002
Posts: 545
Brighton, UK
grob Offline
addict
grob  Offline
addict

Joined: Aug 2002
Posts: 545
Brighton, UK
Quote
Thanks! BTW, they have 3 Blades and 3 Spitfires here in Dubai, along with many other cats, and a great cat club on the beach!


I thought the "cat club" in Dubai had shut down or was about to shut down, which club are you talking about.

Gareth

Page 2 of 3 1 2 3

Moderated by  Damon Linkous, phill, Rolf_Nilsen 

Search

Who's Online Now
0 registered members (), 142 guests, and 110 spiders.
Key: Admin, Global Mod, Mod
Newest Members
Darryl, zorro, CraigJ, PaulEddo2, AUS180
8150 Registered Users
Top Posters(30 Days)
Forum Statistics
Forums26
Topics22,405
Posts267,058
Members8,150
Most Online2,167
Dec 19th, 2022
Powered by UBB.threads™ PHP Forum Software 7.7.1