webinfoguy25
« Reply #15 on: September 29, 2009, 06:46:17 AM »
Nah, I would use a hypervisor. ESXi is decent but I use Xen for production systems unless the client specifically wants a paid solution (in which case, it's ESXi and VMware's virtualsphere or wtfever it's called).
You can make your hypervisor so that it isn't even aware that you have an ethernet NIC, much less open ports.
EDIT: for those unfamiliar with virtualization concepts, a hypervisor is a "host OS" on which all your guest OSes reside. The key difference is that a hypervisor is really just set up to run virtual machines and nothing else. It doesn't need anything but a kernel, and the Xen kernel is a stripped-down brick when it comes to security. Alternatively, you can use any Linux kernel you want on Xen (or other OSes if you use ESXi or similar). The box that runs the VMs may as well not exist; it's just there for when you need to switch a VM on or off, and you can restrict that so that only physical access to the machine has those privs.

Vsloathe - thanks for the input, now could you break this down into a layman's step-by-step process on how to set this up? I think my client is going to go the cost-effective route. I don't believe he will want me to host the website so I don't know if that will create problems or not. He has it set up on a paid hosting. I might have to get him to switch over to a dedicated IP. Thanks,

vsloathe
« Reply #16 on: September 29, 2009, 07:39:06 AM »
It's um...an adventure. I can try to equip you but I can't take the journey for you. You saw the post prior where I explained a couple concepts to Perk, right? That's Perk. Having concepts explained to him. That you're asking me to expound on here, for you. Just making sure everyone understands what's going on.

Here is Sun's ESXi documentation: http://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi40_i_vc40.html

I like Xen and OpenVZ is pretty good too, but the documentation will be a bit more esoteric: http://wiki.xensource.com/xenwiki/XenDocs

tl;dr --SKIP TO THIS PART IF YOU WANT AN EASY SOLUTION WITHOUT HAVING TO LEARN MUCH-- But just be warned that not learning much means you'll pay for it later in support costs or headaches. It's always best to just learn what you need to learn to be proficient. That said, here's a simple tutorial I found if you learn better by doing and being a bonehead (I do): http://www.howtoforge.com/ubuntu-8.04-server-install-xen-from-ubuntu-repositories

I am more of a fan of using the Xen kernel because, like I said previously, it's more stripped down. But if you want ease of use and maintenance, you can't go wrong with installing the latest Ubuntu server release and following the instructions.

webinfoguy25
« Reply #17 on: September 29, 2009, 07:54:36 AM »
From what I have read, this VMware vSphere requires Windows Server. Even if it allows for Ubuntu, I have never installed Ubuntu on a paid hosting account. Looks like the hosting provider supports Xen, so I guess I am good to go. As for now I am off to read about this stuff. I hope he likes it, and I hope the hosting provider supports all this stuff.
Thanks guys, huge huge help.
Do you have to have a VPS, or just a dedicated IP?
« Last Edit: September 29, 2009, 08:34:54 AM by webinfoguy25 »

vsloathe
« Reply #18 on: September 29, 2009, 11:45:36 AM »
You need a box of your own.
If you're not going to have physical access to your box, none of our solutions will do you all that much good imo.

webinfoguy25
« Reply #19 on: September 29, 2009, 11:57:30 AM »
OK, so then isn't there a paid hosting provider that will provide good security? I mean I really don't think he will want to have me house the website on a box where I live.
So basically when I talk to him this afternoon I should say "If you want to have security, then you need to buy me an Ubuntu Server box and a dedicated IP address"?
« Last Edit: September 29, 2009, 11:59:27 AM by webinfoguy25 »

vsloathe
« Reply #20 on: September 29, 2009, 12:33:25 PM »
No, you can buy rack space anywhere, I'm just pointing out that it's harder to have real security if you're trusting some sysadmin you've never met to be competent enough to be your *real* sysadmin.

herbacious
« Reply #21 on: September 29, 2009, 01:21:40 PM »
Awesome thread. One thing to point out though: all this security isn't going to help protect against SQL injection attacks etc. Modified osCommerce (etc.) sites aren't exactly bulletproof in that sense. What do you guys do to protect against that? Do you rate mod_security?

vsloathe
« Reply #22 on: September 29, 2009, 01:36:13 PM »
I guess mod_security is an acceptable fix if you have to run 3rd party software.
Really, that's why it's so important that my boxes run open source apps. First thing I do is look at the layer that connects the app to the DB. If they haven't thought to add that layer, well then I uninstall the app lol

perkiset
« Reply #23 on: September 29, 2009, 01:55:32 PM »
@ SQL Injections et al: I don't trust any outside mechanism to do the whole job, but if you're stuck with simply using OPC then you may have no choice. Personally, I have a set of things I always do when talking to my database to make sure that I'm clean. It takes discipline to make sure I do it/them, but it is vital. Nuts has a technique, for example, where he simply stores the hex equivalent of (whatever was sent to him) so that he NEVER has code that could be dereferenced into an injection attack. It's not *that* tough to hold the line - but it is painful, sometimes, to always do The Right Thing and not get lazy. Some very, very simple tricks:
« Last Edit: September 29, 2009, 01:58:19 PM by perkiset »
It's the things you learn after you know it all that really count. -John Wooden

nutballs
« Reply #24 on: September 29, 2009, 02:30:07 PM »
Wow, perk remembered my little trick. Cool, made an impression. Base64 works also, and is a bit smaller often, but requires more cycles to unfurl the encoded text. Plus, you cannot search for "part" of a text.
Hex is a straight translation, so that's why I landed there. Disks are basically free, so storage size falls into the who-gives-a-shit category. And you can search by partials, you know, "like '%balls%'", but with balls hex coded. You can't do that in the b64 version.
I LOVE doing it that way because it is 100% worry free. Makes database diving by the owners much harder for them, so they don't do it. Still need to validate for HTML injections if you ever display it to a webpage. Still need to validate non-string types, but that severely limits your problems.

vsloathe
« Reply #25 on: September 30, 2009, 06:21:58 AM »
I've used a lot of base64 in the past as well.
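An added example (not code from anyone in this thread) that puts the approaches in replies #22 through #25 side by side: the string-concatenated query that makes injection possible, the parameterised "layer between the app and the DB" that vsloathe looks for, and nutballs' hex-storage trick, including why the `like '%part%'` search survives hex but not base64. It runs against an in-memory SQLite table rather than MySQL; the SQL shapes are the same. The table and column names, the `notes` rows and the payload string are all constructed for the example.

```python
# Added example, not code from the thread. Three ways of getting a user term
# into a LIKE query, run against an in-memory SQLite table:
#   search_naive - concatenation: the injectable shape
#   search_param - placeholder plus LIKE-wildcard escaping
#   search_hex   - nutballs' trick: the column holds hex(text), so only
#                  [0-9a-f] reaches the SQL string; '%part%' search still
#                  works because hex is a fixed 2 characters per byte
# Table/column names and the sample rows are constructed for this example.
import base64
import sqlite3

SAMPLE_NOTES = [  # constructed sample data
    (1, "nutballs likes hex"),
    (2, "perkiset's secret note"),
    (3, "nothing to see here"),
]


def to_hex(text):
    return text.encode("utf-8").hex()


def from_hex(hexstr):
    return bytes.fromhex(hexstr).decode("utf-8")


def build_db():
    """Two copies of the same rows: plain text, and hex-encoded text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("CREATE TABLE notes_hex (id INTEGER PRIMARY KEY, body_hex TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    db.executemany("INSERT INTO notes_hex VALUES (?, ?)",
                   [(i, to_hex(body)) for i, body in SAMPLE_NOTES])
    return db


def search_naive(db, term):
    # VULNERABLE on purpose: the term becomes part of the SQL text, so a quote
    # in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT id FROM notes WHERE body LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def like_escape(term, esc="\\"):
    # A placeholder stops injection but not LIKE wildcards: a user-supplied
    # '%' or '_' would still widen the match, so escape those as well.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param(db, term):
    pattern = "%" + like_escape(term) + "%"
    rows = db.execute("SELECT id FROM notes WHERE body LIKE ? ESCAPE '\\'",
                      (pattern,))
    return [row[0] for row in rows]


def search_hex(db, term):
    # Concatenation kept deliberately to show what the encoding buys: to_hex()
    # only emits [0-9a-f], so quotes, comments and LIKE wildcards in the term
    # never reach the parser.
    sql = ("SELECT id, body_hex FROM notes_hex WHERE body_hex LIKE '%"
           + to_hex(term) + "%'")
    hits = []
    for row_id, body_hex in db.execute(sql):
        # Caveat: LIKE matches at any character offset, so a hit starting on an
        # odd hex digit straddles byte boundaries and is a false positive.
        # Decoding the candidate and re-checking removes those.
        if term in from_hex(body_hex):
            hits.append(row_id)
    return hits


def b64_partial_match(body, term):
    """Why base64 loses '%part%' search: it packs 3 bytes into 4 characters,
    so base64(term) only appears inside base64(body) when the term happens to
    start at a byte offset divisible by 3."""
    enc = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return enc(term) in enc(body)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1 --"
    print("naive:", search_naive(db, payload))   # every row: injection worked
    print("param:", search_param(db, payload))   # []: treated as data
    print("hex:  ", search_hex(db, payload))     # []: only hex reached SQL
    print("hex partial 'all':", search_hex(db, "all"))
    print("b64 'hex' (aligned):", b64_partial_match("nutballs likes hex", "hex"))
    print("b64 'all' (unaligned):", b64_partial_match("nutballs likes hex", "all"))
```

Two things the replies above imply but do not spell out: a placeholder alone still lets a user-supplied `%` widen a LIKE, hence the `ESCAPE` clause, and the hex trick only covers the path into the database; as nutballs says, anything decoded back out still needs HTML escaping before it is rendered.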

herbacious
« Reply #26 on: October 14, 2009, 12:44:54 PM »
For the OP though, we are talking about securing an existing open source app...
If you had to do it and you weren't about to rewrite every DB query in the entire app, what would you do?
Let's say you've got four hours that the client is prepared to pay for and you aren't prepared to work a minute more.
Any special moves?

nutballs
« Reply #27 on: October 14, 2009, 01:03:00 PM »
Wow, that blows. I didn't notice that little detail, sorry. Hmmmmmm.... I got nothing. Obviously we drifted into injection territory specifically, but overall, not sure. There is a new MySQL Proxy that you can run between your app and the database. It can be used for a lot of stuff, like load balancing, query re-writing, etc. But I have no experience with it, nor do I know at all if it's anything short of a pain in the ass to deal with.

nutballs
« Reply #29 on: October 14, 2009, 01:35:38 PM »
interesting. gonna check that out.