While DPF is great, is there a forum dedicated or semi-dedicated to Linux and Windows server security? The occasional good question comes up on DPF, but I'm looking for something with a lot more focus on things like APF, IPChains, Windows Security, Linux Server Security, etc. Thanks all!
The host of my root server has a closed forum just for server owners. That's the place where we solve security issues, secluded from the public (hackers). Maybe your host has something similar?
I'm not aware of anything that's any good. The comments section of Bruce Schneier's blog is popular amongst people who want to talk about the fine detail of security. Most forums I have seen end up being full of l33t 5p34k1ng h4x0r5 boasting about the number of websites they have defaced or newbie website owners panicking about what to do because their website has been defaced. The trouble seems to be that security forums just don't get much usage. Even here on Digital Point, which is a fairly popular forum, the security section will only get a few posts per day. If you try to moderate the forum so that you only have security experts talking about the more advanced topics then you end up with only one post a week. I tend to have a large collection of blogs in my RSS reader and treat the entire internet as my security forum. When someone posts a blog entry on something security related, their comments section becomes the rest of the thread. Apart from that method, I guess trying the IPChains development forums/mailing list or the Ubuntu forums might be worth a try... If you do find something, let us know here. I know I'd be interested in that sort of thing and I'm sure there are some others here who would be as well.
On the search for security solutions, I just found the site below: http://www.securiteam.com/askus.html They offer: Maybe worth trying? I never tested it; I have my "own" security team available by cellphone or LICQ when needed ... but the articles on security-relevant topics the SecuriTeam experts offer online seem fine and knowledgeable.
SecurityFocus is pretty decent (can't post link yet). Also, forums on the OS you are using may have a security section.
At least a partial but highly valid security help is a full run of Nessus on your server IF YOU own that server. If any security risks are found, then a link to precise and, in all known cases, highly detailed help is provided with every risk alert on your detailed Nessus report. Often even precise copy-and-paste correction methods are included in the docs for Nessus errors. Install the newest version, NOT the old Nessus versions that are included in most dists. Current is something like 2.1.5 beta.
I have recently discovered a couple of quite good security based forums and I'm actually a little embarrassed that I didn't find them sooner. The two forums are: Critical security and sla.ckers.org.
Nessus has both client and server parts. It has its own front-end. I use the Windows client to connect to the Linux version of the server on another machine. That machine then actually does the scanning. There's also an open-source fork of it called OpenVAS (which is not as good a name as Nessus, but what can you do?). I'm not aware of any other front-ends for Nessus other than the official one and OpenVAS.
Static HTML pages can't be coerced into doing something they're not meant to because they don't do anything. Login scripts are one of the most frequent areas for security breaches in my experience. Luckily, they are rarely very complicated and can usually be quite limited in what they do. The easiest way to avoid SQL injection attacks is to severely limit what user input can be used in the database. Use a regex to restrict the usernames to alphabetic characters and md5() the passwords before they're sent to the database. To avoid XSS, don't echo any user input back to the page or wrap htmlentities() around it first. If you are not writing software yourself then the only risk you face is out of your control anyway. If a new flaw is discovered in the software you run and there is no patch available, there may be nothing you can do. Good security is not just about avoiding being hacked. It is also about knowing what to do when it happens. Make sure you have good backups and good documentation for everything you need to do a full restore of your system. Automate everything you do frequently and automate as much of the install/restore process as you can. Have plenty of monitoring and logging in place so you can analyse the situation later. Keep on top of patches/upgrades for all the software you run and monitor security alert mailing lists like Secunia. If you do all that, then you can be comfortable that even if something does happen, you will already know what to do and you will know exactly how long it will take to get back online. Thanks to your logs and monitoring, you will also be able to figure out what happened and how to prevent it from happening again.
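A login handler along the lines of the post above, as an added example that is not part of the thread or any poster's code. It keeps the alphabetic-only username check and `htmlentities()` on output, and goes beyond the post in two places that are assumptions of this example: a PDO prepared statement for the query, and PHP's `password_hash()` swapped in for `md5()`. The `users` table, the function names and the sample account are constructed.

```php
<?php
declare(strict_types=1);
// Added example: table, column and function names are assumptions, not from the thread.

// Constructed in-memory database standing in for the site's user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function validUsername(string $name): bool
{
    // Allow-list from the post: alphabetic characters only (the length cap is an assumption).
    return preg_match('/\A[A-Za-z]{1,32}\z/', $name) === 1;
}

function register(PDO $db, string $user, string $password): bool
{
    if (!validUsername($user)) {
        return false;
    }
    // Swapped in for md5(): a salted, deliberately slow hash from PHP's standard library.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    return $stmt->execute([$user, $hash]);
}

function login(PDO $db, string $user, string $password): bool
{
    if (!validUsername($user)) {
        return false; // rejected before it ever reaches the database
    }
    // Placeholder binding keeps the input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

function greet(string $user): string
{
    // Encode on output so markup in the value renders as text.
    return '<p>Hello, ' . htmlentities($user, ENT_QUOTES, 'UTF-8') . '</p>';
}

register($db, 'alice', 'correct horse battery staple'); // constructed sample account
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, "alice' OR '1'='1", 'x'));
echo greet('<script>alert(1)</script>'), "\n";
```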
Thanks for the suggestions. I always back up the entire site's pages each day. Your advice has validated a few of my concerns that I solved by relying on security-dedicated third parties who are offsite to handle security of a customer's personal data. Technical question: I am not clear on something simple. Using FTP through a secure port to the host. Should we use added things like SSL for FTP? I might not be asking this right (I read about 'listeners' on a port, etc.). We sell our content, so it has the value that someone might want to hack into the site to view. Once inside the secure area, is it possible to have access without us knowing that they are there? There is so much about security of websites that probably 97% of internet entrepreneurs have no idea about or value for the damage that can be done to their business and to their customers. Somebody should write a book, or compile their blog, into words and terms that direct a webmaster and business owner on what to do, like basics, then intermediate, etc. I only know of one guy who has written about it but it isn't very thorough or instructive. And he's selling it for $100 or more. I appreciate your time helping. TB
It never ceases to surprise me how many hacked accounts / servers I see that started with a brute-forced SSH login. * If people used strong passwords and didn't reuse them I would have a lot less business.