Securing tips needed

Discussion in 'Security' started by -Ace-, Oct 13, 2009.

Thread Status:
Not open for further replies.
  1. #1
    Hello,

    I am about to launch a file hosting site just like RapidShare and I need some help securing my site the best I can.

    Can someone please give me a list of dangerous file extensions to block on my file hosting site that could do damage?

    Also, what are some other suggestions I can do to protect and secure my site?


    Best Regards,
     
    -Ace-, Oct 13, 2009 IP
  2. Asako

    #2
    The only thing I can think of now is to block all files like html, php, etc. to prevent them from being executed from your file server. The rest is just a basic firewall config. Do you use a control panel for this file server? If you do, what is your control panel?

    If not, then you can check your php.ini and disable functions that can execute shell commands, as well as securing your SSH port.
     
    Asako, Oct 13, 2009 IP
  3. -Ace-

    #3
    Hello,

    Thanks for your help.

    I am currently using Plesk as a control panel on my server. Server side should be OK, as I secured it and everything looks good. Now just looking to protect the main site from any sort of attacks.

    Here is the list of extensions I blocked.

    .html.htm.bat.cmd.php.mht.mhtm.lnk.ins.hta.ASP.BIN.CHM.BTM.crt.css.eml.email.ini.oxc.sys.url.vb.vbe.vbs.vxd.wsc.wsf.wsh.xl.smm.smb.sct.scr.rpt.pif.ppt.pgm.pcd.ov.ojb.mst.msp.msi.msc.js.jse.fon.drv.dot.doc.dll.csc.cpl.com.cla.class.cbt.bas.386.key

    If you know of any other dangerous file extensions that I did not list, please do let me know.

    If you have any server side tips please let me know.

    Best Regards,
     
    -Ace-, Oct 14, 2009 IP
  4. organicCyborg

    #4
    It may sound like a pain, but it's better to specify what file extensions you want to allow versus those you want to deny. That is, create a whitelist, not a blacklist.

    Worst case is the user will have to zip the file before they upload it. But, it's much more secure.

    This is really done more for the user's protection than that of your server. If a malicious file gets on to the server, it can still be executed if something in your system isn't secured.
     
    organicCyborg, Oct 14, 2009 IP
  5. SecureCP

    #5
    Perl extensions should be blocked.
     
    SecureCP, Oct 14, 2009 IP
  6. nikb

    #6
    I would think about execute permissions for your upload dirs.
    Also, file.txt can contain executable code and can be included in a buggy PHP scenario.
    If somebody can upload an .htaccess file, he can tell the server in this file that .gif files should be executed as PHP or Perl files.
    There are many ways to hack an upload engine. So you should think not only about file extensions.

    PS: You must add phtml and php3 to your list.
     
    nikb, Oct 17, 2009 IP
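
The allowlist approach from post #4, combined with the .htaccess and double-extension concerns from post #6, as an added example that is not part of the original thread. The function name `stored_name`, the contents of `ALLOWED` and the sample inputs are assumptions constructed for illustration.

```python
import secrets

# Assumed allowlist for this example: extension -> accepted leading bytes.
ALLOWED = {
    "zip": (b"PK\x03\x04",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}


def stored_name(client_name, head):
    """Return a server-generated file name, or None to reject the upload.

    client_name: file name sent by the browser (untrusted).
    head: the first bytes of the uploaded content.
    """
    # Drop any directory part, whichever separator the client used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Dotfiles such as .htaccess have an empty stem; a name without a dot
    # has no extension at all. Both are rejected.
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return None
    ext = ext.lower()
    magics = ALLOWED.get(ext)
    if magics is None:
        return None  # not on the allowlist (php, phtml, php3, pl, txt, ...)
    if not head.startswith(magics):
        return None  # content does not match the claimed type
    # The client's name never reaches the disk, so "shell.php.jpg" leaves
    # no inner ".php" segment for the web server to act on.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample uploads: (client file name, first bytes of content).
    samples = [
        ("holiday.JPG", b"\xff\xd8\xff\xe0"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        (".htaccess", b"AddType"),
        ("tool.phtml", b"<?php"),
        ("logo.gif", b"<?php"),
    ]
    for name, head in samples:
        print(name, "->", stored_name(name, head))
```

A matching header does not prove the rest of the file is harmless, so the upload directory still needs script execution switched off, as post #6 points out.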