
Is known IP-number filtering pretty much all that is needed for website security/vulnerability?

 
ship

External


Since: Aug 22, 2005
Posts: 129



(Msg. 1) Posted: Wed May 17, 2006 12:55 pm
Post subject: Is known IP-number filtering pretty much all that is needed for website security/vulnerability?
Archived from groups: alt>www>webmaster, others

Hi

I want to get some views on security/vulnerability to hacking.

Our ISP has just put our website onto a new dedicated webserver for us.
It is running Apache (latest) on Linux. And MySQL.
We have got the thing protected by a router that has IP filtering on
it.

Basically we are only allowing point to point traffic - that is traffic

a tiny range of precisely specified IP numbers to have FTP access.

This of course means that everyone who runs the site needs to
have a dedicated IP number.

This may sound naive but do you think the above will be enough
to stop hackers from getting in?!

(e.g.
- should we buy a separate firewall box or is it enough to
just rely on the router's filtering?

- What other vulnerabilities should we be tackling.

- Is there any way of spoofing IP numbers?



Ship
Shiperton Henethe
(webmaster)

Walter Roberson

External


Since: May 17, 2006
Posts: 1



(Msg. 2) Posted: Wed May 17, 2006 8:40 pm
Post subject: Re: Is known IP-number filtering pretty much all that is needed for website security/vulnerability?
Archived from groups: per prev. post

In article <1147895738.336806.144280 DeleteThis @y43g2000cwc.googlegroups.com>,
ship <shiphen DeleteThis @gmail.com> wrote:
>Our ISP has just put our website onto a new dedicated webserver for us.
>It is running Apache (latest) on Linux. And MySQL.
>We have got the thing protected by a router that has IP filtering on
>it.

>Basically we are only allowing point to point traffic - that is traffic
>a tiny range of precisely specified IP numbers to have FTP access.

>This of course means that everyone who runs the site needs to
>have a dedicated IP number.

>This may sound naive but do you think the above will be enough
>to stop hackers from getting in?!

No. Anyone who cracks the web server could potentially gain full
access -- and how are you securing the computers that would be allowed
FTP access?

>- Is there any way of spoofing IP numbers?

Yes. The difficulty of doing so depends upon the operating system.
Any reasonably recent Linux would likely make it quite difficult
to do. Probably easier to take over one of the control systems and use
those to attack the server.


If your site gets popular, then eventually it will likely be
subject to a DoS (Denial of Service) attack. Routers aren't usually
very good at stopping those.


Is there a good reason to use ftp specifically? sftp or scp would
be more secure.

Frankster

External


Since: Jun 08, 2005
Posts: 79



(Msg. 3) Posted: Thu May 18, 2006 7:14 am
Post subject: Re: Is known IP-number filtering pretty much all that is needed for website security/vulnerability?
Archived from groups: per prev. post

All the negative replies notwithstanding...

Restricting access to only a few specific known IPs is very good. I'm
assuming this means no anonymous access whatsoever. Good stuff.

Now... for those specific IPs, you would want to set up a userID logon and
complex password to access your network resources. Just as you would do for
local LAN users to logon to their own workstations.

Certainly there is much more to security, in total, but here's what some
observers fail to understand... if the accessible system has no services
available (like most home users should), the risk is minimal. It is when you
have services running on the system that the risk escalates. And... access
to these services via anonymous transparent logons (i.e. a public web
server) is the worst.

You have no anonymous public access. Straight away you have a good start.
Next thing would be to "harden" your OS. Meaning... make sure your system is
set up to allow system and file access to only the users that need it (on
the LAN as well as from the Internet).

Yes, keeping up with OS patches and vulnerability updates is always
important, but that risk is always there and not limited to Internet users.

-Frank

"ship" <shiphen RemoveThis @gmail.com> wrote in message
news:1147895738.336806.144280@y43g2000cwc.googlegroups.com...
>
>
> Hi
>
> I want to get some views on security/vulnerability to hacking.
>
> Our ISP has just put our website onto a new dedicated webserver for us.
> It is running Apache (latest) on Linux. And MySQL.
> We have got the thing protected by a router that has IP filtering on
> it.
>
> Basically we are only allowing point to point traffic - that is traffic
>
> a tiny range of precisely specified IP numbers to have FTP access.
>
> This of course means that everyone who runs the site needs to
> have a dedicated IP number.
>
> This may sound naive but do you think the above will be enough
> to stop hackers from getting in?!
>
> (e.g.
> - should we buy a separate firewall box or is it enough to
> just rely on the router's filtering?
>
> - What other vulnerabilities should we be tackling.
>
> - Is there any way of spoofing IP numbers?
>
>
>
> Ship
> Shiperton Henethe
> (webmaster)
>
ship

External


Since: Aug 22, 2005
Posts: 129



(Msg. 4) Posted: Thu May 18, 2006 7:17 pm
Post subject: Re: Is known IP-number filtering pretty much all that is needed for website security/vulnerability?
Archived from groups: per prev. post

Can any of you good people recommend a site or some free software
that you can run to test all the ports on a webserver - which would
give a level of reassurance that at least the basics are covered.

What I'm thinking of is that I paste my webserver's IP number
into some (reasonably trustworthy!) website and they have a go
at breaching the webserver using some automated tools....

Anyone know of such a thing?

Later when we have a budget we might pay for such a thing but not
just right now...


Ship
Shiperton Henethe
Frankster

External


Since: Jun 08, 2005
Posts: 79



(Msg. 5) Posted: Fri May 19, 2006 6:31 am
Post subject: Re: Is known IP-number filtering pretty much all that is needed for website security/vulnerability?
Archived from groups: per prev. post

> Can any of you good people recommend a site or some free software
> that you can run to test all the ports on a webserver - which would
> give a level of reassurance that at least the basics are covered.

Well, not to be picky, but, webservers cannot "control" ports anyway, only
firewalls can.

I have assumed all along that your network has an operational and well
configured firewall (configured by your "techies", I suppose). Anyway, a
network firewall (not personal firewall) is an absolute necessity, not a
luxury. Any outside utility you use to check your ports will be checking the
ports on your firewall, not your local machine and not your web server.

-Frank
David Kerber

External


Since: Mar 16, 2006
Posts: 13



(Msg. 6) Posted: Fri May 19, 2006 7:27 am
Post subject: Re: Is known IP-number filtering pretty much all that is needed for website security/vulnerability?
Archived from groups: per prev. post

In article <1148005057.967260.143130.DeleteThis@j73g2000cwa.googlegroups.com>,
shiphen.DeleteThis@gmail.com says...
> Can any of you good people recommend a site or some free software
> that you can run to test all the ports on a webserver - which would
> give a level of reassurance that at least the basics are covered.
>
> What I'm thinking of is that I paste my webserver's IP number
> into some (reasonably trustworthy!) website and they have a go
> at breaching the webserver using some automated tools....
>
> Anyone know of such a thing?
>
> Later when we have a budget we might pay for such a thing but not
> just right now...

grc.com

That is Gibson Research, the guy who wrote spinrite and some other
fantastic utilities. I've been using his site for years to test new
machine setups.

--
Remove the ns_ from if replying by e-mail (but keep posts in the
newsgroups if possible).