Lagbaja's Website Hacked by Turkish Naughty Boys!

Date: July 26, 2008, 10:51 PM
Author Topic: Lagbaja's Website Hacked by Turkish Naughty Boys!  (Read 6136 views)
romeo (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #32 on: March 27, 2006, 02:29 PM »

eno7 is a well known Turkish hacker and they are only mass defacing sites for the sake of record and nothing more, they are usually good in defacing PHP sites, maybe Lagbaja's was PHP
oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #33 on: March 28, 2006, 12:14 AM »

Quote
eno7 is a well known Turkish hacker and they are only mass defacing sites for the sake of record and nothing more, they are usually good in defacing PHP sites, maybe Lagbaja's was PHP

What do you mean by "PHP sites"?

Some forum software written in PHP has had security issues in the past.  But that has nothing to do with PHP.  Rather, it has to do with the coders.  The forum could have been written in any language by these poor programmers.
sbucareer (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #34 on: March 28, 2006, 01:58 PM »


Not even that, the most common mistake self-hosting web designers make is to install software and leave it with the same default settings it came with. If you are using Apache from version 2.0, you MUST change and configure your httpd.txt file. If you are running it with PHP, you MUST configure the default settings of php.ini. If your platform is Windows, you MUST run at least service pack 2.

And, disable all your directory listings. Always configure your Apache server with a password. When you have finished installing the Apache server with an admin account, log out and log in with a user account.

You must have just one computer for your web server, from the router open port 80 and block all other ports to that web server. If you are serving only Nigerian customers, in your httpd.txt accept IP addresses from all known Nigerian ISPs. If your business is global leave that and make sure your Windows is running at least service pack 4.

If you use a Unix flavor, I don't think they would be able to hack you. Still in Unix do the above issue, changing the httpd and php files. Read about Unix iptables and configure your firewall and router.

If all these are done, the only way a hacker can hack you is by phishing, and when it happens start looking at people close to you like your friends and girlfriend you'd dump with vulgar.

alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #35 on: March 28, 2006, 10:17 PM »

Too bad his site was hacked, I guess his webmasters learnt their lesson the hard way. First of all, there are unix hosting plans out there that give you extra application layer filtering in addition to normal router filtering on the network layer, they usually come with an extra price tag, check them out.

Secondly - If you decide to be a web host to serve your site to the public, you have to pay attention to details, you have to know what you are doing, you have to understand the fundamentals of the platform and software you are going to use. Security is a continuous process and you have to be a step ahead of the game or you will be majorly screwed.

We had a prospective client here in Ghana that wanted to run their Online-banking system and co-locate on our shared web hosting server. They were very conscious about security and as a result hired 3 Indian consultants. I went into the meeting before my first class at school, a meeting I thought would have spent 30 minutes took over 3 hours just to convince these guys that we could host their web app. Trust the Indian guys (I guess they were doing their jobs), they asked all the questions in this world and I told them that nothing security-wise could penetrate our web server - was I right? - yes. I did my homework and had my company buy the SAGE - BrickServer, a server that has never been broken into, check it out http://www.sage-inc.com/cgi-bin/products_bservii.php.

Hacking is very possible, it takes time if you know what you are doing.
sbucareer (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #36 on: March 29, 2006, 12:11 AM »


It is a wrong move for any bank to outsource their web hosting, especially if they plan to do e-banking. They should consult you to help them build their own web hosting and employ an application developer to write the e-banking.

I am not saying your host is not secure, note that. What I am saying is that it is a very wrong move. If you like the bank go back and ask them to help build and secure their host server for them.

If I were a customer of the bank and found out the bank is outsourcing their host server processing the e-bank to another public host company, I'd close my account straight away.

I don't know of any but there are host companies that specialize in hosting bank apps. They don't host for any other people apart from banks.

Can you tell me how much you paid for that 1U rack server?
oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #37 on: March 29, 2006, 12:18 AM »

Quote
I did my homework and had my company buy the SAGE - BrickServer, a server that has never been broken into,

That is good news to know some banks in Africa are planning on automating their operations.  It's about time.  And I don't blame them for wanting assurance of the highest level of security.

I guess a SAGE - BrickServer is worth it if it's not overly expensive.  But you can achieve the same level of security with Linux.  Besides, SAGE - BrickServer is only as secure as the software you run on it.

With Linux:

1. Install enterprise version.
2. Turn off absolutely ALL unnecessary services.
3. Configure your software firewall (ipchains).
4. Get a router with built in hardware firewall.
5. Put yourself on security mailing lists.
6. Slap a 32+ character password on your root account.  Basically, a very strong password.
7. Visit hackers' lounges and have them try to penetrate your machine.  Crackers/hackers can be useful too. :)
8. Do your own hacking, and benchmarking.  Look out for possible buffer overflows.
9. Visit sites like https://www.grc.com/ to check your shields.
10. Have logWatch email you daily activity report.
11. etc.

With adequate testing, you'd have a solid machine that is virtually impenetrable.

oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #38 on: March 29, 2006, 12:52 AM »

Quote
It is a wrong move for any bank to outsource their web hosting, especially if they plan to do e-banking. They should consult you to help them build their own web hosting and employ an application developer to write the e-banking.

It should be fine to outsource hosting, if:

1. The hosting company is reputable.
2. The server is dedicated (colocated).

At the end of the day, outsourcing may be the only way to go in Nigeria, since hosting in-house could get really expensive.  Stable electricity, physical security, high speed Internet lines, etc., are all expensive to provide.  These things are already available in the ISP's facility.
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #39 on: March 29, 2006, 09:15 AM »

The bank is concentrating on its local customers. We are a member of the Ghana Internet Exchange, an association that connects all ISPs in Ghana to one another, this means that anybody on any ISP network in Ghana trying to get to the bank e-banking system will access it at local traffic which is extremely fast.

For security - Try hacking into the SAGE-Brick Server - if anyone can get in - I personally will give that person $200, it doesn't even have a shell.

The bank outsourced the development of the e-banking portal to an Indian firm, we are hosting the stuff. The SAGE server is between $3000 - $4000.

The hosting is colocated and dedicated.
sbucareer (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #40 on: March 29, 2006, 10:03 AM »


I would need to speak with you Alexis. Email me your mobile or phone number here and I will call you later. Otherwise if you are on Skype my handle is sbucareer.

Latest!
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #41 on: March 29, 2006, 02:04 PM »

check your email, sent you my details
oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #42 on: March 29, 2006, 08:01 PM »

Quote
For security - Try hacking into the SAGE-Brick Server - if anyone can get in - I personally will give that person $200, it doesn't even have a shell.

A machine is only as secure as the software you run on it.
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #43 on: March 29, 2006, 09:49 PM »

oasis,

Check out the SAGE Brickserver website - they even have a sage brickserver you can try to hack but you will have to register and they will give you about 3-5 days or so.

don't take my word for it - try it yourself
oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #44 on: March 29, 2006, 10:23 PM »

I understand what you are saying about the SAGE Brickserver OS being secure.

But my point is that you still have to run servers on it such as web, email, ftp, scripting, etc.

Weakness can be introduced into the machine that way.  I don't see how the SAGE Brickserver can prevent bad code from running, and hence from being hacked.

For example, if I write PHP code that allows a user to delete his own directory based on his username:

Code:
system("rm -fr $username");

What happens if the user decides to choose a username such as /htdocs, and I don't have anything in my code to prevent that?

The code then comes out as:

Code:
system("rm -fr /htdocs");

Now, assuming that /htdocs is where all my web documents are served from.  Suddenly, you've allowed a user to delete your whole website due to sloppy code.
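
A hardened counterpart to the `system("rm -fr $username")` call above, as an added example (not code from the thread or from any product named in it): the username is allow-listed, resolved under a base directory, and the tree is removed through filesystem calls with no shell involved. The function names, the username pattern and the temp-directory layout are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Names and layout are assumptions.

/** Map a username to its directory directly under $base, or null. */
function resolveUserDir(string $base, string $username): ?string
{
    // Allow-list the name. escapeshellarg() alone would not help here:
    // "/htdocs" contains no shell metacharacters at all.
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $username)) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $username);
    // realpath() resolves symlinks; the result must be a direct child.
    if ($baseReal === false || $target === false || !is_dir($target)
        || dirname($target) !== $baseReal) {
        return null;
    }
    return $target;
}

/** Delete a directory tree through filesystem calls, with no shell. */
function removeTree(string $dir): void
{
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($walker as $entry) {
        // Symlinks are removed as links and never descended into.
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($entry->getPathname());
        } else {
            unlink($entry->getPathname());
        }
    }
    rmdir($dir);
}

// Constructed demo: one real account, four hostile or malformed names.
$base = sys_get_temp_dir() . '/users_' . bin2hex(random_bytes(4));
mkdir("$base/oasis/htdocs", 0700, true);
file_put_contents("$base/oasis/htdocs/index.html", 'hello');
foreach (['/htdocs', '../etc', 'oasis; id', '-fr', 'oasis'] as $name) {
    $dir = resolveUserDir($base, $name);
    if ($dir !== null) { removeTree($dir); }
    echo var_export($name, true), ' => ', $dir ?? 'rejected', "\n";
}
rmdir($base);
```

Only the last name resolves to a directory; the other four are rejected before any filesystem call is made.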
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #45 on: March 29, 2006, 10:41 PM »

I get your point but you see every user has his own directory he has access to.
oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #46 on: March 29, 2006, 11:11 PM »

That's true.  But you're assuming that the permissions would be set correctly always.  People make mistakes, and that is what crackers are looking for.

Besides, my example is only one example.  There are tons of mistakes that programmers make when writing code, not realizing the security implications.

So, going back to my point, your machine is only as secure as what you put into it.
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #47 on: March 29, 2006, 11:23 PM »

Oasis,

look at this, I create a user say oasis

useradd oasis -d /home/oasis/

Under /home/oasis you have other directories i.e

/home/oasis/mail - for mails
/home/oasis/htdocs - for your web files and ftp access

There are other users i.e /home/alex but oasis doesn't have access to alex directory because of the permissions as set by unix by default or you can add them yourself.

So whatever oasis does will only affect his directory, if he decides to create a php script and run rm -rf /root, it would work because he doesn't have that permission. BrickServer takes care of all these.

oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #48 on: March 29, 2006, 11:28 PM »

You mean brickserver wouldn't allow root to change /home permission to 0777?

If it would, then it is possible for someone to inadvertently change the permission to 0777.  Agree?
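
A check for the failure mode raised here, as an added example (not code from the thread, and not a BrickServer feature): it walks a home root and reports directories that are group- or world-writable, so an accidental `0777` is caught by an audit instead of by an intruder. The function name and the temp-directory tree, which mirrors `/home/oasis` and `/home/alex`, are constructed for illustration.

```php
<?php
// Added example, not from the thread. The tree below is constructed.

/** Report the home root and its subdirectories writable by group/others. */
function auditHomes(string $homeRoot): array
{
    clearstatcache();                       // do not trust cached modes
    $findings = [];
    $check = function (string $path) use (&$findings): void {
        $mode = fileperms($path) & 07777;   // keep permission bits only
        if ($mode & 0002) {
            $findings[] = sprintf('%s mode %04o: world-writable', $path, $mode);
        } elseif ($mode & 0020) {
            $findings[] = sprintf('%s mode %04o: group-writable', $path, $mode);
        }
    };
    $check($homeRoot);
    foreach (new DirectoryIterator($homeRoot) as $entry) {
        if (!$entry->isDot() && $entry->isDir() && !$entry->isLink()) {
            $check($entry->getPathname());
        }
    }
    sort($findings);
    return $findings;
}

// Constructed layout: a sane root, one private home, one left at 0777.
$root = sys_get_temp_dir() . '/home_' . bin2hex(random_bytes(4));
foreach (['' => 0755, '/oasis' => 0700, '/alex' => 0777] as $sub => $mode) {
    mkdir($root . $sub);
    chmod($root . $sub, $mode);             // chmod ignores the umask
}
print_r(auditHomes($root));                 // one finding: .../alex

rmdir("$root/oasis");
rmdir("$root/alex");
rmdir($root);
```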
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #49 on: March 29, 2006, 11:53 PM »

root has all privileges - but you don't log into the system like that - there is no shell dude. There is a root user all right and once you create normal users, their email, web, ftp and other services accounts are created. Read about it and you will understand the structure
oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #50 on: March 30, 2006, 12:32 AM »

That is interesting.

I would like to know how applications are installed on it without a shell.

I know that sometimes in order to install an application, you have to change permissions for files/directories.  Does brickserver let you change permissions?  Please answer that.
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #51 on: March 30, 2006, 02:26 AM »

I can't answer that because I don't have an authoritative answer, I can find out if you like. Secondly - it comes with a special program you install on your Windows or Mac and manage the server.
oasis
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #52 on: March 30, 2006, 02:53 AM »

Quote
I can't answer that because I don't have an authoritative answer

Fair enough.

But my point is clear.  Irrespective of how you interact with the machine, you still interact with it anyway.  That leaves room for configuration errors, which in turn opens the door for vulnerabilities.  There is nothing SAGE Brickserver can do for you in cases of human errors.  I don't think I can explain it any clearer than that.
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #53 on: March 30, 2006, 11:48 AM »

Very true.
Eastcoast (f)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #54 on: March 30, 2006, 03:17 PM »

They have also hacked AIT's website.
alexis (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #55 on: March 30, 2006, 04:21 PM »

haha
Gkings (m)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #56 on: April 05, 2006, 07:39 PM »

I think our website developers need more training on web design.
Eastcoast (f)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #57 on: April 05, 2006, 11:57 PM »

The AIT website is now OK.
kellorah (f)
Re: Lagbaja's Website Hacked by Turkish Naughty Boys!
« #58 on: July 18, 2006, 08:30 PM »

WHAT'S A TURKISH PERSON GAINING FROM HACKING LAGBAJA'S WEBSITE? HMMM
JOBLESS PEOPLE
Nairaland is owned by Oluwaseun Osewa
Nairaland Forum | Powered by SMF 1.0.12.
© 2001-2005, Lewis Media. All Rights Reserved.