Server and HTPC webconsole

joz

Portal Pro
March 17, 2008
1,353
306
Home Country
Netherlands
Thank you Pilehave, my thoughts exactly;
It's not homeland security.

I know stuff, but I can't say I know everything, especially not when it comes to security. :D for removing the doubts I had after jsimmons' post (and some others I'd seen; I posted this idea on multiple forums to get some kind of project group going).
 

jsimmons

Portal Pro
December 6, 2008
126
2
Home Country
United States of America
Putting a web server online from your LAN isn't really a high security risk. I don't see how anyone would inject code that is anything but your scripting language + SQL/MySQL queries. Now, while PHP in theory can be used to do file uploads and downloads (FTP functions built in), you'll still need a running FTP server with proper rights. Not even a buffer overflow will expose anything else but your web application.

I think it's a bit paranoid, sorry. The risk of being hacked from your personal storage media like portable hard drives or USB drives is much bigger. If I REALLY wanted access to something, a planted rootkit in a mail or a USB device is so much easier.

It's better to be paranoid and safe rather than care-free and a hazard to those around you.

The inexperienced really shouldn't be exposing any part of their LAN to the outside. I have THOUSANDS of hack attempts every day. It starts as a harmless port probe, but if they find a way in, you're royally screwed. Everyone that is so cavalier (or just plain clueless) about security is just begging for trouble.

Should you be scared? I am, and I've been running my own web server for about four years. Should you think twice about doing something like that? Most certainly. In fact, you should think a 3rd and 4th time. I've been a developer for almost 30 years, and I can tell you from experience that *nobody* is immune from attack, and no website is so insignificant that it should be considered uninteresting to a hacker.

Oh, and since the OP mentioned database access, I recommend that he read up on and become VERY familiar with a little thing known as SQL injection. This can truly ruin your day.

Yes, I'm trying to scare the guy.

My HTPC will be in no way connected to the LAN (much less the internet) during normal use. The network adapter will be disabled, and I'll have to manually enable it to transfer files to/from it. Oh yeah - I *am* paranoid.
 

joz

Portal Pro
March 17, 2008
1,353
306
Home Country
Netherlands
Sorry, but I'm not going with you, which in my opinion is just plain paranoia.

I'm a webdev, and yes I know about injection (you forgot to mention JavaScript injection ;)), so what's the big deal here? Just escape user input. Just another one of those tricks.

I still haven't had any concrete example of what can go wrong in this particular situation. Please do not see this as some sort of personal attack. I'd just want to nail this on the head before proceeding any further.

I truly believe Pilehave's statement. As long as the server software you're running does not have any known and serious security issues, there's not that much that can totally go wrong, let alone have hackers infiltrating further than the server.
Especially that last bit is kinda impossible from my point of view. Yeah sure, most things are possible, it's just very unlikely.

If the software does have issues, it's most likely to be restricted to within the program's domain. For example Apache is not allowed to delete any system files/folders. That's not handled by Apache like this, it's just how Windows works.

I know I'm not immune, and as you said, yes, nobody's immune. Again, you should however consider the likelihood of a security failure and the importance of the data stored on the machine.
The likelihood is, I guess, above average with this portal; however the data bit pulls it down again (from my perspective). So yes, security is important, also for this webapp, however to me, no deal breaker.
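
The SQL injection jsimmons warns about and the "just escape user input" approach joz mentions, side by side, as an added example that is not code from the thread or from joz's webconsole. It uses Python's standard sqlite3 module with a constructed in-memory users table so it runs offline; the function names are mine, and the same three patterns map directly onto PHP/MySQL (string concatenation, manual escaping, prepared statements).

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "secret"), ("o'brien", "x")])
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    input is parsed as SQL syntax instead of as data. That is the hole
    injection exploits; here it surfaces as a syntax error on a legitimate name."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def sql_escape(value):
    """Hand-rolled escaping of the kind joz describes: double every single quote.
    It only protects you if it is applied to every interpolated value and it
    matches the database's quoting rules, which is why it is easy to miss one."""
    return value.replace("'", "''")


def login_escaped(conn, name, password):
    """Concatenation with manual escaping applied to both values."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (sql_escape(name), sql_escape(password)))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, name, password):
    """Preferred: parameter binding keeps data and SQL separate, so there is no
    per-call-site escaping decision to get wrong."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    """Run all three variants against a legitimate name that contains a quote."""
    conn = make_db()
    results = {
        "param": login_param(conn, "o'brien", "x"),
        "escaped": login_escaped(conn, "o'brien", "x"),
        "param_wrong_password": login_param(conn, "alice", "wrong"),
    }
    try:
        login_concat(conn, "o'brien", "x")
        results["concat"] = "query ran"
    except sqlite3.OperationalError:
        # The stray quote reached the SQL parser: data was interpreted as code.
        results["concat"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22s %s" % (name, outcome))
```

The concatenated version fails on an honest user named o'brien, which is the same defect that lets a crafted value rewrite the query; the escaped version passes for this input but only because every value was remembered; the parameterized version needs no such discipline, which is why it is the form to standardize on in a web app that will be exposed to the internet.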
 

jsimmons

Portal Pro
December 6, 2008
126
2
Home Country
United States of America
As long as you're going in with your eyes open... :)

I've seen too many people just jump in and then wonder why their server immediately develops Tourette syndrome.
 

joz

Portal Pro
March 17, 2008
1,353
306
Home Country
Netherlands
:D jsimmons, I will!

First things first, this has already been running on my machine for 2 weeks straight now (it started off smaller of course) and I have not had any serious issues yet (knock on wood).
I will keep running this most likely for another couple of months before ever considering a release. This way I can kinda see how it keeps up before exposing any (ignorant) user to possible threats. Any alpha testers can apply if they like; this will be on a by-request (read PM) basis on alpha, public on beta.
If it comes to a release I will make sure people know about the possible consequences.

A release will need an installer, really. No experience with that yet. If an installer is created it can have selections for turning off all shell access, for example, which will already eliminate a huge possible threat.

p.s.
I develop commercial (sometimes big, at least for the Netherlands) websites, it's my job, so I'm supposed to know what I'm doing, which I think I am (but who isn't thinking that of themselves ;)).
The injection bit that got pointed out by jsimmons is like natural to me. It's just automatic and I never had issues with any of the websites I developed, except when I just started I created a JS injection vulnerability (which I also fixed and cleared upon first notice).
However, I know much less about how to configure your webserver safely. I'm on the fast track atm learning about that. As it always is with the small personal projects I do, I pick a subject I wanna learn. This seems to contribute.

btw :D for the response so far. I know security is the first thing popping up in your tech-savvy brains out there, but some suggestions/features are welcome too ;)
 

SpudR

Retired Team Member
Premium Supporter
July 27, 2007
2,657
718
Yorkshire, UK
Home Country
England
You are kinda missing the point - getting access to your server will be through the security exploits inherent in the version of the software you are using.
There are known exploits in Apache for instance that can give you access to the entire server as an admin (or root), and access ALL files on the system...

Not sure if this link will get deleted, but have a read of this:
Web Server Defacements (Part 1)
If it doesn't scare the pants off you I don't know what will..!

Once your server has been compromised, there is no end to the mayhem - Zombie PC anyone?
Zombie computer - Wikipedia, the free encyclopedia

I'm with jsimmons - minimize exposure!!


pilehave

Community Skin Designer
Premium Supporter
April 2, 2008
2,566
521
Hornslet
Home Country
Denmark
What are you doing browsing the web? Your browser (be it Firefox, Internet Explorer or whatever) is also vulnerable to several security-issues ;)

Well...it all comes down to risk-management. Every real-life action is an assessment between gain and cost/risk.


joz

Portal Pro
March 17, 2008
1,353
306
Home Country
Netherlands
Yep, I assessed it and for me it's not really a big risk. At least I can live with a failure of the server.
Again, the infiltrating of my home LAN I find hard to believe and I do not think/see that anything other than my server gets screwed over.

Besides that, you're talking about something all webhosters live with. These guys can do it, so I think I can do it too.
If running Apache on its own (which I have been doing for the last 2/3 years I think) is already a big security risk, I should have been screwed over ages ago.

p.s.
Besides the point a bit, but I think of IIS as more of a security risk. I run the out-of-date version that comes with XP (IIS 5.1).
And SpudR, thx for the links, I'll read 'em tonight after work.


SpudR

Retired Team Member
Premium Supporter
July 27, 2007
2,657
718
Yorkshire, UK
Home Country
England
Kinda agree about the risk thing - it's a personal choice.
You could always remove the locks from your home and car, but I guess you wouldn't!
People NEED a certain amount of security - else you become a danger to yourself and the people around you. Getting hacked and allowing malicious software to run on your PC is the reason there is so much spam and crime on the Internet.
Protecting yourself protects others too :)
Getting a bit OT though...


joz

Portal Pro
March 17, 2008
1,353
306
Home Country
Netherlands
I will notice when my machine is part of some botnet for spamming and malicious bandwidth-heavy traffic on this server. If I wanted to, I could even write a cron (or task for Windows use) to check that (with maybe even excludes of certain behaviour or file-sharing ports).
I've read SpudR's article, which is insightful, thanks. However, it did not convince me to cancel the project. I feel confident enough I can manage this securely enough; however, I'm thinking not to release this. I do not want to be responsible for the billions of variables out there ;)
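
A minimal version of the periodic check joz describes (a cron job or Windows scheduled task that flags when the server starts fanning out lots of outbound connections, with excludes for file-sharing ports), as an added example that is not from the thread. It parses text in the column layout of `netstat -n`; the sample block is constructed, the ephemeral-port heuristic for "we initiated this connection", the exclusion of port 6881 and the threshold of 3 are my assumptions, and a scheduled task would feed real `netstat -n` output to suspicious_ports() instead of the sample.

```python
from collections import Counter

# Constructed sample in the layout of `netstat -n` output; not a real capture.
# 192.168.1.10 is the hypothetical server; 203.0.113.x and 198.51.100.x are
# documentation address ranges used as stand-ins for remote hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        198.51.100.9:51000     ESTABLISHED
  TCP    192.168.1.10:49152     203.0.113.5:25         ESTABLISHED
  TCP    192.168.1.10:49153     203.0.113.6:25         ESTABLISHED
  TCP    192.168.1.10:49154     203.0.113.7:25         SYN_SENT
  TCP    192.168.1.10:49155     203.0.113.8:25         ESTABLISHED
  TCP    192.168.1.10:49156     198.51.100.20:6881     ESTABLISHED
  TCP    192.168.1.10:49157     198.51.100.21:6881     ESTABLISHED
"""

# Remote ports the operator chooses to ignore (joz's "excludes" for file-sharing
# traffic); 6881 is a common BitTorrent port, used here purely as an example.
EXCLUDED_REMOTE_PORTS = {6881}
EPHEMERAL_START = 49152          # heuristic: local port here => this host initiated it
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}
THRESHOLD = 3                    # connections to one remote port before alerting


def parse_netstat(text):
    """Return (local_port, remote_ip, remote_port, state) for each TCP row.
    Header and blank lines have a different column count and are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        _, local, remote, state = parts
        remote_ip, remote_port = remote.rsplit(":", 1)
        rows.append((int(local.rsplit(":", 1)[1]), remote_ip, int(remote_port), state))
    return rows


def outbound_counts(rows, excluded=EXCLUDED_REMOTE_PORTS):
    """Count connections this host initiated, keyed by remote port.
    Inbound client connections to the web server (local port 80) and listeners
    are ignored, as are the excluded ports."""
    counts = Counter()
    for local_port, _, remote_port, state in rows:
        if local_port < EPHEMERAL_START or state not in OUTBOUND_STATES:
            continue
        if remote_port in excluded:
            continue
        counts[remote_port] += 1
    return counts


def suspicious_ports(text, threshold=THRESHOLD, excluded=EXCLUDED_REMOTE_PORTS):
    """Remote ports with at least `threshold` outbound connections, busiest first.
    A web server suddenly talking to many hosts on port 25 is the classic sign
    of the spam-bot behaviour discussed in the thread."""
    counts = outbound_counts(parse_netstat(text), excluded)
    return sorted(((port, n) for port, n in counts.items() if n >= threshold),
                  key=lambda pn: (-pn[1], pn[0]))


if __name__ == "__main__":
    for port, n in suspicious_ports(SAMPLE_NETSTAT):
        print("ALERT: %d outbound connections to remote port %d" % (n, port))
```

For the scheduled run, replace SAMPLE_NETSTAT with the captured output of `netstat -n` (for example via subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout) and have the task mail or log any non-empty result; the thresholds are a starting point to tune against what the server normally does.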
     
