home
products
contribute
download
documentation
forum
Home
Forums
New posts
Search forums
What's new
New posts
All posts
Latest activity
Members
Registered members
Current visitors
Donate
Log in
Register
What's new
Search
Search
Search titles only
By:
New posts
Search forums
Search titles only
By:
Menu
Log in
Register
Navigation
Install the app
Install
More options
Contact us
Close Menu
Forums
MediaPortal 1
MediaPortal 1 Talk
Server and HTPC webconsole
Contact us
RSS
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Reply to thread
Message
<blockquote data-quote="joz" data-source="post: 401780" data-attributes="member: 70244"><p>yeah it is, I know, so that part should be taken seriously.</p><p></p><p>But people tend to say such things before even considering what they are securing. it's just my htpc. It's not the homelandsecurity or something. I have an image lying around, run daily backups, so hack aways I say. I'm back up and running in no-time.</p><p>I know that's no solution though. For now it's protected behind basic authenticication but will move to an php/mysql based login with md5 encryption or SHA1.</p><p></p><p>Besides that, programming the scripts right, especially the ones doing shell_exec's will be important. That's the part of it now that kinda exposes the whole underlying machine to the net. The rest of what runs on it really doesn't.</p><p></p><p>I was thinking about detection of hack attacks, through analyzing apache logs btw. Say every 15 minutes check if there's an IP trying to bruteforce the login. If so then deny access to all shell_exec till the admin comes along and turns it back on.</p><p></p><p>The apache module Mod Deny could also be something that could work. Besides that if you are really paranoid you can flip the black list idea of mod deny and create a white list. Just allow access from a couple pre defined IPs.</p><p></p><p>p.s.</p><p>I already subdued a hackattack couple days ago. Just some random guy trying to brute force it. Bruteforcing logins, even basic autehnticiation ones take time (this guy was going at it for 2 days till I stopped him dead in his tracks). A script could pick that up before something serious is going on (the bruteforce succeeds <img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite2" alt=";)" title="Wink ;)" loading="lazy" data-shortname=";)" />)</p><p></p><p>---EDIT----</p><p></p><p>SpudR you made me think (arg, the pain <img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite1" alt=":)" title="Smile :)" loading="lazy" data-shortname=":)" />), another idea;</p><p>Allow logins only every 5 to 10 minutes. That will make brute forcing unbarable slow.</p><p></p><p>I would like to know more of your opinions about security. What can be done to keep the threads to a minimum?</p><p>I will continue down this path even if it's proven to be too unsecure to realese to the public.</p><p>A release will be hard anyways as I have set this up on Apache and PHP, so that will be a minimum requirement.</p></blockquote><p></p>
[QUOTE="joz, post: 401780, member: 70244"] yeah it is, I know, so that part should be taken seriously. But people tend to say such things before even considering what they are securing. it's just my htpc. It's not the homelandsecurity or something. I have an image lying around, run daily backups, so hack aways I say. I'm back up and running in no-time. I know that's no solution though. For now it's protected behind basic authenticication but will move to an php/mysql based login with md5 encryption or SHA1. Besides that, programming the scripts right, especially the ones doing shell_exec's will be important. That's the part of it now that kinda exposes the whole underlying machine to the net. The rest of what runs on it really doesn't. I was thinking about detection of hack attacks, through analyzing apache logs btw. Say every 15 minutes check if there's an IP trying to bruteforce the login. If so then deny access to all shell_exec till the admin comes along and turns it back on. The apache module Mod Deny could also be something that could work. Besides that if you are really paranoid you can flip the black list idea of mod deny and create a white list. Just allow access from a couple pre defined IPs. p.s. I already subdued a hackattack couple days ago. Just some random guy trying to brute force it. Bruteforcing logins, even basic autehnticiation ones take time (this guy was going at it for 2 days till I stopped him dead in his tracks). A script could pick that up before something serious is going on (the bruteforce succeeds ;)) ---EDIT---- SpudR you made me think (arg, the pain :)), another idea; Allow logins only every 5 to 10 minutes. That will make brute forcing unbarable slow. I would like to know more of your opinions about security. What can be done to keep the threads to a minimum? I will continue down this path even if it's proven to be too unsecure to realese to the public. A release will be hard anyways as I have set this up on Apache and PHP, so that will be a minimum requirement. [/QUOTE]
Insert quotes…
Verification
Post reply
Forums
MediaPortal 1
MediaPortal 1 Talk
Server and HTPC webconsole
Contact us
RSS
Top
Bottom
