
Why do you need a firewall on web projects

Hello. Usually, when creating projects on the Internet, people pay more attention to the security of the web application and forget about protecting the server itself, namely the firewall. I understand that a dedicated person, a sysadmin, should be involved in setting up a server, including its firewall, but in many situations it turns out that the programmer is the admin as well. Setting up a firewall takes only about a day, and it eliminates a whole class of potential problems. Which ones? Let me tell a little story of "hacking".

In my city, the leading provider runs a local tracker, a pretty big one (let's not talk about legality; we are only interested in the security of the project). Since I am developing another tracker myself, I am interested in various new features, and I periodically visit different trackers, including this one.
Once I saw the error 502 Bad Gateway from nginx, and later decided to go straight to apache. Usually apache is moved to port 8080. The page loaded, which means the firewall is not configured; I looked at the response headers and saw FreeBSD. I think that those who install such a setup should be quite experienced and simply forgot to close the port when installing nginx as a frontend and apache as a backend.
So I decided to check :) A scan with nmap showed that all the ports used by the applications were open: 21, 22, 25, 80, 3306, 8080 and a few more.
Since I develop the same kind of software, I knew that this tracker engine (torrentpier) can use caching through memcached. I checked the standard memcached port, and it was open. I wrote a simple script that connects to memcached. Having studied the torrentpier sources, I knew the names of the keys under which the cache is written. Of these, 2 values turned out to be interesting: an array of tracker settings and the full HTML of the main page for a non-logged-in user.
From the tracker settings I learned the login, password and SMTP address of the server, i.e. a potential hacker could already send spam (SMTP was not closed either).
I tried the SMTP password as the tracker administrator password, and it worked: I got admin access to the tracker.
I understand that this was a "lucky" coincidence, but simply closing the ports would have prevented it.

Conclusion

In addition to the security of the web application itself (php, python, ruby, etc.), you need to think about the security of the server itself (in particular, the firewall) and of all the tools used alongside it. You also need to use different passwords for everything (mail, database, ftp), even within a single project.
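As an added example (not from the original post), here is what a default-deny firewall for the server described in the story could look like, written as a FreeBSD pf ruleset since the response headers pointed at FreeBSD. It exposes only the nginx frontend (80, 443) and ssh, and keeps apache on 8080, memcached (its standard port is 11211) and mysql unreachable from outside. The interface name em0 and the admin address 203.0.113.10 are assumed placeholders.

```pf
# Added example, not part of the original post.
# Assumed: external interface "em0", a single admin address (documentation-range
# placeholder) for ssh, and the services on their usual ports.

# --- macros ---
ext_if        = "em0"
admin_net     = "{ 203.0.113.10 }"    # placeholder: where ssh may come from
web_ports     = "{ 80, 443 }"         # the only ports the public needs
backend_ports = "{ 8080, 11211, 3306 }"  # apache backend, memcached, mysql

# --- tables ---
table <bruteforce> persist            # filled automatically by the ssh rate limit

# --- options / normalization ---
set skip on lo0                       # nginx -> apache/memcached talk over loopback; never filter it
scrub in all

# --- filter rules (last match wins unless "quick") ---
# Default deny: anything not explicitly passed below is unreachable from outside.
block in log all
pass out all keep state

# Hosts that tripped the ssh rate limit are dropped before any pass rule is considered.
block in quick on $ext_if from <bruteforce>

# Backend ports are already covered by the default deny; listed explicitly so a later
# edit cannot open them by accident.
block in log quick on $ext_if proto tcp to ($ext_if) port $backend_ports

# Public web frontend (nginx).
pass in on $ext_if proto tcp to ($ext_if) port $web_ports keep state

# Ssh only from the admin address, with a connection-rate limit that feeds <bruteforce>.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Inbound SMTP (25) stays blocked unless this host really is an MX; uncomment only then.
# pass in on $ext_if proto tcp to ($ext_if) port 25 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and treat the firewall as one layer rather than the only one: bind the backends to the loopback address as well (memcached with `-l 127.0.0.1`, apache with `Listen 127.0.0.1:8080`, mysql with `bind-address = 127.0.0.1`), so that a mistake in the ruleset does not immediately expose the cache and database the way the story describes. After loading, scanning your own host from an outside address, as the author did with nmap, is the quickest way to confirm that only 80, 443 and 22 answer.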

PS: I did this not in order to break anything, but simply out of "sporting" interest. The tracker administrator was notified almost immediately about the possibility of "hacking", including every step.
%Username%, have you configured a firewall?


Source: https://habr.com/ru/post/69436/
