Posted by Jeff Graham 
Internet Security Discussion
August 22, 2019 05:11PM
Continuing the security discussions in topic "WebService question": [www.wxforum.info]

I wanted to install a WebService at my long-time client. I already have port 4900 open for SCM use there, so I asked to have port 80 and FTP port 21 opened. The network consultant for my client highly recommended not doing so for FTP, which I can understand. So I asked for port 80 only. Here are his private comments to me:
Quote

With all due respect to your talents and wisdom, I can't recommend opening port 80 to the outside on the type of router presently installed. I am not sure if you are aware of just how bad the internet is currently, but I can tell you that within an hour of opening that port there will be between 10 and 50 attempts to break in every hour thereafter, and the chances of them succeeding are pretty strongly in favor of the bad guys. My SonicWall registers as many as 5 - 10 port scans a minute, and the bad guys will pounce on an open port to a Windows-based version of Apache like hawks on a rat.

Even if you do everything right and implement it exactly as recommended, the odds are likely only about 2 / 10 that you could make it a year without being clobbered unless protected by a firewall.

There are currently new vulnerabilities discovered every couple of weeks, and that means failure to regularly update makes you vulnerable. We simply don't have the resources or hardened operating systems to cope with this level of attack vectors.

Your system would be fine accessed via a VPN but an almost sure compromise if allowed via an open port 80 on a consumer-level router. Windows servers are not very strong by internet standards, and port 80 is the center of the bull's-eye for hacking remote systems. An interested attacker can almost immediately get what version of Apache you are running and the base OS that is hosting it. As soon as they see Windows Server, the race is on to crack it and take over the server.

What kind of mobile devices are you using? Chances are if they are Apple or Android they will support SonicWall SSL VPN, and that would be a lot better way to access your portal.

So I changed the port for Apache and the webservice to be 3999, and that did not satisfy him. His response:

Quote

More discouraging news there as well... changing the port means that someone would need to be more interested, but if the port is open they will very shortly determine that it's an Apache server running on Windows, and then the race will be on to crack it. Modern blackhat port scanners can do some pretty amazing port diagnostics. They can identify the server version, possible exploit vectors and check for patch levels that might allow an attack. They can fingerprint the server in less than a minute in most cases and produce a report that helps a lot in determining what exploits to use to gain root access. Where it's running on the PDC, any break to root gives them unlimited attack access to start stealing or encrypting.

Less dangerous than FTP, but unless it's running on a separate PC in a DMZ it's too likely to be cracked IMHO.

I have the highest respect for the network consultant, as we have worked together on many projects. He has set up our servers over the years. I started this thread for the purpose of sharing information and hopefully blocking some attacks. The security of the internet seems to me a very important issue that just adds work to our development.

Please share your comments, suggestions and let us all learn.

Jeff Graham
Cascade Consulting
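The consultant's claim above is that an exposed port 80 draws dozens of automated probes per hour. One way to see whether that is happening on your own Apache instance is to read its access log and flag sources that hammer paths that do not exist. The script below is an added example, not code from the original post or from any product mentioned in it; the log lines are constructed for the example (RFC 5737 documentation addresses and an invented "SCMClient" user agent), and the threshold of three 404s is an assumption you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. The addresses are
# documentation ranges and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2019:17:11:02 -0700] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2019:17:11:03 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2019:17:11:03 -0700] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2019:17:11:04 -0700] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Aug/2019:17:12:10 -0700] "GET /webservice/status HTTP/1.1" 200 512 "-" "SCMClient/1.0"
198.51.100.20 - - [22/Aug/2019:17:30:44 -0700] "POST /webservice/update HTTP/1.1" 200 88 "-" "SCMClient/1.0"
192.0.2.55 - - [22/Aug/2019:18:05:00 -0700] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client, timestamp, request line,
# status, size, referer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Turn raw access-log text into a list of dicts; lines that do not
    match the format are skipped rather than crashing the report."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(rec)
    return entries


def summarize_by_ip(entries):
    """Per-client counts: total requests, 404s and distinct paths touched.
    Many 404s on many distinct paths is the signature of a scanner trying
    well-known application locations rather than a user who mistyped a URL."""
    summary = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set()})
    for rec in entries:
        s = summary[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
    return summary


def flag_probers(entries, min_404s=3):
    """Return {ip: summary} for clients with at least min_404s 404 responses.
    The threshold is an assumption; set it from your own baseline traffic."""
    flagged = {}
    for ip, s in summarize_by_ip(entries).items():
        if s["not_found"] >= min_404s:
            flagged[ip] = {
                "requests": s["requests"],
                "not_found": s["not_found"],
                "distinct_paths": len(s["paths"]),
            }
    return flagged


def requests_per_hour(entries):
    """Count requests in each clock hour so the rate can be compared with the
    '10 to 50 attempts per hour' figure the consultant quoted."""
    buckets = defaultdict(int)
    for rec in entries:
        buckets[rec["time"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(buckets)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ip, info in flag_probers(parsed).items():
        print(f"{ip}: {info['not_found']} x 404 across {info['distinct_paths']} paths")
    for hour, n in sorted(requests_per_hour(parsed).items()):
        print(f"{hour}: {n} requests")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. On the constructed input only 203.0.113.7 is flagged: four 404s on four different paths in two seconds, which is what scripted probing looks like, while the SCM client and the single front-page hit are left alone. The per-hour counts give you the concrete number to compare with the rate the consultant described, and a flagged source list is something you can feed to the router's block list or a tool like fail2ban.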