Why do I need a firewall on web projects

    Hello. Usually, when a web project is built with security in mind, most of the attention goes to the web application, and people forget about protecting the server itself, namely the firewall. I understand that the server, including the firewall, should be configured by a dedicated person, the system administrator, but in many situations the programmer ends up being his own admin. Even for a programmer, setting up a firewall takes only about a day, and it eliminates a whole class of potential problems. Which ones? Let me tell you a short story about a hack.

    In my city, the leading provider runs a local tracker, which is quite large (let's not discuss its legality; we are only interested in project security). Because I am developing a tracker myself, I am interested in new features, and I periodically visit different trackers, including this one.
    Once I saw a 502 Bad Gateway error from nginx and decided to try going directly to apache later. Apache is usually moved to port 8080. I got in, which means the firewall was not configured; I looked at the response headers: it was FreeBSD. I think whoever installed FreeBSD should be fairly experienced in configuring it and simply forgot to close the port when setting up nginx as the frontend and apache as the backend.
    So I decided to check :) Nmap showed that all the ports used by the applications were open: 21, 22, 25, 80, 3306, 8080 and a few more.
    Since I am also involved in development, I knew that this tracker engine (torrentpier) can use caching via memcached. I checked the standard memcached port: it was open. I wrote a simple script to connect to memcached. Having studied the torrentpier sources, I found out the names of the keys the cache is written to. Two of those values turned out to be interesting: an array of tracker settings and the full HTML of the main page as shown to an unauthorized user.
    From the tracker settings I learned the login, password and address of the SMTP server, i.e. a potential attacker can already send spam (SMTP is not closed either).
    I tried the SMTP password as the tracker administrator's password, and it worked: I got administrator access to the tracker.
    I understand that this was a "lucky" set of circumstances, but simply closing the ports would already have helped.
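    The kind of probe the story describes, as an added example that is not the original post's script or any torrentpier code: a minimal client for the memcached text protocol that confirms the service answers on a port and reads named keys. To run offline it starts a constructed in-process fake memcached (one connection, `version`/`get`/`quit` only); the key names and the PHP-serialize-shaped value are made up stand-ins for an engine's cache. Point `check_exposure` at a real host:port from outside the server to test a live box; after the firewall is in place the same call should fail with a refused or timed-out connection.

```python
"""Memcached exposure probe (added example, not the post's own script)."""
import socket
import threading

# Constructed sample cache contents. Key names and the serialized settings
# string are hypothetical; they only mimic what an exposed cache might hold.
FAKE_CACHE = {
    "tracker_config": (b'a:3:{s:9:"smtp_host";s:16:"mail.example.org";'
                       b's:10:"smtp_login";s:5:"robot";'
                       b's:13:"smtp_password";s:8:"secret42";}'),
    "index_page_guest": b"<html><body>Tracker main page</body></html>",
}


def _fake_memcached(server_sock):
    """Serve ONE connection with a tiny subset of the memcached text protocol."""
    conn, _ = server_sock.accept()
    with conn:
        buf = b""
        while True:
            data = conn.recv(4096)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                parts = line.split()
                if not parts:
                    continue
                if parts[0] == b"version":
                    conn.sendall(b"VERSION 1.4.15\r\n")
                elif parts[0] == b"get":
                    out = b""
                    for key in parts[1:]:
                        val = FAKE_CACHE.get(key.decode())
                        if val is not None:  # memcached only reports hits
                            out += b"VALUE %s 0 %d\r\n%s\r\n" % (key, len(val), val)
                    conn.sendall(out + b"END\r\n")
                elif parts[0] == b"quit":
                    return
                else:
                    conn.sendall(b"ERROR\r\n")


def start_fake_server():
    """Bind the fake on a random loopback port; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_fake_memcached, args=(srv,), daemon=True).start()
    return srv.getsockname()


class MemcachedProbe:
    """Just enough of the text protocol to identify the service and read keys."""

    def __init__(self, host, port, timeout=3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def _fill(self):
        chunk = self.sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed by server")
        self.buf += chunk

    def _readline(self):
        while b"\r\n" not in self.buf:
            self._fill()
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line

    def _readn(self, n):
        while len(self.buf) < n:
            self._fill()
        data, self.buf = self.buf[:n], self.buf[n:]
        return data

    def version(self):
        self.sock.sendall(b"version\r\n")
        line = self._readline()
        if not line.startswith(b"VERSION "):
            raise ValueError("not a memcached text-protocol response: %r" % line)
        return line[len(b"VERSION "):].decode()

    def get(self, *keys):
        """Return {key: value} for the keys that exist (misses are simply absent)."""
        self.sock.sendall(b"get " + b" ".join(k.encode() for k in keys) + b"\r\n")
        found = {}
        while True:
            line = self._readline()
            if line == b"END":
                return found
            _, key, _flags, nbytes = line.split()[:4]   # "VALUE <key> <flags> <bytes>"
            found[key.decode()] = self._readn(int(nbytes))
            self._readline()                              # CRLF after the data block

    def close(self):
        try:
            self.sock.sendall(b"quit\r\n")
        finally:
            self.sock.close()


def check_exposure(host, port, keys):
    """Connect, confirm it is memcached, and report which of `keys` are readable."""
    probe = MemcachedProbe(host, port)
    try:
        return {"version": probe.version(), "readable": probe.get(*keys)}
    finally:
        probe.close()


if __name__ == "__main__":
    host, port = start_fake_server()
    print(check_exposure(host, port, ["tracker_config", "index_page_guest", "missing"]))
```

    The point of the probe is that memcached has no authentication at all: if the TCP connect succeeds, every key whose name you can guess (or read out of the engine's open source) is yours, which is why the only real defence is not reaching the port in the first place.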

    Conclusion

    Besides the security of the web application itself (php, python, ruby, etc.), you also have to think about the security of the server itself (in particular the firewall) and of every tool running alongside the application. The firewall should deny everything by default and open only what the public actually needs; backend services that are used only locally (apache behind nginx, MySQL, memcached) should in addition be bound to the loopback address, so that a missing firewall rule alone does not expose them. You also need different passwords for everything (mail, database, ftp), even within a single project: here, one reused SMTP password turned a readable cache into administrator access.
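    As an added example (not the tracker's actual configuration), a minimal FreeBSD pf ruleset that would have closed the story's holes. It assumes the public interface is em0, that nginx listens on 80 and sshd on 22, and that apache (8080), MySQL (3306), memcached (11211), SMTP (25) and FTP (21) are for local use only; adjust the interface name and the port list to the real host.

```pf
# /etc/pf.conf (added example). Public interface and public ports are assumptions.
ext_if     = "em0"
public_tcp = "{ 22, 80 }"

set skip on lo0             # backend services talk to each other over loopback only

block in log all            # default deny: nothing from outside unless allowed below
pass out quick keep state   # outbound traffic from the box is unrestricted

# Inbound from the Internet: only ssh and the nginx frontend.
pass in on $ext_if proto tcp to ($ext_if) port $public_tcp flags S/SA keep state

# Not listed, therefore dropped from outside: apache 8080, MySQL 3306,
# memcached 11211, SMTP 25, FTP 21 (the ports the nmap scan in the story found open).
```

    Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and verify from another host with nmap that only 22 and 80 remain reachable. Independently of the firewall, start memcached with `-l 127.0.0.1` so it never listens on the public address; the same applies to MySQL's bind address and apache's `Listen` directive.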

    PS: I did this not to break anything, but purely out of "sporting" interest. The tracker administrator was notified almost immediately about the possibility of "hacking", including every step.
    %Username%, do you have a firewall configured?
