[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Hacking, security and Pi3Web [was More Questions]

> Well, with my previous problem fixed(I forgot to update the shortcut for
> the new installation, so it was running the old version instead of the
> new one); some more questions came up:
>     Can people hack my Pi3Web and get access to my hard drive?  This
> would be terrible because I have no way to keep backups, and have some
> very, very important data.

Pi3Web has incorporated the current best anti-hacking practices
including validation of all buffer lengths, parsing of all network
data (and headers) received and URL parsing to remove (.. and .)
sequences. This makes it (IMHO) as secure as any other commercial
or free web server avialable. 

However security is a nebulous issue which can't really
be summarised. If you want your webserver as secure as it can
be do this:

	- Don't allow any CGI programs

	- If you do allow CGI programs inspect every line for an
	exploitable bug

	- Change the version stamp of the server in Config.pi3
	(from Pi3Web/1.0.3) this is the only way a hacker can tell
	what server (and hence which known bugs) to exploit.

	- Run the server as a dedicated user with access only to
	certain directories and services.

	- On UNIX systems always set the 'User' and 'Group' 
	parameters in Config.pi3 - don't let the server run as root

	- Monitor CERT adviseries.

	- Be a little paranoid. Understand whats going on. Adopt
	the opinion that 'any system can be hacked'.

In general there's two risks from being hacked, i) someone
can take down your machine (denial of service), ii) someone
can gain control of the machine. In general you can avoid
the second by following the above and other good security
tips. These days its a little difficult to avoid the first, 
especially given operating system and TCP stack bugs that
can be exploited with programs like tear-drop.

Now referring to backups. From your e-mail I would suggest
that the greatest risk to your (very very important) data on
your HD is HD failure. I used to be someone who 
thought that HD failure could not happen to my little 
home system.

Then one morning for no apparent reason my hard disk
became toast and I lost a weeks work. Now I do backups.


>     Also:  can I set up POP3 accounts that would go to my server?  I'm
> not on 24/7, and that could be a problem.  Is there any way around not
> being on at all times when talking about POP3s?  Whether or not there is
> a way around it, how do I set them up?
> Answers,  comments, etc. are greatly appreciated.
> Adam Fast