Re: Update Databases from Webserver
Peter, Thanks for your response. In response to You don't say why you'd want to do this. If you want to allow customers of an e-commerce site to avoid repeating their details whenever they want to buy, perhaps consider basing the payment backend around PayPal. The need for users to authenticate in order to make a payment hasn't brought e-Bay to its knees. Pretty much the end result would be Amazon like with the customer being able to choose a previously used card. Is this possible without storing credit card numbers or using paypal? Anyway thanks everyone for their replies thus far any input helps. -Troy -Original message- From: Peter Risdon [EMAIL PROTECTED] Date: Tue, 7 Sep 2004 07:18:22 -0600 To: FreeBSD Mail Lists [EMAIL PROTECTED] Subject: Re: Update Databases from Webserver I'm afraid the awful truth is that if you need to ask this question here, you shouldn't be storing other people's credit card details on your server. If you want to use the numbers to confirm identity or something, you could store an encrypted version of the number and use that for comparison. But to start storing plaintext CC details on your system without being deeply expert in all the security issues raised would be very dangerous. And the high degree of monitoring needed for such a system would make it uneconomical without commensurately high volumes of business. Peter. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Update Databases from Webserver
Hello, I would like to see how other people are updating backend databases (postgresql on FreeBSD, internal network) from a webserver (apache,php on FreeBSD, dmz network) through a firewall. Pretty much what I am trying to learn is how to take private information (credit card numbers, etc.) and write it to a backend database without leaving any huge holes for hacking. Should this be done or am I barking up the wrong tree, should there be an intermediary step? I have been trying to find information books/web that gives a real nuts and bolts way of trying to do this stuff and am not having a lot of luck. Any pointers books or sites would be appreciated. Thanks for your time. Troy ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Update Databases from Webserver
Richard, Thanks for your reply. I thought there was something terribly wrong with that logic. So I thought I would ask in this mail list since people have been great here in the past about everything else I wanted to know. Are there any security lists in relation to ecommerce that you would recommend? So I can stop annoying everyone else here. I just don't want to make anymore mistakes than I have to starting down this road. Thanks again, Troy -Original message- From: Richard Lynch [EMAIL PROTECTED] Date: Mon, 6 Sep 2004 17:22:54 -0600 To: FreeBSD Mail Lists [EMAIL PROTECTED] Subject: Re: Update Databases from Webserver FreeBSD Mail Lists wrote: I would like to see how other people are updating backend databases (postgresql on FreeBSD, internal network) from a webserver (apache,php on FreeBSD, dmz network) through a firewall. Pretty much what I am trying to learn is how to take private information (credit card numbers, etc.) and write it to a backend database without leaving any huge holes for hacking. Should this be done or am I barking up the wrong tree, should there be an intermediary step? I have been trying to find information books/web that gives a real nuts and bolts way of trying to do this stuff and am not having a lot of luck. Any pointers books or sites would be appreciated. The most common answer is Don't do that 99.9% of e-commerce sites have absolutely no business storing credit card numbers on any hardware they own. They should simply run the transaction through their Merchant Account (bank) computer using a secure connection, and the software provided by their Merchant Account (bank). If you need a recurring charge, you can run your charge through the Merchant Account as a recurring charge (whoda thunk it?) and the Merchant Account software will give you back a unique transaction # to refer to if you ever need to cancel THAT particular recurring charge. You would store only that transaction number, and *NOT* the customer's credit card charge. In the unlikely event that you really *ARE* in the 0.01% of servers that needs to store credit card info... Well, it's kinda scare that you're asking here, rather than a security mailing list, but here is *ONE* solution that may be worth considering. I am posting to the list so that others can tell us just how inadequate this is. You should also be aware that by no means am I an expert -- I am simply describing what has been described to me as the right way (tm) to do this. My information may be out of date. (It's been awhile.) I chose to let the Merchant Account (bank) worry about keeping credit card numbers safe, rather than do all of the following. You probably should too. Depending on the current interpretation of existing laws, you, the web developer, may or may not be held responsible for *ANY* damages that result from your work -- no matter how faultless you may be in reality. We're talking legalities here, not reality. Did I mention that you really shouldn't be doing this at all? Good. First, your servers *MUST* be in a physically secure location, with access limited to *ONLY* people you really really really trust. No software in the world will do you any damn good if a not-so-honest person can waltz in and play around with the hardware! If you *CANNOT* guarantee that the hardware in question can *ONLY* be accessed by trusted individuals, than you should stop reading right here and now. This rules out shared servers, co-location (IMHO), and almost all corporate servers, which need too many people of limited trust value to be able to access them to keep them up. Next, you need a SECOND server which will be used to hold credit card info, and that second computer will *NOT* be connected to the Internet (directly) You put an extra NIC in your web-server, and run a cross-over cable to the SECOND server, the extra one, which will hold the credit card numbers. You limit ethernet access to that second computer which will hold credit cards so that *ONLY* the one computer connected to it via the cross-over cable will be allowed to connect. The extra NIC in the web-server and the SECOND server are both on a separate sub-net from everything else in your system. IE, the only interface cards in your entire organization that utilize the IP address space in question are those two (2) NICs. You then make 100% sure that you simply cannot get to that SECOND box from anywhere else in the organization. What is quite well-documented is that you use SSL (and ONLY SSL) to allow the customer to get their credit card info to your web-server. You then write some routines to get the credit card numbers from your web-server through your second NIC to the second server. These routines get the fine-tooth code-review treatment, by multiple people. They should be mind-numbingly simple, clearly documented
Re: savemail: cannot save rejected email anywhere on recent 4.9-STABLE
A late response, but I've seen this happen with certain blacklist problems (like when the localhost address got put in one of the blacklists). On Thu, 29 Jan 2004, Clint Gilders wrote: This server is running 4.9-STABLE built from new sources on Jan 24, 2004, and upgraded (via 4.6-RELEASE and 4.8-RELEASE) from 4.3-RELEASE. This is a very busy busy mail server and in my /var/log/messages I'm seeing lots of messages like: Jan 29 08:03:48 ns2 sm-mta[91987]: i0TE3TnC091987: SYSERR(root): savemail: cannot save rejected email anywhere Does this mean that sendmail can't put mail in /var/spool/mqueque? I've compared mail settings on this server to a new server running 4.9-STABLE and I can't see any differences in the permissions on the files I've looked at. I'm using the default setting from /etc/defaults/rc.conf and simply have sendmail_enable=YES in /etc/rc.conf I've looked on google, but none of the results I looked at helped. Any suggestions on where to look? Anymore info from me that would help? Thanks -- Clint Gilders [EMAIL PROTECTED] Director of Technology Services OnlineHobbyist.com, Inc. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Samba over SSH
I want to use PuTTY and ssh to port forward and map a samba share across the internet. From what I have read on the net it almost seems possable. Does anyone know how this can be done? If it cant I guess I will have to use some VPN thing.. Thanks in advance Richard Puga [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Samba over SSH
I am using FreeBSD 4.8 and Samba 2.2.8 as the server, I would like to use any windows operating system for the client side, but probably XP. (I want to map the samba share to the windows box) Thanks for your Help Richard Puga [EMAIL PROTECTED] On Sat, 2003-09-20 at 08:25, FreeBSD MAIL wrote: I want to use PuTTY and ssh to port forward and map a samba share across the internet. From what I have read on the net it almost seems possable. i guess u have to set up ssh port forwarding for the ports 137,138 and 139. which box shall provide the share (windows, fbsd, linux...) ? what kind of OS is used on the client boxes ? seb Does anyone know how this can be done? If it cant I guess I will have to use some VPN thing.. Thanks in advance Richard Puga [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Samba over SSH
I guess the problem I am having is with PuTTY, I am forcing ssh 2 and putting in the ports and addresses for the client and server as best I can, I have been able to get VPN to work over pptp, which is cool but I would prefer using ssh. If you have a copy of putty laying around would you mind trying it? Or even teraterm-ssh, I am reluctant to use cygwin and such because of the user interface. Thanks again. Richard Puga [EMAIL PROTECTED] PS Have you gotten this to work with cygwin or somthing before? I am using FreeBSD 4.8 and Samba 2.2.8 as the server, I would like to use any windows operating system for the client side, but probably XP. (I want to map the samba share to the windows box) so one idea could be to start three ssh tunnels from client side. which command line u may wonna do something like this: $ ssh -L 137:localhost:137 -N -f [EMAIL PROTECTED] $ ssh -L 138:localhost:138 -N -f [EMAIL PROTECTED] $ ssh -L 139:localhost:139 -N -f [EMAIL PROTECTED] (putty should be able to do something similar. but i guess u will need some scripting so that these ssh commands will be executed on startup of the client systems or at least before the shares will be mounted of course.) now u should be able to connect ur clients to any share on server side with \\localhost\share-name i am not familiar with VPN. possibly its a better solution (?) seb Thanks for your Help Richard Puga [EMAIL PROTECTED] On Sat, 2003-09-20 at 08:25, FreeBSD MAIL wrote: I want to use PuTTY and ssh to port forward and map a samba share across the internet. From what I have read on the net it almost seems possable. i guess u have to set up ssh port forwarding for the ports 137,138 and 139. which box shall provide the share (windows, fbsd, linux...) ? what kind of OS is used on the client boxes ? seb Does anyone know how this can be done? If it cant I guess I will have to use some VPN thing.. Thanks in advance Richard Puga [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ddclient + apache
Bryan; It could be helpful to READ the README file? I dont have usr/ports/net/ddclient on 4.8-STABLE recently synced with ports tree. I do although see a ports/net/ddc folder. Check that. -Jason On Wed, 17 Sep 2003, Bryan Cassidy wrote: Hello, I'm trying to install ddclient but when I make install make clean in net/ddclient it says doesn't know how to make install and there is only a read me in that directory. What should I do to install this package? Never had this problem before with this port. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Patching Openssh on 4.9 PRERELEASE
David; You need to edit version.h within /usr/src/crypto/openssh/version.h and change the FreeBSD-20030201 to be FreeBSD-20030916. The patch doesnt update the date. Only patches the security issue. On Tue, 16 Sep 2003, David Wagenheim wrote: The other day I cvsup'd using the stable supfile, did buildworld, installworld and built and installed a new kernel. All of that went fine and I now have a 4.9-PRERELEASE box. Today, I went to patch OpenSSH and I did: # cd /usr/src # patch /root/buffer46.patch # cd /usr/src/secure/lib/libssh # make clean # make depend make all install # cd /usr/src/secure/usr.sbin/sshd # make clean # make depend make all install # cd /usr/src/secure/usr.bin/ssh # make clean # make depend make all install Everything went fine but when I checked the version of the newly built sshd, it said: sshd Version OpenSSH_3.5p1 FreeBSD-20030201 but according to the advisory, for 4.8, it should be: OpenSSH_3.5p1 FreeBSD-20030916 (For all versions of FreeBSD mentioned in the advisory, the version # of OpenSSH reflects 20030916, so I assume mine should as well). Now I know that I don't have 4.8 but rather 4.9, but does the fact that the version number doesn't reflect September 16 mean that there currently isn't a way to update sshd on a 4.9 system? If it is helpful, output from uname -a is: FreeBSD db.mydomain.com 4.9-PRERELEASE #0: Sun Sep 14 17:38:58 EST 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC Thanx, David __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]