> 1. Security through obscurity is your first mistake. There is no such thing. 

Interesting.... It does not exist, but it has an article on Wikipedia. Sounds 
like a UFO or Yeti...

> 2. Assuming that nobody is writing CGI scripts on Windows Servers is your 
> next mistake. A lot of systems still do this, a lot of old systems still use 
> this technique and some new ones. The attack vector is not necessarily 
> through your CGI script itself but through the Windows Web server. Unless you 
> have patched and patched and patched your web server, you will be attacked. 

Of course I keep my web server software up-to-date, why do you think I do not 
do it? I am talking here about my scripts, not about the server SW. But the 
server SW is relatively rare too... 

> 3. You assume that nobody is interested in your machine. Wrong. A lot of 
> people are very interested as they can add your hacked server to their botnet 
> and sell your resources on. Your machine does not have to be publicised at 
> all. As an example, I have a private server which I use. It has no DNS entry 
> (a common way to search for machines), so is only accessible through an IP 
> address which has never been published. It only has a single ssh port open 
> and port 80 for a private web server running some software; the rest of the 
> machine is locked down as best I can. The lock down took me a day to do. It 
> is not trivial. My last weekly report showed over 200,000 attempts to break 
> into the machine via ssh, http, and various CGI exploits. That's 200,000 robot 
> attempts, the most prevalent was an ssh attempt from a single machine which 
> accounted for 72,000 goes. A public web server I have has over 1M hacking 
> attempts per week. This is for a low usage machine. 

Script kiddies start code written to attack widespread systems, 
otherwise it would not be much fun. Some of this code could be specialized to 
intrude on minor systems, but I doubt there are a number of working scripts to 
successfully intrude on systems of rare occurrence.

Real hackers, those who are experienced in writing WORKING code targeted to 
intrude on one specific rare system, need a REAL reason to do such a job. My system 
does not offer such a reason....

> I give your machine less than 24 hours once it is live on the internet if you 
> put it on without taking security seriously. You need to get the OS patched 
> up, the ports closed down, the web server patched up and correctly 
> configured. Out of the box the security on a Windows server (depending on the 
> version) is poor. You need to learn what you need to do (and there are loads 
> of guides on the internet) otherwise your server will be owned by somebody 
> else very quickly. 

As I already wrote, I am not using IIS. The OS is protected by a manually configured 
firewall. Following the concept of security through obscurity, I am using this one: 
http://wipfw.sourceforge.net/ Intruding scripts perform OS detection first, but 
do not expect a BSD firewall on Windows... Simple as that. Do you understand the STO 
concept now?

L.

BTW: There is a smiley next to this "trust me"; this obviously means: do not take it 
too seriously....

> To be blunt you have misunderstood computer security. Saying "trust me" 
> doesn't work. 

> Best of luck,

> Rob

>> On 11 Sep 2015, at 13:42, Petr Lázňovský <lazna at volny.cz> wrote:

>> There is a major difference: You are talking about SSH and Linux, this 
>> combination running on hundreds of millions of network devices across the whole 
>> internet. Thus developing intruding scripts does make sense. But I am using 
>> Windows shell scripts as CGI, which is EXTREMELY rare. Who will study this 
>> technique to intrude on my (or very few other) systems? No one.... trust me 
>> ;-)

>> L.

>> BTW: If someone did it anyway, I will give him a medal and start sharing 
>> experiences with him 

>>> You'd be surprised by what is out there trying to get into your system.

>>> I had port 22 open on my home router to go to a Linux machine so I could 
>>> SSH into my home network from anywhere in the world, even though I rarely 
>>> ever leave the 519 area code.  One day I went to look at my messages log 
>>> file and noted numerous brute force attempts to get into my machine.  
>>> Fortunately, the machine is set up so that you can't SSH in as root, and the 
>>> single login name that has any kind of root-capable access is 
>>> intentionally camel cased to thwart name dictionary attacks.  The attacks 
>>> were automated at their end, obviously, but if you have a machine exposed, 
>>> someone is going to have software that will do anything and everything to 
>>> gain access through whatever weakest link you have.


>>> I'm on a residential cable line, with an IP that changes periodically, 
>>> however, I'm still subject to attacks.  SSH is a common thing, and what you 
>>> have written may not be interesting to the hacker space as a whole, 
>>> however, there is that one idiot out there that WILL take the time to break 
>>> into your system for jollies.





>>> On Fri, Sep 11, 2015 at 6:12 AM, Petr Lázňovský <lazna at volny.cz> wrote:


>>> Never heard about this. Thought about this a bit, but have no idea how it 
>>> could menace my CGI application. But as I am a beginner, I expect it 
>>> could be a menace but rely on security by obscurity. Some time ago, when I 
>>> started writing CGI powered by Windows shell scripts, I searched (almost the 
>>> whole) internet for some examples or information, but I found nothing..... 
>>> That means I am lonely with this technique ;-) No hacker will study such 
>>> a weird technique to intrude on only one system on the whole internet ;-)

>>> L.



>> _______________________________________________
>> sqlite-users mailing list
>> sqlite-users at mailinglists.sqlite.org
>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
