[TriLUG] Protecting from SSL Vulnerabilities - iFolder

Matt matt at noway2.thruhere.net
Thu Apr 29 05:47:44 EDT 2010


Moving the port falls into the category of "security through obscurity",
which can help to cut down on the noise.  Moving the port would stop the
script kiddies that specifically target port 443, but anybody who runs a
port scan would quickly find the new location.

Since you are running apache, you may want to consider using browser
certificates in addition to passwords.  This would require that each
client has a server-issued (signed) certificate installed in their
browser to access the page.  If they present the certificate they can
then be prompted for their password, which would help in case someone
gains physical access to the client's machine.  Using the certificate
would help to eliminate the security loophole of client passwords, which
are typically very weak.  According to the IT consultant at work, who
worked at a bank, over 80% of the people used one of three passwords:
"password", "Jesus", and their first name.

Installing fail2ban is a great suggestion.  It will greatly slow down
anyone who tries to guess at the login.  If you are really paranoid,
you could install an intrusion detection system, but be aware that it
will need to be fine-tuned to eliminate false positives.

On Wed, 2010-04-28 at 21:27 -0400, Ron Kelley wrote:

> Greetings all,
> 
> I am in the process of rolling out Novell's "iFolder" app
> (http://ifolder.com/ifolder) on a machine in the data center.  iFolder
> is a free version of DropBox and includes the server code as well as
> Linux, Mac, and Windows clients.  Essentially, the end-user simply has
> a folder on his desktop with contents that stay in sync with the
> server.   If anything changes locally, the server automatically gets
> updated.  The beauty of iFolder (and similar paid/free apps) is the
> ability to have shared folders with other people and keep multiple
> machines in sync.  Plus, I don't have to pay for storage costs, and I
> keep all my data *private*.   After playing with it for a couple of
> days, I am satisfied with the reliability and stability of the app.
> Very cool!
> 
> I was able to get a VMWare appliance version (based upon OpenSUSE vers
> 11.1) installed and running in short order.  The server-side runs
> openSUSE v11.1 with apache v2.2.10 and communicates with the clients
> via SSL (port 443).  Being security conscious, I tried changing the
> SSL port to something completely random and also tried using NAT on my
> firewall (outside port XXXXX xlates to internal 443).  However, it
> appears this software is brain-dead and MUST run on port 443 without
> any NAT rules.  Hacking the apache.conf, listen.conf, and vhosts.conf
> files has been useless.  Using anything other than port 443 causes
> the clients to disconnect or not connect at all.
> 
> So my question is -- how vulnerable is apache and SSL when open to the
> internet?  Given 443 is a very common port, I can only imagine hackers
> routinely pound the snot out of these types of machines.  What can I
> do to lock this thing down to limit my exposure?  Since this is a VM,
> I have console access and have already disabled sshd.  What else can I
> do?  Are there tools I can run to check the security of the server
> from the outside?
> 
> Thanks for any pointers,
> 
> -Ron
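The fail2ban suggestion above amounts to counting failed logins per client address inside a time window and banning the address once the count crosses a threshold. The script below is an added example, not code from the thread or from fail2ban itself: it reproduces that logic in Python over a handful of constructed Apache "combined" access-log lines (the addresses, usernames and timestamps are made up), using fail2ban's own jail option names `maxretry` and `findtime` for the threshold and window. Note that the stock fail2ban apache-auth filter watches the error_log authentication-failure messages rather than 401 status codes in the access log; the counting and windowing are the same either way.

```python
"""Fail2ban-style brute-force detection over Apache access-log lines.

Added example for illustration; not part of the original thread and not
fail2ban's implementation.  The log lines are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined"/"common" log prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 guesses passwords against the vhost,
# 192.0.2.10 mistypes once and then authenticates successfully.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2010:05:40:01 -0400] "GET /ifolder/ HTTP/1.1" 401 381
10.0.0.5 - admin [29/Apr/2010:05:40:02 -0400] "GET /ifolder/ HTTP/1.1" 401 381
192.0.2.10 - ron [29/Apr/2010:05:40:03 -0400] "GET /ifolder/ HTTP/1.1" 401 381
10.0.0.5 - root [29/Apr/2010:05:40:04 -0400] "GET /ifolder/ HTTP/1.1" 401 381
192.0.2.10 - ron [29/Apr/2010:05:40:05 -0400] "GET /ifolder/ HTTP/1.1" 200 2048
10.0.0.5 - test [29/Apr/2010:05:40:06 -0400] "GET /ifolder/ HTTP/1.1" 401 381
10.0.0.5 - guest [29/Apr/2010:05:40:07 -0400] "GET /ifolder/ HTTP/1.1" 401 381
10.0.0.5 - admin [29/Apr/2010:05:45:00 -0400] "GET /ifolder/ HTTP/1.1" 401 381
"""


def parse_line(line):
    """Return {ip, ts, status} for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "status": int(m.group("status")),
    }


def find_bans(lines, maxretry=5, findtime=timedelta(seconds=120)):
    """Return {ip: time_of_ban} for every address that produced at least
    `maxretry` HTTP 401 responses within any `findtime` window.

    Like fail2ban, an address is banned at most once per run; later
    failures from an already-banned address are ignored (in practice the
    firewall rule would drop them before they reach Apache).
    """
    window = defaultdict(deque)   # ip -> timestamps of recent 401s
    bans = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        ip = rec["ip"]
        if ip in bans:
            continue
        q = window[ip]
        q.append(rec["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and rec["ts"] - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = rec["ts"]
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        # fail2ban's default action inserts a firewall rule at this point.
        print("ban %s at %s" % (ip, when.isoformat()))
```

With the defaults, 10.0.0.5 reaches five failures in six seconds and is banned at 05:40:07, while 192.0.2.10's single failure never trips the threshold. Raising `maxretry` to 6 shows the window at work: the late 05:45:00 attempt is more than `findtime` after the earlier burst, so those entries have aged out and no ban results.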

