protecting against cracking into filesystem

I am trying to secure sites I am developing, and I am especially
concerned about intruders gaining command-line access to my sites by
penetrating my PHP code. I have no idea how someone would do that.

My sites are in a shared hosting environment, and I know that is an
intrinsically insecure situation. I guess I will just have to live
with it. However, what methods would someone visiting my site use to
get to the command line, without having an account on the same server?
How can I guard against such intrusions?

Re: protecting against cracking into filesystem

On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
> I am trying to secure sites I am developing, and I am especially
> concerned about intruders gaining command-line access to my sites by
> penetrating my PHP code. I have no idea how someone would do that.
>
> My sites are in a shared hosting environment, and I know that is an
> intrinsically insecure situation. I guess I will just have to live
> with it. However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

This all depends on your site (what it does) and how you've programmed
it. One can simply use method's like code injection to gain access but
again this depends on your site and it's practices.

Re: protecting against cracking into filesystem

On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
>... However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

There are many on-line guides to PHP security, I would recommend every
PHP guy to check them out, and keep up to date on PHP news regularly.
Mainly what you wnt to guard against is someone doing making your site
do things it wasn't intended to do. None of them are overly hard to
implement mainly a case of doing good coding practices.

One of the more popular are the "Top 7 PHP Security Blunders"
http://www.sitepoint.com/article/php-security-blunders

and the Zend PHP Security Tips are good too:
http://devzone.zend.com/tag/Security_Tips

The main points of vulnerability are:

- GET, POST, COOKIE data, (anything that could potentially come from
the user) make sure it is clean, not only from bad code that could
compromise PHP/HTML or bad URLS that will redirect output, but also
from code that might comprimise your SQL databases (if you use any).

- The next one is how pages interact with each other - sure everything
works fine when Page A calls or includes Page B but what happens if
outside Badguy Page X tries to call Page B?

- Authentication - make sure you know who you are dealing with and
don't let them have the opportunity to do more then what you want them
to.

- Other websites on shared servers pose other risks in that they may
have an advantage of being on the same webhost and able to mess with
things on the inside (Session data).

Re: protecting against cracking into filesystem

On Sat, 12 Jan 2008 22:02:24 +0100, wrote:

> On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
>> ... However, what methods would someone visiting my site use to
>> get to the command line, without having an account on the same server?
>> How can I guard against such intrusions?
>
> There are many on-line guides to PHP security, I would recommend every
> PHP guy to check them out, and keep up to date on PHP news regularly.
> Mainly what you wnt to guard against is someone doing making your site
> do things it wasn't intended to do. None of them are overly hard to
> implement mainly a case of doing good coding practices.
>
> One of the more popular are the "Top 7 PHP Security Blunders"
> http://www.sitepoint.com/article/php-security-blunders
>
> and the Zend PHP Security Tips are good too:
> http://devzone.zend.com/tag/Security_Tips
>
> The main points of vulnerability are:
>
> - GET, POST, COOKIE data, (anything that could potentially come from
> the user) make sure it is clean, not only from bad code that could
> compromise PHP/HTML or bad URLS that will redirect output, but also
> from code that might comprimise your SQL databases (if you use any).

Add a lot of the items of $_SERVER data to the list, and don't forget the
session id is derived from one of the request variables...
--
Rik Wasmus

Re: protecting against cracking into filesystem

On 12 Jan, 18:15, firewood...@yahoo.com wrote:
> I am trying to secure sites I am developing, and I am especially
> concerned about intruders gaining command-line access to my sites by
> penetrating my PHP code. I have no idea how someone would do that.
>
> My sites are in a shared hosting environment, and I know that is an
> intrinsically insecure situation. I guess I will just have to live
> with it. However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

These might be helpful as an introduction to PHP security:

http://www.owasp.org/index.php/PHP_Top_5
http://shiflett.org/
http://www.hardened-php.net/

But as you observed, with a hosted server, indeed a *shared* hosted
server, you don't have any real security.

C.

Re: protecting against cracking into filesystem

On Jan 12, 6:15 pm, firewood...@yahoo.com wrote:
> I am trying to secure sites I am developing, and I am especially
> concerned about intruders gaining command-line access to my sites by
> penetrating my PHP code. I have no idea how someone would do that.
>
> My sites are in a shared hosting environment, and I know that is an
> intrinsically insecure situation. I guess I will just have to live
> with it. However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?

The short of it, follow the Fox Mulder approach when it comes to
handling user input and trust no one

The long of it, there are plenty of ways a PHP script could be
breached but what may happen depends on the script itself and what
it's doing. Here are a few tips that can be applied in general:

Never trust user input. Always check that form variables are in the
correct format and are valid for what you'er attempting to do with
them. One tip to do this quickly for integer values is to simply
apply intval() to them. Any invalid input will evaluate to 0

Never pass an unsanitized string to a database query. The vast
majority of cracks in PHP apps occur this way. A malicious user could
potentially use a script that doesn't check its input before passing
it to a database to do almost anything - Insert malicious data, expose
sensitive information, delete tables, anything. PDO prepared
statements are one way to limit the possibility of damage, but don't
depend on them as your only line of defence. Validate your data
first.

Give permission to your script to do what it has to to work and
nothing else. If your script writes to the filesystem allow it to
write only to locations you condone by chmodding directories.
Directories with a chmod value of 0777 are wide open. Create database
users for your application to use that have access only to what they
need.

Keep as much of your application out of web-facing locations as
possible. Of course the scripts that generate web page output must be
visible from teh web but there's no reason includes have to be.

don't use filesystem commands (rmdir, unlink, fopen etc) in your
scripts unless you absolutely have to. Unvalidated input passed to
commands that access or modify the filesystem can have dire
consequences. You risk exposing sensitive files like /etc/passwd or
damage to the filesystem that will prevent the machine from
rebooting.

Under no circumstances should you use eval (), exec () or any
derivative thereof! ABSOLUTELY DON'T USE THEM WITH USER INPUT! Eval
and Exec are probably the most dangerous commands in the PHP command
set. I've managed in years of coding to never use either, if you think
you do need them then think very carefully about your design as it
might be a code smell that there's something fundamentally wrong with
what you're trying to do.

Re: protecting against cracking into filesystem

C. (http://symcbean.blogspot.com/) wrote:
> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>> I am trying to secure sites I am developing, and I am especially
>> concerned about intruders gaining command-line access to my sites by
>> penetrating my PHP code. I have no idea how someone would do that.
>>
>> My sites are in a shared hosting environment, and I know that is an
>> intrinsically insecure situation. I guess I will just have to live
>> with it. However, what methods would someone visiting my site use to
>> get to the command line, without having an account on the same server?
>> How can I guard against such intrusions?
>
> These might be helpful as an introduction to PHP security:
>
> http://www.owasp.org/index.php/PHP_Top_5
> http://shiflett.org/
> http://www.hardened-php.net/
>
> But as you observed, with a hosted server, indeed a *shared* hosted
> server, you don't have any real security.
>

At a slight tangent..I looked into hosting, and for the few sites I have
developed - low bandwidth,small scale businesses - frankly it was far
more cost effective to host them on a properly set up and maintained
machine at the end of my broadband line, using a fixed IP address.

If any or all of them get to be supremely profitable.high bandwidth,
then I will stick my own machine in a hosting center.

The 'in between' of actually hosting on a shared machine, seems to me to
get less and less attractive.

Its better for backups I guess..


> C.

Re: protecting against cracking into filesystem

The Natural Philosopher wrote:
> C. (http://symcbean.blogspot.com/) wrote:
>> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>>> I am trying to secure sites I am developing, and I am especially
>>> concerned about intruders gaining command-line access to my sites by
>>> penetrating my PHP code. I have no idea how someone would do that.
>>>
>>> My sites are in a shared hosting environment, and I know that is an
>>> intrinsically insecure situation. I guess I will just have to live
>>> with it. However, what methods would someone visiting my site use to
>>> get to the command line, without having an account on the same server?
>>> How can I guard against such intrusions?
>>
>> These might be helpful as an introduction to PHP security:
>>
>> http://www.owasp.org/index.php/PHP_Top_5
>> http://shiflett.org/
>> http://www.hardened-php.net/
>>
>> But as you observed, with a hosted server, indeed a *shared* hosted
>> server, you don't have any real security.
>>
>
> At a slight tangent..I looked into hosting, and for the few sites I have
> developed - low bandwidth,small scale businesses - frankly it was far
> more cost effective to host them on a properly set up and maintained
> machine at the end of my broadband line, using a fixed IP address.
>
> If any or all of them get to be supremely profitable.high bandwidth,
> then I will stick my own machine in a hosting center.
>
> The 'in between' of actually hosting on a shared machine, seems to me to
> get less and less attractive.
>
> Its better for backups I guess..
>
>
>> C.
>

What happens when you have a power outage? Or when your broadband line
goes down? And what if you're on vacation for two weeks when the system
crashes and needs rebooting?

Hosting centers have backup power and communications, people on site
24/7 for emergency work, etc. Hosting hobby sites in your home may be
fine. But I'd never put a business site there.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: protecting against cracking into filesystem

The Natural Philosopher wrote:
> C. (http://symcbean.blogspot.com/) wrote:
> At a slight tangent..I looked into hosting, and for the few sites I
> have developed - low bandwidth,small scale businesses - frankly it
> was far more cost effective to host them on a properly set up and
> maintained machine at the end of my broadband line, using a fixed IP
> address.
You must have a good upload speed them. Most BB in my country is ADSL.

Re: protecting against cracking into filesystem

Jerry Stuckle wrote:

> The Natural Philosopher wrote:
>> C. (http://symcbean.blogspot.com/) wrote:
>>> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>>>> I am trying to secure sites I am developing, and I am especially
>>>> concerned about intruders gaining command-line access to my sites by
>>>> penetrating my PHP code. I have no idea how someone would do that.
>>>>
>>>> My sites are in a shared hosting environment, and I know that is an
>>>> intrinsically insecure situation. I guess I will just have to live
>>>> with it. However, what methods would someone visiting my site use to
>>>> get to the command line, without having an account on the same server?
>>>> How can I guard against such intrusions?
>>>
>>> These might be helpful as an introduction to PHP security:
>>>
>>> http://www.owasp.org/index.php/PHP_Top_5
>>> http://shiflett.org/
>>> http://www.hardened-php.net/
>>>
>>> But as you observed, with a hosted server, indeed a *shared* hosted
>>> server, you don't have any real security.
>>>
>>
>> At a slight tangent..I looked into hosting, and for the few sites I have
>> developed - low bandwidth,small scale businesses - frankly it was far
>> more cost effective to host them on a properly set up and maintained
>> machine at the end of my broadband line, using a fixed IP address.
>>
>> If any or all of them get to be supremely profitable.high bandwidth,
>> then I will stick my own machine in a hosting center.
>>
>> The 'in between' of actually hosting on a shared machine, seems to me to
>> get less and less attractive.
>>
>> Its better for backups I guess..
>>
>>
>>> C.
>>
>
> What happens when you have a power outage?

Hoy... The UPS kicks in?
My UPS will last for 48+ hours, A triplite with 12 automotive batteries in
parallel.

> Or when your broadband line
> goes down?

It switches to a DSL backup line?

> And what if you're on vacation for two weeks when the system
> crashes and needs rebooting?

What crashes?

I use my own scratch built Linux servers and they have not crashed in 4+
years.

>
> Hosting centers have backup power and communications, people on site
> 24/7 for emergency work, etc.

Some ISPs in the USA ie: time warner have business class and provide this.

> Hosting hobby sites in your home may be
> fine. But I'd never put a business site there.
>

I would if it is cost effective.

--
Dancin in the ruins tonight
Tayo'y Mga Pinoy

Re: protecting against cracking into filesystem

Baho Utot wrote:
> Jerry Stuckle wrote:
>
>> The Natural Philosopher wrote:
>>> C. (http://symcbean.blogspot.com/) wrote:
>>>> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>>>>> I am trying to secure sites I am developing, and I am especially
>>>>> concerned about intruders gaining command-line access to my sites by
>>>>> penetrating my PHP code. I have no idea how someone would do that.
>>>>>
>>>>> My sites are in a shared hosting environment, and I know that is an
>>>>> intrinsically insecure situation. I guess I will just have to live
>>>>> with it. However, what methods would someone visiting my site use to
>>>>> get to the command line, without having an account on the same server?
>>>>> How can I guard against such intrusions?
>>>> These might be helpful as an introduction to PHP security:
>>>>
>>>> http://www.owasp.org/index.php/PHP_Top_5
>>>> http://shiflett.org/
>>>> http://www.hardened-php.net/
>>>>
>>>> But as you observed, with a hosted server, indeed a *shared* hosted
>>>> server, you don't have any real security.
>>>>
>>> At a slight tangent..I looked into hosting, and for the few sites I have
>>> developed - low bandwidth,small scale businesses - frankly it was far
>>> more cost effective to host them on a properly set up and maintained
>>> machine at the end of my broadband line, using a fixed IP address.
>>>
>>> If any or all of them get to be supremely profitable.high bandwidth,
>>> then I will stick my own machine in a hosting center.
>>>
>>> The 'in between' of actually hosting on a shared machine, seems to me to
>>> get less and less attractive.
>>>
>>> Its better for backups I guess..
>>>
>>>
>>>> C.
>> What happens when you have a power outage?
>
> Hoy... The UPS kicks in?
> My UPS will last for 48+ hours, A triplite with 12 automotive batteries in
> parallel.
>
>> Or when your broadband line
>> goes down?
>
> It switches to a DSL backup line?
>
>> And what if you're on vacation for two weeks when the system
>> crashes and needs rebooting?
>
> What crashes?
>
> I use my own scratch built Linux servers and they have not crashed in 4+
> years.
>
>> Hosting centers have backup power and communications, people on site
>> 24/7 for emergency work, etc.
>
> Some ISPs in the USA ie: time warner have business class and provide this.
>
>> Hosting hobby sites in your home may be
>> fine. But I'd never put a business site there.
>>
>
> I would if it is cost effective.
>

The last major power outage her was over 5 days.

And even if your UPS handles the power - what about your communications
link?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: protecting against cracking into filesystem

Jerry Stuckle wrote:

[putolin]

> The last major power outage her was over 5 days.

Well even in Philippines we don't get that kind of outage....well unless a
typhoon comes thru. But I was really talking about my "personal data
center" in the USA.

>
> And even if your UPS handles the power - what about your communications
> link?
>

It is on the UPS as all the networking stuff. I the past 3 years my
USA "personal data center" has been down at least 0 hours and the uptime
has been 100%. :)
So much for 5 nines. :)

--
Dancin in the ruins tonight
Tayo'y Mga Pinoy

Re: protecting against cracking into filesystem

Baho Utot wrote:
> Jerry Stuckle wrote:
>
> [putolin]
>
>> The last major power outage her was over 5 days.
>
> Well even in Philippines we don't get that kind of outage....well unless a
> typhoon comes thru. But I was really talking about my "personal data
> center" in the USA.
>

It happened all over the D.C. area here when Hurricane Isabelle came
through a few years ago. We were lucky. Some were out for seven days.

>> And even if your UPS handles the power - what about your communications
>> link?
>>
>
> It is on the UPS as all the networking stuff. I the past 3 years my
> USA "personal data center" has been down at least 0 hours and the uptime
> has been 100%. :)
> So much for 5 nines. :)
>

And you control the ONE communications line, also? I doubt it. Even
here, we get cable outages of 2-3 hours at least a couple of times a year.

Sounds like you've been lucky to not have any outages in five years. It
is not the norm. Communications outages happen all of the time. That's
why major data centers have redundant links through different providers.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: protecting against cracking into filesystem

Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> C. (http://symcbean.blogspot.com/) wrote:
>>> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>>>> I am trying to secure sites I am developing, and I am especially
>>>> concerned about intruders gaining command-line access to my sites by
>>>> penetrating my PHP code. I have no idea how someone would do that.
>>>>
>>>> My sites are in a shared hosting environment, and I know that is an
>>>> intrinsically insecure situation. I guess I will just have to live
>>>> with it. However, what methods would someone visiting my site use to
>>>> get to the command line, without having an account on the same server?
>>>> How can I guard against such intrusions?
>>>
>>> These might be helpful as an introduction to PHP security:
>>>
>>> http://www.owasp.org/index.php/PHP_Top_5
>>> http://shiflett.org/
>>> http://www.hardened-php.net/
>>>
>>> But as you observed, with a hosted server, indeed a *shared* hosted
>>> server, you don't have any real security.
>>>
>>
>> At a slight tangent..I looked into hosting, and for the few sites I
>> have developed - low bandwidth,small scale businesses - frankly it was
>> far more cost effective to host them on a properly set up and
>> maintained machine at the end of my broadband line, using a fixed IP
>> address.
>>
>> If any or all of them get to be supremely profitable.high bandwidth,
>> then I will stick my own machine in a hosting center.
>>
>> The 'in between' of actually hosting on a shared machine, seems to me
>> to get less and less attractive.
>>
>> Its better for backups I guess..
>>
>>
>>> C.
>>
>
> What happens when you have a power outage?

Sites down for an hour or two.

Or when your broadband line
> goes down?

Never has. Not for more than an hour.


And what if you're on vacation for two weeks when the system
> crashes and needs rebooting?
>

I have a technical friend to house sit. Its a nice house.

> Hosting centers have backup power and communications, people on site
> 24/7 for emergency work, etc. Hosting hobby sites in your home may be
> fine. But I'd never put a business site there.
>

Well I am on site 24x7 for emmergency work.

I've seen whole ISP's go down for as long as I have been of line.


Risk analysis show I am not that much worse off. If at all.

Re: protecting against cracking into filesystem

Paul Lautman wrote:
> The Natural Philosopher wrote:
>> C. (http://symcbean.blogspot.com/) wrote:
>> At a slight tangent..I looked into hosting, and for the few sites I
>> have developed - low bandwidth,small scale businesses - frankly it
>> was far more cost effective to host them on a properly set up and
>> maintained machine at the end of my broadband line, using a fixed IP
>> address.
> You must have a good upload speed them. Most BB in my country is ADSL.
>
>
>
400Kbps.
Its enough.

I remember hosting a huge machine on only 265Kbps once...

If the traffic ever exceeds that, time to move the sites..

Re: protecting against cracking into filesystem

Jerry Stuckle wrote:
> Baho Utot wrote:
>> Jerry Stuckle wrote:
>>
>>> The Natural Philosopher wrote:
>>>> C. (http://symcbean.blogspot.com/) wrote:
>>>>> On 12 Jan, 18:15, firewood...@yahoo.com wrote:
>>>>>> I am trying to secure sites I am developing, and I am especially
>>>>>> concerned about intruders gaining command-line access to my sites by
>>>>>> penetrating my PHP code. I have no idea how someone would do that.
>>>>>>
>>>>>> My sites are in a shared hosting environment, and I know that is an
>>>>>> intrinsically insecure situation. I guess I will just have to live
>>>>>> with it. However, what methods would someone visiting my site use to
>>>>>> get to the command line, without having an account on the same
>>>>>> server?
>>>>>> How can I guard against such intrusions?
>>>>> These might be helpful as an introduction to PHP security:
>>>>>
>>>>> http://www.owasp.org/index.php/PHP_Top_5
>>>>> http://shiflett.org/
>>>>> http://www.hardened-php.net/
>>>>>
>>>>> But as you observed, with a hosted server, indeed a *shared* hosted
>>>>> server, you don't have any real security.
>>>>>
>>>> At a slight tangent..I looked into hosting, and for the few sites I
>>>> have
>>>> developed - low bandwidth,small scale businesses - frankly it was far
>>>> more cost effective to host them on a properly set up and maintained
>>>> machine at the end of my broadband line, using a fixed IP address.
>>>>
>>>> If any or all of them get to be supremely profitable.high bandwidth,
>>>> then I will stick my own machine in a hosting center.
>>>>
>>>> The 'in between' of actually hosting on a shared machine, seems to
>>>> me to
>>>> get less and less attractive.
>>>>
>>>> Its better for backups I guess..
>>>>
>>>>
>>>>> C.
>>> What happens when you have a power outage?
>>
>> Hoy... The UPS kicks in?
>> My UPS will last for 48+ hours, A triplite with 12 automotive
>> batteries in
>> parallel.
>>
>>> Or when your broadband line goes down?
>>
>> It switches to a DSL backup line?
>>
>>> And what if you're on vacation for two weeks when the system crashes
>>> and needs rebooting?
>>
>> What crashes?
>> I use my own scratch built Linux servers and they have not crashed in 4+
>> years.
>>
>>> Hosting centers have backup power and communications, people on site
>>> 24/7 for emergency work, etc.
>>
>> Some ISPs in the USA ie: time warner have business class and provide
>> this.
>>
>>> Hosting hobby sites in your home may be fine. But I'd never put a
>>> business site there.
>>>
>>
>> I would if it is cost effective.
>>
>
> The last major power outage her was over 5 days.
>

never more than 3.

> And even if your UPS handles the power - what about your communications
> link?
>

powered indepenmdently of te mains poqwer.

Re: protecting against cracking into filesystem

Baho Utot wrote:
> Jerry Stuckle wrote:
>
> [putolin]
>
>> The last major power outage her was over 5 days.
>
> Well even in Philippines we don't get that kind of outage....well unless a
> typhoon comes thru. But I was really talking about my "personal data
> center" in the USA.
>
>> And even if your UPS handles the power - what about your communications
>> link?
>>
>
> It is on the UPS as all the networking stuff. I the past 3 years my
> USA "personal data center" has been down at least 0 hours and the uptime
> has been 100%. :)
> So much for 5 nines. :)
>
Ye, in the end you have to balance the factors. What I like is being
able to directly edit the pages via SAMBA mounts, behind My
firewall..run any scripts I want, and have the hardware under my
control. I can simply cp Mysql databases between sites if I want..

I exchange flexibility, almost zero opportunity cost, probably better
security, and ease of maintenance for a slightly greater chance of
being offline longer, and obviously much lower bandwidth.

These are not high volume sites..they are small businesses with very
little traffic and very little in the way of large data objects. If they
WANT videos or suchlike, put in a link to a hosted server..

I am not recommending it as a one size fir all approach. Its just worthy
of consideration for small sites under a lot of development.

Re: protecting against cracking into filesystem

Jerry Stuckle wrote:
> Baho Utot wrote:
>> Jerry Stuckle wrote:
>>
>> [putolin]
>>
>>> The last major power outage her was over 5 days.
>>
>> Well even in Philippines we don't get that kind of outage....well
>> unless a
>> typhoon comes thru. But I was really talking about my "personal data
>> center" in the USA.
>>
>
> It happened all over the D.C. area here when Hurricane Isabelle came
> through a few years ago. We were lucky. Some were out for seven days.
>

We had a load of lines down for three days, but then so did half the
country, and a surprising number of websites went out as well. But we
find that people thinking about e.g. interior design, tend to do it much
less, when they are cooking on camping stoves by candle light.



>>> And even if your UPS handles the power - what about your communications
>>> link?
>>>
>>
>> It is on the UPS as all the networking stuff. I the past 3 years my
>> USA "personal data center" has been down at least 0 hours and the uptime
>> has been 100%. :)
>> So much for 5 nines. :)
>>
>
> And you control the ONE communications line, also? I doubt it. Even
> here, we get cable outages of 2-3 hours at least a couple of times a year.

Its not MY fault you live in a third world country with dodgy
infrastructure. Since I have been on broadband, I have had one time a
lorry snapped the phone cable, one time for about 1/2 day when the ATM
backhaul went into overload due to kit failure, and one time when the
radius servers were flaky for a day.

Most of the commercial sites I frequent, have more frequent and longer
outages than that.

My WORST outage was down to a brownout situation that tripped the
circuits here while I was out. The server was down overnight. I forgot
to reboot it when we got power back on. No one complained.


>
> Sounds like you've been lucky to not have any outages in five years. It
> is not the norm. Communications outages happen all of the time. That's
> why major data centers have redundant links through different providers.
>

I think its more that you have been, if not unlucky, unfortunate to live
somewhere where the local infrastructure is basically third world.

Re: protecting against cracking into filesystem

The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Baho Utot wrote:
>>> Jerry Stuckle wrote:
>>>
>>> [putolin]
>>>
>>>> The last major power outage her was over 5 days.
>>>
>>> Well even in Philippines we don't get that kind of outage....well
>>> unless a
>>> typhoon comes thru. But I was really talking about my "personal data
>>> center" in the USA.
>>>
>>
>> It happened all over the D.C. area here when Hurricane Isabelle came
>> through a few years ago. We were lucky. Some were out for seven days.
>>
>
> We had a load of lines down for three days, but then so did half the
> country, and a surprising number of websites went out as well. But we
> find that people thinking about e.g. interior design, tend to do it much
> less, when they are cooking on camping stoves by candle light.
>
>

Interestingly enough, we have a lot of websites in the area - a couple
of major data centers in the Reston, Va. area, for instance. And none
of them went down. Sure, they lost power. And at least one lost part
of their communications link. But none of their sites were down.

>
>>>> And even if your UPS handles the power - what about your communications
>>>> link?
>>>>
>>>
>>> It is on the UPS as all the networking stuff. I the past 3 years my
>>> USA "personal data center" has been down at least 0 hours and the uptime
>>> has been 100%. :)
>>> So much for 5 nines. :)
>>>
>>
>> And you control the ONE communications line, also? I doubt it. Even
>> here, we get cable outages of 2-3 hours at least a couple of times a
>> year.
>
> Its not MY fault you live in a third world country with dodgy
> infrastructure. Since I have been on broadband, I have had one time a
> lorry snapped the phone cable, one time for about 1/2 day when the ATM
> backhaul went into overload due to kit failure, and one time when the
> radius servers were flaky for a day.
>

Bullshit. Single lines go down all the time. Work needs to be done on
the cable, for instance. Or an amplifier goes out. Or a car hits a pole..

> Most of the commercial sites I frequent, have more frequent and longer
> outages than that.
>

It's not MY fault the sites you visit are in a third world country with
dodgy infrastructure. My customers' sites are hosted by reliable
companies in datacenters with reliable backup.

> My WORST outage was down to a brownout situation that tripped the
> circuits here while I was out. The server was down overnight. I forgot
> to reboot it when we got power back on. No one complained.
>
>

Sorry to hear no one noticed. I just took down a server Friday to
update some software. It took less than 5 minutes, but before I
finished, they were on the phone asking why the system was down.

>>
>> Sounds like you've been lucky to not have any outages in five years.
>> It is not the norm. Communications outages happen all of the time.
>> That's why major data centers have redundant links through different
>> providers.
>>
>
> I think its more that you have been, if not unlucky, unfortunate to live
> somewhere where the local infrastructure is basically third world.
>
>
>

I have never lived anywhere that you don't get occasional outages.
Nothing is 100% reliable. Too bad you don't notice.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: protecting against cracking into filesystem

The Natural Philosopher wrote:

> Jerry Stuckle wrote:
>> Baho Utot wrote:
>>> Jerry Stuckle wrote:
>>>

[putolin]

> My WORST outage was down to a brownout situation that tripped the
> circuits here while I was out. The server was down overnight. I forgot
> to reboot it when we got power back on. No one complained.
>
>
>>
>> Sounds like you've been lucky to not have any outages in five years. It
>> is not the norm. Communications outages happen all of the time. That's
>> why major data centers have redundant links through different providers.
>>
>
> I think its more that you have been, if not unlucky, unfortunate to live
> somewhere where the local infrastructure is basically third world.

I do live in a third world country (Philippines) and I don't have that many
outages, only when a typhoon comes thru and that is understandable :)

--
Dancin in the ruins tonight
Tayo'y Mga Pinoy

Re: protecting against cracking into filesystem

The Natural Philosopher wrote:

[putolin]

>>> I would if it is cost effective.
>>>
>>
>> The last major power outage her was over 5 days.
>>
>
> never more than 3.
>
>> And even if your UPS handles the power - what about your communications
>> link?
>>
>
> powered indepenmdently of te mains poqwer.

If the power outage is longer than my UPS will provide I just get on my
bicycle-generator and pedal away till the power is restored.

I am kept in good shape that way and have lost several pounds that way :)

Could the folks at Rackspace do the same?

--
Dancin in the ruins tonight
Tayo'y Mga Pinoy

Re: protecting against cracking into filesystem

The responses to my original message have been mostly out of standard
textbook advice (I have 5 of them). Thanks for trying, but it still
leaves my original question unanswered. Here is the situation:

I have a set of scripts that include several forms in which users
submit information that eventually winds up on a website. One of
those forms includes a WYSIWYG textarea editor, tinyMCE. However,
there are plenty of input (single line) elements that present similar,
if smaller, opportunities to inject malicious code. Add to that the
problem of tampered GET and POST data and you have the usual CMS-like
environment in which so many bad guys get their jollies.

I know all the rules about filtering input and escaping output, but I
want to focus especially on blocking attacks that could wind up giving
an intruder control of my site's command line or otherwise executing
malicious code in my filesystem's environment. Is it possible to
actually penetrate PHP code and wind up with a blinking cursor on a
command line, logged in as the user/owner of the site? If so, do you
do that through SQL injection?, command injection via a system
command?, XSS? ...

The WYSIWYG editor presents a special problem, because filtering data
from it is so complicated, but if it does not actually give access to
the command line, I think I can figure out a way to live with
unfiltered input by other means. I just can't live with giving
someone the opportunity to rummage around in my filesystem.

Any comments?