
Professional Webmaster Business Issues Forum

    
Testing, testing testing
Testing assumptions is critical to security
richlowe




msg:792289
 3:22 pm on May 15, 2002 (gmt 0)

I've been busy lately. Every few months I like to spend a few days testing my web, email and DNS server security and performance. This has been very fruitful, and I usually learn a bit more about security, and sometimes find another hole.

I run both an Apache and an IIS web server so I can write articles comparing the two platforms. It's interesting finding the differences, especially in the area of security.

Anyway, I installed a new email web server and decided (wisely) to spend some time making sure it was not an open relay. I was going to just assume it was fine ... good thing I didn't.

I went to abuse.net and ran their open relay checker. To my surprise, the email server failed the check! Spent two days pulling my hair out trying to figure out why unchecking the "relay mail" box still allowed email to be relayed.

Turned out I had SMTP loaded on my IIS server, and because it was a "trusted" source, it could receive emails, then forward them to my new email server, which assumed that since it was trusted it must know what it was talking about. Thus, the interplay between two email servers introduced a very unsuspected vulnerability...

Just thought this would be of interest. I always like to test my assumptions, and I further reinforced that concept in the last two days. The last thing I need is to have an open relay...

Thanks, Richard Lowe
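
The interplay described in the post above can be checked as a chain rather than one server at a time. This is an added example, not part of the original thread; the server names, addresses and domains are constructed, and it assumes the IIS SMTP service accepted mail for outside domains from any client.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Mta:
    name: str
    ip: str
    local_domains: set
    relay_for_anyone: bool = False                    # the "relay mail" checkbox
    trusted_nets: list = field(default_factory=list)  # sources allowed to relay
    forwards_to: Optional["Mta"] = None               # next hop for non-local mail

    def accepts(self, client_ip: str, rcpt_domain: str) -> bool:
        if rcpt_domain in self.local_domains or self.relay_for_anyone:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(n) for n in self.trusted_nets)

def relay_path(entry: Mta, client_ip: str, rcpt_domain: str, max_hops: int = 8):
    """Hops that would carry mail for rcpt_domain back out, or None if refused."""
    path, hop, src = [], entry, client_ip
    while hop is not None and len(path) < max_hops:
        if not hop.accepts(src, rcpt_domain):
            return None
        if rcpt_domain in hop.local_domains:
            return None                       # local delivery is not relaying
        path.append(hop.name)
        src, hop = hop.ip, hop.forwards_to    # next hop sees this server as client
    return path if hop is None else None      # None if the chain never terminates

def audit(servers, outside_ip="203.0.113.7", foreign="elsewhere.example"):
    """For each entry point, the relay path open to an unrelated outside host."""
    return {s.name: relay_path(s, outside_ip, foreign) for s in servers}

def build(iis_relays_for_anyone: bool):
    # Constructed topology: the new mail server has relaying unchecked
    # but still trusts the IIS box's address.
    mail = Mta("mail", "192.0.2.10", {"example.org"},
               trusted_nets=["192.0.2.20/32"])
    iis = Mta("iis-smtp", "192.0.2.20", set(),
              relay_for_anyone=iis_relays_for_anyone, forwards_to=mail)
    return [mail, iis]

if __name__ == "__main__":
    for flag in (True, False):
        print("IIS relays for anyone:", flag, "->", audit(build(flag)))
```

Tested directly, the mail server refuses the outside host; the open path only appears when the audit starts at the trusted IIS hop.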

 

Filipe




msg:792290
 6:00 pm on May 15, 2002 (gmt 0)

Hmmm, I don't know a whole lot about advanced (?) security topics like that. Where can I find more tools and information on server security issues?

brotherhood of LAN




msg:792291
 6:34 pm on May 15, 2002 (gmt 0)

heh,

Security is paramount... it's something I want to learn much more about.

OT, I go into Yahoo chat, and the software that Yahoo uses + IE makes me a sitting duck. I'm sick of it! In light of these petty crimes against me, I'd love to see more about security on WMW, or related links :)

Rich...it sounds very interesting .....amazing to see how something along the lines of "a checked box" can mean life or death for a server.

richlowe




msg:792292
 5:17 pm on May 16, 2002 (gmt 0)

Yes, it's very important and all webmasters need to be actively looking at their security for all that they control. Why? Not just from dangers of hacking and such, but robots and automated programs can do things unintentionally.

I remember one kid started a website downloader on a swimsuit site, and the downloader somehow got into a poorly protected admin area, and wound up deleting the entire customer database. The swimsuit company tried to sue him, but the judge decided it was not the kid's fault. They, after all, left open an admin page...

Richard Lowe
