rookie wants makeshift home website

Page 2 (AnandTech Forums)

Felecha (Golden Member, joined Sep 24, 2000, 1,434 posts)
oh yes, I've been all over google for the last hour. Lots of people there with problems I don't understand the terms for. What is SPI -- I don't see it anywhere in my Setup GUI. And the one you mentioned is a BEFW11S4, mine is BEFSR41. Must have different things to set?

Felecha (Golden Member, joined Sep 24, 2000, 1,434 posts)
well, something worked

I upgraded the firmware (something I saw on a lot of people's problems on forums, and something I was nervous to do. I've been sorry a couple of times for doing upgrades ...)

Anyway, a different user interface for the Setup, and the nice Help that was on every page is gone, replaced by a single pdf user's guide that is not very good, so I groaned.

But I filled in all the boxes, and when I tried 80 as the forward port, all I could get was the login to the Linksys, which was something of a step backward, but ... drum roll ... when I went back to idea #1, forwarding port 8123 external to 192.168.1.10 port 8123 (which is now possible with the new Setup), bingo!

I'm reporting from next door, where I can now access my app from the web


All -- thanks for the tips. Together, we did it.

F

ClearToLand (Member, joined Jul 9, 2001, 90 posts)
Originally posted by: Felecha:

oh yes, I've been all over google for the last hour.
Google is your friend! ;)
Originally posted by: Felecha:

well, something worked
CONGRATULATIONS!!! :D:D:D

Originally posted by: Felecha:

But I filled in all the boxes, and when I tried 80 as the forward port, all I could get was the login to the Linksys, which was something of a step backward, but ... drum roll ... when I went back to idea #1, forwarding port 8123 external to 192.168.1.10 port 8123 (which is now possible with the new Setup), bingo!

I'm reporting from next door, where I can now access my app from the web
Using 8123 internally is just 5 extra characters you always have to type. 8123 externally helps to keep the "script kiddies" away.


Buddha Bart (Diamond Member, joined Oct 11, 1999, 3,064 posts)
Congrats, now when you code your links just do them in the form:

<a href="http://24.X.Y.Z:8123/webapps/blah">my app</a>


Felecha (Golden Member, joined Sep 24, 2000, 1,434 posts)
yup

Now that I know what works for that, though, I've pulled the page off since I feel like I don't know squat about security. Couldn't any port scanner eventually find that 8123 or whatever number I use (0 to 65535, right?) was an entry to my server? As a complete amateur, I think to myself - well, that gets my app's home page and it's all jsp's and servlets from there, so what is anyone going to do? But it must be a big question, since there's so much bad stuff going on everywhere.

Anyone got a link to a good beginner's tutorial on how to secure a home webserver? The link above has some on it, but points off to other sites. He mentioned a firewall. I understood the router to be a firewall, but there are software firewalls, too? I should have something on the server?

Buddha Bart (Diamond Member, joined Oct 11, 1999, 3,064 posts)
here's the deal, you basically are firewalled.

Because your router is only forwarding that one port to your server machine, that's pretty much the only service you have to worry about. In this case what you would want to do is sign up for the tomcat mailing list, and make sure to skim over it every few days looking for security-related problems.
http://jakarta.apache.org/site/mail.html

Overall for your purposes the 'weakest link' would be your actual web application. If you don't know how to write secure applications you could expose something that someone could exploit. For instance, a lot of times I see people who don't understand sessions passing variables as hidden inputs. If they're not smart enough to validate those properly, I could easily fake them to different values and cause trouble.

Security is not something you can just set out to learn as a topic. You need to know tcp/ip, routing, ethernet, etc. to deal with network security. You need to know unix permissions, process management, and daemons to deal with unix security. You need to know input validation, buffer overflows, proper modularization, etc. to deal with application security.

The funny thing is, 90% of the time the "security tips" are either obvious, or way over-generalizations once you really know what they're dealing with. What I'm trying to say is, learn the systems to truly understand them, and the security knowledge will follow effortlessly.

That said, I consider this site: http://www.learntcpip.com/ to be one of the greatest 'get up to speed fast' on networking there is. The videos take a while to sit through, and often feel slow and repetitious, but the stuff they cover is extremely fundamental.

Once you understand tcp/ip and routing, then learning firewalling is very easy. Here's a site for learning linux's firewalling system: http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

A great introduction to unix 'basics' is the third chapter of the FreeBSD Handbook. It applies almost exactly to nearly every unix derived OS: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/basics.html

Redhat provides a nice security guide for setting up their distro and services on it: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ (that's 9, it's available for every other version too)

Debian has one too, though you have to be a little careful of the way-overboard security people: http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

So... that should be a start :)
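The hidden-input mistake Bart describes, written up as an added servlet example (this is not code from the thread; the grade-book scenario, the `GradeBook.save` DAO and the field names are assumptions, and the two classes would each live in their own source file). It targets the Servlet 2.3 API that Tomcat 4.1 ships with.

```java
// Added example, not from the thread. Assumes the Servlet 2.3 API
// (javax.servlet.*) that Tomcat 4.1 ships with. GradeBook is a hypothetical
// data-access class; the two servlets below belong in separate .java files.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// VULNERABLE pattern: the logged-in student's id was written into the form
// as <input type="hidden" name="studentId" ...>, and the servlet trusts
// whatever comes back. The browser (or a hand-built POST) can send any id.
public class GradeServletUnsafe extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String studentId = req.getParameter("studentId"); // client-controlled
        String grade = req.getParameter("grade");         // client-controlled
        GradeBook.save(studentId, grade);                 // hypothetical DAO
    }
}

// HARDENED version: the identity is kept in the server-side HttpSession
// (set once at login) and never round-trips through the page, and the one
// field the user may edit is checked against an explicit pattern before use.
public class GradeServletSafe extends HttpServlet {
    private static final Pattern GRADE = Pattern.compile("^[A-F][+-]?$");

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);      // don't create one
        Object id = (session == null) ? null : session.getAttribute("studentId");
        if (id == null) {                                 // not logged in
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String grade = req.getParameter("grade");
        if (grade == null || !GRADE.matcher(grade).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid grade");
            return;
        }
        GradeBook.save((String) id, grade);               // hypothetical DAO
    }
}
```

The rule the second servlet applies is the one Felecha asks about a little further down: anything that left the server and came back through the browser is untrusted input, so either keep it server-side or re-validate it before a servlet acts on it.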

Felecha (Golden Member, joined Sep 24, 2000, 1,434 posts)
All that stuff is stuff I am eager to learn more about, I'm in this stuff hoping to find a career. I'm adding every one of the links to my hotlist. But I wonder when I'll find the time to go deeply enough into it. Is it dangerous enough that I should not do anything with it until I'm that well informed? I hate to sound like "Hey, that's way too much at one time, can't you just tell me in a couple of sentences?" I sometimes have people ask me questions about something I do know a lot about, and I know when my answer needs to have some substance and detail, and I know what it's like when the asker says, I can't handle all that explanation, just tell me WHAT TO DO.

Session variables -- that's something I wouldn't think of. You mean you could doctor up the html and send it back different than what was sent out, and since the form is calling a servlet back on the server, you could pass in dangerous stuff? So I need to code to check that what comes in matches with what should come in before I let the servlet use it?

I appreciate your input a great deal.

I work as an intern for a software company, I'm in school working on my degree, got a wife and kids, yadda yadda. I huff and puff 7 days a week, and long days ... sigh ...

The webapp I did was an extension of my Final Project at school last term, in a Webserver Database Applications course. When I started this thread by saying I'm learning on my own, the reality is that this project has gone way beyond the toy things we were taught. I asked for permission to do this one because the course was in C#, ASP.net, MS SQLServer, and my company (Sybase) does all java. I built it with Sybase's ASA database, bought the books for j2ee, html (none of the gorgeous MS RAD tools to use where I was going), javascript, tomcat. All stuff I didn't know before I started. I can say that 98% of what I know about webapps is what I've dug out on my own. It has become a genuinely useful business application at my wife's school and you can tell I'm proud of it.

But my own school year has started again, and I hope to get this thing up and presentable on the web without too much more digging and learning before I can put it into the resume. I have to sleep at least some. In the current job environment, this is my big hope, with one year on the job versus all the job openings asking for "minimum 5 years experience ...". I appreciate the opportunity my internship gives me, but I'm eager to get something better.

Again, thanks a lot to you and all in this one. I'm very hopeful now

F

Buddha Bart (Diamond Member, joined Oct 11, 1999, 3,064 posts)
As long as you're only forwarding that one port, and tomcat is up to date, you're fine.

More fun links:

Buffer Overflows (this is what 98% of the security exploits you hear about are)
http://www.enderunix.org/docs/eng/bof-eng.txt
http://destroy.net/machines/security/P49-14-Aleph-One
http://www.cultdeadcow.com/cDc_files/cDc-351/page1.html

Important things to remember about buffer overflows:
- they occur because of programmer errors
- interpreted (scripting) languages pretty much never have them
- java pretty much never has them
- come to think of it, it's pretty much C. C is the devil.
- if I exploit a buffer overflow in your tomcat server running as "bob" on port 8123, I can do anything "bob" can do. This is why you have services run as their own user. Typically there's not a whole lot that user can do. However in cases like OpenSSH (which runs as root) if there's a buffer overflow, I own your machine (fortunately that's a lot less likely now).

Felecha (Golden Member, joined Sep 24, 2000, 1,434 posts)
Well, it runs on windows, and it's nothing but java and html.

The tomcat is 4.1.24

So I'm probably ok as is? There's nothing to overflow?

How would you create an overflow anyway?
[later - I see that's in your link - I'm at work and sneaking a peek, couldn't help myself]

And -- "running as bob" -- is my server running under a name? That's unix, isn't it?

Careful - I'm curious as anything and I'll stick with this as long as you want to pump out answers ;~)


Buddha Bart (Diamond Member, joined Oct 11, 1999, 3,064 posts)
Originally posted by: Felecha:

And -- "running as bob" -- is my server running under a name? That's unix, isn't it?
Unfortunately when it comes to windows server-type questions I'm at a pretty hefty loss. However I'm pretty sure that windows still follows the basic "processes run as users" concept, usually whoever started the program (that's why you sometimes need to use 'runas' to get a program to run as the administrator).

Tomcat's up to 4.1.27, but I read the release notes here:
http://www.apache.org/dist/jakarta/tomcat-4/RELEASE-NOTES
and I don't see anything you should be concerned with.

Felecha (Golden Member, joined Sep 24, 2000, 1,434 posts)
Thanks so much.

And I just learned today that my company is going to be terminating the intern program at the end of the year. So I'm out, and definitely have to hope that this will be some help on the resume.

Reality check - if you were an employer thumbing through the stack of applications, would you bother to swing over to your machine and go to an applicant's website to see what he says he can do? Is this just dreaming? I see all the jobs (all? the very few I see, I should say) requiring 5+ years, or 10+ years. What can I hope for with 2 years and a go-getter attitude? I know the lead engineer at our office told me that he would write me an awesome reference. But who will even look?

Sigh. Gotta get going on getting it up there.

Interestingly, I saw a talk being given at a local Linux User Group last night, on internet security - a guy who works as SA for a college Nuclear Physics Program - he puts up honeypots to track attackers, and he gave a talk. I talked with him after, about my security concern, and he pretty much echoed your thoughts.