Web servers are vulnerable machines

2012-07-12


Imagine you have rigged up an unusual machine, like a home-made steam engine or a centrifuge. Even if it seemed to be working smoothly, it’s not the sort of thing you would want to leave unattended. It’s quite likely that doing so would break the machine, and quite probably cause damage to nearby property or people.

It’s important to remember that a web server is a pretty sophisticated machine. An entry served up by a WordPress blog is quite a different thing from a printed newspaper article or even a static HTML page. When you view a WordPress page, there is a dynamic interplay between your web browser and the web server. You request particular content and WordPress uses PHP scripts to pull together the necessary data from MySQL databases. The same is true for other dynamic content management systems (CMS), like Joomla or MediaWiki. Underneath all this, there is Apache HTTP Server and whatever operating system the server is running.

All this PHP and MySQL work creates openings for attackers. These can never be completely eliminated, though keeping your CMS updated and being careful about things like passwords and file permissions are important.

What may be most important, I think, is changing the perception of what kind of machine a web server is. You cannot assume that it will continue to obediently do what you want if you leave it alone. It is quite possible that some malicious human or robot will find a crack, take control of it in whole or in part, and then use it for nefarious tasks like sending spam or joining a botnet. If you aren’t paying any attention to things like your server logs, you might never even know that your site has been compromised.
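As a concrete version of paying attention to server logs, here is an added example (not code from the original post) that reads Apache access-log lines and flags addresses that appear to be guessing WordPress passwords. It assumes the "combined" log format, WordPress installed at the site root, and stock login behaviour where a failed POST to `/wp-login.php` returns 200 and a successful one redirects with 302; the log lines and the `review_logins` name are constructed for illustration.

```python
import re
from collections import defaultdict

def _line(ip, sec, method, path, status):
    # Build one constructed Apache "combined" log line (not real traffic).
    return (f'{ip} - - [12/Jul/2012:03:14:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one guesser that eventually gets in, one that does not,
# one ordinary user who mistypes a password once, and one malformed line.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [_line("198.51.100.7", 6, "POST", "/wp-login.php", 302)]
    + [_line("192.0.2.44", s, "POST", "/wp-login.php", 200) for s in range(10, 15)]
    + [_line("203.0.113.20", 20, "POST", "/wp-login.php", 200),
       _line("203.0.113.20", 21, "POST", "/wp-login.php", 302),
       _line("203.0.113.20", 22, "GET", "/", 200),
       "garbage line"]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def review_logins(log_text, threshold=5):
    """Return {ip: finding} for addresses with many failed WordPress logins.

    Assumption: status 200 on POST /wp-login.php is a failed login and
    302 is a successful one (stock WordPress behaviour).
    """
    failed = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip, status = m["ip"], m["status"]
        if status == "200":
            failed[ip] += 1
            if failed[ip] >= threshold:
                findings.setdefault(ip, "guessing")
        elif status == "302" and failed[ip] >= threshold:
            # A success after many failures deserves a closer look.
            findings[ip] = "login-after-guessing"
    return findings

if __name__ == "__main__":
    for ip, finding in review_logins(SAMPLE_LOG).items():
        print(ip, finding)
```

A "login-after-guessing" result is the one to act on first: change that account's password and check what was done during the session.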

In short:

  1. If you run a web server, be aware that it is a constant target for attack.
  2. It is wise to take precautions, like promptly updating software and choosing strong passwords.
  3. Keep an eye open for unauthorized activity.
  4. Have backups in place for recovery after an attack.

Practice safer blogging!


. April 4, 2013 at 6:06 pm

If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.

https://www.torproject.org/download/download-easy.html#warning
