
  • Hey, welcome back.

  • TechLead here today.

  • I wanted to talk about the various ways that I have been had throughout the years, running my own websites and servers.

  • And though this is not an invitation for you to try to hack me, I'm sure you probably could just launch a DDoS, a distributed denial of service attack, on my servers, and that's one easy way to just take down anybody's projects.

  • Although, you know, hacking generally is illegal.

  • But when you start operating a Web site and you put essentially a public IP address website on through the network, then you're exposing that machine to the world, to both good and bad people.

  • You can see, actually, when I tried to look into my server, there have been 6162 failed attempts just within the last day, pretty much.

  • And, you know, these are essentially just bots, just trying every single password combination that they can.

  • And on my other server, there were over 186,000 failed attempts in just three weeks.

  • So this is going to be a bit of a technical talk, but could be useful if you ever plan on running your own Web servers, so let's get into it.

  • Quick pause. This video is sponsored by Dashlane.

  • Dashlane is a password manager endorsed by The Wall Street Journal, New York Times, Forbes, Wired and more.

  • They make it easy to manage everything and fill in your personal info like addresses, credit cards and passwords; they're top rated on the iOS App Store and recommended by both Apple and Google.

  • Get 10% off premium for the first 200 people at dashlane.com/techlead.

  • All right, so the first question you may have is what are attackers actually trying to accomplish here.

  • Do they just want to bring down your website your random, small little stupid project?

  • Probably not.

  • Do they just want your additional computing power?

  • Maybe they're gonna run some cryptocurrency mining bots?

  • No, they can just buy that.

  • What they're really after here is your IP address in order to send mail to other people.

  • In my opinion, many of them have been mail spammers.

  • They're trying to take control of many other Web servers out there and then use those to just send spam mail, and so by sending spam mail through your reputable IP address, they're able to get better deliverability on their emails, and that is where a lot of the value has been.

  • And so this is the first way I've been hacked, and consistently.

  • Almost every time I tried to set up a custom mail server using programs like Sendmail, Exim, some attacker always happens to try to find the way to gain access into it.

  • Usually, if I misconfigured the passwords, authentication, firewalls, ports, then someone manages to start sending tons of spam mail through those.

  • Then I get a notice from my server company accusing me of abuse, and they give me 24 hours to either fix the situation or they shut everything down.

  • So this is usually what happens when you try to run your own mail server.

  • I don't generally recommend it, and so these days, usually what I do is I just go through Amazon SES, Simple Email Service, and let them take care of all the security and authentication.

  • The sending limits, the reputation, and just let them handle all of the security issues with that.

  • So let's get to the second hack that I've dealt with, and this was a pretty tricky one, and this was an SSH hack.

  • Now it's still not entirely clear to me how the attacker gained access to the system.

  • There could have been a zero day exploit.

  • Maybe they managed to get into the password.

  • I'm running tons of scripts on my website.

  • Maybe one of them was not secured properly.

  • They gained access somehow, but I found at the bottom of several of my PHP scripts there's a piece of code, just added there, that I did not write, and it was quite obscure.

  • But it seemed like it could have provided the attacker a backdoor access into the system, and I would have to patch every single one of these scripts.

  • Otherwise, the attacker could just use any of these to gain access.

  • And so what I did was I just did a find on all of the system files, looked for anything that was weird and fixed all the scripts.

  • And so I thought that fixed it.

  • But the next thing I knew next time I logged into the system, it was there again and I thought, OK, what?

  • That's weird. Let me just fix everything again.

  • But every time I looked into the system, I realized that the scripts would be appended.

  • And so that's when I realized that the whole SSH daemon that I was using had been compromised.

  • I took a look around the system, and I realized there was a zero-day exploit in which the attacker could install a fake version of the SSH daemon so that every time I logged in it would grant the attacker access.

  • And not only that, they had accessed the password file, /etc/passwd, and added themselves as a user.

  • And on this system, the name was something like sshd.

  • It didn't sound very bad at all.

  • So unless you have a very good understanding of all the processes and inner workings of Linux and UNIX, when you look at these and start looking for issues, it's not immediately clear to you where the issue may be, what's good, what's bad.

  • So here's what I did to try to remedy the situation.

  • First, I set up a dashboard, like a website, a script that would just check a bunch of internal files, system processes and make sure everything was running smoothly, and that I could just glance at quickly to make sure that there was no malware running.

  • Now, this is a good practice to have.

  • Anyways, I have a dashboard I still check to this day, every single day, just to make sure all of my websites and projects are running smoothly.

  • I changed the ports that you can log in through. Usually you SSH in through, say, port 22 by default.

  • A lot of these malware machines, they're just checking on these certain ports.

  • So I just changed that to another random port.

  • I made it so you can only access the machine from a certain IP address, which is just the area within my vicinity.

  • And I disabled password access, instead using private and public key files, which are stronger and cannot be guessed as easily.

  • And then this wasn't helped by the server being 10 years old by then; I had acquired it a long time ago.

  • I didn't keep things up to date, and so over time, what I eventually did was I just got rid of the server, upgraded it to a brand new one, got the latest security updates and OS, locked down all the ports, the SSH access, disabled the password authentication system.

  • And through that, I was finally rid of that stubborn hack.

  • Now, the third hack I've seen has to do with security through obscurity, where you may not see certain files, folders, URL paths, but an attacker can try to guess at certain URLs and gain access into a system that way.

  • So one common practice I've seen is that usually there's like a .git path within your directory if you're using the Git revision control system, and the attacker would just go to your URL and access /.git.

  • And if you did not secure your Git repository, then they'll be able to get access to all of the source code.

  • And I've received security reports from, thankfully, friendly researchers, who I think what they do is they just scan the Internet for all the URLs and check for the security exploits and email the Web administrator about these so that they could get those fixed throughout the Internet.

  • Now the fourth hack I've seen, maybe something you're familiar with as well is sanitizing user input.

  • So any time you have, like, a website or project where you're allowing the user to input something, maybe they can tweet something.

  • Well, if you don't sanitize the input, then you could be allowing anyone to input code into your system.

  • It could be as simple as, say, some HTML code to just bold or italicize some text.

  • A user could try to issue a SQL injection attack, where they use a quote to escape out of the user input area and then append additional commands to modify the database or gain access into it.

  • And I've seen some people, they can actually get in terminal access, SSH access, into a system if the user input is used for some internal shell command.

  • The best way to secure yourself against this is to make sure that you're sanitizing all user inputs, but even then, at that rate, you could be forgetful.

  • You could miss one line here and there, and then your whole entire system could be compromised, which is why you may opt then for, like, a Web framework that will sanitize all user inputs for you automatically.

  • So there would be less of a risk. Moving on to our fifth security hack.

  • This is about passwords, and it's really more of a tip that if you're storing passwords, you should not be storing them in plain text.

  • Usually, what you want to do is hash them such that if your database ever becomes compromised, you're not just leaking the raw, plain text passwords of all of your users.

  • When you hash it, you can at least obscure some of the details, and especially if you're using a password salt.

  • So you first append some string that you know to the user's password, and then you hash that whole set together that really obscures that.

  • Such that even if the hashes get leaked and another Web site somewhere else is using the same hashing algorithm, the passwords will at least be unique to your own domain, your own project, and so that will protect the user's credentials from being leaked, at least elsewhere beyond your own website.

  • And even if you have a password authentication system, attackers may sometimes try to just brute force their way in by randomly guessing a number of common passwords.

  • So in this scenario, you can either rate limit the passwords or implement, like, a captcha system, although my recommendation may be to not even implement a user authentication system; if it works for a project, just use, like, Google Firebase authentication, Apple ID, Facebook Connect, something like that.

  • And then you don't have to deal with headaches of securing your authentication system.

  • Now, my sixth security tip has to do with making a website more secure for your users; especially any time you're trying to collect payment, you want to make sure that that connection is encrypted over HTTPS.

  • So these days many websites are served over HTTPS.

  • But if they're not, just using standard HTTP, then the Internet traffic is unencrypted and any attacker can be sniffing on that network and read all of the Internet traffic you're sending, like your passwords, credit card details.

  • So one way to quickly secure your Web application is to get an SSL certificate.

  • Personally, I used this open source project getssl, and they just get free certificates from Let's Encrypt.

  • So then you can enable your Web application for https encryption over the Internet.

  • Now moving on to the seventh way I've been hacked, and this may have happened to some of you as well: if you've ever installed your own WordPress blogging website, then you know that WordPress has so many security issues.

  • And every now and then one of your WordPress websites or blogs, they just get compromised, and then they usually issue some security patch.

  • But it's a lot of maintenance, and especially if you install some WordPress blog website and then you forget about that.

  • You don't go back to it.

  • You've essentially installed a security loophole into your system.

  • What I've done is I've gone through and scrapped my entire system of WordPress blogs, websites and plugins and any other projects like free bulletin board systems, free blog websites.

  • And so my overall recommendation here is you can also just pay WordPress a fee and they'll host your blog for you, and they'll make sure that it is completely secure.

  • You don't necessarily want to be the person managing, running and updating all of your own email servers, your websites, your blogs, chat servers, because that could be a security risk.

  • And if you do run these services, then you need to be willing to put in the time to keep these updated and maintained.

  • And one more tip.

  • Since you never really know if you're secured, there could be zero-day exploits.

  • It may help to make backups, so get another machine.

  • Copy all of your data user data project files over to this machine such that even if one machine is compromised, then you're still going to have your data and you'll be able to restore it.

  • In the worst case scenario, your data is one of your most important assets, so secure it with Dashlane, a top password manager endorsed by The Wall Street Journal and New York Times. Dashlane generates super secure passwords, plus all the passwords you store are encrypted, making it a super safe place to store your information.

  • Here's what's so secure: Dashlane stores and decrypts your information locally on your device using your master password.

  • So even if someone did manage to hack Dashlane itself, it would be like breaking into a bank but not being able to open any of the vaults, because not even Dashlane has the keys.

  • Only you have the key to the vault, so unless you go around publishing your master password, your information is always safe.

  • This is their patented zero-knowledge architecture.

  • They also have a VPN, so you won't be tracked when you're browsing the Internet and can access content in any country.

  • And they monitor the dark Web for password leaks, alerting you if any of your personal information may be available to spammers and hackers, so check them out and get 10% off premium for the first 200 people at dashlane.com/techlead.

  • So that'll do for me for now.

  • And I would appreciate if you don't try to hack me because I don't need the additional work and let me know if you've ever been hacked or have any good security tips.

  • If you enjoyed the episode, please give it a like and subscribe.

  • Follow me over on Instagram at techleadhd, and I'll see you next time.
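As an added example, not code from the video or from its author, here are the fourth tip (sanitizing user input, using SQL injection as the case) and the fifth tip (salted password hashing) in Python: a lookup that pastes user input into the SQL text next to the parameterized version, run against an in-memory SQLite table, and a password store that keeps a per-user salted hash and verifies a login against it. The table, the user names, the passwords and every function name are constructed for the demo. The hashing goes one step beyond the video's "append a string you know and hash it": it uses a random salt per user and the slow PBKDF2 key-derivation function from the standard library, which is the usual modern form of that idea.

```python
"""Added example: parameterized SQL versus string-formatted SQL, and
per-user salted password hashing. All data here is constructed."""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed sample table. The 'note' column stands in for any private
    per-user data that a leaked query could expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, note TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice private note')")
    conn.execute("INSERT INTO users VALUES ('bob', 'bob private note')")
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form (for contrast): the user's input is pasted into the
    SQL text, so a quote closes the string literal and whatever follows
    becomes part of the query, exactly the escape the video describes."""
    sql = "SELECT name, note FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a bound parameter is always treated as data, never
    as SQL, so no quoting in the input can change the query's shape."""
    sql = "SELECT name, note FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def hash_password(password, salt=None, iterations=200_000):
    """Return a 'salt$iterations$digest' record to store instead of the
    password. A fresh 16-byte random salt per user means two users with
    the same password get different records, and the same password on a
    different site (different salt) hashes differently too."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a quote plus an always-true condition. The unsafe
    # lookup returns every row; the safe lookup returns nothing.
    probe = "nobody' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))
    print("safe:  ", lookup_safe(db, probe))

    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("wrong password", record))
```

The stored record carries its own salt and iteration count, so the iteration count can be raised for new users later without invalidating old records; `verify_password` reads whatever count the record was made with.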


How I got hacked... 7 times (security tips for web applications)

Published by 林宜悉 on 2021-01-14