Help needed with file permissions on Windoz box

#107792 (In Topic #21015)
TQ
Honoured member

Hi All,

I absolutely love OCP and find it does just about everything I could want straight out of the box but there is one thing that has perplexed me from the get-go, file/folder permissions on a Windoz server.

My site gets routinely hacked (or at least they try to hack it) for, I assume, the 8k plus email addresses stored in the mysql database. I suspect I get about 20-30 hackers visit me per month (and literally 100's of spammers trying their luck every week). Every one of their IPs is banned at firewall level as soon as I'm aware of it.

Mine is a hobby site run on my own Windoz 2003 server and, before you remind me that it's well out of date, I don't have the funds to replace it nor the experience to run a *nix box.

Last night it was successfully broken again, this is only the third time it's been destructively penetrated and fortunately nothing like the first 2 times when it took many 10's of hours to put the site or server back together again.

So, to the relevant part. If I use OCP's permissions checker it reports that all of the permissions are OK. After twigging that the fixperms.bat batch file needed a minor change to make it work ie. changing set user=IUSR to SERVERNAME\IUSR_SERVERNAME I got that to work OK but it doesn't fix everything.

The problem is, if I change permissions in some areas to blatantly wrong parameters like write access where it shouldn't be, OCP's permissions checker doesn't see the error of my ways.

I did at one time set the entire site to read only then laboriously traverse the site causing it to present a stack report for every read-only error and then fixing it. This took hours and hours and nearly drove me insane and made me consider giving the whole project up! The problem with this approach is that every update or patch screws with my permissions.

The latest trend is for potential hackers to try to traverse the folder structure, this is part of last night's email response:

Code

Reason: Tried to use a file path redirection to get outside the intended directory
IP address: 192.240.166.195
Member ID: 1
Username: Guest
User Agent (typically, the web browser):
Referrer:
Operating System:
Date and time: 12:26 AM
URL: /index.php?page=../../../../../../../../../../../../../../etc/group%00

When I checked the site's home page this morning I was presented with this:

Code

Unfortunately a query has failed [SELECT *
FROM ocp_cache WHERE (lang='EN'
AND cached_for='side_stored_menu'
AND the_theme='Golden'
AND identifier='f09a5d5357983ab154d788e98daaxxxx')
LIMIT 1] [Table '.\hamfiles\ocp_cache' is marked as crashed
and should be repaired] (version: 9.0.19,
PHP version: 5.3.24, URL: /)

Repairing the db sorted the problem but my site is becoming ever more popular (since I created a Facebook group for new additions) and it was down for 8 hours before I was aware of it.

I have been unsuccessful in getting IIRF to work correctly so I'm advertising the real URLs in the browser which I know isn't helping me.

What I am seeking is some advice (within the parameters I've set ie no cash to splash) on how I should approach this ever growing problem without having to check the site every few hours to find out if it's been hacked or otherwise disabled from normal running (IIS frequently grinds to an almost halt or the server reboots itself after being flooded).

Thanks in advance for any and all input.

TQ
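
A way to triage alerts like the one quoted in the post above, as an added example that is not part of the original thread or of ocPortal: it parses the alert's fields and reports how many directory climbs the `page` parameter attempted, whether it carried an encoded NUL byte, and which file it was reaching for. The sample alert, its documentation IP address and the `UNIX_ROOTS` heuristic are assumptions made here.

```python
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed alert in the same "Field: value" layout as the e-mail in the post
# (192.0.2.10 is a documentation address, not the one from the thread).
SAMPLE_ALERT = """\
Reason: Tried to use a file path redirection to get outside the intended directory
IP address: 192.0.2.10
Member ID: 1
Username: Guest
Date and time: 12:26 AM
URL: /index.php?page=../../../../etc/group%00
"""

UNIX_ROOTS = {"etc", "proc", "var", "usr", "home"}   # heuristic, an assumption

def parse_alert(text):
    """Turn the alert's 'Field: value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify_page_param(url):
    """Describe what the 'page' parameter of a flagged URL tried to reach."""
    query = urlsplit(url).query
    params = dict(p.partition("=")[::2] for p in query.split("&") if p)
    # Decode to bytes so an encoded NUL (%00) stays visible.
    decoded = unquote_to_bytes(params.get("page", ""))
    path = decoded.split(b"\x00", 1)[0].decode("latin-1").replace("\\", "/")
    segments = [s for s in path.split("/") if s and s != "."]
    target = [s for s in segments if s != ".."]
    return {
        "climbs": segments.count(".."),          # number of '..' steps
        "null_byte": b"\x00" in decoded,         # attempt to cut off an appended suffix
        "target": "/".join(target),
        "unix_target": bool(target) and target[0] in UNIX_ROOTS,
    }

def triage(alert_text):
    """One record per alert: source address, what was requested, how to read it."""
    fields = parse_alert(alert_text)
    record = {"ip": fields.get("IP address", ""),
              **classify_page_param(fields.get("URL", ""))}
    # A Unix path requested from a Windows/IIS host points to an untargeted scan.
    record["verdict"] = "generic scan" if record["unix_target"] else "review"
    return record
```

A request for `etc/group` names a file that does not exist on a Windows server, which marks it as an automated probe rather than something built for this host.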

#107793

Hi,

Thanks for your comments about loving ocPortal :).

Windows permissions are tricky for us to check/communicate, as PHP is very much based around POSIX (unix-like) permissions, and Windows permissions vary greatly between machines. But at the end of the day, if we document something as needing write access, that logic applies to both Linux and Windows, it's just the mechanism for specifying it is different. I don't think permissions themselves will be a huge nightmare. If fixperms.bat is missing some permissions that you find are needed, please point it out and we can correct that.

I think actually there are a few other conflated issues here:
  • MySQL crash
  • Hack attacks
  • Old version of Windows

The MySQL crash was likely an unclean server reset, not a hacker. MySQL tends to be quite fragile to this. I'm not actually aware of any way a hacker can specifically cause a MySQL table to crash. You can usually get MySQL to repair its tables quite easily by running the right repair command.

The auto-detected hack attacks happen on almost all sites and you shouldn't get too paranoid about them. We block them very effectively, and the ocPortal framework is written in a very robust way.

An old version of Windows (I guess 2003 is EOL?) is likely a bigger issue. I'm not a Windows admin so I don't want to comment on that one myself.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
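
The check the thread asks for, write access where it should not be, as an added example (not ocPortal's permissions checker and not fixperms.bat): it reads saved `icacls` output for each directory and reports both unexpected and missing write grants for the web account. The directory names, the sample output and the writable list are placeholders made up here; the real list has to come from the ocPortal documentation, and `icacls` is assumed to be available (it ships with Windows Server 2003 SP2 and later).

```python
import re

# icacls right codes that allow creating, changing or deleting content
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WA", "WEA",
                "WDAC", "WO", "GW", "GA"}
FLAGS = {"OI", "CI", "IO", "NP", "I"}    # inheritance markers, not rights

def write_grants(path, icacls_text, account):
    """Write-capable rights that `icacls <path>` output allows `account`."""
    granted = set()
    for line in icacls_text.splitlines():
        # The first line is prefixed with the path; later lines hold one ACE each.
        ace = (line[len(path):] if line.startswith(path) else line).strip()
        name, sep, perms = ace.rpartition(":")
        if not sep or name.lower() != account.lower():
            continue
        groups = re.findall(r"\(([^)]*)\)", perms)
        if "DENY" in groups:
            continue                     # a deny entry grants nothing
        for group in groups:
            if group not in FLAGS:
                granted |= WRITE_RIGHTS & set(group.split(","))
    return granted

def audit(acls, account, should_be_writable):
    """Report write access that is present but undocumented, or documented but absent."""
    findings = []
    for path, text in sorted(acls.items()):
        rights = sorted(write_grants(path, text, account))
        if rights and path not in should_be_writable:
            findings.append((path, "unexpected write", rights))
        elif not rights and path in should_be_writable:
            findings.append((path, "missing write", []))
    return findings

ACCOUNT = r"SERVERNAME\IUSR_SERVERNAME"      # account form quoted in the thread
SHOULD_BE_WRITABLE = {r"C:\site\uploads"}    # placeholder list
SAMPLE = {                                   # constructed icacls output
    r"C:\site\sources": (
        r"C:\site\sources BUILTIN\Administrators:(OI)(CI)(F)" "\n"
        r"                SERVERNAME\IUSR_SERVERNAME:(OI)(CI)(M)" "\n"),
    r"C:\site\uploads": (
        r"C:\site\uploads SERVERNAME\IUSR_SERVERNAME:(OI)(CI)(RX)" "\n"),
    r"C:\site\lang": (
        r"C:\site\lang SERVERNAME\IUSR_SERVERNAME:(OI)(CI)(RX)" "\n"),
}
```

Calling `audit(SAMPLE, ACCOUNT, SHOULD_BE_WRITABLE)` flags `C:\site\sources` as an unexpected write grant and `C:\site\uploads` as a missing one; rerunning it after every update or patch shows what the upgrade changed.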

#107795
TQ

Honoured member

Hi Chris,

I still remain impressed at how OCP has a solution for so many of the new requests I make of it as I get more involved with my site. I will post some 'How do I' requests on this forum in the near future for things I would like to do and I feel confident that it will be a case of 'I haven't discovered that option' rather than finding a feature or function it can't do out of the box. Well done to all those that have made OCP what it is today.

You are right, I'm getting paranoid about having my site wiped out again, mainly because I failed in my diligence a few months ago and some kind hackers managed to corrupt most of my sites with 'F***ed by 7 sign' and 'defaced by TUNISIAN FALLAGA TEAM' in the same night. I simply don't have the skills to compete with these guys so I have to do my best to keep them out.

I am aware of what an unclean server reset can do to a mysql db as I also run an internet radio station at another location which almost continuously writes to the db so it has to be repaired on every (occasional) crash. I do this manually for the radio station but do you think it would be safe (or would it be unwise) to do this with a script on every reboot for the OCP site? I do backup the site every night, I backup the backups every week and I also do a separate backup of both the site and database every week to yet another HD so I would have something to recover from (this time).

Talking about permissions and backups reminds me that I now do the backups outside of OCP because I never resolved the permissions issue you spoke of in that post even though I've done everything mentioned in my previous post in this thread (and tried so much more).

What can I say about running an old version of Windows other than 'it's about time I learnt one of the many *nix O/S's' and grew a pair :P If I do, I will only run it as a web-server for OCP, maybe a mail server and possibly an Icecast server so, if you would suggest which variant an MS-O/S old-school'r should go for I'd be obliged.

Thanks for your feedback and it's good to know you're always there (do you ever sleep?).

TQ

#107799

Sorry to hear of the hacking.

do you think it would be safe (or would it be unwise) to do this with a script on every reboot for the OCP site?

Yeah, I've never seen a MySQL repair trash a DB.

Thanks for your feedback and it's good to know you're always there (do you ever sleep?).

I get a decent amount of sleep, but I am exhausted a lot ;).


You may want to try messing about with a free tier Amazon EC2 'machine'. Nothing to break, no cost.


#107835

Fan in action

I second what Chris said re a cloud based server.
Don't know where OP is located, but we are moving one of our test boxes to Rackspace. AWS free tier is a good option for a low traffic web site. It will be less headache for you to keep up, and you can save a virtual instance to resort to immediately.

HTH
Dean

#107838
TQ

Honoured member

Thanks for your feedback Dean, I'm looking into it.

TQ

#107839
TQ

Honoured member

A quick follow-up question, does:

Apr 2015
Unique visitors: 6,900
Number of visits: 11,462
Pages: 67,798
Hits: 701,913

Additional 'Not viewed traffic' (BOTS etc)
Pages: 98,669
Hits: 132,049

... fall in the category of a 'Low traffic site' ?

TQ

#107897
TQ

Honoured member

TQ said

A quick follow-up question, does:

Apr 2015
Unique visitors: 6,900
Number of visits: 11,462
Pages: 67,798
Hits: 701,913

Additional 'Not viewed traffic' (BOTS etc)
Pages: 98,669
Hits: 132,049

... fall in the category of a 'Low traffic site' ?

TQ

No replies to this… O_o

This is a serious question as I think it is quite high but I also know I'm a small fish in a big sea.

I looked at the AWS free tier pages and concluded that my usage would be too high for the free service but I don't trust myself to make this assumption.

Anyone?

TQ

#107899

I can only speak for what I said, but I mentioned a free cloud server to experiment with. I wouldn't recommend one to host with for any site receiving real visitors.


#107901
TQ

Honoured member

Chris Graham said

I can only speak for what I said, but I mentioned a free cloud server to experiment with. I wouldn't recommend one to host with for any site receiving real visitors.

Thanks again Chris.

I found an old box which I've installed Ubuntu Server onto, to see if I can get to know it well enough to commit it to the specific IP I have for my OCP site.

I asked the question as a result of Dean's post. I read it as suggesting that I move my OCP site to the free service.

TQ