
Thread: SSL and Alpha Web Server security

  1. #1
    VAR
    Real Name
    Mike Reed
    Join Date
    Apr 2000
    Location
    Phoenix, AZ
    Posts
    627

    SSL and Alpha Web Server security

    I have had some discussions with another Alpha Developer about SSL certificates and security of the Alpha Web Server. It is a question some customers have asked lately and I have given the same reply.
    So I have two questions for the Developer community....

    One:
    This is basically my statement:
    When you combine an SSL certificate with the built-in robust security of Alpha Anywhere, I believe you have security on the web that is as good as most sites have. No, it is not DOD secure, but that is not needed. I have never heard of an Alpha server being hacked. (That doesn't include passwords that were shared or left on a Post-it note.)

    What do you folks think, and what have you heard?


    Two:
    I found this link about SSL certificates https://www.sslshopper.com/why-ssl-t...tificates.html

    It did make me wonder about the 'cheap' SSL certificates. Does anyone have any thoughts or ideas on that?

    Thanks,

    Mike
    Mike Reed
    Phoenix, AZ

  2. #2
    Member
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    778

    Re: SSL and Alpha Web Server security

    1) SSL and HTTPS are not protecting your server, they are just trying to protect the data as it is in transit between the server and client. You should have other software, like RDP Guard and firewalls that are protecting your server against the barrage of attacks.

    2) Slapping on an SSL certificate and making all your users go through https is not enough. Assuming you are communicating across the Internet, you (or your client) are probably worried about "man-in-the-middle" hackers "listening" to traffic and scraping off useful information. You have to look deeper into how the SSL certificate and https protocol work to encrypt data in transit. First, you have to make sure you are operating with current DLLs for OpenSSL on your AlphaServer. Then you have to look at what cipher suites your AlphaAnywhere Server allows. This can be found on the AA server console window under the "SSL" tab. Many cipher suites have been compromised by hackers and should probably be removed from the default cipher list on your server. You will find some of the ciphers that were developed with larger key sizes are actually quite easily decrypted by hackers, and you are sometimes better off with smaller key sizes when there is no larger key size alternative that both your server and client can use.

    Also, be sure to search the Internet for 'Google distrust Symantec'.
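    The cipher-list review Rich describes can be done offline before touching the server's SSL tab. The script below is an added example, not code from the thread or from Alpha Software: it feeds an OpenSSL cipher string to the OpenSSL that the local Python links against, expands it to the suites a server configured with that string would actually offer, and flags the ones a practitioner would remove. The list of weak name tokens is an assumption based on common hardening guidance (RC4, DES/3DES, export suites, NULL encryption, MD5 MACs, anonymous key exchange) rather than anything Alpha publishes.

```python
"""Expand an OpenSSL cipher string and flag suites to drop.

Added example (not from the thread or from Alpha Software). Standard library
only: set_ciphers() expands the string with the OpenSSL Python links against,
and get_ciphers() returns what a server configured with that string would
actually offer for TLS 1.2 and below.
"""
import re
import ssl

# Assumption: these name tokens mark suites unfit for a public HTTPS server.
# The list follows common hardening guidance, not any Alpha Software document.
WEAK_TOKENS = {
    "RC4":   "RC4 keystream biases; RFC 7465 forbids RC4 in TLS",
    "RC2":   "RC2, 64-bit block and export-era key sizes",
    "DES":   "single or triple DES, 64-bit block (Sweet32)",
    "IDEA":  "IDEA, 64-bit block (Sweet32)",
    "EXP":   "export-grade key sizes (FREAK/Logjam)",
    "NULL":  "no encryption at all",
    "MD5":   "MD5-based MAC",
    "ADH":   "anonymous DH: no server authentication, trivial MITM",
    "AECDH": "anonymous ECDH: no server authentication, trivial MITM",
}
# OpenSSL suite names are hyphen-separated tokens (ECDHE-RSA-DES-CBC3-SHA).
# Matching whole tokens keeps AES, ECDHE and similar names from tripping the
# shorter patterns; EXP\w* also catches EXP1024-style export suites.
_TOKEN_RE = re.compile(r"(?:^|-)(RC4|RC2|DES|IDEA|EXP\w*|NULL|MD5|ADH|AECDH)(?=-|$)")


def weaknesses(name, strength_bits=None):
    """Reasons to drop a suite; [] means it passes this screen."""
    reasons = []
    for tok in _TOKEN_RE.findall(name.upper()):
        key = "EXP" if tok.startswith("EXP") else tok
        reasons.append(f"{tok}: {WEAK_TOKENS[key]}")
    # strength_bits is the effective key size OpenSSL reports for the suite.
    if strength_bits is not None and strength_bits < 128:
        reasons.append(f"only {strength_bits}-bit cipher strength")
    return reasons


def expand(cipher_string):
    """Suites (dicts from ssl.SSLContext.get_ciphers) a server set to
    cipher_string would offer. TLS 1.3 suites are always listed; the cipher
    string does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "No cipher can be selected": nothing matched
        return []
    return ctx.get_ciphers()


def audit(cipher_string):
    """Return (keep, drop): acceptable names, and (name, reasons) to remove."""
    keep, drop = [], []
    for suite in expand(cipher_string):
        why = weaknesses(suite["name"], suite.get("strength_bits"))
        if why:
            drop.append((suite["name"], why))
        else:
            keep.append(suite["name"])
    return keep, drop


if __name__ == "__main__":
    # From most permissive to a modern allow-list; @SECLEVEL=0 lifts the
    # minimum-strength floor so legacy suites show up if the build has them.
    for cs in ("ALL:@SECLEVEL=0", "DEFAULT", "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL"):
        keep, drop = audit(cs)
        print(f"{cs}: {len(keep)} acceptable, {len(drop)} to remove")
        for name, why in drop:
            print(f"  drop {name}: {'; '.join(why)}")
```

Two caveats. This screens names and reported key strength only; what a live server really negotiates should be confirmed from outside with a scanner or `openssl s_client -cipher`. And the cipher string has no effect on TLS 1.3, whose suites OpenSSL enables separately, so a server that still allows TLS 1.0/1.1 needs the protocol versions restricted as well as the ciphers.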

  3. #3
    Member
    Real Name
    Nate Battles
    Join Date
    Dec 2015
    Posts
    4

    Re: SSL and Alpha Web Server security

    SSLs come in a few flavors and are offered by a few vendors.

    Some people just want a green lock displayed on their site; for that, a simple DV (domain validated) cert is adequate. Others need to display organizational information on the cert, in the browser. For those you need OV (organization validated) or EV (extended validation) certs; with those they do a multi-step verification: call a business number, prove a business address, etc. They are also very expensive. Different SSLs also have varying levels of warranty protection as well.

    Rich is correct. Security is an onion; there are many layers. SSL is one part of that.

    Chrome (and others will follow) will be requiring SSLs on sites. Otherwise they're going to warn visitors that the site is not trusted. 99% of the time, that visitor will leave your site.

    As for Google distrusting Symantec: if you had an older SSL issued, chances are it wasn't up to the level of encryption that Google wants. Those are being reissued by the company that took over the certs from Symantec.

    Comodo was the only issuer exempt from the SSL debacle Rich was referring to. Geotrust, RapidSSL, Thawte and Symantec were all affected (depending on when they were issued).

  4. #4
    VAR
    Real Name
    Mike Reed
    Join Date
    Apr 2000
    Location
    Phoenix, AZ
    Posts
    627

    Re: SSL and Alpha Web Server security

    Any other thoughts on question 1 with the assumption that a proper firewall, RDP Guard and SSL are in place?

    Thanks
    Mike Reed
    Phoenix, AZ

  5. #5
    Member
    Real Name
    Nate Battles
    Join Date
    Dec 2015
    Posts
    4

    Re: SSL and Alpha Web Server security

    You can add anti-malware/virus services, system monitoring to alert you that you don't have a runaway server. We've had reports from clients who've received shocking bandwidth bills (with 4 zeros attached) from public clouds due to a runaway server chewing up bandwidth.

    Having all that in place is great, but if you don't have a good backup in place, security aside, it won't do you much good.

    I'd also add getting your domain on a secure DNS service like Cloudflare, which will harden your DNS and protect you from the possibility of a DDoS attack.

    If DNS ain't happy, nobody is happy.

  6. #6
    Moderator
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,775

    Re: SSL and Alpha Web Server security

    You need an IP blocker to stop or at least slow down rogue hits. I block millions of packet hits to my iadn.com website by selectively blocking IPs based on blacklists from https://www.iblocklist.com/lists.php?category=country.

    I use IP Blocker Firewall 3.2. It takes a bit of knowledge to set it up but it runs forever after configuration.

    I still do get occasional SQL injection attacks from USA-based IPs, which are harder to block. It is on my task list to write a routine that automatically blocks an IP if the result is a 404 (page not found) X times in a row.
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  7. #7
    "Certified" Alphaholic
    Real Name
    Dave Mason
    Join Date
    Jul 2000
    Location
    Hudson, FL
    Posts
    5,857

    Re: SSL and Alpha Web Server security

    I have hosting that provides free Comodo SSL and DDoS protection. Spammers are checked against Honeypot and, if positive, get blocked. I have the built-in ability to block countries/regions of choice, which is 95% effective. Site protection catches SQL attacks and blocks the IP automatically. MUA attacks are also caught. Most is done by using Joomla as an entryway to applications; the Akeeba Admin Tools add-on even watches certain files for changes.

    I don't use Cloudflare except for a few clients that need it. Paid Cloudflare is too expensive for my 20-30 sites/apps. Cloudflare will require their own DNS setup when fully implemented. I have my own DNS, so I do not wish more redirects. Cloudflare is great for one app on a server that has little/no built-in security.

    Akeeba Admin Tools has a plugin called geoip that is updated often for country and region IPs.

    Here is a notice of a caught problem on a site:


    Hello,

    We would like to notify you that a security exception was detected on your site, Auto Classifieds, with the following details:

    IP Address: 185.86.13.213
    Reason: Admin Query String

    If you are the administrator of this site and have blocked yourself on accident please visit http://lotrun.com/administrator/inde...ave@lotrun.com where dave@lotrun.com is the email address of your (Super User) account.

    If this kind of security exception repeats itself, please log in to your site's back-end and add this IP address to your Admin Tools's Web Application Firewall feature in order to completely block the misbehaving user.

    Best regards,

    The Auto Classifieds team

    Hope This helped a little?
    Last edited by DaveM; 01-02-2018 at 01:50 PM.
    Dave Mason
    dave@aldaweb.com

    Skype is dave.mason46
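    Steve's to-do item (block an IP after X 404s in a row) and the automatic SQL-attack blocking Dave's hosting does can be built from the access log alone. The script below is an added example, not code from either poster or from Alpha Software. It reads common-log-format lines, drops anything inside a CIDR blocklist (the form country lists such as iblocklist's come in), blocks a client after N consecutive 404s, flags query strings that look like SQL injection, and emits Windows Firewall rules, since the Alpha server runs on Windows. The log lines, the blocklist range, the threshold and the injection patterns are all constructed for the example; the `netsh advfirewall` syntax is Windows' own.

```python
"""Auto-block misbehaving clients from web-server access logs.

Added example, not code from any poster or from Alpha Software. Reads NCSA
common-log-format lines, applies a CIDR blocklist, blocks a client after N
consecutive 404s, flags SQL-injection shaped query strings, and emits
Windows Firewall commands. Sample data below is constructed.
"""
import ipaddress
import re
import urllib.parse
from collections import defaultdict

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2018:13:50:01 -0700] "GET /index.a5w HTTP/1.1" 200 5123
198.51.100.23 - - [02/Jan/2018:13:50:02 -0700] "GET /wp-login.php HTTP/1.1" 404 221
198.51.100.23 - - [02/Jan/2018:13:50:02 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 221
198.51.100.23 - - [02/Jan/2018:13:50:03 -0700] "GET /admin/ HTTP/1.1" 404 221
198.51.100.23 - - [02/Jan/2018:13:50:03 -0700] "GET /.env HTTP/1.1" 404 221
203.0.113.7 - - [02/Jan/2018:13:50:05 -0700] "GET /missing.png HTTP/1.1" 404 221
203.0.113.7 - - [02/Jan/2018:13:50:06 -0700] "GET /index.a5w HTTP/1.1" 200 5123
203.0.113.9 - - [02/Jan/2018:13:50:07 -0700] "GET /list.a5w?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9021
192.0.2.44 - - [02/Jan/2018:13:50:08 -0700] "GET /index.a5w HTTP/1.1" 200 5123
"""
# Constructed blocklist; a real country list holds thousands of ranges.
BLOCKLIST = ["192.0.2.0/24"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Crude but useful: quote-then-boolean tautology, UNION SELECT, comment
# terminator, time-based probes, schema enumeration. Tune to your traffic.
SQLI_RE = re.compile(
    r"""['"]\s*(?:or|and)\s+\S+\s*=|union\s+select|--\s*$|sleep\s*\(|information_schema""",
    re.IGNORECASE,
)


def parse(line):
    """One log line -> dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["status"] = int(hit["status"])
    # Decode once so %27 becomes ' before the injection check; decoding
    # twice would reintroduce the double-encoding bypass.
    hit["query"] = urllib.parse.unquote(urllib.parse.urlsplit(hit["path"]).query)
    return hit


def in_blocklist(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def analyse(lines, blocklist=BLOCKLIST, max_404_run=3):
    """Return {ip: reason} for every client that should be blocked."""
    networks = [ipaddress.ip_network(n) for n in blocklist]
    run = defaultdict(int)  # current streak of 404s per client
    decisions = {}
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ip = hit["ip"]
        if in_blocklist(ip, networks):
            decisions.setdefault(ip, "on blocklist range")
            continue
        if SQLI_RE.search(hit["query"]):
            decisions.setdefault(ip, f"SQL injection pattern in {hit['path']}")
        # A 404 extends the streak; any other status resets it, so a real
        # visitor with one broken image link is not punished.
        run[ip] = run[ip] + 1 if hit["status"] == 404 else 0
        if run[ip] >= max_404_run:
            decisions.setdefault(ip, f"{run[ip]} consecutive 404s")
    return decisions


def firewall_rules(decisions):
    """Windows Firewall (netsh advfirewall) inbound block rules, one per IP."""
    return [
        f'netsh advfirewall firewall add rule name="autoblock {ip}" '
        f'dir=in action=block remoteip={ip}'
        for ip in sorted(decisions)
    ]


if __name__ == "__main__":
    verdicts = analyse(SAMPLE_LOG.splitlines())
    for ip, reason in verdicts.items():
        print(f"{ip:16} {reason}")
    print("\n".join(firewall_rules(verdicts)))
```

Run it against a tail of the live log from a scheduled task and pipe the rules into an elevated shell. Two things worth keeping in mind before automating the block: put your own office and monitoring addresses on an allow list first, and expire the rules (a `netsh ... delete rule name="autoblock ..."` after a day or so), because dynamically assigned consumer IPs change hands and a permanent block eventually lands on a legitimate customer.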

  8. #8
    Member
    Real Name
    Nate Battles
    Join Date
    Dec 2015
    Posts
    4

    Re: SSL and Alpha Web Server security

    Cloudflare uses a GeoIP database to map IP addresses to countries. "Unknown" means that there wasn't a record in our geolocation database for an IP address.

    I would disagree that it's just for one app or non-hardened servers. I'm not affiliated with CF, but I do think it's a good product.
