On Mar 14, 2014 12:13 AM, "Brad Alexander" <stor...@gmail.com> wrote: >
>>> >>> Due to this experience I would like to know what the best way to limit such problems is, especially when hosting web servers for users who may or may not installed unsecure applications on the web server. > > > Auditing your security is probably your best bet. As I said above, maybe some web app testing tools, run scans against your server regularly with Nessus or OpenVAS, plus the security best practices...Good password hygene, bastion hosts (only one type of app on a machine), turning off/uninstalling unneeded apps, especially those with a network presence, etc. I'm not sure how your customers may feel about you scanning their apps. What do you do if you find something they don't want to fix? It will probably even cause legal issues. If you do want to do scans, might want to start with someone like nikto (it's free) and see what you find. Idk how well Nessus does web scans either - idk that's their core business (I think that would be AD and compliance). Burp is the tool most use for this. Though, give a baby your car keys and if you're lucky nothing will happen - if you're not... A better solution for sites you host and don't own might be a WAF. Something free like mod_security (some used to sell a rule subscription - can't remember who). Or a PaloAlto box. As for passwords, among other things, the company I work for is kinda known for password auditing so, take it off list if you want a contact for that type of thing. If you don't own the data though...
