On Saturday 29 October 2005 14:44, Marc Weustink wrote:
> ik wrote:
> > On Saturday 29 October 2005 13:18, Marc Weustink wrote:
> > 
> >>ik wrote:
> >>
> >>>On Saturday 29 October 2005 11:11, Marc Weustink wrote:
> >>>
> >>>
> >>>>Thomas Zastrow wrote:
> >>>>
> >>>>
> >>>>>Florian Klaempfl wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Lv wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>This is getting annoying..
> >>>>>>>
> >>>>>>>Can't you guys just use Linux or BSD with ipchains or iptables?
> >>>>>>>If you want a firewall script let me know.
> >>>
> >>>
> >>>What is the connection to a firewall exactly? A firewall is only a filter
> >>>of packets, not an "IPS", and it was not created to be one.
> >>>
> >>>Defacement is done using security holes such as SQL injection, buffer
> >>>overflows (that exist on the server, for example), and any other type of
> >>>access to the system (file uploading, as another example).
> >>>
> >>>There is also the possibility that someone installed a non-standard program
> >>>that opened a backdoor on the system itself. BTW, if the "backdoor" is using
> >>>port 80 for example, then the firewall will not block it.
> >>>
> >>>
> >>>
> >>>>>>The problem is probably postnuke but not the OS.
> >>>>>>
> >>>>>
> >>>>>Then send Postnuke to hell .... if you need some help transforming the 
> >>>>>content from Postnuke to a new solution, let me know.
> >>>>
> >>>>The problem is not to create a static site, but the problem is to
> >>>>update and maintain it. Lazarus used to have simple DB-generated
> >>>>pages, but it missed some functionality which Postnuke offered.
> >>>>We had 2 choices: spend time to develop yet another system (and don't
> >>>>spend the time on Lazarus), or use something that is already there.
> >>>
> >>>
> >>>Why not use Drupal? It's much better than PostNuke, and it's an existing
> >>>content manager, with many more things to offer than PostNuke, which has
> >>>more holes than Swiss cheese?
> >>
> >>Who guarantees that?
> > 
> > Who guarantees me that Lazarus is bug free? That's why we have mailing
> > lists and bug tracking systems.
> > 
> > 
> >>If I look at the drupal site, it was in its early development when we
> >>switched to postnuke (and maybe postnuke was as well).
> >>So IMO it is yet another system, but does it mean that we need to change
> >>whenever something else, maybe better looking, maybe more secure, is
> >>released?
> >>It takes a lot of time to migrate a site from one system to another. If
> >>all was so easy, then all would have been done.
> > 
> > 
> > Well if it's more secure then the answer is yes! To say that because it's
> > hard to move from one type of content manager to another, and therefore you
> > keep on suffering from defacement, and the attackers may even have found
> > access to the svn
> 
> Which svn, where is the svn at the lazarus site ?
> 
> > with write privileges, making fixing almost impossible, and therefore the
> > move to a new content manager is much better than staying with the current
> > one and trying to find out what was changed and fixing that, IMHO.
> > 
> > We (at www.securiteam.com) stopped reporting about issues with PostNuke and
> > phpBB because there are more holes than code... BTW the phpBB creators claim
> > that in order to make better code, they must rewrite everything from
> > scratch, without supporting older versions. I don't know if that is the case
> > for PostNuke (if they are willing to rewrite it and how it will react with
> > older versions).
> > 
> > BTW Drupal comes with skins, so you can select something that is not
> > looking very good, if that's what's bothering you :P
> > 
> > Don't keep your head in the dirt and hope for the best... try to make it 
> > better.
> 
> 
> It all requires time, time and yet more time, which isn't there.
> 
> Why, use drupal? It may be good, but before you switch you want to know
> if there isn't anything better. This research costs *time*.
> Then if something better is found, all the content has to be
> migrated; this costs *time* to find out how, to test it, etc.
> Everybody can say what to do in these cases, we take it as advice, but in
> the end there is only one who does the job (and that's not me).

I will not argue with you. But everything is about time. Fixing over and over 
again a web site that was attacked is usually harder. 
First of all you do not know when the attacker actually gained access. You 
only know when the attacker chooses to show you that he/she has access to the 
site/server.

Drupal is not the only choice, but the last time I did the research (for 
myself BTW), it was the best choice out there for a dynamic content manager.

There is also the possibility of using a static approach, that is, using the 
PostNuke database and rendering static HTML pages. But that takes time to do as 
well.

So as you can see, at the end everything is about time. So what do you decide? 
Do you want to spend it every time on the same problems, or do you want to 
spend it to solve the problems once and for all? None of us has time, but 
we all try to make some, in order to contribute to projects we think we can 
help. (BTW the company I'm working at offered twice the services for helping 
solve the problems of Lazarus for free, but the decision was made not to 
accept it.)

That's all I'm going to say on this matter.

> 
> 
> Marc
> 

Ido
-- 
"We are painted. Fear us."
    Grimly The Invisible
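Two points from the thread above go together: a packet filter that allows TCP/80 cannot tell a PostNuke page from a PHP backdoor served by the same httpd, and you do not learn when the attacker got in, only when he chooses to show you. What a practitioner can do about both is keep a hash manifest of the webroot taken when the site was known-good and diff the live tree against it; that is how you "find out what was changed" instead of guessing. The script below is an added example written for this editorial pass, not code from the Lazarus project or from anyone in the thread. The webroot layout, file contents and the simulated defacement are constructed for the demo, and the manifest format is my own; a real deployment keeps the baseline off the web server (an attacker with write access to the webroot can otherwise rewrite it too), and hashes rather than mtimes are used because mtimes are trivially reset.

```python
"""Webroot integrity baseline: find what an attacker added, changed or removed.

Added example (not Lazarus or PostNuke code). Paths, contents and the
simulated compromise below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each list sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return added, modified, removed


def demo():
    """Constructed webroot: take a baseline, simulate a defacement, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "modules").mkdir()
        (root / "index.php").write_text("<?php include 'header.php'; ?>\n")
        (root / "modules" / "news.php").write_text("<?php // news module ?>\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        baseline = build_manifest(root)

        # Simulated compromise (constructed): defaced front page, a dropped
        # PHP backdoor reachable over the same port 80 the firewall permits,
        # and one file deleted. Nothing a packet filter would notice.
        (root / "index.php").write_text("<h1>defaced</h1>\n")
        (root / "modules" / "sh.php").write_text(
            "<?php system($_GET['c']); ?>\n")
        (root / "robots.txt").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Run the manifest builder from cron against the read-only baseline copy and alert on any non-empty diff; every entry in "added" under a directory that should only hold code (modules/, includes/) deserves a look, since a CMS with a working file-upload hole drops new .php files exactly there.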

_________________________________________________________________
     To unsubscribe: mail [EMAIL PROTECTED] with
                "unsubscribe" as the Subject
   archives at http://www.lazarus.freepascal.org/mailarchives
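The "static approach" Ido mentions (keep the PostNuke database, render static HTML from it, serve no PHP to the public) is worth seeing in code, because the attack surface it removes is the whole interpreter. The script below is an added example for this editorial pass, not PostNuke's or Lazarus' code. It uses an in-memory sqlite database as a stand-in for PostNuke's MySQL one, and the table and column names (stories: sid, title, hometext, time), the page layout and the sample rows are all assumed or constructed; the real schema has to be checked before pointing this at a live database. Two deliberate choices: output file names are derived from the integer id only, so a crafted title cannot pick the output path, and every field is HTML-escaped on the way out, because anything an attacker already stored in the database (stored XSS from an earlier defacement) would otherwise be copied verbatim into the static site. Real story bodies contain HTML markup, so in practice you would swap the full escape for an allow-list sanitizer; escaping is the safe default to start from.

```python
"""Render a CMS database to static HTML pages.

Added example, not PostNuke or Lazarus code. Schema, layout and sample rows
are assumed/constructed for the demonstration.
"""
import html
import sqlite3
import tempfile
from pathlib import Path

PAGE = """<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>{title}</title></head>
<body>
<h1>{title}</h1>
<p class="date">{time}</p>
<div class="body">{body}</div>
<p><a href="index.html">Back to index</a></p>
</body></html>
"""

INDEX = """<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>News</title></head>
<body>
<h1>News</h1>
<ul>
{items}
</ul>
</body></html>
"""


def fetch_stories(conn):
    """Assumed schema: stories(sid, title, hometext, time); newest first."""
    cur = conn.execute(
        "SELECT sid, title, hometext, time FROM stories ORDER BY time DESC")
    return [dict(sid=r[0], title=r[1], body=r[2], time=r[3]) for r in cur]


def render_site(stories, outdir):
    """Write one escaped page per story plus an index; return written names."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written, items = [], []
    for s in stories:
        # File name comes from the integer id only, never from user-supplied
        # text, so a crafted title cannot choose where the file is written.
        name = f"story-{int(s['sid'])}.html"
        page = PAGE.format(title=html.escape(s["title"]),
                           time=html.escape(str(s["time"])),
                           body=html.escape(s["body"]))
        (outdir / name).write_text(page, encoding="utf-8")
        written.append(name)
        items.append(f'<li><a href="{name}">{html.escape(s["title"])}</a></li>')
    (outdir / "index.html").write_text(INDEX.format(items="\n".join(items)),
                                       encoding="utf-8")
    written.append("index.html")
    return written


def demo():
    """Constructed in-memory DB; the second row carries stored XSS payloads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stories "
                 "(sid INTEGER, title TEXT, hometext TEXT, time TEXT)")
    conn.executemany("INSERT INTO stories VALUES (?, ?, ?, ?)", [
        (1, "First constructed news item", "Plain body text.", "2005-10-01"),
        (2, "<script>alert(1)</script>",
         "<img src=x onerror=alert(1)>", "2005-10-20"),
    ])
    with tempfile.TemporaryDirectory() as tmp:
        written = render_site(fetch_stories(conn), tmp)
        page2 = (Path(tmp) / "story-2.html").read_text(encoding="utf-8")
    return written, page2


if __name__ == "__main__":
    names, sample = demo()
    print(names)
    print(sample)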

Reply via email to