5

I don't know much about network engineering since I just started becoming a programmer. The situation is, that my company has a web-interface hosted on one of our servers that is connected to the internet. Employees of the company log into the web-interface with their password and fill out a form/upload data. Now i want this data to be put into a folder on another server that's used to store customer data. This second server is not connected to the internet.

If we allow the first server to write into the second one, is there a way to ensure it is only done by users in the web-interface and not by someone hacking into the server? Are there other security concerns we have to think about and what can be done about them?

Dyon
  • 151
  • 2
  • How is the second server connected to the first, if not via the internet? – S.L. Barth is on codidact.com Jan 23 '15 at 12:09
  • @S.L.Barth It can be on its own private network behind the out-facing web server. Dyon, normally VPNs are used for companies to communicate with internal servers. They ensure secure communications and some type of authentication for users. It depends on the size of your company, the needs, and the hardware you're running to pick a VPN client/server. – RoraΖ Jan 23 '15 at 12:17

2 Answers2

5

When a hacker takes over the public server, you have to assume the worst case that they can do everything the public server is allowed to do. That means in case of a compromise, any security precautions implemented on the public server are inefficient. You can only rely on those precautions you have on the private server.

  1. Make sure that the public server only has permission on the private server to store files in that one folder. You certainly don't want it to put some files into system folders.
  2. Set file permissions on the private server so that no user is allowed to execute the uploaded files (but keep in mind that simply opening a malicious document might exploit a vulnerability in the reader software which might allow code execution).
  3. Storing the files from the frontend should be the only purpose of that folder. There should be no other data in there which might get overwritten.
  4. Setting a quota for the maximum size of that folder can also be a reasonable protection against an intentional or unintentional denial-of-service attack through filling the whole storage space of the server with garbage.
  5. Having a virus scanner on the private server to scan the incomming files can't hurt. But don't trust it too much. Remember that a malware scanner can only find what it knows.
  6. A sensible precaution can be to only allow files with specific extensions to be uploaded. But keep in mind that the file extension is not a reliable method to check for a type of file. Finding out that hello.jpg is actually a renamed executable is non-trivial. However, it prevents accidental execution due to double-clicking in most cases.

Another possible way of doing this is to use a pull-method. Don't have the public server push its files to the private one. Have the private server check for new files on the public server at regular intervals and pull them. This gives you greater control over what files to pull. You can, for example, only pull files with filenames matching a specific pattern.

Philipp
  • 49,384
  • 8
  • 129
  • 160
3

This is more of a Server fault question but I'll try to answer it anyway.

The best way is to protect against this is by NOT allowing the server to write directly to the other (hidden) server.

this can be done through several means like:

  • A Proxy (the public faced server proxies the file saving to the private server)
  • A Polling system (the private server checks regularly if there are 'new' files. and if so copies them from the public server)
  • A Pulling system (the public server notifies the private server it has a new file through some other means [a web-service for example] and than the private server copies the file from the public server)

All of these need some other method to protect the private server from misuse, but it does limit "arbitrary" use by a hacker of your servers.

LvB
  • 8,943
  • 1
  • 30
  • 47
  • Why should this be on serverfault instead of security.SE? – Pacerier Mar 28 '15 at 17:17
  • because this is not really security related but server operation / configuration. – LvB Mar 30 '15 at 09:18
  • and the configuration has everything to do with security. – Pacerier Apr 06 '15 at 14:39
  • from help

    IT Security Stack Exchange is for Information Security professionals to discuss protecting assets from threats and vulnerabilities. such as

    web app hardening network security social engineering, including phishing risk management policies penetration testing security tools using cryptography incident response physically securing the office, datacentre, information assets etc. Questions on setting up your PC may be more appropriate over at superuser.com TL;DR. Configuration issues are often not for here bot for SE.

     – LvB Apr 07 '15 at 23:45
  • unrelated to security is off-topic here, but configuration issues regarding security are definitely on-topic here. That link is saying that config issues – Pacerier Apr 11 '15 at 17:09
  • We answered your question because it's grey enough to answer here. I still believe its would be better to ask it on SE mainly because there are more people there that do server config opposed to security experts.

    and, as soon as your done with the security bit (not allowing outside access ) it quickly becomes "how to make this work". and that last part is definitely better for SE ;)

     – LvB Apr 12 '15 at 18:50
  • Which question are you referring to? – Pacerier Apr 13 '15 at 12:23
  • 1
    the main one... wich is not yours... wich makes this rather silly now... wich means, I need to get more BEER... ;) later. – LvB Apr 13 '15 at 14:44