Web Security

krisblouch

So we clearly got spammed in the past day or two; lots of the usual automation posts (hackers have programs that crawl webpages trying to create things like this)...

This makes me worried about our web security. Personal information is stored on our site. I hope credit card info is not (should not be: what company handles our credit card info?).

Anyway, might be time to have a chaos "nerd" meetup and figure out some website stuff. I'm an online security professional, so this falls right in my wheelhouse, but we'll need someone who knows our code to help me out.

Need some input. Board members, please PM me more information about who we think can help with this and any spec you have (where is this site hosted, how do we handle CC data, who is still active in the club who knows our layout, etc., and also why we don't have captcha enabled...).

Anyone who reads this: do not put anything about our site config in this chain. Anyone can read it. Please PM me or create a private chain that's not publicly accessible.

Thanks guys, I'll do what I can if I can get the input I need.

lucas

I saw this and figured that I would brain dump out what we've been doing.  First, it's awesome that you'd like to get involved!  With my move to Texas it's just been Conrad keeping the digital lights on and I know he would love help!

From the content monitoring perspective, we have three things that we had configured to fight the bots. First, the site is configured with the Mollom content monitoring solution. This combines server-side scoring of messages, source address checking, headers, etc. with a SaaS solution to filter form POSTs. Captchas on the site are configured through Mollom, so you most likely aren't seeing them as you haven't tripped the content network. Second, we've also configured the built-in Drupal spam monitoring, although in general I haven't been very impressed with it. Finally, there is a cron job running regularly that modifies iptables rules for source addresses that are generating large volumes of requests. Additionally, although they aren't specifically for spam control, the site also runs through both CloudFlare and mod_security, which doesn't hurt.

Sadly, every so often the spammers manage to trip up Mollom, and there is a short period of time where we get spammed. Given the other layers of defense that we have, it doesn't happen very often, but it does happen from time to time.

Additionally, no credit card information is stored on any of our servers, all recurring payments are handled through either PayPal or Stripe through their APIs.  When we moved to this site, that was a critical point for us given our backgrounds (I'm also a Security guy) that we didn't want to have to worry about it. 

On the last couple of questions I think you had: the site is written using Drupal, servers are at Linode, using Apache, Varnish, and Pound. If you want specifics on any of the code, modules, server configs, etc., I agree that a public forum is not the place. At this point I believe StevenLane and ConradFuhram are still thinking of doing another redesign, but as I'm no longer in Chicago I'm not 100% sure on the status, so you might want to ping the two of them to make sure we aren't duplicating any effort.

Otherwise I think it's great that you'd like to get involved, as we always need people to help. Please don't hesitate to PM myself, Conrad, Steven, or el presidente Mark with any thoughts, and thanks for getting involved!

Oh... my... god.  Why haven't we done this?    http://thechive.com/2013/09/17/guys-rig-up-buddies-plumbing-with-beer-wh...
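The post above describes one of the site's layers as a cron job that adds iptables rules for source addresses generating large volumes of requests. The following is an added example of that kind of job, not the club's actual script: it parses Apache combined-format log lines, flags any address that made at least THRESHOLD requests inside a sliding WINDOW, skips allowlisted networks (loopback and RFC 1918, since a local Pound or Varnish proxy would otherwise appear as the busiest "client"), and emits idempotent iptables commands for a dedicated chain rather than running them itself. The log lines, the threshold, the window, the chain name SPAMBLOCK and the allowlist are all constructed or assumed for the example.

```python
"""Threshold-based source-address blocking from an Apache access log.

Added example (not the club's cron job). Parses combined-format log lines,
finds source addresses with >= THRESHOLD requests inside any sliding WINDOW,
skips allowlisted networks, and emits idempotent iptables commands.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"          # e.g. 17/Sep/2013:10:00:01 -0500
WINDOW = timedelta(minutes=5)            # assumed policy values; tune per site
THRESHOLD = 10
CHAIN = "SPAMBLOCK"                      # assumed name for a dedicated chain
# Never block loopback or RFC 1918: local reverse proxies show up here.
ALLOWLIST = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def is_allowlisted(ip):
    """True for allowlisted networks and for anything that is not a valid address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                      # never hand a malformed token to iptables
    return any(addr in net for net in ALLOWLIST)


def find_offenders(lines, window=WINDOW, threshold=THRESHOLD):
    """Map offending source IP -> peak request count observed within `window`."""
    by_ip = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # skip garbage rather than abort the run
        ip, ts, _req, _status = parsed
        by_ip.setdefault(ip, []).append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        if is_allowlisted(ip):
            continue
        peak = peak_in_window(stamps, window)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def iptables_commands(offenders, chain=CHAIN):
    """Idempotent rule set: create and hook the chain once, add each DROP only if absent."""
    cmds = [
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}",
    ]
    for ip in sorted(offenders):
        cmds.append(f"iptables -C {chain} -s {ip} -j DROP 2>/dev/null "
                    f"|| iptables -A {chain} -s {ip} -j DROP")
    return cmds


# --- constructed sample log (not real traffic) --------------------------------
T0 = datetime(2013, 9, 17, 10, 0, 0, tzinfo=timezone(timedelta(hours=-5)))


def _burst(ip, start, n, step, req="POST /node/add/forum HTTP/1.1", status=200):
    """Build n constructed log lines for one client, `step` apart."""
    return [f'{ip} - - [{(start + i * step).strftime(TS_FMT)}] "{req}" {status} 512 "-" "Mozilla/5.0"'
            for i in range(n)]


SAMPLE_LOG = (
    _burst("203.0.113.7", T0, 12, timedelta(seconds=9))                          # form-spamming bot
    + _burst("10.0.0.5", T0, 12, timedelta(seconds=9), "GET / HTTP/1.1")         # local proxy: allowlisted
    + _burst("198.51.100.20", T0, 3, timedelta(seconds=40), "GET /forum HTTP/1.1")
    + _burst("192.0.2.9", T0, 4, timedelta(minutes=10), "GET /node/12 HTTP/1.1")  # slow, never peaks
    + ["garbage line that does not match the log format"]
)

if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip, n in found.items():
        print(f"{ip}: {n} requests within {WINDOW}")
    print("\n".join(iptables_commands(found)))
```

One caveat that matters for a stack like the one described above (CloudFlare in front, Varnish and Pound on the host): the address in Apache's log is whatever connected to Apache, which may be a local proxy or a CloudFlare edge rather than the spammer, unless the real client address is restored from X-Forwarded-For or CF-Connecting-IP. Packet filtering on the origin only ever sees CloudFlare's edge addresses, so a DROP rule derived from the wrong field blocks the site's own front door. Block at the layer that actually sees the client, and expire rules after a while so a shared NAT address is not banned forever.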

johngammal

Thanks for getting involved, Kris. And thanks to Lucas for continuing to be an awesome member, from so far away. Sounds like you have your answers. I am not knowledgeable in this field, but please let me know if you need anything else in support of this.

charlesjohney3

check our website: Idiot Video  Are you apprehensive a trade in World Wide Web security? If that's what you produce, recognize AS MUCH as you can. SQL and JavaScript are helpful, notwithstanding also act detailed design of OSes, C (or C++ C# etc) and assembled perspective helpful. Don't avoid the various internet scripting humanistic discipline and such love PHP, ASP, comesNET, etc. Keep qualified date. Whenever several great nifty technol com mistaken, dig into the past it.

Rich

Oh, the irony...

Canuck

DOH!

The emperor is not as forgiving as I am.

Jim Vondracek

This made my day!

roussel

LMFAO

jaygowdy

I could probably also lend a hand. I'm a Linux system administrator for a domain registrar and web hosting company, and I've worked with PHP and HTML quite a bit assisting customers. Granted, most of them use WordPress and not Drupal, but I feel like I could help if we needed any custom coding or anything of that nature.

Rich

Good looking out BB

brockboland

Aw jeez.

Jay, you should get in touch with Conrad. I don't think we even need any coding, necessarily: we just need to update the Drupal modules we use, and potentially employ a different captcha technique. We should probably also update Drupal itself, but that will require updates to the custom modules Lucas wrote for things like brewhouse reservations.