Secure Deployment

What Deployment means?


Moving to production/staging
  • code
  • databases
  • images

How Deployment ?




Security Risks ?


Clear Text Usernames, Passwords, File Transfers !

FTP Clients

FileZilla - Don't share PC with anyone

  • filezilla.xml 
  • recentservers.xml
  • sitemanager.xml 


Malwares


  • Harvests information from user machines
  • Injects malware to the websites


Affects

  • Filezilla
  • SmartFTP
  • FTP Navigator
  • Total Commander
  • Core FTP
  • and more...


Sniffers



FakeAV - Trojan variant of Troj/FakeAV-AAL

  • Installs itself
  • Downloads and install packet sniffer  ( Troj/sniffer-R)
  • Listens to port 21
  • Sends the credentials to remote server

Anonymous FTP Servers



ftp ftp.FreeBSD.org

  • username: anonymous
  • password:


Secure Deployment Solutions



FTPS  

FTP over SSL ( port 990 )

  • FTPS - Implicit SSL
  • FTPS - Explicit SSL

SFTP


New protocol
Utilizes SSH
NOT Related with FTP
Port 22



Rsync


Not safe
Data not encrypted

rzync -zvr test.txt $HOME/Desktop


Rysnc  over SSH

Safe
Data Encrypted

rsync -vzr -e ssh user@xxx.xxx.xxx.xxx:$HOME/test.txt $HOME/Desktop

Best Practices


Use SSL/TLS with a strong cipher

Configure the server right 

Least Privilege

Correct Access Control

Remove unwanted files










Thank You

securedeployment

By rejah

securedeployment

  • 2,510