Secure Deployment
What does deployment mean?
Moving to production/staging:
- code
- databases
- images
How is deployment done?
Security risks?
Clear-text usernames, passwords and file transfers!
FTP Clients
FileZilla - don't share your PC with anyone: saved server details and credentials live in
- filezilla.xml
- recentservers.xml
- sitemanager.xml
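To make the point concrete, here is an added audit script (not part of the deck) that reads a FileZilla `sitemanager.xml` and reports which saved sites keep a password on disk or talk plain FTP, without ever decoding a password. The sample XML is constructed; the `Protocol` and `Logontype` code tables and the per-platform config paths are this example's assumptions about FileZilla's format, not something the deck states.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a FileZilla 3 sitemanager.xml (not a real user's file).
# Assumption: a saved password sits in <Pass>, base64-encoded but not encrypted
# unless a master password is set, so anything that can read the file can use it.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.60.1" platform="*nix">
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host><Port>21</Port><Protocol>0</Protocol>
      <User>deploy</User><Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype><Name>Prod (plain FTP)</Name>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Logontype>5</Logontype><Name>Prod (SFTP, key auth)</Name>
    </Server>
    <Server>
      <Host>ftp.example.invalid</Host><Port>21</Port><Protocol>0</Protocol>
      <User>anonymous</User><Logontype>0</Logontype><Name>Mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Code tables as this example assumes FileZilla uses them (assumption, not from the deck).
PROTOCOL_NAMES = {"0": "FTP", "1": "SFTP", "3": "FTPS (implicit)", "4": "FTPES (explicit)"}
CLEARTEXT_PROTOCOLS = {"0"}  # plain FTP: USER/PASS cross the wire unencrypted
LOGONTYPE_NAMES = {"0": "anonymous", "1": "normal", "2": "ask", "3": "interactive",
                   "4": "account", "5": "key file"}


def audit_sitemanager(xml_text):
    """One finding per <Server> entry; passwords are detected, never decoded."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        protocol = server.findtext("Protocol", default="0")
        pass_el = server.find("Pass")
        findings.append({
            "name": server.findtext("Name", default="?"),
            "host": server.findtext("Host", default="?"),
            "user": server.findtext("User", default=""),
            "protocol": PROTOCOL_NAMES.get(protocol, f"code {protocol}"),
            "logontype": LOGONTYPE_NAMES.get(server.findtext("Logontype", default=""), "unknown"),
            "stored_password": pass_el is not None and bool((pass_el.text or "").strip()),
            "cleartext_transport": protocol in CLEARTEXT_PROTOCOLS,
        })
    return findings


def risky_entries(findings):
    """Entries that malware or another user on a shared PC could turn into a working login."""
    return [f for f in findings if f["stored_password"] or f["cleartext_transport"]]


def candidate_config_files():
    """Where FileZilla keeps its XML files on common platforms (assumed locations)."""
    bases = [Path.home() / ".config" / "filezilla"]
    if os.environ.get("APPDATA"):  # Windows
        bases.append(Path(os.environ["APPDATA"]) / "FileZilla")
    return [b / n for b in bases for n in ("sitemanager.xml", "recentservers.xml", "filezilla.xml")]


def report(findings):
    for f in findings:
        flags = []
        if f["stored_password"]:
            flags.append("password stored on disk")
        if f["cleartext_transport"]:
            flags.append("credentials sent in clear")
        status = "; ".join(flags) if flags else "ok"
        print(f'{f["name"]:<24} {f["user"]}@{f["host"]} [{f["protocol"]}, {f["logontype"]}]: {status}')


if __name__ == "__main__":
    report(audit_sitemanager(SAMPLE_SITEMANAGER))
    for path in candidate_config_files():
        if path.exists():
            print("real FileZilla config present, worth auditing:", path)
```

Run it on a real `sitemanager.xml` by passing the file's text to `audit_sitemanager`; entries flagged "password stored on disk" are the ones to move to SFTP with key-file logon, or at least to protect with a master password.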
Malware
- Harvests information from user machines
- Injects malware into websites
Affects:
- FileZilla
- SmartFTP
- FTP Navigator
- Total Commander
- Core FTP
- and more...
Sniffers
FakeAV - Trojan variant of Troj/FakeAV-AAL
- Installs itself
- Downloads and installs a packet sniffer (Troj/sniffer-R)
- Listens on port 21
- Sends the credentials to a remote server
Anonymous FTP Servers
ftp ftp.FreeBSD.org
- username: anonymous
- password:
Secure Deployment Solutions
FTPS
FTP over SSL (port 990)
- FTPS - Implicit SSL
- FTPS - Explicit SSL
SFTP
- New protocol
- Utilizes SSH
- NOT related to FTP
- Port 22
Rsync
Not safe: data not encrypted
rsync -zvr test.txt $HOME/Desktop
Rsync over SSH
Safe: data encrypted
rsync -vzr -e ssh user@xxx.xxx.xxx.xxx:$HOME/test.txt $HOME/Desktop
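The deck's one-liner is the whole idea; an added deployment wrapper (not from the deck) shows what a practitioner typically builds around `rsync -e ssh`: refusing the unencrypted rsync daemon transport, pinning the SSH host key, excluding files that must never ship, and defaulting to a dry run because `--delete` against the wrong path is destructive. The remote target `deploy@web.example:/var/www/site`, the exclude list and the `DEPLOY_REALLY` switch are this example's assumptions.

```sh
#!/bin/sh
# Added example: rsync over SSH as a deployment step (assumes SSH key auth is
# already set up and the server's host key is in known_hosts).

# Files that must not be copied to the web root (assumed list; extend as needed).
EXCLUDES=".git .env *.pem node_modules"

# check_dest DEST: accept only user@host:/path (rsync then runs over SSH).
check_dest() {
    case "$1" in
        rsync://*|*::*)
            echo "refusing rsync daemon transport (unencrypted): $1" >&2
            return 1 ;;
        *@*:*)
            return 0 ;;
        *)
            echo "destination must look like user@host:/path, got: $1" >&2
            return 1 ;;
    esac
}

# rsync_opts: print the option list, one per line, so it can be reused/inspected.
rsync_opts() {
    printf '%s\n' -az --delete --chmod=D755,F644 \
        -e "ssh -o StrictHostKeyChecking=yes -o BatchMode=yes"
    # set -f in a subshell so *.pem is passed to rsync literally, not globbed locally
    ( set -f; for pattern in $EXCLUDES; do printf -- '--exclude=%s\n' "$pattern"; done )
}

# deploy SRC_DIR DEST: dry run unless DEPLOY_REALLY=1 is set in the environment.
deploy() {
    src=$1
    dest=$2
    check_dest "$dest" || return 1
    [ -d "$src" ] || { echo "source directory not found: $src" >&2; return 1; }
    # Load the options into the positional parameters (POSIX sh has no arrays).
    set --
    while IFS= read -r opt; do set -- "$@" "$opt"; done <<EOF
$(rsync_opts)
EOF
    [ "${DEPLOY_REALLY:-0}" = 1 ] || set -- -n "$@"
    # Trailing slash on the source copies its contents, not the directory itself.
    rsync "$@" "${src%/}/" "$dest"
}

# Usage: DEPLOY_REALLY=1 ./deploy.sh ./build deploy@web.example:/var/www/site
[ -n "${DEPLOY_MAIN:-}" ] && deploy "$1" "$2"
```

Run it once without `DEPLOY_REALLY=1` and read the dry-run output before letting `--delete` touch the target; `BatchMode=yes` makes SSH fail fast instead of prompting, which is what you want from a script in a pipeline.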
Best Practices
Use SSL/TLS with a strong cipher
Configure the server right
Least Privilege
Correct Access Control
Remove unwanted files
Thank You
securedeployment
By rejah