Websites and security, big guys always being attacked!

Alexis Wilke's picture
Hackers are most often refered as Black Hats programmers.
A Black Hat—coming from black magic—is often used as a
reference to programmers hacking systems for no good.1.

Last Thursday, SourceForge.net was attacked again2.

You would think that they would be safe from such attacks since SourceForge.net offers a free service for users to offer their free (open source) software online. Yes! That's where you download many of the free tools you are using everyday. For instance, if you have an archaic type of a website, you probably need to FTP3 your data to your account. On Microsoft Windows,Mac OS/X, and Linux, this can be done with FileZilla. Although they have their own website, the download comes from SourceForge.net4.

Security is one of the area where our base CMS system is very strong at and we also ensure that our own Snap! code is secure. This starts with your password, but it includes very much more than just that. This being said, we are not looking for hackers to visit us. Well... it's not like that doesn't happen, but so far so good.

For each service offered on your server, you want to have at least one, most certainly several levels of protection. First, any server on the Internet must have a firewall to survive. Our server blocks several thousand connections a day using just the firewall. Also you can have tools that dynamically add IP addresses you do not want to server to your firewall. This saves you a lot of processing time and a lot of bandwidth too! Actually, large companies use several layers and at times even several different levels of protection depending on the department (i.e. Finance's got to be much more secure than the sales guy computer than the clerk's computer.)

To give you an idea, on our servers we stop about 2,500 low level hits with our firewall. That's about 75,000 a month or 1 million a year.

For websites, the second protection is a website firewall, often referenced as a smart firewall. This one knows of the website protocol called HTTP and it checks the requests before forwarding them to your actual website for processing. This is generally not useful if you don't have a dynamic website (i.e. if all your files and HTML files, then it is not necessary.) This type of system blocks attacks on your website by detecting when a hacker tries to access a file that you know does not exist or a public user does not have access to it. This system can also send that IP address of the hacker to your firewall!

On this one, we block some 1,300 hits a day. That's about 39,000 hits a month or half a million a year. We have less in part because the firewall trims many hits in the first place.

Similar processes are available for emails, domain names, VPN, and any other service you might think of.

So... How do we know that your Snap! Website is secure?

Well, first of all we run all of those protection systems on our server. But not only that, we also have backups. Since we can never be 100% certain that nothing will happen, we keep a full copy of all your data in a safe place. If something does happen and we have to reinstall everything, we'll have your site back online as it was within 1 day of the attack.

This is how important your Snap! Website is to us.

  • 1. This hat comes from a picture of Coolidge who helped the Smoki in 1924.
  • 2. Yeah... Unfortunately, that's not the first time, and it will go on and on and on, and not just for SourceForge.net. See how you can start by protecting your account using a strong password.
  • 3. The FTP protocol is notoriously insecure, but a very large number of people are still using it (if you can, at least try to use the SFTP so the data is encrypted, including your log in and password.)
  • 4. Note that if you were plaining to create a free software, that's a good place for the download because they have access to very large pipes (many T3) and thus thousands of your users could be downloading your data simultaneously.