Youn Elan, code weaver at large
Youness El Andaloussi
 Senior CSM/CSPO Software Developer
At a glance

LAMP Developer

  • Linux
  • Apache
  • PHP / Python

Python Development

  • SQLAlchemy, pymongo
  • Django, Flask, Bottle
  • paramiko, urllib, multiprocessing
  • nosetests, pylint, PEP 8

Agile/Scrum

  • Certified Scrum Master
  • Certified Product Owner
  • Experience as Scrum Developer

    Software Development

    • SDLC
    • Waterfall cycle
    • Stakeholder management
    • Requirements, Design documents

    Team Development

    • GIT, Subversion
    • Vagrant, Fabric
    • Jenkins
    • Jira, Liquidplanner, Bugzilla

    Scaling

    • Query optimization
    • Distributed systems
    • Socket programming

    Custom Linux Distributions

    • Writing installers
    • Anaconda Customization
    • ISO customization

    Cloud & Virtualization

    • AWS
    • Azure
    • ESXI
    • KVM

    PHP Development

    • Object Oriented
    • MVC with CodeIgniter
    • DB with MySQLi
    • E-Commerce

    Web Pages

    NoSQL

    • MongoDB
    • Cassandra
    • Map/Reduce

    Network Monitoring

    • EM7
    • Nagios
    • SNMP
    • Custom development

    CMS

    • Drupal
    • WordPress
    • Custom Made CMS

    ColdFusion to PHP

    • MS SQL to MySQL
    • ColdFusion to WordPress
    • ColdFusion to pure PHP

    MySQL Databases

    • Database Administration
    • Query Writing and optimization
    • Replication, Galera
    • Procedures, Joins, Views, Triggers

    Linux Admin

    • Install & Configuration
    • Shell Scripts
    • Cron Jobs
    • Command Line interface

    Apache Admin

    • Server Configuration
    • .htaccess rules
    • SSL Certificates & DNI
    • Problem troubleshooting

    Platforms

    • Red Hat/CentOS
    • Debian/Ubuntu
    • Windows
    • macOS

    Security is not optional on public-facing sites

    Today I saw an interesting statistic on Slashdot: over 200,000 database servers reachable with no authentication, exposing over a petabyte of data. Earlier this year there was a post about how many people accidentally push their AWS keys to GitHub without realizing they have just handed them to automated scanners that harvest leaked keys and run up charges on the owner's account.

    More and more people put servers online without any security and publish passwords and keys. A large share of compromises are the result of careless mistakes or of skipping security altogether.

    Some would argue that the data on a given server is less confidential than on others, or that a cloud server that will only be up for a short time is not much of a concern. But as technology evolves, the financial incentives for breaking into systems keep growing, and one should expect more intrusions and more sophisticated attacks.

    Further, security is only as strong as the weakest link in the chain, and a compromise of a server that seems unimportant can end up costing far more than expected. For example, I have seen servers that were never meant to be online end up exposing an entire otherwise-secured network: once an attacker has a foothold on one internal host, it becomes a pivot to reach systems that were never exposed directly. Temporary solutions often last much longer than initially planned, and because security was skipped on the grounds that the solution would not last, the whole network ends up wide open.

    Obviously, there is no guarantee that a zero-day exploit will not expose even a well-secured network to attack, but with no security at all the situation is far worse and the consequences are potentially catastrophic.

    Many guides to securing servers exist, and this is not meant as an in-depth security manual. As a matter of fact, the advice below should be common sense and already in place, but I have seen these basic rules ignored too many times, so here are the things you should already be doing:

    • Keep your server up to date, and that includes both OS updates and application updates. This should be obvious, but far too often I have seen servers that had not been updated for over a year for no good reason whatsoever.
    • Make sure authentication is turned on wherever it needs to be: database servers, SMTP servers, no default users, and each user restricted to only the permissions it needs. For example, if you have a WordPress website there is no reason for it to use the root MySQL credentials; give it its own user with rights on its own database only. A MongoDB admin account reachable from anywhere without a password is obviously a big no-no as well. Binding database listeners to localhost or a private interface rather than to every address closes that hole even if someone forgets to enable authentication.
    • If a service is not necessary, do not have it on by default. The fewer services you expose, the smaller the network footprint and the less likely one of them is vulnerable, whether through misconfiguration or a zero-day. Check what is actually listening (ss -tlnp or netstat -tlnp) instead of assuming.
    • Make sure API keys, credentials and other sensitive information are not publicly available on sites like GitHub. Keep them out of the repository altogether (environment variables, or a config file listed in .gitignore), and remember that a key committed once stays in the git history after the file is deleted: it has to be revoked and replaced, not just removed. With search engines and scanners crawling the web daily, putting credentials in any directory that can be indexed is asking for trouble as well.
    • Have a backup of your data and do not hesitate to take the server offline or reinstall it if necessary. If a server is compromised, simply changing the password and putting it back online is not going to cut it, since you cannot know what else the attacker left behind.
    • Have sensible firewall rules. Multiple times I have seen firewalls disabled during development and never turned back on. Deny inbound by default, open only the ports the server actually serves, and limit administrative ports such as SSH and the database port to known source addresses.
    • In any application, trust no input. This avoids the most common attack vectors: SQL injection, cross-site scripting (XSS), buffer overflows and abuse through invalid input. Validate input in the backend as well as the frontend, keeping in mind that only the server-side checks are a security control, because anything that runs in the browser can be bypassed. For database access, use parameterized queries rather than relying on validation alone.
    • If you are using Linux, SELinux is your friend. Too many times I have seen SELinux disabled just to save a little configuration time. It helps contain the damage even if an attacker gets in; when a policy blocks something, debug it in permissive mode with the audit log rather than turning enforcement off for good.
    • Change passwords regularly, and make sure they cannot be easily guessed. With brute-force tools freely available, many attacks start with a weak password. For SSH, prefer key-based authentication and disable password logins entirely.
    • Have sensible monitoring of both your services and your logs. With a single server you could get by with auditing things by hand, but with multiple servers you will need either a log ingestion engine or some way to automatically parse and filter the relevant events, such as repeated failed logins from the same address.
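    For the point about credentials ending up in repositories, here is an added example (not code from this site): a small scanner that runs over the lines a commit would add and flags the usual shapes of leaked secrets, suitable as a pre-commit hook. The file name check_secrets.py in the usage comment is hypothetical, the sample config and diff are constructed, and the key values are the example credentials published in the AWS documentation, not live keys.

```python
import re
import sys

# Patterns for credentials that commonly end up in repositories.
# The AWS access key ID shape (AKIA/ASIA followed by 16 upper-case alphanumerics)
# is the documented format; the other rules are heuristics and will not catch everything.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*['\"][^'\"]{6,}['\"]"
    ),
}


def scan_lines(lines):
    """Return [(line_number, rule_name)] for every line that matches a pattern."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((number, rule))
    return findings


def added_lines(diff_text):
    """Extract the lines a unified diff would add ('+' lines, excluding the '+++' file header)."""
    return [
        line[1:]
        for line in diff_text.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    ]


# Constructed sample input. The key values are the example credentials AWS uses
# in its own documentation; they are not live keys.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_host = localhost
""".splitlines()

SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
"""


if __name__ == "__main__":
    # Pre-commit usage:  git diff --cached -U0 | python check_secrets.py
    # (check_secrets.py is a hypothetical file name for this script.)
    hits = scan_lines(added_lines(sys.stdin.read()))
    for number, rule in hits:
        print(f"added line {number}: possible {rule}")
    sys.exit(1 if hits else 0)
```

    Scanning only the added lines of the staged diff keeps the hook fast and avoids re-flagging history; a key that is already in an old commit still needs to be revoked, since removing the file does not remove it from the repository.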
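    For the "trust no input" point, an added example (again not this site's code) that puts the vulnerable and the parameterized form of a login query side by side, against a constructed in-memory SQLite table with made-up accounts. The same two injection payloads are run through both versions so the difference is visible in the results rather than asserted in prose:

```python
import re
import sqlite3

# Constructed sample accounts for the demo. Passwords are stored in clear only to
# keep the example short; real code stores a salted hash (bcrypt, scrypt, argon2).
SAMPLE_USERS = [("alice", "correct-horse-battery"), ("admin", "s3cret!pass")]

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db():
    """In-memory SQLite database seeded with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: untrusted input pasted straight into the SQL string."""
    sql = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the statement, so input
    can never change the SQL, whatever quotes or comment markers it contains."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def valid_username(username):
    """Allow-list validation: cheap defence in depth on top of parameterization,
    not a replacement for it."""
    return bool(USERNAME_RE.match(username))


def demo():
    """Run the same payloads against both versions and return the outcomes."""
    conn = make_db()
    # Comments out the password check; the vulnerable query becomes
    #   ... WHERE username = 'admin' --' AND password = 'anything'
    bypass_user = "admin' --"
    # Tautology in the password field: ... AND password = '' OR '1'='1'
    bypass_pass = "' OR '1'='1"
    return {
        "vulnerable_comment_bypass": login_vulnerable(conn, bypass_user, "anything"),
        "vulnerable_tautology": login_vulnerable(conn, "nobody", bypass_pass),
        "safe_comment_bypass": login_safe(conn, bypass_user, "anything"),
        "safe_tautology": login_safe(conn, "nobody", bypass_pass),
        "safe_real_login": login_safe(conn, "alice", "correct-horse-battery"),
        "payload_passes_validation": valid_username(bypass_user),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

    The allow-list check rejects both payloads as well, which is why validating on the server is worth doing, but it is the placeholder in login_safe that makes the query immune regardless of what the validation lets through.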

    As I said earlier, there are plenty of more complete guides on securing servers; this is more of a reminder of what you should already be doing.
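    As an added example for the monitoring point in the list above (not code from this site), the following reads sshd "Failed password" lines in auth.log format and flags source addresses that cross a threshold of failures inside a sliding time window, which is the signal behind most SSH brute-force alerts. The log lines are constructed and use the documentation address ranges, and the year for the timestamps is assumed, since syslog does not record one:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line as written to a syslog-style auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_timestamp(text, year=2024):
    """Syslog timestamps carry no year; the caller supplies one (assumed 2024 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed SSH logins inside a sliding time window.

    Returns {ip: {"peak": highest count seen in one window, "users": sorted usernames tried}}.
    """
    recent = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    users = defaultdict(set)        # ip -> usernames attempted
    flagged = {}
    for line in lines:
        match = FAILED_RE.match(line)
        if not match:
            continue                # accepted logins and unrelated lines are ignored
        ts = parse_timestamp(match["ts"])
        ip = match["ip"]
        queue = recent[ip]
        queue.append(ts)
        users[ip].add(match["user"])
        while queue and ts - queue[0] > window:
            queue.popleft()         # drop failures that have aged out of the window
        if len(queue) >= threshold:
            entry = flagged.setdefault(ip, {"peak": 0, "users": []})
            entry["peak"] = max(entry["peak"], len(queue))
            entry["users"] = sorted(users[ip])
    return flagged


# Constructed sample log lines using documentation address ranges (203.0.113.0/24,
# 198.51.100.0/24); they are not from a real host.
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:04 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:06 web1 sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51237 ssh2
Jan 10 12:00:09 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 10 12:00:11 web1 sshd[1206]: Failed password for root from 203.0.113.5 port 51239 ssh2
Jan 10 12:00:12 web1 sshd[1207]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
Jan 10 12:00:20 web1 sshd[1208]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2: RSA SHA256:constructed
Jan 10 12:05:30 web1 sshd[1209]: Failed password for deploy from 198.51.100.7 port 40003 ssh2
""".splitlines()


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak']} failures within 60s, usernames tried: {', '.join(info['users'])}")
```

    The sliding window matters: the second address also fails twice, but minutes apart, which is what a user mistyping a password looks like, while six failures in ten seconds against root and admin is a scanner. On a real fleet this logic would sit behind a log shipper, and the flagged addresses would feed a firewall block list rather than a print statement.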

     

    Fun Fact
    It helps to look ahead and visualize where you want to be. A year from now, what would you have wished you did today?
    When a door closes, at least another opens... the problem is that we focus so much on the first door that we do not see the others open
    When they ask me what I do, I say whatever it takes. You have to be willing to go the extra mile on your path to success
    A record company told the Beatles they were no good, that they sounded old and that boy bands were a thing of the past. Persist, do something awesome
    Discipline is the bridge between goals and success - Jim Rohn
    To excel is not a destination but a constant voyage - Brian Tracy
    Proceed as if success is unavoidable. A lot of our limitations exist only in our minds
    Before being an entertainment mogul, Walt Disney was fired for a lack of imagination. Persisting always yields results
    One of Edison's teachers said he was too stupid to learn anything. A healthy self esteem is key for success
    Henry Ford went bankrupt 5 times before he succeeded. Never let failure discourage you
    The first person who hired Elvis Presley as a singer fired him the first night, recommending he give up music for a different profession
    One of Einstein's teachers said he was a lost cause, too slow and stuck in unrealistic dreams. Never let someone else's opinion bring you down
    Tolstoy failed university. They told him he was not capable of learning. Never let failure stop you on the road to success
    When he started, studios told Charlie Chaplin what he did was nonsense. With persistence, a legend was born
    Leonardo da Vinci never went to school. Always respect knowledge but remember that success is not limited to degrees
    One of Beethoven's professors told him he was a pathetic composer. He proved him wrong even after he went deaf
    Be passionate, always. Even if Van Gogh only sold one painting while alive (to his sister), he painted over 800 paintings
    Never push back to tomorrow what can be done today
    Who risks nothing gains nothing. Sometimes, taking a calculated risk at the right moment makes all the difference
    The best way to predict the future is to invent it - Richard Bandler
    As your self esteem improves, your performance increases too - Zig Ziglar
    It is not the jump that drowns people, it is staying under water - Paulo Coelho
    With enough persistence, nothing is impossible. Wherever there is a will, there is always a way
    Little by little the bird builds its nest. Nothing happens overnight, and persistence is what gets you there
    There is only one way to fail, give up before succeeding - Olivier Lockert
    Do not be afraid of being slow, be afraid only to be at a standstill - Chinese proverb
    The word chance is a synonym for tenacity of purpose - Ralph Waldo Emerson
    Today is the first day of the rest of your life, a brand new chance to excel. It is never too late to be what you might have been.
    No one can know what they are really capable of until they try
    No extraordinary person complains about the lack of opportunities
    Never be afraid of failure. If you want to double your success rate, you have to double your failure rate - Brian Tracy
    If 'O' stands for Opportunity, it's absent in 'yesterday', once in 'tOday', thrice in 'tOmOrrOw'. There's always opportunities waiting tomorrow.
    It is not the number of times we fall that matters, it is the number of times we get back up... because in the end what matters is that we are standing
    After how many times should a baby trying to walk give up? Obviously none. Giving up is not a trait we are born with - Anthony Robbins
    It is better late than never... and it is never too late to be what you might have been
    Strength cannot be equated with physical force; it is about having a never failing willpower - Gandhi
    No obstacle is unsolvable. It is about dividing each difficulty into as many parts as necessary to succeed - Descartes
    The best way to start is to stop talking and start doing - Walt Disney
    Always remember that all those at the top started at the bottom and persisted until they got their way
    It is nice to have what you want... but meanwhile, always remember to want what you have
    More often than not, we are limited by our attitude and not by the opportunities that come to us
    It is the little details that make a huge difference. Going the extra mile and making an extra effort changes everything - Mark Twain
    To have a list of goals is key in life... otherwise how will you ever know you got to where you want to be?
    Failure is the foundation of success and it is by failing that we build - Lao Tzu
    Many times, the one who tries to do too much ends up doing very little - make priorities, focus and get things done - Italian proverb
    The past is behind us and the future is very unpredictable. That is why it is important to focus on the present
    Be at peace with yourself... if you can't trust yourself, why would others do it?
    A list of goals that is not written down is like a wishlist
    To succeed, it is key to have a list of goals and to remember that everything has a cost... and it is not always money
    Obstacles are these horrible things in life that we see when we get our eyes off of our goals
    The best opportunities in life go to those who make sure that things get done while owning up to their responsibilities - Napoleon Hill
    Time is more precious than gold. We can always get more money but wasted time can never be gotten back
    Do not attempt to do too many things. The best way to get many things done is to focus on one thing at the time - Mozart
    Life is a never ending cycle that keeps repeating - every time is an opportunity to fix previous mistakes you made and do things differently