Most programs must interact with the user by accepting certain data, whether it is a full name, height and weight to be entered into a database, or the geometric dimensions of some object for which something needs to be calculated. All of this data is entered by the user, a person, which means that anything can come back. What will the program do if, instead of the required age, the user writes it out as a word? Most likely the program will crash or hang, unless it has "fool protection" built in.
Why might a program terminate or freeze? The program will try to convert the character string to a number, which will fail, so the application's further behaviour is undefined. Therefore, it is very important to structure the program so that when it receives unexpected data (incorrect in terms of the required format: a number is needed, but a word is entered), the application does not "fall over" but informs the user that an error has occurred and offers to repeat the input. This is "foolproofing".
Implementing foolproofing in C
To implement good foolproofing for entering various numeric (int, double, ...) data, it is necessary to read not the numbers themselves but the entire input line, and only then analyze the input. The C language has a very convenient function, sscanf(const char *, const char *, ...), which works similarly to scanf(const char *, ...) and returns the number of successfully read arguments, except that the data is read not from the standard input stream but from the string passed as its first argument.
Let's look at a few examples of functions that implement a fool check using sscanf.
Entering an integer with checking for invalid input
```c
#include <stdio.h>

int get_integer(const char *msg)
{
    char answer[256]; // string to read (buffer size restored; the page lost it)
    int n;            // final integer

    printf("%s", msg);                    // print prompt
    fgets(answer, sizeof(answer), stdin); // read the string
    // until an integer is read
    while (sscanf(answer, "%d", &n) != 1) {
        printf("Incorrect input. Try again: "); // print an error message
        fgets(answer, sizeof(answer), stdin);   // and re-read the string
    }
    return n; // return a valid integer
}
```

To read an integer, the algorithm reads the entire line and then tries to extract an integer from it. If that fails, the function displays an error message and asks the user to repeat the input until a correct integer value is entered.
Entering a real number with a check for incorrect input
```c
#include <stdio.h>

double get_double(const char *msg)
{
    char answer[256]; // string to read (buffer size restored; the page lost it)
    double x;         // resulting real number

    printf("%s", msg);                    // print prompt
    fgets(answer, sizeof(answer), stdin); // read the string
    // until a real number is read
    while (sscanf(answer, "%lf", &x) != 1) {
        printf("Incorrect input. Try again: "); // print an error message
        fgets(answer, sizeof(answer), stdin);   // and re-read the string
    }
    return x; // return a valid real number
}
```

Entering a point on the coordinate plane (structure with two real fields)
```c
#include <stdio.h>

// description of the data structure
typedef struct point_t {
    double x; // x coordinate
    double y; // y coordinate
} point_t;

point_t get_point(const char *msg)
{
    char answer[256]; // string to read (buffer size restored; the page lost it)
    point_t point;    // final point

    printf("%s", msg);                    // print prompt
    fgets(answer, sizeof(answer), stdin); // read the line
    // until both point coordinates are read
    while (sscanf(answer, "(%lf,%lf)", &point.x, &point.y) != 2) {
        printf("Incorrect input. Try again: "); // print the error message
        fgets(answer, sizeof(answer), stdin);   // and re-read the string
    }
    return point; // return the correct point
}
```

As can be seen from the examples, the fact that sscanf returns the number of arguments read lets you check that the entered data matches the specified format, and reading the entire line protects against space characters or line breaks "\n" remaining in the input stream, which very often cost an hour or even a day of searching for an error.
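The sscanf check above has two gaps a practitioner should know about: sscanf("%d") happily accepts "12abc" (it stops at the first non-digit and still reports one argument read), and if fgets fails at end of input the loop re-scans the same stale buffer forever. The following strict variant is an added example, not code from the original article; the function and status names are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes for parse_int (names are this example's own). */
enum parse_status { PARSE_OK = 0, PARSE_EMPTY, PARSE_TRAILING, PARSE_RANGE };

/* Parse one whole input line as an int. A bare sscanf("%d") accepts "12abc"
 * and silently wraps on overflow; this version insists that the entire line
 * (apart from surrounding whitespace and the '\n' left by fgets) is one
 * in-range integer, and reports which check failed. */
enum parse_status parse_int(const char *line, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(line, &end, 10);      /* base 10 only: "0x10" is rejected */
    if (end == line)
        return PARSE_EMPTY;               /* no digits at all, e.g. "abc" or "" */
    while (*end != '\0' && isspace((unsigned char)*end))
        end++;                            /* allow trailing blanks and '\n' */
    if (*end != '\0')
        return PARSE_TRAILING;            /* leftover text, e.g. "12abc", "1 2" */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return PARSE_RANGE;               /* does not fit in an int */
    *out = (int)v;
    return PARSE_OK;
}

/* Prompt loop in the article's style with two fixes: a failed fgets (EOF or
 * read error) ends the loop instead of spinning forever on stale data, and
 * the whole line must be a valid int. Returns 0 on success, -1 on end of input. */
int get_integer_strict(const char *msg, int *out)
{
    char answer[64];                      /* lines longer than this are read in pieces */
    printf("%s", msg);
    while (fgets(answer, sizeof answer, stdin) != NULL) {
        if (parse_int(answer, out) == PARSE_OK)
            return 0;
        printf("Incorrect input. Try again: ");
    }
    return -1;
}
```

The same pattern (strtod with an end-pointer check, or a "%lf %n" format and a check that the rest of the line is blank) extends to get_double and get_point.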
The servers of any company can sooner or later become a target for hacking or a virus attack. Typically, the result of such an attack is data loss, reputational or financial damage, so server security issues should be addressed in the first place.
It should be understood that protection against server hacking is a set of measures, including those that imply constant monitoring of server operation and work to improve protection. It is impossible to protect the server from external access once and for all, because every day new vulnerabilities are discovered and new ways of hacking the server appear.
We will talk about protecting servers from unauthorized access in this article.
Ways and methods of protecting servers from unauthorized access
Server physical protection
Physical protection. It is desirable that the server be located in a secure data center, in a closed and guarded room; outsiders should not have access to the server.
Set up SSH authentication
When setting up access to the server, use SSH key authentication instead of a password, since such keys are much more difficult, and sometimes simply impossible, to crack by brute force.
If you think that you still need a password, be sure to limit the number of attempts to enter it.
Pay attention if you see a message like this when you log in:
Last failed login: Tue Sep 28 12:42:35 MSK 2017 from 52.15.194.10 on ssh:notty
There were 8243 failed login attempts since the last successful login.
This may indicate that your server has been hacked. In this case, to harden the server, change the SSH port, restrict the list of IP addresses from which the server can be accessed, or install software that automatically blocks excessively frequent and suspicious activity.
Install the latest updates regularly
To ensure server protection, install the latest patches and updates for the server software you use: operating system, hypervisor, database server.
It is advisable to check for new patches, updates and reported bugs/vulnerabilities every day to prevent attacks exploiting zero-day vulnerabilities. To do this, subscribe to news from the software vendor and follow its pages on social networks.
Protect passwords
By far one of the most common ways to gain access to a server is to crack the server's password. Therefore, follow the well-known, but nevertheless relevant recommendations in order not to leave the server unprotected:
- do not use passwords that are easy to guess, such as the name of the company;
- if you are still using the default password for the admin console, change it immediately;
- passwords for different services must be different;
- if you need to share a password with someone, never send the IP address, username and password in the same email or messenger message;
- you can set up 2-step verification for logging in to the administrator account.
Firewall
- Make sure the server has a firewall, that it is configured, and that it is running all the time.
- Protect both incoming and outgoing traffic.
- Keep track of what ports are open and for what purpose, do not open anything unnecessary to reduce the number of possible vulnerabilities for server hacking.
In particular, a firewall helps a lot in protecting the server from DDoS attacks, because you can quickly create blocking rules and add the IP addresses the attack is coming from, or block access to certain applications over certain protocols.
Monitoring and intrusion detection
- Limit the software and services running on your server. Periodically check everything you have running, and if any unfamiliar processes are found, remove them immediately and start checking for viruses.
- Periodically check for signs of tampering. Signs of a hack include new user accounts you did not create, the file /etc/syslog.conf being moved or deleted, and deleted /etc/shadow or /etc/passwd files.
- Monitor your server's performance and keep an eye on its normal speed and throughput, so you can notice deviations, for example when the load on the server has become significantly higher than usual.
Using VPN and SSL/TLS Encryption
If remote access to the server is needed, it should only be allowed from certain IP addresses and only over a VPN.
The next step in ensuring security can be setting up SSL/TLS, which will not only encrypt data but also verify the identity of other participants in the network infrastructure by issuing them appropriate certificates.
Server security check
It is a good idea to independently check the security of the server using a pentest, i.e. a simulated attack to find potential vulnerabilities and eliminate them in time. It is advisable to involve information security specialists in this; however, some tests can be done independently using server hacking tools.
What else threatens servers besides hacking
A server can go down for a number of reasons other than being hacked. For example, it could be a malware infection or just a physical failure of one of the components.
Therefore, measures to protect the server should include:
- Installing and updating programs that protect the server: antiviruses.
- Regular encrypted backups of data at least once a week, because, according to statistics, server hard drives are in first place in frequency of breakdowns. Make sure the backup copies are stored in a physically secure environment.
- Ensuring uninterrupted power supply to the server room.
- Timely physical maintenance of servers, including cleaning dust out of them and replacing thermal paste.
The experience of Integrus specialists tells us that the best protection against such threats is the use of best practices in the field of server protection systems.
To ensure the security of our customers' servers, we use a combination of tools: firewalls, antiviruses, security information/event management technologies (SIM/SEM), intrusion detection/prevention technologies (IDS/IPS), network behavior analysis (NBA) technologies and, of course, regular preventive maintenance of servers and turnkey arrangement of secure server rooms. This allows the risks of hacking or of server failure for other reasons to be minimized.
We are ready to conduct a security audit of your company's servers, provide specialist consultation, and perform all types of work on setting up the protection of server equipment.