The term security, or the phrase server security, refers to the techniques used to ensure that data stored on a system cannot be read or compromised by anyone without authorization. Securing a server is a continuous process: security threats have to be analyzed and the server protected against each new one of them on a daily basis. Securing a server by every available means does not guarantee that it is immune to attacks, because new vulnerabilities emerge day by day, some identified immediately and some only after time. That being said, security is the degree of resistance to, or protection from, harm.

How to make a Linux server secure

A server admin plays the basic role in securing a server. The most common server securing steps include:

  • Implementing and configuring a firewall such as CSF or APF
  • Enabling brute-force protection
  • Securing the SSH service
  • /tmp hardening
  • FTP hardening and Apache hardening
  • PHP tightening
  • host.conf and sysctl.conf hardening
  • Implementing ModSecurity
  • Implementing mod_evasive
  • System integrity monitoring

Types of Vulnerabilities

  • SQL injection
  • Cross-site scripting (XSS)
  • CSRF attacks
  • Exposure of version information
  • Heartbleed
  • Shellshock
  • POODLE

[Figure: Web hack incident database]

SQL injection

SQL injection is a technique in which a malicious user injects SQL commands into an SQL statement via web page input. SQL injection can be prevented by adopting an input validation technique in which user input is checked against a set of defined rules for length, type and syntax, and also against business rules. To prevent SQL injection we also have to use prepared statements, which use bound parameters. Prepared statements do not combine variables with SQL strings, so it is not possible for an attacker to modify the SQL statement. Instead, the variables are bound to the already compiled SQL statement: the SQL and the variables are sent separately, and the variables are interpreted only as data, never as part of the SQL statement.
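The following is an added example, not code from the original article, showing both defenses just described: a syntax check on the username and a prepared statement with bound parameters, beside the concatenated query that is vulnerable. The table, rows and injected input are all constructed for the demonstration and use Python's built-in sqlite3 module.

```python
import re
import sqlite3

# Input validation rule (length, type, syntax): letters, digits, underscore, 3-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(username: str) -> str:
    if not USERNAME_RE.match(username):
        raise ValueError("username fails validation rules")
    return username


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # String concatenation: the input becomes part of the SQL text itself.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, username: str, password: str) -> list:
    # Bound parameters: the SQL text is fixed, the values travel separately
    # and are only ever treated as string data, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed malicious input: closes the string literal, then adds a tautology.
INJECTED = "' OR '1'='1"


def demo() -> tuple:
    conn = make_db()
    weak = login_vulnerable(conn, "alice", INJECTED)   # every user matches
    safe = login_prepared(conn, "alice", INJECTED)     # no user has that password
    return weak, safe


if __name__ == "__main__":
    print(demo())
```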

Cross Site Scripting (XSS)

The hacker exploits vulnerabilities in the code of a web application that allow malicious content to be delivered to an end user and some type of data to be collected from the victim. It allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable dynamic page to fool the user, executing the script on the user's machine in order to gather data. So in XSS, the attacker exploits the trust a user has in a website. The simplest and arguably the easiest form of XSS protection is to pass all external data through a filter that removes dangerous keywords, such as the infamous <SCRIPT> tag, JavaScript commands, CSS styles and other dangerous HTML markup.

Cross Site Request Forgery (CSRF)

A CSRF attack is a malicious exploit of a website in which a user's browser transmits requests that the target website trusts, without the user's consent. In XSS, the hacker takes advantage of the trust that a user has in a certain website; in CSRF, the hacker takes advantage of a website's trust in a certain user's browser. For example, in a chat forum an attacker posts a message containing an image tag (an HTML image element). However, the source of the image is a link that performs an action on the victim's bank website account. So instead of an image file, the attacker has included a link that performs a bank transaction. Below is an example of the image tag containing a rogue URL.

<img src="https://bank.example.com/withdraw?account=bob&amount=1000000&for=Fred">

A prevention measure is the inclusion of tokens in the user's current session. Tokens are long cryptographic values that are difficult to guess. They are generated when a user's session begins and are associated with that particular session. This challenge token is included in each request, and the server side uses it to verify the legitimacy of the end user's request. In order to forge an HTTP request, an attacker would have to know the particular challenge value (token) of the victim's session. Disclosing the challenge token in the URL (GET requests) should be done wisely and with awareness of the CSRF attack. So in the previous example, even if the victim's browser has loaded the image tag, as long as the attacker does not know the token they cannot forge the HTTP request.
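The token scheme above, as an added example that is not part of the original article: a per-session token generated at login, embedded in the server-rendered form, and checked on every state-changing request with a constant-time comparison. The session store, the /withdraw handler and its parameters are constructed for the demonstration.

```python
import hmac
import secrets

FORM_FIELD = "csrf_token"


def start_session(user: str) -> dict:
    # Constructed session entry: one unguessable token per session, created at login.
    return {"user": user, FORM_FIELD: secrets.token_urlsafe(32)}


def render_withdraw_form(session: dict) -> str:
    # Only the site's own page can embed the session's token; a forum post cannot.
    return ('<form method="post" action="/withdraw">'
            f'<input type="hidden" name="{FORM_FIELD}" value="{session[FORM_FIELD]}">'
            '<input name="amount"><button>Withdraw</button></form>')


def handle_withdraw(session: dict, method: str, params: dict) -> str:
    """Hypothetical /withdraw handler: state change only via POST with a valid token."""
    if method != "POST":
        return "405 method not allowed"      # the rogue <img> tag issues a GET
    submitted = params.get(FORM_FIELD, "")
    # Constant-time comparison so timing does not leak how much of a guess matched.
    if not hmac.compare_digest(submitted.encode(), session[FORM_FIELD].encode()):
        return "403 invalid csrf token"
    return f"200 withdrew {params['amount']} from {params['account']}"


def demo() -> tuple:
    session = start_session("bob")
    # 1. The forged GET from the image tag in the text: no token at all.
    forged_get = handle_withdraw(session, "GET", {"account": "bob", "amount": "1000000"})
    # 2. A forged POST that has to guess the token, since the attacker cannot read it.
    forged_post = handle_withdraw(session, "POST",
                                  {"account": "bob", "amount": "1000000",
                                   FORM_FIELD: secrets.token_urlsafe(32)})
    # 3. A legitimate submission of the form rendered for this session.
    assert session[FORM_FIELD] in render_withdraw_form(session)
    real = handle_withdraw(session, "POST",
                           {"account": "bob", "amount": "50",
                            FORM_FIELD: session[FORM_FIELD]})
    return forged_get, forged_post, real


if __name__ == "__main__":
    print(demo())
```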

Keeping track of server security

Apart from all these security implementations, one should carry out penetration testing to check for server vulnerabilities. To judge how a server could be hacked, one should think and proceed like a hacker; only then can the security holes be identified. Hacking techniques include the very basic tools too:

Footprinting

  • ping
  • nslookup
  • traceroute

Scanning

  • Acunetix
  • OpenVAS
  • Vega

Enumeration

  • nbstat
  • ftp enumeration
  • telnet

Access gaining

  • Metasploit
  • Meterpreter

Acunetix: a widely used web vulnerability scanner; it is a paid service.
Vega: an open source web vulnerability scanner available in Kali OS.
OpenVAS: another tool in Kali OS; its advantage is that it checks the whole server for vulnerabilities, whereas Vega checks a single site.

Hacking process

Acunetix

Acunetix pioneered web application security scanning and has established an engineering lead in website analysis and vulnerability detection. Its deep scan understands complex web technologies such as SOAP, XML, AJAX and JSON. Acunetix AcuSensor Technology allows accurate scanning with low false positives by combining black-box scanning techniques with feedback from sensors placed inside the source code. It includes an automatic JavaScript analyzer for security testing of AJAX and Web 2.0 applications, and what the vendor describes as the industry's most advanced and in-depth SQL injection and cross-site scripting (XSS) testing.

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs).


We can use either the command line or the graphical interface, the Greenbone Security Assistant, which can be accessed via the link

https://localhost:9392

The following commands can be used to start the OpenVAS services and initiate an OpenVAS scan from the Metasploit console:

service greenbone-security-assistant start
service openvas-scanner start
service openvas-administrator start
service openvas-manager start
openvas-nvt-sync
openvas-adduser
msfconsole
msf > load openvas
msf > openvas_connect username password 127.0.0.1 9390
msf > openvas_target_create "Local Mac" 192.168.70.128 "My Local machine"
msf > openvas_target_list
msf > openvas_config_list
msf > openvas_task_create "Local Scan" "Scan My Local Machine" <scan_config_id> <target_id>
msf > openvas_task_list
msf > openvas_task_start <task_id>
msf > openvas_report_list
msf > openvas_format_list
msf > openvas_report_import <report_id> <report_format_id>

Metasploit

The Metasploit Framework is an open source penetration testing tool used for developing and executing exploit code against a remote target machine. It has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the vulnerability of computer systems in order to protect them, and on the other hand it can also be used to break into remote systems. The exploit is what delivers the payload; the payload is the code that is executed on the compromised system. Let's start by firing up Metasploit. You can do this by going through the menu system or simply typing msfconsole in a terminal. Once we have Metasploit open, we can start with psexec by typing:

use exploit/windows/smb/psexec


  • Set the options.
  • For our options, we first need to tell Metasploit what payload to use:
    set PAYLOAD windows/meterpreter/bind_tcp
  • Then set our remote host (RHOST):
    set RHOST 192.168.2.129
  • Next, we need to set our SMB user and password. As you know, SMB stands for Server Message Block. It is an application layer protocol that runs on port 445 and enables computers on a network to share resources such as files, printers, etc. SMB is one of the most common attack vectors in security intrusions.
  • Enter the SMB user now:
    set SMBUser administrator
  • Then the SMB password.
  • Once we've entered all the information correctly for each of the options, we then simply type:

[Screenshot: meterpreter command prompt]

Note in the screenshot above that we have a meterpreter command prompt. Success! Once we have a meterpreter command prompt on a system, we basically own the box. What we're able to do is almost unlimited.

Windows, and for that matter most other operating systems, use tokens or "tickets" to determine who can use what resources. We log in once, and when we do, the system checks which resources we're authorized to access and then issues a token or ticket that lets us access those resources without having to re-authenticate. If we can grab the token or ticket for a particular service or resource, we can use it with the same privileges as the user to whom the token was issued. We don't have to know the token, simply grab it, present it to the service, and we're in!
In this case, we want to get into the SQL Server service. Let's first see whether SQL Server is running on this system. Meterpreter has a ps command, like the Linux command of the same name, that lists running processes.

As you can see here, SQL Server is running and it has been assigned

[Screenshot: meterpreter ps output listing the SQL Server process]

Now that we know that the service is running and its PID, we can attempt to steal its token. Meterpreter has a command called steal_token that, surprisingly enough, attempts to steal the token from a process. Who would have thought! Its syntax is simple and straightforward: the command followed by the service's PID.

steal_token 1432

As you can see, meterpreter has come back and indicated that our attempt was successful.

[Screenshot: steal_token output]

Now we should have nearly unlimited access to the SQL Server service and its databases! It should be repeated that psexec is only useful if you already have the sysadmin credentials. When you do, psexec enables you to own the system while leaving almost no evidence that you were ever there.

To conclude, security can only be guaranteed by maintaining the server's health and doing proper daily research on new vulnerabilities. Finally, analyse a server by trying to intrude into it, just like a hacker!