Threat of running a web server?

FromTheRafters

Colonel Flagg said:
to a n00b, what's the difference?

I think that "n00b's" deserve accurate information too, don't you?
if you're running a "service", a
"server" or a "daemon", you're providing "something" to be given out to
someone.

That has little to do with what a daemon is.

Isn't it just a program that loops until an event triggers it into some
action? What do servers have to do with it?
 
kurt wismer

Colonel said:
to a n00b, what's the difference? if you're running a "service", a
"server" or a "daemon",

if you don't understand the difference between a service/daemon and a
server then i could understand your complaint...

the fact is, they are very different concepts...
you're providing "something" to be given out to
someone. a "server" is a machine which provides either a "service" or a
"daemon".

ummm, no that's really not correct at all...

a server is an entity that services requests from clients, and that may
or may not be implemented in the form of a service/daemon (though
the autonomous nature of services and daemons make servers using that
implementation preferable)... that said, there are many services and
daemons that are not necessarily part of a server implementation...
 
kurt wismer

Colonel Flagg wrote:
[snip]
I didn't. all I said was something to the effect of "microsoft weenies",
someone else took that to _mean_ something....

it would appear that you're encountering a reading comprehension
problem... my reply was to the effect that you were erroneously
presenting daemons and servers as being equivalent things... i could
care less about 'microsoft weenies'...

perhaps if you didn't employ that type of antagonism you wouldn't be
tempted to jump to the conclusion that responses to your posts are as a
result of that antagonism...
 
Colonel Flagg

a server is an entity that services requests from clients, and that may
or may not be implemented in the form of a service/daemon (though
the autonomous nature of services and daemons make servers using that
implementation preferable)... that said, there are many services and
daemons that are not necessarily part of a server implementation...


let me help you get rid of the "corporate speak" and let's look at the
real definitions.... which are EXACTLY what I was trying to say
previously... perhaps my explanation confused you... here, let's look at
the accepted definitions:


server

http://info.astrian.net/jargon/terms/s/server.html

http://www.catb.org/~esr/jargon/html/S/server.html

http://dictionary.reference.com/search?q=server

server n. A kind of daemon that performs a service for the
requester and which often runs on a computer other than the one on which
the server runs. A particularly common term on the Internet, which is
rife with `web servers', `name servers', `domain servers', `news
servers', `finger servers', and the like.

server

1. A program which provides some service to other (client)
programs. The connection between client and server is
normally by means of message passing, often over a network,
and uses some protocol to encode the client's requests and
the server's responses. The server may run continuously (as a
daemon), waiting for requests to arrive or it may be invoked
by some higher level daemon which controls a number of
specific servers (inetd on Unix). There are many servers
associated with the Internet, such as those for Network File
System, Network Information Service (NIS), Domain Name
System (DNS), FTP, news, finger, Network Time
Protocol. On Unix, a long list can be found in /etc/services
or in the NIS database "services". See client-server.

2. A computer which provides some service for other computers
connected to it via a network. The most common example is a
file server which has a local disk and services requests
from remote clients to read and write files on that disk,
often using Sun's Network File System (NFS) protocol or
Novell Netware on IBM PCs.


-------------------------------------------------

daemon

http://info.astrian.net/jargon/terms/d/daemon.html

http://www.catb.org/~esr/jargon/html/D/daemon.html

http://dictionary.reference.com/search?q=daemon

daemon /day'mn/ or /dee'mn/ n. [from the mythological meaning,
later rationalized as the acronym `Disk And Execution MONitor'] A
program that is not invoked explicitly, but lies dormant waiting for
some condition(s) to occur. The idea is that the perpetrator of the
condition need not be aware that a daemon is lurking (though often a
program will commit an action only because it knows that it will
implicitly invoke a daemon). For example, under ITS writing a file on
the LPT spooler's directory would invoke the spooling daemon, which
would then print the file. The advantage is that programs wanting (in
this example) files printed need neither compete for access to nor
understand any idiosyncrasies of the LPT. They simply enter their
implicit requests and let the daemon decide what to do with them.
Daemons are usually spawned automatically by the system, and may either
live forever or be regenerated at intervals.

Computer Science. A program or process that sits idly in the background
until it is invoked to perform its task.

"...Unix systems run many daemons, chiefly to handle requests
for services from other hosts on a network. Most of these
are now started as required by a single real daemon, inetd,
rather than running continuously. Examples are cron (local
timed command execution), rshd (remote command execution),
rlogind and telnetd (remote login), ftpd, nfsd (file
transfer), lpd (printing)."


----------------------------------------------------

Services.

No entry for "Services" in the Jargon Dictionary

No entry for "Services" in the Jargon File

No entry for "Services" relating to computer sciences at dictionary.com


Would "services" perhaps be yet another phrase coined by Redmond to re-
define their view of yet another age-old computer term that was
previously accepted but not "corporatese" enough? See sig for details.



--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
Dazz

On Mon, 19 Jan 2004 07:43:05 -0500, Colonel Flagg spoketh


Why do you *always* have to make everything a pissing contest between MS
and Linux? Can't you just leave it alone?

That's strange. I thought it was a pissing contest. :)

And right now, it's dribbling down Micro$ofts leg. ;-P

Dazz
 
Anne & Lynn Wheeler

David Norris said:
majority of intrusions via webservers occur via scripts (CGI and so
on). If you are careful about use of scripts, your risk is much
lessened. DN

i had heard some number about fraud ... that about

a) 1/3rd from buffer overflows and other implementation flaws,

b) 1/3rd from viruses and trojan horses involving scripts/executables
arriving from the net and being executed, and

c) 1/3rd from social engineering

some of the network originating scripts/executables also involve
social engineering as to the inducement it takes to have a person
click on the executable (as opposed to exploiting a flaw where the
script/executable is automatically executed).
 
zack

Does leaving port 80 open for serving web pages leave me vulnerable? A few
hours after telling BlackICE to allow port 80 traffic in I got an alarm with
this event: HTTP_Code_Red_II

Norton alerted me to the virus soon after and deleted it. Here's their
write-up on it if anyone's interested:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

I'm running Apache on WinXP with BlackICE and Norton AntiVirus running
behind a Linksys router that is forwarding port 80 to my machine. Anyone
know how this is possible that someone gave me a virus over my apache web
server? Do I have a security hole or is this threat something I have to live
with if I'm going to have a web server? Thanks for any help or suggestions.

Steve.


BlackIce was simply notifying you of code red traffic being sent to
your computer. Code Red only affects IIS, it does not affect Apache,
so you should be safe..
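
Added example, not part of any post in this thread: a way to confirm from the Apache access log what the reply above describes, that the Code Red traffic arrived as requests and was refused rather than served. It assumes Common Log Format; the sample lines, addresses, padding length and the 20-character threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Code Red family probes ask for the IIS Indexing Service mapping
# /default.ida followed by a long run of a single padding character.
# The minimum run length of 20 is an assumption chosen for this example.
PROBE = re.compile(r'^GET /default\.ida\?(?P<pad>([NX])\2{20,})', re.I)
# Padding character distinguishes the original worm from Code Red II.
VARIANT = {"N": "Code Red", "X": "Code Red II"}


def classify(line):
    """Return details for a Code Red style probe, or None for other lines."""
    m = CLF.match(line)
    if not m:
        return None
    p = PROBE.match(m.group("request"))
    if not p:
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "variant": VARIANT[p.group(2).upper()],
        "status": status,
        # A 2xx answer would mean something on the server handled the
        # request; Apache with no such file answers with an error code.
        "served": 200 <= status < 300,
    }


def summarize(lines):
    """Count probes per variant, list sources, and flag any that were served."""
    hits = [h for h in map(classify, lines) if h]
    return {
        "by_variant": dict(Counter(h["variant"] for h in hits)),
        "sources": sorted({h["host"] for h in hits}),
        "served": [h for h in hits if h["served"]],
    }


def _probe(host, pad_char, status):
    # Constructed log line; the rest of the real request is left out.
    return (f'{host} - - [19/Jan/2004:07:12:01 -0500] '
            f'"GET /default.ida?{pad_char * 224}(rest elided) HTTP/1.0" '
            f'{status} 276')


# Constructed sample log (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [19/Jan/2004:07:10:44 -0500] '
    '"GET /index.html HTTP/1.1" 200 1043',
    _probe("198.51.100.7", "X", 404),
    _probe("203.0.113.5", "N", 404),
    _probe("198.51.100.7", "X", 404),
    '192.0.2.10 - - [19/Jan/2004:07:15:02 -0500] '
    '"GET /docs/default.idaho.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty "served" list is the expected result on Apache; an entry there would be the case worth investigating.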
 
kurt wismer

Colonel said:
let me help you get rid of the "corporate speak" and let's look at the
real definitions.... which are EXACTLY what I was trying to say
previously... perhaps my explanation confused you... here, let's look at
the accepted definitions:

aww, how nice, that's very generous of you...

but please, let me help you get rid of that misconception that i speak
'corporate speak'... the reason the phrases i use sound foreign to you
is that the university i got my computer science degree from focused as
heavily on theory as it did on practical issues... my definition,
abstract though it may seem, is simply more general than the pablum
you'll find in the jargon file...

[snip]
server n. A kind of daemon that performs a service for the

interesting... so therefore there are other kinds of daemons that
aren't servers... so therefore daemons aren't the same thing as servers...

[snip]
Services.

No entry for "Services" in the Jargon Dictionary

No entry for "Services" in the Jargon File

No entry for "Services" relating to computer sciences at dictionary.com


Would "services" perhaps be yet another phrase coined by Redmond to re-
define their view of yet another age-old computer term that was
previously accepted but not "corporatese" enough? See sig for details.

a windows service is the windows nt equivalent of the unix daemon...
did the folks in redmond coin the term? sure, why shouldn't they, they
designed windows nt, they have every right to name the architectural
components anything they like... why use a special new term instead of
'daemon'? because windows isn't unix and unix concepts don't
necessarily apply...

regardless - while both daemons and servers sit around waiting to do
something, the term 'server' specifies a role and the terms 'daemon'
and 'service' both specify an implementation category...
 
Colonel Flagg

the reason the phrases i use sound foreign to you
is that the university i got my computer science degree from

lol. I should have known. oops. my bad. so how long you been out of
university? 2/4 years?


[snip]
server n. A kind of daemon that performs a service for the

interesting... so therefore there are other kinds of daemons that
aren't servers... so therefore daemons aren't the same thing as servers...


I just love an argument over semantics.




 
kurt wismer

Colonel said:
(e-mail address removed) says...
the reason the phrases i use sound foreign to you
is that the university i got my computer science degree from

lol. I should have known. oops. my bad. so how long you been out of
university? 2/4 years?

non-sequitur...
[snip]

server n. A kind of daemon that performs a service for the

interesting... so therefore there are other kinds of daemons that
aren't servers... so therefore daemons aren't the same thing as servers...

I just love an argument over semantics.

ultimately, semantics is just a fancy term for the meaning of things,
and most arguments boil down to the meaning of things...

that said, your own quote proves my point rather nicely and your
statement "allowing _any_ daemon (server for you microsoft weenies)"
implies an equivalence between daemons and servers that is false...
 
Colonel Flagg

that said, your own quote proves my point rather nicely and your
statement "allowing _any_ daemon (server for you microsoft weenies)"
implies an equivalence between daemons and servers that is false...


looks to me like you're full of shit, from the microsoft primary weenie
website:

----------------
http://www.microsoft.com/WindowsServer2003/iis/default.mspx

(IIS)

Internet Information Services
A powerful Web server, Internet Information Services (IIS) 6.0 provides
a highly reliable, manageable, and scalable Web application
infrastructure for all versions of Windows Server 2003. IIS helps
organizations increase Web site and application availability while
lowering system administration costs.

IIS 6.0 supports the Microsoft Dynamic Systems Initiative (DSI) with
automated health monitoring, process isolation, and improved management
capabilities.
-----------------

looks to me like, microsoft prime interchanges "server" and "services"
quite frequently? why can't you accept that?






 
Frederic Bonroy

Colonel Flagg wrote:
http://www.microsoft.com/WindowsServer2003/iis/default.mspx

(IIS)

Internet Information Services
A powerful Web server, Internet Information Services (IIS) 6.0 provides
a highly reliable, manageable, and scalable Web application
infrastructure for all versions of Windows Server 2003. IIS helps
organizations increase Web site and application availability while
lowering system administration costs.

IIS 6.0 supports the Microsoft Dynamic Systems Initiative (DSI) with
automated health monitoring, process isolation, and improved management
capabilities.

Have you considered that the word "Services" in "Internet Information
Services" could have been chosen for marketing reasons rather than for
technical reasons?
 
kurt wismer

Colonel said:
(e-mail address removed) says...


looks to me like you're full of shit, from the microsoft primary weenie
website:

it looks to me like you are having yet more difficulty with reading
comprehension, not to mention a problem avoiding tangents and
non-sequiturs... but i'll indulge you...
----------------
http://www.microsoft.com/WindowsServer2003/iis/default.mspx

(IIS)

Internet Information Services
A powerful Web server, Internet Information Services (IIS) 6.0 provides [snip]

looks to me like, microsoft prime interchanges "server" and "services"
quite frequently? why can't you accept that?

it looks to me like "Internet Information Services" is a product name,
like "Apache"... and like Apache, the product name does not necessarily
describe what the product contains...

now, are you quite finished being ridiculous?
 
Ben Measures

Colonel said:
looks to me like you're full of shit, from the microsoft primary weenie
website:

----------------
http://www.microsoft.com/WindowsServer2003/iis/default.mspx

(IIS)

Internet Information Services
A powerful Web server, Internet Information Services (IIS) 6.0 provides
a highly reliable, manageable, and scalable Web application
infrastructure for all versions of Windows Server 2003. IIS helps
organizations increase Web site and application availability while
lowering system administration costs.

IIS 6.0 supports the Microsoft Dynamic Systems Initiative (DSI) with
automated health monitoring, process isolation, and improved management
capabilities.

YHBT.

--
Ben M.

----------------
What are Software Patents for?
To protect the small enterprise from bigger companies.

What do Software Patents do?
In its current form, they protect only companies with
big legal departments as they:
a.) Patent everything no matter how general
b.) Sue everybody. Even if the patent can be argued
invalid, small companies can ill-afford the
typical $500k cost of a law-suit (not to mention
years of harassment).

Don't let them take away your right to program
whatever you like. Make a stand on Software Patents
before it's too late.

Read about the ongoing battle at http://swpat.ffii.org/
----------------
 
Dazz

it looks to me like "Internet Information Services" is a product name,
like "Apache"... and like Apache, the product name does not necessarily
describe what the product contains...

I disagree.

IIS actually offers a range of services, such as http, ftp and nntp,
so it does in effect describe what it offers - services.

Apache on the other hand, offers http, and let's not forget that it
also offers proxying, but as you pointed out, the product name does
not necessarily describe what the product contains.

So, in effect, IIS, a product name, is describing what it offers - and
that is, services.

Dazz

<snipped>
 
kurt wismer

Dazz said:
I disagree.

IIS actually offers a range of services, such as http, ftp and nntp,
so it does in effect describe what it offers - services.

those are not services, those are protocols... hypertext transfer
protocol, file transfer protocol, and network news transport
protocol... IIS contains servers that handle those protocols... calling
that a service or collection of services is like calling all the things
your local bank can do for you 'services'... it's not the same as the
services context used thus far (windows services)...
 
E.

kurt said:
those are not services, those are protocols... hypertext transfer
protocol, file transfer protocol, and network news transport protocol...
IIS contains servers that handle those protocols... calling that a
service or collection of services is like calling all the things your
local bank can do for you 'services'... it's not the same as the
services context used thus far (windows services)...

Under Services: NNTP service, SMTP service etc, Handled by IIS....
E.
 
kurt wismer

E. said:
Under Services: NNTP service, SMTP service etc, Handled by IIS....

because as stated previously, under NT, servers are generally
implemented as windows services... that still does not mean that the
two terms are used interchangeably...

and i still contend that the context in which 'services' is used in
"Internet Information Services" is equivalent to the context of banking
services or other service industry services, rather than windows
services... microsoft rarely includes technical terms in product names...
 
Dazz

those are not services, those are protocols... hypertext transfer
protocol, file transfer protocol, and network news transport
protocol... IIS contains servers that handle those protocols... calling

<sarcasm> Really? Gee, I never knew that. </sarcasm>

Any moron knows that they are protocols, however, they are also the
names of services that happen to run on certain servers.

But let me help you, because clearly you don't understand.

I'm going to quote from Micro$oft themselves.

http://www.microsoft.com/windowsserver2003/iis/evaluation/features/default.mspx

"Traditionally, File Transfer Protocol (FTP) is used to transfer files
and to upload Web content to service providers. The built-in FTP
service in IIS 6.0 provides includes the ability to isolate users in
their own directory, to prevent them from viewing or overwriting other
users' Web content."

So you see, even Micro$oft themselves, call ftp, a service.

that a service or collection of services is like calling all the things
your local bank can do for you 'services'... it's not the same as the
services context used thus far (windows services)...

So what?

You can also have a church service, a dinner service and your car
serviced.

The simple fact, that you fail to understand, is that the FTP service
runs on FTP servers, so that people can connect using FTP (file
transfer protocol).

And the same goes for http and nntp.

Dazz
 
Dazz

and i still contend that the context in which 'services' is used in
"Internet Information Services" is equivalent to the context of banking
services or other service industry services, rather than windows
services... microsoft rarely includes technical terms in product names...

Let's go back to what I originally said.

"IIS actually offers a range of services, such as http, ftp and nntp,
so it does in effect describe what it offers - services."

I didn't say that it was called IIS because it has things running as
services - which seems to be your point.

Otherwise, Windows 2003, XP, 2000 and NT would all be called IIS (they
all run various services).

But let's move on.

Take note of the " ... so it does in effect describe what it offers -
services".

Those "services" happen to be ftp, nntp and http.

As I've already pointed out, even though ftp, nntp, and http are all
protocols, they are also commonly named services that run on various
servers.

Even Microsoft agree.

http://www.microsoft.com/windowsserver2003/iis/evaluation/features/default.mspx

"Traditionally, File Transfer Protocol (FTP) is used to transfer files
and to upload Web content to service providers. The built-in FTP
service in IIS 6.0 provides includes the ability to isolate users in
their own directory, to prevent them from viewing or overwriting other
users' Web content."

So, clearly, I don't think you actually read my post. You half read
it, and then jumped to a conclusion, which happens to be mistaken.

Also take note of the following:

"So, in effect, IIS, a product name, is describing what it offers -
and that is, services."

How do you think Terminal Server got its name?

How do you think Exchange Server got its name?

So, what I said was actually correct, and that is:

"So, in effect, IIS, a product name, is describing what it offers -
and that is, services."

As you can see, from Terminal Server and even Exchange Server,
Microsoft do name "products" after the description of what they offer.

Further to that, it's interesting that you used the word "rarely"
because that can be taken as they *do* use technical terms in product
names.

Sure, maybe not all the time, but they do.

Dazz
 
