

Show HN: PatrolServer – Continuous updates of the vulnerabilities on your servers - dolfje
http://patrolserver.com

======
jcr
1.) The first thing I noticed was "delivery by mail" in the top text, and it
made me concerned; any communication of potential vulnerabilities (i.e. scan
results) should be properly encrypted to the recipient and authenticated from
you.

2.) The site layout (css) is buggy. On older browsers, some text is positioned
partially off screen on the left. Yes, supporting old browsers is a pain, but
within reason, it's worthwhile.

3.) The top menu has a white text, but since the top menu stays in place when
scrolling on to a white background below, the menu text becomes unreadable
(white on white).

Good Luck!

~~~
dolfje
Thank you very much for the feedback!

We have had multiple meetings about the security concern of mail
communication. And we opted (for now) to send the information by mail, just
for the convenience and rapid delivery to the end user. Also in the thought
that all information we scan about your server is actually publicly available.
So getting the information to the owner as fast as possible is more important
than hiding the information (as in security through obscurity). But as we
progress, we definitely see the need to hide data and/or encrypt them in the
mail. (Especially with the PHP detector)

------
Cthulhu_
How is PatrolServer's own security? Are results encrypted? Can the results be
gathered (i.e. 'site X is vulnerable to exploits A, B and C)? I know that
sounds like security by obscurity, but it has to be asked.

I'd much prefer to install a tool on the actual server that reports a local
report. But that's hard to monetize.

~~~
dolfje
Good question! As you already hinted, we will not disclose all our security
measures. But our platform is secured on multiple levels. First of all, all
communication between you and our server is encrypted. No eavesdropping
possible. So only you know your own vulnerabilities. Second, because you have to
verify your server, a third party can't get secret vulnerability data about
your system. So they cannot use our system as an easy tool to get attack vectors.
Third, we separate the scan logic and webserver logic into different servers.
And only the scanner has information about passwords and secret information.
So while we make our webserver very safe, the scan server is Fort Knox. One
particularly nice thing: the scanner server has no open incoming ports. So you
cannot access it. Fourth, the PHP detector file will only react to our server
and all data exchange is encrypted with keys only known to the scan server.
The commands that have to be executed are also signed with asymmetric keys,
signed on an offline computer. Fifth, we keep improving our security while
monitoring our systems (with our service but also with other tools). Because
new attack vectors are released every day.

~~~
tobylane
I would be interested in a larger writeup on that system, I like it.

~~~
dolfje
We will come back with some more details, but at the moment we are having an
internal discussion of how many details can be published. So expect it
somewhere next week.

------
dolfje
Thanks everybody! 1 day on Hacker News, 1574 uniques, 103 signups, 15% signup
rate and 53% total vulnerability rate. You all have some fixing to do. If you
have more feedback, let us know (or spread the love).

------
RossM
Eh, it just seems to compare detected versions against the latest version of
software. It would be nice if it said _why_ the installed version is
vulnerable, links to CVEs, etc.

~~~
dolfje
We indeed compare versions against the latest version of the software. Though
we also keep track of which versions are supported and also create an
inventory with the CVEs and their risk. There are also vulnerability scanners
incorporated. That is why we sometimes still show a version is outdated, while
we don't know the actual version.

For now we spend more time on giving information on how to keep your system
secure and making that as easy as possible. If we can present 1 solution to fix
22 CVE exploits, we find that preferable to showing 22 issues that need to get
fixed with detailed information about the CVE. But that data should
still be findable for experts and is also shown on the data cards. (Except
when the data isn't disclosed yet by the software manufacturer.) So if you
don't see the CVE, please tell us more details about the software that doesn't
have vulnerabilities.

~~~
RossM
Okay, that sounds more worthwhile. When I did a simple test against a LAMP
server, the only information I got back was "running 5.5.25, latest 5.5.27,
this is a vulnerability". I assume you're presenting that info for different
software.

~~~
dolfje
There is more logic to it. We try to detect if you use Ubuntu/Debian and
suggest those updates. From the moment we know the exploits, we show them.
Probably you're talking about PHP? For PHP 5.5.25 there are the following
exploits: CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2015-2325,
CVE-2015-2326 and CVE-2015-3152. But none of them have information yet. (See
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152).)
So as soon as they are disclosed, the exploits will automatically be shown
(within 5 minutes).
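
The version-comparison logic discussed in this sub-thread (detected version vs. latest, a CVE inventory keyed by fixed-in version, and the Ubuntu/Debian caveat that distro security backports fix CVEs without bumping the upstream version) as an added illustration; this is not PatrolServer's code, and the inventory, backport table and CVE ids are constructed placeholders:

```python
import re

# Constructed sample inventory (placeholder ids, not real CVE data):
# first upstream PHP version that fixes each entry -> CVE ids it closes.
INVENTORY = {
    "5.5.26": ["CVE-0000-0001", "CVE-0000-0002"],
    "5.5.27": ["CVE-0000-0003"],
}
LATEST = "5.5.27"

# Constructed table of distro security backports: a package version string
# that still reports upstream 5.5.25 but carries the distro's patches.
BACKPORTS = {
    ("ubuntu", "5.5.25+dfsg-2ubuntu1.3"): [
        "CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
    ],
}


def parse_version(text):
    """Split '5.5.25+dfsg-2ubuntu1.3' into ((5, 5, 25), '+dfsg-2ubuntu1.3').

    Comparing tuples of ints avoids the classic '5.5.9' > '5.5.10' string bug.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def assess(detected, distro=None):
    """Return outdated flag, outstanding CVE ids and an upgrade suggestion."""
    upstream, _suffix = parse_version(detected)
    # Every CVE whose fix landed in a version newer than the detected one.
    cves = set()
    for fixed_in, ids in INVENTORY.items():
        if upstream < parse_version(fixed_in)[0]:
            cves.update(ids)
    # Subtract CVEs the distro already patched in place (backports), so a
    # fully patched Ubuntu box is not flagged merely for an old version number.
    cves -= set(BACKPORTS.get((distro, detected), []))
    outdated = upstream < parse_version(LATEST)[0]
    if distro in ("ubuntu", "debian"):
        advice = "apply pending security updates via the distro package manager"
    else:
        advice = "upgrade to upstream %s" % LATEST
    return {"outdated": outdated, "cves": sorted(cves),
            "advice": advice if cves else "no outstanding issues"}
```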

------
Phogo
Incorrect redirect at
[http://patrolserver.com/css/](http://patrolserver.com/css/)

~~~
dolfje
Thanks, solved ;)

------
Immortalin
Website is broken on mobile after logging in.

~~~
roosvert
Thanks! Problem solved!

~~~
dolfje
Indeed the problem is solved. The mobile stylesheet wasn't loaded on
production. Sorry for the inconvenience. But glad you noticed and warned us ;)

