May 26, 2022
Server security requirements vary from organization to organization, and tools for scanning servers also vary. So, a single, comprehensive strategy for addressing reported vulnerabilities simply isn't possible. It is also important to remember that a Rumpus server provides services that are very different from a typical Web server. By design, a Rumpus server allows outside users to upload and download files, view server file listings, and interact with content in ways generic Web sites do not. As a consequence, generalized vulnerability scans may not accurately assess your server's potential for unwanted access.
With that said, here are the first steps you should always take if and when a potential vulnerability is reported.
Maxum is constantly updating the Rumpus software to maintain best known security practices. When reviewing reported vulnerabilities, it is essential that you be running not only the most up to date general release of Rumpus, but the most current maintenance release as well. Access the Rumpus downloads page to check for updates.
SSL/TLS is enabled for both Web and FTP on the Network Settings window, Secure Services tab. Make sure that HTTPS and FTPS are both enabled, as described in the "Secure Transfers" article in the Rumpus package. In addition, once a trusted certificate has been installed and HTTPS has been enabled, make sure that the "Redirect All Connections To HTTPS" option is on, which redirects incoming unsecured connections to the secure HTTPS Web service.
Rumpus includes an option to one-way encode user passwords, making them impossible to retrieve (even by a network administrator). The "Store Passwords" option can be found on the Network Settings window, Preferences tab, and for best security, should be set to "Using Strong Encryption". This option has server management side effects, described here.
Assuming you are not running your Rumpus service within the frameset of some other Web site, you should disable clickjacking. This option is found on the Web Settings window, Advanced tab, and is called "Prevent Clickjacking".
Browser plug-ins are 3rd party software that add functionality to a user's Web browser. For example, a browser may use a plug-in to display a video file or some other content that the browser doesn't natively support. This represents a security risk, however, because a browser may be tricked into sharing files with an unintended plug-in. The problem is solved using the "HTTP-Only" token, and Rumpus will correctly use the token to prevent this type of attack when the "Disable Browser Plug-In Access" option is enabled on the Web Settings window, Options tab.
On the Network Settings window, Secure Services tab, enable the "Enable Strict Trans. Security" option. This option adds an HTTP header token that indicates to clients that they should only access the server on a secure channel.
Security scanners are only one tool in the arsenal of an Internet server administrator. Be sure to review the "Server Security" article in the Rumpus package for other common-sense and important information on maintaining a secure server. As always, contact support@maxum.com if you have questions or concerns not addressed in this article.