How do you protect your servers from user-uploaded content?

Users can upload mp4, mp3, svg, gif, png, jpeg, webp and maybe in the future browser HTML/JS and mobile games; the exact set of file formats is not fixed.

How do you protect your server from the content they upload?
How do sites like YouTube, FB, VK, Instagram and others do it?
April 4th 20 at 00:54
6 answers
April 4th 20 at 00:56
Solution
Usually social networks and major platforms re-encode uploaded video files; this gets rid of the metadata and of specially crafted byte sequences that vulnerable software could misinterpret.
It won't help against the content itself: if someone uploads illegal content you will still have to answer to the law, and there is no way to define which information is prohibited (each country has its own laws; you can get locked up even for a harmless picture of Winnie the Pooh).
So once the user has sent an mp3 file to the server, we keep the format but re-encode it?
How and why will that help avoid scripts in the file?
"specially crafted byte sequences that vulnerable software could misinterpret"
It's not clear to me how exactly that works.

"It won't help against the content itself: if someone uploads illegal content"
That's understandable; that's what the complaint feature and neural networks are for. Although I'd still like to know how to clean up that content!? - cortney10 commented on April 4th 20 at 00:59
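What re-encoding with ffmpeg or an image library buys you is that only the decoded pixels (or samples) survive; every byte the decoder did not need is gone. The example below is added here and is not the answer's code: it shows the same idea by hand on PNG, the simplest of the listed formats to parse. It checks the signature and every chunk's length and CRC, keeps only the chunks a viewer needs (the KEEP_CHUNKS whitelist is an assumed policy, not something the PNG spec requires), and rejects files with bytes after IEND, which is the usual place a polyglot hides a script. The sample image is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks a viewer needs to render the image. Everything else (tEXt, iTXt, zTXt,
# eXIf, iCCP, tIME, ...) is metadata and gets dropped. This whitelist is an
# assumed policy for an upload pipeline, not something the PNG spec mandates.
KEEP_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}


class BadPng(ValueError):
    """The bytes are not a well-formed PNG; reject the upload."""


def iter_chunks(data):
    """Yield (type, payload) for each chunk, checking bounds and CRCs as we go."""
    if not data.startswith(PNG_SIGNATURE):
        raise BadPng("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise BadPng("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:          # PNG caps chunk length at 2^31-1
            raise BadPng("chunk length out of range")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise BadPng("chunk payload runs past end of file")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) != crc:
            raise BadPng("CRC mismatch in %s chunk" % ctype.decode("latin-1"))
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            if pos != len(data):         # e.g. a PHP/HTML payload glued after the image
                raise BadPng("trailing bytes after IEND")
            return


def build_chunk(ctype, payload):
    """Serialize one chunk with a freshly computed CRC."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_error(data):
    """None if data is a well-formed PNG, otherwise the reason it was rejected."""
    try:
        for _ in iter_chunks(data):
            pass
        return None
    except BadPng as exc:
        return str(exc)


def sanitize_png(data):
    """Re-emit only the whitelisted chunks. Returns (clean_bytes, dropped_chunk_types)."""
    out = [PNG_SIGNATURE]
    dropped = []
    for index, (ctype, payload) in enumerate(iter_chunks(data)):
        if index == 0 and ctype != b"IHDR":
            raise BadPng("first chunk must be IHDR")
        if ctype in KEEP_CHUNKS:
            out.append(build_chunk(ctype, payload))
        else:
            dropped.append(ctype.decode("latin-1"))
    return b"".join(out), dropped


def make_sample_png(with_metadata=True):
    """Constructed 1x1 red RGB PNG, optionally carrying a tEXt metadata chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter byte + one pixel
    chunks = [build_chunk(b"IHDR", ihdr)]
    if with_metadata:
        chunks.append(build_chunk(b"tEXt", b"Comment\x00uploaded by user, any junk fits here"))
    chunks.append(build_chunk(b"IDAT", zlib.compress(scanline)))
    chunks.append(build_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)
```

In a real pipeline you would decode the IDAT data and re-encode it too (that is what the re-encoding step in the answer does); the chunk-level pass shown here already removes everything a viewer does not need and refuses anything that is not structurally a PNG.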
April 4th 20 at 00:58
Solution
The content itself does not pose any direct threat. But if your server has vulnerabilities that let it be attacked via uploaded content, then obviously the content has nothing to do with it. You need to fix those vulnerabilities, rather than try to defend yourself against the content.

As for how websites like YouTube, FB, VK, Instagram do it, you need to ask their owners. Everyone else can only guess. Do you not need guesses? Or do you?
As for guesses: at least the theory, the basics.
As for the vulnerabilities, which are the most common?
I wonder how the infection happens. For example, a user uploads an mp4 file; it gets processed on the server anyway, by something like ffmpeg. The idea being: can you write a script that gets launched right after the file is uploaded to the server, like a web shell? I need details. - cortney10 commented on April 4th 20 at 01:01
Again: an mp4 file does not pose any direct threat. Period. You don't defend against it. - Sunny57 commented on April 4th 20 at 01:04
@Sunny57, what about other types? Do you have any links to read about which files carry which specific or potential threats? - cortney10 commented on April 4th 20 at 01:07
No. It's content. It contains no instructions that could transfer control. And if you upload some program instead, the server won't run it; it'll just throw an error saying the video format is incorrect.

Well, if by some miracle the server does run the uploaded program instead of the video, the real threat lies in the genes of the person who set up the server. - Sunny57 commented on April 4th 20 at 01:10
April 4th 20 at 01:00
Solution
Disable execution of all files in the storage for every user.
Even for the server? That is, 644? https://ru.wikipedia.org/wiki/Chmod - cortney10 commented on April 4th 20 at 01:03
@cortney10, Exactly. - zelda_Lebsack62 commented on April 4th 20 at 01:06
I don't understand what that will achieve. Judging by the subject, users can't execute anything on the server anyway. - Maverick_Muller commented on April 4th 20 at 01:09
@Maverick_Muller, there isn't a word in the question about being unable to execute code.
Explain how you came to that conclusion? - zelda_Lebsack62 commented on April 4th 20 at 01:12
@zelda_Lebsack62, I sort of did an audit of permissions on the files. Is there a way to automate this? For example, check every file on the server and log it if its permissions are, say, 777 or 666? - cortney10 commented on April 4th 20 at 01:15
@cortney10, why? It's easier to just give all the files in the folder the permissions they need) - zelda_Lebsack62 commented on April 4th 20 at 01:18
@zelda_Lebsack62, then you have to start from the root ~/ as I understand it, and configure it specifically for the project, because there are logs, cache... - cortney10 commented on April 4th 20 at 01:21
@cortney10, Something like that, yes.
Do it with a bash script: each group of objects (files, folders, masks, etc.) gets its own permissions.
Everything originally intended for "paper" checks gets logged during the script runs.

You can also make an extra script for testing the permissions, to make sure they are configured correctly. - zelda_Lebsack62 commented on April 4th 20 at 01:24
@zelda_Lebsack62, thanks, helpful! - cortney10 commented on April 4th 20 at 01:27
@cortney10, Oh, and block access to the storage over the web, forbidding it with a properly configured web server filter. (just in case, as they say...) - zelda_Lebsack62 commented on April 4th 20 at 01:30
@zelda_Lebsack62, for sure! And what is the best and correct way to do it? If you allow access only from specific service IPs, the IPs can change over time and then everything breaks. And allowing access only to whitelisted domains looks terrible) - cortney10 commented on April 4th 20 at 01:33
@cortney10, I didn't understand a thing)
We either expose those folders to the web or we don't.
If we expose them, then to everyone or only to authorized users.
And which files.

(what the domains and services were about I did not understand at all; all the content is for the front-end in any case)

I would put a filter by extension on the front-end, for everyone and everything.
On the front-end you can start from allowing access, not denying it. - zelda_Lebsack62 commented on April 4th 20 at 01:36
@zelda_Lebsack62, apparently I misunderstood you.
Storage is where the files are: photos, videos, etc.
The web front-end pulls data from the API; the data is on the API server
The API is on another server

Web server filters, like CORS, where we whitelist the domains that may request a file from the server. In our case only the API server with a specific domain can do that. A kind of layer between the user and the data store. Give the user a temporary link to the file.

Do I understand correctly what you mean?
1. "disable access to the storage via the web, forbidding it with a properly configured web server filter." - a whitelist in nginx?
2. "If we expose them, then to everyone or only to authorized users." - access to the files only from a specific domain?
3. "I would put a filter by extension on the front-end, for everyone and everything." - what is the front-end extension? - cortney10 commented on April 4th 20 at 01:39
@cortney10, access to the storage (reading files from it) via a script: close it for everyone!
Otherwise, open only what is needed (by extension).
"Give the user a temporary link to the file."
I take it the link is a route (script) into the storage.

As for CORS, I'm not sure at all, if you're using a server-side script.

A web server filter: a whitelist on regexps. - zelda_Lebsack62 commented on April 4th 20 at 01:42
@zelda_Lebsack62, I get it, it's evening, you're getting dull, better go to sleep. - cortney10 commented on April 4th 20 at 01:45
@cortney10, then - goodbye! - zelda_Lebsack62 commented on April 4th 20 at 01:48
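The permission audit cortney10 asks about in this thread (walk every file, log anything that is 777/666 or otherwise wrong) and the "give every group of objects its own permissions" script zelda_Lebsack62 describes fit in one short tool. The example below is added here and is not code from the thread. It assumes a Linux/Unix upload store and a hypothetical policy of 0644 for files and 0755 for directories, with nothing executable, nothing group- or world-writable and no symlinks; `build_sample_store()` creates a constructed temporary tree with exactly those mistakes so the audit has something to find.

```python
import os
import stat
import tempfile

# Assumed policy for an upload store on Linux/Unix: nothing executable, nothing
# group- or world-writable, no symlinks. The target modes are hypothetical
# defaults, not values from the thread; adjust them to your deployment.
FILE_MODE = 0o644   # rw-r--r--
DIR_MODE = 0o755    # rwxr-xr-x


def _problems(st):
    """List the policy violations for one lstat() result (empty list = fine)."""
    if stat.S_ISLNK(st.st_mode):
        return ["symlink in upload store"]
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group/world writable")
    if stat.S_ISREG(st.st_mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable file")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid")
    return reasons


def audit_tree(root):
    """Walk root without following symlinks; return [(path, octal_mode, reasons), ...]."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = _problems(st)
            if reasons:
                findings.append((path, "%04o" % stat.S_IMODE(st.st_mode), reasons))
    return findings


def audit_names(root):
    """Same as audit_tree, keyed by basename (handy for reporting and for tests)."""
    return {os.path.basename(path): reasons for path, _, reasons in audit_tree(root)}


def enforce_modes(root):
    """chmod every directory to DIR_MODE and every regular file to FILE_MODE.
    Symlinks are skipped (chmod would follow them) and left for the audit to flag.
    Returns the number of entries whose mode was changed."""
    targets = [(root, DIR_MODE)]
    for dirpath, dirnames, filenames in os.walk(root):
        targets += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        targets += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
    changed = 0
    for path, want in targets:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode) or stat.S_IMODE(st.st_mode) == want:
            continue
        os.chmod(path, want)
        changed += 1
    return changed


def build_sample_store():
    """Constructed sample tree with the mistakes the audit should catch."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.mkdir(os.path.join(root, "cache"))
    os.chmod(os.path.join(root, "cache"), 0o777)          # world-writable directory
    for name, mode in (("photo.jpg", 0o666),               # world-writable file
                       ("shell.php", 0o755),               # executable file
                       ("clip.mp4", 0o644)):               # compliant
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.chmod(path, mode)
    os.symlink(os.path.join(root, "photo.jpg"), os.path.join(root, "link.jpg"))
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for path, mode, reasons in audit_tree(store):
        print(mode, path, ", ".join(reasons))
    print("fixed %d entries; remaining:" % enforce_modes(store), audit_names(store))
```

Run the audit from cron against the store and alert on a non-empty result; run `enforce_modes` only on the upload directory itself, since logs and cache directories elsewhere in the project need different modes, as the thread notes. The mode bits matter less than the web server never executing anything under that directory, which the audit cannot check; that is the web server configuration.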
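The design the two of them converge on above (storage not reachable from the web, files served only through an API route that hands out a temporary link, and an extension whitelist on regexps) is usually implemented with signed, expiring URLs. The example below is added here and is not the thread's code. It assumes a hypothetical `/files/` route on the API server and a server-side HMAC key; the extension list is the one from the question. The signature covers both the path and the expiry, so neither can be edited, and the path check refuses `..`, empty segments and percent-encoded tricks before any signature is even looked at.

```python
import base64
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlsplit

# The extensions from the question; anything else is refused outright.
ALLOWED_EXT = re.compile(r"\.(mp4|mp3|svg|gif|png|jpe?g|webp)$", re.IGNORECASE)
# One path segment: must start with a letter or digit, so "", ".", ".." and
# percent-encoded tricks like "%2e%2e" all fail to match.
SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
PREFIX = "/files/"   # assumed route on the API server that streams files out of storage


def is_safe_path(path):
    segments = path.split("/")
    return all(SEGMENT.match(s) for s in segments) and bool(ALLOWED_EXT.search(segments[-1]))


def _sig(key, path, exp):
    """HMAC-SHA256 over path and expiry, base64url without padding."""
    mac = hmac.new(key, ("%s\n%d" % (path, exp)).encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def make_link(key, path, ttl_seconds, now=None):
    """Issue a link valid for ttl_seconds; refuses paths the store would never serve."""
    if not is_safe_path(path):
        raise ValueError("refusing to sign path %r" % path)
    now = int(time.time()) if now is None else int(now)
    exp = now + int(ttl_seconds)
    return "%s%s?exp=%d&sig=%s" % (PREFIX, path, exp, _sig(key, path, exp))


def check_link(key, link, now=None):
    """Validate a presented link. Returns (ok, reason); serve the file only when ok."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(link)
    if not parts.path.startswith(PREFIX):
        return False, "bad path"
    path = parts.path[len(PREFIX):]
    if not is_safe_path(path):
        return False, "bad path"
    query = parse_qs(parts.query)
    try:
        exp = int(query.get("exp", [""])[0])
    except ValueError:
        return False, "bad exp"
    sig = query.get("sig", [""])[0]
    # Constant-time compare; check the signature before expiry so a tampered link learns nothing.
    if not hmac.compare_digest(_sig(key, path, exp).encode("ascii"), sig.encode("utf-8")):
        return False, "bad signature"
    if exp <= now:
        return False, "expired"
    return True, "ok"
```

The API issues `make_link` after it has authorized the user; the route that streams the file runs `check_link` and then reads the file from storage itself. The storage host never needs to be reachable from browsers, which also makes the CORS and IP-whitelist questions raised above moot: browsers only ever talk to the API.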
April 4th 20 at 01:02
Solution
Moderate and promptly remove illegal content. Respond promptly to complaints.
The only way.

"How do sites like YouTube, FB, VK, Instagram and others do it?"
Exactly like that.
Plus, such large organizations can apply pressure and often try to dictate their own law.
April 4th 20 at 01:04
The question "How to protect" must come with a model of the threats we need to defend against. What are you afraid of: an attack on the server, an attack on the clients (i.e. someone uploads a malicious file, others download it and get into trouble), claims from rights holders?
A user uploads a file, it gets processed and served to other users.
What are the attack vectors against the server, and then against the client?
What should I check and test, and how do I protect against it? - cortney10 commented on April 4th 20 at 01:07
April 4th 20 at 01:06
"How do you protect your server from the content they upload?"

Protect what from what? From the site being hacked? Or from people uploading videos of babes? If your website can be attacked via user content, then obviously the site needs more work.
And if it's about protection against illegal content: only post-moderation. Viewing and deleting. And a prompt response to complaints. Why do you think YouTube hires moderators by the pack? Because wading through shit and filth (CP, guro, stupid jokes, etc.) is very hard. It would seem: well, so what? But try it :)
"user content, then obviously the site needs more work"
needs what kind of work?
"Protect what from what? From the site being hacked?"
from user scripts being executed on the server side, and while other users read the file.
I don't know exactly how the hacking happens, hence the question. - cortney10 commented on April 4th 20 at 01:09
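Of the formats listed in the question, svg is the one that can carry script, which is the "while other users read the file" case cortney10 asks about: a browser that opens an uploaded SVG directly (not via an `<img>` tag, where script never runs) executes its `<script>` elements, `on*` event handlers and `javascript:` links. The example below is added here and is not code from the thread. It parses the upload with the standard library's ElementTree and strips those three things; the element list it drops is an assumed policy, the sample SVG is constructed inline, and the `javascript:` check removes the control characters browsers ignore inside a scheme so that `jav&#x09;ascript:` does not slip past. Uploads with a DTD are refused outright, which is the cheap way to avoid entity-expansion games without pulling in a hardened parser such as defusedxml.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
DROP_ELEMENTS = {"script", "foreignObject"}      # assumed policy: script and embedded HTML go
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
_CONTROL = re.compile(r"[\x00-\x20]")             # browsers ignore these inside a URL scheme


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _is_script_url(value):
    return _CONTROL.sub("", value).lower().startswith("javascript:")


def _walk(elem, removed):
    for child in list(elem):
        if _local(child.tag) in DROP_ELEMENTS:
            removed.append("element:" + _local(child.tag))
            elem.remove(child)
        else:
            _walk(child, removed)
    for attr in list(elem.attrib):
        lname = _local(attr).lower()
        if lname.startswith("on"):                               # onload, onclick, ...
            removed.append("attr:" + lname)
            del elem.attrib[attr]
        elif attr in HREF_ATTRS and _is_script_url(elem.attrib[attr]):
            removed.append("href:javascript:")
            del elem.attrib[attr]


def sanitize_svg(svg_text):
    """Return (clean_svg_text, list_of_removed_items); raises ValueError on DTDs or non-SVG."""
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.IGNORECASE):
        raise ValueError("DTD not allowed in uploaded SVG")
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _walk(root, removed)
    ET.register_namespace("", SVG_NS)        # serialize with a default xmlns, as SVG files are written
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: every trick the sanitizer is meant to remove, plus harmless content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="10" height="10" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10" fill="red" onclick="alert(2)"/>
  <a xlink:href="jav&#x09;ascript:alert(3)"><text y="8">hi</text></a>
</svg>"""

if __name__ == "__main__":
    cleaned, items = sanitize_svg(SAMPLE_SVG)
    print("removed:", items)
    print(cleaned)
```

Whatever you strip, also serve user SVGs with `Content-Type: image/svg+xml` from a separate origin (or with `Content-Disposition: attachment`), so that even a payload the sanitizer missed cannot run in your application's origin.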
