Website Security

Charity Discounts

11-12-2018

Website Security

Here are some tips to keep your site secure. This was primarly written in response to a hacked site:

1. First thing you need to do is check all vendor/developer sites for ALL web scripts/applications used in your account for any update including any mod you may be using in any web application. If you are using any open source web application, that may be the prime suspect. However, you must them check all and keep them up to date. Check the database on www.secunia.com for any known exploits released in public.

2. Once you have verified that 100% of scripts are the latest stable versions, you will need to go through all files of your account and make sure none is uploaded by hackers before you audited or left by you from an old install of an application. You can use ftp or cpanel file manager to go through all files under public_html and compare them with your local copy. [You should always maintain a local copy for this comparison as well as a backup]

3. Make sure all passwords are a mix of alpha-numeric and not a dictionary word. Just because you thought of a difficult word from dictionary does not make it safe.

4. The MySQL database access to all web application should be using separate db users. Do not ever use your main account user/pass for it. Your main user/pass should never be stored in any file in your account.

5. In your control panel, activate archive option of your web logs in Raw Log Manager. This will give you the opportunity to check how the hacker exploited one of the scripts. Otherwise all raw logs are cleared after generating stats. If you have already been hacked, its too late now but you can archive the logs for future attacks.

6. If you have customized a web application with a mod, make sure it is also the latest stable version. Many popular web applications may be stable but one of the addon mods are exploitable.

7. If you have written some code yourself, make sure all input variables are sanitised (checked for valid data before using it). Otherwise a single line of bad code can give access to your entire account. The usual blunder is to include a file based on user input. Again, make sure all input to a script is checked for valid data. All exploits are based on input data. If your site does not take any input, you are 100% safe from web exploits, i.e. if you run 100% static html site with no script whatsoever anywhere in your account.

8. For php, any application that uses register_globals to be active has more chances of being exploitable. Avoid such applications.

9. If you have some mail script, make sure it is safe from header injection. In essence make sure that email address, subject and other part of data that is being submitted by user does not contain line breaks. Here is a code snippet that you use against all input variables from the form:

PHP Code:

//should not allow empty breaks in your mail or subject

//check name, email, and subject
if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) || ereg( "[\r\n]", $subject) ) {
header( "Location: $errorurl" );
exit ;
}

//or put everything you want to check into an array and check it all
$checkme[ ] = $name;
$checkme[ ] = $email;
$checkme[ ] = $subject;

foreach($checkme as $check) {
if ( ereg( "[\r\n]", $check) ) {
header( "Location: $errorurl" );
exit ;
}
}

should probably clean the mail before using it:

PHP Code:

$mail = str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $email);

$subject = str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $subject);
in fact no real reason to even allow html tags in your subject, and so feel free to just use:

PHP Code:

$subject = strip_tags($_POST['subject']);
and just good practice to make sure the end result is formatted: correctly

PHP Code:

if (eregi ("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)+$",$email)) {
//good
} else {
//bad
}

10. Using open source free web applications is great but you have to maintain it by regular updates or you can lose all your data and site if a new exploit is known about it. And as a hosting account owner, it is your responsibility that you have installed only stable applications in your account.

11. If your site has been running fine for years, it does not mean there were no security holes in it. It actually means that exploit was unknown or you were lucky that no one exploited it before.

12. For added security, change the permissions of your configuration files (having database credentials etc.) to 660. You can do that via ftp or file manager.

13. For added security, if you can block access to certain administrative sections of your site, do that by giving access to only authorized IP addresses and blocking access for everyone else, or password protect it.

14. If there is any file upload facility in your account, make sure that only authorized members can use it.

Also the uploaded file should not be accessible via web URL directly (i.e. stored outside of public_html) unless

a) it is only uploaded by a site admin (responsible person)
b) checked and validated to be not exploitable

15. If there is any URL forwarding or Webmail facility for your site membership, make sure it is not given to all without proper authorization or it could be used for spamming.

16. If you're just testing / trying something, which only you need and you know you won't actively keep up to date, just lock it behind a password right away.

17. Since ICCM shared/sdx/reseller servers come with phpsuexec, you do not need any file or folder with world write permissions. The normal folder permissions should not exceed 755. And php/html files can be 644 (or lower through ssh). CGI/perl scripts can be 755.

18. Anyone who writes web application code, should be familiar with security: http://www.oreilly.com/catalog/phpsec/ It covers all apects of vulnerabilities found today in web applications. Also check out this site: http://phpsec.org

Check a Domain is Available:
www.
Click Here to Check Domain









Sign Up - Click Here

Hosting Plans From:

Budget Hosting €3.99/mth
Business Hosting €5.99/mth
E-Commerce €9.99/mth
Reseller Hosting €19.99/mth
VPS Hosting €29.99/mth

Full Domain Price List

Click here to enter shop

 

Latest News -