How to make your site "secure"?

Discussion in 'Security' started by Skinny, Apr 1, 2007.

  1. #1
    As we all know there is no such thing as a secure website.

    I will soon be launching a new website and since I'm not sure of its popularity ATM, I was wondering if there was anything that I could do to make my site more secure.

    i.e. make it harder for people to hack, etc.

    What are some tips that you more experienced webmasters have?

    Skinny
    Skinny, Apr 1, 2007 IP
  2. Thibaut

    Thibaut Well-Known Member

    #2
    You could run Nessus to check for security flaws.

    Regards
    Thibaut
    Thibaut, Apr 1, 2007 IP
  3. netdeals

    netdeals Guest

    #3
    you can have a complete security audit of your website. :D just check my signature.
    netdeals, Apr 2, 2007 IP
  4. clancey

    clancey Peon

    #4
    There are numerous steps involved in making your site secure.

    It starts from who has access to the site and how strong their passwords are. You need to ensure root cannot log in via the internet and you need to make sure that password is extremely strong -- more than 12 characters, including upper and lower case, and non-alphabetic characters.

    You need to review what services are being offered and specifically turn off those that you do not need or intend to offer. For a plain website, the only services accessible from the internet should be sshd and httpd. If you want email, add pop and smtp. Shut down everything else. You will need to learn how to configure your firewall to accomplish these tasks.

    Secure ssh. This was discussed in another thread here today: http://forums.digitalpoint.com/showthread.php?t=286142

    If allowed, you should secure PHP with suhosin. If not allowed, I have written a freely available script which helps accomplish some of what suhosin does -- preventing a lot of web injection problems. You would need to amend your scripts to call my project -- in my sig -- whereas the suhosin module changes PHP itself.

    Make sure all third-party scripts you run are at their latest patch level and make a habit of visiting their sites for security notices and updates. For scripts you write, NEVER trust user input. Always make sure it is what you expect. Always initialize variables with safe default values. Always return safe default values from functions.

    If you are running AJAX, you need to start reading up on the recent compromises which are being discussed on the net. Start with this article: http://www.fortifysoftware.com/advisory.jsp

    Lastly, never bait hackers and spammers with mocking responses and vulgar error messages.
    clancey, Apr 2, 2007 IP
  5. Zinho

    Zinho Peon

    #5
    Nessus just runs well known attacks on the server, but it is not able to run customized (manual) penetration testing that would involve the capabilities of a security expert. I see the "Hacker Safe" pic on the footer of sites that can be swept out in a matter of seconds.
    Zinho, Apr 9, 2007 IP
  6. D_C

    D_C Well-Known Member

    #6
    Well I can give you a few simple tips. Do not use GET in fields. I'm not sure on the security of post but I think it is pretty safe. Request is pretty safe too. Make all fields have some sort of code that verifies the contents of it before it submits it. Once you have that, make sure it will not show the database name when an error occurs.

    Those are some simple things. If you want I can do a little overview of your website and tell you what possible holes you have in your website for free IF you let me use your website as a reference.

    PM me if interested.
    D_C, Apr 9, 2007 IP
  7. Zinho

    Zinho Peon

    #7
    Sorry to contradict you, but POST is nothing more secure than GET. It is just more obfuscated, but everyone can forge a request using the POST method. Same thing for hidden fields in forms and cookie values.
    Input sanitization should be done on the server side before any kind of operation on it.
    Zinho, Apr 9, 2007 IP
  8. OwenC

    OwenC Peon

    #8
    Agree 100%. GETs are just easier for the layman to haze (by messing with the querystring), but there are a number of tools you can use to inject anything you want into POSTs. The trick is to validate everything at the server side and ensure you're only receiving the input you're expecting.

    Tools like Nessus are ideal to help identify any flaws in your website (like using known hackable versions of software) that script kiddies can take advantage of, however there's nothing like human ingenuity when trying to hack a website.
    OwenC, Apr 9, 2007 IP
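    The server-side validation that clancey, Zinho and OwenC describe, as an added example (not code posted in this thread): one validator runs over whatever request array arrives, since GET, POST, cookies and hidden fields are equally forgeable, every field is initialized to a safe default, and database errors are logged rather than shown so the response never leaks the database name. Field names, the `posts` table and the limits are assumptions made up for the example.

```php
<?php
// Added example, not code from the thread. Server-side validation applied to
// any request array; field names and the posts table are constructed here.
declare(strict_types=1);

const SORT_VALUES = ['date', 'title', 'author'];
const DEFAULTS    = ['page' => 1, 'sort' => 'date', 'email' => ''];

// Returns only the expected keys; anything missing, malformed or out of
// range falls back to its safe default, so every value is initialized.
function validateRequest(array $input): array
{
    $clean = DEFAULTS;
    // Only scalar strings are considered; arrays and missing keys become null.
    $str = static fn(string $k) => is_string($input[$k] ?? null) ? $input[$k] : null;

    $page = filter_var($str('page'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($page !== false) { $clean['page'] = $page; }

    $sort = $str('sort');
    if (in_array($sort, SORT_VALUES, true)) { $clean['sort'] = $sort; }

    $email = filter_var($str('email'), FILTER_VALIDATE_EMAIL);
    if ($email !== false) { $clean['email'] = $email; }

    return $clean;
}

// Database errors are logged server-side and the user sees a generic message,
// so the response never reveals the database or table names.
function fetchPage(PDO $db, array $clean): array
{
    try {
        // $clean['sort'] may be interpolated only because it was whitelisted above.
        $stmt = $db->prepare("SELECT id, title FROM posts ORDER BY {$clean['sort']} LIMIT 10 OFFSET :off");
        $stmt->bindValue(':off', ($clean['page'] - 1) * 10, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // full detail stays in the server log
        http_response_code(500);
        return ['error' => 'Unable to load posts.'];
    }
}

// Constructed tampered request: the same validator runs whether this came from
// $_GET, $_POST or a cookie; every field falls back and the unknown key is dropped.
$tampered = ['page' => '0', 'sort' => 'id', 'email' => ['not-a-string'], 'debug' => '1'];
var_dump(validateRequest($tampered));
```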
  9. D_C

    D_C Well-Known Member

    #9
    No need to apologize. I'm here to learn like the rest of you and as you can see I told you that I was not sure on the security of post. However now I know, and thank you for correcting me.
    D_C, Apr 9, 2007 IP