Computer Help forum

General discussion

12/1/06 How can I protect my Web site from intruders?

Question:

I just recently set up my Web site for my business. And from hearing many horror stories on how hackers maliciously take down or vandalize Web sites randomly for the purpose of having fun, paranoia has set in and I am very concerned for my own Website. I know many of you members have personal or business Web sites out there, and what I would really like to learn is what are the necessary steps and methods that I personally can take to prevent my Web site from being intruded upon by hackers? All recommendations or suggestions are appreciated.

Submitted by: Edmund C.

***********************************************************************

Answer:

Hi! Hackers really are a big concern when we talk about business Web sites. There are some tips that you can follow to try to avoid this problem.

The first thing you should have is a daily backup of your Web site, keeping the last seven (or more, if possible) backup sets stored in a different machine. Usually these vandals change the main page of your Web site just to show off, and you can notice it fast, but sometimes they change some internal page and you just won't notice until later or some of your Web site's visitors warn you. This rule applies to the database too, if your Web site uses one. You never know when a disaster will happen.

Have a very restrictive firewall. Just close all the ports that you don't have a use for. A network administrator will help you with that. Sometimes there are some holes in the operating system's security that hackers love to exploit. A golden rule: Close all ports and open only the needed ones. But be careful to not block your database connection or something like that.

If you do e-commerce on your site, get a secure certificate (like Verisign) and make your transactions within a secured connection using this certificate. This way, your clients will always know that you are trustworthy and, just in case some hacker tries to get your client's information by creating some false webpage identical to yours asking them to login with their real passwords. Surely, they won't have a secured connection and your clients will notice that. Always keep your clients informed of these threats on your site. Moreover, you don't want your client's information being sent in plain text, where someone could easily capture and misuse it, do you?

If possible, keep your database in another server. If the attacker tries to change your website page, he won't have immediate access to your database server or its files, which will keep your business' important information away from him.

If your site has some kind of login/password, always, ALWAYS store it encrypted. By having no way of knowing your client's password, you prevent the hackers from obtaining it too (at least immediately, giving you time to warn your clients and take the necessary measures when an invasion happens). Remember that some people keep only one password for all their accounts, including their bank accounts!

Simulate some of them, like DoS, DDoS, ugly logins (containing commas, semicolons, single quotes, double quotes, etc.). Your webserver and your e-commerce site code have to be able to deal with these problems. Usually the webserver software has a limit of simultaneous solicitations that can be attended. Keep a reasonable limit. Too high, and your server may crash due to overload. Too low, and you'll have clients not attended by your site. Make a projection of visitors (be realistic) and set this limit accordingly.

Well, these usually are my concerns about websites. I preferred to expose the preventive and corrective actions in case of an attack. For me, the most important things are the security of the client's information and the backup. With these two, you can survive an attack of hackers. Without them, you WON'T.

Regards!

Submitted by: Alexandre S.
Discussion is locked
You are posting a reply to: 12/1/06 How can I protect my Web site from intruders?
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: 12/1/06 How can I protect my Web site from intruders?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Additional advice from our members

In reply to: 12/1/06 How can I protect my Web site from intruders?

Answer:

A business site is comprised of many parts that work together as a whole, so, in order to have an acceptably secure site (there is not such a thing as a completely secure site), you have to consider all its components.

First, let?s begin assuming you have your own server(s), that is, you are not using a third party hosting service. If that is the case, first thing is to check that all the server software is updated, beginning with operating system (windows, linux, solaris, etc), then to web and additional service software (internet information server, apache, server side scripting software as php or python, database servers, etc). This is necessary because everyday hackers are probing server software in order to find any vulnerability they may find, and generally, if you have your software updated (last versions, updates and patches), most of its reported vulnerabilities should be addressed in one way or another.

Second, besides having your software updated, you have to configure it to production environment standards. What I mean here is that when you are developing your web solution, your development environment is open so you can make modifications and experiment with it without having to open and close settings. Generally, your service software documentation has some ?configuration best practices? to secure your installations.

Third, once you have all your components secured, not all of them need to be outside in the internet, that is, if for some reason you have to have your web service exposed, your database server should be behind a firewall configured just to let the web server request to pass. It is also a good practice (actually a very important one), to close all the ports you won?t be using in your tcp stack. Generally, out-of-the-box server software has netbios, ftp, http and other ports open by default, so if, for example, you do not need netbios on your internet network interface, close the port, you will save yourself a lot of security headaches.

Fourth, although it may seem heavy, always have updated antivirus and antispyware software up and running, and not just trust in the standard protection, run full scans at least twice a month, you never know what new threat just got loose in the internet with the sole purpose of making your life miserably.

Fifth, now that you have yours servers secured, you have to check your web site design, it doesn?t matter how well you secure your software if your scripts are not protected against intrusions, with that I mean, you have to check that all your sensitive content is protected, and that you check every possible situation your software may crash, that is, converting strings to numbers, division by zero errors, etc. How to do that depends on the platform you choose, and again, software documentation is the key.

And finally, last but not least, always KEEP UPDATED BACKUPS OF YOUR SITE DATA AND PAGES, some hackers are not happy with stealing your information, they also like to wreak havoc on your vacation plans deleting all your site just the day your going on a leisure trip. This is also good in case of other kind of non-hacker-related disasters such as burned hardware, floods, nuclear wars and apocalyptical events.

This is by no mean a complete guide, but is what my experience as sys admin has tough me, I hope that it helps you with your concerns.

Submitted by: Omar F.

***********************************************************************

Answer:


Edmond C.,

This is not a complete solution but there will never be just one complete solution when it comes to security; the security we need comes from various software and hardware resources. as well as user habits.

My suggestion is to add a hardware firewall to your machine. You can buy a hardware firewall alone or you can buy a wired router with a hardware firewall built into the router. If you are already use, or plan to use, a LAN for your computers then I suggest a router/firewall combo such as the Broadband Firewall Router with Four Port Switch/VPN Endpoint from Linksys (a Division of the much trusted and widely used networking company Cisco Systems Inc.)

This is just one example of the extra layer of protection that a hardware firewall affords. I use this particular Router/Firewall which comes with a "Special Edition Norton Internet Security 60 day free trial of virus and firewall updates" which is a good idea since a software firewall is mandatory by almost anyone?s standard.

I don't suggest a wireless home LAN when you?re worried about security since wireless will be broadcasting and who knows who shares your bandwidth. (I have a neighbor whose wireless setup allows me to piggyback onto his bandwidth but of course I told him of his system's "leak".)

My home wired net includes a Dell Windows system and a Mac Mini computer from Apple (from $599) because Apples are rarely targets of nasty stuff at this time . . . though times change.

Submitted by: Tom C. of Upstate New York

***********************************************************************

Answer:


Apart from using a strong password (with many random letters, numbers and signs such as "! ","?") and not divulging it (this includes never accessing your site from a machine and a connection that are not known safe and correctly secured), I am afraid there is little else to be done if you are hosting the web page on an external server, which is almost always the case for small companies and individuals. In particular, beware of wireless connections at home /office and third party PCs, such as cyber cafes and the like!

So it is possible your site gets vandalized, eventually.

So visit it regularly (every day at least) and be prepared to restore the site quickly. For this, a copy of all pages used in the site should be stored safely and orderly in your PC. In the few cases I have seen, it is the index page that gets vandalized by those smart hackers who otherwise seem to have no brains for serious things.

And yes, good luck!

Submitted by: Jose J.

***********************************************************************

Answer:


Hi Edmund - There are several things you can do. You seem very concerned so I would recommend a Security Audit on your web site and the software you are using on your website. For most people I would just recommend that you take a few steps to ensure security. Such as changing your passwords often, turn off telnet, password protect online folders, ensure index.html files are in every folder, and update your online software. The protection of your local PCs is also very important and your communication with your website from home can be compromised So update your virus and firewall software. Hope those tips help. Best of luck.

Submitted by: Andrew S. of Raleigh, North Carolina

*******************************************************************

Answer:


Dear Edmund C.,

Your question is very important but the simplest too. You install a good quality of firewall like Symantec Security Suite or Zone Alarm or Nuts & Bolts, etc of your own choice. I have been using Symantec Suite and Zone Alarm. Whichever the security suite you install, what you have to do is to go to the Internet Tools\Options\Security\Settings and input each and every website trying to connect to your website. More precisely, you opt for the settings "Ask me before connecting" and your website is quite safe. If you think that a particular website is not so popular or of your own use, you deny it to connect to your website. Try and enjoy a lot!

Submitted by: Vijay V.

***********************************************************************

Answer:


I guess that you are using a shared hosting. Therefore, security is not your headache. All security concern should be tackle by Hosting Provider. But you should keep your hosting and domain password secret.

Submitted by: Amanat A.

***********************************************************************

Answer:


One answer would be to keep changing your access password to your ISP and to your website or have different passwords for all operations. Eg Forward for your ISP and rearend for your website . Keep those on for one week and then Change . See how you go with that. Kind regards.

Submitted by: Ian M.

***********************************************************************

Answer:


Wow.. big question!

One suggestion is to check out grc.com, Steve Gibson's site for security conscious people. He has a weekly podcast, which is very interesting and informative, albeit it does tend to get rather technical sometimes. All podcasts are available for download on the site. Highly recommended for everyone interested in internet security, not just in response to this question.

Submitted by: Paul L. of Toronto, Ontario

***********************************************************************

Answer:


You can sign up with a hosting company and have them provide security. The cost varies depending on the level of service. One of the largest is CI Host. You can check its web site for the costs of hosting.

Submitted by: Ian G.

***********************************************************************

Answer:


I suggest adding a good program such as System Mechanic Professional 6 or System Suite 7. Also make sure Windows updates are current.

Submitted by: Rodney C.
Collapse -
Website Security

In reply to: Additional advice from our members

We keep a back up of the files containing the site information on 2 computers and a thumb drive. If it goes down we can bring it back as quick as our FTP can load it. Any changes made are copied to the thumb drive and from there to the second computer.

We use 1and1.com as our host and they provide security.

Collapse -
content and graphics

In reply to: Website Security

While we are on the subject of websites, could those of you that have websites think about us poor country folk that can only get slow dialup, did I mention slow? Large heavy graphics take forever to load, sorry Lee but C/Net takes forever to load. Graphics can be lightened up quite a bit and not harm the appearance. Thanks, Nathan.

Collapse -
Nathan. It applies for Whole Countries too.

In reply to: content and graphics

I happend to see your comment, and yes the U.S. and European companies that promote the Internet lose MILLIONS of potential clients because of this one failing, they think everyone is like them, superdoted with the latest high speed tech. No Way.
Example:- I live in Honduras in San Pedro Sula the second largest city in the country some 700,000 people, and 5 miles outside the city center, I use Dialup 56kbps. My office nearer the Center and Internet Cafe have Cable 256kbps.
There are two main problems in the third world Countries, accessibility and price.
I could write a page on this problem just from Honduras, as there are dozens of examples.
Here are three. 1/ A webpage offers a large download it takes literaly hours, and can disconnect at any time. 2/ A webpage offers a product you would like to buy, but does not tell you, untill the end of the application, it only applies in their country. 3/ A webpage offers something that can be paid for by CC, but limits it to Visa or PayPal which does not work in your Country.
Perhaps others would like to comment on this problem. But please you Tech Wizards do something for us.
Ed Skinner, Honduras C.A.

Collapse -
The timestamp

In reply to: Additional advice from our members

Re-upload your site or copy to the public directories of your server regularly. Copy from a CD, not another location on your server.

Do it at specified times, too, like noon.

The time stamp will show if it's your copy of the file.

Look at your files, sorted by time. Any altered files will have a different date, unless the hackers are particularly aggressive, in which case, they might try to mess with your files on the same day.

In either case, checking the time on the files will let you see quickly whether the files have been altered. The hackers will know, too. If you replace everything on your site at the same time, they will see that masking their activities is going to be a bit harder.

You can also re-structure your site so that the most sensitive pages are all in one directory, so you can check them separately. Think of pages with shopping cart codes and so forth.

Preparing your site on one machine and uploading it from another using a CD to transfer the files (the hacker can't touch that without invoking your CD burning software), you should be able to stay ahead of them. Burning to a CD will also change the attributes to 'read only', which in turn will make the files 'read only' on the server. Easy to change, but it's nice to know the hackers have to do a little more to mess with you.

How ofen are YOU willing to upload to sweep the bugs out, and how often are THEY willing to do the same to bring them back. You see? You win.

Server logs are no help at all for this kind of thing. They never track uploads, only files accessed.

Like any other kind of defense, you have to consider what's in the mind of your adversaries. If they don't stand to gain anything by attacking you, they'll move on to easier targets. If there's money in it for them, then you have to be more active about protecting your site.

Collapse -
McAfee SiteAdvisor

In reply to: The timestamp

To protect your computer for virus,adware,spyware when surfing on the net use McAfee SiteAdvisor. Green good Red dont. I use the free version of it, you can see it at www.mcafee siteadvisor.com

Collapse -
Another vulnerability to consider

In reply to: Additional advice from our members

Most responsible ISPs are clamping down on spammers, so they're looking for other ways to distribute their junk mail. If ANY of the forms on your site generate an email message, you need to double-check that the scripts behind them can't be subverted into sending a mail message injected by the user, to addresses injected by the user. If they can, guess whose mail gateway's going to be blacklisted?

Don't assume that the the spammer has to use your form. There's nothing easier than to set up an automat that generates Post requests with ANY data. I've seen attempts of this nature with 99 bcc: addresses as a 'response' to the 'Country' select box, or 10 links to pornographic sites in the field that theoretically corresponds to a radio button.

Collapse -
Imp factor is the cost ... How much are you ready to pay ?

In reply to: Additional advice from our members

I just went through the replies to this topic.

Everyone has suggested to get hardware and software security. Along with it comes the updates and patches. These things cost a lot. Upon that you need to know how to install it. If you dont know, you need to hire a system admin. Again cost increases. To keep it updated you need to pay for it monthly.

How much would the cost be to keep a secure website live ? 1000's of dollars ? Is the client ready to invest so much ? Most of you guys know how much hosting providers are selling their services for, arround $5- $50 per month with tons of space.

To be economical. Host your website with any hosting provider who doesnt oversell space. Check the uptime. Check the response time.

Most IMP... Back Up!!!Back Up!!!Back Up!!!Back Up!!!.... Do not rely on anyone for your backups.

To host a website you dont need to be a system admin and invest so much on hardware or software products. No product is 100% secure. All you can do is tighten your security. Let the hosting providers handle it. Chose a reliable host.

Collapse -
Hacker Prevention?

In reply to: Additional advice from our members

Hey Everyone,

I have a small web design business and simply got tired of trying to keep up with the security issues and hurricanes on my own server. So I rented a virtual server from 1and1.com for $10.00 month! With so much space and all the bells and whistles to protect my sites, I thought I wouldn't have any more problems. Wrong.

A couple of months ago some hacker got into MS Frontpage Extensions and screwed up the Shared Borders on a global plate. So every site I built had to be reloaded. It was frustrating but not really a problem since I had very new backups.

But it just happened again 2 nights ago. I thought the big guys in the sky would've figured that knothead out by now. But not so.

You've heard it before but it's worth repeating... Keep your backup fresh and check your sites often...

Honey Smith Walls,
Melbourne, FL

Collapse -
Deny the hackers!

In reply to: Additional advice from our members

One important thing that was not mentioned for this question was what operating system were used for the new website hosting. Some of the answers assumed Windows and some assumed Unix/Linux. We will assume Unix/Linux since most web servers are using Unix/Linux in one "flavor" or another. I have been running web development and hosting business for 6 years now. We have employees just to deal with all our security issues, but I do know two things we do that help us out a lot.

1.) Unix/Linux keeps a file of IP addresses that will be refused if they try to connect. We use a program called DenyHosts which constantly monitors and updates this list based on the number of attempted connections and bad passwords. Check it out here: http://denyhosts.sourceforge.net/

2.) We also are very careful when creating PHP scripts. For example, if you are including a page, and getting the name from the URL, you should check the filename and make sure it is one you want to include. This could potentially be a HUGE security issue. You may also be interested in looking at Apache settings to be sure you have them as secure as possible.

If you know anyone that is particularly computer savvy, you may have them try to break your system and let you know what they did. We do that with each website we create.

Collapse -
Ban IP addresses from India, Hong Kong, and other bad places

In reply to: 12/1/06 How can I protect my Web site from intruders?

Go to this site and get a list of network IP addresses for these sites. India, Pakistan, Hong Kong, Korea, Taiwan, and others. 99% of the web problems come from these countries - why allow them to ruin your site?

http://www.hakusan.tsg.ne.jp/tjkawa/lib/krfilter/index-e.jsp
Add these to your site and voila - all those adds and junk disappear.

Then, get a list of anonymity sites and ban them also. Use Google and search for them.

Then, implement a registered user only posting and use the email authentication for registration.

These tips will keep your site safer.

Semper Fi!

Collapse -
I wish I had received the email with this question!

In reply to: 12/1/06 How can I protect my Web site from intruders?

1. My site once established will be quite small, tight, and static.
2. It will be run from a machine in my own home. It will be a lowly, dated laptop--as long as it's faster than the bandwidth, who'll ever know?
3. It will be on a burned CD-RW installed in a read-only drive, so if the "server" is hacked, a simple reboot will mean I'm back on line.
4, Anytime I want to update my site, simply burn a replacement CD-RW and insert it in the "server".
5. If my site develops an active element such as a forum like this, then temporary hard drive (ludicrous password including graphic characters) storage, and I have to be vigilant about updating the CD-RW on at least a daily basis.
6. A further option is to hook up a secondary machine which is not running as a server--it simply records ALL INCOMING traffic to the server. If you are hacked you have all the evidence to hand over to authorities.

Collapse -
Points to consider in protecting a website from intruders

In reply to: 12/1/06 How can I protect my Web site from intruders?

Remember not all intruders are from the outside if you are managing a website where more than just YOU as an administrator you need to consider internal security procedures too. Besides the good information others have posted on this topic like firewalls, changing passwords software updates there are a few other things that I think about regarding my web servers-

1. Ensure that any applicaion/tool passwords are set differently than the default and contain at least 6 characters two being numbers and NONE of the application/tool passwords are the same.

2. Take an inventory of any plugins you use on your site and do a complete search on their integrity, they sometimes offer a hacker access.

3. Make sure you remove any leftover installation code or management tools from web accessible areas of your hosted environment. Remove any JDKs left behind in their installation too but make a back up copy of them. This can be a pain when you later want to update the tool or plugin but sniffing tools like Snoop and ShowCfg can reveal a wealth of information about your environment, JDKs being one source.

4. Consider the implementation of SSL, (Secure Sockets Layer(you will potentially limit who can attach to your system but you will help ensure you know who is attaching. SSL does not ensure security from my experience but it does help you authenticate who is attaching.

5. Consider using a secure version of file transfer programs if you offer an ftp services.

6. Don't be cheap and run a vendors sample code on your server - they are samples and often not intended to be used in production and don't have all the native security of its production version.

7. Create separate administrative IDs for your web server services and limit what different IDs can do on your server. Some might be read only while others can alter code or parameters.

8. Disable any used ports or services on your server.

9. Others have already mentioned keep up with patches. It is critical.

10. Define what should happen on your server if there is an error, like log them and check that log often. Hackers don't often get in the first time they try and error logs can tell you if you might be a target.

Collapse -
safe hosting service

In reply to: 12/1/06 How can I protect my Web site from intruders?

I have been using a hosting service called "Homestead" for several years now. I have never had an intrusion problem. I have not taken the jump to try to host my own, but I am researching what I need and trying to educate myself so I might be able to in the future.

They do not host PHP so I can not set up a forum, but have complained and hopefully they will add the service in the future.

Their site builder tool is one of the best I have seen and plain enough for us html challenged people. Drop and drag with a lot of extras as well as being able to set up a store front with the better package.

Collapse -
Host PHP and webserver for needed services only.

In reply to: safe hosting service

Hi Ganeal,

You could start out by just hosting the pages that need PHP on your own server and redirecting from your public webpage. This way the initial point of contact is your hosting service with there security. You would need to still provide all the proper security on your local server but hacking impact would be minimal in the beginning.

Collapse -
Most just want to send spam

In reply to: 12/1/06 How can I protect my Web site from intruders?

The days of "hackers" defacing Web sites for fun are pretty much over. These days intruders want to send spam or do denial-of-service attacks. They may try to steal your customers' credit cards. They don't want to be detected at all, so they'll only send a few hundred spams at a time from your server. That's why they break into thousands of servers at a time, using automated attacks. If you avoid being "low hanging fruit," these guys and their attack bots will probably leave you alone.

The first thing you should do is choose a secure hosting situation. The difference between an "unlimited bandwith" with database for $5/month place and a professional grade host where you'll pay at least twice that with bandwidth limits announced up front, is security.

Microsoft Windows simply cannot be secured. It's not really designed to be exposed directly to the Internet, and *most* exposed Microsoft hosts get broken into, firewall or not. So stay away from places that try to put you on a Microsoft server. The $5/month places don't do any proactive security. They can't afford it at that price, their staff is spread so thin it's all they can do to put out fires.

Well-run web hosting shops do proactive security. They monitor their network traffic. If you get compromised by a spammer, they'll see it and disable your outbound mail (at least) before they or you get any complaints. This will keep you and them off the blocklists. They scan their machines for old versions of software like PHP and its applications. They'll ask you to revise it, or revise it for you, depending on the deal. They run their servers with some "flavor" of unix. It doesn't matter that much which one.

Don't just pick a Web application because its Web site looks cool, and install it and forget it. Those are the unix-hosted sites that get intruders. Search around and get a feel for its security record. Drupal and Wordpress have been great. Mambo and PHP-Nuke are equally popular but they've been awful. Stick to programs with great security records and active, friendly support communities. Revisit their Web sites at least weekly, and subscribe to their security newsletters. Stay away, for example, from Matt's Script Archive. Even Matt says to use nms-cgi.sourceforge.net instead, and you'd find that out with an adequate security search. Stay away from web hosts who let you install Matt's Script Archive products through a "control panel," for obvious reasons. If you take these minimum steps, you will go for years with no intruders and no spam mailers.

Have fun carefully,
Cameron in California
http://nowindoze.blogspot.com

Collapse -
I disagree

In reply to: Most just want to send spam

Ever heard of the turkish hackers group? Basically a bot that exploits a weakness in phpBB boards and overwrites the main site and changes the admin password. Either way, the reason you don't see defacings that often is because people can setup a secondary backup system that can automatically replace the page after the defacing.

What you are doing is mixing two entirly different groups together.
You have the white hackers, who hack just to prove they can (and / or to show an exploit to the owner). (Hmm... http://blogs.zdnet.com/Ou/?p=237)

And you have the black hackers, the people who wish to cause dammage, to steal the credit information. Do you know that a large percentage of people use the same password on public forums as their email account? This 'turkish' hackers group could have stolen millions of peoples information, since phpBB records the email and password (although you have to pry a little to get it).


If any company is serious of hosting their own site, they would have their own server room. There is too much at stake to trust public servers, expecally when dealing with sensitive information. I personally believe that the only people TO use public servers are people with personal websites.
Infact, with the propper software, it is as simple as plugging the computer into an direct internet connection. Now the (DPM?) may offer a little bit of a hassle, but I believe there are online services to help create an domain name and associate it with your IP address. Really, pretty simple... the biggest problem is when you have alot of visitors (and your computer can't handel it) THEN you have to upgrade to a server computer, and that costs a bit (+Maintanence)

Collapse -
Additionally

In reply to: I disagree

Denial of Service is a type of defacement. The goal is not to 'steal' anything... but to bring the site down for a time.

Collapse -
My hosting experience

In reply to: 12/1/06 How can I protect my Web site from intruders?

I started out with a simple hosting via my ISP. Most of these are very limited and since I wanted to gain some experience I choose to build my own Linux server and use it for hosting WEB, SSH, FTP, PHP

Out of the box all of the services need security tweaking and none should be installed and "simply" turned on. I did a lot of research on the Internet via web and news groups and have (I hope) a fairly secure server. My FTP and SSH services get hammered all the time and it is not unusal for the attacker to try 2500 - 3500 username/password combinations. Some thoughts on SSH and FTP. Root should NEVER be allowed to login via SSH or FTP. Both of these services should be restriced to a select group of users. If you need to "Serve" files, blind links is the best method (a link that directly downloads the file).

After a few years of WEB, SSH, FTP, PHP hosting, I have recently this year setup a Mail server for my company to use due to evolving problems with our ISP host mail service. This I also researched heavily before implementing and putting online.

Collapse -
Protecting your website

In reply to: 12/1/06 How can I protect my Web site from intruders?

I recognise that this solution is not for everyone ... but I put it out as it has worked beautifully for me.

I got an old Macintosh (8100 - made in 1995). I've run my site for many years now ... since 1997 I think ... without a hitch.

Steps followed:

1. Use OS9 (now obsolete ... which is even better since the nasties are all looking for loopholes in the new OS')
2. Use NetPresenz ... now freeware. It used to be a $10 shareware.
3. NetPresenz is a web and FTP server and can be set up by a 10 year old, it is so simple. It uses the Mac security to manage access by web browsers etc.

This machine runs with 132MB of RAM and serves up four domains right now.

A few hackers have tried and given up (I keep an eye on my logs). They couldn't do anything to get past the security - probably because they didn't know how to deal with a Mac!

I run a different software for my mail server ... and am a heavy use of RBL's to block the nasties (china, korea, taiwan and large IP blocks in the US are the biggest offenders). They are really looking for an open relay to run their spam off. And they are looking for Windows to break into!

Like I said, this won't work for everyone, but it works wonderfully for me.

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

REVIEW

Sublime suburban chariot

High on style and technology, the 2019 Volvo XC90 is an incredibly satisfying everyday crossover.