

Hackers & host security




Posted by mistervb, 03-27-2009, 04:16 PM
For you, what a webmaster must do to prevent get hacked?

Posted by e-Sensibility, 03-27-2009, 04:18 PM
Don't install unnecessary software, maintain a firewall with a default blocking stance, have a well thought out data storage, security and retention policy and stick to it, patch ASAP when vulnerabilities are discovered, and audit your config files/permissions/system in general with a security scanner like nessus. Edit: Also only give users & employees access on an as needed basis.

Posted by wise, 03-27-2009, 05:56 PM
You forgot the obvious ones too for root hacks...
1. Disable root SSH login.
2. Ensure 12-character complex passwords at minimum, or use SSH keys.
3. Change the SSH port to something other than 22.
4. Disable unneeded services.
5. Enable notification on root login via email.

Posted by HJI Technologies LLC, 03-27-2009, 06:05 PM
Basically, what the above 2 guys said is what you would need to do; however, if you are going to go with a managed host, you can ask them to do all of this for you. Most hosts that you go to will have the basics done, and some even have a lot more done than just the basics. Then again, the kind of software you install will determine how many vulnerabilities it has.

Posted by wise, 03-27-2009, 06:08 PM
Even with a managed host, ask the questions; many don't do it...

Posted by bithost(NET), 03-27-2009, 07:29 PM
1. Choose a good host. This is one of the key areas that sets apart the good ones from the bad ones. Bailey

Posted by Outlaw Web Master, 03-27-2009, 07:32 PM
Has to be the #1 priority. Good hosting providers should already have their servers locked down to a fairly high degree. owm

Posted by StartYourServer, 03-27-2009, 10:31 PM
That is very important. Just because your host is popular, never assume that all your security needs are being met.

Posted by FS - Mike, 03-27-2009, 10:41 PM
I wouldn't say disabling SSH access for root is a good idea, as you can only do that on the root account and if you need to access root, to adjust iptables (the firewall used in linux) or access MySQL CLI, you'd be stuffed. Using SSH keys is good practice and also randomly generated 12 character passwords with multiple non-alpha-numeric as well as alpha-numeric characters.

Posted by MikeDVB, 03-28-2009, 01:51 AM
The number one reason I have seen for compromised accounts was due to out-of-date scripts. The second reason has been compromised systems sending out passwords to who-knows-who. Always make sure to keep your scripts on your account up to date and then make sure to run regular scans of your system with a trusted Virus Scanner that is updated. Beyond that, there isn't much you can do that your host shouldn't already be doing for you.

Posted by RandyE, 03-28-2009, 02:32 AM
As you can see, the biggest reason for people getting hacked is non-updated software. Such as a hosting company I've seen on here running SMF forums, v 1.2 when they just released 1.8 and 2.0 RC. They claimed they did things to secure it...yeah right. But WordPress and phpBB are some of the biggest offenders in this category that I have seen. People just scan sites until they find a site that is not updated, then they exploit it. Also, the passwords, as said, are very important. Many people don't use complex passwords and then they wonder why they get hacked. 8+ characters, using a minimum of 2 lowercase, 2 uppercase, 2 numbers, and 2 symbols (!, @, $, ^, etc.) will do the trick. The more characters you have, the more secure it will be.

Posted by AquaCyclone, 03-28-2009, 02:44 AM
phpBB is without a doubt the biggest offender for exploits due to being out of date. I tried for weeks to get a friend to update their install and they didn't, so I moved in with the exploit and left a clear message to update. I know, not the best method, but when you ask for weeks and even offer to do it you have to take some measures. Always update scripts even if that add-on won't work. Either wait for it to update or have someone update it for you. One note for Joomla users: use .htaccess to block the /administrator/ directory from all but YOUR IP. That will slap away the large part of exploiters.
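The /administrator/ restriction mentioned above, as an added example that is not part of the thread: a small POSIX shell helper that writes the Apache 2.2-style `.htaccess` for a Joomla admin directory, allowing one address and denying everyone else. The directory, the admin IP (an RFC 5737 documentation address) and the function names are constructed for this example; it validates the IP first so a typo cannot lock the owner out or produce a rule Apache silently ignores.

```shell
#!/bin/sh
# Added example (not from the thread): generate the .htaccess that limits
# Joomla's /administrator/ directory to a single admin IP.
# Directory and IP below are constructed placeholders.

# write_admin_htaccess DIR IP
# Writes DIR/.htaccess so that only IP may reach the directory. Rejects
# obviously malformed IPv4 addresses first (wrong characters, wrong number
# of octets), so a mistake is caught before it reaches the web server.
write_admin_htaccess() {
    dir="$1"
    ip="$2"
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*)
            echo "invalid IPv4 address: '$ip'" >&2
            return 1 ;;
    esac
    if [ "$(printf '%s' "$ip" | awk -F. '{ print NF }')" -ne 4 ]; then
        echo "invalid IPv4 address: '$ip'" >&2
        return 1
    fi
    # Apache 2.2 mod_authz_host syntax (Apache 2.4 would use "Require ip").
    cat > "$dir/.htaccess" <<EOF
# Joomla admin panel: deny everyone except the administrator's address
Order deny,allow
Deny from all
Allow from $ip
EOF
}

# check_admin_htaccess DIR IP -> 0 when the file denies all and allows only IP.
check_admin_htaccess() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -q '^Deny from all$' "$f" || return 1
    [ "$(grep -c '^Allow from ' "$f")" -eq 1 ] || return 1
    grep -q "^Allow from $2\$" "$f"
}

# Demo with a temporary directory and an RFC 5737 documentation address.
demo_dir=$(mktemp -d)
write_admin_htaccess "$demo_dir" "203.0.113.5"
cat "$demo_dir/.htaccess"
check_admin_htaccess "$demo_dir" "203.0.113.5" && echo "htaccess OK"
```

The generated file only helps if the site's Apache honours `.htaccess` for that directory (`AllowOverride` must include `Limit`), and it assumes the admin connects from a fixed address; a dynamic or shared IP would need the rule updated each time it changes.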

Posted by RandyE, 03-28-2009, 04:21 AM
Sometimes you have to do what you have to do. I would have just suspended my friend until he and I sat down and updated the script together lol. I hate phpBB, I use SMF for everything. I'm thinking about buying a vBulletin license for a site I'm starting up, that I expect to generate a lot of traffic due to the nature of the site. And that is just from the URL, without any SEO/marketing on it lol. I do strongly discourage disabling logging in as root. That could lead you to many more problems than leaving it available. All you need is a complex password and you'll be fine. Don't use anything like family members' names, b-days, initials, etc. and you should be OK, so long as all scripts are updated. I know you see a lot of hosts offering Fantastico, but I personally don't ever use it on my sites, mainly because it will install outdated scripts and you're going to have to update them anyway. It's good if you don't want to go through the process of manual installations though; they can be a PITA if you don't know what you're doing lol.

Posted by Tristan Perry, 03-28-2009, 04:49 AM
Do you mean 1.1.2 and then 1.1.8? Just checking (since there's no 1.2 and 1.8, although I guess you mean 1.1.x?). If so, that's really bad; there have been... well, at least 6 potential security exploits found since 1.1.2. Not upgrading is just silly, especially since SMF provides this option via the admin panel. There's a message saying you need to upgrade, and then with a few clicks you can upgrade via the admin's package manager.

Posted by RandyE, 03-28-2009, 05:11 AM
Yes, that is exactly what I meant. I just didn't want to put the extra 1 in b/c I was in a hurry and figured that everyone here would understand and get the gist of the message. When I contacted them about how I could trust putting a personal site on their servers when they can't even take the time to properly secure their forums, by leaving a horribly outdated version, they just said they had taken measures to prevent it, but didn't want to re-write their modifications. That is what is going to get people hacked. I promptly bid them good day and continued my endeavor.

Posted by wise, 03-28-2009, 05:35 AM
You add a normal user to the wheel group for SSH to log in with. If you need root privileges you can then su - and enter the root password. Disabling root SSH access IS good practice. It doesn't mean you can't use root, but that you can't log in to SSH straight away and gain root access.

Posted by FS - Mike, 03-28-2009, 08:41 AM
That's true, but as long as you're using either SSH keys or an extremely secure password, then it's a moot point. Someone could just as easily gain access to another SSH account, then su to root. Either way it's configured, the primary concern with a root account is to ensure that you are using a secure authentication method, like SSH keys.

Posted by bithost(NET), 03-28-2009, 03:32 PM
This is a good point -- because of Fantastico's slowwwww update response, there are often multiple scripts in the Fantastico installer which are indeed out of date & exploitable. This is why clients who want quick-installed scripts functionality should look for Installatron rather than Fantastico. Installatron has many of the same scripts as Fantastico (plus several others) and has lots more features than Fantastico (like backups, restore from previous snapshot, etc.). Installatron also makes script updates available within 24 hours, usually less. Clients will still need to manually do the updates, but at least they are available to run in Installatron right away, unlike Fantastico which can take 6-odd weeks to finally get around to publishing an update on their system. Bailey

Posted by mistervb, 03-28-2009, 03:46 PM
More thanks for the info, but how can I prevent DDoS attacks?

Posted by RandyE, 03-28-2009, 04:00 PM
You can't. You can try, but eventually you're not going to be able to keep up. It is semi-possible, but someone that is really determined will get by.

Posted by mistervb, 03-28-2009, 04:26 PM
I know that Google bans an IP that has made too many connections per second; how can I do this?

Posted by flimbo, 03-28-2009, 05:07 PM
Hi,
1. Firewall. Only allow connections to the ports you need.
2. It is better to use keys for SSH, but you can also use hosts.allow and hosts.deny (or even the firewall) to restrict the IPs that can connect to your server.
2 (optional). Create a VPN between your server and your connection(s).
3. If you only plan to receive mail (you should run a mailserver separately anyway), then run the mailserver on localhost only.
4. Use mod_security and suhosin (hardened-php).
5. Always use the latest versions (packages) for the software you are running.
6. Use SFTP, not FTP.
7. Most important, make sure your scripts are secure (mostly check for SQL injection, XSS and file inclusion). If you have the money you can always hire a security company to audit your scripts.
If you plan on keeping very important data on the server, you can also go with grsecurity/PaX + MAC (mandatory access control) (requires a good administrator).
Hope this helps, flimbo.
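An added example, not from the thread, for the question of banning an IP that opens too many connections per second, combined with the hosts.deny suggestion just above: a POSIX shell script that scans a connection log, flags any source that exceeds a per-second threshold, and emits matching TCP-wrappers `hosts.deny` lines. The log format (one line per accepted connection: epoch second, then client IP), the addresses and the function names are constructed for this example; a real server would feed it the fields of its own access or auth log.

```shell
#!/bin/sh
# Added example (not from the thread): detect clients exceeding a
# connections-per-second threshold and produce hosts.deny entries for them.
# Log format, addresses and thresholds below are constructed.

# flag_fast_clients FILE MAX_PER_SEC
# FILE holds one line per accepted connection: "<epoch-second> <client-ip>".
# Prints each IP (once, sorted) whose count within any single second is
# greater than MAX_PER_SEC.
flag_fast_clients() {
    awk -v max="$2" '
        { n[$1 " " $2]++ }                      # connections per (second, ip)
        END {
            for (k in n) if (n[k] > max) {
                split(k, f, " ")
                if (!(f[2] in seen)) { seen[f[2]] = 1; print f[2] }
            }
        }' "$1" | sort
}

# hosts_deny_lines FILE MAX_PER_SEC -> "ALL: <ip>" for each flagged client,
# the form TCP wrappers reads from /etc/hosts.deny.
hosts_deny_lines() {
    flag_fast_clients "$1" "$2" | awk '{ print "ALL: " $1 }'
}

# Constructed sample log: 198.51.100.7 opens 4 connections in one second,
# 203.0.113.9 peaks at 2, 192.0.2.44 opens a single one.
log=$(mktemp)
cat > "$log" <<'EOF'
1238198400 198.51.100.7
1238198400 198.51.100.7
1238198400 198.51.100.7
1238198400 198.51.100.7
1238198400 203.0.113.9
1238198401 198.51.100.7
1238198401 203.0.113.9
1238198401 203.0.113.9
1238198402 192.0.2.44
EOF

echo "clients above 3 connections/second:"
flag_fast_clients "$log" 3
echo "hosts.deny entries:"
hosts_deny_lines "$log" 3
```

This is after-the-fact detection run from a log, so it only blocks a source once it has already been noisy; the per-second limit a firewall can enforce in real time (iptables `connlimit`, `recent` or `hashlimit` matches) acts before the connection is accepted. Neither helps much against a distributed flood that stays under the threshold per source, which is the point made earlier in the thread.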

Posted by e-Sensibility, 03-28-2009, 05:57 PM
Using OpenSSH, root logins have always been disabled by default for me. Maybe it's different on Linux, don't know, I only use *BSD. As for passwords, never use a password no matter how many characters it has! Public keys are so easy to use there's no reason not to switch to them. And changing the SSH port to something other than 22 gives you only a trivial amount of protection, considering if someone scans you they'll find the port anyway.
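An added example, not from the thread, tying together the sshd settings argued over in the posts above (root login, keys versus passwords, and the listening port): a POSIX shell audit that reads an `sshd_config` the way sshd does (first occurrence of a keyword wins, comments ignored) and reports the findings. The two sample configs are constructed, the function names are this example's own, and the defaults assumed when a keyword is absent (`PermitRootLogin yes`, `PasswordAuthentication yes`, `Port 22`) are those of OpenSSH releases of the time; check the defaults of the version actually installed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings discussed above. Sample files and defaults are constructed.

# sshd_option FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD. sshd uses the first occurrence of a
# keyword, so the first match wins; comments and blank lines are skipped and
# keyword matching is case-insensitive, as in sshd itself.
sshd_option() {
    val=$(awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# audit_sshd FILE
# Prints one line per finding; the return status is the number of findings,
# so 0 means the file passed.
audit_sshd() {
    findings=0
    root=$(sshd_option "$1" PermitRootLogin yes)        # assumed default
    pass=$(sshd_option "$1" PasswordAuthentication yes) # assumed default
    port=$(sshd_option "$1" Port 22)
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin=$root: root can log in directly with a password"
           findings=$((findings + 1)) ;;
    esac
    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication=$pass: password guessing stays possible; prefer keys"
        findings=$((findings + 1))
    fi
    # A non-default port is only obscurity (see the post above), so it is
    # reported as information rather than counted as a finding.
    [ "$port" = "22" ] && echo "info: sshd listens on the default port 22"
    return $findings
}

# Constructed sample 1: a stock-looking config with the keyword commented out,
# so the default (root login allowed) applies.
weak=$(mktemp)
cat > "$weak" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: root login off, keys only, non-default port.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak =="
audit_sshd "$weak" || echo "$? finding(s)"
echo "== hardened =="
audit_sshd "$hardened" && echo "no findings"
```

Before applying `PermitRootLogin no` on a live box, confirm that an unprivileged account can still log in and `su -` (or sudo) to root, as described earlier in the thread; otherwise the lockout FS - Mike warns about is real.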

Posted by CarmenKarma, 03-28-2009, 08:24 PM
A lot of great advice. I always stress making sure you get patches installed ASAP. You don't need script kiddies running around on your server exploiting old bugs.


