I’m going to be opening a website soon, with my friend and partner. I know squat about site security as far as hacking goes. We’ll be using a hosting service that we buy space and bandwidth from, and we’ll be using an Cute_FTP to upload everything.
My question is what can we do as far as keeping people from hacking in to our site? I know there’s no such thing as having an unhackable website, but I’d appreciate some pointers just to get us started. We’ll be using readyhosting.
Thanks in advance.
It all pretty much depends on two things for you.
One is what the host has configed. You have no control over this, other than researching and finding a decent host. The host you pointed to seems to be using Microsoft server software, which isn’t the most incredibly secure thing in the world…
Two is your password, which should be pretty obvious… alphanumerics that make no sense and are 8 chars long.
The best defense is probably to not be the RIAA.
Make sure EVERY folder in your site has an index.html (even if it’s a blank one).
Don’t be obvious with your FTP password. The longer and more random you can make it the better. Common words are BAD.
If you use any administrative or maintenance scripts, only upload them when you need to use them, then remove them again.
Use CHMOD to limit access to folders and files, if you have stuff on there you don’t want people getting to, like password or email address lists
A lot of your site security is out of your hands if you’re buying space, but there’s a lot you still need to handle yourself. Are you using dynamic pages (PHP, ASP, JSP, etc.)? There are a lot of details involved with coding for the web that can open security holes that might not seem obvious.
For example, one of the biggies is to never ever use user-supplied inputs in any system command. For example, a lot of sites allow users to upload files for one reason or another. It is critical for site security that you don’t use the original filename supplied by the user but instead rename the file according to your own specs. Using the user’s filename would allow a malicious user to construct a filename that could exploit holes in your file system. Similarly, never send an email to a user-supplied email address unless you’ve rigorously checked the address format. This isn’t nearly as big a hole as it was back in the day when we used CGI to pipe to sendmail, but a user can still construct an email address that would cause problems.
There are lots of books on this kind of thing. One that comes to mind is “Hacking Web Applications Exposed”, a web-specific sequel to “Hacking Exposed”. It was of moderate quality and it not completely up to date, but it serves as a good intro to a lot of the things you might take for granted.
Choose a hosting service that does not use MS products. That goes a long way towards a better secured website.
That’s a gross generalization that does a disservice to the OP. There are plenty of ISPs running WinOS servers that are quite secure. It takes some diligence, but no more so than staying up to date with *nix patches. On the other hand, there are plenty of *nix hosts out there who pay very little attention to security and don’t bother to secure against even known exploits. If you know what you’re doing, it is no more difficult to secure a Win box than a non-Win box. If you don’t know what you’re doing, you can screw up even OpenBSD.
Thanks for all the answers guys, it helpso ut quite a bit.
We’re actually just using straight HTML code written in Notepad with the addition of the Coranto news posting program that uses CGI, and also a javascript that will tell users today’s date.