
What's the best way to prevent hacking...

Discussion in 'Web Hosting' started by Supplierneeded, Dec 14, 2012.

  1. Supplierneeded (Junior Member)
    What can you do to help prevent hacking of emails and your website???
     
  2. GiorgioB (Supreme Member)

    A strong password would be the first and most simple security element to take care of.
     
  3. LakeForest (Supreme Member)
    Never allow access by anonymous ftp
     
  4. cgimaster (Power Member)
    1) Hosting Company
    Considering you are using shared hosting, that company MUST have good server admins and a system to monitor their servers; any fault on their part can and will compromise your sites.

    For instance, bad/lazy admins will leave breaches that allow people to gain access to your site from another site hosted on the same server you are sharing.

    2) Your site
    If you are using a CMS or a self-made script you need to care for a lot of things like SQL injection, XSS, and other dangers.

    Make sure you have a proper .htaccess file in place with rules that match what you're doing and/or need to have to improve your security.

    Make sure you don't allow external access to your SSH or MySQL.

    Make sure your email, FTP, SSH and MySQL passwords are not easy to guess and contain at least 1 uppercase and 1 lowercase character, 1 symbol, and are 8 or more characters long.

    3) Personal Data

    - Passwords hard to guess, as previously mentioned
    - Whether you store any credentials anywhere, like in the browser by selecting "remember" or anything alike
    - How you care for your computer or the places you use your credentials from (antivirus, firewall and other things that can improve your security)
    - Monitor applications running on your computer, keep track of them and check every now and then to make sure you don't have anything weird running in the background

    Make sure all applications and software are always up to date with the stable version.

    Well, I guess these are some of the essential things to look at, but there is a lot more.
     
    Last edited: Dec 14, 2012
  5. Supplierneeded (Junior Member)
    Thanks
     
  6. Zapdos (Power Member)
    GENERAL:
    1) Strong passwords. I use anywhere between 14 and 36 character passwords with uppercase, lowercase and numbers. PasswordSafe to generate and remember them.
    2) Disable root login.

    FTP/SERVER:
    3) For SSH login disable password authentication. Instead use key-based.
    4) For SSH login, disable any IP login. Do a white-list method. Using a VPN to have a consistent IP is useful in this case
    5) Disable FTP, FTPS, FTPES. Only use SFTP with key based auth.
    6) Disable anonymous FTP

    MySQL:
    7) Disable remote MySQL management.
    8) Only create MySQL users with the permissions needed. Giving blanket permissions is a security risk.
    9) Only assign users to databases if they need it. Don't create one user for multiple databases.
    10) Log all MySQL activity. This may create large logs but it can reveal hackers.

    Email:
    11) Make sure your SMTP server isn't an open relay.
    12) Force SSL/TLS and only use newer ciphers

    Firewall:
    13) If on linux, install CSF for a firewall and configure it to block unneeded ports/port+ip combos.

    Server software:
    14) Keep all software updated. This includes cPanel, WHM, Apache, PHP, exim, CSF, named etc.
    15) Watch security lists for new exploits
    16) Disable any software you do not use!

    Website scripts:
    17) Review any new installations. Make sure they don't have any current exploits.
    18) Review any new module/plugin installations. Make sure they don't have any current exploits.
    19) Keep an eye on security lists for exploits for them...
    20) Enable logging for all scripts.
    21) Use strict access control. Don't give access to what isn't needed.
    22) Don't leave "archived" versions of your site! If it's not being used, delete it.
    23) Review all work done on your site. Some freelancers may install backdoors.
    24) Be wary of encrypted (ionCubed) scripts. You don't know what is in them.
    25) Use .htaccess to block access to directories that admins use and consumers do not.
    26) Disable errors from being shown to the user.
    27) Do not allow file uploads unless the script has advanced security features for finding malicious files.
    28) Store config files and error logs above the www directory so they can only be viewed via ftp.
     
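Items 2 and 3 of the list above (no root login, no password authentication, key-based SSH only) can be verified against an sshd_config before restarting the daemon. The script below is an added example, not code from the thread; the two sample configs it writes are constructed for demonstration, and the directive names are the standard OpenSSH ones.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the SSH hardening items above.
# sshd honours the FIRST uncommented occurrence of a directive, so the
# check reads the effective value the same way instead of the last line.

effective_value() {  # $1 = config file, $2 = directive name
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Prints one line per failing directive; returns the number of failures.
check_sshd_config() {
    cfg="$1"; fails=0
    [ "$(effective_value "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin should be 'no' (item 2)"; fails=$((fails + 1)); }
    [ "$(effective_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication should be 'no' (item 3)"; fails=$((fails + 1)); }
    # PubkeyAuthentication defaults to yes, so only an explicit 'no' fails.
    [ "$(effective_value "$cfg" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication must not be 'no' (item 3)"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $cfg passes"
    return "$fails"
}

# Constructed sample configs (not real server files), written into directory $1.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# Typical default: root login and password logins allowed.
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# A later duplicate is ignored by sshd, so this line has no effect:
PasswordAuthentication yes
EOF
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    check_sshd_config "$1"
fi
```

The commented-out `#PermitRootLogin no` in the weak sample is the classic false sense of safety: the live value is the uncommented `yes` that follows it.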
  7. GutierresSEO (Registered Member)

    After reading some of your posts and guessing what your line of work is, I would expect nothing but this kind of caution from you! :D
     
  8. Grizzy (Senior Member)
    ^^ In other words, develop a passion for the vast field that is network security and never stop learning (or hire professionals).
     
  9. Zapdos (Power Member)
    Professionals don't help much unless they limit you :p

    I know someone who works for a certain company type that handles very sensitive personal information. Thousands upon thousands of records of people. Socials, addresses, cc#s etc... They have no password policy and reportedly they all use bad passwords (think top 20 used passwords, < 8 characters long, no #/uppercase). They have no monitoring software. No SSL. Allows remote access. They have no security cameras. Records are sometimes put onto a super small USB (like 5cm^2) and transported between buildings unencrypted. They don't listen to their professional (him) because the non-professionals don't care and it upsets them. The boss? Sides with them.

    You're only as strong as your weakest link. If someone else is calling the shots you're probably going to have very poor security.
    Also, I should probably mention that my PasswordSafe password also follows the same guidelines. The exception is I also store it in TrueCrypt containers that yet again follow the same guidelines and use keys on the hard drive and also on network/USB. The containers are backed up to multiple places to prevent loss.
    Once I find the time to do so I'll be going to full drive encryption so even if someone stole my entire computer they wouldn't have access.

    Paranoid? Probably. But the minor inconveniences are nothing compared to the benefits and peace of mind. Great marketing too. I can use all kinds of fancy words and combinations to "ooo and aahh" customers if needed :D
     
    Last edited: Dec 15, 2012
  10. Grizzy (Senior Member)
    Obviously you want a top-down approach to securing your organization. You don't let just anyone call the shots, security plans/policies are initiated by responsible top-level manager(s).

    As much as I would love to, it's impossible for me to do everything myself. Either I personally verify that outsourced work is secure, or I hire a security professional to do that for me.
     
  11. Supplierneeded (Junior Member)
    Very good answers :)
     
  12. laralist123 (Newbie)

    I use these methods but my website still gets hacked again and again. Can you share any other good way to stop hacking?
     
  13. SUPER CHAMP (Junior Member)

    Sanitize your textboxes, have a strong PW & make sure you don't have an SQL-injection-prone website...

    Read a few tuts on the net on how to prevent it.
     
  14. rinor4ever (Junior Member)

    1. Strong password - 8-12 chars
    2. Never remember your passwords in wb
    3. Disable IC before using any tools
     
  15. rinor4ever (Junior Member)

    You are asking in the wrong forum.

    If you want to stop hacking you need to learn hacking!