Discussion in 'Web Hosting' started by Supplierneeded, Dec 14, 2012.
What can you do to help prevent hacking of emails and your website?
A strong password would be the first and simplest security element to take care of.
Never allow access by anonymous FTP.
1) Hosting Company
Considering you are using shared hosting, that company MUST have good server admins and systems to monitor their servers; any fault on their part can and will compromise your sites.
For instance, bad/lazy admins will leave breaches that allow people to gain access to your site from another site hosted on the same server you are sharing.
2) Your site
If you are using a CMS or a self-made script, you need to take care of a lot of things like SQL injection, XSS, and other dangers.
Make sure you have a proper .htaccess file in place with rules that match what you're doing and/or need to have to improve your security.
Make sure you don't allow external access to your SSH and MySQL.
Make sure your email, FTP, SSH and MySQL passwords are not easy to guess and contain at least 1 upper-case and 1 lower-case character, 1 symbol, and are 8 or more characters long.
3) Personal Data
- Passwords hard to guess, as previously mentioned
- Whether you store any credentials anywhere, like in the browser by selecting "remember" or anything similar
- How you care for your computer or the places you use your credentials from (i.e. antivirus, firewall and other things that can improve your security)
- Monitor the applications running on your computer, keep track of them and check every now and then to make sure you don't have anything weird running in the background
Make sure all applications and software are always up to date with the stable version.
Well, I guess these are some of the essential things to look at, but there is a lot more.
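The password rule stated above (8 or more characters, upper case, lower case and a symbol) is easy to enforce at account-creation time rather than leaving it to the user. The following is an added example and not code from any poster in this thread: it checks a password against exactly those four rules and generates compliant passwords with Python's CSPRNG-backed `secrets` module. The sample passwords in `main()` are constructed for illustration.

```python
from __future__ import annotations

import secrets
import string

# Policy from the thread: at least 8 characters, one upper-case, one lower-case
# and one symbol. MIN_LENGTH is the only tunable; the character classes are fixed.
MIN_LENGTH = 8
SYMBOLS = string.punctuation


def check_password(password: str) -> list[str]:
    """Return the policy rules the password violates (an empty list means accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case character")
    if not any(c.islower() for c in password):
        failures.append("no lower-case character")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password().

    Uses secrets (a CSPRNG), never the random module. It retries until the
    sampled string contains every required class; for length >= 8 drawn from
    a 94-character alphabet this converges after a handful of attempts.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def main() -> None:
    # Constructed sample inputs, not real credentials.
    for pw in ("password", "Ab!", "Tr0ub4dor&3"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
    print("generated:", generate_password(20))


if __name__ == "__main__":
    main()
```

`check_password` returns the full list of failed rules rather than a bare boolean so that a signup form can tell the user exactly what to fix.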
1) Strong passwords. I use anywhere between 14 and 36 character passwords with upper case, lower case and numbers. PasswordSafe to generate and remember them.
2) Disable root login.
3) For SSH login disable password authentication. Instead use key-based.
4) For SSH login, disable login from any IP. Use a whitelist method. Using a VPN to have a consistent IP is useful in this case.
5) Disable FTP, FTPS, FTPES. Only use SFTP with key based auth.
6) Disable anonymous FTP
7) Disable remote MySQL management.
8) Only create MySQL users with the permissions needed. Giving blanket permissions is a security risk.
9) Only assign users to databases if they need it. Don't create one user for multiple databases.
10) Log all MySQL activity. This may create large logs but it can reveal hackers.
11) Make sure your SMTP server isn't an open relay.
12) Force SSL/TLS and only use newer ciphers
13) If on Linux, install CSF for a firewall and configure it to block unneeded ports/port+IP combos.
14) Keep all software updated. This includes cPanel, WHM, Apache, PHP, exim, CSF, named etc.
15) Watch security lists for new exploits
16) Disable any software you do not use!
17) Review any new installations. Make sure they don't have any current exploits.
18) Review any new module/plugin installations. Make sure they don't have any current exploits.
19) Keep an eye on security lists for exploits for them...
20) Enable logging for all scripts.
21) Use strict access control. Don't give access to what isn't needed.
22) Don't leave "archived" versions of your site! If it's not being used, delete it.
23) Review all work done on your site. Some freelancers may install backdoors.
24) Be wary of encrypted (ionCubed) scripts. You don't know what is in them.
25) Use .htaccess to block access to directories that admins use and consumers do not.
26) Disable errors from being shown to the user.
27) Do not allow file uploads unless the script has advanced security features for finding malicious files.
28) Store config files and error logs above the www directory so they can only be viewed via FTP.
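Items 2, 3 and 4 of the list above are all `sshd_config` settings, and a common mistake is to edit the file and not notice that an earlier line already set the directive (sshd keeps the first value it sees, not the last). The following is an added example, not code from the poster: it parses an `sshd_config` text and reports deviations from those three items. The two configs are constructed samples, the default values assume a modern OpenSSH build (`PermitRootLogin prohibit-password` became the default in 7.0; older builds defaulted to `yes`), and the whitelist check only looks for `AllowUsers`/`AllowGroups`; an IP whitelist enforced in the firewall (CSF, item 13) is outside what this script can see.

```python
from __future__ import annotations

# Wanted values for the directives items 2-4 of the list talk about.
EXPECTED = {
    "permitrootlogin": "no",          # item 2: disable root login
    "passwordauthentication": "no",   # item 3: keys only
    "pubkeyauthentication": "yes",    # item 3: keys must actually be enabled
}
# Defaults applied when a directive is absent (sshd_config(5), OpenSSH >= 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global directives; the first occurrence wins.

    Parsing stops at the first Match block: directives inside it are
    conditional and have to be assessed separately.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Key value" and "Key=value"; normalise to the former.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first value wins, like sshd
    return effective


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per directive that deviates from the list's items 2-4."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        actual = cfg.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append(f"{key}: is '{actual}', want '{wanted}'")
    # Item 4: some login whitelist must exist at the sshd level.
    if not any(k in cfg for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups whitelist configured")
    return findings


# Constructed sample: the admin appended "PermitRootLogin no" at the bottom
# without noticing the earlier "yes", and left PasswordAuthentication commented out.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication no
PermitRootLogin no
"""

# Constructed sample that satisfies the list; the Match block is ignored by design.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.10
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["ok"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the directive names it reports are lower-cased because sshd matches them case-insensitively.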
After reading some of your posts and guessing what your line of work is, I would expect nothing but this kind of caution from you!
^^ In other words, develop a passion for the vast field that is network security and never stop learning (or hire professionals).
Professionals don't help much unless they limit you
I know someone who works for a certain type of company that handles very sensitive personal information. Thousands upon thousands of records of people. Socials, addresses, CC#s etc... They have no password policy and reportedly they all use bad passwords (think top 20 used passwords, < 8 characters long, no #/uppercase). They have no monitoring software. No SSL. Allows remote access. They have no security cameras. Records are sometimes put onto a super small USB (like 5cm^2) and transported between buildings unencrypted. They don't listen to their professional (him) because the non-professionals don't care and it upsets them. The boss? Sides with them.
You're only as strong as your weakest link. If someone else is calling the shots you're probably going to have very poor security.
Also, I should probably mention that my PasswordSafe password also follows the same guidelines. The exception is I also store it in TrueCrypt containers that yet again follow the same guidelines and use keys on the hard drive and also on network/USB. The containers are backed up to multiple places to prevent loss.
Once I find the time to do so I'll be going to full drive encryption, so even if someone stole my entire computer they wouldn't have access.
Paranoid? Probably. But the minor inconveniences are nothing compared to the benefits and peace of mind. Great marketing too. I can use all kinds of fancy words and combinations to "ooo and aahh" customers if needed.
Obviously you want a top-down approach to securing your organization. You don't let just anyone call the shots, security plans/policies are initiated by responsible top-level manager(s).
As much as I would love to, it's impossible for me to do everything myself. Either I personally verify that outsourced work is secure, or I hire a security professional to do that for me.
Very good answers
I use these methods but my website still gets hacked again and again. Can you share any other good way to stop hacking?
Sanitize your textboxes, have a strong PW & make sure you don't have an SQL-injection-prone website...
Read a few tutorials on the net on how to prevent it.
1. Strong password - 8-12 characters
2. Never remember your passwords in wb
3. Disable IC before using any tools
You are asking in the wrong forum.
If you want to stop hacking you need to learn hacking!