Tips That Can Avoid Hacking of Sites
ivenms
Jul 21st 2007, 8:21 am
Nowadays, hacking is increasing throughout the web, so for webmasters it is a very crucial situation. Is there anybody here who knows more about this field and can give some points on precautions to take to prevent hacking?
It is very worthwhile nowadays.
Surely this thread will help me and users like me to increase our web sites' security.
:)
FFMG
Jul 21st 2007, 8:23 am
I guess I could get it started,
- Only use reputable, up-to-date scripts.
- Do not make your root password easy to 'guess'.
FFMG
GS-Anderson
Jul 21st 2007, 8:26 am
1. Set all your passwords to something very difficult to guess. This includes control panel passwords and passwords to the admin areas of your scripts. A good example would be something like ~th15*p455w0rd*15*n0t*345y*t0*gu355~
2. Research your scripts before installing them. There are a lot of insecure scripts that can leave you vulnerable.
3. Use a host that has some sort of brute force protection installed on the server.
4. Make sure your host also has a firewall installed on the server.
5. Use common sense.
FFMG
Jul 21st 2007, 8:29 am
...
5. Use common sense.
Good one, it is amazing how many sites are hacked because the admin did not use common sense.
FFMG
ivenms
Jul 21st 2007, 8:38 am
1. Set all your passwords to something very difficult to guess. This includes control panel passwords and passwords to the admin areas of your scripts. A good example would be something like ~th15*p455w0rd*15*n0t*345y*t0*gu355~
2. Research your scripts before installing them. There are a lot of insecure scripts that can leave you vulnerable.
3. Use a host that has some sort of brute force protection installed on the server.
4. Make sure your host also has a firewall installed on the server.
5. Use common sense.
1. The password you are suggesting is very hard to remember. I think it is better to have a password with 10-15 characters that contains letters as well as numbers. Also, it is better not to use the same password on other applications.
3, 4. Can you list hosts that support it?
5. It is a valuable tip. But nowadays there is news spreading of very large and popular web sites being hacked. How do hackers get into the root of these sites?
One more question:
Is it insecure to host sites on a shared hosting server?
Doskono
Jul 21st 2007, 9:39 pm
If you are using PHP, make sure that when you have GET parameters, the program always checks that the GET parameter is a real one that you have assigned. Make sure you are not vulnerable to SQL injection or cross-site scripting. These are the most common ways of hacking these days...
Scolls
Jul 24th 2007, 11:40 am
Indeed, sanitize all user input ~ never trust the user.
Follow what's going on in the world as regards security. Sites like Secunia are great, as well as milw0rm, etc. Wherever you can get information on security holes in the various web apps you're using ~ knowledge is power.
Keep your software up to date. Most forums that get hacked, for example, are those owned by people who do not keep their software up to date and ignore available upgrades.
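The three checks the posts above call for (accept only the GET parameters you actually assigned, guard the database query against SQL injection, escape output against cross-site scripting) in one small PHP page, as an added example that is not code from anyone in this thread. It assumes the pdo_sqlite extension and constructs its own in-memory `articles` table so it runs stand-alone.

```php
<?php
// Added example, not code posted in this thread: accept only the GET
// parameters you assigned, bind user values with prepared statements
// (SQL injection), escape output (XSS). Table and rows are constructed.
declare(strict_types=1);
// 1. Only parameters this page actually defines, each with its own validator.
const ALLOWED_PARAMS = ['id' => 'validate_id', 'q' => 'validate_search'];

function validate_id(string $raw): ?int
{
    // A plain positive integer; "1 OR 1=1" or "1; DROP TABLE" never pass.
    return preg_match('/^[1-9][0-9]{0,9}$/', $raw) ? (int) $raw : null;
}

function validate_search(string $raw): ?string
{
    // Bound later as a parameter, so only a length limit is needed here.
    return strlen($raw) <= 40 ? $raw : null;
}

// Drops unknown keys and anything that fails its validator.
function clean_query(array $get): array
{
    $clean = [];
    foreach (ALLOWED_PARAMS as $name => $validator) {
        $value = is_string($get[$name] ?? null) ? $validator($get[$name]) : null;
        if ($value !== null) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// 2. User values travel as bound parameters, never spliced into the SQL text.
function find_articles(PDO $db, array $p): array
{
    if (isset($p['id'])) {
        $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
        $stmt->execute([':id' => $p['id']]);
    } else {
        $stmt = $db->prepare('SELECT id, title FROM articles WHERE title LIKE :q');
        $stmt->execute([':q' => '%' . ($p['q'] ?? '') . '%']);
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:'); // constructed sample database
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (title) VALUES ('Hello'), ('<b>Bold</b> title')");
foreach (find_articles($db, clean_query($_GET)) as $row) {
    // 3. Escape everything that goes into HTML, whatever its origin.
    echo '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```

Requests such as `?id=1 OR 1=1` or `?page=evil` are dropped by `clean_query`, and the `<b>` in the second title is rendered as text rather than markup.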
pj1s
Jul 27th 2007, 5:21 pm
Don't get traffic. ;)
Avoid doing things as root.
scriptmakingman
Aug 8th 2007, 1:50 am
I personally am a hacker.
Just use common sense, don't use "common" passwords.
Don't use exploitable scripts (milw0rm.com)
and make sure you keep everything up to date! :D
ivenms
Aug 14th 2007, 4:16 pm
I can find some valuable information in this thread for avoiding hacking. Expecting more tips from the members.
Do you think shared hosting affects hacking?
Loco.M
Aug 14th 2007, 4:18 pm
don't piss off a hacker ;)
Yes, it's much easier to get hacked on shared hosting because the hacker can get to your site from other accounts that may have exploits.
BTS
Aug 21st 2007, 1:34 pm
1- Make your own server (no shared hosting)
2- Use a firewall, IDS and mod_security .....
3- Upgrade all your programs
4- Never use warez
5- Always take tours at milw0rm, securityfocus, securityreason, php.net and all security websites
6- Use Zend, ionCube
7- Always review logs
8- 99% of security is from the server, 1% your mail
9- Penetration test
10- Security was created to be hacked; there's no 100% security
Anomaly1974
Aug 25th 2007, 7:06 pm
Okay, OT so please forgive me but I have a question parallel to this. I think I either have some type of virus I have never seen or my site has been hacked but I am not sure which one. I can access one of my five sites. I have no connections to the other four at all. Still, when I use any computer other than my own I can connect fine. Any ideas? Sorry to go off topic but seeing people here who seem to be in the know, I need any ideas I can to keep from having to write zeros across my drive again.
Thanks
Ward
linsys
Aug 28th 2007, 12:08 am
OK, here are some tips:
1) Reverse Apache proxy servers (a great way to protect your IIS servers and Domino servers)
2) IP restrict SSH, FTP, and other protocols using your firewall
3) IP restrict management interfaces for Joomla, WP etc. Use Apache or your .htaccess for this.
4) Install OSSIM (http://www.ossim.net). I know these developers; their app is sweet!!!
5) Nessus scan your box monthly
6) Never run Windows or Windows servers, never run ASP or .NET, or IIS or any of that crap
7) Run Paros proxy against your site regularly. http://www.parosproxy.org/index.shtml is a great URL vuln scanner
8) Change passwords every month; use upper case, lower case, numbers and symbols in your passwords
That should keep you safe for a while...
BTS
Aug 28th 2007, 8:54 am
OK, here are some tips:
6) Never run Windows or Windows servers, never run ASP or .NET, or IIS or any of that crap
Oh yes, all products of Microsoft = no security = always able to be hacked
Just a beautiful control panel and simple to use, but no security
rfdavid
Aug 28th 2007, 10:09 am
Oh yes, all products of Microsoft = no security = always able to be hacked
Just a beautiful control panel and simple to use, but no security
That is totally false. Any site that isn't managed well (out of date patches, weak passwords, bad programming) is insecure. It makes no difference whether it is running BSD, Linux, Windows, PalmOS... I have personally run Windows Servers as Firewalls, Web Servers, and Database Servers without security issues. All it takes is some common sense. Look at Microsoft.com, it is run exclusively on Microsoft software and it seems to have a pretty good security record. It is all about the people running the server.
FFMG
Aug 28th 2007, 11:29 am
Oh yes, all products of Microsoft = no security = always able to be hacked
Just a beautiful control panel and simple to use, but no security
I don't think this is true (anymore).
The Windows machines (personal use) have many security issues because the users don't protect their systems. The MS servers, on the other hand, are very secure.
A good network/server administrator will ensure that the MS server is up to date and secure.
FFMG
BTS
Aug 29th 2007, 10:04 am
rfdavid & FFMG
If you say that Microsoft products are safe,
do you remember the IIS bug? hhhhh
And why do all big companies use Linux, like Google, or FreeBSD, like Yahoo?
digitalpoint.com uses Linux, FreeBSD, Mac OS.
microsoft.com uses Linux, oh yes:
download.microsoft.com & search.microsoft.com
http://searchdns.netcraft.com/?restriction=site+contains&host=microsoft.com&lookup=wait..&position=limited
If Microsoft products are safe, why was Microsoft hacked 2 times this year?
http://www.zone-h.org/index2.php?option=com_mirrorwrp&Itemid=43&id=6202670
http://www.zone-h.org/content/view/14780/31/
Where's the security?
Pammer
Aug 29th 2007, 10:53 am
These are really nice steps, which I never knew. After seeing many hacked websites I think I really need to look at that. One of my friends' 44-directory network just got hacked because of the common root password he was using for all of them.
rfdavid
Aug 29th 2007, 12:09 pm
rfdavid & FFMG
If you say that Microsoft products are safe,
do you remember the IIS bug? hhhhh
And why do all big companies use Linux, like Google, or FreeBSD, like Yahoo?
digitalpoint.com uses Linux, FreeBSD, Mac OS.
microsoft.com uses Linux, oh yes:
download.microsoft.com & search.microsoft.com
http://searchdns.netcraft.com/?restriction=site+contains&host=microsoft.com&lookup=wait..&position=limited
If Microsoft products are safe, why was Microsoft hacked 2 times this year?
http://www.zone-h.org/index2.php?option=com_mirrorwrp&Itemid=43&id=6202670
http://www.zone-h.org/content/view/14780/31/
Where's the security?
Both of the times that the Microsoft site was hacked, it was due to SQL injection, which is not because IIS isn't secure; it is because the website developer didn't write proper SQL code. SQL injection is just as easy with PHP and MySQL as it is with ASPX and MSSQL.
Look at the post below yours: 44 sites running your super secure Linux hacked at once. All server software in skilled hands can be secured. In incapable hands, there is no security. Anyone who says "X can't be secured" is really saying "I don't know how to secure it".
eBay: IIS
Walmart.com: IIS
CDW.com: IIS
Dell.com: IIS
Why would we believe the server admins at these 4 huge websites when we could take a Linux fanboy's advice instead?
kisamesama
Aug 29th 2007, 12:45 pm
Any guide on how to program properly without leaving security holes?? I usually write all the scripts myself :S
FFMG
Aug 29th 2007, 2:22 pm
...All server software in skilled hands can be secured. In incapable hands, there is no security. Anyone who says "X can't be secured" is really saying "I don't know how to secure it"
Well said. IIS is not the problem, the user is.
I am not saying that MS is great, but more often than not ignorant users will blame the tool rather than themselves.
FFMG
BTS
Aug 29th 2007, 4:23 pm
rfdavid
IIS Unicode: just put a code after the URL and you get important info
Where's the security? <<<<<<< There is none
Refer to Netcraft: Apache is the No. 1
Why do people use MS products = just simple to use
eBay is a commercial website so they just need a simple system
In your opinion, what is more secure:
a system developed by 1000....... programmers
or
a system developed by some person
I know there's no 100% security
but MS products don't have any relation with security
Dell has a lot of business with Microsoft; they sell Windows with their PCs
eBay also has a business relation with MSN
Now open source products become more popular in Europe; some governments sponsor them
Open source gives more security
THE END = MS PRODUCTS ARE 4 NEWBIES
rfdavid
Aug 29th 2007, 5:28 pm
IIS Unicode: just put a code after the URL and you get important info
Fixed 7 years ago.
Where's the security? <<<<<<< There is none
Refer to Netcraft: Apache is the No. 1
XP is number 1 on the desktop, so it is more secure than BSD?
Why do people use MS products = just simple to use
One of many reasons. Ease of use is not a bad thing.
eBay is a commercial website so they just need a simple system
eBay has a huge team of professionals that specialize in network and programming security. A statement like that shows how little you understand about the subject.
In your opinion, what is more secure:
a system developed by 1000....... programmers
Quality <> Quantity
or
a system developed by some person
IIS is not developed by some person; it is developed by a team of professional software developers.
I know there's no 100% security
Can't argue with that.
but MS products don't have any relation with security
MS has the same relation with security as any large software group, open or closed source. Any program that is more complicated than "Hello World" will have security issues. Exploits are discovered in all applications, from IIS and Apache to MS Word and iTunes. Admins/users have to be vigilant in preventing security breaches and updating their software.
Dell has a lot of business with Microsoft; they sell Windows with their PCs
Dell also sells Red Hat and Ubuntu.
eBay also has a business relation with MSN
They also have a relation with Google, who is one of the biggest open source promoters.
Now open source products become more popular in Europe; some governments sponsor them
There is nothing wrong with open source, and it is chosen where it is the best solution to an organization's goals.
Open source gives more security
At best it provides the same security. At worst it gives a false sense of security when users think that since they are using an open source product it is perpetually secured right out of the box.
THE END = MS PRODUCTS ARE 4 NEWBIES
That is one of the great things about Windows and MS in general. They are easy enough for my Grandma to use and powerful enough to run a Fortune 500 company on. I am not an MS lover; I use both closed and open source products depending on business needs and available resources. Limiting yourself to one group or another based on some quasi-religious views about development methodologies is kinda silly IMO. I dunno, maybe we will just have to agree to disagree ;)
BTS
Aug 29th 2007, 7:10 pm
fixed 7 years ago >>> These are some new bugs, not Unicode; they fix one part and new bugs appear in another part
Microsoft IIS <= 5.1 Hit Highlighting Authentication Bypass Exploit 2007-05-31
http://milw0rm.com/exploits/4016
Microsoft IIS 6.0 (/AUX/.aspx) Remote Denial of Service Exploit 2007-05-21
http://milw0rm.com/exploits/3965
Take a tour at milw0rm
rfdavid
Aug 29th 2007, 10:13 pm
The first bug doesn't affect IIS 6.0, and the second is only a temporary denial of service that only works on slow servers. DoSing a slow server is hardly a gaping security hole. Check out this (http://www.securityfocus.com/archive/1/469899/30/0/threaded) bug report from May 2007 (same time as the above vulnerabilities).
BTS
Aug 30th 2007, 7:55 am
Apache = open source: if you are a pro at programming you can fix the bug
MS products: you must wait for MS to fix the bug, and it takes time
so more time = more attacks = customers transfer their sites
FFMG
Aug 30th 2007, 8:45 am
Apache = open source: if you are a pro at programming you can fix the bug
MS products: you must wait for MS to fix the bug, and it takes time
so more time = more attacks = customers transfer their sites
Not entirely true.
MS almost always gives you a 'workaround' while they investigate the problem.
Then a fix is available at the next update.
Apache does not get updated as often as you make it sound (the security alerts are fixed quickly, but they are not officially released for a long time).
Many Apache servers are still running on 1.x or 2.0.x.
Also, MS Windows Desktop might have a lot of security issues (because it is so widely used, I think), but the MS servers are very secure.
In the end, it is a matter of choice which one you choose, but they are both very secure.
FFMG
linsys
Aug 30th 2007, 8:58 am
Both of the times that the Microsoft site was hacked, it was due to SQL injection, which is not because IIS isn't secure; it is because the website developer didn't write proper SQL code. SQL injection is just as easy with PHP and MySQL as it is with ASPX and MSSQL.
Look at the post below yours: 44 sites running your super secure Linux hacked at once. All server software in skilled hands can be secured. In incapable hands, there is no security. Anyone who says "X can't be secured" is really saying "I don't know how to secure it".
eBay: IIS
Walmart.com: IIS
CDW.com: IIS
Dell.com: IIS
Why would we believe the server admins at these 4 huge websites when we could take a Linux fanboy's advice instead?
Well, eBay's entire BILLING system is all Sun and Oracle, and so are AT&T's, DirecTV's, Dish Network's, Verizon's, Nextel's, and EchoStar's. I know because I was on the team that implemented eBay's billing system, and I led the re-architecture of the billing systems for AT&T, DirecTV, Dish Network etc.
Just because eBay might run their auction site on IIS doesn't mean they TRUST their financials to IIS or any Microsoft product. There is a reason the largest telecommunication companies in the WORLD use a *nix system and not a Windows system for their financial transactions.
Come to think of it, when I was head of security for CSG Systems, Inc. we rented data center space from First Data Corp (the company that handles millions of transactions for the IRS); guess what, they were using a *nix system as well. I know because their systems were right next to mine.
rfdavid
Aug 30th 2007, 9:32 am
I stand corrected on eBay; they only have their customer-facing servers running IIS. eBay's solution is probably the best in terms of security: use a diverse range of server software. This limits the effects of any bugs and exploits to a smaller group of servers in the datacenter.
The whole argument anyway is that IIS is inherently insecure and is not worthy of running web servers. eBay is one of the biggest websites in the world and runs IIS. I think the case is closed.
It seems, though, that the companies you mention as running a *nix financial system didn't choose the server software; they outsourced the financial system to a third party that chose *nix. I am curious what flavor of *nix it is. I think the general consensus around the IT world is that, with everything else being equal, BSD is the most secure, so choosing any other OS would be making a concession.
vBulletin® v3.6.8, Copyright ©2000-2008, Jelsoft Enterprises Ltd.