Practical tips: How to really protect your server.

Discussion in 'Security' started by uski, Apr 16, 2008.

  1. #1
    Hi,

    Here is one of my first posts here. I'd like you to take advantage of my experience in IT security. I am going to give you a few tips and tricks. There is no exhaustive security "to do" list - security is a state of mind. Each time you do something, you have to think "How can this be exploited? Now and in the future?"

    1) Get a firewall
    You don't have to pay for an expensive one. On Linux, iptables is enough and is provided on every box. Use it to prevent access to ports you do not use and to prevent unnecessary outgoing connections (goal: prevent reverse shells and shell binding on TCP ports). Don't limit yourself to blocking TCP; the other protocols can also be used to transfer unauthorized stuff to and from your box.

    2) In PHP: disable what you don't need, and the big known security holes
    Disable register_globals, allow_url_fopen, and prevent the use of functions such as system, exec, unlink, unless you have a use for them.
    If you are using the url_fopen feature, you should consider recoding the pages that use it to use cURL. url_fopen is a real threat because it makes it incredibly easy for hackers to do RFIs (Remote File Inclusions) and to execute arbitrary stuff on your server if you have some vulnerabilities.

    3) Apply the principle of least privilege
    Example: The username used to access your database should not have unnecessary privileges. If, for example, you have a news website, then there is no reason to use a user who can insert data or modify data in the news database for the pages which only show the news. The user who can modify stuff should be used only on the administration pages, which should be protected both by the application-layer protection (password, ...) and by a server-level protection (htaccess, ...).

    4) Be sure to secure the permissions of your server.
    Most script kiddies use a RFI exploit to download a file to your server (using exec to call wget or curl from inside PHP) and then run it. If they have no place to download it and if you have forbidden the use of exec, system and similar functions then their work will be harder.

    5) Always change the default URLs of your administration pages if possible.
    While I wouldn't rely on security by obscurity, it would prevent automatic scanners from targeting your website if one day you forget to update some program. This brings us to...

    6) UPDATE your web applications and your server REGULARLY.
    And watch the security mailing lists to know about any exploit in the wild. Failure to properly update your stuff will get you hacked some day for sure.

    I really mean it: if you don't update your servers, you WILL get hacked, it's just a matter of time. There are thousands of script kiddies scanning the web for old vulnerable applications. They ARE already visiting your website regularly and they WILL see any known vulnerability.

    Actually, I think we'll all get hacked some day. But we should do our best to reduce the frequency of these attacks, and to be able to detect them quickly and to recover from them immediately. This brings us to:

    7) BACKUPS.
    Save your pages, save your database. Keep old backups because you might fail to notice you've been hacked for some time. What if you were hacked a month ago and you only keep the backups which are less than a week old?
    Also, get a new server, and try to restore your backup. See how long it takes you. See if you have saved everything or if you forgot something. A backup that you cannot restore is useless so be sure you know how to restore your backup and check it's complete by doing some drills.

    8) There is no "easy" security.
    You can't just throw 10 queries in Google and assume you're secure, such as proposed in another thread. Seriously guys.
    Security is hard because we start in an unfair position: the hackers only need us to make one mistake to hack us. We have to watch everything and not make a single mistake.

    9) Never think that everybody loves you
    Or that no one wants to harm you. You are always the target of someone. It might be someone who wants to spam his p0rn links all around the net, it might be someone interested in distributing some adware through your website, or it might just be someone looking to hack a box in your IP subnet to bypass some filtering rules somewhere else. You are always a target, never forget that.

    10) Intrusion detection is good
    You can use several forms of intrusion detection. The best is to detect intrusion attempts, but if you detect that you've been hacked it's good too, because it gives you a chance to act quickly before there is too much damage (search engines indexing hacked pages, loss of reputation and visitors, ...).
    You can use a real IDS (Intrusion Detection System) such as Prelude or Snort, but you can also simply use some basic detection system that checks if your files are modified.
    Be careful with full-featured IDSes because they might flood you with data you won't have time to fully analyze.

    Finally... If you are unsure... ask or hire someone.
    There are security professionals out there. Just as some of you are very good at advertising and marketing, some people are very good at security. You can't be good everywhere. If you feel unsafe, if you don't have the time to think about security, then ask for help or hire someone.

    That's all for now. If you apply everything here you will be less likely to get hacked. Most hacks are done by script kiddies using well known vulnerabilities and standard hacking scripts. If you can defeat them, you'll defeat 90% of the hacking attempts toward your website.

    :)
    uski
     
    uski, Apr 16, 2008 IP
    DarkMindZ, john247 and MTbiker like this.
  2. NicoAtMicrosoft

    NicoAtMicrosoft Guest

    #2
    This is a great primer on internet security! You make a great point on #9, I can't stress how important that is. I'll be sure to pass this post around.
    **************
    Nico del Castillo
    Microsoft Security Outreach Team
    http://www.microsoft.com/hellosecureworld/level7
     
    NicoAtMicrosoft, Apr 18, 2008 IP
  3. IwhiC

    IwhiC Peon

    #3
    Great information. I have already done this on all my boxes, but this is great.

    I agree with you on hiring an expert; that is what they are there for.
     
    IwhiC, Apr 18, 2008 IP
  4. zebulon

    zebulon Well-Known Member

    #4
    Excellent post. It's nice to see someone with a proactive approach vs. reactive ;)
     
    zebulon, Apr 20, 2008 IP
  5. DarkMindZ

    DarkMindZ Guest

    #5
    Great one, +rep :) keep it up and welcome aboard!
     
    DarkMindZ, Apr 20, 2008 IP
  6. MTbiker

    MTbiker Well-Known Member

    #6
    Very nice collection of tips!
     
    MTbiker, Apr 22, 2008 IP
  7. chinese-seo

    chinese-seo Active Member

    #7
    It makes sense to me. Thank you for the nice work!
     
    chinese-seo, Apr 23, 2008 IP
  8. john247

    john247 Peon

    #8
    I wish I had read this before I got hacked... Oh well, never too late to learn!
     
    john247, Apr 24, 2008 IP