-
07-28-2008, 06:36 PM #1 WHT Addict
- Join Date
- Jan 2008
- Posts
- 115
How do you secure your website's database information from hackers?
Is simply having the appropriate permissions on the files with your database information good enough or are there other measures you can take to secure your database information? I normally use PHP websites so this info is usually in the configuration file.
-
07-28-2008, 06:41 PM #2 WHT Addict
- Join Date
- Jul 2008
- Location
- France
- Posts
- 105
All depends what sort of dbases we are talking about.
-
07-29-2008, 12:28 AM #3 Web Hosting Guru
- Join Date
- Nov 2002
- Location
- Bay Area, California
- Posts
- 309
To secure your site, begin by removing all PHP scripts.
Sorry, but that's my best advice.
Sunwave Communications
http://www.sunwave.com/
Safety - Service - Economy
-
07-29-2008, 12:38 AM #4 Junior Guru Wannabe
- Join Date
- Jul 2008
- Location
- San Bruno, CA. / Brazil
- Posts
- 40
Hello,
If you have any PHP files that hold confidential data, I suggest you use an encryption program like Zend to encrypt your files. So, you have to check your file permissions too (CHMOD on Linux).
Regards,
-
07-29-2008, 07:06 AM #5 WHT Addict
- Join Date
- Jul 2008
- Location
- France
- Posts
- 105
lol that's an 'interesting' approach, secure the website by removing it!
For MySQL it's simple: only allow localhost connections, ensure the root and any user passwords are very secure, and make sure all software versions (httpd, php, mysql-server) are up to date.
For MSSQL, ensure the dbase files are outside of the webroot directories.
For SQLite, make sure the dbase files are again outside of the webroot directory, i.e. outside of the www or public_html folder but still within the user's account folders.
Once again, make sure all passwords are secure and all software is up to date. This will be enough to keep the wrong ppl out.
-
07-29-2008, 01:05 PM #6 Web Hosting Master
- Join Date
- Dec 2005
- Posts
- 3,110
Pretty much what everyone has mentioned but my suggestions are:
Block external access to MySQL, at your Firewall too is a good idea
Keep MySQL Updated
Keep your Scripts Updated
Check File Permissions
Run scripts as their own user with SUPHP/PHPSuexec
-
07-29-2008, 01:27 PM #7 Web Hosting Master
- Join Date
- Feb 2006
- Location
- Buffalo, NY
- Posts
- 1,501
Bingo - also you could go crazy and host the MySQL server on a different server so if someone got access to your machine they couldn't simply wipe out /var (or wherever MySQL databases may be) - the issue is if someone actually gets shell access to your server they still can do almost anything to your database :-\.
█ Cody R.
█ Hawk Host Inc. Proudly Serving websites since 2004.
█ Official Let's Encrypt Sponsor
-
07-30-2008, 02:59 AM #8 Junior Guru Wannabe
- Join Date
- Jul 2008
- Location
- San Bruno, CA. / Brazil
- Posts
- 40
I suggest you use MD5 in the password fields in your MySQL databases too.
-
07-31-2008, 12:27 AM #9 WHT Addict
- Join Date
- Jan 2008
- Posts
- 115
So basically using "localhost" instead of your actual server address is more secure? If that's true I just learned something new.
-
07-31-2008, 02:45 AM #10 Newbie
- Join Date
- Jul 2008
- Posts
- 8
If you're on shared hosting, localhost connections can be intercepted. I personally use MySQL sockets, but sockets on a shared server are no safer than TCP. MD5 for passwords is a must!
If you can edit Apache's config, I recommend mod_security to have at least some protection, and to be really safe, Suhosin for PHP is another thing to look at, but I am not sure about its effectiveness.
Block dl,exec,passthru,proc_open,proc_close,shell_exec,system,curl_exec,curl_multi_exec,parse_ini_file,show_source
in case of remote code vulnerabilities, if you really want to go that far. Even further would be locking PHP down with base_dir and safe_mode, but that will break 90% of all PHP applications.
Securing the temp directory with things like noexec may save you the time later if it comes to that.
Firewall and protect SSH FTP and MySQL access.
Some servers are configured so you can chmod to 700.
Keeping PHP apps up to date shouldn't even have to be said.
You have to secure the server itself before you secure anything else.
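
Added example (not part of any post in this thread): a small Python check for two of the suggestions above, that MySQL only accepts local connections and that the function list from post #10 is actually blocked. It assumes the list is applied through php.ini's `disable_functions` directive and that MySQL's listener is set with `bind-address` or `skip-networking` under `[mysqld]`; the sample configs are constructed.

```python
# Function list quoted from post #10 of the thread.
BLOCKLIST = ("dl,exec,passthru,proc_open,proc_close,shell_exec,system,"
             "curl_exec,curl_multi_exec,parse_ini_file,show_source").split(",")

def parse_ini(text, section=None):
    """Return key -> value; with `section`, only keys under that [section]."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if section is not None and current != section:
            continue
        key, _, value = line.partition("=")
        # MySQL accepts bind-address and bind_address; normalise to "_".
        settings[key.strip().lower().replace("-", "_")] = value.strip().strip("\"'")
    return settings

def missing_disabled_functions(php_ini_text):
    """Blocklisted functions that disable_functions does not cover."""
    value = parse_ini(php_ini_text).get("disable_functions", "")
    disabled = {name.strip().lower() for name in value.split(",")}
    return [name for name in BLOCKLIST if name not in disabled]

def mysql_listens_locally(my_cnf_text):
    """True if [mysqld] turns TCP off or binds only to a loopback address."""
    cfg = parse_ini(my_cnf_text, section="mysqld")
    if cfg.get("skip_networking", "0").lower() not in ("0", "off", "false"):
        return True                               # socket-only, no TCP listener
    return cfg.get("bind_address") in ("127.0.0.1", "::1", "localhost")

# Constructed sample configs (not taken from the thread).
SAMPLE_PHP_INI = """[PHP]
; partial hardening only
disable_functions = exec, passthru, shell_exec, system, proc_open
"""
SAMPLE_MY_CNF = """[client]
port = 3306
[mysqld]
bind-address = 0.0.0.0
"""
HARDENED_MY_CNF = "[mysqld]\nbind-address = 127.0.0.1\n"

if __name__ == "__main__":
    print("not blocked:", missing_disabled_functions(SAMPLE_PHP_INI))
    print("sample my.cnf local only:", mysql_listens_locally(SAMPLE_MY_CNF))
    print("hardened my.cnf local only:", mysql_listens_locally(HARDENED_MY_CNF))
```

A missing `bind-address` is reported as not local-only, since the check cannot tell what the server's built-in default is.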
-
08-29-2008, 01:05 AM #11 WHT Addict
- Join Date
- Jan 2008
- Posts
- 115
If you purchase "shared" hosting from a company like Godaddy.com, do they automatically secure the server for you?