Thread: Secure a website
08-07-2008, 10:42 PM #1 Junior Guru Wannabe
Secure a website
I was wondering how to secure my website from hackers, or anything like that. I host my own website, from a home server and I was wondering what I can do to protect me and my website.
08-08-2008, 12:31 AM #2 Retired Moderator (San Francisco)
Keep your server software upgraded, setup a firewall and only open needed ports, update your website scripts, etc.
08-08-2008, 06:14 AM #3 Newbie
You can also run your site over SSL. Create your own certificate or you can buy one. HTTP port can also be redirected to HTTPS so that visitors can put http:// and they would get redirected to https://. Keep only port 80 and 443 open in firewall and keep your packages updated.
08-08-2008, 06:28 AM #4 Web Hosting Guru (Williston, Florida)
Even with all the above great suggestions, I would suggest for any server open to the web, a file integrity program like tripwire (deprecated) or OSSEC to monitor for attack attempts and unwanted changed files.
WarPigW2-Old site for game I used to play, and other things along the way
TutorialMasters - Tutorials Designed for You
08-08-2008, 07:20 AM #5 Web Hosting Master (USA, UK, Singapore)
In addition to the above suggestions, you should seriously consider getting your server secured from a professional.
Rick | SoftSys Hosting | 14 Years In Business - 24/7 In-House Support - Enterprise Class Replicated Cloud Servers For HA
Cloud Hosting With Anti-Malware, IDS/IPS, WAF & Litespeed - Windows 2019 Shared Hosting w/ Plesk
08-08-2008, 08:54 AM #6 Registered User
I'm assuming it's a Linux based server with Apache/PHP.
1) Install mod_chroot, configure your chrooted environment accordingly.
2) Ensure valid restrictive ACLs in the chrooted environment.
3) Install the Suhosin extension
4) Install and configure OSSEC-HIDS (as already suggested) to monitor for file changes inside the chrooted environment as well as system-wide.
5) Shutdown unnecessary daemons, verify with 'netstat -apvtuln'
6) Configure a restrictive ingress/egress firewall using iptables with a default chain policy of DROP
7) Implement fail2ban configured to protect your daemons from authentication brute-force attacks. Configure fail2ban to ban after excessive 404 or script-kiddie site enumeration.
8) Implement restrictive php.ini settings inclusive of disabling phpinfo(), allow_url_fopen, allow_url_include, expose_php, and others.
9) Implement mod_evasive to reduce resource exhaustion during targeted DoS attacks.
10) Reduce the TCP FIN_TIMEOUT to 30 seconds.
11) Perform a daily manual log review to supplement OSSEC in looking for intrusion attempts or oddities.
12) If using SSH, disable password authentication and use key-based authentication with strong passwords. Move the SSH daemon from TCP 22 to another port. Force protocol version 2.
13) Configure Apache to serve your site based on the vhost host header not on IP address. Configure the default website, running on IP address, to 403. Configure Fail2ban to ban after any hit to the default site.
14) Configure Apache2 to use ProductToken ServerOnly and ServerSignature Off
There's a lot more, this is all I could come up with in 4 minutes.
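A worked example for steps 6, 8 and 12 of the list above (added here; it is not part of the post, and the function names, the sample config files and the chosen SSH port 2222 are this example's own assumptions, not anything the poster described). It audits a php.ini and an sshd_config for the settings named in those steps and writes out an iptables-restore ruleset whose chains all default to DROP. The config files are constructed in a temp dir so the script runs offline; on a real box you would point the audit functions at /etc/php*/php.ini and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): audit a few of the hardening
# steps in the thread and generate a default-DROP firewall ruleset.
# Sample configs below are constructed for the demo; names are this script's own.
set -u

# ini_get FILE KEY: effective value of KEY, accepting "key = value" (php.ini)
# or "Key value" (sshd_config); ;/# comments stripped, last definition wins,
# empty output when the key is unset.
ini_get() {
    sed -e 's/[;#].*$//' "$1" \
    | grep -Ei "^[[:space:]]*$2([[:space:]]*=|[[:space:]]+)" \
    | sed -E 's/^[[:space:]]*[^[:space:]=]+[[:space:]]*=?[[:space:]]*//; s/[[:space:]]*$//' \
    | tail -n 1
}
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Step 8: these must be explicitly Off (PHP defaults expose_php and
# allow_url_fopen to On), and phpinfo must be in disable_functions.
audit_php_ini() {   # usage: audit_php_ini /path/to/php.ini ; exit 0 = hardened
    rc=0
    for key in expose_php allow_url_fopen allow_url_include; do
        case "$(lower "$(ini_get "$1" "$key")")" in
            off|0) ;;
            *) echo "php.ini: $key should be Off"; rc=1 ;;
        esac
    done
    if ! ini_get "$1" disable_functions | grep -Eq '(^|,)[[:space:]]*phpinfo[[:space:]]*(,|$)'; then
        echo "php.ini: phpinfo missing from disable_functions"; rc=1
    fi
    return $rc
}

# Step 12: keys only, protocol 2 only, daemon moved off TCP 22 (unset Port = 22).
audit_sshd() {      # usage: audit_sshd /path/to/sshd_config ; exit 0 = hardened
    rc=0
    [ "$(lower "$(ini_get "$1" PasswordAuthentication)")" = no ] || { echo "sshd: PasswordAuthentication should be no"; rc=1; }
    [ "$(ini_get "$1" Protocol)" = 2 ] || { echo "sshd: Protocol should be 2 only"; rc=1; }
    port=$(ini_get "$1" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "sshd: move Port off 22"; rc=1; }
    return $rc
}

# Step 6: iptables-restore ruleset. Every chain defaults to DROP; inbound only
# 80, 443 and the moved SSH port; egress limited to DNS, NTP and package updates.
gen_iptables_rules() {   # usage: gen_iptables_rules SSH_PORT > rules.v4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,$1 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample configs (not copied from any real server) for the demo.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
WEAK_PHP_INI=$TMP/php-weak.ini; HARDENED_PHP_INI=$TMP/php-hard.ini
WEAK_SSHD=$TMP/sshd-weak;       HARDENED_SSHD=$TMP/sshd-hard
printf '%s\n' 'expose_php = On' 'allow_url_fopen = On' 'allow_url_include = Off' \
    'disable_functions =' > "$WEAK_PHP_INI"
printf '%s\n' '; hardened' 'expose_php = Off' 'allow_url_fopen = Off' 'allow_url_include = Off' \
    'disable_functions = phpinfo, exec, shell_exec, system' > "$HARDENED_PHP_INI"
printf '%s\n' '#Port 22' 'Protocol 2,1' 'PasswordAuthentication yes' > "$WEAK_SSHD"
printf '%s\n' 'Port 2222' 'Protocol 2' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$HARDENED_SSHD"

# Demo run: the weak files print findings, the hardened ones report OK.
for f in "$WEAK_PHP_INI" "$HARDENED_PHP_INI"; do
    if audit_php_ini "$f"; then echo "$f: OK"; fi
done
for f in "$WEAK_SSHD" "$HARDENED_SSHD"; do
    if audit_sshd "$f"; then echo "$f: OK"; fi
done
gen_iptables_rules 2222 > "$TMP/rules.v4"   # load with: iptables-restore < rules.v4
```

Load the generated ruleset from a console or an out-of-band session, not over the SSH connection you are about to firewall, and keep a second session open until you have confirmed the moved SSH port is reachable; the ruleset uses the conntrack match, so on a kernel old enough to lack it substitute `-m state --state`.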