  1. #1
    Join Date
    Jun 2008
    Posts
    99

    * Secure a website

    I was wondering how to secure my website from hackers, or anything like that. I host my own website, from a home server and I was wondering what I can do to protect me and my website.

  2. #2
    Join Date
    May 2006
    Location
    San Francisco
    Posts
    7,325
    Keep your server software upgraded, set up a firewall and only open needed ports, update your website scripts, etc.

  3. #3
    You can also run your site over SSL. Create your own certificate or you can buy one. The HTTP port can also be redirected to HTTPS so that visitors can put http:// and they would get redirected to https://. Keep only ports 80 and 443 open in the firewall and keep your packages updated.

  4. #4
    Join Date
    Apr 2006
    Location
    Williston Florida
    Posts
    262
    Even with all the above great suggestions, I would suggest for any server open to the web, a file integrity program like tripwire (deprecated) or OSSEC to monitor for attack attempts and unwanted changed files.


  5. #5
    Join Date
    Feb 2007
    Location
    USA, UK, Singapore
    Posts
    3,481
    In addition to the above suggestions, you should seriously consider getting your server secured from a professional.

    Rick

  6. #6
    Join Date
    Aug 2008
    Posts
    41
    I'm assuming it's a Linux based server with Apache/PHP.

    1) Install mod_chroot, configure your chrooted environment accordingly.
    2) Ensure valid restrictive ACLs in the chrooted environment.
    3) Install the Suhosin extension
    4) Install and configure OSSEC-HIDS (as already suggested) to monitor for file changes inside the chrooted environment as well as system-wide.
    5) Shut down unnecessary daemons, verify with 'netstat -apvtuln'
    6) Configure a restrictive ingress/egress firewall using iptables with a default chain policy of DROP
    7) Implement fail2ban configured to protect your daemons from authentication brute-force attacks. Configure fail2ban to ban after excessive 404 or script-kiddie site enumeration.
    8) Implement restrictive php.ini settings inclusive of disabling phpinfo(), allow_url_fopen, allow_url_include, expose_php, and others.
    9) Implement mod_evasive to reduce resource exhaustion during targeted DoS attacks.
    10) Reduce the TCP FIN_TIMEOUT to 30 seconds.
    11) Perform a daily manual log review to supplement OSSEC in looking for intrusion attempts or oddities.
    12) If using SSH, disable password authentication and use key-based authentication with strong passwords. Move the SSH daemon from TCP 22 to another port. Force protocol version 2.
    13) Configure Apache to serve your site based on the vhost host header not on IP address. Configure the default website, running on IP address, to 403. Configure Fail2ban to ban after any hit to the default site.
    14) Configure Apache2 to use ProductToken ServerOnly and ServerSignature Off


    There's a lot more, this is all I could come up with in 4 minutes.
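Step 7 in the list above (ban after excessive 404s) is easy to prototype before writing a fail2ban filter. The script below is an added example, not code from this thread: it applies fail2ban's maxretry/findtime semantics to constructed Apache combined-format log lines, using documentation-range IPs as sample clients.

```python
"""Sliding-window 404 counter modelled on fail2ban's maxretry/findtime.

Runs over constructed Apache combined-format lines (sample data, not a real log).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client enumerating admin paths, one client hitting a
# stale link twice over twenty minutes, one normal visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2008:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.18"',
    '198.51.100.7 - - [10/Oct/2008:13:55:37 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "curl/7.18"',
    '192.0.2.1 - - [10/Oct/2008:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2008:13:55:38 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.18"',
    '198.51.100.7 - - [10/Oct/2008:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.18"',
    '198.51.100.7 - - [10/Oct/2008:13:55:40 +0000] "GET /setup.php HTTP/1.1" 404 209 "-" "curl/7.18"',
    '203.0.113.9 - - [10/Oct/2008:14:00:00 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2008:14:20:00 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return (ip, timestamp, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))

def offenders(lines, maxretry=5, findtime=600, statuses=(404,)):
    """Return the set of IPs that reached `maxretry` matching responses inside
    any `findtime`-second window (fail2ban's ban condition). `statuses` can be
    set to (403,) to watch the default vhost from step 13 if it logs separately."""
    windows = defaultdict(deque)   # ip -> timestamps of recent matches
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in statuses:
            continue
        ip, ts, _ = parsed
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()            # drop hits older than the window
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE_LOG)))  # prints ['198.51.100.7']
```

Lowering maxretry or widening findtime makes the rule more aggressive; the two spaced-out hits from 203.0.113.9 show why the window matters for not banning ordinary visitors following stale links.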
