VP-ASP Shopping Cart Customer Forum
Forum: Credit card fraud and hackers
Topic: Tips to avoid Hackers

andreshm
Starting Member

10 Posts

Posted - March 05 2003 :  00:23:39
Hi all,
(Probably for system admin, webmasters)
This is a very, very fast overview of how to secure your servers, databases and administrative web pages a little bit more.
It's well known that every system/code has security holes of every type. The first step in learning how to avoid hackers is in fact to try to be one of them: knowing what they know is the best defense. Inform yourself, at least about security issues on the system that you're using.
I will focus on Windows systems since they seem to be more vulnerable.
If you are using Windows systems, visit the Windows Update website often, get an enterprise firewall (if you can still get Atguard 3.2, it's the best one and the most customizable) and block every port that the server is not using.
For database users, I highly recommend using MySQL instead of Access or MSSQL. First of all, it is extremely secure, very fast, and free. Be sure to remove any access for external users: just leave the user root, with access from localhost. If you have to use Access, please don't put the database in the root directory, and use a DSN connection.
Now, for your administrative pages, I have some simple but clever tricks that will keep hackers or curious people away from your administrative pages. First of all, even if you have a secure login/password, think about it twice: once the login interface is available on the web, hackers can use brute force username/password generators that can send hundreds of requests in minutes, for hours, until they gain access to your administrative facilities. So the first step is to hide or change the location of your administrative pages on the site:
- Use a different directory than root or the default (if you bought your shopping cart, i.e. VPASP).
- I'll use ASP for the following example, but it can easily be done in PHP: if you have control over your server, add a new port to it, let's say 2342 (or any unused port), then use the following code at the top of your admin page:
<%
if Request.ServerVariables("SERVER_PORT") <> "2342" then
    Response.Redirect("anypage_or_website.asp")
end if
%>
This little code will restrict access to your admin page to that port only.
- To restrict access just to your office or home computer and other administrators, the best way is to get a connection with a static IP, then add the following code at the top of the page:
<%
ipaddress = Request.ServerVariables("REMOTE_ADDR")
if ipaddress <> "yourIPHERE" or ipaddress <> "youradminIPHERE" then
response.Redirect("anypage_or_website.asp")
end if
%>
Now the admin page will be available just to your pc and your admin's pc.

- Do not keep CC information in your database!! You just need it to process your order, then it becomes useless (but not for hackers).

These are very simple measures that can help you big time to secure your site.

I hope this helps.

yoyo510
Starting Member

1 Posts

Posted - April 03 2003 :  20:14:25
I tried the code for blocking non-valid IPs, but when I enter two different IPs in the areas it does not work. If I enter the same IP in both locations it works fine, but I need the admin page accessible by 2 different IPs. What is going wrong here with this? Thanks for your help.

andreshm
Starting Member

10 Posts

Posted - April 08 2003 :  12:47:47
Sorry, that one works for just one IP.
This one will work fine:

first line:
<%
ipaddress = Request.ServerVariables("REMOTE_ADDR")
if ipaddress = "yourIPHERE" or ipaddress = "youradminIPHERE" then
%>

- PAGE CODE HERE -

last line:
<%
else
    Response.Redirect("anypage_or_website.asp")
end if
%>

Edited by - andreshm on June 12 2003 11:33:19
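The two posts above describe the same gate in two forms: the first version (`if ipaddress <> A or ipaddress <> B then redirect`) always redirects, and the corrected version tests equality against each allowed address. The following Python model, added here as an illustration and not code from VP-ASP or from either poster, reproduces both predicates side by side and combines the corrected allow-list with the SERVER_PORT check from the first post, run over constructed request data. The admin port 2342 comes from the post; the addresses in the allow-list and in the sample requests are assumptions drawn from the reserved documentation ranges, and the dictionary keys mimic `Request.ServerVariables("SERVER_PORT")` and `("REMOTE_ADDR")`.

```python
"""
Model of the admin-page gate from the thread: serve a request only when it
arrives on the dedicated admin port AND from an allow-listed client address.

Constructed example, not VP-ASP code. The dicts stand in for classic ASP's
Request.ServerVariables("SERVER_PORT") and ("REMOTE_ADDR").
"""

ADMIN_PORT = "2342"                          # the unused port chosen in the post
ALLOWED_IPS = frozenset({"203.0.113.10",     # assumption: office static IP (TEST-NET-3 range)
                         "203.0.113.20"})    # assumption: second administrator's static IP


def buggy_ip_check(server_vars: dict) -> bool:
    """Reproduces the first version posted: `if ip <> A or ip <> B then redirect`.

    For any ip, at least one of the two inequalities holds, so the redirect
    always fires unless A and B are the same address. Returns True if allowed.
    """
    ip = server_vars.get("REMOTE_ADDR", "")
    a, b = sorted(ALLOWED_IPS)
    redirect = ip != a or ip != b
    return not redirect


def ip_allowed(server_vars: dict, allowed=ALLOWED_IPS) -> bool:
    """Corrected allow-list from the reply: an exact-match membership test.

    Exact match matters: a prefix or substring test would let 203.0.113.100
    through when only 203.0.113.10 is allowed.
    """
    return server_vars.get("REMOTE_ADDR", "") in allowed


def port_allowed(server_vars: dict, admin_port=ADMIN_PORT) -> bool:
    """The SERVER_PORT check from the first post: only the dedicated admin port."""
    return server_vars.get("SERVER_PORT", "") == admin_port


def admin_gate(server_vars: dict) -> str:
    """Combine both checks and return "serve" or "redirect".

    REMOTE_ADDR is the address of the TCP peer. If a reverse proxy or load
    balancer sits in front of the web server, every request carries the
    proxy's address and this allow-list no longer identifies the client.
    """
    if port_allowed(server_vars) and ip_allowed(server_vars):
        return "serve"
    return "redirect"


# Constructed requests (not captured traffic).
REQUESTS = {
    "office_on_admin_port":   {"SERVER_PORT": "2342", "REMOTE_ADDR": "203.0.113.10"},
    "admin_on_admin_port":    {"SERVER_PORT": "2342", "REMOTE_ADDR": "203.0.113.20"},
    "office_on_port_80":      {"SERVER_PORT": "80",   "REMOTE_ADDR": "203.0.113.10"},
    "stranger_on_admin_port": {"SERVER_PORT": "2342", "REMOTE_ADDR": "198.51.100.7"},
    "prefix_lookalike":       {"SERVER_PORT": "2342", "REMOTE_ADDR": "203.0.113.100"},
}


def run_all() -> dict:
    """Evaluate every constructed request with the buggy and the corrected gate."""
    return {name: {"buggy_ip_check": buggy_ip_check(sv), "admin_gate": admin_gate(sv)}
            for name, sv in REQUESTS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:24} buggy_allows={result['buggy_ip_check']!s:5} "
              f"fixed={result['admin_gate']}")
```

Running it shows the buggy predicate rejecting even the two allowed addresses, which is exactly the symptom yoyo510 reported, while the corrected gate serves only the two allowed addresses and only on port 2342.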