Posted - March 05 2003 : 00:23:39
Hi all,
(Probably for system admins, webmasters)
This is a very, very fast overview of how to make your servers, databases and administrative web pages a little more secure.
It's well known that every system/code has security holes of every type. The first step in learning how to avoid hackers is in fact to try to be one of them: knowing what they know is the best defense. Inform yourself, at least about the security issues of the system you're using.
I will focus on Windows systems since they seem to be more vulnerable.
If you are using Windows systems, visit the Windows Update website often, get an enterprise firewall (if you can still get Atguard 3.2, it's the best one and the most customizable) and block every port that the server is not using.
For database users, I highly recommend using MySQL instead of Access or MSSQL. First of all, it is extremely secure, very fast, and free. Be sure to remove any access from external users: just leave the root user, with access from localhost only. If you have to use Access, please don't put the database in the root directory, and use a DSN connection.
Now, for your administrative pages, I have some simple but clever tricks that will keep hackers or curious people away from them. First of all, even if you have a secure login/password, think about it twice: once the login interface is available on the web, hackers can use brute-force username/password generators that send hundreds of requests a minute, for hours, until they gain access to your administrative facilities. So the first step is to hide your administrative pages, or move them to another location on the site:
- Use a different directory than the root or the default one (if you bought your shopping cart, e.g. VPASP).
- I'll use ASP for the following example, but it can easily be done in PHP too: if you have control over your server, add a new port to it, let's say 2342 (or any unused port), then put the following code at the top of your admin page:
<%
' SERVER_PORT is the port this request arrived on; anything not on 2342 is sent away.
If Request.ServerVariables("SERVER_PORT") <> "2342" Then
    Response.Redirect("anypage_or_website.asp")
End If
%>
This little piece of code restricts access to your admin pages to that port only.
- To restrict access to just your office or home computer and other administrators, the best way is to get a connection with a static IP, then add the following code at the top of the page:
<%
' REMOTE_ADDR is the address of the TCP peer that made the request.
ipaddress = Request.ServerVariables("REMOTE_ADDR")
' Both comparisons must fail before we redirect, so the operator is "And", not "Or":
' with "Or" the condition is always true (no address equals both) and everyone is locked out.
If ipaddress <> "yourIPHERE" And ipaddress <> "youradminIPHERE" Then
    Response.Redirect("anypage_or_website.asp")
End If
%>
Now the admin page will be available only to your PC and your admin's PC.
- Do not keep CC information in your database!! You only need it to process the order; after that it becomes useless (but not for hackers).
These very simple measures can go a long way toward securing your site.
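The port check and the IP check from the two tricks above, combined into a single gate, as an added example that is not part of the original post. It is written in Python as a WSGI middleware rather than in ASP, but it reads the same CGI variables (SERVER_PORT, REMOTE_ADDR) that ASP exposes through Request.ServerVariables. The port number, the allowlisted addresses (taken from the RFC 5737 documentation ranges), the redirect target and the function names are placeholders of my own; it also generalizes the single-address comparison to CIDR ranges, which the post does not do.

```python
"""Admin-page gate: request must arrive on the admin port AND from an
allowlisted address, otherwise it is redirected.  Constructed example."""
import ipaddress

# Hypothetical settings; the post leaves the actual values to the reader.
ADMIN_PORT = "2342"
# Your own PC plus an office range.  203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation addresses, used here only as sample data.
ADMIN_ALLOWLIST = ("203.0.113.10", "198.51.100.0/29")
REDIRECT_TO = "/anypage_or_website.asp"


def _parse_allowlist(entries):
    """Turn 'a.b.c.d' and 'a.b.c.d/n' strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(server_port, remote_addr,
               allowlist=ADMIN_ALLOWLIST, admin_port=ADMIN_PORT):
    """True only when BOTH checks pass.  Note the 'and' semantics: an
    'or' between the two IP comparisons (as in a naive first attempt)
    is always true and locks every visitor out."""
    if str(server_port) != str(admin_port):
        return False
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # missing or malformed REMOTE_ADDR: deny
        return False
    return any(addr in net for net in _parse_allowlist(allowlist))


def admin_gate(app):
    """WSGI middleware wrapping an admin application."""
    def gated(environ, start_response):
        # REMOTE_ADDR is the TCP peer.  Behind a reverse proxy or load
        # balancer it is the proxy's address, so this gate must sit on
        # the host that actually terminates the client connection.
        if not is_allowed(environ.get("SERVER_PORT", ""),
                          environ.get("REMOTE_ADDR", "")):
            start_response("302 Found", [("Location", REDIRECT_TO)])
            return [b""]
        return app(environ, start_response)
    return gated


def _admin_app(environ, start_response):
    """Stand-in for the real admin page."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin page"]


def handle(environ):
    """Run the gated admin app on one request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(admin_gate(_admin_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed sample requests: allowed, wrong port, unknown address.
    for env in (
        {"SERVER_PORT": "2342", "REMOTE_ADDR": "203.0.113.10"},
        {"SERVER_PORT": "80",   "REMOTE_ADDR": "203.0.113.10"},
        {"SERVER_PORT": "2342", "REMOTE_ADDR": "192.0.2.77"},
    ):
        print(env, "->", handle(env)[0])
```

Both checks are access control by address and port, not authentication: a port scan finds the extra port, and an attacker on an allowlisted network is let through. Keep the login on the page as well; the gate only shrinks who gets to attempt it.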
I hope this helps.