Security is an interesting topic, with a lot of shades of gray. HamaraHost.com takes security very seriously, but as with any other system, there are potential security issues that may arise and there are always trade offs when balancing security and convenience. We will go through some common things you can do to keep your website secure.
What is security? Fundamentally, security is not about perfectly uncrackable systems, which might well be impossible to find and/or maintain. Security has more to do with trust and responsiveness. For example, a trusted host runs a stable, patched branch of their webserver (be it Apache, IIS, or whatever). They should tell you this, test their configuration themselves, and let you determine it for yourself. An untrusted host does not apply patches when they are released and does not tell you what server versions they are running.
Several themes run through this guide:
- Limiting access: Making smart choices that effectively lower the possible entry points available to a malicious person.
- Containment: If a weak point in your Website is found by a malicious person, your system should be configured to minimize the amount of damage that can be done once inside your system.
- Knowledge: Keeping backups, knowing the state of your Website at regular time intervals, documenting your modifications all help you understand your installation.
If your site is hacked, you have to stay calm to be able to deal with this situation. The first step before you respond to any security incident is to calm yourself down to make sure you do not commit any mistakes. We are serious about it.
Vulnerabilities on your computer
Make sure the computers you use to FTP access your Website are free of spyware, malware, adware, and virus infections; and are running secure, stable versions of your applications. For example, none of the following makes the slightest difference if there is a keylogger on your PC.
Scan your local machine.: Sometimes the malware was introduced through a compromised desktop system. Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting AV software and hiding from them. So maybe try a different one. This advice generally only applies to Windows systems. If you do not have any AV software installed on your computer, you could use ClamAV for Windows-based PCs or ClamXav for Macs. ClamAV is also available for Linux and BSD systems.
Vulnerabilities in the Website itself
Your Website could have vulnerabilities as a result of how the program is written that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc, that could cause Bad Things to happen.
There are two ways to deal with this problem:
- Keep up to date with the latest version: Developers do not maintain security patches for older package versions. Once a new version has been released or the vulnerability has been fixed then the information required to exploit the vulnerability is almost certainly in the public domain making any old versions more open to attack by a simple script kiddie..
- Report bugs: If you find what you think is a bug, report it. You might have uncovered a vulnerability, or a bug that could lead to one.
The webserver running your Wesbsite, the database with the data, PHP and any other scripting/programming language used for plugins or helper apps could have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server, database, scripting interpreter, or make sure you are using a trusted host that takes care of these things for you.
It should also be mentioned that if you’re on a shared server (one that hosts other people besides yourself) if someone else is compromised, then it’s very likely you could be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.
The network on both ends — the server side and the client network side — should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. A busy Internet cafe where you are sending passwords in cleartext over an unencrypted wireless connection is not a trusted network, for example. Your host should be making sure that their network is not poisoned by hackers, and you should do the same. Network vulnerabilities allow passwords to be intercepted via sniffers and other sorts of havoc (such as man-in-the-middle attacks) to happen.
Some vulnerabilities can be avoided by good security habits. An important element of this are passwords: do not use your own name for your password, do not use a dictionary word (from any language) for your password, do not use a 4 character string of numbers as your password. Your goal with your password is to make the search space as large as possible, so using numbers and varying capitalization all make it more difficult, statistically, to brute force a password. This is particularly important if you do not rename the administrator account. In that case half the puzzle is already solved for malicious users as they know what username will give them significant privileges to edit files and databases. Many automatic password generators can be found on the internet and used to create secure passwords.
A strong admin password is necessary not just to protect the site/blog content; but also to protect against a hacker for instance uploading a script or doing other damage which could result in a compromise of the entire Website – in other words if a hacker gains access to the admin area they can do a lot more damage than simply changing the content.
Change the passwords again!: Remember, you need to change the passwords for your site after making sure your site is clean. So if you only changed them when you discovered the hack, change them again now.
When connecting to your server you should use encryption if your web host allows. Using encryption or FTPS is the same as traditional FTP, except your password and content is encrypted as it copied from your computer to your website. This means your password is never sent in the clear. Alternatively you can also use SSH to connect to your server, again if your web host allows.
Some websites allow some files to be writable by web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment.
It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.
Here is one possible permission scheme.
All files should be owned by your user account, and should be writable by you.
If you run multiple websites/blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user. This is a containment strategy: if an intruder successfully cracks one of Website, this makes it that much harder to alter your other blogs/websites.
If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a nice introduction.
Backup your data regularly, including your MySQL databases. Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media (such as CD-R) increases your confidence that your data has not been tampered with.
A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire Website (including core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site and possibly even post-compromise backups which will aid in determining how the site was compromised.
Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your blog back in place.
Monitoring your logs: If you are on a private server (where you have admin access), you have to watch your logs to detect password guessing attempts, web attacks, etc. A good open source solution to monitor your logs in real time and block the attacker is OSSEC.
Monitoring your files for changes: When an attack happens, it always leave traces. Either on the logs or on the file system (new files, files modified, etc). If you are using OSSEC that we recommended above, it will monitor your files and alert when they change as well.
Monitoring your web server externally for malware and changes: If the attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitor solution.