The Internet Safety Guy
Internet Security & Web Site Security Tips

Most People On The Internet Are Good

Most people on the internet are good, honest people. However, there are some people browsing the internet who derive fun from poking around websites and finding security holes. A few simple tips can help you secure your website in the basic ways. Password Protecting Directories

If you have a directory on your server which should remain private, do not depend on people to not guess the name of the directory. It is better to password protect the folder at the server level. Over 50% of websites out there are powered by Apache server, so let's look at how to password protect a directory on Apache.

Apache takes configuration commands via a file called .htaccess which sits in the directory. The commands in .htaccess have effect on that folder and any sub-folder, unless a particular sub-folder has its own .htaccess file within. To password protect a folder, Apache also uses a file called .htpasswd . This file contains the names and passwords of users granted access. The password is encrypted, so you must use the htpasswd program to create the passwords. To access it, go to the command line of your server and type htpasswd. Type "htpasswd -c .htpasswd myusername" where "myusername" is the username you want. Confirm it and the file will be created. Also, if the file is inside your web folder, you should move it so that it is not accessible to the public. Now, open or create your .htaccess file. AuthUserFile /home/www/passwd/.htpasswdAuthGroupFile /dev/nullAuthName "Secure Folder"AuthType Basic

require valid-user

On the first line, adjust the directory path to wherever your .htpasswd file is. Turn Off Directory Listings

By default, any directory on your website which does not have a recognized homepage file (index.htm, index.php, default.htm, etc.) is going to instead display a listing of all the files in that folder. Your second option is to, again, use the .htaccess file to disable directory listing. To do so, just include the line "Options -Indexes" in the file. Now, users will get a 403 error rather than a list of files.

Remove Install Files

If you install software and scripts to your website, many times they come with installation and/or upgrade scripts. Leaving these on your server opens up a huge security problem because if somebody else is familiar with that software, they can find and run your install/upgrade scripts and thus reset your entire database, config files, etc. A well written software package will warn you to remove these items before allowing you to use the software. Just delete the files from your server.

Keep Up with Security Updates

Those who run software packages on their website need to keep in touch with updates and security alerts relating to that software. Anybody so inclined can find your site running the software and exploit the vulnerability if you do not upgrade. Reduce Your Error Reporting Level

Speaking mainly for PHP here because that's what I work in, errors and warnings generated by PHP are, by default, printed with full information to your browser. The problem is that these errors usually contain full directory paths to the scripts in question. To alleviate this, reduce the error reporting level of PHP. One is to adjust your php.ini file. Look for the error_reporting and display_errors directives. However, if you do not have access to this file (many on shared hosting do not), you can also reduce the error reporting level using the error_reporting() function of PHP. Secure Your Forms

Forms open up a wide hole to your server for hackers if you do not properly code them. Since these forms are usually submitted to some script on your server, sometimes with access to your database, a form which does not provide some protection can offer a hacker direct access to all kinds of things. Keep in mind...just because you have an address field and it says "Address" in front of it does not mean you can trust people to enter their address in that field. Imagine your form is not properly coded and the script it submits to is not either. What's to stop a hacker from entering an SQL query or scripting code into that address field? Use MaxLength. Input fields in form can use the maxlength attribute in the HTML to limit the length of input on forms. Use this to keep people from entering WAY too much data. This will stop most people. A hacker can bypass it, so you must protect against information overrun at the script level as well.

Hide Emails If using a form-to-mail script, do not include the email address into the form itself. It defeats the point and spam spiders can still find your email address.

Use Form Validation. Ensure that the fields received are the fields expected. Check that the incoming data is of reasonable and expected length and of the proper format (in the case of emails, phones, zips, etc.).

Avoid SQL Injection. A full lesson on SQL injection can be reserved for another article, however the basics is that form input is allowed to be inserted directly into an SQL query without validation and, thus, giving a hacker the ability to execute SQL queries via your web form. To avoid this, always check the data type of incoming data (numbers, strings, etc.), run adequate form validation per above, and write queries in such a way that a hacker cannot insert anything into the form which would make the query do something other than you intend.

Conclusion

Website security is a rather involved subject and it get a LOT more technical than this. However, I have given you a basic primer on some of the easier things you can do on your website to alleviate the majority of threats to your website.

© 2008-2024 The Internet Safety Guy - All Rights Reserved
Admin | powered by Affiliate Niche site Pro Deluxe Technology | Internet Safety