In my quest to beat the hackers who have had a go at some customer websites, I have created a list of a few basic security steps for people building their own websites. Please do leave comments of any others you can think of.
1) Make sure that passwords are not readable in your database.
Yes, it can make life more difficult when you need to reset your own password, but if a hacker manages to gain read access to your database (which can be quite easy, see step 5) then if passwords are on show they can access anything. Even if you just create an MD5 checksum of the password so that it is difficult to read, that is a step in the right direction.
Yes, it can make life more difficult when you need to reset your own password, but if a hacker manages to gain read access to your database (which can be quite easy, see step 5) then if passwords are on show they can access anything. Even if you just create an MD5 checksum of the password so that it is difficult to read, that is a step in the right direction.
2) Give your logons good user names.
In single user systems it is tempting to do without user names or use basic names such as ‘admin’. Don’t! If a hacker has to find out a username and a password they are much less likely to get through. Store them on separate tables in your database, or in a single user (or limited user) environment, why not store the username in the PHP / ASP? A username is a good protection against brute force attacks.
In single user systems it is tempting to do without user names or use basic names such as ‘admin’. Don’t! If a hacker has to find out a username and a password they are much less likely to get through. Store them on separate tables in your database, or in a single user (or limited user) environment, why not store the username in the PHP / ASP? A username is a good protection against brute force attacks.
3) Check what you upload!
Does your admin allow you to upload files to your server? This is what a hacker wants – then they can upload their backdoors. If you are expecting to upload images check the file is an image (jpg, gif etc). If it is meant to be PDF validate that. Then, rename the file to hide it! For example picture.jpg might become 1.jpg.
Does your admin allow you to upload files to your server? This is what a hacker wants – then they can upload their backdoors. If you are expecting to upload images check the file is an image (jpg, gif etc). If it is meant to be PDF validate that. Then, rename the file to hide it! For example picture.jpg might become 1.jpg.
4) Do not directly access uploaded images.
If a hacker can upload a file, then they need to find out where it is stored. But, if you instead use a picture resizing routine which has the uploads directory hard coded, then there is no clue as to what directory the files are stored in. If a hacker realises that the uploaded files are well hidden it might be enough to make them leave your site alone.
If a hacker can upload a file, then they need to find out where it is stored. But, if you instead use a picture resizing routine which has the uploads directory hard coded, then there is no clue as to what directory the files are stored in. If a hacker realises that the uploaded files are well hidden it might be enough to make them leave your site alone.
5) Validate all input string parameters.
To gain read access of the database a hacker can try to manipulate inputs. So, make sure the values are what you expected. For example, if you have mypage.php?id=1 and the id is a number, then fail the script immediately if the id is not numeric.
To gain read access of the database a hacker can try to manipulate inputs. So, make sure the values are what you expected. For example, if you have mypage.php?id=1 and the id is a number, then fail the script immediately if the id is not numeric.
If you are passing a string, within the PHP / ASP check it for an exact match on expected results before using it within a MYSQL query. You can do this by running through the database values or a hardcoded list.
If you are running a search function then this is a lot more difficult to protect, but not impossible. Make sure you use the POST method and check the referring page is on your website. If possible, remove all non alpha-numeric characters or at the very least backslash out quotes. If you don’t then they will cause problems anyway in genuine searches.
6) Monitor failed logons.
And maybe even those queries detected in step 5. If the logon fails, send yourself an email. If there is a brute force attack you might find your email box suddenly filled up, so you might prefer to use a separate email address for this. If you want to be really clever monitor the failed logon attempts and lock your admin out for an hour after a few failed attempts.
And maybe even those queries detected in step 5. If the logon fails, send yourself an email. If there is a brute force attack you might find your email box suddenly filled up, so you might prefer to use a separate email address for this. If you want to be really clever monitor the failed logon attempts and lock your admin out for an hour after a few failed attempts.
No comments:
Post a Comment