Basics For Non-Experts
This tutorial is written for those who create hobbyist websites, but aren't web security experts, and want simple tips to protect themselves from hacks.
Why Protect your Server?
I can never be 100% sure, but evidence leads to my server control panel that had a known security hole. From there, the hacker gained ftp access to my site, and then ran a whole list of bad scripts. Was it my fault? Well, there was a whole host of things I *should* have done since day one to harden my server that most likely would have blocked the hacker. This article is to share what I learned the hard way.
Now I know what you are thinking, because I thought it too: "I'm a noob at web security and don't want to spend years studying web security to defend myself. My website is about [insert non-IT interest here], not IT related!" This website is about making robotics - I'd rather spend years studying robots, not defending myself against fat loser hackers who still live in their parents basement and can't get a real job (rant rant rant).
So this page is how to defend yourself against 95% of all hacks on your site, and to help you protect yourself from your noobness.
Don't Give Hackers a Target
php ruby on rails cgi webmail (just use redirects to your gmail, etc.) perl asp etc.
The other major advantage to turning everything off is that you don't need to constantly make sure that each are fully patched and updated against the most recent exploits. Simply turn off and forget.
Keep Software Up-To-Date
Now it's not reasonable to check for updates *every day*, so there are other methods. Some software has 'auto-update' or 'auto check for update' features. Turn on 'auto check for updates', but be wary of 'auto-update' as you don't want it to break anything without your knowledge. Also, sign up for any software mailing lists that notify users of newer versions . . . and pray they don't spam you with promotions in the mean time.
Hide software version numbers from public facing pages if at all possible.
There are also automated methods to update your server, such as Yum and Up2Date. These programs make it easy to check for new versions of software and to upgrade them without much hassle.
And DO NOT trust your webhost to do this for you!
Assume That You Will Be Hacked
Make sure you backup everything, and do it often. Automate your backups, because it's annoying to do it manually in my opinion. Verify that your backups actually work. And don't delete your old backups, keep them all and date them appropriately. I once discovered a backup of mine was corrupted after corrupting the most recent version . . . and I only had that one backup. That was a sucky day for me . . . Assume that maybe one day your house will have a fire, flood, burglary, tornado, or some other 'wrath of god,' and any backups stored in your house will be destroyed/lost along with it. Keep a copy of your backups with a trusted friend/relative or in a safety deposit box at a bank.
Also assume that people are trying to hack you, but haven't succeeded yet. They'll occasionally test your system for any flaws that come up. You'll probably see these attempts in your server error log. They'll be pretty obvious, like attempts from a single IP address trying to access many non-existent files on your server, such as yoursite.com/admin. Don't ignore them, they may one day 'pwn joo'. Learn how to use a .htaccess file and IP block those basement dwelling losers cold.
You probably already know this, but don't use simple passwords, or any password that can be found in a dictionary (heard of the dictionary attack, yet?). Hackers expect your password to consist of only a few letters, then a few numbers (usually a recent year) at the end. If it's a password someone else is likely to use, it's probably in a hackers database already. Don't use the same password for every website - if one's hacked, all are. And don't store those passwords on your laptop/PC as it can be physically stolen.
Use a firewall. You [should] know exactly what programs are running on your server, and your firewall should only allow those programs access to the net. A backdoor would probably use a non-approved port number, so a firewall would quickly block it. Be careful when you first turn your firewall on, making sure you allowed valid programs access *first*. If you don't you'll end up blocking your own ftp, shell access, control panel, etc. If you don't know what you are doing, set your firewall up to 'allow all'. It won't block anything, but it'll at least log rogue programs.
Turn off anonymous ftp so a hacker doesn't have access to your code for potential exploit perusal.
Assume That You Have Already Been Hacked
As soon as you realize you were hacked, try to find out when. Look at the file dates and go through your error logs and ftp access logs. If you have a low traffic site, even go through your normal access logs. It's always good to at least skim through your error logs once a month to see any failed hack attempts (the successful ones won't get recorded there). Skim through your ftp access log occasionally for IP addresses that aren't yours. You can even block ftp access to any IP that isn't yours.
Finding that you were hacked, don't immediately delete all the hack files in a wave of frantic paranoia - save them first on your PC locally for later analysis. Save log files and everything else.
Try to determine if it was a non-directed automated attack (favorite method for spammers), or an intense directed attack specifically at you. The latter is scarier, because the hack will be much better hidden and customized to fool specifically you. If it's directed at you, they'll definitely try again. Those that use automated methods wouldn't think you are worth their time to hack again if their automated attack fails.
The most recommended course of action after being hacked is to simply erase your server and start over again, as there is no real way of knowing if any hidden backdoors were installed. But don't do this yet - figure out how they got in first. If you don't, you'll just reinstall the same security holes and get hacked again. Browsing Google for exploits on the software you used will definitely help you find that hole(s).
Has this site helped you with your robot? Give us credit -
link back, and help others in the forums!
Society of Robots copyright 2005-2014