<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TPP Internet &#187; Reseller Tips</title>
	<atom:link href="http://help.tppinternet.com.au/category/reseller/reseller-tips/feed/" rel="self" type="application/rss+xml" />
	<link>http://help.tppinternet.com.au</link>
	<description>Detailed Help for TPP Products &#38; Services</description>
	<lastBuildDate>Tue, 31 Jan 2012 00:27:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Protect Yourself From Hackers</title>
		<link>http://help.tppinternet.com.au/2010/10/protect-yourself-from-hackers/</link>
		<comments>http://help.tppinternet.com.au/2010/10/protect-yourself-from-hackers/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 03:59:54 +0000</pubDate>
		<dc:creator>Marketing</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Reseller]]></category>
		<category><![CDATA[Reseller Tips]]></category>
		<category><![CDATA[Retail]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://help.tppinternet.com.au/?p=799</guid>
		<description><![CDATA[Protecting your site against hackers

Keeping your site safe and secure from hackers is very important. Although TPP Internet employs a raft of measures to keep our servers secure, this does not mean that your own account is impervious to hackers.
This support article contains some strategies you can take to better secure your site against malicious [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Protecting your site against hackers</strong></p>
<p>Keeping your site safe and secure from hackers is very important. Although TPP Internet employs a raft of measures to keep our servers secure, this does not mean that your own account is impervious to hackers.</p>
<p>This support article contains some strategies you can take to better secure your site against malicious activity.</p>
<p><strong>Keep your scripts up to date</strong></p>
<p>This is an extremely important measure &#8211; make sure you keep abreast of the latest updates to any scripts you run, especially if they are popular and widely used (for example, Joomla, Mambo, WordPress, vBulletin, as well as any shopping carts, forum software, etc). Once a vulnerability is exploited it spreads like wildfire through the internet.</p>
<p>Most scripts cannot auto-update themselves, so you will have to do this manually. If you are using any third party software you will need to check the vendor&#8217;s website for the current version; most likely there will be an upgrade package you can download with instructions. Before upgrading your third party software, ensure you make a copy of your current web files and database.</p>
<p>Some scripts may have an RSS feed or newsletter you can subscribe to if you want to be informed about the latest updates. Note that this applies equally to any third party modules and plugins you may use.</p>
<p><strong>Remove the install folder/script</strong></p>
<p>Often when you install a script it will leave behind a configuration or installation script. Most of the time you will be instructed to delete that script once you are finished installing your software (otherwise someone else can simply run the script again and gain access to your installation!).</p>
<p><strong>Obfuscate your admin area</strong></p>
<p>Using automated scripts, hackers will scan and probe directories looking for tell-tale files like login.php, adminlogin.php, and so forth. If possible, rename that file to something nonsensical (mypetdogrover.php for example). By doing this you are denying the hackers another technique in their arsenal.</p>
<p><strong>Use appropriate file permissions</strong></p>
<p>File permissions tell the server who can read, write or execute a file or folder. Most FTP programs can set file permissions (try right clicking the file/folder and then clicking file permissions or properties).</p>
<p>File permissions are set using a group of 3 numbers (this is called an octal representation, because each number ranges from 0 to 7). The first number defines file permissions for the owner of the account (that&#8217;s you), the second number for the group, and the third for all others.</p>
<p><strong>Appropriate file permissions</strong></p>
<p>644</p>
<p>* Owner has read and write permissions<br />
* Group has only read permissions<br />
* Others have only read permissions</p>
<p>755 &#8211; (required to install some scripts or to browse to a certain directory)</p>
<p>* Owner has read, write, and execute<br />
* Group has read and execute<br />
* Others have read and execute permissions</p>
<p><strong>What is the difference between read, write and execute?</strong></p>
<p>For files:</p>
<p>* Read &#8211; the file can be read<br />
* Write &#8211; the user or process can write to and change the file<br />
* Execute &#8211; the file can be executed or run</p>
<p>For directories:</p>
<p>* Read &#8211; the directory listing can be obtained<br />
* Write &#8211; the directory&#8217;s contents can be changed: new files can be created or existing files deleted<br />
* Execute &#8211; the directory can be accessed</p>
<p>You can click around with the various options for user, group and world in your FTP program, and see how the octal values change.</p>
<p><strong>Don&#8217;t use 777 permissions!</strong></p>
<p>Can you see now why you should never use 777 permissions? 777 means that anyone can read, write and execute files and folders in your webspace. Therefore, a malicious hacker can deploy a payload to your 777 directory or file (the &#8216;write&#8217; part) and then run it inside your webspace (the &#8216;execute&#8217; part). At this point your entire account is probably compromised.</p>
<p>You should always refer to your script documentation for appropriate file permissions. If you are not sure, then 644 is generally quite safe to use for your files.</p>
<p>When installing software onto the web server, the vendor may instruct you to use 777 permissions on particular files. Doing this gives &#8216;anyone&#8217; access to execute files in your webspace. You need to ensure these file permissions are set to 755 to avoid this happening.</p>
<p><strong>Maintain strong passwords</strong></p>
<p>Make sure you use strong passwords (at least 12 characters, with symbols and numbers where possible). This reduces the risk of brute force and dictionary attacks.</p>
<p>Use different and unique passwords for your MyAccount, Cpanel, MySQL databases and email accounts. If you need some secure passwords then you can use the random password generator at http://www.pctools.com/guides/password/.</p>
<p>It is also a best practice to change your passwords every month to maintain the security of your accounts.</p>
<p><strong>Keep your own PC up to date and virus free</strong></p>
<p>Make sure you keep up with all the Windows updates and leave your firewall on (either the Windows firewall or ZoneAlarm should do). Also make sure you are running an up to date virus scanner and that you scan for Spyware periodically.</p>
<p>If your computer does get infected, hackers can potentially install a keylogger on your PC. Keyloggers record everything you type and send it back to the hacker, thereby compromising all your secure accounts.</p>
<p><strong>Don&#8217;t log into your account at internet cafes or via unsecured Wi-Fi</strong></p>
<p>It goes without saying that you don&#8217;t know what is on the internet cafe PC, and you therefore should not trust it. Even if the internet cafe owner is legitimate, someone may have installed a hardware keylogger dongle on the keyboard itself, capturing all your passwords and login details. Similarly, if you use a public Wi-Fi point someone might be &#8216;listening in&#8217; and intercepting your details.</p>
<p><strong>Containment principle</strong></p>
<p>Our servers are set up in a way that contains any damage or hacking activity to just the one user account. Therefore, if you make any of the mistakes listed above and you are exploited, only your user account will be affected. If you are affected, however, the best and quickest way to recover is to restore from backup.</p>
<p><strong>Restoring from a backup</strong></p>
<p>If your account is compromised, restoring from your last known good backup is preferred. Using this method you can be sure that none of your files have been tampered with or modified. Although we do create backups, we urge all our customers to periodically make their own. Once your account is restored you can then utilise the tips above to prevent it being compromised again.</p>
<p><strong>Developing applications</strong></p>
<p>If you are developing an application, or are customising a ready made script, you need to be painfully aware of these two types of attack vector: SQL injection and Cross Site Scripting (XSS). These attack vectors are well beyond the scope of this article, but they are important enough that you should educate yourself about them.</p>
<p><strong>Conclusion</strong></p>
<p>We hope that you learned something from this article. It is not meant to be a complete guide on server security &#8211; indeed, behind the scenes we diligently perform dozens of backend server tweaks and tasks to ensure that the security of the service is maintained (the mechanics of these tweaks are beyond the scope of this article). Nor do we warrant or guarantee that by following these best practice principles you will be 100% safe. What we do believe is that this article will definitely give you a fighting chance and make you a far harder target to exploit than someone who does not adhere to them.</p>
<p><strong>Glossary</strong></p>
<p>Brute force attack: A hacking technique whereby someone attempts to guess your password by trying hundreds or thousands of various combinations.</p>
<p>Dictionary attack: A variation on brute force; the attacker instead uses a set of common dictionary words to guess your password.</p>
<p>Firewall: A collection of security measures designed to prevent unauthorised access to your files. Firewalls can be hardware devices or software that resides on your PC.</p>
<p>Script: A file written in some sort of programming language that, upon execution, runs a series of commands. Examples of complex scripts include shopping carts, forums, blogs, or content management systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://help.tppinternet.com.au/2010/10/protect-yourself-from-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

