How To Prevent Your Site From Hacking?

This is an issue that a lot of people have been concerned about! Lots of sites and forums have been hacked. And I really worry that this might happen to my site or forum. So, does anyone know how to protect our passwords and prevent hacking?

I used to be a hacker, and let me tell you what I've found. Anything that can be changed by an authorized person remotely can be changed by anyone who wants to do enough research to get in. There is no such thing as "absolute security". Although most of my knowledge is with computer "security", it applies to all types of security. In the mind of a hacker, any upgrade to "security" is merely a challenge. Whenever a company says that their new system is unbreakable, I want to see if their claim is true. I now only hack my own computers. And although I don't spend as much time hacking as I used to, I still haven't found any type of protection that can't be broken. Also, the more protection that is put on any kind of site, the more hassles the real users have to deal with. It's all a compromise. If you wanted to have a dozen layers of security to get into a site, that could be done. Sure, it would make it harder on any hacker to break in, but that also makes it take longer for you to get in. So just remember, there is no way to completely prevent your site from getting hacked. But if you keep your website small, not near as many hackers will want to try to break in.
-YB

Nothing is foolproof, but some elementary caution will help:
1. Never assign permissions to any user or object greater than what they really need to be used.
2. Use the HTML maxlength attribute when practical to prevent people from entering scripts into text boxes.
3. Always have a default object in every directory, to make it harder for people to discover your directory structure.

Absolutely right!
4. Use a GOOD password for your admin account! Not "root" or "admin" or "susan" or "smith", but something that consists of letters AND numbers, perhaps mixed with some $§&€@-signs. And it is always safer to use a LONG password instead of a short one. A bruteforce attack might hack "susan17" but might need much more time to hack "s1&usanru56lokp34&hajkslwto@4772830hfgw". (just for example)
GreetingZ

maybe there is no way to make the unbreakable site, but the majority of people who want to call themselves hackers prefer "playing" with unprotected sites. These people aren't real hackers. they know nothing more than u and me. they just want to make ur life harder. By using a small security these people can't harm u. There still remain the real hackers. what do u think? why should they hack ur sites? I don't find a reason. so.... don't say, i won't put security cz they will destroy it. you will put, and if the other wants to touch ur site he will
if he is just a "kid playing with his computer!!" he will give up easy!
Hope u find a kind of good security ;)

Most people that do damage to sites are generally called "script kiddies" because they are simply running programs written by others, and they don't know what's going on in the program. These programs usually only work if the site is unprotected, or their security is really out of date. These kinds of individuals usually can't do anything to a reasonably protected site. And unless you get really big, or have something extremely interesting hidden within your site, the real hackers will probably leave you alone.
-YB

basically if u don't have any php scripts or anything that processes user input, you should be safe as long as your web server is updated and protected.
in case of free web hosting, there's nothing u can do if the server itself gets hacked.

And just a small remark about what Cassandra said,

> Nothing is foolproof, but some elementary caution will help:
>
> 1. Never assign permissions to any user or object greater than what they really need to be used.
> 2. Use the HTML maxlength attribute when practical to prevent people from entering scripts into text boxes.
> 3. Always have a default object in every directory, to make it harder for people to discover your directory structure.

2. HTML maxlength will not prevent long information from being sent to the processing script, it will just prevent it being sent from your form, which can be easily bypassed by sending a raw POST request or downloading and changing the maxlength of the field.

hope this extra info helped :mellow:

> 2. HTML maxlength will not prevent long information from being sent to the processing script, it will just prevent it being sent from your form, which can be easily bypassed by sending a raw POST request or downloading and changing the maxlength of the field.

If I'm not mistaken, neither of these ick-techniques should be a problem, as long as the receiving script is designed not to accept data from off-site.

> hope this extra info helped :mellow:

Well, it certainly can't hurt!

> If I'm not mistaken, neither of these ick-techniques should be a problem, as long as the receiving script is designed not to accept data from off-site.

the receiving script, either php or asp, has no way of knowing if the user came from his own site or from nowhere, only by referer, which can easily be changed or faked to be as if it came from a legitimate place.

the real solution to the length problem should be inside the receiving script itself, for it is server side and can't be bypassed without changing its source.

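The point made in the post above, that the length limit has to be enforced in the receiving script because both maxlength and the Referer header are under the client's control, as an added example that is not part of the original thread. It is written in Python rather than the PHP or ASP mentioned, and the field names, limits and sample requests are constructed assumptions.

```python
from urllib.parse import parse_qs

# Hypothetical limits for a comment form. They mirror the maxlength values the
# HTML form would declare, but here they are enforced on the server.
FIELD_LIMITS = {"name": 40, "comment": 500}
MAX_BODY_BYTES = 2048  # refuse oversized bodies before parsing them


def validate_post(body: bytes, headers: dict) -> tuple[bool, list[str]]:
    """Return (accepted, errors) for an application/x-www-form-urlencoded POST."""
    # headers is deliberately unused: the Referer is chosen by the client, so
    # the decision depends only on the data that actually arrived.
    if len(body) > MAX_BODY_BYTES:
        return False, ["body too large"]
    try:
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True,
                          strict_parsing=True)
    except (UnicodeDecodeError, ValueError):
        return False, ["malformed body"]
    errors = []
    for name, values in fields.items():
        if name not in FIELD_LIMITS:
            errors.append(f"unexpected field: {name}")
        elif len(values) != 1:
            errors.append(f"repeated field: {name}")
        elif len(values[0]) > FIELD_LIMITS[name]:
            errors.append(f"{name} exceeds {FIELD_LIMITS[name]} characters")
    for name in FIELD_LIMITS:
        if name not in fields:
            errors.append(f"missing field: {name}")
    return (not errors), errors


# Constructed sample requests (not captured traffic).
SITE_REFERER = {"Referer": "https://example.test/form.html"}
FROM_FORM = b"name=Alice&comment=Nice+site"
# Same fields sent without the form, so the browser's maxlength never applied.
# The Referer is identical, which is why it cannot be the deciding factor.
OVERSIZED = b"name=Alice&comment=" + b"A" * 501

if __name__ == "__main__":
    for label, body in (("from form", FROM_FORM), ("oversized", OVERSIZED)):
        print(label, validate_post(body, SITE_REFERER))
```
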

> hmmm...
> what exactly do you mean? cant be run by anyone?

I may be crazy, but I'm not that crazy. If I had meant that the script can't be run by anyone, I would have written nobody, without the quotes. When I wrote "nobody", with quotes, I was referring to the special user called "nobody" on many UNIX-type systems. If I'm not mistaken, the user "nobody" is the server itself, and if one sets the owner of a script to "nobody", and then has it writable, executable, whatever, only by the owner, it can't be run except by a process on the server itself, not by an ordinary user. Of course, I may be wrong.

> with what are you going to limit this? .htaccess? or chmod?

CHMOD, as above.

> and if no one can access it why does it exist?

To preserve the spiritual balance of the Universe.

> it seems odd to me, or i didnt quite understand what you ment?

You obviously didn't understand what I meant, but it could be that what I was suggesting is impossible. Somehow, though, I seem to remember seeing scripts which were really written that way.

you are suggesting a good idea... though it will require some kind of gateway script that will make the request on the other script so it will originate from the server itself... otherwise the origin even on regular surfing is always from the user. what you are suggesting can be done, and i've seen it, it's quite good protection...

I suspect that there's something very simple which would be pretty effective in practice, if not in theory: Just have the script check the referrer. It's true that the referrer can be spoofed very easily, but whoever hacks the site isn't going to know immediately why he got a 403, or whatever, and he often won't have any overwhelming interest in hacking a particular site, unless it's a professional hacking a bank site, or whatever. I suspect that most of the vermin who hack other people's Web sites are script kiddies trying to feel important: if they (or their robots) can't get in immediately, they'll just go elsewhere. Like the lock on a door, Web security doesn't have to be perfect, and never will be. It just has to be good enough to make hacking that site a waste of the guy's time. I have two desktop machines always online protected only by minimal and very standard security, and I've never been hacked (yet).
