How To Prevent Your Site From Hacking?

[iGuest 3]

This is the issue that a lot of people has been concerned about!Lots of site and Forum has been hacked.And I really worry about this might happen to my site or forumSo, do anyone know how to protect our passwords, and prevent from hacking?

[yungblood 0]

I used to be a hacker, and let me tell you what I've found.Anything that can be changed by an authorized person remotely, can be changed by anyone that wants to do enough research to get in. There is no such thing as "absolute security". Although most of my knowledge is with computer "security", it applies to all types of security.In the mind of a hacker, any upgrade to "security" is merely a challenge. Whenever a company says that thier new system is unbreakable, I want to see if thier claim is true. I now only hack my own computers. And although I don't spend as much time hacking as I used to, I still haven't found any type of protection that can't be broken. Also, the more protection that is put on any kind of site, the more hassles the real users have to deal with. It's all a compromise. If you wanted to have a dozen layers of security to get into a site, that could be done. Sure, it would make it harder on any hacker to break in, but that also makes it take longer for you to get in.So just remember, there is no way to completely prevent you site from getting hacked. But if you keep your website small, not near as many hackers will want to try to break in.-YB

[specter 0]

Ugh, why do we live in a world where people think it's cool to destroy some one's hard work? Never give your pass/user name to anyone, thats all I can say.

[Cassandra1405241487 0]

Nothing is foolproof, but some elementary caution will help:1. Never assign permissions to any user or object greater than what they really need to be used.2. Use the HTML maxlength attribute when practical to prevent people from entering scripts into text boxes.3. Always have a default object in every directory, to make it harder for people to discover your directory structure.

[hazeshow 0]

Absolutely right!4. Use a GOOD password for your admin account! Not "root" or "admin" or "susan" or "smith", but something that consists of letters AND numbers, perhaps mixed with some $§&€@-signs. And it is always safer to use a LONG password instead of a short one. A bruteforce attack might hack "susan17" but might need much more time to hack "s1&usanru56lokp34&hajkslwto@4772830hfgw". (just for example)GreetingZ

[fotisp88 0]

maybe there is no way to make the unbreakable site, but the majority of people who want to call their selfs hackers, prefer "playing" with unprodected sites. This people arent in real hackers. they know nothing more than u and me. they just want to to make ur life harder. By using a small security this people cant hard u. There still remain the real hackers. what do u think ? why should they hack ur sites?I dont find a reason. so.... dont say, i wont put security cz they will destroy it. you will put, and if the other wants to touch ur site he willif he is just a "kid playing with his computer!!" he will give up easy!Hope u find a kind of good security

[yungblood 0]

Most people that do damage to sites are generally called "script kiddies" because they are simply running programs written by others, and they don't know what's going on in the program. These programs usually only work if the site is unprotected, or thier security is really out of date. These kind of individuals usually can't do anything to a reasonably protected site. And unless you get really big, of have something extremely interesting hidden within your site, the real hackers will probably leave you alone.-YB

[Fate1405241510 0]

basically if u dont have any php scripts or anything that process user input,

you should be safe as long as your web server is updated and protected.

in case of a free web hosting, theres nothing u can do if the server itself gets hacked.

 

And just a small remark about what Cassandra said,

Nothing is foolproof, but some elementary caution will help:

 

1.  Never assign permissions to any user or object greater than what they really need to be used.

2.  Use the HTML maxlength attribute when practical to prevent people from entering scripts into text boxes.

3.  Always have a default object in every directory, to make it harder for people to discover your directory structure.

1064320892[/snapback]

2. HTML maxlength will not prevent long information from being sent to the processing script, it will just prevent it being sent from your form, which can be easily bypassed by sending a raw POST request or downloading and changing the maxlength of the field.

 

hope this extra info helped

[Cassandra1405241487 0]

2. HTML maxlength will not prevent long information from being sent to the processing script, it will just prevent it being sent from your form, which can be easily bypassed by sending a raw POST request or downloading and changing the maxlength of the field.

If I'm not mistaken, neither of these ick-techniques should be a problem, as long as the receiving script is designed not to accept data from off-site.

hope this extra info helped

Well, it certainly can't hurt!

[Fate1405241510 0]

If I'm not mistaken, neither of these ick-techniques should be a problem, as long as the receiving script is designed not to accept data from off-site.

1064325436[/snapback]

the receiving script, either php or asp, has no way of knowing if the user came from his own site or from nowhere,

only by referer, which can easily be changed or faked to be as if it came from a ligitimate place.

 

the real solution to the length problem should be inside the receiving script itself, for it is server side and cant be bypassed without changing its source.

[Cassandra1405241487 0]

How about using a script which can only be run by "nobody"?

[Fate1405241510 0]

hmmm...what exactly do you mean? cant be run by anyone?with what are you going to limit this? .htaccess? or chmod?and if no one can access it why does it exist?it seems odd to me, or i didnt quite understand what you ment?

[Cassandra1405241487 0]

hmmm...

what exactly do you mean? cant be run by anyone?

I may be crazy, but I'm not that crazy. If I had meant that the script can't be run by anyone, I would have written nobody, without the quotes. When I wrote "nobody', with quotes, I was referring to the special user called "nobody" on many UNIX-type systems. If I'm not mistaken, the user "nobody" is the server itself, and if one sets the owner of a script to "nobody", and then has it writable, executable, whatever, only by the owner, it can't be run except by a process on the server itself, not by an ordinary user. Of course, I may be wrong.

 

 

with what are you going to limit this? .htaccess? or chmod?

CHMOD, as above.

 

 

and if no one can access it why does it exist?

To preserve the spiritual balance of the Universe.

 

it seems odd to me, or i didnt quite understand what you ment?

You obviously didn't understand what I meant, but it could be that what I was suggesting is impossible. Somehow, though, I seem to remember seeing scripts which were really written that way.

[Fate1405241510 0]

you are suggesting a good idea...though it will require some kind of gateway script that will make the request on the other script so it will originate from the server itself...otherwise the origin even on regular surfing is always from the user.what you are suggesting can be done, and ive seen it, its quite good protection...

[Cassandra1405241487 0]

I suspect that there's something very simple which would be pretty effective in practice, if not in theory: Just have the script check the referrer. It's true that the referrer can be spoofed very easily, but whoever hacks the site isn't going to know immediately why he got a 403, or whatever, and he often won't have any overwhelming interest in hacking a particular site, unless it's a professional hacking a bank site, or whatever. I suspect that most of the vermin who hack other people's Web sites are script kiddies trying to feel important: if they (or their robots) can't get in immediately, they'll just go elsewhere.Like the lock on a door, Web security doesn't have to be perfect, and never will be. It just has to be good enough to make hacking that site a waste of the guy's time.I have two desktop machines always online protected only by minimal and very standard security, and I've never been hacked (yet).