GeekSpeak
A Security Checklist for Newbies.
One of my clients had their web site compromised this morning. Apparently some hacker in Russia figured out their web server’s SSH password, logged in, and replaced their root index page. (No, my firm had never performed a security audit for them – the site structure was set up by a predecessor.)
Bummer. Here’s a quick refresher on some things to make sure you audit on your own site.
- Use a unique account for your web-originating database access. This means a separate account with its own password and with privileges as limited as possible. Making your DB access credentials the same as anything SSH-capable is asking for trouble. You don’t use your ATM access code to log in to your email account, do you? (You’d better not!)
- Lock out all but the necessary functions (usually just insert, select, and update) at the database level for your new database access account. If you need to give this user “delete” access, too, maybe you need to re-think your application’s logic. (Deletion should be handled via a flag in most applications, not by actual removal of the data.)
- Place all of your common core server-side includes outside of your root web context. So if your web server’s root is “public_html”, put all of your shared libraries, especially your core database connection library, above public_html in your directory structure. If you can’t do this on your web host and you give two craps about the security of your site, get a new host. In English, this means that no one on the web should be able to surf to any of your core libraries. Requiring authentication to get to these files might feel just as good, but it isn’t.
- Chmod 777 (read, write, and execute for every user on the box) is a Very Bad Idea.
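The last two items above can be checked from a shell on the host. What follows is an added example, not code from the original post: the layout it builds (a `lib` directory beside `public_html`, a stray copy of `db.inc` inside the web root, and an `uploads` directory that someone set to 777) is constructed for the demo, and the list of library file extensions it looks for is an assumption you should adapt to your own site.

```sh
#!/bin/sh
# Added example, not code from the original post: a small self-audit for the
# last two checklist items (shared libraries above the web root, no chmod 777).
# The directory layout built by make_sample_site is constructed for the demo;
# on a real host you would run the two checks against the account's home
# directory (the parent of public_html) instead.

# Build a constructed sample layout in a temp directory:
#   $site/lib/db.inc            shared DB library, above the web root (good)
#   $site/public_html/db.inc    stray copy of it inside the web root  (bad)
#   $site/public_html/uploads   directory that someone chmod 777'd    (bad)
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/lib" "$site/public_html/uploads"
    printf '<?php $db_pass = "constructed-sample";\n' > "$site/lib/db.inc"
    cp "$site/lib/db.inc" "$site/public_html/db.inc"
    printf '<?php echo "hello";\n' > "$site/public_html/index.php"
    chmod 755 "$site" "$site/lib" "$site/public_html"
    chmod 644 "$site/lib/db.inc" "$site/public_html/db.inc" "$site/public_html/index.php"
    chmod 777 "$site/public_html/uploads"
    echo "$site"
}

# Check 1: include/library files living under the web root, where anyone can
# request them by URL. Matches by extensions common on shared hosts (an
# assumption; add your own). Prints each offender and returns 1 if any found.
libs_in_docroot() {
    found=$(find "$1" -type f \( -name '*.inc' -o -name '*.lib.php' -o -name 'config.php' \))
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Check 2: anything world-writable (the "other" write bit, which is what
# chmod 777 hands out) anywhere under the given directory.
world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \)
}

# Remediation for check 2: strip the world-write bit. A directory that must
# accept uploads should be writable by the web server's user or group instead.
remove_world_write() {
    find "$1" -perm -0002 \( -type f -o -type d \) -exec chmod o-w {} +
}

# Demo run against the constructed layout.
demo_site=$(make_sample_site)
echo "libraries inside the web root:"
libs_in_docroot "$demo_site/public_html" || true
echo "world-writable entries:"
world_writable "$demo_site"
remove_world_write "$demo_site"
rm -rf "$demo_site"
```

Point `libs_in_docroot` at `public_html` only; pointing it at the whole home directory would flag the libraries that are exactly where they belong. `world_writable` is meant for the whole tree, since a 777 directory outside the web root is just as useful to anyone else with a login on the same box.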
This is by no means definitive, nor should it take the place of an audit by a skilled professional. However, if your development staff consists of your left brain, your pooch, and a whiteboard, this is a decent place to start.
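For the first two checklist items (a dedicated database account, limited to insert, select and update), the quickest way to see what an account can actually do is to read its grants. Here is an added example, not code from the original post: a shell function that parses the output of MySQL/MariaDB’s `SHOW GRANTS FOR ...` and flags anything beyond the three allowed statements. The account name, database names and grant lines in it are constructed sample data.

```sh
#!/bin/sh
# Added example, not code from the original post: check a web application's
# database account against the first two checklist items. It parses the
# output of MySQL/MariaDB's "SHOW GRANTS FOR ..." and flags any privilege
# beyond SELECT, INSERT and UPDATE (USAGE only means "may connect"), plus
# WITH GRANT OPTION, which a web account never needs.
# The account name, database names and grant lines below are constructed
# sample data; on a real server you would feed it
#   mysql -e "SHOW GRANTS FOR 'webapp'@'localhost'" | audit_grants

SAMPLE_GRANTS='GRANT USAGE ON *.* TO `webapp`@`localhost`
GRANT SELECT, INSERT, UPDATE ON `shop`.* TO `webapp`@`localhost`
GRANT ALL PRIVILEGES ON `shop_legacy`.* TO `webapp`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO `webapp`@`localhost`'

# Reads grant lines on stdin, prints one "TOO BROAD" line per privilege
# outside the allow-list, and returns 1 if anything was flagged.
audit_grants() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            GRANT*) ;;
            *) continue ;;        # headers, blank lines, etc.
        esac
        case "$line" in
            *'WITH GRANT OPTION'*)
                printf 'TOO BROAD: GRANT OPTION in: %s\n' "$line"; status=1 ;;
        esac
        privs=${line#GRANT }      # strip the leading keyword
        privs=${privs%% ON *}     # keep only the privilege list
        old_ifs=$IFS; IFS=,
        for p in $privs; do
            p=${p# }              # drop the space after each comma
            case "$p" in
                USAGE|SELECT|INSERT|UPDATE) ;;
                *) printf 'TOO BROAD: %s in: %s\n' "$p" "$line"; status=1 ;;
            esac
        done
        IFS=$old_ifs
    done
    return $status
}

# Demo run against the constructed sample.
if printf '%s\n' "$SAMPLE_GRANTS" | audit_grants; then
    echo "grants OK"
else
    echo "tighten grants: REVOKE the flagged privileges, then re-GRANT only SELECT, INSERT, UPDATE"
fi
```

On the constructed sample the function flags `ALL PRIVILEGES` on `shop_legacy` and `DELETE` on `blog`. The fix is on the database side (revoke and re-grant), not in the application; if the application then breaks on a delete, that is the cue from item two to switch to a deleted flag.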
My number one tip would be…
Back up your website files somewhere other than your hosting provider.
Then, at the very least, you don’t have to start from scratch.
I use a unique account for your web-originating database access.