Released On 02-09-2007
There are individuals malicious enough to destroy web sites developed through
hard work. Web sites are defaced, attacked using DDoS, or "simply" spammed with
advertising posts or links. How can a novice webmaster defend against such
attacks?
Securing a web site is always an uphill battle, but there are options to
mitigate the risks. At the top echelon the costs are astronomical, so let
us review the simplest solutions that require the least amount of money and
time.
Backups
"Backup" is such a horrible misnomer. The process of making a known copy of
a web site and associated data should be called "future restore", or
"futore". The key element of a backup is that in case the web site is
somehow damaged, it can be restored from a copy to the current host or a new
one.
Most backups create one or more files in a compressed format. The most
often used compression tools are gzip and zip, creating files with .gz and
.zip extensions. Note that .tar files are not compressed files (they are
appended files), but they can be used just as well for backup and compressed
later. The backup files are either stored on the server or transferred to the
administrator of the backup, most often over HTTP (through the browser) or
FTP (through the browser or a dedicated FTP application).
It is foolhardy to keep a backup on your server, and not download a copy.
It is always a good idea to name the backup files for the date they were
created on, starting with the year, then month and day, in YYYY-MM-DD format.
Should you store multiple backups in one directory or folder, this format
will allow simple chronological sorting on the file name. Labeling the
media, such as DVD or CD, is a must.
Backups are worthless unless they are tested and you have learned how to
restore them properly.
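The backup cycle described above, as an added example that is not part of the original article: one script creates a gzip-compressed tar archive named by YYYY-MM-DD date, stores a checksum beside it so the downloaded copy can be verified, and then proves the archive restores by unpacking it into a scratch directory and comparing every file with the original. All paths are placeholders, and the web root it backs up is a small constructed sample.

```sh
#!/bin/sh
# Added example, not from the article: make a dated, gzip-compressed backup of a
# web root, record a checksum so the downloaded copy can be verified, and prove
# that the archive actually restores. Every path here is a placeholder.
set -eu

# make_backup WEBROOT OUTDIR -> prints the path of the archive it created
make_backup() {
    webroot=$1
    outdir=$2
    # A name starting with YYYY-MM-DD sorts chronologically by file name alone
    stamp=$(date +%Y-%m-%d)
    archive="$outdir/site-$stamp.tar.gz"
    mkdir -p "$outdir"
    # tar bundles the tree (a .tar is only concatenated files); -z gzips it
    tar -czf "$archive" -C "$(dirname "$webroot")" "$(basename "$webroot")"
    # Checksum stored beside the archive; re-run the check after downloading
    (cd "$outdir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> succeeds if the checksum matches and the archive lists cleanly
verify_backup() {
    archive=$1
    (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") &&
        tar -tzf "$archive" >/dev/null
}

# test_restore ARCHIVE ORIGINAL -> restores into a scratch directory and compares
# every file with the original tree; succeeds only if nothing differs or is missing
test_restore() {
    archive=$1
    original=$2
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$original" "$scratch/$(basename "$original")" >/dev/null; then
        result=0
    else
        result=1
    fi
    rm -rf "$scratch"
    return $result
}

# demo -> builds a small constructed web root in a temp dir and runs the whole cycle
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/www/images"
    printf '<html><body>Hello</body></html>\n' > "$work/www/index.html"
    printf 'not really a png\n' > "$work/www/images/logo.png"
    archive=$(make_backup "$work/www" "$work/backups")
    verify_backup "$archive"
    test_restore "$archive" "$work/www"
    echo "backup $archive verified and restore tested"
    rm -rf "$work"
}

demo
```

After downloading the archive and its .sha256 file, run the same `sha256sum -c` on the copy; a mismatch means the download, not the server, is what needs redoing. Running `test_restore` against the downloaded copy on another machine is the "futore" test the section asks for.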
Restricting access control lists
In both Unix/Linux and Microsoft Windows based web servers, access control
can be limited to unique user account(s). In Unix/Linux these are the
.htaccess and .htpasswd files; in Windows, the Internet Services Manager.
Both solutions can grant or deny visitors the listing of folder or
directory content, reading files, writing files, or executing applications.
In general, you should never grant write access to any folder other than
those required by the scripts and programs explicitly requiring the
information.
Directory/folder listing should always be disabled for folders that do not
explicitly require it.
Although most web content management systems, forums, blogs and similar tools
provide and require a unique login for administration, enabling the operating
system access control as well is one of the best protections. This is often
simple to do, since the administrative files tend to live in a separate
directory/folder structure.
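The three controls in this section (no directory listing, a separate login in front of the administrative directory, and no write access beyond what scripts need), as an added example that is not part of the original article: the script writes the Apache .htaccess for an admin directory, turns listing off for the whole site, and audits a web root for directories anyone on the host may write to. The directory layout it builds is a constructed sample and the .htpasswd path is a placeholder.

```sh
#!/bin/sh
# Added example, not from the article: write the .htaccess that disables directory
# listing and puts an HTTP Basic login in front of an administrative directory,
# and audit a web root for directories that anyone on the host may write to.
# Directory and file paths are placeholders.
set -eu

# write_admin_htaccess ADMIN_DIR HTPASSWD_FILE -> creates ADMIN_DIR/.htaccess
# HTPASSWD_FILE should live outside the web root; create it with the Apache
# htpasswd utility, never by hand.
write_admin_htaccess() {
    admin_dir=$1
    passwd_file=$2
    cat > "$admin_dir/.htaccess" <<EOF
# Never let visitors enumerate this directory
Options -Indexes
# Web-server login in addition to the application's own admin login
AuthType Basic
AuthName "Administration"
AuthUserFile $passwd_file
Require valid-user
EOF
}

# disable_listing WEBROOT -> top-level .htaccess that turns listing off for the whole site
disable_listing() {
    printf 'Options -Indexes\n' > "$1/.htaccess"
}

# find_world_writable WEBROOT -> prints every directory under WEBROOT with the
# world-write bit set; the list should be empty apart from the upload folders
# the scripts explicitly need
find_world_writable() {
    find "$1" -type d -perm -002
}

# demo -> constructed web root in a temp dir, with one deliberately loose folder
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/admin" "$root/uploads" "$root/css"
    chmod 777 "$root/uploads"
    write_admin_htaccess "$root/admin" "/etc/placeholder-htpasswd"
    disable_listing "$root"
    echo "World-writable directories under $root:"
    find_world_writable "$root"
    rm -rf "$root"
}

demo
```

A .htaccess file only takes effect if the server's configuration allows overrides for that directory (the AllowOverride directive), so check the server configuration before relying on it. The audit deliberately only reports; which folders genuinely need write access is a decision for the person who knows what the scripts do.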
Separate accounts
If the system allows logins for posting messages, such as in a forum or
blog, the administrative account should never be used to post. A regular
posting account must be created and used for day-to-day activities, and a
separate administrator account should be used for administrative tasks. It
is important that the passwords for the two accounts are not the same.
Passwords
The strength of a password increases with complexity and length. Complexity
is increased by adding upper- and lower-case letters, numbers, and unusual
characters such as "~!@#$%^&*()_" that are normally not part of words.
Readable words that may appear in a dictionary, in any common language,
weaken the password.
Although the consensus in the security field is that the more often a
password is changed the stronger it gets, this is not necessarily true.
Presuming the password was not compromised, human nature is to write it
down, and to make frequently changed passwords weak, for example by
using repeating sequences and words (apple1, apple2, apple3, etc.). A
reasonable timeframe is 90 to as high as 180 days.
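The password criteria above (length, the four character classes, dictionary words, and the word-plus-counter pattern of apple1, apple2, ...), as an added example that is not part of the original article: a small checker that reduces a candidate to its letters, looks that up in a word list, counts character classes and prints a verdict. The word list is a tiny constructed stand-in for a real dictionary, and the scoring thresholds are the example's own choices.

```sh
#!/bin/sh
# Added example, not from the article: score a candidate password against the
# criteria above (length, character classes, dictionary words, word-plus-counter
# patterns). The word list is a tiny constructed stand-in for a real dictionary.
set -eu

# password_classes PASSWORD -> prints how many of the four character classes appear
password_classes() {
    pw=$1
    n=0
    case $pw in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case $pw in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case $pw in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case $pw in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# password_base_word PASSWORD -> the letters only, lower-cased, so that
# "Apple1" and "apple2" both reduce to "apple"
password_base_word() {
    printf '%s' "$1" | tr -cd '[:alpha:]' | tr '[:upper:]' '[:lower:]'
}

# in_wordlist WORD -> succeeds if WORD is in the constructed dictionary
in_wordlist() {
    wordlist='password
apple
welcome
secret
letmein
summer'
    printf '%s\n' "$wordlist" | grep -qx -- "$1"
}

# password_verdict PASSWORD -> prints weak, fair or strong
password_verdict() {
    pw=$1
    len=${#pw}
    classes=$(password_classes "$pw")
    base=$(password_base_word "$pw")
    if [ "$len" -lt 8 ]; then
        echo weak          # too short regardless of complexity
    elif [ -n "$base" ] && in_wordlist "$base"; then
        echo weak          # a dictionary word with digits or symbols bolted on
    elif [ "$len" -ge 12 ] && [ "$classes" -ge 3 ]; then
        echo strong
    else
        echo fair
    fi
}

# Constructed candidates, including the apple1/apple2 rotation pattern from the text
for candidate in apple1 apple2 'Password2007!' 'Tr~v3l!ng-Lampshade#9' correcthorsebattery; do
    printf '%-24s %s\n' "$candidate" "$(password_verdict "$candidate")"
done
```

Stripping the non-letters before the dictionary lookup is what catches the rotation pattern: apple1, apple2 and Apple3 all reduce to the same weak base word, which is exactly why forced frequent changes tend to produce weaker passwords rather than stronger ones.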
Conclusion
Although this document does not go into the technical details of server
hardening, security policies, standards and procedures, the above three
topics, if implemented properly, will reduce the risks for most webmasters.
Comment By cruelty4
posted on 10-17-2007 at 07:58 PM
Ouch, I didn't know it's so serious...
I'm working on my website at the moment and this article made me sit back and think for a moment.
Comment By sex
posted on 10-15-2007 at 08:43 AM
The most important thing in securing a website is keeping your software current. It also applies when you're on a shared account - you need to ensure you're using the newest versions of scripts. Outdated software with security holes is the no. 1 cause of successful hacking attacks.