Elxis CMS Forum

Support => Security => Topic started by: CREATIVE Options on June 22, 2008, 09:21:07

Title: General Security TIPS
Post by: CREATIVE Options on June 22, 2008, 09:21:07
Tips for keeping your website secure
Here are a few Tips for keeping your website secure:

* Set up a new ftp user.  Do not use your primary control panel user for ftp.  That way if your ftp user/password does get compromised at least they do not have access to all your settings (although they could still get to some of them through direct file editing).

* If you have a forum or use other off-the-shelf scripts, create a subdomain as another site (package).  Then the forum will be isolated from the rest of your website.  If someone does hack their way in, they cannot reach anything except that forum.  It is those open source scripts that always seem to get hacked.  If you use one, keep it current.

* If you are running php, consider using a custom php.ini file.  At a minimum you should ensure the following:
   o register_globals = off.  The only reason to have it on is to allow poorly written scripts to execute on your site.  That just invites hacking in the event of coding errors (and there always can be some coding errors).  If you have a script that requires register_globals = on, fix it or dump it and get a new script.
   o session.use_trans_sid = 0.  This will help prevent revealing the ID of your php sessions in urls.
   o Then there are a few other settings you should consider:
      + Set your own upload_tmp_dir value so uploads are processed in your space rather than in a server shared directory.
      + Set your own session.save_path so session files are stored in your space rather than in a server shared directory.  Remember to delete these files on a regular basis.  There is a script for doing that on this page.
   o Be sure to chmod your custom php.ini file to 600.  This will prevent others from viewing the contents of the file.

* Chmod 600 any PHP script that contains secure information, like usernames and passwords.  This will prevent others on your same server from looking at the code.

* Use file upload scripts rather than giving out ftp access to your site.  If you must give out ftp access, set the ftp user so their access is to a directory above public_html.  That way whatever they upload cannot be seen or executed from the net.

* Any file upload scripts should have basic protection built into the script.  These protections should include file type restrictions so no one can upload any scripts or other damaging files, placing the files in an alternate directory for isolation and to ensure no key file is overwritten, file size restrictions, and upload directory size restrictions so the facility is not abused (and your site does not run out of space).  You can find a file upload script with these protections on this page.

* Ensure passwords are random and contain combinations of characters, numbers and symbols.  You can find a good password generator on this page (in B&T's Tool Box).  And, of course, change your passwords regularly.

* Send all 403 errors to a 404 page using ErrorDocument in htaccess.  There is no reason to let someone know anything is forbidden rather than not there.  Why invite an attempted hack?

[VIA (http://tips-scripts.com/secure)]
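As an added illustration of the php.ini items in the post above (this is example code written for this page, not part of the original post, the linked site, or Elxis), here is a small POSIX shell audit that reads a php.ini, reports any directive that deviates from those recommendations, and checks the 600 mode. The sample php.ini contents and the /home/example paths are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a php.ini for register_globals off, session.use_trans_sid = 0, a private
# upload_tmp_dir / session.save_path, and a 600 file mode (added example; the
# sample ini contents and paths below are constructed, not from a real host).

# Print the last effective value of a directive, with comments and quotes stripped.
ini_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\";]*)\"?.*$/\1/p" "$1" |
        tail -n 1 | sed -E 's/[[:space:]]+$//'
}

# Normalise the On/Off spellings php.ini accepts; an unset directive takes PHP's default (off).
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|yes|true) echo on ;;
        0|off|no|false|"") echo off ;;
        *) echo "$1" ;;
    esac
}

# Print one line per deviating directive; the caller counts lines. Always returns 0.
audit_php_ini() {
    [ "$(ini_bool "$(ini_get "$1" register_globals)")" = off ] ||
        echo "register_globals must be Off"
    [ "$(ini_bool "$(ini_get "$1" session.use_trans_sid)")" = off ] ||
        echo "session.use_trans_sid must be 0 (session IDs leak into URLs)"
    for d in upload_tmp_dir session.save_path; do
        v=$(ini_get "$1" "$d")
        case "$v" in
            "") echo "$d is unset: falls back to the server's shared directory" ;;
            /tmp|/tmp/*|/var/tmp|/var/tmp/*) echo "$d=$v is shared; point it at your own space" ;;
        esac
    done
    return 0
}

# Returns 0 when the file is mode 600 (owner read/write only), as the post asks for php.ini.
check_private_mode() { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]; }

# Constructed sample files: a weak php.ini and its corrected version.
WEAK_INI=$(mktemp); HARDENED_INI=$(mktemp)
printf 'register_globals = On\nsession.use_trans_sid = 1\nsession.save_path = "/tmp"\n' > "$WEAK_INI"
printf 'register_globals = Off\nsession.use_trans_sid = 0\nupload_tmp_dir = "/home/example/tmp/up"\nsession.save_path = "/home/example/tmp/sess" ; private\n' > "$HARDENED_INI"
chmod 644 "$WEAK_INI"; chmod 600 "$HARDENED_INI"
audit_php_ini "$WEAK_INI"
```

Run it against your own custom php.ini by replacing the constructed sample path; an empty report plus a passing mode check means the file matches the list above.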
Title: Re: General Security TIPS
Post by: Farhad Sakhaei on June 22, 2008, 10:00:26
I think using SuPHP will increase your security, and also you don't need to change any permissions or use an ftp account for writing to files and folders ...