Gypsy Boy
How do you protect a website?
#26667962 - 05/13/20 05:00 AM (3 years, 8 months ago)
From hackers and spammers?
My website doesn't have log in or user registration. Everyone is free to post as guests.
I don't have captcha or IP recording.
I would leave it as it is but there will always be a douche bag who will try to ruin fun for everyone else. I was told to look out for "injection" SQL attacks?
And anything I can do about bots/spammers?
nooneman


Re: How do you protect a website? [Re: Gypsy Boy]
#26667994 - 05/13/20 05:33 AM (3 years, 8 months ago)
For bots and spammers, you'd need accounts with user registration, captcha and probably IP logging. If you use an SQL database, then you need to be careful not to have any security vulnerabilities that will allow access to the database, like "injection" attacks.
You'd have to be familiar with security vulnerabilities in software (and in website related software especially) and you'd need to know how to code in whatever languages your website uses in order to be able to check your website for security problems and solve them. If you're not intimately familiar with those, then there's not a lot you can do.
Even if you're a good coder familiar with security, it's still very likely that you'll have some security vulnerabilities. That's just the nature of modern software and computers. My advice would be to keep good backups in a physical form (like a USB drive, etc.) that are not connected to the internet, and be prepared to wipe your website and restore from backups if something happens to it.
Also I would advise against storing any sensitive information on your website whatsoever unless you're really very good with coding and security. In which case all that stuff should be end-to-end encrypted for starters.
Oh, one universal and actually useful piece of advice: always keep all the software your website runs 100% up to date. The moment a new version is released of anything your site uses, your site should be using the newest version the same day.
Edited by nooneman (05/13/20 05:34 AM)
Gypsy Boy
Re: How do you protect a website? [Re: nooneman]
#26668207 - 05/13/20 08:22 AM (3 years, 8 months ago)
Thanks for the help, dude.
I finally did it, I completed my website. A month of hard work.
I noticed that my host displayed a lil padlock that says connection secure.
I kinda wonder if my web host already did all the hard bits about protecting their clients.
koraks
Re: How do you protect a website? [Re: Gypsy Boy]
#26668249 - 05/13/20 08:54 AM (3 years, 8 months ago)
Quote:
Gypsy Boy said:
I kinda wonder if my web host already did all the hard bits about protecting their clients 
No, it just means your site uses SSL. Any vulnerabilities are still all yours to resolve. If you've made something with PHP+MySQL and you did not explicitly take measures against e.g. SQL injections, odds are that your system is extremely vulnerable. This is a risk not only for your site, but also all other clients using the same server (which can be hundreds).
deadwk
Re: How do you protect a website? [Re: koraks]
#26684526 - 05/20/20 11:14 PM (3 years, 8 months ago)
There are a lot of different ways you can do this. There's stuff like Snort to sit in front of your website and be able to prevent some forms of attack, as well as stop port scanning attempts, etc.
You might also want to look into WAFs (Web Application Firewalls) like Sucuri. Cloudflare also offers a WAF. If you're storing user account information you'll want to make sure you store passwords in your database after hashing them using bcrypt.
chibiabos
Re: How do you protect a website? [Re: Gypsy Boy]
#26684598 - 05/20/20 11:55 PM (3 years, 8 months ago)
Quote:
Gypsy Boy said: From hackers and spammers?
My website doesn't have log in or user registration. Everyone is free to post as guests.
I don't have captcha or IP recording.
I would leave it as it is but there will always be a douche bag who will try to ruin fun for everyone else. I was told to look out for "injection" SQL attacks?
And anything I can do about bots/spammers?
Just try learning the basics of network science and what tools are out there in your free time. It's probably a lot easier to understand than most people make it out to be and it's not like you're trying to break new ground in computer science.
Like I said in your GPG thread, man pages and Google are your friend. Try using "info" instead of "man" too. If you're on a Linux system then there's already a lot of documentation that comes with your software.
PTreeDish



Re: How do you protect a website? [Re: Gypsy Boy]
#26691003 - 05/23/20 06:57 PM (3 years, 8 months ago)
Hackers and spammers are looking for low-hanging fruit.
Here are a few things I would check out and look for:
* I advise against running your own host if you're just running a small website. A mainstream shared hosting provider will generally be more equipped to ensure the OS and all running software are patched and updated.
* If you are using WordPress or another backend, you should ensure you're using the latest stable version and that you have some way of being alerted when a new version is available.
* Add a captcha to any publicly accessible forms to deter spam bots. I like reCAPTCHA but there are others.
* Check out Akismet for added spam detection.
* If using 3rd-party plugins, make sure they are reputable and keep them up to date.
* Exercise the principle of least privilege when granting any user or integration access to your app.
* Use https://www.cloudflare.com/plans/ Free plan for DDoS protection and free CDN.
* When using open source software, try choosing projects which have a lot of contributors and are actively maintained.
Quote:
I was told to look out for "injection" SQL attacks?
SQL injection attacks happen when your app doesn't properly sanitize input data. A malicious user can sneak in a SQL-based database command, such as DROP DATABASE, and because your app didn't properly escape the data, it interprets and executes the SQL statement literally.
This is one of a myriad of other security vulnerabilities that new developers have to learn about when rolling their own software. Most major CMS (like WordPress) are pretty well secured from SQL injection attacks at this point, provided you are using an updated version.
Would you feel comfortable sharing what your website is running behind-the-scenes? That would help us give you more precise advice.
Kudos to you for addressing this now when the stakes are low.
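
Added example (not part of any post in this thread): the SQL injection that koraks and PTreeDish describe, shown on a guest board where a moderator has hidden one post. It uses Python's standard-library sqlite3 module rather than the PHP+MySQL stack mentioned above; the table, function names and inputs are all constructed for illustration.

```python
import sqlite3

def make_board():
    """Constructed in-memory guest board: one public post, one hidden by a moderator."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO posts (author, body, hidden) VALUES (?, ?, ?)",
        [("guest1", "hello world", 0), ("guest2", "removed by moderator", 1)],
    )
    return db

def search_vulnerable(db, author):
    # BAD: the visitor's text is pasted into the SQL string, so a quote
    # character in it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT body FROM posts WHERE hidden = 0 AND author = '"
           + author + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, author):
    # GOOD: the query text is fixed; the driver passes the value separately,
    # so it is only ever compared as data and never parsed as SQL.
    sql = "SELECT body FROM posts WHERE hidden = 0 AND author = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (author,))]

def add_post_safe(db, author, body):
    # Same rule for writes: a placeholder for every guest-supplied field.
    db.execute("INSERT INTO posts (author, body, hidden) VALUES (?, ?, 0)",
               (author, body))
    db.commit()

# Constructed inputs: an ordinary name, a name containing an apostrophe,
# and a string that tries to rewrite the WHERE clause.
NORMAL = "guest1"
APOSTROPHE = "O'Brien"
TAMPERING = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_board()
    print(search_vulnerable(db, NORMAL))     # only the public post
    print(search_vulnerable(db, TAMPERING))  # hidden post is returned too
    print(search_safe(db, TAMPERING))        # no such author, nothing returned
    add_post_safe(db, APOSTROPHE, "it's fine")
    print(search_safe(db, APOSTROPHE))       # apostrophes are stored and matched as data
```

The vulnerable version also fails outright on an honest name like O'Brien, which is often the first visible symptom that a query is being built by string concatenation.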