Other Measures?

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,140
OK, so far we've had recommendations for using .htaccess control over both the Admin and Moderator control panels as well as using SSL to handle connections to those areas, changing the directory to "something whacky" to make it less obvious, and using proper passwords.

What other measures are there to increase site security?
 

Redshift

Aspirant
Joined
Jan 7, 2004
Messages
26
I think it should be possible to increase the admin CP lockout to a much longer time. What I mean is keep the normal login at the 15 minute lockout, but if the lockout is imposed from attempting to gain entry to the admin/modcp or an admin/mod account, then I think something along the lines of a six hour lockout should be an option.
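The tiered lockout Redshift proposes above, written out as an added example (this is not code from the thread or from any forum package): ordinary front-end logins keep the 15 minute lockout, while a burst of failures against the admin/mod control panel, or against an account that holds admin or moderator rights, imposes a six hour lockout instead. The failure threshold, the area names and the `LoginThrottle` class are assumptions for the illustration.

```python
"""Tiered login lockout, as an added illustration of the proposal above.
Assumptions: five failures trigger a lockout, control-panel areas are named
'admincp' and 'modcp', and timestamps are plain seconds."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

NORMAL_LOCKOUT = 15 * 60        # 15 minutes: the stock behaviour described
ADMIN_LOCKOUT = 6 * 60 * 60     # 6 hours: the proposed option for privileged targets
MAX_FAILURES = 5                # assumed threshold before a lockout is imposed

Key = Tuple[str, str]           # (account name, area being logged into)


@dataclass
class LoginThrottle:
    privileged_users: Set[str]                         # admin and mod accounts
    failures: Dict[Key, int] = field(default_factory=dict)
    locked_until: Dict[Key, int] = field(default_factory=dict)

    def _lockout_for(self, user: str, area: str) -> int:
        # A privileged target is either a control-panel area or a privileged account,
        # whichever door the attempts are aimed at.
        if area in ("admincp", "modcp") or user in self.privileged_users:
            return ADMIN_LOCKOUT
        return NORMAL_LOCKOUT

    def is_locked(self, user: str, area: str, now: int) -> bool:
        return self.locked_until.get((user, area), 0) > now

    def record_failure(self, user: str, area: str, now: int) -> int:
        """Register a failed attempt; return seconds of lockout in force (0 if none)."""
        key = (user, area)
        if self.is_locked(user, area, now):
            # Attempts during a lockout do not shorten it; report the remaining time.
            return self.locked_until[key] - now
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            duration = self._lockout_for(user, area)
            self.locked_until[key] = now + duration
            self.failures[key] = 0
            return duration
        return 0

    def record_success(self, user: str, area: str) -> None:
        """A successful login clears the failure counter for that account and area."""
        self.failures.pop((user, area), None)


if __name__ == "__main__":
    throttle = LoginThrottle(privileged_users={"admin"})
    for t in range(MAX_FAILURES):
        imposed = throttle.record_failure("joe", "admincp", t)
    print(f"lockout after {MAX_FAILURES} admincp failures: {imposed // 3600} hours")
```

Keying on the targeted account rather than only on the client address is deliberate: the post is about protecting the admin account and the control panel, and a lockout tied to the account holds even when attempts arrive from many addresses.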
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
Everyone knows not to use Telnet because passwords are sent in plain text over the Internet. For this, it is recommended to use SSH. In fact most hosting providers disable the Telnet daemon completely. However, FTP is always overlooked.

FTP also sends passwords in plain text and it is no more secure than Telnet. And yet, not many people think of disabling it or using more secure methods. I would bet that most intrusions to a server start with a violation of FTP Integrity. This is because most hosts use a single username and password for Control Panels (cPanel, Ensim, etc...), MySQL, FTP, SSH, POP3 and other access. So my first suggestion would be to change these and use different passwords for each server daemon you want to access. My second suggestion is to completely ditch FTP and use SFTP or FTP over SSH instead. I use SFTP personally, and it is faster and allows more control than most FTP daemons do.

If you have a dedicated server, never log on with your Root ID and password. In fact you need to set the server up so that the root account cannot log in directly, except from the console. Create an account that is totally unrelated to your websites and use a completely different password for this account. Give the new account permission to SU and deny permission to SU for every other account. Then log in using it and SU over to your root account if you need to. SUEXEC lets you control who can use the SU command by creating a "wheel" group.
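The root-account procedure Wayne Luke lays out above has three checkable pieces: root cannot log in directly over SSH, `su` is limited to a "wheel" group, and that group holds only the one unrelated admin account. The following is an added example, not code from the thread, vBulletin or OpenSSH; it is a small audit that reads the relevant configuration as text (constructed samples are embedded so it runs anywhere) and reports what still needs changing. It assumes the usual file layouts: `PermitRootLogin` in `sshd_config`, the `pam_wheel.so` module in `/etc/pam.d/su` as the Linux mechanism for the wheel restriction, and a `wheel` entry in `/etc/group`.

```python
"""Audit the root-login hardening described in the post above.
Added example; reads configuration text passed in, not live /etc files."""
import re
from typing import List, Optional


def permit_root_login(sshd_config: str) -> Optional[str]:
    """Effective PermitRootLogin value, or None if unset.
    sshd uses the first value it reads for a keyword, so we do the same;
    directives after a Match block are conditional and ignored here."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def su_restricted_to_wheel(pam_su: str) -> bool:
    """True if /etc/pam.d/su has an active 'auth required|requisite pam_wheel.so'
    line that is not inverted with the 'deny' option."""
    for raw in pam_su.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[1] in ("required", "requisite")
                and fields[2].endswith("pam_wheel.so")
                and "deny" not in fields[3:]):
            return True
    return False


def wheel_members(group_file: str) -> List[str]:
    """Members of the wheel group from /etc/group text (name:x:gid:members)."""
    for raw in group_file.splitlines():
        fields = raw.strip().split(":")
        if len(fields) == 4 and fields[0] == "wheel":
            return [m for m in fields[3].split(",") if m]
    return []


def audit(sshd_config: str, pam_su: str, group_file: str) -> List[str]:
    """Return a list of findings; an empty list means all three points are met."""
    findings = []
    prl = permit_root_login(sshd_config)
    if prl is None:
        findings.append("PermitRootLogin not set explicitly; the default varies by OpenSSH version")
    elif prl != "no":
        findings.append(f"PermitRootLogin is '{prl}'; set it to 'no' so root is reached only via su")
    if not su_restricted_to_wheel(pam_su):
        findings.append("su not restricted: add 'auth required pam_wheel.so use_uid' to /etc/pam.d/su")
    members = wheel_members(group_file)
    if not members:
        findings.append("wheel group is empty: nobody could su to root once root SSH login is off")
    elif len(members) > 1:
        findings.append(f"wheel has {len(members)} members ({', '.join(members)}); "
                        "the advice is a single dedicated account")
    return findings


# Constructed samples: a weak pair and a hardened pair.
WEAK_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD = "Port 22\nPermitRootLogin no\n"
WEAK_PAM_SU = "auth sufficient pam_rootok.so\n# auth required pam_wheel.so use_uid\nauth include system-auth\n"
HARDENED_PAM_SU = "auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\nauth include system-auth\n"
GROUPS = "root:x:0:\nwheel:x:10:sitemgr\nwww-data:x:33:\n"   # 'sitemgr' is a made-up admin account

if __name__ == "__main__":
    for finding in audit(WEAK_SSHD, WEAK_PAM_SU, GROUPS):
        print("FINDING:", finding)
    print("hardened config findings:", audit(HARDENED_SSHD, HARDENED_PAM_SU, GROUPS))
```

The first-value-wins rule for `sshd_config` matters in practice: a `PermitRootLogin no` appended to the end of a file that already says `yes` near the top changes nothing, which is exactly the kind of mistake a text check catches before the next login attempt does.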
 

revolution

Aspirant
Joined
Jan 7, 2004
Messages
24
I agree with Wayne, FTP can be insecure in a lot of ways and most admins overlook a lot of the subtle ways of attack. I haven't used FTP in quite a while now; I use SCP (secure copy via SSH) and it's worked out great. With a good GUI it can be made easy and look similar to FTP clients.
 

eva2000

Habitué
Joined
Jan 11, 2004
Messages
1,787
Yup, using SSH telnet myself, but using SFTP is a pain with CuteFTP as I can't rename remote files in SFTP mode for some reason... and SFTP is a lot slower to connect and navigate than regular FTP :(
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
Maybe it is because you are not using a program with security or professional use in its design specifications. Try one of the security minded applications and it is a much different story. I personally use SecureFX from www.vandyke.com.
 

SaintDog

Participant
Joined
Jan 11, 2004
Messages
60
SSH.com also offers a free version, bundled with SFTP and an SSH client.
 

eva2000

Habitué
Joined
Jan 11, 2004
Messages
1,787
Wayne Luke said:
Maybe it is because you are not using a program with security or professional use in its design specifications. Try one of the security minded applications and it is a much different story. I personally use SecureFX from www.vandyke.com.
'Bout time I changed, I guess.... :)
 