Security and hacking [solved]
Posted: Mon Jul 11, 2011 1:10 pm
Hi, I have had a couple of my sites hacked since I started using CMSMS. The most recent was a phishing scam that had been uploaded to a site within the tmp directory. Luckily, this was only a semi-dead site for my brother. However, it started me looking at how to secure my sites. This is when I ran into problems. I have followed the Security Wiki advice, but most of the tips and tricks don't seem to be compatible with my sites.
Firstly, I would say that I am not a programmer/developer as such, but an experienced designer who has endeavored to learn as much as I can about php and the basic services that run a website.
Tip one: Really haven't gone there. I can't get my head around chrooted-jail mode etc. My sites sit on Webfusion VPS packages, so I have some access to the basic software running the system, but getting to grips with command lines and SSH is a bit beyond me (at the moment, I am trying).
Tip Two: Similar as above for PHP settings.
Tip Three: This might be operator error, but I tried the settings recommended in the htaccess file, but seemed to break the site every time.
Tip Four: Yep done that, apart from the forced SSL.
Oh, and the permissions on the tmp directory (which from my last experience could be critical). I have tried all types of settings on the tmp, but only 777 works.
I no longer expose what is running the site, but would be grateful for any other suggestions. If anybody could suggest information resources so that I could get up to speed on the server basics, that would be great.
I have a suspicion the other settings might be down to permissions and owner privileges. Although the VPS is "nearly" a server with full access, it still shares services, and I have had to get the server company to alter some settings as I can't get access to certain root directories etc.
Should I attempt to alter the PHP settings? - I can get to the php.ini.
Trouble is I have found a little knowledge is a dangerous thing.