Some material is very old and may be incorrect today
© June 2013 Tony Lawrence
It's an unfortunate fact of life that there are people who want to hack your blog. It may be nothing more than leaving spam comments which are easily deleted or may actually involve your blog having been taken over entirely and used for illicit purposes behind your back. It's even possible that the hacker has left your blog per se entirely alone: you and your readers can still access it, but the server is leading a double life as a spammer or an attack bot without your knowledge.
The first thing I'd like to make clear is that I'd prefer a Unix or Linux host over Windows always. That's not because Windows is necessarily less secure, and it's not because awful security holes don't pop up in the Unix/Linux world. But.. Windows is the best known platform. There are simply more people who know how to hack a Windows machine and at any given minute, more of them are apt to be testing your sites defenses. If Linux ever becomes more popular than Windows, that might change, but this is the situation now.
Among Unix/Linux systems, I prefer BSD more than any other. I know full well that arguments can be made for hardened Linux systems, but again I feel that BSD is a little bit less well known than Linux, so any Unix attacks will be predominantly Linux oriented.
Not that most of the attacks have any real intelligence behind them. Look at the logs of any Linux or Unix system and you'll see that they are chock-full of Windows attacks that have absolutely no chance of succeeding.
The other reason I prefer Unix/Linux is because of the power of the shells and command line tools. You may curl your lip in disgust, but the command line is where the real power is - even Microsoft recognizes that and has promised much more powerful shells in their upcoming Vista product (among other useful features. Powerful command line shells and utilities allow you to quickly and efficiently do tasks that are difficult or even impossible in a graphical environment.
That all said, a lot of security preparedness is the same for any OS platform. You need to keep OS vendor patches up to date - don't necessarily trust that your hosting provider is doing this. Maybe they are, maybe they aren't. If you have any control over that (you may not with low end hosting plans), make sure you exercise it. The same warning of course applies to languages like Php and especially to any Content Management Software you are using. Keep it up to date.
Don't neglect any modules you may have added: is that special Guest Book you put in last year still safe? Do you even remember where you got it? Keep a log of these things and check back with the author's sites regularly so you can be aware of any new security problems.
Don't be obvious about logins. Of course your passwords should be difficult (and different for each site, sorry), but the user name shouldn't be easily guessed either. If you share my given name, your login shouldn't be "tony" or "anthony", and it shouldn't be the same as your site's name, either. Ideally, it would be as nonsensical as your password: user "xyzebra" with a password of "5%sOsh!0R8" is a whole lot better that "tony" and "tony98". Don't depend on "security by obscurity", though this is one small area where it can help.
Make a practice of reading your logs, especially your error logs. It's not just your website logs: read the system logs. Most of the time they are boring, pointless, and add nothing to your knowledge. But every now and then you will see something suspicious and you may just catch it early enough to prevent a real problem. I really don't have the space here to go into much detail, but I do want to make you aware of some basics:
If you don't need ftp, don't run it. With Unix/Linux systems, you might be able to use the much more secure "sftp" or "scp". That's also possible on Windows though it's an add-on, not something that comes with the OS. Don't even consider running telnet. If you can use ssh, you may consider configuring it to use key identification rather than passwords: on my systems, even if I told you my password, you still couldn't log in from any computer but mine. By the way, I have many articles on ssh and Unix/Linux security here. In general, don't run anything you don't need to run. Even log analysis programs have had bugs that have allowed attackers access simply by crafting an error access that causes the log analyser to obligingly put up a link that allows a hack. On Windows or Unix, become familiar with the daemons and background processes that are supposed to be running so that you will notice anything unfamiliar immediately. Know how much disk space you are using; a sudden increase could indicate a security breach. The same applies to cpu load: know what is normal for your system.
Here's the piece that no one wants to hear: no matter how careful you are, you just might get hacked someday. Therefore, you need to be able to recover your posts and recreate them. You simply cannot rely upon your hosting company's backup systems for this. Yes, chances are that they can recover all of your articles quickly and easily. But if this is important, you want your own copies too. Make sure you have them. You may never need them, but if you ever do..
Worrying about security isn't pleasant, but it is a necessary part of your life as a web site owner.
Got something to add? Send me email.
(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
More Articles by Tony Lawrence © 2009-11-07 Tony Lawrence