Ubuntu Hardening
<blockquote data-quote="Victor M" data-source="post: 1118306" data-attributes="member: 96560"><p>I can sort of count the hackers that try to attack my fortified Ubuntu web site. That's because the logs show attempts to fetch non-existent pages: pages that are particular to WordPress, various .js and PHP scripts that I don't have, login pages, database stuff and so on. And they always try it multiple times, and my reporting tool shows the count. I estimate around 5-6 hackers every week. If I count all the individual instances, then there would be a lot more.</p><p></p><p>Two years ago, I put up an obnoxious fake IT security firm web site using WordPress under the name No Hackers Here as an experiment. It was taken down by attackers within a month.</p><p></p><p>What does that tell you? Hackers don't just attack big corporates where the rewards are huge. They also attack things they don't like, like security firms and security sites like mine. And they might not like sites like MT, and [USER=1]@Jack[/USER] can weigh in on this.</p><p></p><p>Here are my 2 cents' worth of advice if you are considering setting up a security-related site.</p><p>a. Don't have any moving parts if possible. Static web sites are safer. No JS, no CGI.</p><p>b. Don't use WordPress. While WordPress itself may be secure, its various plug-ins aren't.</p><p>c. Deploy on a cloud provider where you can control your security measures. Web hosting sites sometimes offer very little in the way of security mechs.</p><p>d. If you must have input fields, then don't trust any input. Do a whole lot of validation server side.</p><p>e. If you accept payment, then hand off the payment processing to PayPal or similar. Don't do it yourself. If you do it yourself, you assume responsibility for the credit card numbers, which hackers want.</p><p>f. If you must have code, then do SAST, DAST and IAST.</p><p>g. Go over the OWASP checklist and make sure you follow their suggested best practices.</p></blockquote><p></p>
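The counting the post describes, as an added example that is not part of the original post or of any tool the poster uses: a short Python script that reads access-log lines in the Apache/nginx "combined" format, flags 404s for paths that only exist on a WordPress or PHP site, and groups the hits by client address so that one scanner walking a whole wordlist shows up as one entry with a count rather than as dozens of separate errors. The log lines, the probe-path list and the threshold of two attempts are all constructed for the example; tune the list to what your own site does not serve.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format:
#   IP - - [timestamp] "METHOD PATH PROTO" STATUS SIZE "REFERER" "USER-AGENT"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths that are only meaningful on a WordPress/PHP deployment.  On a static
# site, a request for any of these is almost certainly an automated probe.
# (Constructed list; extend it from what your own 404s show.)
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r'^/wp-login\.php',
        r'^/wp-admin(/|$)',
        r'^/xmlrpc\.php',
        r'^/wp-content/',
        r'^/wp-includes/',
        r'^/wp-json(/|$)',
        r'\.php(\?|$)',            # any PHP script on a site that runs no PHP
        r'^/phpmyadmin(/|$)',
        r'^/\.env$',
        r'^/\.git/',
    )
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def is_probe(path):
    """True if the requested path matches one of the known probe patterns."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def count_scanners(lines, min_attempts=2):
    """Group 404s for probe paths by client IP.

    Returns {ip: {'attempts': n, 'paths': [...]}} for every IP that made at
    least min_attempts such requests.  A single stray 404 (a browser asking for
    /favicon.ico, a typo in a link) is not a probe and is never counted; a single
    probe hit is kept below the threshold so that one-off noise is dropped too.
    """
    attempts = Counter()
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['status'] == 404 and is_probe(rec['path']):
            attempts[rec['ip']] += 1
            paths[rec['ip']].add(rec['path'])
    return {
        ip: {'attempts': n, 'paths': sorted(paths[ip])}
        for ip, n in attempts.items() if n >= min_attempts
    }


# Constructed sample log: one WordPress scanner, one .env/phpMyAdmin scanner,
# one single-hit probe below the threshold, and one ordinary visitor whose
# favicon 404 must not be counted.  Addresses are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:08:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:08:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:08:01:04 +0000] "GET /wp-admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2024:08:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2024:08:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2024:09:30:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:09:30:12 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.45 - - [12/May/2024:10:00:00 +0000] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 404 153 "-" "curl/8.0"
"""

if __name__ == "__main__":
    report = count_scanners(SAMPLE_LOG.splitlines())
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]['attempts']):
        print(f"{ip:16} {info['attempts']:3} probes  {', '.join(info['paths'])}")
```

On a real server, feed it the access log (`count_scanners(open('/var/log/nginx/access.log'))`) and run it from cron once a week to get the per-scanner tally the post refers to. Matching on 404 status rather than on the path alone matters: if a probe path ever returns 200, that is not a scanner to count, it is a file you did not know you were serving.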