http://Check-these.info/SecurityMemo.html


If you want higher security ...

If you are worried about security and don't know site management well,
do not use any scripts.

Static sites are pretty safe as long as your control panel (OPS in the case of PowWeb), FTP and other passwords, as well as your home/office machines, are well protected.

If you want to use scripts ...

Don't make them available to the public unless you know what you are doing.
Password protect them, and/or restrict them by IP (range),
and share them only with selected people.

If you want to use scripts in a publicly accessible area, avoid common popular PHP/Perl scripts.
phpBB is one of the most popular scripts among novice users and novice crackers.
Formmail and Awstats have been popular targets, too. And there are many others ....

In case of defacement:

Although some people are shocked by defacement, it's the least harmful form of attack,
and it's not bad to have one because it serves as an alert for uninformed people.

You will never be aware of more harmful attacks because the cracker won't let you know that your site has been attacked, hijacked, and possibly used for criminal purposes.

The reality of Internet

Unfortunately, the Internet isn't a very peaceful place.
It's like the downtown of a big US city: a zoo or jungle where everything from nice commerce to the mafia shares the same space.
Actually, it's a mixture of the Middle East, Africa, Asia, North/South America, and Europe.
You can imagine what kind of people/organizations you can encounter if you have traveled a bit.

So, people living in a safe, calm country should be very careful.
The Internet isn't like your country. It's not like your home. It's a wild street. A mixture of Iraq and Iceland.

Furthermore, unlike the real world, all the nice things and the criminals are within reach of a click.
There is no barrier of distance, fences, walls, borders, patrols, .....
And anyone can instantly access whatever you make public.

So, think at least several times before you decide to put something up for everyone in the world.
Someone very nice or cool, as well as someone very hateful or ill, may see the contents and react to them.

Also, there are many, many automated robots scanning for innocent victims like those who got defaced.
Sometimes this is done by real humans, but often it's simple automated robots cracking tirelessly.
But they serve as an alert agent for negligent site owners, and do only minimal damage, so far.

What to trust

Personally, I don't trust MS FP/OE/IE, Javascript/Activescript/Java, PHP and its apps.
I have only limited scripts working on my site, all of them written by myself with several security/safety features, and all other administrative scripts are protected.

This way, if something goes wrong, I don't have to waste my time/energy finding someone else to blame and throw my anger at.
If I feel like it, I can blame myself as much as I want. :)
Usually, I don't waste my energy on blaming and frustration because I'd be busy troubleshooting my own stupidity.

As most people cannot write their own programs, they have to choose what to trust and how far.
I tend to trust something simple more than something very complicated.
So, I trust static pages first, then SSI, shell-script CGI, Perl/Python CGI, and finally PHP.

Also, I trust a critical person, someone who knows s/he makes mistakes, and programs written by such a person.
You can often recognize them by their "conditional statements" and "warnings/notices".

The Ten Commandments (for PowWeb users)

1. Use safer permission setting of 710 instead of 755 for all directories.

2. Use even safer permission of 700 for directories not directly accessed by Apache.

3. Use 750 only for directories where you want Apache's default directory listing.

4. Use safer permission of 600 instead of 640 for ALL PHP scripts.

5. Use safer permission of 700 instead of 755 for ALL CGI scripts.

6. Password protect ALL scripts other than those you want the general public to access, including the webstats provided by PowWeb.

7. Avoid using unsafe scripts: Matt's Formmail.pl, phpBB2, PHP-Nuke, and many other PHP and CGI scripts. I guess 90% of cracking happens this way.

Remember that PHP is a vulnerable, buggy, and risky language,
and scripts written in it are often very vulnerable, buggy and risky.

Static contents require much less maintenance and are a lot safer,
and can be as cool as a stupid CMS/blog construction.

8. Check the IP of last access for OPS, FTP, and mail, regularly.

9. Check your raw log to see suspicious access and cracking attempts.

10. Keep your PC safe. If your PC is compromised, bad people can obtain access to your site and a lot of personal information.
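Commandments 1 to 5 (the permission modes) and commandment 9 (reading the raw log) can be checked mechanically. The script below is an added example, not the memo author's code and not the "Doomed permission checker" linked further down. It assumes CGI scripts end in .cgi or .pl, PHP scripts in .php, that the access log is in Apache "combined" format, and that your host serves files with these modes the way the memo says PowWeb does; on a host where Apache cannot read a 600 PHP file or run a 700 CGI as your user, these modes will break the site, so try them on a test directory first. The sample log lines are constructed (documentation addresses), and the request-count threshold for "FLOOD" is my own crude heuristic, not something the memo specifies.

```shell
#!/bin/sh
# Added example, not the memo author's code: audit a directory tree against
# the modes the memo prescribes and scan a raw Apache log for probes of the
# scripts it names as popular targets. Assumptions are mine, not the page's:
# CGI scripts end in .cgi or .pl, PHP scripts in .php, log is "combined".
# Only POSIX sh, find, sed and awk are used.
# Usage: . ./memo_audit.sh; audit_perms ~/htdocs; scan_log ~/logs/access.log

# Print one line per directory or script whose mode differs from the memo's
# rules. Returns 0 when the tree is clean, 1 when anything was flagged.
audit_perms() {
    root=$1
    findings=$(
        # directories: 710 served by Apache, 700 private, 750 only for listings
        find "$root" -type d ! -perm 710 ! -perm 700 ! -perm 750 \
            | sed 's|^|DIR  |; s|$|  expected 710, 700 or 750|'
        # PHP scripts: commandment 4 says 600, not 640
        find "$root" -type f -name '*.php' ! -perm 600 \
            | sed 's|^|PHP  |; s|$|  expected 600|'
        # CGI scripts, assumed .cgi/.pl: commandment 5 says 700, not 755
        find "$root" -type f \( -name '*.cgi' -o -name '*.pl' \) ! -perm 700 \
            | sed 's|^|CGI  |; s|$|  expected 700|'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Report requests for the scripts the memo lists as popular targets
# (Formmail, phpBB, Awstats, PHP-Nuke) and any client that sent more than
# $2 requests (default 20), a crude marker of an automated scanner.
# Returns 0 when nothing was reported, 1 otherwise.
scan_log() {
    log=$1
    limit=${2:-20}
    findings=$(awk -v limit="$limit" '
        {
            path = tolower($7)          # request path in combined format
            if (path ~ /formmail|phpbb|awstats|nuke/)
                printf "PROBE %s %s status %s\n", $1, $7, $9
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] > limit)
                    printf "FLOOD %s %d requests\n", ip, hits[ip]
        }' "$log")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample log (TEST-NET addresses), for trying scan_log offline.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [28/Nov/2005:07:09:16 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Nov/2005:07:09:17 +0000] "GET /style.css HTTP/1.1" 200 321 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2005:07:10:01 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [28/Nov/2005:07:10:02 +0000] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [28/Nov/2005:07:10:03 +0000] "GET /awstats/awstats.pl HTTP/1.0" 404 210 "-" "-"
EOF
}
```

Run audit_perms on the document root after every upload, and scan_log over the raw log the host gives you; a 404 on a script you never installed is exactly the robot traffic the memo describes, and the same client hitting several of those paths in a row is the usual signature.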

DO NOT trust BIG corporations, like MS, SONY, and so on.
These guys often create stupid products, but they can be clever in deceiving naive users.

Stay away from hyped, fancy, needless, or heavy features.
Stay away from IE/OE, html mail, Javascript, and so on.

How to reduce risks

Now, I think what we need is something to replace PHP and its badly written apps.
PHP is the cancer of shared hosting in terms of security and resource usage.
(On a dedicated server or VPS, it's not as bad.)

Some PHP users are dreaming that Ruby on Rails will be the savior, but I don't think so.
It's still too heavy, and apps will be written by the same PHP coders who have been writing unsafe, inefficient scripts, so the end result will be similar.

I've experimented with OCaml and found it pretty fast and small.
And I will probably write a replacement form mailer and simple CMS with it.

The main problem is ignorance, again.
People are not aware of how much they are suffering from the bad hype around PHP, just as they are suffering from unsafe MS products such as IE/OE.

And I don't foresee any change in this area very soon, unfortunately.
I've said this many times in some forums.
Yet most people are still using unsafe permissions and vulnerable scripts without protection.
It's nearly "normal" and inevitable to get cracked.

Links

More about security:
http://check-these.info/security.html

Doomed permission checker:
http://check-these.info/tools/#666
Use extratools.php (automatic installer) if you have problems installing.


Questionable color of this page is dictated by blueberry cream cake, my favorite dessert.

This page is http://Check-these.info/SecurityMemo.html

My main site is hosted by PowWeb, one of the best low budget host !

Last modified: 2005-11-28_07:09:16   Powered by Wikiciter CMS