With all the recent news coverage of companies and government agencies being hacked, I thought it was time to write an article about how to protect your website and server from hackers and bots. If your website is being flooded with unrelated traffic and constantly probed, here are a few tips.
This should be obvious: your firewall should only have the ports open that your sites actually need. Everything else should be closed, or at least limited to a select few IPs. Ports used for remote administration, such as 3389 for Remote Desktop, should be open only to your home IP or the subnets you regularly connect from, never to the whole internet.
In crimes against brick-and-mortar businesses, criminals will often conduct surveillance of a target and then plan how and when to act. Websites are no different. Attackers use compromised computers or proxies to probe websites for known weaknesses. Many websites today run on template software such as WordPress or Joomla. Because these frameworks are so easy to use, they are often picked up by new developers who lack the skills to build a site on their own. They set it up with the default settings and no thought for security, assuming WordPress will handle all of that for them. The problem is that these frameworks use the same well-known paths for admin access: on most WordPress sites you can just go to /wp-admin or /wp-login.php to reach the login page, then run a dictionary attack to brute-force your way into the back end. If, like me, you do not use WordPress, you can assume that any request for WordPress-related pages comes from a bot or an attacker sniffing out your site, and block those connections.
Here is a list of terms I use to detect bots and attackers that are up to no good. If I find any of these anywhere in the URL path, I immediately firewall the IP, which protects all 50+ sites running on my server at once.
wp-admin: common admin path for WordPress websites
wp-login: common login path for WordPress websites
/admin/: common admin path for some template software
.php: file extension used by PHP websites. If you don't run PHP websites there is no reason to allow requests for it.
cpanel: common server administration panel on shared hosting
scripts: common scripts directory
phpmyadmin: common web admin tool for MySQL databases
mysqladmin: common web admin tool for MySQL databases
/fckeditor/: directory used by the FCKeditor text box control
/editor/: directory for a text box editor control
/manage/: directory for the admin controls of some websites
/include/: directory for include files on some websites
/manager/: directory for a website manager
/wordpress/: directory for WordPress-hosted websites
These are just a few of the terms I look for. Detecting them and firewalling the IPs that request them will cut down your exposure to hackers and bots. Be careful with the broader terms, though: bare substrings like scripts, /include/ and /editor/ will also match legitimate paths on sites that happen to use those directory names, and .php only belongs on the list if none of the sites on the server run PHP. Match against the URL-decoded path, since scanners will happily percent-encode characters to slip past a naive string compare.
Bots often just walk through IP ranges incrementally to see which addresses answer on which ports, then start their attacks once they know which IPs are live. If your server does not answer usefully to requests made directly to its IP address and instead requires a valid Host header (serving only an empty default site, or closing the connection, when the Host header is missing or unknown), far fewer bots and attackers will ever find your sites.
Check all cookies, form fields and query strings for terms commonly used in SQL statements. Filtering them should be obvious, but it is also a good idea to firewall IPs that send them. The more tries you give an attacker to find weaknesses in your site, the more likely they are to find one and exploit it. Treat this filtering as a detection layer, not a fix: the queries themselves must still be parameterized so that user input is never spliced into SQL.
Terms to search for when detecting SQL injection
exec(
;--
=cast(
varchar
information_schema
table_name
1=
These are just a few of the terms I search for. Also be sure to look for single quotes, and decode percent-encoded input (%27 is a quote) before matching, since a stray quote is often the starting point when attackers are looking for places to try SQL injection. 1= is the noisiest term on the list and will occasionally show up in legitimate traffic, which is one more reason to review what you block.
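Here is an added example, not code from the original article, that puts the two detection lists above (the URL path terms and the SQL terms) into working form. It is written in Python and runs on a constructed batch of requests rather than real logs; the request dict layout (ip, url, cookies, form), the function names and the documentation-range IPs are all assumptions of this example. It URL-decodes before matching, checks cookies and form fields as well as the query string, keeps an allowlist for addresses that must never be blocked, and includes a legitimate /javascripts/app.js request to show how the bare substring scripts produces the kind of false positive the article warns about later.

```python
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Path terms from the article's recon list, matched case-insensitively
# against the URL-decoded path.
RECON_PATH_TERMS = (
    "wp-admin", "wp-login", "/admin/", ".php", "cpanel", "scripts",
    "phpmyadmin", "mysqladmin", "/fckeditor/", "/editor/", "/manage/",
    "/include/", "/manager/", "/wordpress/",
)

# SQL terms from the article, plus the single quote it says to watch for.
# "1=" is the noisiest of these on real traffic.
SQLI_TERMS = (
    "exec(", ";--", "=cast(", "varchar", "information_schema",
    "table_name", "1=", "'",
)


def recon_hit(path):
    """Return the first recon term found in the decoded path, or None."""
    decoded = unquote_plus(path).lower()
    return next((t for t in RECON_PATH_TERMS if t in decoded), None)


def sqli_hit(values):
    """values: iterable of (name, value). Return (name, term) for the first hit, or None."""
    for name, value in values:
        # Decode before matching so a percent-encoded quote (%27) or a
        # double-encoded payload does not slip past a plain substring match.
        decoded = unquote_plus(value).lower()
        for term in SQLI_TERMS:
            if term in decoded:
                return name, term
    return None


def inspect_request(req):
    """Return (ip, reason) if the request's IP should be firewalled, else None.

    req is a constructed dict (assumed layout): {"ip", "url", optional "cookies", optional "form"}.
    """
    parts = urlsplit(req["url"])
    term = recon_hit(parts.path)
    if term is not None:
        return req["ip"], f"recon path term {term!r}"
    # Query string, cookies and form fields are all attacker-controlled.
    candidates = parse_qsl(parts.query, keep_blank_values=True)
    candidates += list(req.get("cookies", {}).items())
    candidates += list(req.get("form", {}).items())
    hit = sqli_hit(candidates)
    if hit is not None:
        name, term = hit
        return req["ip"], f"sql term {term!r} in {name}"
    return None


def ips_to_firewall(requests, allowlist=frozenset()):
    """Map each offending IP to the first reason it was flagged.

    allowlist holds IPs that must never be blocked (crawlers you have
    verified, your own monitoring), which is the false-positive check the
    article recommends doing when you review your blocked IPs.
    """
    blocked = {}
    for req in requests:
        result = inspect_request(req)
        if result is None:
            continue
        ip, reason = result
        if ip in allowlist:
            continue
        blocked.setdefault(ip, reason)
    return blocked


# Constructed sample traffic using documentation IP ranges, not real log data.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.7", "url": "/wp-login.php"},
    {"ip": "198.51.100.23", "url": "/products?id=1%27%20or%201=1--"},
    {"ip": "198.51.100.23", "url": "/about"},
    {"ip": "192.0.2.10", "url": "/contact", "cookies": {"session": "abc123"},
     "form": {"msg": "hello"}},
    {"ip": "192.0.2.44", "url": "/search", "form": {"q": "x'); exec(xp_cmdshell 'dir')"}},
    {"ip": "192.0.2.77", "url": "/",
     "cookies": {"pref": "a%27%20union%20select%20table_name%20from%20information_schema.tables"}},
    # Legitimate static asset that the bare substring "scripts" still matches.
    {"ip": "192.0.2.99", "url": "/javascripts/app.js"},
]

if __name__ == "__main__":
    for ip, reason in sorted(ips_to_firewall(SAMPLE_REQUESTS).items()):
        print(f"block {ip:<16} {reason}")
```

Run as a script it prints one block line per offending IP. The /javascripts/app.js request is flagged purely because of the scripts term, which is exactly what the periodic review of blocked IPs is meant to catch; passing that address in allowlist keeps it out of the firewall.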
Your websites should always return user-friendly server error pages that tell the visitor an error has occurred. You DO NOT want to show the visitor the actual error with details, because attackers use those messages to work out how your SQL queries are built and to tune their injection strings until they work. Log the full error server-side where only you can read it.
If your website only serves users from a single country (the USA, say), it makes sense to block countries that send you nothing but attack traffic. A good place to get IP lists for specific countries is IP Deny.
Recommended countries to block
It is always good to occasionally review the IPs you are blocking. This can help you identify new countries to block completely from the server, but it can also surface false positives. One thing you never want is for your firewall to start blocking Google's spiders; the result is that your websites' rankings will start to drop.
One thing to watch out for is having too many rules in your firewall. Every rule you add is another check on each incoming packet, and once you have several hundred rules with a couple of hundred IPs in each, the performance hit really adds up. This is especially true of older servers with limited RAM and CPU. A slower server can also hurt your search engine rankings, since speed is one of the factors Google takes into account. Collapsing adjacent ranges and loading large lists as a single set-based rule (ipset on Linux, for example) keeps the rule count down; if your server still slows down after beefing up your firewall, it might be time for a new one.
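As an added example (again not from the article), the following Python collapses a country block list into the fewest prefixes before it is handed to the firewall, and checks the result against addresses you must never block. The one-CIDR-per-line zone format, the sample ranges and the protected addresses are constructed for the example; a real IP Deny file and the crawler addresses you have verified would replace them.

```python
import ipaddress

# Constructed zone-file text in the one-CIDR-per-line layout assumed for
# country lists. Documentation ranges only; this is not a real country.
CONSTRUCTED_ZONE = """\
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.0/26
# blank and comment lines are skipped

192.0.2.0/24
"""

# Constructed stand-ins for crawler or monitoring addresses you rely on.
MUST_ALLOW = ("192.0.2.5", "100.64.0.1")


def parse_zone(text):
    """Parse one CIDR per line, ignoring blanks and # comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent and nested prefixes so the list becomes as few rules as possible."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def conflicts(nets, must_allow):
    """Return (ip, network) pairs where a protected address falls inside a block range."""
    found = []
    for raw in must_allow:
        ip = ipaddress.ip_address(raw)
        for net in nets:
            if ip in net:
                found.append((str(ip), str(net)))
    return found


def build_blocklist(zone_text, must_allow=()):
    """Return (rules, conflicts): collapsed prefixes as strings, and any overlaps to fix first."""
    nets = collapse(parse_zone(zone_text))
    return [str(n) for n in nets], conflicts(nets, must_allow)


if __name__ == "__main__":
    rules, bad = build_blocklist(CONSTRUCTED_ZONE, MUST_ALLOW)
    print(f"{len(rules)} rules after collapsing")
    for rule in rules:
        print("block", rule)
    for ip, net in bad:
        print(f"WARNING: {ip} would be blocked by {net}; carve it out before loading")
```

The five constructed entries collapse to three /24 rules, and the check reports that 192.0.2.5 sits inside one of them, so the list should not be loaded as-is. Doing this before every reload of the firewall turns the "review your blocked IPs" advice into a routine step rather than something you notice after the rankings drop.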
Take your website and server security seriously! I know what I have described above is a broad explanation with little detail on how to implement these solutions; those would be articles of their own in the future. I hope this helps others secure their websites and servers.