Guidelines for Securing Websites

The Internet is not a very friendly place. Thousands of websites have been compromised in recent months, and website security is extremely important.

Most attackers are amateurs with day jobs who only want to hack a website that is easy. These are the easiest to protect yourself against: make your site as difficult to get into as possible so that they give up and move on to easier prey. A smaller percentage are professionals who spend most of their time finding new techniques and new security holes to take advantage of. These are the real threats, and the list below will help in securing your website against both. Keep in mind that nothing is foolproof, but if you stay conscious of your security and keep up these steps you can protect your websites far better.

 

Keep backups: at least every 4 hours for web servers whose data changes regularly, or after each change for sites that are modified only occasionally. Store at least one copy off the server (a compromised or ransomed server takes its local backups with it) and test a restore periodically; a backup that has never been restored is unproven.

Keep every layer of the web stack patched: the server OS, the web server software (Apache, IIS, etc.) and the website software itself (Joomla, WordPress, Drupal, MODx CMS or other third-party software).

Check and patch vulnerabilities in website plugins and extensions (commercial or open-source: menu systems, WYSIWYG editors, etc.). Plugins are typically patched less promptly than the core CMS and are a common way in.

Check for and patch vulnerabilities in software on the computers used to administer the site (Adobe Reader, Flash, Java, Microsoft and Apple software, browsers, etc.). A compromised workstation gives up the FTP, SSH and control-panel credentials that protect the site. Remove Flash (end of life since the end of 2020) and browser Java plugins wherever they are not needed.

Check for and fix vulnerabilities in the website's own code: SQL injection, code injection, cross-site scripting (XSS), remote file inclusion, cross-site request forgery (CSRF), path/directory traversal, etc. Most of these share one root cause: untrusted input reaches an interpreter (SQL, HTML, the file system, the shell) without being validated and encoded for that context.

Use strong, unique passwords for every login and enforce the complexity policy: passwords must be at least 7 characters; must not contain the user's email alias, first name, last name or any part of the company name; must contain characters from three of the four categories (uppercase A through Z, lowercase a through z, base-10 digits 0 through 9, and the non-alphanumeric characters ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/); and the "@" character must not be the first or last character. Treat 7 as a floor: a long passphrase, a different password for every site and a check against lists of known-breached passwords (which current NIST SP 800-63B guidance recommends in place of composition rules) add more protection than the character-class rules themselves.
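The policy above is precise enough to implement, so here it is as an added Python example (written for this page, not code from the page's author) that reports every rule a candidate password breaks. It follows the rules exactly as stated; "any part of the company name" is interpreted as each word of the name, and the sample identity (jdoe / John Doe / Acme Widgets) is constructed test data.

```python
import string

# The four character categories named in the policy; the symbol list is the policy's own.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SYMBOLS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')

MIN_LENGTH = 7
MIN_CATEGORIES = 3


def password_violations(password, email_alias="", first_name="", last_name="", company_name=""):
    """Return the list of policy rules the password breaks; an empty list means it passes.

    The identity values are matched case-insensitively. "Any part of the company name"
    is taken here to mean each whitespace-separated word of it (an interpretation
    chosen for this example; the policy text does not define the granularity).
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    for term in [email_alias, first_name, last_name, *company_name.split()]:
        if term and term.lower() in lowered:
            problems.append(f"contains forbidden term {term!r}")

    present = set(password)
    categories = sum(1 for cls in (UPPER, LOWER, DIGITS, SYMBOLS) if present & cls)
    if categories < MIN_CATEGORIES:
        problems.append(f"uses {categories} of 4 character categories; {MIN_CATEGORIES} required")

    if password.startswith("@") or password.endswith("@"):
        problems.append("'@' must not be the first or last character")

    return problems


def meets_policy(password, **identity):
    """True when the password satisfies every rule of the policy."""
    return not password_violations(password, **identity)


if __name__ == "__main__":
    # Constructed sample identity: a fictitious user at a fictitious company.
    who = dict(email_alias="jdoe", first_name="John", last_name="Doe", company_name="Acme Widgets")
    for candidate in ("Summer#2024", "@Acme2024", "johndoe7", "abcdefgh", "Ab1"):
        print(f"{candidate!r:15} {password_violations(candidate, **who) or 'OK'}")
```

Returning the list of violations rather than a bare yes/no lets the login or account page tell the user exactly which rule failed, which is what makes a policy like this enforceable in practice.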

Validate all input on the server side for login pages and other web forms. Client-side (JavaScript) validation is a convenience for users only; an attacker submits requests directly and bypasses it entirely, so every check must be repeated on the server.
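To make the two preceding items concrete, the following is an added Python example (written for this page, not code from the page's author) using an in-memory SQLite table as a stand-in for a site's database. It shows a login query that splices form input into SQL next to the parameterized version that defeats the same payload, output encoding against cross-site scripting, and a server-side path check against directory traversal. The users table, the admin account and the /var/www/site web root are constructed sample data.

```python
import html
import os
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the site's database.

    The password is stored in clear text only so the injection stays visible;
    a real site stores salted password hashes and compares them in code.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """SQL injection: the form fields are spliced straight into the query text."""
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: the values travel separately from the SQL and are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def render_greeting(name):
    """Output encoding against cross-site scripting: escape text before it lands in HTML."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def safe_join(web_root, user_path):
    """Resolve a user-supplied path under web_root; refuse anything that escapes it.

    realpath() collapses '..' segments and follows symlinks, so the check runs on the
    path the file system will actually open. commonpath() is used instead of a string
    prefix test so that /var/www/site2 is not mistaken for a child of /var/www/site.
    """
    base = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path {user_path!r} escapes the web root")
    return target


def is_within_root(web_root, user_path):
    """Boolean form of safe_join for callers that only need the verdict."""
    try:
        safe_join(web_root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"   # the trailing SQL comment removes the AND password = ... clause
    print("vulnerable_login:", vulnerable_login(db, payload, "wrong"))   # True: logged in as admin
    print("safe_login:     ", safe_login(db, payload, "wrong"))          # False: no such user
    print(render_greeting("<script>alert(1)</script>"))
    for p in ("images/logo.png", "../../etc/passwd", "/etc/passwd"):
        print(p, "->", "allowed" if is_within_root("/var/www/site", p) else "blocked")
```

The same three rules carry over to PHP: use prepared statements (PDO or mysqli with bound parameters), run output through htmlspecialchars(), and check realpath() of any user-controlled file path against the directory you intend to serve from.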

Always use TLS (SSL) certificates on websites with login capability and force HTTPS: redirect every HTTP request to HTTPS and send a Strict-Transport-Security header so browsers stop using plain HTTP for the site. Certificates are available at no cost (for example from Let's Encrypt), so there is little reason not to serve the whole site over HTTPS.

Check file permissions. On Linux servers, make sure permissions are changed from the completely open 777 (readable, writable and executable by every account on the system) to the more restrictive 755 for folders and 644 for files. Configuration files that hold database credentials (wp-config.php, for example) should be tighter still: 640 or 600. A 777 directory on a shared host lets any other account on that server drop a web shell into your site.
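The permission fix above as an added Python example (written for this page, not code from the page's author): it walks a site tree, reports anything world-writable, and sets 755 on directories and 644 on files, with a tighter 600 for files the caller names as secrets. The demo builds a throwaway tree under the system temp directory; the WordPress-style file names are illustrative only.

```python
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755     # rwxr-xr-x: only the owner may create or delete entries
FILE_MODE = 0o644    # rw-r--r--: only the owner may modify, everyone may read
SECRET_MODE = 0o600  # rw-------: credential files; which files count is the caller's decision


def mode_of(path):
    """Permission bits of path as an int such as 0o777 (file type bits stripped)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def _entries(root):
    """Yield every directory and regular file under root, skipping symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, name) for name in filenames]:
            if not os.path.islink(path):
                yield path


def find_world_writable(root):
    """Paths under root that any user on the system can write to (the o+w bit is set)."""
    return sorted(p for p in _entries(root) if mode_of(p) & stat.S_IWOTH)


def fix_permissions(root, secret_files=()):
    """Apply 755 to directories and 644 to files (600 to secret_files); return what changed."""
    secrets = {os.path.realpath(p) for p in secret_files}
    changed = []
    for path in _entries(root):
        if os.path.isdir(path):
            wanted = DIR_MODE
        elif os.path.realpath(path) in secrets:
            wanted = SECRET_MODE
        else:
            wanted = FILE_MODE
        if mode_of(path) != wanted:
            os.chmod(path, wanted)
            changed.append((path, wanted))
    return changed


def demo():
    """Build a constructed site tree left 'completely open' at 777, fix it, report the result."""
    root = tempfile.mkdtemp(prefix="site-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    for name in ("index.php", "wp-config.php", os.path.join("wp-content", "uploads", "photo.jpg")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample content\n")
    for path in list(_entries(root)):
        os.chmod(path, 0o777)          # the misconfiguration the guideline warns about
    before = find_world_writable(root)
    changed = fix_permissions(root, secret_files=[config])
    result = {
        "world_writable_before": len(before),
        "world_writable_after": len(find_world_writable(root)),
        "changed": len(changed),
        "dir_mode": mode_of(uploads),
        "file_mode": mode_of(os.path.join(root, "index.php")),
        "config_mode": mode_of(config),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {oct(value) if key.endswith('_mode') else value}")
```

The equivalent one-liners on the server are `find /var/www/site -type d -exec chmod 755 {} +` and `find /var/www/site -type f -exec chmod 644 {} +`, followed by `chmod 600` on the credential files. Run them as the account that owns the site, and keep upload directories writable only by the user PHP actually runs as; if that user is the site owner (see the next item) 755 is enough even there.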

If your site uses PHP, run its scripts as the account that owns the site. suPHP does this on older Apache setups; on current servers the equivalent is PHP-FPM with a separate pool, user and group per site. Without this, every site's PHP scripts run as the one shared web server user ("nobody", "www-data" or "apache"). That account is not privileged, but it is the same for every site on the server, so a flaw in one site lets the attacker read or modify anything the web server user can reach in the others, and it is the reason directories end up 777: the web server has to be able to write uploads. Running scripts as the site owner removes both problems.

Run the web server in a DMZ. Allow it only the specific connections into the internal network that it actually needs (for example, to a database server on one port) and block everything else, so that a compromised web server cannot be used as a stepping stone into the office network.

Employ an intrusion prevention system (Cisco IPS, SecureWorks, etc.). Keep its signatures current and have someone review its alerts; an IPS only blocks the attacks it already recognizes.

If you handle really sensitive information such as credit card payments or medical records, a web application firewall (Cisco ACE, Imperva, etc.) can be employed. Enterprise appliances are very expensive and most small businesses cannot afford them, but the open-source ModSecurity engine and cloud-hosted WAF services cover the same need at lower cost. A WAF in front of public-facing web applications is one of the options PCI DSS accepts (Requirement 6.6) for protecting cardholder data, and Amazon and PayPal use such systems for PCI compliance. A WAF reduces exposure but does not replace fixing the underlying code.

 

If you have any questions about the above, please feel free to contact us.

Support Resources

Here you will find a variety of resources on many topics.  These are here to better support our customers. Please feel free to contact us if you need assistance.

 

Miscellaneous

Identify Cable Connector Types (Coming Soon)

Public Domain Name Service (DNS) Servers

Public Time (NTP) Servers

Internet Connection Types

Windows 8 Shortcuts

IP Address Lookup

Guidelines for Securing Websites

 

Email Realtime Blackhole Lists / Reputation Lists

ZDS™ - Zombie Detection System™

Cisco IronPort SenderBase Security Network

MX Toolbox®

BlackListCheck.com

The Anti-Abuse Project

Ted's Webtools

RBL Check

Public DNS Servers

A DNS server lets people and applications look up records in the Domain Name System. Most DNS resolvers are private: they are configured to answer only for the people and organizations that own and maintain them.

A few name servers on the Internet will resolve names for anyone who asks. These are known as "public DNS servers" (or open resolvers).

The servers below are public on purpose, run as a service. An open resolver that is public by accident is a liability: it can be abused to amplify denial-of-service traffic against third parties and should be restricted to its own clients. Keep in mind as well that whichever public resolver you use can see every name your systems look up. Below is a list of public DNS servers.

Google (Wichita, KS, US)
8.8.8.8
8.8.4.4

Level 3 Communications (Broomfield, CO, US)
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6

CenturyLink (Formerly UTS, Sprint, Embarq, CenturyTel)
207.14.235.234
67.238.98.162
74.4.19.188

Verizon (Reston, VA, US)
151.197.0.38
151.197.0.39
151.202.0.84
151.202.0.85
151.203.0.84
151.203.0.85
199.45.32.37
199.45.32.38
199.45.32.40
199.45.32.43

GTE (Irving, TX, US)
192.76.85.133
206.124.64.1

One Connect IP (Albuquerque, NM, US)
67.138.54.100

OpenDNS (San Francisco, CA, US)
208.67.222.222
208.67.220.220

Comodo SecureDNS (Jersey City, NJ)
156.154.70.22
156.154.71.22

Exetel (Sydney, AU)
220.233.167.31

VRx Network Services (New York, NY, US)
199.166.31.3

SpeakEasy (Seattle, WA, US)
66.93.87.2
216.231.41.2
216.254.95.2
64.81.45.2
64.81.111.2
64.81.127.2
64.81.79.2
64.81.159.2
66.92.64.2
66.92.224.2
66.92.159.2
216.27.175.2

Sprintlink (Overland Park, KS, US)
199.2.252.10
204.97.212.10
204.117.214.10

Cisco (San Jose, CA, US)
64.102.255.44
128.107.241.185

OpenNIC
202.83.95.227 (au)
119.31.230.42 (au)
178.63.26.173 (de)
217.79.186.148 (de)
27.110.120.30 (nz)
89.16.173.11 (uk)
69.164.208.50 (us)
216.87.84.211 (us)
2001:470:8388:10:0:100:53:20 (us)
2001:470:1f10:c6::2 (us)

Public Time Servers

 

Public time servers speak the Network Time Protocol (NTP), a protocol for synchronizing the clocks of computer systems and network equipment over packet-switched, variable-latency data networks. It is designed specifically to cancel out that variable latency and keep all equipment in sync.

Accurate time is a security control in its own right: TLS certificate validity checks, Kerberos authentication and correlating log entries across systems during an incident all depend on it. Configure at least three or four servers rather than one, so that a single wrong or spoofed source can be outvoted; NTP as used below is unauthenticated UDP. Prefer the host names to the IP addresses, which change over time (time.nist.gov is a round-robin name across NIST's servers), and do not poll any single server more often than its operator allows (NIST asks for no more than once every 4 seconds).

Below is a list of public time servers available for use.

 

ntp2.usno.navy.mil (192.5.41.209) USNO, Washington, DC

tock.usno.navy.mil (192.5.41.41) USNO, Washington, DC

tick.usno.navy.mil (192.5.41.40) USNO, Washington, DC

time-a.nist.gov (129.6.15.28) NIST, Gaithersburg, Maryland

time-b.nist.gov (129.6.15.29) NIST, Gaithersburg, Maryland

time.nist.gov (192.43.244.18) NCAR, Boulder, Colorado

ntp-s1.cise.ufl.edu (128.227.205.3) University of Florida, Gainesville, FL
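To show what an NTP exchange actually carries, and why a client should sanity-check what comes back before trusting it, here is an added SNTP client in Python (example code written for this page, not software from NIST, USNO or the page's author). The reply packet it parses offline is constructed sample data with timestamps around Unix time 1700000000; the live query function targets one of the servers listed above and needs network access.

```python
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
PACKET_FORMAT = "!BBbb11I"    # 48 bytes: flags, stratum, poll, precision, then eleven 32-bit words


def to_ntp_timestamp(unix_seconds):
    """Unix time -> NTP 64-bit timestamp as (seconds, fraction) 32-bit words."""
    ntp = unix_seconds + NTP_UNIX_DELTA
    secs = int(ntp)
    frac = int(round((ntp - secs) * 2**32)) & 0xFFFFFFFF
    return secs & 0xFFFFFFFF, frac


def from_ntp_timestamp(secs, frac):
    """NTP (seconds, fraction) -> Unix time as a float."""
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_request(now):
    """SNTP v4 client request: LI=0, VN=4, Mode=3; our send time fills the transmit field."""
    secs, frac = to_ntp_timestamp(now)
    flags = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET_FORMAT, flags, 0, 0, 0,
                       0, 0, 0,             # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,    # reference, originate and receive timestamps
                       secs, frac)          # transmit timestamp (echoed back as "originate")


def parse_response(data, originate):
    """Validate a server reply and return (stratum, receive_time, transmit_time) in Unix seconds.

    NTP here is plain unauthenticated UDP, so a forged reply could move our clock.
    A client should at least insist on a mode-4 reply of a known version, a usable
    stratum (0 is a kiss-o'-death, above 15 is unsynchronized) and an originate
    timestamp that echoes the request it actually sent.
    """
    if len(data) < 48:
        raise ValueError("short packet")
    f = struct.unpack(PACKET_FORMAT, data[:48])
    version, mode, stratum = (f[0] >> 3) & 0x7, f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if version not in (3, 4):
        raise ValueError(f"unsupported NTP version {version}")
    if stratum == 0 or stratum > 15:
        raise ValueError(f"unusable stratum {stratum}")
    if (f[9], f[10]) != tuple(originate):
        raise ValueError("originate timestamp does not match our request")
    return stratum, from_ntp_timestamp(f[11], f[12]), from_ntp_timestamp(f[13], f[14])


def clock_offset(t0, t1, t2, t3):
    """RFC 4330 arithmetic. t0/t3: client send/receive, t1/t2: server receive/send.

    Returns (offset, round_trip_delay); offset is how far the local clock lags the server.
    """
    return ((t1 - t0) + (t2 - t3)) / 2, (t3 - t0) - (t2 - t1)


def query(server, timeout=2.0):
    """One live SNTP exchange (needs network): returns (stratum, offset, delay)."""
    t0 = time.time()
    originate = to_ntp_timestamp(t0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t0), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
    t3 = time.time()
    stratum, t1, t2 = parse_response(data, originate)
    offset, delay = clock_offset(t0, t1, t2, t3)
    return stratum, offset, delay


def sample_reply(originate):
    """Constructed stratum-1 reply (not a real capture) echoing `originate`."""
    r_secs, r_frac = to_ntp_timestamp(1700000000.5)    # server receive time
    x_secs, x_frac = to_ntp_timestamp(1700000000.75)   # server transmit time
    return struct.pack(PACKET_FORMAT, (4 << 3) | 4, 1, 6, -20,
                       0, 0, struct.unpack("!I", b"NIST")[0],   # stratum-1 reference id is ASCII
                       0, 0, originate[0], originate[1],
                       r_secs, r_frac, x_secs, x_frac)


if __name__ == "__main__":
    orig = to_ntp_timestamp(1700000000.0)
    print(parse_response(sample_reply(orig), orig))   # (1, 1700000000.5, 1700000000.75)
    # Live check against a server from the list, e.g.: print(query("time.nist.gov"))
```

A production client (ntpd, chrony, systemd-timesyncd) does the same arithmetic across several servers and discards outliers, which is why the list above should be used as a pool rather than a single source.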

 

Internet Connection Types

There are different types of connections to the Internet. Below is an explanation of each to help you understand the differences.

Low Cost Internet connections

For residential users and small businesses that need a cost-effective alternative for high-speed access.

DSL and cable Internet connections run over a shared access network (historically ATM-based* in the case of DSL). Many customers are aggregated at a few points (the DSLAM or cable node/CMTS and the central office), and each aggregation point is a potential single point of failure. DSL and cable are also far less regulated than dedicated circuits: price increases, defined quality levels and customer-service responsiveness are at the discretion of the local telco/cable operator and third-party providers. Upstream (upload) and downstream (download) speeds are asymmetric, with upstream much lower.

Digital Subscriber Line

DSL - Can transmit from 256 Kbit/s to 40 Mbit/s depending on the DSL variant and distance from the exchange. Typical service offers upstream of up to 1.5 Mbit/s and downstream of up to 10 Mbit/s.

Cable Internet Access - Data Over Cable Service Interface Specification (DOCSIS)

DOCSIS 1.x - Obsolete (no longer deployed).
DOCSIS 2.0 - Typical service tiers: upstream up to 2.0 Mbit/s and downstream up to 16 Mbit/s.
DOCSIS 3.0 - Adds channel bonding. Typical service tiers: upstream up to 10 Mbit/s and downstream up to 150 Mbit/s, roughly 6 T1 lines upstream and 97 T1 lines downstream; bonding more channels raises the ceiling.
DOCSIS 3.1 - Upstream up to 1 Gbit/s and downstream up to 10 Gbit/s. It replaces the 6 MHz and 8 MHz wide channels with orthogonal frequency-division multiplexing (OFDM) using narrow 25 kHz or 50 kHz subcarriers.

 

Dedicated Internet connections

For organizations with a mission-critical need for high-speed connectivity, including web hosting and company-wide access.

Dedicated connections are private point-to-point circuits between the customer and the provider. They are rock-solid, based on proven, mature technology, and offer high availability and reliability with guaranteed fixed speeds backed by service level agreements. Dedicated circuits are regulated: state and FCC rules govern cost escalation, defined quality levels and customer-service responsiveness.

T-carrier/Digital Signal crossconnect

T1/DS1 - Transmits data at 1.544 Mbit/s: 24 channels of 64 Kbit/s, or 24 voice channels. (T1 circuits can be bonded together for more bandwidth.)
T3/DS3 - Transmits data at 44.736 Mbit/s. Equivalent to 28 T1 lines.

SONET Optical Carrier transmission

OC-1 - Transmits data at 51.84 Mbit/s. Equivalent to 28 T1 lines or 1 x T3 line
OC-3 - Transmits data at 155.52 Mbit/s. Equivalent to 84 T1 lines or 3 x T3 lines
OC-9 - Transmits data at 466.56 Mbit/s. Equivalent to 252 T1 lines or 9 x T3 lines
OC-12 - Transmits data at 622.08 Mbit/s. Equivalent to 336 T1 lines or 12 x T3 lines
OC-18 - Transmits data at 933.12 Mbit/s. Equivalent to 504 T1 lines or 18 x T3 lines
OC-24 - Transmits data at 1.244 Gbit/s. Equivalent to 672 T1 lines or 24 x T3 lines
OC-36 - Transmits data at 1.866 Gbit/s. Equivalent to 1,008 T1 lines or 36 x T3 lines
OC-48 - Transmits data at 2.488 Gbit/s. Equivalent to 1,344 T1 lines or 48 x T3 lines
OC-96 - Transmits data at 4.976 Gbit/s. Equivalent to 2,688 T1 lines or 96 x T3 lines
OC-192 - Transmits data at 9.953 Gbit/s. Equivalent to 5,376 T1 lines or 192 x T3 lines
OC-256 - Transmits data at 13.271 Gbit/s. Equivalent to 7,168 T1 lines or 256 x T3 lines
OC-768 - Transmits data at 39.813 Gbit/s. Equivalent to 21,504 T1 lines or 768 x T3 lines

*Asynchronous Transfer Mode (ATM) is a switching technique for telecommunication networks. It uses asynchronous time-division multiplexing, and it encodes data into small, fixed-sized cells. This differs from networks such as the Internet or Ethernet LANs that use variable sized packets or frames. ATM provides data link layer services that run over OSI Layer 1 physical links. ATM has functional similarity with both circuit switched networking and small packet switched networking. This makes it a good choice for a network that must handle both traditional high-throughput data traffic (e.g., file transfers), and real-time, low-latency content such as voice and video. ATM uses a connection-oriented model in which a virtual circuit must be established between two endpoints before the actual data exchange begins. ATM is a core protocol used over the SONET/SDH backbone of the Integrated Services Digital Network (ISDN).

Metro-Ethernet (metropolitan area network or MAN)

A metropolitan-area Ethernet, Ethernet MAN, or metro Ethernet network is a metropolitan area network (MAN) based on Ethernet standards. It is commonly used to connect subscribers to a larger service network or to the Internet. Businesses can also use metropolitan-area Ethernet to connect their own offices to each other. Internet access can also be bundled onto the same circuit, either by using a VLAN or an MPLS cloud.

An Ethernet interface is much less expensive than a SONET interface of the same bandwidth. Ethernet also supports high bandwidths with fine granularity, which is not available with traditional SONET connections. Another distinct advantage of an Ethernet-based access network is that it can be easily connected to the customer network, due to the prevalent use of Ethernet in corporate and, more recently, residential networks. A typical service provider's network is a collection of switches and routers connected through optical fiber. The topology could be a ring, hub-and-spoke (star), or full or partial mesh. The network will also have a hierarchy: core, distribution (aggregation), and access. The core in most cases is an existing IP/MPLS backbone but may migrate to newer forms of Ethernet transport in the form of 10Gbit/s, 40Gbit/s, or 100Gbit/s speeds or even possibly 400Gbit/s to Terabit Ethernet network in the future.
