Encyclopedia
As you probably know, a lot of web-based software is available for free on the Web. This open-source software can be used without paying anything, which is a great advantage these days.
When you run open-source software on a web server, remember that everyone can get hold of the source code, including the people who want to break into your system. They know the default table names, the default account names and the default location of the administration area as well as you do.
There are, however, some small things you can do to make an attack harder. The following list is not complete, so look for additional and stronger security measures as well.
1. Use your own database table prefix
Most web-based software, especially content management systems (CMS), uses a MySQL database. This tip is not specific to MySQL; it applies to any database.
A database is organised in tables. Each table has its own name, which normally starts with a prefix that identifies the software the table belongs to.
Many CMS let you specify this so-called "table prefix" during installation. Don't keep the default one. Choose your own!
Here is an example:
Default table name: defaultprefix_cms_userdata
Your own, changing only the prefix: k3z5h0q_cms_userdata
Do not change the rest of the table name; the software expects it and would break. Choose the prefix at installation time: renaming tables afterwards also means updating every place in the configuration and the data that refers to them.
Be clear about what a custom prefix buys you and what it does not. Many attacks on a popular CMS are canned scripts that hard-code the default table names, and those fail against renamed tables. An attacker who can run arbitrary SQL through a vulnerability in the application, however, can simply read the real table names from the database catalogue (information_schema.tables in MySQL), so the prefix is not a secret in the way a password is and does not by itself keep anyone out of your database. Treat it as a cheap way to break automated attacks, not as a substitute for fixing the vulnerability they exploit.
Mix letters and digits, and do not derive the prefix from your site's name: that would be the first thing an attacker tries. Most installation procedures ask for a prefix, but not all do; if yours does not, check the software's documentation for where it is configured before you install.
2. Set up the administrator account with a different name
Don't use "admin" or similar as the username of your administrator account; choose a name an attacker would not guess. If the system tells you that the built-in administrator cannot be deleted, look in the database: usually it can be removed there. Create a new administrator and log in with it before you delete the old one, or you will lock yourself out.
3. Review Program Code for Administrator Setup
If the system has its own administration code that is entered separately from the user area, it can be a good idea to review that source code and disable the actions you do not want to be available, for example creating new administrators.
Don't delete the code, comment it out. That way you can re-enable it whenever you need it. Keep a note of what you changed, because the next update of the software will overwrite it.
There are systems where this is not possible, because the administration code is embedded in the general source code.
4. Review your Server Settings
Review the server settings for the language your CMS is written in. This could be PHP, Perl or another language; each has its own settings on your server.
As I'm not an expert in each of these programming languages I'm not going to give you examples here. Instead I encourage you to visit the site of the programming language or the site of the provider of your CMS to find out which security settings you should apply.
5. Input Validation
Open-source software has the great advantage that you can change it to your needs. When you extend the software of your CMS, make sure to validate all user input, and never paste it as it is into SQL statements, shell commands or HTML.
This prevents your database from being compromised and your system from being hijacked by a stranger. Most user input is correct, but you never know, and an attacker sends exactly the input you did not expect. For database queries the reliable protection is a prepared (parameterized) statement, where the input is passed as a value and can never become part of the SQL text.
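The following Python example is added here to illustrate tips 1 and 5 together; it is not code from the original article or from any CMS. It uses an in-memory SQLite database as a stand-in for MySQL (SQLite's sqlite_master catalogue plays the role of MySQL's information_schema.tables), and the table name, the users and the attack payloads are constructed for the example. It shows a canned injection that hard-codes the default table name failing against a custom prefix, the same vulnerable code giving up the real table name to a payload that asks the catalogue instead, and a parameterized query that is immune to both.

```python
import secrets
import sqlite3
import string

# Constructed sample data; the table name, users and payloads are hypothetical.
TABLE_SUFFIX = "cms_userdata"
DEFAULT_PREFIX = "defaultprefix_"


def random_prefix(length: int = 7) -> str:
    """Generate a table prefix such as 'k3z5h0q_' from a CSPRNG.

    The first character is a letter so the name is a valid unquoted
    identifier in MySQL and SQLite alike.
    """
    head = secrets.choice(string.ascii_lowercase)
    tail = "".join(secrets.choice(string.ascii_lowercase + string.digits)
                   for _ in range(length - 1))
    return head + tail + "_"


def setup_db(prefix: str) -> sqlite3.Connection:
    """In-memory SQLite stand-in for the CMS database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    table = prefix + TABLE_SUFFIX
    # The prefix comes from the site's configuration, never from a request,
    # so splicing it into the SQL text here is safe.
    conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(f"INSERT INTO {table} (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, prefix, username):
    """The bug: user input is pasted into the SQL text (SQL injection)."""
    sql = (f"SELECT username, email FROM {prefix}{TABLE_SUFFIX} "
           f"WHERE username = '{username}'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, prefix, username):
    """The fix: a parameterized query; the input is a value, never SQL."""
    sql = f"SELECT username, email FROM {prefix}{TABLE_SUFFIX} WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A canned payload, as copied from a published exploit, hard-codes the
# default table name.
CANNED_PAYLOAD = (f"x' UNION SELECT username, email "
                  f"FROM {DEFAULT_PREFIX}{TABLE_SUFFIX} --")
# A payload that asks the database catalogue for the real table names.
# sqlite_master plays the role of MySQL's information_schema.tables.
CATALOGUE_PAYLOAD = ("x' UNION SELECT name, sql FROM sqlite_master "
                     "WHERE type = 'table' --")


def demo(prefix: str) -> dict:
    """Run the three cases against a database installed with `prefix`."""
    conn = setup_db(prefix)
    results = {}
    try:
        results["canned"] = lookup_vulnerable(conn, prefix, CANNED_PAYLOAD)
    except sqlite3.OperationalError as exc:
        # With a custom prefix the canned script fails: no such table.
        results["canned"] = f"error: {exc}"
    # Prefix or not, the vulnerable code hands over the real table name.
    results["catalogue"] = lookup_vulnerable(conn, prefix, CATALOGUE_PAYLOAD)
    # The parameterized query treats the payload as a username that does not exist.
    results["hardened"] = lookup_hardened(conn, prefix, CATALOGUE_PAYLOAD)
    return results


if __name__ == "__main__":
    for p in (DEFAULT_PREFIX, random_prefix()):
        print(p, demo(p))
```

Run it and compare the two prefixes: with the default prefix the canned payload dumps every user; with a custom prefix it errors out, but the catalogue payload still returns the renamed table, and only the parameterized lookup returns nothing in both cases.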
6. Disable Error Display in a Live/Production System
This makes your site look better when an error occurs, and it stops the error page from showing the directory structure of your server.
Many error messages reveal the directory structure, file names and sometimes configuration details of your system by default, and a visitor who is shown a raw system error does not feel well about the site. Keep error reporting switched on, but send it to a log file on the server instead of to the browser (in PHP these are the display_errors and log_errors settings).
Set up a test system for yourself if you are going to change the source code, and leave error display on there. If your code runs there without any errors, it is likely to run smoothly on the live system as well.
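The following is an added example, not code from the article or from any CMS, showing the two behaviours side by side in a small Python WSGI application used as a stand-in for the PHP CMS. The failing page, the configuration path in the error message and the in-memory log buffer are all constructed for the example; a real deployment would log to a file.

```python
import logging
import traceback
from io import StringIO

# Server-side log. In production this would be a file; here it is a buffer
# so the example can inspect it. (Constructed setup, not CMS code.)
LOG_BUFFER = StringIO()
log = logging.getLogger("cms.errors")
log.setLevel(logging.ERROR)
log.addHandler(logging.StreamHandler(LOG_BUFFER))
log.propagate = False

# Hypothetical path: the kind of detail a raw error message leaks.
CONFIG_PATH = "/var/www/cms/config/db.php"


def cms_page(environ: dict) -> str:
    """Constructed page handler: one URL works, one fails like a broken install."""
    if environ.get("PATH_INFO") == "/broken":
        raise RuntimeError(f"could not open {CONFIG_PATH}")
    return "<h1>Welcome</h1>"


def app_debug(environ, start_response):
    """Error display ON: the traceback, with file names and paths, goes to the visitor."""
    try:
        body = cms_page(environ)
    except Exception:
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [traceback.format_exc().encode()]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def app_production(environ, start_response):
    """Error display OFF: details go to the server log, the visitor gets a generic page."""
    try:
        body = cms_page(environ)
    except Exception:
        log.error("request %s failed:\n%s", environ.get("PATH_INFO"), traceback.format_exc())
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [b"Sorry, something went wrong. The error has been logged."]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def call(app, path: str = "/"):
    """Minimal WSGI client: returns (status, body_text) without a real server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    print(call(app_debug, "/broken"))
    print(call(app_production, "/broken"))
    print("logged on the server:", LOG_BUFFER.getvalue())
```

The point is that the same amount of detail is recorded in both cases; only the audience changes. Use app_debug's behaviour on your test system and app_production's on the live one.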
7. Work on your web server only over a secure connection
Whether you are working on the content of your website or on the program code, always use an encrypted connection.
Encrypted connections are the ones that use SSL/TLS or SSH. Many tools on the Web help you accomplish this. SSL/TLS must be enabled on your web server; then you can reach your CMS via https://www.yourwebsite.com. Make sure the browser accepts the certificate without a warning, and do not click through certificate errors.
SSH is normally available on every web server, so you only need a client that speaks SSH (and SFTP or SCP for transferring files, rather than plain FTP). If you run Linux, Quanta Plus is such a tool: an open-source editor for PHP, CSS, HTML and other files that can open them over SSH. There are numerous open-source tools for Windows as well.
The reason is simple: over an unencrypted connection anyone on the path can read your passwords, because they are normally sent in clear text.
These are just a few security measures which everyone can put to work, but there is a lot more that is possible. A really secure system requires learning much more about web server and database configuration, or leaving those details to people who have the knowledge to go into them.
Hopefully your system will be safer and more secure after applying the above measures.
Good luck.