In this article:
Get the latest server software
Install your website
Secure the defaults
Disable directory listings
Disable raw error reporting
Secure the configuration files
Review log files
KISS to be secure
Get the latest versions of the software that will be required to host your website. Most web servers like Apache and database servers like MySQL have publicly reported vulnerabilities. The latest versions of this software will usually include fixes for those vulnerabilities. Over time, as more vulnerabilities are reported, you can apply patches.
Install the files that make up your website or application. This may seem obvious. But what I mean is “install only the files that make up your website or application”. In all the years that I have performed vulnerability assessments and penetration tests, I have seen so many sites that have files that are not required. These may be backups for files that were modified over time or files that are not in use anymore. One client had almost 300 jsp files that were obsolete and not used anymore. Entire directories had to be pruned because they were not necessary anymore. These files may provide enough information to an attacker to be able to launch successful attacks.
If you use Oracle for instance, it installs over 200 default accounts. These include accounts that are required for Oracle Financials, even though you may not actually use them or not even have bought that package. Remove any default accounts or change the passwords for these accounts. Set a password for every account that you retain. Some default accounts have no password set for them.
If your server allows directory listings and there is no default page specified, when a visitor types in the name of the directory in the web browser, all the files in that directory are listed. For example, a visitor can type
This can reveal information that you may not want an attacker to know. For example, if you have a backup file (see step 2 above), then anyone can simply click on that file to get it and analyze information or code in that file. The same goes for log files and config files. One thing you can do is to create an empty file and name it index.html (or whatever is the default page for your web server) and place it in all the directories that do not already have a default page. This will ensure that visitors see an empty page whenever they type the name of a directory without a file name.
Error messages are very good sources of information for someone looking to attack your website. Raw error messages can contain information such as your file paths, database server information, table structure, etc. These should not be shown to visitors to your website. If an error happens, you should log the error and provide a generic error message to the visitor. A generic error message would look like this:
An error occurred. Please contact the website administrator
You can set up custom error pages on most servers and platforms.
After you install your website, make sure that you are not able to download your configuration files. You can do this by opening your web browser and typing in the exact URL for the configuration files. These files usually contain sensitive information such as database connection strings that can fall into the wrong hands.
Log files will contain all the requests that users make to the web server. They can give you an idea of which pages people are using. They can also provide indications of attacks or hacks. If the website has been breached and someone has placed malicious pages on your server, the server logs will record requests to these files. Regular review may help you minimize the impact of a successful attack.
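The log review described above, combined with the earlier points about leftover backup files, configuration files and directory listings, as an added example that is not part of the original article. It parses a constructed sample access log in the common "combined" format (the IP addresses, paths and file-name patterns are assumptions for illustration) and flags the requests a reviewer would want to look at first.

```python
import re
from collections import Counter

# Constructed sample access log in the common "combined" format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /images/ HTTP/1.1" 200 1430 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /config.php.bak HTTP/1.1" 200 870 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /web.config HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /old/login.jsp HTTP/1.1" 404 210 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /about.html HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

# Fields we need from each log line: client IP, request path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# File types the article says should never be reachable: backups, logs and configuration files.
SENSITIVE_RE = re.compile(
    r'\.(bak|old|orig|swp|log|ini|conf|config)$|(^|/)(web\.config|\.env|\.htaccess)$', re.I
)


def review(log_text):
    """Return a list of (ip, path, reason) findings for requests worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-review
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if SENSITIVE_RE.search(path):
            if status == 200:
                findings.append((ip, path, "sensitive file was served (200): remove it or block access"))
            else:
                findings.append((ip, path, f"sensitive file probed but refused ({status})"))
        elif path != "/" and path.endswith("/") and status == 200:
            findings.append((ip, path, "bare directory answered 200: confirm listings are disabled"))
        elif status == 404:
            findings.append((ip, path, "request for a missing file (404): possible scan for leftovers"))
    return findings


def probes_by_ip(findings):
    """Count findings per client so the noisiest sources stand out."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    for ip, path, reason in review(SAMPLE_LOG):
        print(f"{ip:15} {path:20} {reason}")
    print(probes_by_ip(review(SAMPLE_LOG)).most_common())
```

A served backup (status 200) is the finding to act on immediately; refused probes and 404 scans show what an attacker is looking for and which leftovers to prune before they are found.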
The most important thing to remember is to KISS (Keep It Simple, Stupid). This is a concept that does not seem to have many followers. Everyone wants all the bells and whistles. But you have to keep the website as simple as possible. Remember, the more functionality you add, the bigger the attack surface becomes. There are more places and more ways the website can be attacked. Do not add functionality just because it looks cool.
These are just some steps that you can take to secure your website. Depending on the platform and programming language, you may have to do other things.