An intrusion occurs when somebody gets into your computer without your permission, rather like a burglar breaking into your house. Once inside, an intruder has access to your data and can wreak havoc on your system.
Web pages consisting of text, images, sound, video, etc. are stored in computers called Web servers connected to the Internet. If attackers get into your Web server they can expose sensitive information, damage your files, deface your site, and steal your data. There are three ways attackers can get into a Web server system:
- Content updating mechanisms: To update Web pages on your site, you need to use some tool or application to send new documents to the server that hosts your site. The method used to send them is known as a file transfer protocol, and if it is not properly secured, attackers can intercept your data while it is being sent to the server.
- Form fields used to collect information from site users: You may want users of your site to be able to send information to your Web site (e.g. a registration form). Users can put data into these fields that force your Web server software to carry out certain actions. These actions could be harmful to your Web site or system.
- The physical location of the server: Attackers with physical access to the server hosting your Web site can get into the system.
Once they have gained access to the files on your server, attackers could deface your Web site. Besides damaging your site's reputation, defacement can cost you in site downtime and repair, lost trade, security updates, and possible litigation.
Protective Measures
Practices
- Use a secure method to update the content of your Web site: File Transfer Protocol (FTP) is an insecure protocol and should never be used to send private account information. With insecure protocols, attackers may be able to obtain your username and password by listening to your network traffic. With this information they can modify any of the data on your site. Ask your web-hosting company for an account using a secure method such as SFTP, SSH, or HTTPS.
- Make sure the location of your Web server is secure: With physical access to the machine that hosts your Web site, an attacker’s job is much easier. He can simply power down the machine and interrupt your Web site. Most companies should be able to provide you with their own internal security policy that outlines what measures they take to ensure the physical security of their machines. Increased security is another advantage of using a Web hosting company.
- Update your virus definitions: Your anti-virus software relies on current virus definitions to do its job. If you don’t keep your definitions up to date, you may unknowingly spread a virus to your own Web server.
- Perform frequent backups of your site’s content: If malware infects your machine, your site’s content may be modified or destroyed. You should perform regular backups of the files you have on your site so that you can recover from such infections. Use external storage media such as CD-ROMs, tape or zip drives, or remote machines to back up your data. You can perform these backups manually or use backup software to do them automatically.
- Choose a Web hosting service with intrusion detection: A good Web hosting provider should have an Intrusion Detection System and a policy stating how it is used. Always look for this when shopping for a Web hosting service.
- Contact your Web hosting service if you suspect an intrusion: If you are using a Web hosting service and you suspect an intrusion, contact the Web hosting service provider. They may be able to help you identify the source of the attack and limit or prevent such attacks.
Settings
- Configure your Web server to enable additional logging: All Web server software packages provide a way to enable additional logging to monitor the connections to your Web server. Good items to log are remote IP addresses, date and time of connections, and the requested URLs. It is particularly important to log this information for any external program that is executed by the Web server.
- IIS: You can set Microsoft’s Internet Information Server to log additional properties through the Microsoft Management Console. Go to the Web Site tab and select the Properties button in the Logging Format section. We recommend logging Date, Time, Client IP Address, User Name, Service Name, Server IP, URI Query, Time Taken, User Agent, Cookie, and Referrer. Other properties may be useful depending on the content you serve.
- Apache: The default logging by Apache is quite good, but there are options which allow you to change the format or add information to each log entry. You can use the main Apache configuration file (httpd.conf) to enable more detailed logging. Apache provides ErrorLog and AccessLog directives that allow you to specify the location of each log. See Apache HTTP Server - Log Files or Apache HTTP Server Version 2.0 - Log Files (depending on which version of Apache you are using) for more detailed information.
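As an added example (not part of the original page): a short Python script that reads access-log lines carrying the fields recommended above (remote IP, date and time, requested URL) and summarises, per client, the requests that reached an external program. The log lines are constructed samples in Apache's combined format, and the rule for what counts as an external program (/cgi-bin/ or a .cgi, .pl or .php URL) is an assumption to adapt to your site.

```python
import re
from collections import defaultdict

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumption: external programs are reached through these URL patterns.
PROGRAM_RE = re.compile(r'^/cgi-bin/|\.(?:cgi|pl|php)(?:$|[/?])')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "POST /cgi-bin/register.cgi HTTP/1.1" 200 310 "http://example.org/join.html" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:06 +0000] "GET /cgi-bin/register.cgi?name=a HTTP/1.1" 500 0 "-" "-"
203.0.113.5 - alice [12/Mar/2024:10:02:00 +0000] "GET /admin/upload.php HTTP/1.1" 403 199 "-" "curl/8.0"
this line is truncated
"""

def parse_line(line):
    """Return a dict of logged fields, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def review(log_text):
    """Summarise requests to external programs per client IP."""
    report = defaultdict(lambda: {"requests": 0, "errors": 0, "urls": set()})
    unparsed = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            unparsed += 1          # count malformed lines instead of hiding them
            continue
        if PROGRAM_RE.search(entry["url"]):
            row = report[entry["ip"]]
            row["requests"] += 1
            row["errors"] += entry["status"][0] in "45"   # 4xx/5xx responses
            row["urls"].add(entry["url"].split("?")[0])
    return dict(report), unparsed

if __name__ == "__main__":
    summary, skipped = review(SAMPLE_LOG)
    for ip, row in sorted(summary.items()):
        print(ip, row["requests"], row["errors"], sorted(row["urls"]))
    print("unparsed lines:", skipped)
```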
Tools
- Anti-virus software: The popularity of the Microsoft Windows operating system makes it a prime target for hackers and other virus writers, so anti-virus software is crucial for users of this system. Anti-virus software works by identifying files that match definitions of known viruses and keeping them from infecting the system. Make sure that your virus definitions are kept up to date by automatically or manually downloading them from your software manufacturer's Web site. Do not install more than one anti-virus program because incompatibility issues between the programs may end up leaving your system unprotected.
Two popular anti-virus packages are Symantec’s Norton AntiVirus and McAfee AntiVirus. AVG, AntiVir and ClamWin are free alternatives. The major anti-virus programs, such as Symantec and McAfee, can protect against worms and Trojan horses as well as viruses.
PDA and mobile phone anti-virus applications normally interact with the full version on a PC and hold fewer virus definitions. New virus updates are automatically transferred from your desktop computer each time you synchronize your PDA. Therefore it is important to keep your desktop computer's anti-virus software updated and synchronize your PDA regularly. Some commonly used anti-virus packages are Trend Micro's PC-cillin for Wireless and Symantec AntiVirus for Windows Mobile.
- Firewall: A firewall is like a security guard for your computer that monitors the traffic into and out of your computer. A firewall is your first line of defense against intrusions, especially Trojan horses. One popular firewall is Symantec's Norton Personal Firewall. The Windows operating systems such as Windows XP and Windows Vista include a firewall that is turned on automatically. This built-in firewall is described in more detail on the Microsoft site.
- SSL certificates: Secure Sockets Layer (SSL) encryption keeps data from being intercepted when someone logs into a restricted part of your Web site or sends personal information through a form. When entering credit card information in an online form or visiting a secure area of a Web site you may have noticed a yellow or gold lock symbol on the bottom row of your browser window. This is a sign that SSL encryption is active and any data you send to the Web page should be secure.
SSL encryption has become the industry standard in security, so if you want to build an e-commerce site you should have an SSL certificate. This will reassure customers that their personal information is safe.
- Intrusion Detection Systems (IDS): An intrusion detection system can monitor your system and alert you to items that may indicate your system has been compromised. Most IDS monitor core system utilities to make sure that they are not modified. Some examples of IDS available online are Symantec Host IDS, Tripwire (Commercial), and Tripwire (Open Source, Linux-only).
Connect Safely from Different Places
Mobile
Always lock your mobile device when leaving it unattended: Mobile devices should be properly protected and should not be left unattended. Any malicious user can use the mobile device if it is not protected by a password or other security mechanisms. If your device is not protected by a password, you should always keep it with you.
Do not store sensitive data on your mobile device in clear text: Do not store account/password/credit card information on your mobile device unless you encrypt it. Encrypting applications (also called "digital wallets" or "wallets") store your private data in code, so that it is impossible for an attacker to read it. DataViz's Passwords Plus is a good wallet for Palm devices, while eWallet works for PocketPCs.
On the road
Using a public computer can leave you open to intrusions if intruders are able to get your user ID and password from the computer or resume an updating session that you have not properly logged out of.
Privacy Issues
If you keep information such as account numbers or passwords on your web server, intruders may be able to steal that information. If you are worried that someone has broken into your computer or Web server, contact your Internet Service Provider or Web hosting provider for help. You may also want to call the organizations you have accounts with to check for unusual activity or to change your password.