Many people want to host their own website, be it a personal site or one for a business, and they don't want to use a free website space. They'd rather have it look more professional and have its own domain name, such as www.******.com instead of www.geocities.com/~ankitjain/. In this kind of situation, you must pay a company to host your website so it can be available on the internet for all to see and use.
There are a few types of website hosting options, and the most common ones are dedicated and shared. A dedicated server is a machine that is yours alone, the entire machine. You can put on there what you like and manage it how you like; the company just charges you for the space it occupies and the bandwidth it uses. For most, the cost of a dedicated server (managed or not) is often too high. It also requires technical knowledge far beyond the norm, and most people don't have the time or the skill set, so many opt for shared hosting.
With shared hosting, you don't get the entire machine to yourself; you share it with other websites (hence the name). Moreover, you may even share the same IP address, which is fine for most people's needs. The web server can use the same IP address for multiple sites because it knows how to map your domain to the correct location, and not to the location of some other person's site on that same IP. A shared hosting solution also comes with the added benefit that the server is managed by the company you buy it from. You don't need to worry about software updates, deleting old log files, or account changes. They do all of that for you.
So, there you go. That is the technical explanation of shared hosting. Still confused? Basically, it's a situation where your website and dozens of others are all placed on the same machine, sharing its hard drive space, bandwidth, and most often, its IP address. The account is very basic and managed by the company you buy it from, unlike a dedicated server.
Shared hosting is great for small companies or personal websites (like this one, www.******.com) and is very affordable. Shared hosting often costs anywhere from $8.95 to $39.95 depending on the features. As time goes by, companies offer more and more features at cheaper prices so those prices may change, but they generally hover in that area. (This article is mostly about shared hosting, but for those who care, dedicated hosting can cost anywhere from $60 to $500.)
A shared hosting provider should offer the most basic of services, such as email accounts, visitor/hit statistics, a control panel, SPAM filters, FTP access, and possibly file management via a web browser. As more and more companies enter the arena, more and more choices and features will become available. Some even offer database capabilities, ssh or telnet logins, webmail access, and other advanced features.
With so many options, it's easy to see that the hunt for a shared hosting company can be daunting. But it's in your best interest to shop around. Some require you to sign up for an entire year, others charge on a monthly basis. Some aren't as user friendly, others are. So, make sure you know what you want before you start looking and have a price range in mind. Below I list some of the better shared hosting companies I have found, or used in the past:
A2 Hosting - http://www.a2hosting.com/
iPowerWeb - http://www.ipowerweb.com/
DreamHost - http://www.dreamhost.com/
Lunarpages - http://www.lunarpages.com/
Some basic features you need to focus on are:
How many email accounts do I get? (10? 50? 100? Unlimited?)
What server log reporting tools do they offer? (Analog? Webalizer? AwStats?)
Do they offer free SPAM filtering?
What are the monthly data transfer limits? (10gig, 20?)
How much website space do I get? (100gig? 50?)
Does webmail access come with it?
Do I get FTP access so I can upload my website and other files?
How do I manage my account, is there a control panel?
Is the billing monthly, or annual?
Once you have found one that suits your needs, you will need to buy a domain name or have your current domain name pointed to the new server. The hosting company will help you with that part; often they have documentation at their website explaining the process. It generally takes 24 to 48 hours for a new domain name to change name servers across the entire internet, at which time your site will be visible at its new server.
Sunday, September 16, 2007
The Basic Tips
If you are developing a web-based system whereby a user, or users, are logging in and staying logged in (sessions, cookies), the following ideas are written with you in mind. Making sure your authentication and authorization schemes are secure is going to be part of your task. All of those things fall under the umbrella term: security. Any competent, security conscious person should already know that most intrusions/attacks are undertaken as follows:
1. Social Engineering (conning)
2. An inside job, by an employee or trusted person
What it all means is that nothing is stopping one of your users from choosing an easy password, sharing it with others, or leaving themselves logged in as they step away from the machine. Nor can you completely stop an employee from misusing your internal system. However, it behooves you to implement the most basic security measures in your programming, in this case, website programming. That is why I have written this article.
Some Basic Rules
Rule #1 - Nothing is totally secure. Break-ins and compromises are inevitable.
Rule #2 - Segment your system/software in order to diminish the damage from said compromise.
Rule #3 - Log as much as you can.
Rule #4 - Never trust user input.
My definition of security
Slowing down an attacker long enough to capture them, and/or fix the security holes, while at the same time safeguarding a system that is segmented in order to lessen the degree of damage during a successful attack. In other words, make a system that is designed for security and defense and that facilitates recovery from attack. (Think like kevlar, not concrete: be flexible, absorb attack, recover and respond.)
Basic Security Methods
The following should be in place in your system, as a minimum.
1. Usernames and passwords should be 6 characters long, or more. Go for 8 or more characters to be safer.
2. In the event of login failure, be very uncooperative
Tell the user "Your login attempt was unsuccessful", not "Your password was missing the letter x" or "Your username is not in our system". Give very few leads as to why the login failed. They only serve to help intruders.
3. Handle errors gracefully
Place the ampersat symbol (@) in front of many of your PHP function calls. If they fail, the ampersat will stop that failure from showing in the browser window. This is very useful when making database calls but your database is down, or the SQL statement returns an error. Such messages would only give feedback to intruders, or look unprofessional to regular users.
Example: $variable = @function_name($parameter);
4. Passwords in the user account table of your database must be stored as a one-way hash (SHA-256 or higher)
That way, if someone were to somehow gain access to the database itself and view all of the user accounts, they would be able to see usernames, but not plain text passwords. Unless they changed the password, which would alert the user once they realized they couldn't log in, or they tried to crack the hashed password (possible, but hard), they would have no way of using their newly found information. To accomplish this, the "password" field in your SQL database should hold the hashed string. Before you compare the user input password to the one stored in the database, use the PHP hash functions to hash it.
Example: $encrypted = @hash("sha256", $password);
5. Create a different area for administrators/webmasters to log in at and use
If your users log in at http://www.site.com/access/, then create a different folder and set of code for the administrators to log in at, something like http://www.site.com/master/. Now, I do not mean that this is for "power users" or "managers"; I really mean you, the main site webmaster, when I say administrators. Put your login code and other PHP code in that separate folder, and name it something odd instead of "admin" or "root". Make it non-obvious.
6. Log the total number of logins for each user, as well as the date/time of their last login
Logging the total is just a good indicator, and *may* be useful for security purposes depending on your system. Keeping track of their last login is very useful in the event that someone logged in using their account, without permission. You now know the time it happened, and if you log the date/time of any changes in your database and by whom, you can track what that intruder did while logged in. In order to accomplish the above, the user account table in your SQL database should have three extra fields:
Logincount of type INTEGER
Lastlogin of type TIMESTAMP (or datetime)
Thislogin of type TIMESTAMP (or datetime)
When the user logs in, in PHP, update that user's information in the database by incrementing their login count and by getting the timestamp using PHP's built-in date() function. After successful login, first transfer the info stored in 'Thislogin' to the 'Lastlogin' field, and then insert the new date/time into 'Thislogin'.
7. Strip backslashes, HTML, SQL and PHP tags from any form field data
If someone maliciously tries to send HTML, SQL or PHP code through a text field entry not meant to expect it, they can disrupt or break your code. An example of an attack this is meant to help stop is the SQL Injection attack. Use the following PHP functions to strip out such text: strip_tags(), str_replace() and stripslashes()
Example: $username = @strip_tags($login);
Example: $username = @stripslashes($login);
8. Use $_POST not $_REQUEST
If your HTML form uses POST to send the data to the login script, then make sure your login script gets the input data using $_POST, and not $_REQUEST. The latter would allow someone to pass data via GET, on the end of the URL string.
9. In general, limit user access according to their role
Design your system to give users specific layers, or subsets of access. Not everyone needs to be all powerful, nor all knowing. Use the Unix group idea as your starting point: classify users and give them features based on that. If you have a system with multiple users who have different roles, give them functionality based on those roles. Accountants, and only accountants, can see financial data, not warehouse inventory or much else. The person at the cash register can enter a sale, but not delete it. That is a manager's job, and needs override permission. Etc.
Conclusion
You should now have a somewhat complete picture of what can be done to create a secure, login-based site. Most of what I have discussed refers to programming, and your code. I have not discussed the finer points of security, which I briefly mentioned at the introduction and have to do with our most human failings. Outside of the scope of this article are additional security measures such as requiring your users to choose non-obvious passwords, forcing users to change passwords every 30 to 90 days, training them not to give out their password over the phone, and so on. Always keep in mind, security is meant to slow down an attack enough for you to capture the intruder, or fend them off and then correct the security hole. If you think your site is 100% intruder proof, think again.
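
As an added example (not code from the original article), the login handler below applies items 2, 3, 4, 6 and 8 of the list together. It assumes PDO with the SQLite driver and a hypothetical `users` table and `attempt_login()` function; it swaps the single SHA-256 call of item 4 for PHP's password_hash()/password_verify(), which salt each hash and are deliberately slow to compute, and it uses try/catch with error_log() in place of the @ operator so failures stay out of the browser but still reach the log.

```php
<?php
// Added example; the in-memory SQLite database and the account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL,
    Logincount INTEGER NOT NULL DEFAULT 0, Lastlogin TEXT, Thislogin TEXT)');
// Item 4: store a salted, slow hash instead of the password itself.
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);
const LOGIN_FAILED = 'Your login attempt was unsuccessful';

/** Returns [true, login-tracking row] on success, [false, LOGIN_FAILED] otherwise. */
function attempt_login(PDO $db, array $post): array
{
    // Item 8: the caller passes $_POST, never $_REQUEST.
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password)) {
        return [false, LOGIN_FAILED];
    }
    try {
        // Bound parameters keep user input as data, never as SQL text.
        $q = $db->prepare('SELECT password FROM users WHERE username = ?');
        $q->execute([$username]);
        $hash = $q->fetchColumn();
        // Item 2: unknown user and wrong password get the same message.
        if ($hash === false || !password_verify($password, $hash)) {
            error_log('login failed for ' . json_encode($username)); // Rule #3
            return [false, LOGIN_FAILED];
        }
        // Item 6: move Thislogin into Lastlogin, then stamp the new login.
        $u = $db->prepare('UPDATE users SET Logincount = Logincount + 1,
            Lastlogin = Thislogin, Thislogin = ? WHERE username = ?');
        $u->execute([date('Y-m-d H:i:s'), $username]);
        $r = $db->prepare('SELECT Logincount, Lastlogin, Thislogin FROM users WHERE username = ?');
        $r->execute([$username]);
        return [true, $r->fetch(PDO::FETCH_ASSOC)];
    } catch (PDOException $e) {
        // Item 3: details go to the server log; the visitor learns nothing new.
        error_log('login error: ' . $e->getMessage());
        return [false, LOGIN_FAILED];
    }
}

// Constructed requests standing in for $_POST.
$tries = [
    ['username' => 'alice',   'password' => 'correct horse battery'],
    ['username' => 'alice',   'password' => 'wrong guess'],
    ['username' => "o'brien", 'password' => 'anything'],
];
foreach ($tries as $post) {
    [$ok, $result] = attempt_login($db, $post);
    echo $ok ? "OK, login #{$result['Logincount']}\n" : $result . "\n";
}
```

The username containing a quote character passes through the bound parameter as plain data, so the query needs no stripping or escaping to stay well-formed.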