Thread: can you hack a site?

  1. #1
    Join Date
    13th January 2005 - 11:00
    Bike
    fire breathin ginja ninja
    Location
    Taka, Aucka
    Posts
    6,419

    can you hack a site?

    not that I want tips on how to do it, but on how to prevent it...
    I have an idea for a website, but it has to be more solid than granite. The modern Fort Knox of sites. Books can say so much, but take so long to say it. The real world is where the fun is, and the tips/learning.

    I know a little about SSL etc, and some protocols, but I want to start off in the right direction. Don't think this'll be my money saving grace, but I just want to see if the website will work.

    Oh, and don't ask what it's about, cos I don't want people stealing my ideas..

  2. #2
    Join Date
    22nd April 2004 - 15:31
    Bike
    GSX-R600K3
    Location
    lower hutt
    Posts
    852
    Quote Originally Posted by bugjuice
    not that I want tips on how to do it, but on how to prevent it...
    I have an idea for a website, but it has to be more solid than granite. The modern Fort Knox of sites. Books can say so much, but take so long to say it. The real world is where the fun is, and the tips/learning.

    I know a little about SSL etc, and some protocols, but I want to start off in the right direction. Don't think this'll be my money saving grace, but I just want to see if the website will work.

    Oh, and don't ask what it's about, cos I don't want people stealing my ideas..
    Can you give a bit more of an idea of what you are trying to do/need? i.e. static web pages, CGI scripts, PHP etc.

    Best start is with Apache (if you need something secure with lots of features, or a smaller, more secure web server if that's not needed), running in a chroot environment (makes the server think it's running just by itself on the computer).

    Is that what you are after?? Or do you want to know how to make the web pages themselves secure, etc.? If so I'll see what I can dig up for you.
    Life is difficult because it is non-linear.

  3. #3
    Join Date
    20th November 2002 - 11:00
    Bike
    SW-125R(F4-TF125), ZXRD400, RD250LC
    Location
    Wellington, New Zealand,
    Posts
    5,963
    Blog Entries
    36
    What's it all about? I kill me

    As dhunt says.

    I've put in a firewall to block all ports I don't want accessed (all but :80, say), then used .htaccess to secure the rest. Keep the updates up to date on the software that's installed.

    Is that enough? Or are we talking credit card numbers and passwords...

  4. #4
    Join Date
    3rd September 2004 - 12:00
    Bike
    2015 S1000RR
    Location
    Northland
    Posts
    1,205
    OK, give me all your credit cards details and I will keep them safe.
    The art of being wise is knowing what to overlook.

  5. #5
    Join Date
    14th February 2005 - 17:33
    Bike
    .
    Location
    Auckland
    Posts
    1,718
    Quote Originally Posted by Judderbar
    OK, give me all your credit cards details and I will keep them safe.
    lol

    I've put in a firewall to block all ports I don't want accessed (all but :80, say), then used .htaccess to secure the rest. Keep the updates up to date on the software that's installed.
    I'd agree with this, but for more random, probably-not-what-you-were-after stuff:
    If you want to make your code unavailable to be ripped off or looked at, look at Zend Optimizer (personally I hate it): http://www.zend.com/

    Or write your site with a server-side COBOL app to process the requests. lol

    If you're looking at something that might be defaced, I would just make sure you're not susceptible to the basic kiddie tools on the net. I've been defaced before because I had an FTP server on the same box that I didn't keep updated.
    (http://www.internetnews.com/dev-news....php/10_760451) I got the
    "f*** USA Government - f*** PoizonBOx" screen. Woot. I saved it somewhere too.

    Or,
    be super cool
    and set up the site,
    then post it on Slashdot.
    I think you would find out if it's unhackable pretty quickly. If you did that with a 'dummy' site you wouldn't lose your internet prowess but would learn how you were attacked (with a bit of research).

    But like skunk said, if you're talking customers' transactions then an SSL certificate ($300, by the way) would do the trick nice as.

    My flatmate is a god PHP programmer if you want to chat to him. (Yes, god is spelled with 1 o.)
    I only posted this because of the global economic crisis

  6. #6
    Join Date
    26th February 2005 - 15:10
    Bike
    Ubrfarter V Klunkn,ffwabbit,Petal,phoebe
    Location
    In the cave of Adullam
    Posts
    13,624
    Quote Originally Posted by pyrocam
    lol
    ..
    Or write your site with a server-side COBOL app to process the requests. lol
    ..
    W00t - COBOL. That would be really good, but only if you're getting a hell of a lot of traffic. Maybe 10,000 orders a day. Best language there is for high-volume stuff.
    Quote Originally Posted by skidmark
    This world has lost its drive, everybody just wants to fit in and be the norm, as it were.
    Quote Originally Posted by Phil Vincent
    The manufacturers go to a lot of trouble to find out what the average rider prefers, because the maker who guesses closest to the average preference gets the largest sales. But the average rider is mainly interested in silly (as opposed to useful) “goodies” to try to kid the public that he is riding a racer

  7. #7
    Join Date
    13th January 2005 - 11:00
    Bike
    fire breathin ginja ninja
    Location
    Taka, Aucka
    Posts
    6,419
    People will be entering data into it. I want to keep it secure (and no, not a scam for people's credit cards. That's the next site..). Not sure what route to take as I've only dabbled in static HTML and very little PHP.
    I don't know if I'd rent space, which might be dodgy, from someone like www.hostme.co.nz and let them deal with it, or host it from home on a dedicated Power Mac (OS X is Unix-based, comes with Apache preloaded) or something of the sort.. I don't expect a high volume of traffic through it, but still want it secure nonetheless.

  8. #8
    Join Date
    8th December 2004 - 11:00
    Bike
    Super Adventure 1290s, Bonnie T214
    Location
    Christchurchish
    Posts
    2,284
    I may be coming from the wrong angle on this - but are you looking for a secure connection from the person entering the data to the web server or just security of the data on the server?

    If it's a secure link you want then you could do worse than using a secure Virtual Private Network (VPN), otherwise referred to as secure tunnelling. The most cost-effective/secure and easiest way for a member of the public to achieve this is by using a Public Key Infrastructure (PKI) company. Basically the remote user and the site share a common encryption key, a unique cryptographic key.

    There are loads of companies out there that can supply a PKI solution. If you want an even more secure solution, then you're talking big money for something like a bulk IP encryptor.
    This week's international insult is in Malayalam:

    Thavalayolee
    You Frog Fucker

  9. #9
    Join Date
    14th February 2005 - 17:33
    Bike
    .
    Location
    Auckland
    Posts
    1,718
    I've PM'd you,
    but basically SQL and some simple PHP code will keep everything hunky-dory.
    I only posted this because of the global economic crisis

  10. #10
    Join Date
    20th November 2002 - 11:00
    Bike
    SW-125R(F4-TF125), ZXRD400, RD250LC
    Location
    Wellington, New Zealand,
    Posts
    5,963
    Blog Entries
    36
    Quote Originally Posted by bugjuice
    I don't know if I'd rent space, which might be dodgy, from someone like www.hostme.co.nz and let them deal with it, or host it from home on a dedicated Power Mac (OS X is Unix-based, comes with Apache preloaded) or something of the sort.. I don't expect a high volume of traffic through it, but still want it secure nonetheless.
    Mine is on an old BW G3. It's fast enough; the cable connection isn't (128k).
    Apache, PHP, MySQL, Dyndns.org. All free. Up to you to secure it. I use Webloc (a System Preferences pane) [OSXers will know what that is].

  11. #11
    Join Date
    13th January 2005 - 11:00
    Bike
    fire breathin ginja ninja
    Location
    Taka, Aucka
    Posts
    6,419
    I want the data being sent to the server to be secure, and the server itself to be solid. I have other 'security' measures in mind, to ensure that the person logging on is that person, but that isn't anything to do with people hacking into the server to extract the gold.

    Pyro, thanks. Replied.

    Skunk - nice dude..

  12. #12
    Join Date
    2nd February 2004 - 12:12
    Bike
    '07 GSX750F
    Location
    Auckland
    Posts
    373
    If you are taking CC numbers from people there are a number of options for that to be done without that information needing to be disclosed directly. There are third-party companies that can handle that for you, i.e. customer A is redirected to the third-party company's secure screen. The third party then sends you an email with order information and a ref number. Log onto the third party's site for the CC number. Downside is that it is not real-time, and you still have to process the orders yourself and handle the CC transaction. (This is what we use at work for internet orders.)

    If you have a need for a live database, then PHP using MySQL all on top of an Apache server somewhere is what I would use. As to extra security, I have no real idea.
    Speed limits are just a suggestion, like pants.

  13. #13
    Join Date
    13th January 2005 - 11:00
    Bike
    fire breathin ginja ninja
    Location
    Taka, Aucka
    Posts
    6,419
    Quote Originally Posted by Wonko
    If you are taking CC numbers from people there are a number of options for that to be done without that information needing to be disclosed directly. There are third-party companies that can handle that for you, i.e. customer A is redirected to the third-party company's secure screen. The third party then sends you an email with order information and a ref number. Log onto the third party's site for the CC number. Downside is that it is not real-time, and you still have to process the orders yourself and handle the CC transaction. (This is what we use at work for internet orders.)

    If you have a need for a live database, then PHP using MySQL all on top of an Apache server somewhere is what I would use. As to extra security, I have no real idea.
    Hey Wonko, not seen you around for a wee bit!
    There may be some CC transactions taking place, but the data entered into the site is just as sensitive, although it wouldn't involve all the bank crap that goes with CC transactions.
    As for the extra security, it was an idea like TradeMe's address verification system, where you are sent a letter and you have to go to the address on the letter and re-enter details etc. to verify. Not thoroughly thought through, but the gist is there..

  14. #14
    Join Date
    22nd April 2004 - 15:31
    Bike
    GSX-R600K3
    Location
    lower hutt
    Posts
    852
    Quote Originally Posted by bugjuice
    I want the data being sent to the server to be secure, and the server itself to be solid. I have other 'security' measures in mind, to ensure that the person logging on is that person, but that isn't anything to do with people hacking into the server to extract the gold.

    Pyro, thanks. Replied.

    Skunk - nice dude..
    SSL encryption between client and server helps protect the channel. Then run Apache (preferably in a chroot environment) and PHP & MySQL (with only local access).

    Basically, the main issues you will have to deal with are buffer overflows, which allow local access to the computer, and making sure your authentication method is secure/not open to brute force.
    Life is difficult because it is non-linear.
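A worked version of the advice in #9 and #14 (simple PHP + SQL, MySQL reachable only from the local box, a login step that is not open to brute force), as an added example that is not code posted by anyone in this thread. The `users` table and its column names, the lockout numbers and the sample credentials are all my assumptions; the stand-alone demo runs against an in-memory SQLite database so it works without a server, while in production the same PDO code would use a DSN pointing at a MySQL bound to 127.0.0.1.

```php
<?php
// Added example for this thread, not code from any of the posts.
// Assumed schema (table and column names are my invention):
//   users(id, username, password_hash, failed_attempts, locked_until)
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;    // failures before the account locks
const LOCKOUT_SECONDS = 900;  // how long a lock lasts

// The channel: true only when the request actually arrived over TLS, so the
// page can refuse to accept credentials over plain HTTP.
function require_https(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// The database: one PDO handle. Production would pass something like
// 'mysql:host=127.0.0.1;dbname=site' with MySQL listening on localhost only
// (the "only local access" point). Default is in-memory SQLite for the demo.
function open_db(string $dsn = 'sqlite::memory:', ?string $user = null, ?string $pass = null): PDO
{
    $db = new PDO($dsn, $user, $pass);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $db;
}

function create_schema(PDO $db): void   // SQLite flavour of the assumed table
{
    $db->exec('CREATE TABLE IF NOT EXISTS users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        locked_until INTEGER NOT NULL DEFAULT 0)');
}

// Store a salted, deliberately slow hash; never the password itself.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// The login check. Three things make this the "secure/not open to brute
// force" version rather than the naive string-built query:
//  * the username is a bound parameter, so "admin' --" is data, not SQL;
//  * password_verify() compares against the stored hash in constant time;
//  * failures are counted per account and the account locks after
//    MAX_ATTEMPTS, so online guessing stalls after a handful of tries.
function login(PDO $db, string $username, string $password, int $now): bool
{
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, password_hash, failed_attempts, locked_until
                          FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend a hash so response time does not reveal
        // which usernames exist.
        password_verify($password, $dummy_hash);
        return false;
    }
    if ((int) $row['locked_until'] > $now) {
        return false;  // locked out; do not even test the password
    }
    if (password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = 0 WHERE id = ?')
           ->execute([$row['id']]);
        return true;
    }
    $failed = (int) $row['failed_attempts'] + 1;
    $lock   = $failed >= MAX_ATTEMPTS ? $now + LOCKOUT_SECONDS : 0;
    $db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE id = ?')
       ->execute([$failed, $lock, $row['id']]);
    return false;
}

// When served by Apache: bail out before touching credentials unless TLS is on.
if (PHP_SAPI !== 'cli' && !require_https($_SERVER)) {
    http_response_code(403);
    exit('Credentials are accepted over HTTPS only.');
}

// Stand-alone demo (php login.php): right password, five wrong guesses,
// the right password again while locked, then again after the lock expires.
if (PHP_SAPI === 'cli') {
    $db = open_db();
    create_schema($db);
    register($db, 'alice', 'correct horse battery staple');   // constructed sample user
    $t = time();
    var_dump(login($db, 'alice', 'correct horse battery staple', $t));
    for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
        login($db, 'alice', 'guess' . $i, $t);
    }
    var_dump(login($db, 'alice', 'correct horse battery staple', $t));
    var_dump(login($db, 'alice', 'correct horse battery staple', $t + LOCKOUT_SECONDS + 1));
}
```

Run from the command line the demo dumps true, then false (the correct password is refused because five failures locked the account), then true once the lockout window has passed. The lockout is per account, so it also needs a per-source-address limit in front of it (in the firewall or web server) or an attacker can use it to lock legitimate users out; that part is left to skunk's firewall layer.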
