WEB So what steps can one take to prevent being hacked?

Discussion in 'OT Technology' started by Browning, Apr 16, 2008.

  1. Browning

    Browning Active Member

    Joined:
    Feb 14, 2005
    Messages:
    89,463
    Likes Received:
    10
    seeing smiliesftw get hacked is kinda :noes:

    Is there really anything one can do to prevent this?:o
     
  2. Pepsi1975

    Pepsi1975 Mod of the Year

    Joined:
    Jan 6, 2005
    Messages:
    47,590
    Likes Received:
    1
    Location:
    Detroit
damn this is the first I heard of smilies getting hacked
     
  3. Browning

    Browning Active Member

    Joined:
    Feb 14, 2005
    Messages:
    89,463
    Likes Received:
    10
    seen a couple threads about it in the main forum:sad2:
     
  4. Pepsi1975

    Pepsi1975 Mod of the Year

    Joined:
    Jan 6, 2005
    Messages:
    47,590
    Likes Received:
    1
    Location:
    Detroit
yeah after reading this, I did a search and read the one where you posted the Google link
     
  5. nubian

    nubian Active Member

    Joined:
    Aug 11, 2003
    Messages:
    27,761
    Likes Received:
    1
doesn't Jesse own it?

    ot isn't all that secure either.
anything humanly made can be humanly broken.
    there are ways of still viewing the main forums w/o having a sub you know. ;)
     
  6. Browning

    Browning Active Member

    Joined:
    Feb 14, 2005
    Messages:
    89,463
    Likes Received:
    10
  7. rwdftw

    rwdftw Guest

    easy
a) don't include this on your site
[IMG]
b) don't place the admin login on site.com/admin, make it some random combination of letters, and, like some moron startup this weekend, don't leave that area w/o a password.
c) don't use a short username or a short password (for example my password is 24 letters long, completely random, with #s, dashes and underscores).
d) for the admin logon, code it so that the person only gets 5 tries, with a 2 minute wait if they get it wrong, and a 1 hour ban if they don't get it after 5 tries. If a person gets banned for an hour, a report is filed with the admin with the IP.
e) never use unsecured networks to log in to your sites
f) have one separate computer that you use for the site, and nothing else on it. No games, no programs, no freeware. Only use that computer to go to your site admin and that's it.

but even then it can probably still get hacked... but at least you'll prevent most of the script kiddies.
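Point d) above is a concrete lockout policy, so here it is written out as a small login throttle: every wrong guess costs a 2-minute wait, the fifth wrong guess in a row turns into a 1-hour ban, and a ban files a report containing the source IP. This is an added example for this thread, not code from the poster or from any forum software; the credential check, the IP addresses, the secret and the in-memory per-IP table are all constructed for the demonstration.

```python
"""Admin-login throttle implementing the lockout policy described in the post above.
Added example with constructed data: the credential check, addresses and secret are stand-ins."""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

WAIT_AFTER_FAILURE = 2 * 60   # seconds a client must wait after one wrong guess
BAN_AFTER_FAILURES = 5        # consecutive wrong guesses that trigger a ban
BAN_DURATION = 60 * 60        # seconds the ban lasts


@dataclass
class ClientState:
    failures: int = 0           # consecutive wrong guesses since the last success or ban
    blocked_until: float = 0.0  # clock value before which every attempt is refused


class LoginThrottle:
    """Per-source-IP failure tracking, kept in process memory (assumed single process)."""

    def __init__(self, report: Callable[[str], None],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.report = report   # receives the ban report (e.g. mail or log line to the admin)
        self.clock = clock     # injectable so the scenario below runs without real waiting
        self.state: Dict[str, ClientState] = {}

    def attempt(self, ip: str, username: str, password: str,
                check_credentials: Callable[[str, str], bool]) -> Tuple[str, int]:
        """Returns (outcome, seconds); outcome is one of ok, wait, banned, blocked."""
        now = self.clock()
        st = self.state.setdefault(ip, ClientState())
        if now < st.blocked_until:
            # A wait or ban is in force: refuse without even evaluating the password.
            return ("blocked", int(round(st.blocked_until - now)))
        if check_credentials(username, password):
            self.state.pop(ip, None)  # a successful login clears the failure history
            return ("ok", 0)
        st.failures += 1
        if st.failures >= BAN_AFTER_FAILURES:
            st.blocked_until = now + BAN_DURATION
            st.failures = 0
            self.report(f"admin login banned for {BAN_DURATION // 60} min: ip={ip} user={username!r}")
            return ("banned", BAN_DURATION)
        st.blocked_until = now + WAIT_AFTER_FAILURE
        return ("wait", WAIT_AFTER_FAILURE)


class FakeClock:
    """Manually advanced clock so the demo runs instantly."""
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def check_credentials(username: str, password: str) -> bool:
    # Constructed stand-in for a real check (normally a password-hash verification).
    # compare_digest keeps the comparison time independent of where the strings differ.
    return username == "admin" and hmac.compare_digest(password, "constructed-demo-secret")


def demo() -> List:
    """Five wrong guesses from one address, then the right password during and after the ban."""
    clock, reports = FakeClock(), []
    throttle = LoginThrottle(reports.append, clock=clock.now)
    ip = "203.0.113.7"  # constructed source address
    outcomes = []
    for _ in range(5):
        outcomes.append(throttle.attempt(ip, "admin", "wrong", check_credentials)[0])
        clock.advance(WAIT_AFTER_FAILURE)  # the guesser waits out each 2-minute penalty
    outcomes.append(throttle.attempt(ip, "admin", "constructed-demo-secret", check_credentials)[0])
    clock.advance(BAN_DURATION)            # ban expires
    outcomes.append(throttle.attempt(ip, "admin", "constructed-demo-secret", check_credentials)[0])
    return outcomes + [len(reports)]


if __name__ == "__main__":
    print(demo())  # ['wait', 'wait', 'wait', 'wait', 'banned', 'blocked', 'ok', 1]
```

Keying the counter on the source IP alone has two well-known limits: everyone behind one office or carrier NAT shares a counter, and a guesser with many addresses gets a fresh counter per address. In practice the per-IP rule is paired with a per-account counter and a slow password hash, and the report callback is what makes the lockouts visible to whoever watches the logs.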
     
  8. Browning

    Browning Active Member

    Joined:
    Feb 14, 2005
    Messages:
    89,463
    Likes Received:
    10

    :bowdown:
     
  9. Limp_Brisket

    Limp_Brisket New Member

    Joined:
    Jan 2, 2006
    Messages:
    48,422
    Likes Received:
    0
    Location:
    Utah
    24 character password, holy shit.
     
  10. Logik

    Logik Livin la vida broka

    Joined:
    Jun 30, 2000
    Messages:
    20,667
    Likes Received:
    1
    Location:
    The Steel City
    what effect would including that have on site security?
    how about not having an admin panel at all? The .htaccess should be sufficient as long as an appropriate passwd is used. If the login is just a login form input screen, put an .htaccess over top of that.
14 mixed chars is sufficient. A proper 14 char passwd would take a brute force cracker app 154,640,721,434 millennia to guess. 24 chars is way overkill and impossible to remember. Also, pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters - like #@$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
    As stated before why even have an admin panel? Remember to lock down SSH, via iptables, to your home IP and block all other requests. A random bot searching servers for an open port 22 can be disastrous once you've been spotted... then that bot will try the common test accounts on your box (e.g., test/test123/t3Stacct).
    While this is true, we can safely assume that most in TWL aren't accessing their servers through a honeypot or man-in-the-middle attacks. It's a good practice, but not for everyone.
    This is just silly. Who the fuck would do this?
     
  11. kingtoad

    kingtoad OT Supporter

    Joined:
    Sep 2, 2003
    Messages:
    55,924
    Likes Received:
    11
    Location:
    Los Angeles
    lol
     
  12. rwdftw

    rwdftw Guest

it's a combination of 3 different passwords... so they do make sense... to me :p, to anyone else the letters would be gibberish.

it's kinda like a challenge. Oh hacker secure? Really? Let's find out
you have an admin panel, it's just not located at www.site.com/admin/. Why does it matter to you if you write that or write www.site.com/circlejerk/? No big deal for you, but you avoid script kiddies finding your login page and being tempted.

like I said to the other guy, it's not really random for me. It's 3 different passwords mixed together. But to anyone else it'll be gibberish, because each password is unique and is not an actual word you can find in a dictionary.
IP block is a good idea, if you only log in from home. But what happens when you need to log in from a conference? Or from an investor's office?

I'm mainly talking about logging in while you are sitting on someone else's wifi
Not really that silly considering how much junk there is on most PCs. Surely you can afford a $1000 PC dedicated entirely to your website management/database backup, if you are making any serious money. And there is that added security of knowing that you didn't download a keylogger or a virus, etc. or some trojan by playing that very funny youtube movie or that shareware version of software.

What's $1,000 compared to losing your entire business overnight because some hacker got into your site. + you have the security of knowing you have an offsite backup of the most important components.

Granted if you are some script kiddie making your money off affiliate links it's a little bit overboard, but if you are running any sort of business I think it's a good thing to have.
     
  13. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    i just can't help it.

    :rofl:
     
  14. biawokauns

    biawokauns New Member

    Joined:
    Sep 18, 2001
    Messages:
    19,893
    Likes Received:
    0
    Location:
    Republic of Kalifornia
    it's called :2001:
     
  15. Logik

    Logik Livin la vida broka

    Joined:
    Jun 30, 2000
    Messages:
    20,667
    Likes Received:
    1
    Location:
    The Steel City
    Let's just bullet some points

    • I've whitehat'd and blackhat'd for ~15 years and have never been teased or coaxed by a "Hacker Safe" image. Maybe the scriptkiddies would jump at that, but godaddy.com has something like that on their site.. whois gonna "hax" them?
    • 24 char passwd is bad advice. A good (mixed char/num/sym) 8 character passwd would take 2.10 centuries to brute force... so to your average TWL poster, this is more than enough. Personally, I'd recommend 13-14 chars just for that extra sense of "security."
• You can update iptables from any IP that is allowed. You can also add more than 1 IP.. home, office, mobile would work. If you expect to be at a certain building /office that day, add that IP. If you aren't sure what IP to add, then just SSH into an "allowed" box and update it from there.
• Most in TWL aren't big businesses, they are just kids trying to make a buck, thus they are not going to spend $500-$1000 on a separate PC for only logging into their site. That's just silly. Maybe Microsoft or Cisco could do this, but why? I have 3 PCs at my home each with its own purpose, and I use all of them to access my servers around the world. Am I worried about malware? NO.... because I am a responsible admin that is always certain that I do not have any. FYI, I don't run antivirus at all. and my only "firewall" is iptables combined with NAT.
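Posts #10 and #15 argue password length with three figures: 2.4 days for 8 lowercase characters, 2.1 centuries for 8 characters from the full printable set, and 154,640,721,434 millennia for 14 such characters. The script below is an added example, not the poster's own calculation, that reproduces those figures from the exhaustive-search formula alphabet_size ** length / guesses_per_second. The posts never state their inputs; the values that make all three numbers come out (1,000,000 guesses per second, the 95 printable ASCII characters as the "all possible characters" set, a 365-day year) are inferred here, and the 10,000,000,000 guesses-per-second figure used for contrast is an assumed illustrative rate for offline cracking of a fast unsalted hash, not something from the thread.

```python
"""Brute-force exhaustion times for the password sizes argued over in this thread.
Added example, not code from the thread. Inferred inputs (not stated by the posts):
1e6 guesses/s, 95 printable ASCII symbols and a 365-day year reproduce the posts'
2.4 days, 2.1 centuries and ~154,640,721,434 millennia."""
import string
from typing import Dict

LOWERCASE = string.ascii_lowercase                                             # 26 symbols
ALL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols
THREAD_RATE = 1e6    # guesses/second implied by the thread's figures (inferred, not stated)
FAST_RATE = 1e10     # assumed illustrative rate for offline cracking of a fast unsalted hash
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every string of `length` symbols over the alphabet is tried once.
    Holds only for uniformly random passwords; words glued together have a far smaller
    effective keyspace than their character count suggests."""
    return alphabet_size ** length / guesses_per_second


def millennia_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR / 1_000


def describe(seconds: float) -> str:
    """Render a duration in the units the thread used (days, years, centuries, millennia)."""
    years = seconds / SECONDS_PER_YEAR
    if years >= 1_000:
        return f"{years / 1_000:,.0f} millennia"
    if years >= 100:
        return f"{years / 100:.1f} centuries"
    if years >= 1:
        return f"{years:.1f} years"
    return f"{seconds / SECONDS_PER_DAY:.1f} days"


def thread_table(rate: float = THREAD_RATE) -> Dict[str, str]:
    """The cases the posts compare (plus the 24-char proposal), at the given guess rate."""
    return {
        "8 chars, lowercase only": describe(seconds_to_exhaust(len(LOWERCASE), 8, rate)),
        "8 chars, all printable": describe(seconds_to_exhaust(len(ALL_PRINTABLE), 8, rate)),
        "14 chars, all printable": describe(seconds_to_exhaust(len(ALL_PRINTABLE), 14, rate)),
        "24 chars, all printable": describe(seconds_to_exhaust(len(ALL_PRINTABLE), 24, rate)),
    }


if __name__ == "__main__":
    for label, rate in (("thread's implied rate", THREAD_RATE), ("assumed fast offline rate", FAST_RATE)):
        print(f"--- {rate:,.0f} guesses/s ({label})")
        for case, duration in thread_table(rate).items():
            print(f"{case:26s} {duration}")
```

Running it shows why the two posters can both be partly right: at the faster assumed rate the 8-character "2.1 centuries" collapses to about a week, while 14 random printable characters still take tens of millions of millennia, so length from a wide alphabet is what survives a better cracker. The formula also only applies to uniformly random passwords; a passphrase built from three memorable pieces, as described in post #12, has the keyspace of those pieces, not of its character count.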
     
  16. Jesse

    Jesse PSN: iamajesse; XBL: Inhale My Rod; G8 GT crew; Ne OT Supporter

    Joined:
    Jan 12, 2005
    Messages:
    25,649
    Likes Received:
    0
    Location:
    California :: (925)
[IMG]
     
  17. Logik

    Logik Livin la vida broka

    Joined:
    Jun 30, 2000
    Messages:
    20,667
    Likes Received:
    1
    Location:
    The Steel City
    lol.
     
  18. kingtoad

    kingtoad OT Supporter

    Joined:
    Sep 2, 2003
    Messages:
    55,924
    Likes Received:
    11
    Location:
    Los Angeles
    lol
     
