projects

FTP and Website Security

Web Dimensions, Inc. — Fri, 04 Feb 2011 02:34:51 GMT

Is your website getting hacked? Do you find strange files in your webroot directory that say things like H/\C|<@d by <hacker-name/> ? Do you find that folders on your website are suddenly full of files named index.html, index.htm, index.php, index.gi, index.asp, index.aspx and other index pages with any other file extension, all which read H/\C|<@d by <hacker-name/> ? You've been hacked!

Check to see if you have ftp running on your machine. If so, you should try logging into your own machine by ftp and see what you can do on it. If you know your way around ftp, (cd = change directory; put = copy file; dir=get directory listing; lcd = change directory on local machine, etc.) you should try to be able to see how far you can navigate in the file system on the computer you've logged into. If you can get into anything important, chances are the outside world can do the same thing. And if you can copy a file into an important area of the computer you've logged into, then you know that computer is compromised. What you might not realise is that there are thousands of "script kiddies" out there running programs that can figure out passwords just by trying them all on unsuspecting servers who have left ftp open for some innocent reason, like letting developers in to work on the website.

If you don't have your ftp acces set up correctly, you are asking for trouble. One of the most important ways to tighten up on your ftp is to first, limit the amount of user accounts who are dedicated to ftp. In fact, it is said that the most secure way of running ftp is to allow anonymous ftp to an isolated directory on a virtual path the server and give 'anonymous' full access to that folder, but nowhere else on the computer. That way, you allow the world to do what it wants for free, but the rest of your server is completely protected. However, that doesn't solve the problem of needing to have developers get access to the web files. So how do you allow that, without letting the whole world in, too?

Well, there are a number of approaches to securing an ftp site. The first, as I wrote, is user access. Start with creating one new account on your system to use ftp. When creating the user, avoid names like "Admin" "Administrator" "ServerAdmin" "ftpuser" and the like. Those names are the first ones the hackers try, let's use some common sense here. Make sure that user has a STRONG password. Not your pet's name, not your birthdate, not your favorite color or 123456. It has to be at least seven characters in lenght, with both upper case and lower case letters, some numbers, and some symbols like *&^%$#@+

Then set up one folder on your computer as the ftp parent folder, and grant access for that one user to that one folder. Make sure that folder is not a parent folder to something else on your machine -- like don't set it up over the webroot, or developer code, or any other sensitive content that you don't want people to have access to, make sure it is completely empty of all files and folders. Then set up that folder as your virtual ftp root directory using the IIS Admin console or Apache configuration or whatever it is that you use, so this folder becomes the "landing area" of anyone logging in via ftp. If set up correctly, the ftp will not allow a user to change to the parent directory from this level, but they may have access to folders beneath this level -- that means they can see all physical folders in the filesystem that are contained in that folder. That's why you want this folder completely empty. If set up correctly, however, they cannot see virtual paths that you create in the admin console. So if you set up the ftp service correctly, the ftp login can see no subfolders beneath them, and cannot change to the directory above, so if they don't know the name of the virtual path, they will not be able to get to it. These virtual paths can point to any folder on your system and they can have any name you give them. The stronger-named the path, the more difficult it will be for any hacker that manages to get your login credentials to get any further in your system.

To sum up, limited users, strong passwords, a well-designed ftp root with strongly-named virtual directories make it more difficult for hackers to get into your system, as they will have to crack the path name as well as the user name and password. The approach described above is always the best way to set up ftp. Our sysdamins and IT architects here at Web Dimensions, Inc. always ALWAYS set up ftp this way if it is necessary. You should never EVER have an ftp root set directly onto an important area like your webroot. This is just like inviting someone to hack you every day.

Actually, the very best way to protect your website -- and this is what we actually do here at Web Dimensions, Inc. -- is to have a LAN-WAN-based firewall with a router programmed to let certain fixed ip addresses route in on certain selected ports, and block all other ports for all other ip addresses, except port 80 for website requests and possibly port 25 for smtp mail requests for your public traffic. Most applications have a way of doing things through port 80 http protocols nowadays, or if they don't, we can write an app for that pretty easily. The point is, if all ports except http are blocked for everyone except certain ip addresses, then you will never EVER have a problem with this kind of hacker (of course unless you leave some other route exposed).

Tags:

ftp

security

system administration

isp

Examples of our Work

Web Dimensions, Inc. — Wed, 12 Jan 2011 21:23:03 GMT

Welcome to Web Dimensions, Inc.

Here are some links to current projects and maintained websites:

http://www.crew.camperandnicholsons.com

http://www.miamimusicproducer.com

http://www.vancouvermusicproducer.com

http://www.beatsfordays.com (just under construction but halfway decent graphics)

http://www.webdimensions.biz ecommerce site

http://www.elisasintjago.com artist website

http://www.jessejonesjr.com artist e-marketing site

http://www.captainjarvis.com artist website

http://www.funkatology.com record company website

http://www.stringpuller.net artist website

http://www.webdimensions.org internet solutions company

We are ready, willing and able to assist you on the web for your internet presence. Please call us today at (305) 490-5338

Please view our summary of qualifications here.

Your Web Presence -- Are You At Sea in a World of Unclear Options?

Web Dimensions, Inc. — Wed, 05 Aug 2009 21:19:48 GMT

If you are trying to establish a web presence for the first time, and you are not some kind of computer expert (who the heck is? well -- we are, but that part comes later) then you are in a very vulnerable position, not knowing whom to trust and/or whom to hire to manage your most important web-based business. Often, what ends up happening is that the small business owner ends up being hoodwinked by the web designer who masquerades as a system administrator and web manager, when you find out later you don't really own your own domain name and your artist or web designer -- who is the only one with access to those files which cost you so much money -- has flown the coop, with the password. We have seen these scenarios play out again and again.

We here at Web Dimensions, Inc. recognize that one of the most important aspects of our job (aside from the high-availability hosting, offsite backups and 24 hour-a-day monitoring of your websites) is client education. And I don't mean pedantic lecturing about this or that. What I mean by this is that we want each one of our clients to know how to protect themselves, how to own their own domain name if they wish to, and generally how to be the ones driving this bus that is their own company's internet presence. As your web hosting company, system administrator, application designer, and overall caretaker of your website, we feel that it serves everyone's interest that the client have some knowledge of the ins and outs of this business -- your internet business.

So call us today at 305 490 5338 or click here to send us an email to find out how to establish an effective internet presence, or to get answers on how to effectively manage your current web solution. You will find we have some very intelligent observations to share with you which will usually result in your getting further ahead in your goals on the internet. In the current economic climate, we can't afford to jack up your prices. I guarantee that I will do everything within my power to provide you with a cost effective quote for your needs that fits well within your pre-allotted budget.

Hugh J. Hitchcock
CEO, Web Dimensions, Inc.

Who Are Our Clients?

Web Dimensions, Inc. — Tue, 28 Jul 2009 20:01:47 GMT

We have served many large-stream companies. Our main client from 1996 until 2009 has been Camper and Nicholsons International, where we handled web and database design and integration, system administration, web hosting, and application design and support for over 12 years. Please call us at 305 490 5338 if we can help you.

A bit about our history: our chief software architect was commissioned to create a cutting-edge document transcription program integrating Dragon Naturally Speaking voice recognition software with a medical database in 1998 for 21st Century Eloquence. That program can be found at http://www.eloquentlystated.com . He also worked at Microsoft as a contracted developer in 2000 where he worked for msn.com creating back-end database web GUIs. He helped develop a successful online travel website at www.1st-air.com in 1999, also assisting www.public-works.com in their many online projects over the years.

The following websites have utilised our consulting services: