Results 1 to 25 of 33
  1. #1
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164

    Website Security

    Any IT Security wizards on here that can answer a few questions?

    If you have several websites (that are based on US servers) which are getting hacked maliciously regularly and want to change the whole set-up to be more secure - what is the cheapest and simplest way?

    Get your own server?

    If in Thailand would you rent directly from TOT/True or buy one and run it from home?

    If using Joomla and Virtuemart, what are the most essential security settings in the back end that you must select to secure the site?

    If anyone can recommend any good online info resources or remote co's that are good and reasonably priced and can help - I'd appreciate the info - cheers.

  2. #2
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    Quote Originally Posted by Albert Shagnastier
    If you have several websites (that are based on US servers) which are getting hacked maliciously regularly and want to change the whole set-up to be more secure - what is the cheapest and simplest way?
    it's not going to be cheap. Securing a server hard is feasible, the question is how far you want to go. When obvious security holes are there, you have all the kids trying their intrusion script. If your security is strong, much harder for the kids and they give up easily. If your website has no intrinsic value or doesn't store valuable information, skilled hackers won't bother, hence you are safe. If you have a high profile website, then you will need serious help and that can cost quite a lot to have real experts and tools to secure all your website traffic.

    Quote Originally Posted by Albert Shagnastier
    Get your own server?
    you could, but if you have no clue on securing a server, it won't be safe even if you own it.

    Quote Originally Posted by Albert Shagnastier
    If in Thailand would you rent directly from TOT/True or buy one and run it from home?
    not really feasible and more prone to hacking IMO,

  3. #3
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    Quote Originally Posted by Albert Shagnastier
    If anyone can recommend any good online info resources or remote co's that are good and reasonably priced and can help - I'd appreciate the info - cheers.
    define reasonably priced ? you won't find all the answers online. These skills are learned on the job and the know-how is often not shared.

    Basically you are fucked and need to find a reliable hosting company that can secure servers, not the cheap co-host for 15 USD per year

  4. #4
    Thailand Expat Jesus Jones's Avatar
    Join Date
    Aug 2008
    Last Online
    22-09-2017 @ 11:00 AM
    Posts
    6,950
    Joomla forum would be the best place to ask i think.

  5. #5
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    When I had to secure my server farm, a quick audit cost me about 10,000 USD for about 25 hosts. Then I had the experts draw me a security plan and implement it. That was another 15,000 USD for the farm.

    if it's one small website with Joomla and Virtuemart, you are dealing with "no value" assets so basically, good basic measures need to be implemented, like password patterns etc...

  6. #6
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    if you are suffering from DoS attacks, then make sure to take the anti-DoS option from your hosting company, it's usually another 20 USD per host per year

  7. #7
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by Butterfly
    you could, but if you have no clue on securing a server, it won't be safe even if you own it.
    Ok. So if I get a server here and pay a local security expert to maintain it this could work right?

    What sort of cost per site (joomla/virtuemart/50 or so products) (one off at the beginning and then monthly via retainer) would you guesstimate?

    And how much if you use a reliable western company?




    Quote Originally Posted by Jesus Jones
    Joomla forum would be the best place to ask i think.
    I don't have the time to learn the skills unfortunately so will have to sub the work out.

  8. #8
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    Quote Originally Posted by Albert Shagnastier
    Ok. So if I get a server here and pay a local security expert to maintain it this could work right?

    What sort of cost per site (joomla/virtuemart/50 or so products) (one off at the beginning and then monthly via retainer) would you guesstimate?

    And how much if you use a reliable western company?
    I could get you a secure server on European hosts with an annual contract for about 6,000 EUR per year. That would be a professional contract.

    Your company will need to be a real business, not some dodgy personal one.

  9. #9
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    Quote Originally Posted by Albert Shagnastier
    which are getting hacked maliciously regularly
    can you define the type of malicious hacking you are suffering from ? defacing ? DoS ? Zombie Takeover ? Spambot ?

  10. #10
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by Butterfly
    When I had to secure my server farm, a quick audit cost me about 10,000 USD for about 25 hosts. Then I had the experts draw me a security plan and implement it. That was another 15,000 USD for the farm. if it's one small website with Joomla and Virtuemart, you are dealing with "no value" assets so basically, good basic measures need to be implemented, like password patterns etc...
    It's on the lowest level moneywise but still... doing my nut.

    As I just replied to JJ - I don't have the time to learn the skills. Basically, I can do the sites 90% myself. For the 10% I've used freelancers of freelancerdotcom - I think that's where the trouble started.

    So I need to get a server (secure) and rebuild the sites from scratch alone and then pay someone a (relatively small I hope) fee just to have a check if something goes wrong?

  11. #11
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by Butterfly View Post
    Quote Originally Posted by Albert Shagnastier
    which are getting hacked maliciously regularly
    can you define the type of malicious hacking you are suffering from ? defacing ? DoS ? Zombie Takeover ? Spambot ?
    Again - don't know enough about this area to comment really but emails hacked/passwords changed and yesterday my server shut down one of the sites saying it was sending out millions of spam emails. Could be cloaking/re-directing etc.

  12. #12
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    then you are fucked, I suggest you shut down everything, if revenues are small, less than 5000 USD per year, not worth it

    Securing is expensive,

    of course if your time is not worth much, then learning is the way

    is it Windows or Unix based ?

  13. #13
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by Butterfly
    I could get you a secure server on European hosts with an annual contract for about 6,000 EUR per year. That would be a professional contract.
    Nothing like that mate, just simple/smallscale 3/4 sites using joomla/virtuemart with standard off the shelf templates. Payment through paypal.

  14. #14
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    Quote Originally Posted by Albert Shagnastier
    rebuild the sites from scratch alone and then pay someone a (relatively small I hope) fee
    nobody serious is going to bother with your website if you can't pay them anything. What is your definition of a small fee ? if it's only a few hundreds, then you will get students or Indians that will sell your info on the "blackmarket" once they have "secured" the server.

    Your best chance is to use a serious personal hosting company, not a co-host, with a small managed contract, could be about 100 USD per month. Not sure you will get much from them at that price, but you could try.

    Using Freelance_com is asking for trouble, above all when you give them direct access to your servers to fix things. A big no-no in security compliance or security guidelines. Never give a password to a third party.

  15. #15
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by Butterfly View Post
    then you are fucked, I suggest you shut down everything, if revenues are small, less than 5000 USD per year, not worth it

    Securing is expensive,

    of course if your time is not worth much, then learning is the way

    is it Windows or Unix based ?
    windows

    Maybe like you say I should just shut them down and sell through ebay instead. Let them deal with the security.

  16. #16
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by Butterfly
    nobody serious is going to bother with your website if you can't pay them anything. What is your definition of a small fee ? if it's only a few hundreds, then you will get students or Indians that will sell your info on the "blackmarket" once they have "secured" the server.
    Yup - exactly what's happened I think.

  17. #17
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by Butterfly
    Your best chance is to use a serious personal hosting company, not a co-host, with a small managed contract, could be about 100 USD per month. Not sure you will get much from them at that price, but you could try.
    That's affordable - thanks, I'll look into that.
    Quote Originally Posted by Butterfly
    Using Freelance_com is asking for trouble, above all when you give them direct access to your servers to fix things. A big no-no in security compliance or security guidelines. Never give a password to a third party.
    I know that now

  18. #18
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,843
    Fecking quality!


  19. #19
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by harrybarracuda
    Fecking quality!
    Glad you think it's funny you prick.

  20. #20
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    don't mind harry, his sense of security is about hiding in his mom's basement to play Call of Duty on his XBOX

  21. #21
    I'm in Jail
    Butterfly's Avatar
    Join Date
    Mar 2006
    Last Online
    12-06-2021 @ 11:13 PM
    Posts
    39,832
    Quote Originally Posted by Albert Shagnastier
    Maybe like you say I should just shut them down and sell through ebay instead. Let them deal with the security.
    that's what most people do, they can't handle the security and the management of a small website operation

  22. #22
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,843
    Quote Originally Posted by Albert Shagnastier View Post
    Quote Originally Posted by harrybarracuda
    Fecking quality!
    Glad you think it's funny you prick.
    Funny, I think it's fecking hilarious! Computer advice from Buttplug!

    HAHAHA!

    Butters, what was it you were saying about someone stiffing you for Bt20,000!

    When I had to secure my server farm, a quick audit cost me about 10,000 USD for about 25 hosts. Then I had the experts draw me a security plan and implement it. That was another 15,000 USD for the farm.

  23. #23
    Thailand Expat
    Albert Shagnastier's Avatar
    Join Date
    Mar 2012
    Last Online
    22-03-2015 @ 09:09 PM
    Location
    City of Angels
    Posts
    7,164
    Quote Originally Posted by harrybarracuda View Post
    Quote Originally Posted by Albert Shagnastier View Post
    Quote Originally Posted by harrybarracuda
    Fecking quality!
    Glad you think it's funny you prick.
    Funny, I think it's fecking hilarious! Computer advice from Buttplug!

    HAHAHA!

    Butters, what was it you were saying about someone stiffing you for Bt20,000!

    When I had to secure my server farm, a quick audit cost me about 10,000 USD for about 25 hosts. Then I had the experts draw me a security plan and implement it. That was another 15,000 USD for the farm.
    So what would your advice be then harry?

  24. #24
    Excommunicated baldrick's Avatar
    Join Date
    Apr 2006
    Last Online
    Today @ 02:31 PM
    Posts
    24,805
    Quote Originally Posted by Albert Shagnastier
    using Joomla and Virtuemart
    stop - why would you use a space shuttle to pull a somtam cart ?

    your server should only be running a webserver serving basic web pages on port 80 (have SSH daemon running to admin the server) - link the purchase product link to an ebay/paypal page and let them look after that sh1t

    'tinternet security is so fcuked because everyone is running software meant to manage massive database backends and then allowing all sorts of offsite calls to make the thing "pretty" and serve ads etc

    if you have 10 products it should require about 12 static pages (one index page, 10 product spec pages and a contact page) and no javascript

    if your server provider ( will be a virtual server anyway ) gets hacked , nothing you can do will help
    If you torture data for enough time , you can get it to say what you want.
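
    Added example, not part of any poster's reply: a check of a host against the "web server on port 80 plus SSH only" rule from the post above. It assumes a Linux host with iproute2's `ss`; the sample output, the `ALLOWED_PORTS` name and the function names are constructed for illustration.

```python
import ipaddress

# Allowlist taken from the post: web server on 80, SSH for administration.
ALLOWED_PORTS = {22, 80}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 *:8080 *:*
LISTEN 0 128 [::1]:631 [::]:*
"""

def split_local(addr_port):
    """Split the 'Local Address:Port' column of ss into (host, port)."""
    host, _, port = addr_port.rpartition(":")
    # Drop a %interface scope first, then the IPv6 brackets.
    host = host.split("%")[0].strip("[]")
    return host, int(port)

def is_loopback(host):
    """True only for sockets bound to a loopback address."""
    if host in ("*", ""):
        return False  # wildcard bind: listening on every interface
    return ipaddress.ip_address(host).is_loopback

def audit_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Return sorted (port, host) pairs reachable off-host and not allowlisted."""
    findings = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening sockets
        host, port = split_local(cols[3])
        if port not in allowed and not is_loopback(host):
            findings.add((port, host))
    return sorted(findings)

if __name__ == "__main__":
    for port, host in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {host}:{port}")
```

    Loopback-only services such as the database on 127.0.0.1:3306 are not reported, because they are not reachable from outside the host; anything bound to a wildcard or routable address on a port outside the allowlist is.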

  25. #25
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,843
    Quote Originally Posted by Albert Shagnastier View Post
    So what would your advice be then harry?
    Well you're the fecking expert mate, surely one of your tin foil hat insiders can tell you how to protect yourself from the CIA.

