Most of what you hear about break-ins and sabotage on the
Internet is sort of hyped up a bit. This does not mean
that you should ignore it, but take reasonable steps to
safeguard your site. Don't lose sleep over it...
- Bruce
"Dori Look! Daddy left an open telnet session to bignosebird
on my computer again!!!!
THE GREATEST THREAT...
If I have learned anything during the past 15 years it is that I am
the greatest security threat to my own systems! Let's see...
Erasing files which I thought were backed up.
Making a quick change that was so simple it did not
require testing.
Doing something to Company X's system, while in fact logged on to
Company Y's.
Running system crippling applications during business hours.
Too much coffee.
More likely, too little coffee!
MINIMIZING THE GREATEST THREAT...
I am not the greatest threat to you. ;-)
My point is that if somebody is going to trash your site, it is
most likely going to be you! Here are some tips for protecting
your site.
Never make changes or deletions unless you have a backup!
Never share your password; two people knowing a secret is
not a perfect secret.
Do not believe for a minute your safety extends beyond somebody's
lack of interest in trashing your site.
Do not spam (flood) newsgroups with ads for your site, unless
your site is actually relevant to that group. Why give somebody the
level of interest mentioned above?
Don't put up a dumb message like, "Welcome to the
Invincible-Hacker-Proof Site."
Check all Server Side Includes and CGI-BIN programs for problems,
such as letting visitor input pass an exec directive or special shell
characters through to the server.
Drink just the right amount of coffee to get the job done.
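As an added example (not code from this page or its author), here is a Python check for the two CGI/SSI problems named above: shell metacharacters reaching a command line, and SSI directives in visitor-supplied text. The guestbook field names and the finger lookup are assumptions.

```python
import re

# Characters that let a parameter break out of a command line when a CGI
# script builds one by pasting the value into a string (the "special shell
# characters" the tip above warns about).
SHELL_META = frozenset(';|&`$<>\\"\'()*?{}[]~!#\n\r')

# Any SSI directive in visitor-supplied text is unwanted; "exec" and
# "include" are the ones that make the server run or pull in something.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*[a-z]+", re.IGNORECASE)

def shell_meta_in(value):
    """Sorted list of the shell metacharacters present in value (empty if clean)."""
    return sorted(c for c in set(value) if c in SHELL_META)

def has_ssi_directive(text):
    """True if text contains something the server could treat as an SSI directive."""
    return SSI_DIRECTIVE.search(text) is not None

def allowlist_username(value):
    """Accept only the narrow shape a username field should have; None otherwise.
    First character must be alphanumeric so the value can't look like an option.
    An allowlist beats chasing every metacharacter the shell might know."""
    return value if re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}", value) else None

def lookup_argv(user):
    """Argument list for a user lookup, built without a shell.
    The old pattern, os.system("finger " + user), hands the value to /bin/sh;
    passing a list to subprocess.run() (shell=False) never does.
    (The finger command is an assumed example, not from the page.)"""
    safe = allowlist_username(user)
    return None if safe is None else ["finger", safe]

def audit_submission(fields):
    """Return (field, reason) pairs for every field that fails a check."""
    problems = []
    for name, value in fields.items():
        metas = shell_meta_in(value)
        if metas:
            problems.append((name, "shell metacharacters: " + "".join(metas)))
        if has_ssi_directive(value):
            problems.append((name, "SSI directive"))
    return problems

# Constructed sample: what a guestbook form might hand the CGI script.
SAMPLE_FIELDS = {
    "user": "alice",
    "subject": "Hello | world",
    "comment": 'Nice site <!--#exec cmd="/bin/date" -->',
}

if __name__ == "__main__":
    for field, reason in audit_submission(SAMPLE_FIELDS):
        print(f"{field}: {reason}")
    print(lookup_argv("alice"), lookup_argv("alice; x"))
```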
DEALING WITH THE OTHER THREATS...
Okay, even if you are the greatest threat to your site, this does not
mean there are no other ones. Here are a few tips to help safeguard your
site.
For the virtually hosted...
Ask your hosting companies what steps they take to prevent
and detect server intrusions.
Ask what steps they take to prevent other customers from
either overwriting or reading your private (non-world-readable)
files.
Ask if SSH (secure shell) is available for use instead of telnet. If so,
see if you can get a separate account for FTP, and another for e-mail.
In other words, you want to make it so your e-mail account (if
POP3) cannot write to your files, and neither can your FTP user account.
For those with dedicated or co-located servers...
All of the items for the virtually hosted!
Stay current on ALL vendors' security patches.
Install some type of intrusion detection software such as Tripwire.
Do not discuss your security techniques. As silly as this sounds,
a car that has a sticker that says, "protected by X" on the window
sort of gives a thief the schematics.