  #1  
Old 02-06-2012, 10:39 AM
klachman klachman is offline
Hatchling Croc
 
Join Date: Jan 2012
Posts: 16
Default Site Security for Noobies!

I am new to website hosting and quite unfamiliar with its subtleties, having spent most of my time in the past opening up peer-to-peer local networks, and now faced with buttoning up a local site. I take it .htaccess is the way to go. Is there anyone available specifically adapted to HostGator? I've seen a bunch posted, and not sure whether to concatenate or replace. Haven't a clue as to Robots.txt - any advice on getting the good crawlers in and keeping the nasties out? I don't use Wordpress, at least not yet, and the question is would it be a hazard to link it to my OSCommerce 2.2 site? TIA...
  #2  
Old 02-08-2012, 08:01 AM
klachman klachman is offline
Hatchling Croc
 
Join Date: Jan 2012
Posts: 16
Default Re: Site Security for Noobies!

Still haven't a clue as to what I'm doing, but my pastings in .HTACCESS I guess are working.

They seem to be blocking some spiders, well, most of the time, and they let Google in to crawl.

Google was getting errors on about half the stuff. For some reason it was trying to read the raw URLs and failing, but pulling up the modified URLs with full titles with no problem.

Are there any legitimate reasons for anyone to read my /admin/configuration.php file? Not much real info there. My /includes directory is blocked to ALL. Is it ok to do with admin?

Here is my default .HTACCESS for /admin:

# $Id: .htaccess 1739 2007-12-20 00:52:16Z hpdl $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
# AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
# <IfDefine SSL>
# SetEnvIf User-Agent ".*MSIE.*" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
# </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1


Please let me know if these questions are *that* stupid!
  #3  
Old 02-09-2012, 11:57 PM
aeons aeons is offline
Junior Croc
 
Join Date: Dec 2010
Posts: 104
Default Re: Site Security for Noobies!

Don't rely on any one thing to secure your site.
The most popular way of hacking a site is through insecure code.

If you run any scripts (php, cgi, asp, etc) make sure all inputs (where visitors post comments, for example) are validated.
I use preg_replace() for almost everything regarding validation. It's a built-in php function.
After php cleanses the variables, mysql_real_escape_string() cleans it before writing to the database.

Likewise, if you use a pre-made script (no custom coding done by yourself) make sure you keep an eye on the vendor's site and update immediately anytime a security patch is released.


Oscommerce is a bit sketchy for updates.
I am using what's considered a grossly out of date version (2.2 MS2 with RC 1+2 security patches), but I also took the time to install the security add-ons I felt were necessary for my site, like FWR Media's Security Pro (essential to any Oscommerce shop owner, in my opinion).

I also modified the absolute hell out of my store. Not every function is native to default oscommerce anymore; so what may have been a hole for a default site running Oscommerce is gone in mine.

If you're using a vanilla version of Oscommerce (no contributions/custom codes) update as soon as new versions and patches are released.

Read up here: http://forums.oscommerce.com/forum/76-security/ for additional security tips for Oscommerce-specific sites.
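The validate-then-store flow described in the post above, as an added example that is not part of the thread or any poster's code. It uses allow-list checks with preg_match() and filter_var(), and swaps mysql_real_escape_string() for PDO prepared statements, since the mysql_* extension was removed in PHP 7.0. The comments table, field names and sample inputs are constructed, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example: hypothetical comment form handler (names are illustrative).

// Validate by allow-list: accept only input that matches the expected shape
// and reject everything else, rather than stripping characters out of it.
function validate_comment_input(array $in): array {
    $errors = [];
    $name = trim($in['name'] ?? '');
    if (!preg_match('/\A[\p{L}\p{N} .\'-]{1,40}\z/u', $name)) {
        $errors[] = 'name';
    }
    $pid = filter_var($in['product_id'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        $errors[] = 'product_id';
    }
    $body = trim($in['body'] ?? '');
    // preg_match('//u', ...) fails on invalid UTF-8, so it doubles as an encoding check.
    if ($body === '' || strlen($body) > 2000 || !preg_match('//u', $body)) {
        $errors[] = 'body';
    }
    return [['name' => $name, 'product_id' => $pid, 'body' => $body], $errors];
}

// Store with bound parameters: values never become part of the SQL text,
// so quotes and comment markers in them are stored as plain data.
function store_comment(PDO $db, array $c): void {
    $stmt = $db->prepare(
        'INSERT INTO comments (product_id, name, body) VALUES (:pid, :name, :body)');
    $stmt->execute([':pid' => $c['product_id'], ':name' => $c['name'], ':body' => $c['body']]);
}

$db = new PDO('sqlite::memory:');            // in-memory database for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (product_id INTEGER, name TEXT, body TEXT)');

$samples = [                                 // constructed inputs
    ['name' => "Pat O'Neil", 'product_id' => '42', 'body' => "It's great -- would buy again"],
    ['name' => '<b>Pat</b>', 'product_id' => '12abc', 'body' => ''],
];
foreach ($samples as $in) {
    [$clean, $errors] = validate_comment_input($in);
    if ($errors) {
        echo 'rejected fields: ', implode(', ', $errors), "\n";
        continue;
    }
    store_comment($db, $clean);
}
// Encode on output: escaping for HTML happens when rendering, not when storing.
foreach ($db->query('SELECT name, body FROM comments') as $row) {
    echo htmlspecialchars($row['name'] . ': ' . $row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
```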
  #4  
Old 02-16-2012, 01:29 AM
klachman klachman is offline
Hatchling Croc
 
Join Date: Jan 2012
Posts: 16
Default Re: Site Security for Noobies!

Many thanks

Excellent advice.

My site is also heavily modded, but unfortunately the documentation for it was lost in a crash a while back. It had been mothballed for a while.

I have not been adding much new code, mainly tinkering with the old.

I was hoping there would be some kind of regularly updated master list, much like PeerGuardian uses. I have a version of that on my Fedora system.

It looks like I really need to be brushing up on my PHP, especially the part about cleansing scripts.

Other than the standard store stuff, most user interaction will take place through the Wordpress log site which is connected.

But perhaps Drupal would be better?
(as far as the security at least???)
  #5  
Old 02-26-2012, 03:12 AM
aeons aeons is offline
Junior Croc
 
Join Date: Dec 2010
Posts: 104
Default Re: Site Security for Noobies!

Security-wise, any pre-made CMS is highly vulnerable unless you're good at keeping up-to-date. Making yourself a weekly schedule or cron to remind you to check would be my best advice.

Likewise, if you can't code very well, I wouldn't bother trying to make your own CMS until you get the basics of filtering down pat.
After you get the filtering/security aspects down to the essentials, everything else is just a matter of taste.

I've never used any CMS, to be honest. The closest I've ever gotten to one was Oscommerce. Still using it to this date, been up and running since 2005.
  #6  
Old 03-19-2012, 01:41 AM
satnav satnav is offline
Swamp Croc
 
Join Date: Jul 2011
Posts: 257
Default Re: Site Security for Noobies!

It is always better for you to check updates for your site, including add-ons. This will make sure that you have all the security you need for every program you have for it. Good advice by the way.
__________________
Dedicated HostGator Love