Sofware in Review
Tech news
at TheJemReport.com
Software reviews
at SoftwareinReview.com
Hardware reviews
at HardwareinReview.com
Discuss technology
at TJRForum.com
Sofware in Review → Tutorials → Security tutorials →

How to secure your blog or Web site

By Jem Matzan

Weblogs are being attacked, compromised, and defaced. This sort of thing has been happening for years to other kinds of Web sites, but the attacks seem to be more frequent these days, especially in the wake of the blogger grassroots effort to mirror the Mohammed cartoons. It's not that software has become less secure, and it's probably not because potential attackers have increased in number. No, the reason that attacks are more prevalent is likely because many bloggers don't know how to secure their own Web sites. Here are several in-depth tips to help independent journalists protect themselves from the barbarians who would silence them.

Know your enemy

The people trying to break into your Weblog are probably not very smart or very skilled. Most likely they are script kiddies -- disgruntled teenagers who use other, smarter people's programs and knowledge to attack vulnerable Web sites. Script kiddies are generally put off by systems that require real skill and computing resources to crack. Few things can protect you against a highly skilled and motivated attacker, both online and in the real world. Fortunately for civilization, highly skilled and motivated attackers are extremely scarce.

The tips in this article do not defend against local or wireless intrusions. That means that if someone steals your computer or monitors your wireless Internet signal, none of the below information will matter. However, by far the greater threat is not from high-end crackers or clandestine wireless network sniffers -- it is from script kiddies.

Strong passwords

No matter how your Weblog is hosted or how secure it is, weak passwords will undermine it. The preferred weapon of the enemy is known as a dictionary attack. This is where a cracker (not a hacker -- if you're still calling them hackers, you are not properly educated) uses a program that repeatedly tries to log into your server by using a bank of common passwords and, indeed, dictionary words. This is also referred to as a brute force attack, because it uses no finesse in attempting to guess a privileged user's password.

In case you didn't follow the above paragraph: do not use a word that can be found in any dictionary, including foreign language dictionaries. Do not use conglomerates of words found in a dictionary. Do not use names or places. Do not use a common word or name plus a number. Do not use your birthday. Do not use religious terms (God does not care if your password is guessed). Do not use your fraternity's secret password.

So what's left? A bunch of numbers? I guess you could do that, but it wouldn't be very easy to remember. The best passwords are combinations of upper- and lowercase letters, symbols, numbers. So if you just whacked your keyboard a few times and produced random characters, you would end up with a very secure password:

LKfj932%)!@*#fUUSqoKl

But it's not easy to remember, is it? If you constantly forget your password, then it is not a very good one. In order to better remember your password, spell something that is easier to remember, but don't use standard letters or spellings:

F|0r1d@r0X

In the above example, I've used both capital and lowercase letters, symbols, and numbers. It's pretty easy to remember, and it is also a strong password because it cannot easily be guessed (even if someone knows that my password is "Florida rocks," they don't know what symbols or numbers I used, which letters are capitalized, or how I spelled both words -- there are thousands of possibilities), and it is not subject to dictionary attacks.

If your blog is on a hosted community service like MySpace, AboutMyLife, or LiveJournal, this is as far as you need to read. The software and operating system you use is maintained by the hosting company, so all you have to worry about is a strong password.

Use good software

Now that you are using a strong password, the next step is to verify that your software doesn't suck. You might immediately reject that notion because your blog software looks pretty and is easy to use, but underneath the surface it could be a security nightmare.

What Weblog software are you using? What is its security record? If you don't know, find out right now. How? By going to this page at Secunia.org and find the name of your blog software in the list. Are there any unpatched vulnerabilities? If so, how serious are they? How many critical (or worse) security flaws have been found in the past -- especially within the past year? If you can't list the name and exact version of your Weblog software, stop right now. Bookmark this article. Return to reading it when you have updated your blog software to the most recent version.

Compare your blog software with other, similar programs and see how it stacks up. Remember that each program is categorized by its version number, so be sure to look up the most recent major release, not old releases. You don't need to know about security vulnerabilities in old releases; they have either been fixed since then or are re-listed in the current release's section.

If you see a large number of vulnerabilities -- especially those that are unpatched and/or of "critical" grade or worse -- steer clear.

If you want my advice as to the most secure blogging software to use, I suggest hand-coding the entire thing in XHTML and CSS, using no scripting languages or databases. It will take a long time to make it usable and attractive, you will have to have a great deal of CSS skill, and the blog will be cumbersome to maintain. On the upside, you'll use virtually no bandwidth, search engines will love you, and script kiddies will be unable to compromise your system through plain XHTML. If you're reading this article, though, this solution is probably not an option for you, but you get the idea -- no complex, database-driven, Internet-facing software will ever be totally safe from attack, but some can be better than others.

Don't stop with your blogging software -- examine your operating system as well. If you are doing your own hosting, do not host on any version of Microsoft Windows, or ancient versions of GNU/Linux or BSD. Windows can be made secure, but you really have to know what you are doing; secondly, Microsoft only releases patches once per month, and has a long and damning history of leaving really bad security holes unpatched for a long time. Don't worry about securing Windows as a server -- just don't use it.

GNU/Linux is a very popular choice for Web hosting, but a surprising number of hosting providers are using distributions that are no longer updated. Red Hat 7 and Red Hat 9 are two that I see on Web servers far too often. These geriatric versions of Red Hat are full of known security holes that will never be patched because they have been addressed in later versions. Red Hat 9, for instance, has been replaced by Fedora Core. As of this writing, Fedora Core 4 is current, which means that RH9 is four generations old; this is the Microsoft equivalent of Windows 95.

OpenBSD has a well-earned reputation for being a highly secure operating system, but in order to stay secure, you must upgrade it to the new release every six months. Old versions are not maintained -- all development is concentrated on the current and future releases. So if you're hosting on OpenBSD, you'd better check the OpenBSD site to make sure that you're on the most current version. The same goes for NetBSD -- use the most recent version.

As of this writing, FreeBSD version 4.x is slowly becoming unsupported, and the 5.x branch will probably fade away shortly thereafter. If your Web host is using anything below FreeBSD 6.x, contact them and make sure that they are applying the latest security patches. If they aren't, switch to a different hosting provider immediately.

If your Web host is running on Solaris, chances are the hosting company is knowledgeable enough to update it regularly. That doesn't mean you shouldn't check to make sure, though. Any versions older than Solaris 8 are probably too old to be updated.

Update regularly

Along with checking for and applying operating system and Weblog software updates, you have a few more update responsibilities.

Check to make sure your Web server is at its most recent version. I won't go into Microsoft IIS because you're not hosting on Windows, remember? The Apache Web server is, as of this writing, on its second generation -- Apache 2. Every OS except OpenBSD should be using Apache 2. OpenBSD uses a heavily patched and refactored version of Apache 1, and while it may not scale as well as Apache 2, it is at least as secure (this is in reference to OpenBSD's Apache 1.3 implementation; I will not vouch for other versions of Apache 1).

What other programs do you have that connect to the Internet? An FTP server? OpenSSH? MySQL? PostgreSQL? PHP? Perl? Webmin? AWstats? PHPMyAdmin? PHPadsNew? PHPbb? Vbulletin? Game servers? The one program you have that I forgot to list? You have to check them all for updates at least once a week. If you installed them through your OS' package manager, the standard update utility should check for and apply any available patches for you. If you are unsure how to do this, you'll either have to learn how by reading the documentation for your operating system, or entrust your hosting to a company that will take care of all of this for you. I recommend Rackspace. Secunia also offers a service that will notify you of software updates. Almost every one of the above-mentioned programs has a security mailing list that you can subscribe to which will inform you of new vulnerabilities and patches.

Use a hardware server-side firewall

If you're doing your own hosting, either from home or from a rented or colocated server, your best line of defense against small DDoS attacks and intrusions is to use an abstract firewall. Do not just run a firewall program on your server; this might seem to work nicely, but it is not the most secure way to keep out unwanted traffic. You should be using a hardware firewall device that filters all traffic from your Internet connection. Do not just connect your server to the naked Internet.

Many commercial-grade routers, VPN devices, and some kinds of switches have an integrated firewall. If you are colocating, you might look into buying such a device and installing it in your rack, assuming your service provider does not offer any firewall services. If you're on a rented server, ask your service provider if anything can be done to implement a hardware firewall. If you're hosting from home, you have a few options. You could use a consumer-grade router like those made by Linksys, D-Link, and Netgear, but they are not powerful enough to handle more than a few hundred concurrent connections. If your site is very popular (or if you expect a Digg/Slashdot/Drudge event in the future), you will need something more robust. I highly recommend the D-Link DFL-200. It is reasonably priced, easy to set up, and can handle up to 3000 concurrent connections.

Once you have access to a hardware firewall, set it up so that only the services you need are allowed through. That usually means the following ports: 21 (FTP), 22 (SSH), 25 (SMTP), 80 (Web), 110 (POP3), 143 (IMAP4), and 443 (SSL). Open only these ports at first, then work from there. If you don't use some of these services (like FTP and POP3), then block their ports. If possible, use network address translation to further protect your server from intrusion.

DDoS countermeasures

What can you do to prevent or combat a distributed denial-of-service (DDoS) attack? There are hardware solutions out there that can prevent some forms of DDoS, but I haven't had the opportunity to put any of them to the test, so I can't make any definitive statements about their effectiveness. Many hardware firewalls have some degree of DDoS prevention built in. Realistically, such devices can only work if there is enough network bandwidth available. So if you're on a "bare minimum" Internet connection, beyond a good hardware firewall like the above-mentioned D-Link DFL-200, there is nothing you can do to defend your server against a large-scale DDoS. Fortunately, such attacks are rare against ordinary bloggers because DDoS attacks require either skill or resources; script kiddies do not usually have direct access to either.

If you depend on your Web site to make money, you may want to look into Prolexic Technologies to defeat DDoS attacks. They have a heavy-duty network infrastructure that can survive various forms of DDoS, and can filter your traffic until the attack is over. I'm not sure how much it costs, but if they don't list the price on their site, you can bet it's expensive. This is probably not an option for all but the top handful of bloggers who are making a living online.

The extra mile

If you've made it this far and taken the advice in this article, you can sit back and relax -- your blog is as safe as you can reasonably make it. If you want to go the extra mile, take these steps:

  • Perform nightly backups; do not store them on the server, and keep at least a month's worth of backup archives (do not overwrite the same files every day).
  • After the server is installed, configured, and updated the way it needs to be in production, make an image of it. If your system is compromised later, you can quickly and easily restore your original configuration from the image.
  • Enable WPA (or WEP, if WPA is not available) encryption on your wireless network connections.
  • Change your strong passwords every three months. Also, ensure that all privileged users (moderators, for instance) are using strong passwords.
  • Install and configure intrusion protection software on your server.
  • Periodically check your system and Web server log files to scan for irregularities (such as failed logins). Or if you're a real hard charger, create a script to automatically parse the logs and email you any suspicious information.

Good luck, and good blogging.