Discussion in 'OT Technology' started by Browning, Apr 16, 2008.
seeing smiliesftw get hacked is kinda
Is there really anything one can do to prevent this?
damn this is the first I heard of smilies getting hacked
seen a couple threads about it in the main forum
yeah after reading this, I did a search and read the one where you posted the google link
doesn't jesse own it?
ot isn't all that secure either.
anything humanly made can be humanly broken.
there are ways of still viewing the main forums w/o having a sub you know.
a) don't include this on your site
b) don't place the admin login at site.com/admin; make it some random combination of letters, and don't, like some moron startup this weekend, leave that area w/o a password.
c) don't use a short username or a short password. (for example, my password is 24 letters long, completely random, with #s, dashes and underscores.)
d) for admin logon, code it so that the person only gets 5 tries, with a 2-minute wait if they get it wrong, and a 1-hour ban if they don't get it after 5 tries. If a person gets banned for an hour, a report is filed with the admin with the IP.
e) never use unsecured networks to log in to your sites
f) have one separate computer that you use for the site, and nothing else on it. No games, no programs, no freeware. Only use that computer to go to your site admin and that's it.
but even then it can probably still get hacked...but at least you'll prevent most of the script kiddies.
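The lockout policy in item d) of the post above (5 tries, 2-minute wait per wrong guess, 1-hour ban with a report to the admin), written out as a small throttle. This is an added example, not code from the thread: the clock is injected so the timings can be exercised without waiting, and the "report" is a list of messages standing in for whatever notification the admin actually uses.

```python
"""Admin-login throttle: 5 tries, 2-minute wait per failure, 1-hour ban."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

WAIT_AFTER_FAILURE = 2 * 60   # seconds a client must wait after a wrong guess
MAX_FAILURES = 5              # wrong guesses before the ban kicks in
BAN_DURATION = 60 * 60        # one hour


@dataclass
class ClientState:
    failures: int = 0
    blocked_until: float = 0.0   # epoch seconds; 0 means not blocked
    banned: bool = False


@dataclass
class LoginThrottle:
    # Clock is injected (use time.time in production) so tests can advance it.
    now: Callable[[], float]
    # Stand-in for "a report is filed with the admin": one message per ban.
    reports: list[str] = field(default_factory=list)
    clients: dict[str, ClientState] = field(default_factory=dict)

    def attempt(self, ip: str, verify: Callable[[], bool]) -> str:
        """One login attempt from `ip`: 'blocked', 'ok', 'wait' or 'banned'.
        `verify` is only called when the client may try, so a blocked client
        learns nothing about whether its guess was right."""
        st = self.clients.setdefault(ip, ClientState())
        now = self.now()
        if now < st.blocked_until:
            return "blocked"
        if st.banned:                  # ban has expired: counter starts over
            st.banned = False
            st.failures = 0
        if verify():
            self.clients.pop(ip, None)  # success clears the failure history
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.banned = True
            st.blocked_until = now + BAN_DURATION
            self.reports.append(
                f"{ip}: banned 1 hour after {st.failures} failed admin logins")
            return "banned"
        st.blocked_until = now + WAIT_AFTER_FAILURE
        return "wait"
```

Because the counter is keyed on the client IP, everyone behind one NAT address shares a lockout, and an attacker spread across many addresses gets 5 fresh tries per address; pairing this with a per-account counter and a real password policy covers both gaps.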
24 character password, holy shit.
what effect would including that have on site security?
how about not having an admin panel at all? The .htaccess should be sufficient as long as an appropriate passwd is used. If the login is just a login form input screen, put an .htaccess over top of that.
14 mixed chars is sufficient. A proper 14 char passwd would take a brute force cracker app 154,640,721,434 millennia to guess. 24 chars is way overkill and impossible to remember. Also, pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters - like #@$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
As stated before, why even have an admin panel? Remember to lock down SSH, via iptables, to your home IP and block all other requests. A random bot searching servers for an open port 22 can be disastrous once you've been spotted... then that bot will try the common test accounts on your box (e.g., test/test123/t3Stacct).
While this is true, we can safely assume that most in TWL aren't accessing their servers through a honeypot or man-in-the-middle attacks. It's a good practice, but not for everyone.
This is just silly. Who the fuck would do this?
it's a combination of 3 different passwords...so they do make sense...to me; to anyone else the letters would be gibberish.
it's kinda like a challenge. Oh, hacker secure? Really? Let's find out.
you have an admin panel, it's just not located at www.site.com/admin/. Why does it matter to you if you write that or write www.site.com/circlejerk/? No big deal for you, but you avoid script kiddies finding your login page and being tempted.
like I said to the other guy, it's not really random for me. It's 3 different passwords mixed together. But to anyone else it'll be gibberish, because each password is unique and is not an actual word you can find in a dictionary.
IP block is a good idea, if you only login from home. But what happens when you need to login from a conference? Or from an investor's office?
I'm mainly talking about doing login while you are sitting on someone else's wifi
Not really that silly considering how much junk there is on most PCs. Surely you can afford a $1000 PC dedicated entirely to your website management/database backup, if you are making any serious money. And there is that added security of knowing that you didn't download a keylogger or a virus, etc., or some trojan by playing that very funny youtube movie or that shareware version of software.
What's $1,000 compared to losing your entire business overnight because some hacker got into your site? + you have the security of knowing you have an offsite backup of the most important components.
Granted, if you are some script kiddie making your money off affiliate links it's a little bit overboard, but if you are running any sort of business I think it's a good thing to have.
I just can't help it.
it's called :2001:
Let's just bullet some points
I've whitehat'd and blackhat'd for ~15 years and have never been teased or coaxed by a "Hacker Safe" image. Maybe the scriptkiddies would jump at that, but godaddy.com has something like that on their site.. who's gonna "hax" them?
24 char passwd is bad advice. A good (mixed char/num/sym) 8 character passwd would take 2.10 centuries to brute force... so to your average TWL poster, this is more than enough. Personally, I'd recommend 13-14 chars just for that extra sense of "security."
You can update iptables from any IP that is allowed. You can also add more than 1 IP.. home, office, mobile would work. If you expect to be at a certain building/office that day, add that IP. If you aren't sure what IP to add, then just SSH into an "allowed" box and update it from there.
Most in TWL aren't big businesses, they are just kids trying to make a buck, thus they are not going to spend $500-$1000 on a separate PC for only logging into their site. That's just silly. Maybe Microsoft or Cisco could do this, but why? I have 3 PCs at my home each with its own purpose, and I use all of them to access my servers around the world. Am I worried about malware? NO.... because I am a responsible admin that is always certain that I do not have any. FYI, I don't run antivirus at all. and my only "firewall" is iptables combined with NAT.
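A calculator for the brute-force figures quoted in this post and in the earlier 8-character / 14-character post (2.4 days vs 2.1 centuries, and 154,640,721,434 millennia). This is an added example, not from the thread or any tool it mentions; it assumes a single attacker at one million guesses per second, a 95-character printable alphabet and 365-day years, which is the combination that reproduces the quoted numbers.

```python
"""Worst-case brute-force time for passwords of a given length and alphabet."""
import string

# Constructed assumptions: one attacker trying 1,000,000 guesses per second
# against a 95-character printable-ASCII alphabet, with 365-day years.
# These values reproduce the figures quoted in the thread; real cracking
# rates depend heavily on the hash algorithm and the attacker's hardware.
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

CHARSETS = {
    "lowercase": len(string.ascii_lowercase),             # 26
    "alnum": len(string.ascii_letters + string.digits),   # 62
    "printable": 95,   # letters, digits, punctuation and space
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate is tried before the right one."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Largest unit that gives a value >= 1, one decimal place."""
    units = [("millennia", 1000 * SECONDS_PER_YEAR),
             ("centuries", 100 * SECONDS_PER_YEAR),
             ("years", SECONDS_PER_YEAR),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(length: int) -> dict:
    """Brute-force time for each alphabet at the given password length."""
    return {name: human_duration(seconds_to_exhaust(size, length))
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for n in (8, 14):
        print(n, compare(n))
```

The guess rate is the whole game: an online login form with a lockout allows far fewer than a million tries per second, while offline cracking of a leaked fast hash allows billions, so read these numbers as a comparison between alphabets and lengths rather than as guarantees.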