Some questions about security.

[Elektrisk]

Hello. I'm totally new to web administration, so bear with me. I have a question; when you use a firewall to protect your website, is the firewall installed on your server, or what? I don't really understand the whole concept, so if you could briefly explain or point me to an article, that'd be great.

Secondly, is there anything in particular I should know to prevent my websites against exploits? I have Acunetix vulnerability scanner, and once my website is up and running, I plan to scan it with that and patch any vulnerabilities. I also plan to make sure all of my code, including javascript, is validated with no errors or warnings. I dunno if that could prevent against any vulnerabilities, but I'm sure it can't hurt.

See, I know about PC security, but not web security. So, if there're any decent articles or websites on this subject, I'd love to see them. Any tips you can give me would be greatly appreciated.

I also have Fallen's DDoS mitigation script that he posted, but I'm not sure this will be enough. I don't see a particular reason why my website, which is for a friend's small business, would be targetted. I'm sure that the only people who would attack our website would be script kiddies who get pleasure out of it, and not well known hacking groups, so that's a plus. Still, I'd like to be able to sleep at night knowing that I'm doing all I can to keep the website secure.

We haven't picked a hosting yet, and I don't know how that facotrs into the equation. I assume we will use Apache as our server, but I haven't explored other possibilities. Of course I'll want to update all of my software (php versions, apache version, ect), but I know that there's a lot I'm missing, so if you could fill in the blanks, I'd be grateful.

Thank you.

[Guerreiro]

http://www.ioncube.com/ is a great great great tool for security.

Also as per what server you are going to use, I would also go with Apache. MS Server just is not something you want. Also if you use SQL then read up on how to defend against SQL injection. Just Google the terms you are afraid of with prevention or avoidance something. You also have programs against DDOS'es but why would you get targeted for DDOS? That is usually only done to get back at someone. If you have a client database be sure to make that as secure as possible. Hosting will play a part, if you have the money use dedicated hosting as that is just more secure. There aren't really more things I can say other than just read up on the terms and see what products are associated with it

[Elektrisk]

Hm, I don't really understand how ionCube helps with security. As I understand it, it's mainly a tool for encrypting your PHP scripts, right? But, how would that be beneficial? I suppose I can see how obfsucating HTML documents would be beneficial (they apparently offer a product that does that as well), but can you elaborate on the PHP one?

Acunetix scans for SQL injectable pages, so that's not a problem.

As for the DDoS, like I said, we probably won't get targetted, but it's possible. I mean, it's not like we'll have enemies, but someone who just started using botnets might think, "Oh, look, a small website. I'm going to test my botnet on it." I just don't want to risk anything.

Thanks

[Grizzly]

Ioncube is used for encrypting php pages. It won't secure anything, as php code isn't displayed when you view the source.

Are you coding your scripts yourself? Or are you using a CMS?

No matter what you do for shared hosting, it won't really do anything. When you are on shared hosting it really depends on the server default server set up. If you go on your own dedicated server than you will have the responsibility of securing it farther. Really just make sure you secure your scripts. If the business page is going to accept money it's going to have to be PCI compliant which costs a lot of money so I hope you're not plan on doing that, unless you get a special host for it.

[Socrates]

Own server dude because shared sucks. Just ask iintens lol

[Grizzly]

Actually, shared hosting is just fine. If you get free shared hosting of course it is going to suck. There is absolutely no reason to pay for a dedicated server when you have 10 visitors a day. I've been in the hosting biz for several years now. There is absolutely no reason for a person to pay $100+ for a dedicated server that they're using 5% of the resources at any given time. Especially when shared hosting runs between $5 and $15 for a decent account.

[Elektrisk]

Are you coding your scripts yourself? Or are you using a CMS?

I plan to code them myself, but I might also get some free ones from various websites. Also, I don't know much about CMS's, so I can't really decide if it's worth using one. I assume you mean CMS's such as Joomla?

Own server dude because shared sucks. Just ask iintens lol

We're not going to get a dedicated server until we have a high amount of traffic.

[Grizzly]

Yeah, take a look at joomal, it's a pretty decent CMS IMHO. Steep learning curve, but once you get it it's very powerful.

And yes, don't get a dedicated server. There is no reason until you absolutely need it. There is also WAY more headaches involved.

[Guerreiro]

ioncube will also protect your templates and such. It is just optional. Other than that everything above is all good advice. Server hosting is personal taste.

[manipulate]

Own server dude because shared sucks. Just ask iintens lol

eyyyy.