Secure your Server-Side Scripting

[Image: Locks for Sale]

No web server in existence is fail-proof. Web servers are often targeted because of the sensitive information they contain. Securing a web server is as important as securing the web applications and the networks surrounding them. A secure web application paired with an unsecured web server, or the reverse, still leaves your business at substantial risk.

Securing web servers can be frustrating and tedious, and it requires expertise, but it is not an impossible task. Ensuring that the company web servers are secured will save your company various headaches and data breaches in the future. No matter which operating system or web server software you use, an out-of-the-box configuration is never secure. Companies should carry out the tasks needed to raise the security of their web servers.

The following is a list of steps that should be taken to protect business web servers:

1. Remote access

Server administrators should log on to web servers locally whenever possible. If remote access is warranted, you must ensure that the remote connection is properly secured, by tunneling it and using encryption protocols. It never hurts to use security tokens and other sign-on equipment. Do not use public computers or networks when you access business servers remotely. This means that when you are enjoying a cup of java in the café, do not try logging on to business servers.

2. Remove services that are unnecessary

Default configurations and operating system installations are never safe. A standard default installation includes network services that a web server will never use; printer server services, RAS and registry services are good examples. When your operating system has an abundance of services running, more ports are left open, which leaves more “backdoors” for hackers to take advantage of. Disable all unnecessary services so that they do not start automatically the next time you boot the server. This also gives your server’s performance an extra boost by freeing up hardware resources.

3. Server-side scripting and web application content

Web application and/or website scripts and files should always be on a separate partition from your operating system, system files and logs. A hacker who gains access to the web root directory can otherwise exploit vulnerabilities to reach those files as well.

4. Separate testing/development and production environment

It is faster and easier for developers to build new versions of web applications on production servers, and it is common for testing and development to be performed directly there. Because these web applications are in early development stages, they usually have additional vulnerabilities, handle exceptions poorly and lack input validation. Hackers can find and exploit such applications easily using ordinary, free tools found on the Internet.

To speed up this work, developers often build internal applications that give access to the databases, web servers and other resources. These applications typically have no restrictions because they are merely test tools that are normally only used by developers. If testing and development are performed on a production server, these tools can easily be found by hackers and used to gain access to the production server.

Testing and development of web applications should be performed on servers isolated from the Internet, and should never connect to or use live databases and data.

5. Installment of security patches

Just because your web server contains fully-patched software does not assure its security. Pay close attention to updating the operating system and the software running on it. Any hacker will admit that one of the easiest ways to compromise a system is through unpatched software and servers.

6. Audit and monitor the server

Logs should always be stored in a segregated area of the web server. Network service logs, database server logs, operating system logs and website access logs should be monitored regularly. If you see suspicious activity on the server, investigate it immediately to find out exactly what is going on.

7. Privileges and permissions

Network and file services play a vital part in the security of web servers. If a web server is compromised through network service software, hackers can use the account the network service runs under to carry out their evil deeds. It is therefore necessary to assign network services only the privileges they need in order to run. The same applies to the accounts used to reach backend databases and data.
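As an added example (not from the article), the following POSIX shell helpers turn steps 2, 3 and 7 into checks a practitioner can run: listing which process listens on which port, confirming that the web root, system files and logs sit on different partitions, and counting web server processes that still run as root. It assumes a Linux host with df, ss and ps; the web root and log paths are placeholders, and the sample command output embedded below is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added audit helpers for steps 2, 3 and 7 (not from the article).
# Assumes Linux with df, ss and ps; the paths are placeholders for your layout.

WEBROOT="${WEBROOT:-/srv/www}"         # placeholder web root (step 3)
LOGDIR="${LOGDIR:-/var/log/apache2}"   # placeholder log directory (step 6)

# Device holding a path: POSIX df output, second line, first column.
device_of() { df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}'; }

# Step 3: web content, system files and logs must be on three different devices.
separate_partitions() {
    root=$(device_of /); web=$(device_of "$1"); logs=$(device_of "$2")
    [ -n "$root" ] && [ -n "$web" ] && [ -n "$logs" ] || return 1
    [ "$root" != "$web" ] && [ "$root" != "$logs" ] && [ "$web" != "$logs" ]
}

# Step 2: parse `ss -tlnp` lines on stdin into "port process" pairs so the
# listening services can be reviewed against what the web server actually needs.
listening_services() {
    awk 'NR>1 { n=split($4,a,":"); proc="?"
                if (match($0,/users:\(\("[^"]+"/)) proc=substr($0,RSTART+9,RLENGTH-10)
                print a[n], proc }'
}

# Step 7: count processes named $1 that run as root, from `ps -eo user,comm`
# lines on stdin. Apache keeps one root parent to bind port 80; more than one
# means the workers never dropped to the unprivileged service account.
root_process_count() {
    awk -v p="$1" 'NR>1 && $1=="root" && $2==p {c++} END {print c+0}'
}

# Constructed sample output (not from a real host) used to exercise the parsers.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=612,fd=3))
LISTEN 0      511    *:80              *:*           users:(("apache2",pid=900,fd=4))
LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=700,fd=7))'
PS_SAMPLE='USER     COMMAND
root     apache2
www-data apache2
www-data apache2
root     sshd'

echo "listening services (review anything the web server does not need, e.g. cupsd on 631):"
printf '%s\n' "$SS_SAMPLE" | listening_services
echo "root-owned apache2 processes: $(printf '%s\n' "$PS_SAMPLE" | root_process_count apache2)"
if separate_partitions "$WEBROOT" "$LOGDIR"; then echo "partitions: OK"; else echo "partitions: shared or missing"; fi
# On a live host: ss -tlnp | listening_services ; ps -eo user,comm | root_process_count apache2
```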

8. Use scanners

Scanners are practical tools that help automate and ease the work of securing web applications and web servers. Scanners that include a port scanner can scan the ports of the web server hosting the web applications being tested. They run various security checks against the network services and open ports on your web server.

9. Remove software extensions and unused modules

Default Apache installations have various predefined modules enabled. Turn off the modules you do not use, so that they cannot be attacked. This also applies to Internet Information Services (Microsoft’s web server). By default, IIS is configured to serve various application types such as ASP.NET, ASP and more. The application extension list should only contain the extensions the web applications or website actually use. Each application extension should be restricted to the HTTP verbs it requires, whenever possible.

10. User accounts

Any default user account created when an operating system is installed should be disabled immediately afterwards. It is also necessary to examine the long list of software that has been installed on the server, and to check it regularly and frequently. The admin account should be renamed and should not be used; the same applies to the root user on a Linux/Unix install. Every admin accessing the server should have their own user account with the privileges they need. It is also highly recommended not to share your user account information with anyone.

Conclusion

In our modern era, tips and information on software and operating systems can easily be found on the Internet. It is useful to stay informed and to keep educating yourself about new tools and new attacks. One easy way to do this is to read security magazines, forums, newsletters or other communities. Knowledge is power, and the more you learn, the better you will be able to protect your server-side scripting.

Guest author Alfred Richards is an experienced web designer with profound knowledge of web hosting and web marketing; to learn more, visit his site, VPN service.

Pastry Box Project

The Pastry Box Project calls itself sugar for your mind. It’s been going since January, but I just found it mentioned on A Blog Not Limited. 30 top web designers baking up one cup of sugar a day. A must-subscribe feed.

The Pastry Box is a great online resource for teaching. It’s a daily dose of whatever the writer is thinking about in relation to the web – a sort of limited-time A List Apart, if you will. A few of the thinkers involved are Andy Clarke, Bruce Lawson, Dan Moll, Denise Jacobs, Emily Lewis, Ethan Marcotte, Jenn Lukas, John Allsopp, Lea Verou and many more leaders in the web design community. The project is the brainchild of Alex Duloz.

Here’s the thing: what do you think of the color scheme? I sort of love the simplicity of it.

[Image: screen capture of the Pastry Box Project writers page]

Useful links: Komen fiasco, CNN sued, ARIA widgets

Lessons from the Susan G. Komen/Planned Parenthood Firestorm. A social media meltdown can happen to anyone. Go read the takeaways in this analysis.

CNN sued over lack of closed captioning on website. “The suit accuses CNN and its owner, Time Warner, of violating state disability laws by denying full online access to more than 100,000 Californians who are functionally deaf.”

Understanding ARIA widgets. Good code examples.

Have a little fun with QR codes

There’s a beta site called QRhacker that has a clever twist on QR codes. It will generate a QR code for you based on some text, a URL, a phone number, a V card, or wifi access. Then you can customize it by adding a photo in either the background or the foreground. You can also select a foreground color.

I made two and saved them as images. One has my photo in the background, one in the foreground. Try them out and see where they take you.

[Images: QR code with my photo in the background; QR code with my photo in the foreground]

Changes in WordPress free sites

I have another blog called First 50 Words. It’s one of the free WordPress blogs, with a wordpress.com URL. I use that blog to post writing prompts for writing practice. For the past few months, there has been a constant reminder on the free blog, suggesting I upgrade to pro. This would mean I’d get a “real” URL. It isn’t expensive to do. I think the last time I looked it was $17.

But I like things the way they are. WordPress hosts thousands, perhaps millions, of free blogs. I don’t blame them for wanting some money from all the moochers like me who are using their free services. I just don’t want to change my blog or my URL.

WordPress won’t leave things alone. Now they are throwing up an annoying sidebar after each post is published.

[Image: the WordPress sidebar]

To get rid of the sidebar, you have to click. What you are left seeing after you do that is the newly published post. So WordPress arbitrarily decided that the next thing I want to do every time I publish a post is 1) see an intrusive sidebar, and 2) look at the new post. Since it’s dead easy to view your published post without any urging from the WordPress interface, I don’t really need this help.

I can only conclude that this is WordPress’ way of annoying me into going for the upgrade. It isn’t making me want to upgrade. It’s making me mad.

Dear WordPress, if you’re listening, I’ve used you here on Web Teacher and in other places for years. You are my favorite. You are my sunshine. You are my morning coffee. But you need to rethink the sidebar thing. Please.

Should You Have a Comment Policy?

Reading blog comments can be painful. For every insightful and well-thought-out post there are at least 10 spammers, trolls and illiterate shrieking banshees just looking to start a fight. This is hard enough when you are a visitor trying to sift through all the garbage to find the occasional diamond to respond to. But it is an impossibly frustrating task when you are the blog owner or writer, and you are forced to find those that actually offer you something decent to work with.

Worse is when a flame war breaks out, and there are always plenty of offensive, obscenity-filled, bigoted or otherwise negative comments you have to decide to either keep or delete. This isn’t a simple decision when you are trying to keep an open and yet friendly place for visitors to share their thoughts and opinions.

[Image: Comment Policy (Image Credit: 1)]

Usually when I give bloggers a rule of thumb on this issue, I tell them this: If it doesn’t contribute anything to the conversation, it isn’t necessary. If you have a bunch of posts only written by spammers to share websites, they don’t add anything to the discussion. If you are reading endless posts by a troll who is insulting the reader base or blog with no specific focus or reason, they are not giving you something to think about. These comments don’t belong there.

But sometimes deleting such things can cause even more havoc as they begin to point it out. This is why it helps to have guidelines you can direct anyone to prior to the comments being posted. This set of rules should lay out what won’t be tolerated and what you will do in the case of such violations.

Creating a Comment Policy

What Problems Are Obvious?

To start writing this section, you should take a look through your posts and see what things you find that bother you. Make a list of what you won’t allow to continue. This will give you the baselines for the rules.

What Will You Do About It?

Next, come up with a system for mild, moderate and severe violations. For instance, say you have a spammer who is posting genuine comments, but putting keywords into their names and obviously sharing links. Maybe you decide to delete the comments. But if they come back with nothing but copy/paste and irrelevant comments, you ban the IP address.

Another example is for trolls: If you have someone who is causing trouble, you can delete the comment and give a warning for a mild infraction. If they continue, give them a temporary ban, and if they still persist or step over a line, ban them permanently.

How Will You Present It?

[Image: Comment Policy (Image Credit: 2)]

For the actual comment policy page you have two options: professional or personable. I have seen both used to great effect. The first requires you to give a dry rundown of your general policy, just stating that you reserve the right to delete comments or bad members for certain offensive acts. The other is a lengthier page explaining why you have chosen to come up with a comment policy in the first place. I prefer the latter.

Should Comments Be Moderated?

If you want to make sure your policy is strictly enforced, you can choose to approve or deny comments prior to publication. Of course, this takes a lot of effort and time. To get around this you can apply a spam filter to aid you. Or, if you have several people working for the site, you could just have them cover the comments on their own pieces.

Conclusion

So, should you have a comment policy? Yes. People have a tendency to push social boundaries online they wouldn’t in person, due to the anonymity and the feeling of protection from behind their keyboard. Most act responsibly, but there are plenty who do not. It is best to filter them out for the sake of pleasant and productive commenting, rational feedback and criticism and lively (levelheaded) debate.

Guest author Olivia blogs for PsPrint, an online printing company specializing in brochure and poster printing among other popular services. Follow PsPrint on Twitter and Facebook.

Komen Can Kiss My Mammagram

[Photo: Looking, by Tim Waclawski via Flickr]

As anyone who pays attention to the social blogosphere and the network news knows, the Susan G. Komen Foundation decided to stop funding Planned Parenthood’s breast cancer screening and mammogram program.

I’m a woman and a liberal. It doesn’t take much more information than that for you to know that I think politicized right-wing attacks on the rights of women to receive important health care are wrong. But that’s not what I want to talk about.

I want to talk about how social media – Twitter, Facebook – and motivated individuals with connections online can change the outcome of an event. The Komen Foundation mishandled this event in social media terms. The supporters of Planned Parenthood used social media to their advantage. The consequences include damage to Komen’s reputation, lots of discussion about what Planned Parenthood really does, and many donations rerouted from the Komen Foundation to Planned Parenthood.

Instead of retelling the story of how this happened, I’ll send you to Beth’s Blog, where she’s already recounted it. Go see what social media can do to help a cause, or to slam a social-media-clueless organization.