Kryptronic Software Support Forum

my config.php file was rwxrwxrwx...not sure if that was bad, but it still is until hosting company changes ownership of file (currently nobody/nobody, so I can't change permsissions)

The one major drawback to the installer system CCP uses its it wants everything 777 and that makes the files writeable by anything that can get on the box.  This is especially true of shared hosting environments.

I agree on a solid dedicated environment 777 isn't as big a problem.  Still two thoughts.  First for security one should always use the lowest permission setting possible to get the job done.  This is just wise and strong security.  I don't like 777 or 666 except for general temp directories.  They are just a security hole.

The problem with 777 on shared environments is one is at the mercy of any other site.  For example if someone else has Joomla installed and a hack is done on Joomla depending on the compromise an attacker could tell Joomla to overwrite all index files in the /home directory (which is often where sites are stored).

If something is 777 or 666 then anyone on the server can overwrite that file but at least with 644 or 755 (the two common permissions for non global writes) then such an attack would fail as only the owner can perform writes.  Heck on a shared environment (without a chrooted/jailed environment) one can create scripts and read directories, even with write permissions off, which includes discovering the database information.  That is one reason I strongly suggest people run VPS/VDS as soon as possible.

I realize Dave you know this but I thought I would share these thoughts with the community.

Virtual Private Server/Virtual Dedicated Server (Two terms used to mean the same thing)

That way its your environment and if Joe's site is attacked it is his problem as the hack should be contain to his container area.  Of course if a DOS attack occurs well that can effect anyone on that server or network but at least with DOS your files are safe.

Well a VPS is a dedicated environment.  You just order it like shared hosting.  If you want references I can provide some (no I don't work for any hosting companies).  Although like anything in life the quality of hosts vary widely and keep in mind things like cPanel/WHM aren't the safest environments in the world.  In fact a security tech at Secureworks I know says they could make a full time living patching just cPanel/WHM.  I will give cPanel credit they are getting better but still know the risks.  Often when making things easier it comes at the cost of security.  Note I said often not always.

For a shopping cart if you want the best security get a VDS/dedicated server and reduce its attack surface by locking down all you can.  For example if you don't need DNS turn it off (many domain providers now provide DNS services), make sure telnet is off and use SSH, etc.  Also get a firewall (hardware is better as it doesn't take server resources and isn't at the mercy of a possible server OS hack).

I realize it costs money but even the simple act of getting a $35/month VPS will increase your security a lot.  Of course nothing is foolproof and like in the real world the bad guys will never run out of targets but there is the key.  Don't make yourself an easy target as just like in the physical world most evil doers will pass a house by with a security system to hit one that doesn't have one.  So make it harder for them and some simple steps can also stop a lot of automated bots and such that run 24/7 searching for weaknesses.

Plus with a VPS you can do some advanced things to reduce your attack surface.  In one of my other threads I was seeking to possibility start a security type area but it doesn't look like people are that interest.  I can't say I am surprised as I know most don't think much about security, performance or backing up things until its to late.

Hello Dave,

I do understand that most people just don't know.  I interact with a lot of small business owners (in fact we have several products that teach about starting online businesses) and I have taught computer classes in the past.  I even ran one of the biggest computer help chats on Yahoo! Chat years and years ago.  So believe me I understand that idea.

I also realize many on here are one or two people operations.  We aren't a big enterprise either.  Still my idea for the forum (and you guys might not want it anyway) was simply to build an area for security and performance tips, tricks, ideas, etc to those interest and those who want to learn.

I also don't believe this is basic insurance.  Well some of it is but there are a lot of bots that scan the internet all the time looking for known issues.  Its just like spyware millions and millions and millions of computers around the world are infected with trojans, root kits, etc.  Neither is a trivial problem.  How many times do I read in eWeek or such were some automated SQL injection bot hit 50 to 100K sites.  Those sites weren't hit with some person but other computers.

I know the bad guys often will read about patches to Windows, Joomla, Wordpress, etc and then program a bot knowing few people update their installs.  Heck there are even back market sites that compile all that data and sell as subscription to the bad guys/evil doers.  So while I understand say an advanced dedicated firewall device is way over the head of most CCPers I don't think a VPS is or should be.

CCP is a very safe application and Nick does an awesome job.  Outside of the 777 thing which is going way you said (great news) I have no complaints about CCP security.  Still CCP doesn't run in a vacuum.   It is at the mercy of Apache, ISS, Bind, other PHP applications running on the box, etc and as you know the list is long.

Security is a journey and not a destination.  As hackers say just cause I can't today doesn't mean I can't tomorrow.  I also don't paint myself as any security guru but still I do what I can to make our company as safe as possible and I like passing along information to help others.

Last edited by cyberws (04-06-2009 13:24:11)

That's also a very valid point James. As I used to say in my "sales pitch", what would happen to your business if every computer in your office vanished overnight (used that as the tag line on the back of my business cards too)?  Most people were horrified by the thought but either couldn't afford to do something about it or weren't too concerned that it might happen to them.