Hi Sam,
On Tue, Oct 08, 2013 at 11:01:40PM +0200, Samuel Bächler wrote:
> Yesterday a friend asked me how I'd build a webstore. I told him that I
> would take something like Magento[1] or OpenCart[2] for that. But I could
> not tell him how I'd set things up to protect the store against getting
> compromised. Could anyone come up with a suggestion on how to build up a
> webstore securely using BitFolk's infrastructure?
Assuming that the payment processing will be taking place externally
to the VPS, e.g. via some sort of payment gateway third party, which
is common, then really your question becomes:
How do I securely run large, popular PHP web applications on a
small virtual server?
That's a big topic but I feel confident that if you took simple
measures such as:
- Stay absolutely on top of security updates for the application
itself
- Put some effort into securing any administrative web interfaces,
like phpMyAdmin or whatever
- Restrict administrative access wherever possible, as much as
possible
- Reiterate those restrictions with IP-level blocks, for example, if
only a few people need access to particular URL spaces used for
admin functions, then by all means restrict access to those URL
paths by IP address. That would be like the wp-admin/ URLs in
WordPress - why let people view them if you don't need to?
- Make as much as possible of the web space the application runs
from read-only
- Research the given application's community for tips and tricks of
securing it. There are often simple measures that frustrate the
vast majority of the attacks out there.
then I think you would be ahead of 90%+ of the other people running
the same popular app.
And that is really all you need.
Most compromised VPSes I see did none of the above and attackers got
in via very simple means.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"SCSI is usually fixed by remembering that it needs three terminations: One at
each end of the chain. And the goat." — Andrew McDonald
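A check for the "make the web space read-only" item above, added here as an example and not part of Andy's message or of BitFolk's tooling: a POSIX shell function that lists every group- or world-writable file or directory under a web root, skipping the few directories the application legitimately needs writable. The Magento-style `var` and `media` directory names in the demo are an assumption; pass whichever paths your application actually needs.

```shell
#!/bin/sh
# audit_writable ROOT [ALLOWED_DIR ...]
# Prints, relative to ROOT, every file or directory whose mode bits grant
# group or world write access and that is NOT inside one of the ALLOWED_DIR
# paths (relative to ROOT). A clean deployment prints nothing.
# Note: this inspects mode bits only; a file the web server user owns is
# writable regardless of mode, so keep code owned by a separate deploy user.
audit_writable() {
    root=$1
    shift
    # -perm -002 = world-writable, -perm -020 = group-writable (POSIX find).
    find "$root" \( -perm -002 -o -perm -020 \) -print | while read -r p; do
        rel=${p#"$root"/}
        skip=0
        for allowed in "$@"; do
            case "$rel" in
                "$allowed"|"$allowed"/*) skip=1; break ;;
            esac
        done
        [ "$skip" -eq 0 ] && printf '%s\n' "$rel"
    done | sort
}

# Demo on a constructed tree (assumed layout: var/ and media/ are writable
# by design, everything else should be read-only).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app" "$tmp/var/cache" "$tmp/media"
    chmod 755 "$tmp/app" "$tmp/var"
    chmod 775 "$tmp/var/cache" "$tmp/media"
    touch "$tmp/index.php" "$tmp/app/config.php" "$tmp/media/logo.png"
    chmod 644 "$tmp/index.php"
    chmod 666 "$tmp/app/config.php" "$tmp/media/logo.png"   # config.php is the defect
    echo "Writable outside the allow-list:"
    audit_writable "$tmp" var media
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh audit_writable.sh demo` to see the constructed case; only `app/config.php` should be reported.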