Login Security For Websites

Jun 9, 2007

How to best secure logins and password storage: I'm trying to come up with a set of tools to make this easier, but first I'd like to hear opinions on whether my ideas are feasible and, most importantly, secure.

Most scripts (including very popular ones like phpBB) send the password & username over HTTP, then perform an MD5 hash on the sent password on the server and compare it to the hash stored in the database.

I'm thinking this is really quite insecure for more than a few reasons.

1) The password could easily be sniffed since it's sent in plain text
2) MD5 is a pretty weak hashing algorithm with plenty of exposed vulnerabilities
3) If a hacker were to get their hands on the database, they could just brute force (birthday, rainbow tables, etc.) the passwords and get the passwords of a large group of users in a fairly limited time, since people are horrible with their passwords

I'm thinking a secure alternative could be something like...

1) Combine the password and username client side (via JS) and send the username in plain text, but instead of the password send a hash (preferably with a strong algorithm like SHA256) to the server.

-- This would increase the work of a hacker who managed to sniff out the connection, right? This shouldn't be a major drain on bandwidth (SHA256 JS code < 3.5 Kbs), and the length of the hash shouldn't cause any major additional load, right?
-- Obviously HTTPS would be a much better solution, but that's quite a bit harder to implement.

2) The server should then perform plenty of operations on the hash sent by the password, the most important of which would be salting the hash and rehashing the result.

-- This would make it nearly impossible to use rainbow tables, and a hacker would have to separately brute force each user's password?

Okay, the set of tools for developers I mentioned earlier in this post is available at [url]. I'd like some opinions on whether this is even a good idea, and if I'm doing anything (or nothing) right. I'm going to be making additions to common applications to help increase the level of security in the passwords department.

Security Leaks Within Websites

Apr 25, 2007

In my /tmp folder I found a file bind.tar.gz and an unpacked directory called bind which contains a bot script.

I've tried figuring out where it came from, but after scanning some logs I didn't find the source... Could anyone tell me what steps to take to find out how it got there and from what user, so I can have them close the leak?

CPanel Prompts Login On Websites Index

Jan 25, 2008

I'm having an issue on my buddy's website. He keeps getting this weird login prompt whenever you view his website. I thought it was just for his site itself, but then I remembered e107 never has a pop-up prompt to ask you to log in. I looked closely and realized it said it's for cPanel. So whenever you try to view the index page of his site it asks you for your user name and password. Very odd... Anyone know what could be causing this?

VPS With WHM/cPanel Webmail - Login ... Then Login Fails

Jan 31, 2008

Just got a new additional VPS with WHM/cPanel.

Browse to www.mydomain.com/webmail and get login box > login accepted and taken to Horde/Squirrelmail choice screen > choose Squirrelmail and get login box ... login not accepted! > Retry and choose Horde ... login not accepted!

The login is correct and the results are the same when logging in as root, or through /cPanel or /Webmail.

MOTD In Front Of Login And After Login.. How

Apr 9, 2007

I had access to some servers via SSH, and when I try to connect I get:

Welcome to The HOST!
login as: nickname
--------------------------
We monitor/log everything on that server! IP Logged!
--------------------------
nickname@host's password:
.............

I know that there is the motd file in /etc where I can put a message, but I only see it once I have been fully recognized by the server (after entering the password). How can I put up the other 2 messages?

Plesk Automation :: Login As User From Admin / Actual Login As User Are Different

Jan 3, 2014

When I find the subscription from the admin side of PPA and select "Login as user", I've noticed that it is different from actually logging in as the user. For example, "add domain alias" is missing when I log in as a customer, but not as an admin... I need my customers to add their own aliases and manage them. How do I add that feature to the client login side?

Joomla Security / Linux Security

Apr 4, 2008

I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.

When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.

However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so, as he doesn't have a root-level login, just permissions on his home directory, which is the site. Any help would be much appreciated.

Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than their parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.

How Do Websites Get Hacked?

Oct 20, 2008

Every now and then I'll run into a website that has a message that says it was hacked by a certain hacker. How exactly do they do this? Do they hack into the actual server, or do they somehow get hold of the website owner's FTP info?

How Many Websites Can Stand On VPS

Oct 19, 2009

How many websites can stand on a VPS with the following configurations?

I'm asking this because: can I install a WHM reselling script like whmphp, or WHM Reseller Creator?

They enable creating a master reseller and a WHM reseller, respectively. So there will be a huge number of websites, databases and emails hosted on the VPS.
So which one to choose?

1.
Disk space - 10 GB
Bandwidth - 200 GB
Burst. RAM - 256 MB
Gurnt. RAM - 128 MB
Max CPU Usage (per CPU) - 80 %
OS - CentOS 5.3

2.
Disk space - 20 GB
Bandwidth - 400 GB
Burst. RAM - 512 MB
Gurnt. RAM - 256 MB
Max CPU Usage (per CPU) -
OS - CentOS 5.3

3.
Disk space - 30 GB
Bandwidth - 800 GB
Burst. RAM - 1024 MB
Gurnt. RAM - 512 MB
Max CPU Usage (per CPU) -
OS - CentOS 5.3

How Many Domains/websites On A VPS

Oct 17, 2009

I have a pretty 'beefy' VPS (Future Host 'Titanium' plan, 1Gb RAM, equal share, 750 Mb bandwidth, 50Gb disk).

I'm using it mostly to host relatively small, low-traffic Wordpress sites. Right now, there are about 40 domains & blogs set up.

The majority see only a few dozen visitors per day. A few have traffic around 100 visitors, and 1 or 2 may get up to 500 per day.

My question is, what might be a comfortable limit on domains/blogs I can host before I should start thinking about adding a 2nd VPS?

Can't Connect To Outside Websites

Jul 30, 2009

We can't resolve any outside websites, for example wget won't resolve any websites.

elvis:~# wget [url]
--2009-07-30 03:12:15-- [url]
Resolving g-ecx.images-amazon.com... failed: Temporary failure in name resolution.
wget: unable to resolve host address `g-ecx.images-amazon.com'
elvis:~#

How can we debug this? It's just started doing this; before, it was fine for months.

We can resolve IP addresses fine.

elvis:~# wget [url]
--2009-07-30 03:18:08-- http://206.251.77.82/~proxy/images/b...ntent-view.png
Connecting to 206.251.77.82:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 241 [image/png]
Saving to: `background-content-view.png'

100%[======================================>] 241 --.-K/s in 0s

2009-07-30 03:18:08 (63.8 MB/s) - `background-content-view.png' saved [241/241]

elvis:~#

How Can I Host My Own Websites

May 15, 2009

I have three domains that I want to host myself on my own computer. Two are temporary sites that I only put up on Memorial Day weekend for the Detroit Electronic Music Festival or Movement 09 to direct people to my after parties and the other site is a two page bio site for myself. I have a very tight budget this year and I can't afford to pay for web hosting all year round when these are only temporary sites even though I own the domain names all year round. I do know some of the promoters for the festival do the hosting themselves.

Websites Timing Out

Mar 10, 2008

I'm not sure why my brand new dual-proc quad-core Xeon 2.5GHz Harpertown gets timeouts when the server load is under .5

Like, it'll be running ultra fast and suddenly I can't get into SSH, WHM, my websites or anything. When I ping it, no response. Is it because it restarted itself?

How Come The Big Websites Never Have Downtimes

Jun 14, 2008

Just out of curiosity, do the big boys deploy hosting solutions that are different from the ones we know?

They never complain of Network Outages or Hardware failure. How come the likes of Yahoo, Facebook, Youtube and the others are always there any second you need them?

How To Access Websites

Jul 24, 2008

Earlier, when my client's domain was not resolved, he used to easily access his website using [url]

But after putting in the openbase dir protection, they cannot access the site anymore.

How can the user view their site when openbase is protected?

Types Of Websites

Oct 8, 2008

What are all the different types of websites? I know there's e-commerce, forums, blogs, personal, etc. What are some other types of websites people start?

For Streaming Websites

Oct 31, 2008

If one video was ~128MB and I had 800 videos, and if I had 3000 views on each video, then would a 100mbps line be able to handle that?

Websites Are Not Loading

Feb 2, 2007

This is a little weird: I am not able to see any of my websites on my home network, but from anywhere else they seem to load just fine. Even when I go through a proxy site they load. I'm still able to get to WHM and cPanel from my home, but the websites themselves do not load.

This started happening yesterday, and after a few hours it seemed to work again on its own.

Some Of My Websites Have Been Hacked

Jun 8, 2007

I have a reseller account with canaca.com; the safe mode & security mode are on, and everything was great until those hacker bastards appeared! They somehow could upload PHP shell files to my websites, and then they deleted everything in 4 of my websites!
I contacted my tech support and they restored my websites, and I checked that there were no shell files. The next day, my websites were hacked again and there were PHP shell files in them!
I deleted those goddamn files and I deleted the page that the hackers put on my websites ("your security is zero, and we will hack the entire server.."), but after 3 hours the pages returned and the shell files are there! I don't believe that!
The unbelievable thing is that when I want to run those PHP shell files, the safe mode stops them from doing anything! So how can those bastards do what they do? How can they upload the files in the first place? Is there any solution to this problem? Because I have restored my websites about 3 times now, and every time I restore, they hack it again and again!

Cannot Access Websites

Jan 17, 2007

I think I broke my server. I was trying to install Zend Optimizer, but it didn't work.

After doing some research, I found out that I needed to disable selinux. After doing so, I rebooted. Then I installed Zend Optimizer and rebooted again.

Since then, all my websites have been inaccessible. I can access my server through the Plesk control panel, but connections to my websites just time out.

What can I do to fix this?

Edit :
I can access my sites via FTP as well.

Edit 2 :
I tried starting Apache with the following command:

/sbin/service httpd start

...but it keeps on telling me that the service is already in use.
It seems like TCP is bound to port 80.

UK VPS For 15 Websites And VPN Server

Jul 3, 2007

I currently have a reseller server in the States, but I've seen that for the money I'm paying (and I'm not actually using the space) I can get a VPS server here in the UK which I can combine for web hosting and other development projects. I am after a UK-based VPS for the following requirements:

Host 15 websites

Access the box remotely and dial in to the box, which needs to be configured as a VPN server (the box will act as a router; I presume masquerading on eth0 for the connected VPN clients to go out through the server and onto the net).

Traffic will not be too high, maybe around 75GB per month.

Around 3-4 websites run forums (small-size phpBB), and the other sites are again small and mostly used for email.

I will need full root access and maximum configurability.

Preferably SUSE 10, as I have worked with that before, but I am open to suggestions for another OS. I need to configure the pppd service, and the easier this is via the OS, the less time I have to dig into scripts and the terminal! I wouldn't mind Windows, but on a VPS this will be a resource drain, so I am happy to get more performance from the box by sticking with the smaller footprint of Linux.

Plesk for website management, or cPanel; I don't mind either way.

I don't, however, know how much CPU/RAM I will need. What is a sensible amount? I don't think my requirements are too strenuous; what would be a good sensible amount of RAM to select to allow me to host, say, 50 web sites in future?

I have heard good things on the forums for the following:

a2b2.com
cheapvps.co.uk
1and1.co.uk

I know you get what you pay for, so I do need something reliable, but if people say the service from the above sellers is good I will go for them, as the price is fantastic. It would be great to hear other recommendations also.

How Do Websites Know IP Addresses

Apr 29, 2007

Does the client tell the site, or does a third-party internet "authority" do so?

I've heard of a guy who made a program that keeps changing our IP. How can anyone do that?

I thought it requires a proxy to hide your IP. You can't just "lie" to a server, right?

VPS You Can Host Multiple Websites?

Apr 27, 2009

So with a VPS you can host multiple websites?

Do certain packages come with WHM where you can make an account for each of your domains?

Also, what is the importance of having more IPs? Does having 1 IP allow me to have only 1 site hosted?

Multiple Websites On One Server

Jun 16, 2009

We have one dev server that is hosting a website. I would like to use the same server to host another internal website. Can I do that?

I am using the Linux CentOS OS.

Hack Erases 100,000 Websites

Jun 9, 2009

Don't know if anyone else saw this.

[url]

Once again points out the importance of backups.

Check Websites Before DNS Propagation

Feb 23, 2008

I used to check new websites before DNS propagation by adding an entry to the windows/system32/drivers/etc/hosts file, and it used to work perfectly. But nowadays I think IE7 and Firefox 2 are bypassing the hosts file, and the method is not working.

Is there any alternative method to check the website before DNS propagation?

Websites Email Going To Spam

Sep 16, 2008

I currently have a problem with my website's email going to spam. Most of the mail my website sends out (responses to registration, lost passwords, etc.) gets sent to spam. I have never used this site to send mass email or newsletters. I was thinking of getting an externally hosted email solution, but wanted to know what you think is the best solution for this and what you use to send out emails from your site.

Copyrights 2005-15 www.BigResource.com, All rights reserved