how to best secure logins and password storage, I'm trying to come up with a set of tools to make this easier, but first I'd like to hear opinions if my ideas are feasible, and most importantly secure.
Most scripts (including very popular ones like phpBB) send the password & username over HTTP, then perform an MD5 hash on the sent password on the server and compare it to the hash stored in the database.
I'm thinking this is really quite insecure for more than a few reasons.
1) The password could easily be sniffed since it's sent in plain-text
2) MD5 is a pretty weak hashing algorithm with plenty of exposed vulnerabilities
3) If a hacker were to get their hands on the database, they could just brute force (birthday, rainbow tables, etc.) the passwords and get the passwords of a large group of users in a fairly limited time, since people are horrible with their passwords
I'm thinking a secure alternative could be something like...
1) Combine the password and username client side (via js) and send the username over plain text, but instead of the password send a hash (preferably with a strong algorithm like SHA256) to the server.
-- This would increase the work of a hacker that managed to sniff out the connection, right? This shouldn't be a major drain on bandwidth (SHA256 JS code < 3.5 KB) and the length of the hash shouldn't cause any major additional load, right?
-- Obviously HTTPS would be a much better solution, but that's quite a bit harder to implement.
2) The server should then perform plenty of operations on the hash sent by the password, the most important of which would be salting the hash and rehashing the result.
-- This would make it nearly impossible to use rainbow tables, and a hacker would have to separately brute force each user's password?
Okay, the set of tools for developers I mentioned earlier in this post is available at [url]. I'd like some opinions on whether this is even a good idea, and if I'm doing anything (or nothing) right. I'm going to be making additions to common applications to help increase the level of security in the passwords department.
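As an added example (not code from the post or from the linked toolkit), this Python sketch models the two steps the post proposes: the client-side SHA-256 digest of username and password, and the server-side per-user random salt plus key stretching, using PBKDF2-HMAC-SHA256 with an assumed iteration count as a stand-in for "plenty of operations". The username/password values and the record layout are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; tune iterations to the server's budget.
ITERATIONS = 200_000
SALT_BYTES = 16


def client_side_digest(username: str, password: str) -> str:
    """Step 1 of the post, modelled in Python: the browser would send
    SHA-256(username + ':' + password) instead of the raw password."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def create_record(received_digest: str) -> dict:
    """Step 2: the server adds a random per-user salt and stretches the
    received digest, storing only salt, iteration count and the result."""
    salt = os.urandom(SALT_BYTES)
    stretched = hashlib.pbkdf2_hmac("sha256", received_digest.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": stretched.hex()}


def verify(record: dict, received_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", received_digest.encode(), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def demo() -> dict:
    """Constructed scenario: two users share a password; one login attempt is wrong."""
    alice = client_side_digest("alice", "correct horse")
    bob = client_side_digest("bob", "correct horse")
    rec_alice, rec_bob = create_record(alice), create_record(bob)
    return {
        "alice_ok": verify(rec_alice, alice),
        "wrong_rejected": verify(rec_alice, client_side_digest("alice", "wrong")),
        # Same password, different salt: stored values differ, so one
        # precomputed table cannot cover both users.
        "salted_differently": rec_alice["hash"] != rec_bob["hash"],
        # What the browser sends is exactly what the server verifies, so a
        # sniffed digest is as good as the password: transport protection still matters.
        "digest_is_replayable": verify(rec_alice, alice),
    }
```

The `digest_is_replayable` entry is the caveat to point 1: client-side hashing changes what travels on the wire, not whether it can be reused.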
In my /tmp folder I found a file bind.tar.gz and an unpacked directory called bind which contains a bot script.
I've tried figuring out where it came from, but after scanning some logs I didn't find the source.... Could anyone tell me what steps to take to find how it got there and from what user, so I can have them close the leak?
I'm having an issue on my buddy's website. He keeps getting this weird login prompt whenever you view his website. I thought it was just for his site itself, but then I remembered e107 never has a pop-up prompt to ask you to log in. I looked closely and realized it said it's for the cPanel. So whenever you try to view the index page of his site it asks you for your user name and password. Very odd... Anyone know what could be causing this?
Browse to www.mydomain.com/webmail and get login box > login accepted and taken to Horde/Squirrelmail choice screen > choose Squirrelmail and get login box ... login not accepted! > Retry and choose Horde ... login not accepted!
The login is correct and the results are the same when logging in as root, or through /cPanel or /Webmail.
I had access to some servers via SSH, and when I try to connect I get:
Welcome to The HOST! login as: nickname -------------------------- We monitor/log everything on that server! IP Logged! -------------------------- nickname@host's password: .............
I know that there is the motd file in /etc where I can put a message, but I only see it once I'm fully recognized by the server (after putting in the password). How can I put in the other 2 messages?
When I find the subscription from the admin side of PPA and select "Login as user", I've noticed that it is different from actually logging in as the user. For example, "add domain alias" is missing when I log in as a customer, but not as an admin. I need my customers to add their own aliases and manage them. How do I add that feature to the client login side?
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so, as he doesn't have a root-level login, just permissions on his home directory, which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
Every now and then I'll run into a website that has a message that says it was hacked by a certain hacker. How exactly do they do this? Do they hack into the actual server, or do they somehow get a hold of the website owner's FTP info?
How many websites can stand on a VPS with the following configurations?
I'm asking this because: can I install a WHM reselling script like WHMPHP or WHM Reseller Creator?
They enable creating master resellers and WHM resellers respectively, so there will be a huge number of websites, databases and emails hosted on the VPS. So which one to choose?
1. Disk space: 10 GB; Bandwidth: 200 GB; Burst RAM: 256 MB; Guaranteed RAM: 128 MB; Max CPU usage (per CPU): 80%; OS: CentOS 5.3
2. Disk space: 20 GB; Bandwidth: 400 GB; Burst RAM: 512 MB; Guaranteed RAM: 256 MB; Max CPU usage (per CPU): -; OS: CentOS 5.3
3. Disk space: 30 GB; Bandwidth: 800 GB; Burst RAM: 1024 MB; Guaranteed RAM: 512 MB; Max CPU usage (per CPU): -; OS: CentOS 5.3
I have three domains that I want to host myself on my own computer. Two are temporary sites that I only put up on Memorial Day weekend for the Detroit Electronic Music Festival or Movement 09 to direct people to my after parties and the other site is a two page bio site for myself. I have a very tight budget this year and I can't afford to pay for web hosting all year round when these are only temporary sites even though I own the domain names all year round. I do know some of the promoters for the festival do the hosting themselves.
I'm not sure why my brand new dual-proc quad-core Xeon 2.5 GHz Harpertown times out when the server load is under 0.5.
Like, it'll be running ultra fast and suddenly I can't get into SSH, WHM, my websites or anything. When I ping it, no response. Is it because it restarted itself?
Just out of curiosity, do the big boys deploy hosting solutions that are different from the ones we know?
They never complain of Network Outages or Hardware failure. How come the likes of Yahoo, Facebook, Youtube and the others are always there any second you need them?
What are all the different types of websites? I know there's e-commerce, forums, blogs, personal, etc. What are some other types of websites people start?
This is a little weird: I am not able to see any of my websites on my home network, but from anywhere else they seem to load just fine. Even when I go through a proxy site they load. I'm still able to get to WHM and cPanel from my home, but the websites themselves do not load.
This started happening yesterday and after a few hours it seemed to work again on its own.
I have a reseller account with canaca.com; safe mode & security mode are on, and everything was great till those bastard hackers appeared! They somehow could upload PHP shell files to my websites, and then they deleted everything in 4 of my websites! I contacted my tech support and they restored my websites, and I checked that there were no shell files. The next day my websites were hacked again and there were PHP shell files in them! I deleted those goddamn files and I deleted the page that the hackers put on my websites ("your security is zero, and we will hack the entire server"), but after 3 hours the pages returned and the shell files were there! I don't believe that! The unbelievable thing is that when I try to run those PHP shell files, safe mode stops them from doing anything! So how can those bastards do what they do? How can they upload the files in the first place? Is there any solution to this problem? Because I have restored my websites about 3 times now, and every time I restore them they get hacked again and again!
I think I broke my server. I was trying to install Zend Optimizer, but it didn't work.
After doing some research, I found out that I needed to disable selinux. After doing so, I rebooted. Then I installed Zend Optimizer and rebooted again.
Since then, all my websites have been inaccessible. I can access my server through Plesk control panel, but connection to my websites just timeout.
What can I do to fix this?
Edit : I can access my sites via FTP as well.
Edit 2: I tried starting Apache with the following command:
    /sbin/service httpd start
...but it keeps on telling me that the service is already in use. It seems like TCP is bound to port 80.
I currently have a reseller server in the States, but I've seen that for the money I'm paying (and I'm not actually using the space) I can get a VPS server here in the UK which I can combine for web hosting and other development projects. I am after a UK-based VPS for the following requirements:
Host 15 websites
Access the box remotely and dial in to the box, which needs to be configured as a VPN server (the box will act as a router, I presume masquerading on eth0 for the connected VPN clients to go out through the server and onto the net).
Traffic will not be too high, maybe around 75GB per month.
Around 3-4 websites run forums (small-size phpBB) and the other sites are again small and mostly used for email.
I will need full root access and maximum configurability.
Preferably SUSE 10, as I have worked with that before, but I am open to suggestions on other OSes. I need to configure the pppd service, and the easier this is via the OS, the less time I have to dig in scripts and the terminal! I wouldn't mind Windows, but on a VPS this will be a resource drain, so I am happy to get more performance from the box by sticking with the smaller footprint of Linux.
Plesk for website management, or cPanel, I don't mind either way.
I don't however know how much CPU/RAM I will need; what is a sensible amount? I don't think my requirements are too strenuous. What would be a good sensible amount of RAM to select to allow me to host, say, 50 websites in future?
I have heard good things on the forums for the following:
a2b2.com cheapvps.co.uk 1and1.co.uk
I know you get what you pay for, so I do need something reliable, but if people say the service from the above sellers is good I will go for them, as the price is fantastic. It would be great to hear of other recommendations also.
I used to check new websites before DNS propagation by adding an entry to the windows/system32/drivers/etc/hosts file, and it used to work perfectly. But nowadays I think IE7 and Firefox 2 are bypassing the hosts file and the method is not working.
Any alternative method to check the website before DNS propagation?
I currently have a problem with my website's email going to spam. Most of the mail my website sends out (responses to registration, lost passwords, etc.) gets sent to spam. I have never used this site to send mass email or newsletters. I was thinking of getting an externally hosted email solution, but wanted to know what you thought is the best solution for this and what you use to send out emails from your site.