I came across this article written by a Greek EE student named Georgios Konstantopoulos. It was published in Hackernoon here: https://hackernoon.com/how-i-hacked-40-websites-in-7-minutes-5b4c28bc8824. It is aptly titled: “How I Hacked 40 Websites in 7 minutes”.
The key takeaways here are:
- If content can be uploaded, take precaution to prevent any execution of data within the upload folders. This is especially important for any CMS-driven website (WordPress/Joomla/Drupal/phpBB).
- Make sure that any web input is sanitized. Remember the XKCD cartoon “Exploits of a Mom”, starring Little Bobby Tables and his SQL Injection antics.
- Make sure your webserver runs as an unprivileged user, without a valid shell. This is usually “www-data” or “www”.
- Create proper user accounts and put the associated website data in them. Don’t be a schmuck and put all your websites under a single folder hierarchy.
- The webserver (Apache, Nginx, etc.) should run as the owner of the user folder that contains the website content (SETUID/SETGID).
- Close/Firewall unnecessary TCP/IP ports.
- Minimize the amount of services running on the server.
- For CMS and other database-driven websites, (1) never reuse the same database credentials across sites and (2) never use the SQL SuperAdministrator/Root credentials for database access.
- Just because you run Unix doesn’t make you hacker-proof. Check for patches weekly.
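As an added illustration of the first and third takeaways (not taken from the Hackernoon article), here is an nginx configuration that runs the workers as an unprivileged user and refuses to hand anything under the upload folder to PHP, while still serving it as static content. The site root, the `/uploads/` path and the PHP-FPM socket path are assumptions for the example.

```nginx
# Main context: worker processes drop to the unprivileged www-data account.
# (The account itself should be created with a non-login shell, e.g. /usr/sbin/nologin.)
user www-data;

http {
    include mime.types;

    server {
        listen 80;
        server_name example.com;                 # hypothetical site
        root /srv/www/example/public;            # hypothetical document root

        # Upload folder: "^~" makes this prefix match win over the regex PHP
        # location below, so uploaded files are only ever served as static data.
        location ^~ /uploads/ {
            add_header X-Content-Type-Options nosniff;

            # Defence in depth: anything that still looks like a script here
            # (shell.php, shell.phtml, shell.php.jpg ...) is refused outright.
            location ~* \.(php|phtml|phar|pl|py|cgi|sh)(\.|$) {
                return 403;
            }
        }

        # Normal PHP handling for the rest of the site.
        location ~ \.php$ {
            # Only execute files that really exist; blocks /x.php/evil path-info tricks.
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # hypothetical socket path
        }

        # Hide dotfiles such as .htaccess, .git and .env from the web.
        location ~ /\. {
            return 404;
        }
    }
}
```

Check the result with `nginx -t` and then request a test file such as `/uploads/probe.php` on your own server: a 403 confirms the upload folder is never passed to PHP-FPM.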