My servers have been compromised numerous times in the last 16 years... What i've learnt (the hard way)
95% of my security breaches happened because of unpatched scripts (commercial, open source or homebrewn).
To have some basic security you need to:
- chose a secure OS, i would personally recommand suse or RHEL if you're actually working with money. I would personally stay away from windows server (altough they've become pretty secure over the last couple of years)
- harden your OS... an example for RHEL5:
https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf- make sure you don't install any software that isn't strictly necessary, always chose for the most secure option (for example, i like to use postgresql instead of mysql if my script is properly written and allows me to chose)
- make sure your OS, installed binarys and installed scripts are always up-to-date
- if you do your own scripting, make sure what you're doing. One of the most used techniques (SQL injection) was already mentioned, but there are numerous other errors a scripter can make
- if possible, find somebody to do a decent penetration test (i guess that's what you're trying to do here)...
- spend some time thinking about rules and procedures for your staff, it wouldn't be the first time a business is compromised by social engineering instead of "real" hacking
I probably forgot some extra points of attention. And don't forget: the only service that can't be compromised is the service you never put online. Everything can be compromised, even the most secure and well-written systems.
My main point is: don't put all your eggs into one basket, make sure your whole concept is as secure as possible instead of just checking if all your scripts follow security standards...
