
Thread: Need info-In making of new business website!

  1. #1
    Senior Member | Join Date: Dec 2002 | Posts: 107


    Hey all,

    This summer I'm going to begin a website for my mom's business venture. She quit her ole' job at her attorney - was get'n too stressed out - and began her mark to be an entrepreneur. Her business is in the selling of European housewares and gifts. As a fairly new enterprise, her shop is going quite nicely. She actually travels to Europe and spots things that she believes would sell. They are then shipped via air - what other way!?....canoe maybe - and arrive here.

    My question to all of you is asking for links on websites that can help me so the website that I am going to make doesn't get defaced and how I can keep it secure. Eventually, and when I say eventually I mean in a fairly long time, and when I say fairly long time I do mean a couple of years, I want to make the kind of site where her consumers can shop for her items online. There are a lot of legal issues with this and before getting to the point of online shopping, I want to make sure I can prevent and handle a simple security defacement issue.

    Thx.
    -Jagfire19
    Victory to Success is only half won through the Habit of Hard Work...
    -Jagfire19

  2. #2
    Senior Member | Join Date: Oct 2001 | Posts: 786

    Well your best bet would probably be to search for a robust shopping cart program. Depending on who is hosting your server, this may/may not be possible. I.e., don't expect to do this on Geocities or anything like that. Odds are you don't want to be hosting yourself if you are fairly new in cyber-security and don't have the time to stay current with new developments. So shop around for a webhost that at least lets you use MySQL and PHP. You will need some sort of server-side scripting.

    Also, make sure that your hosting company has a good track record. If they have a lot of downtime, like my friend's host, that definitely isn't good. You also don't want a host whose main database server or web servers get hacked or owned. I don't have any suggestions to the different hosts, but googling and asking here might help. I.e., you might want to ask about specific web hosts after you do research and maybe someone might know a thing or two about them.

    As for the shopping scripts themselves, you might consider looking at http://www.hotscripts.com/ and checking out the scripts in different languages. There are thousands of scripts to check out, and I suggest you look under PHP. If your web host does Windows servers, then you could look into ASP. But PHP/MySQL on a Linux server are probably going to be safer overall unless you find a well managed Windows host. Anyways, you will want to look at different scripts there, and also Google them and read comments users left behind. If you have a secure server, but a weak script, then your website can be defaced (or worse, such as stealing customer information, etc). Make sure that the script you choose doesn't have huge vulnerabilities, and Google them just to make sure.

    Good luck.

  3. #3
    Senior Member | Join Date: Dec 2002 | Posts: 107

    Hey Tim_axe,

    Thanks bunches for the link and the input. I have a question though. Why is it that Linux provides better security? I'm thinkin it's because of the more options for securing the server, but I'm not entirely sure about that. Can you help me out and explain this or provide a link to where I can read about this?

    Thanks for your cooperation,
    -Jagfire19

  4. #4
    Senior Member | Join Date: Nov 2001 | Posts: 681

    really defacement is not the major concern, your big concern is going to be if you are trying to have people buy stuff online, you'll need a secure connection and so on. as for shopping cart scripts, they are easy enough to find and that includes free ones. if you go to google and search for "open php" you should find what you need. there are a lot of php script sites that have opensource, you just have to find what you need on em. and as was already said, you'll need a host that allows for php and mysql or it won't work. basically you are gonna have to pay for hosting somewhere to get that cause most free sites don't allow that.
    Learn like you are going to live forever, live like you are going to die tomorrow.

    Propoganda

  5. #5
    Senior Member | Join Date: Dec 2002 | Posts: 107

    Hey lord_darkside_x,

    Yah, paying for a website that is secure is of key importance when I end up getting to the extent of payment online, even before then too - even though it wouldn't be that hard to transport my script to another website after I begin "online shop." Do you have any links to web hosts that provide secure connections? Money is not an issue...although a cheaper one with the same features as another would be nice.

    Thx.
    -Jagfire19

  6. #6
    Senior Member | Join Date: Nov 2001 | Posts: 681

    off the top of my head i can't think of anything too exceptionally special... i know www.brinkster.com has sql 2000 available on all its pay subscriptions... but i don't know how secure they are. you'll basically have to shop around unless someone has a testimonial on here... most of the stuff i work with has a dedicated server...

  7. #7
    Senior Member | Join Date: Oct 2001 | Posts: 786

    I'll list sources at the end of this...

    There are many reasons that people choose Linux over Windows for a server. One concern is cost. You may think that the standard Windows XP Professional / 2000 Professional Operating System that costs around $300 or so is expensive... A license for Windows 2000 Server (Not Adv. Server or Datacenter Edition which is OEM only) starts at $1,000 and goes to $4,000 for 2003 Enterprise Edition. Luckily, you do not need such extravagant licenses to run a *basic* web server, such as IIS 4 and 5. Unfortunately, the most recent version of IIS is 6, and is only available with Windows Server 2003 which starts at $1,000/$1,200, and $4,000 for the Enterprise Edition...

    As you can imagine..., the costs associated with that filter down to the person who pays a hosting company to use the server...you. Luckily, it is possible to be a web host with the cheaper $1,000 version of Windows Server 2003 to get IIS 6.0. Otherwise, the companies hosting with older servers will have to buy 3rd party programs to add into IIS 4/5, and those aren't very cheap; although they *could* probably even write their own.


    With Linux, many times the very popular Apache web server is bundled in large distributions. If not, you can head over to http://www.apache.org and download your own copy. The Operating System can be freely downloaded. The MySQL (database) server is freely available also. Same with support for PHP, and any other scripting languages also. So there is a huge price advantage there. I guess that Microsoft's claims that Windows was cheaper to maintain than Linux are for a very small and specific class of users...no idea who they are though.


    So, after the people running the server save cash on the OS and hopefully charge less, the next important part is security... The people stuck on IIS 4/5 and not wanting to pay the cash for 2003 Server with IIS6 are at a disadvantage here, and will need lots of help from 3rd party software that can be expensive. Of course, if they know exactly which software they need they can cut costs by getting the better software, but there have been times where people have complained that some of the software broke compatibility with older web sites. Fortunately your site would be new, and you should find a good script / solution that this won't be an issue (compatibility).

    Another thing about security on IIS... IIS is hugely targeted by virus writers and black hat hackers. Remember Code Red? That attacked IIS very quickly. I guess there may have been a second worm that traveled through IIS even faster some time after that, and MS had offered a patch that nobody applied. Supposedly even patched systems were vulnerable? I don't quite remember much of this, but basically anyone running IIS was targeted by it.


    Meanwhile Apache simply returned a 404 error and logged it in the error log since the default.ida file or whatnot doesn't exist I think. On my own server, I found a 30MB file lying around and renamed it default.ida so that the 404 wouldn't show up in the error log. In a month's time my server had uploaded it many, many times; well over 1 GB uploaded... At the very least, while their infected servers were choking on the speed my 30MB file was uploaded to them they might not have been able to infect other people's servers. I haven't really heard of any major vulnerabilities about Apache, but every once in a while there are some big releases that many Linux System Admins (usually) quickly pick up. Recently keeping up to date in Linux has been made much easier with automated e-mails and such for OS like Red Hat Linux (Also known as Fedora Linux).


    As long as they only allow needed web services to be open to the Internet (FTP/HTTP/HTTPS/Email, etc) stuff such as NetBIOS doesn't come into play. (Port 135, etc) Overall I think, those services are more secure on Linux. Plus Linux does better to prevent different users from modifying each other's stuff, so if someone else on the server (most times you will share a server with 10-20+ other people) has their website compromised for some reason or another such as a vulnerable script, you have less chance of losing your web site's data. Most any Microsoft Vulnerability I have seen recently has some code or another that grants System (Administrator) access. If someone's website is hacked and the hacker runs that code, in most cases that Windows box is doomed. In Linux, I think they are limited to the current user and gaining root access is more difficult. So even if someone loses their website to some vulnerability, your section on that server isn't threatened as much provided the Administrator of the server separates the users logically.


    Anyways, most of this information will come from testimonials. You will want to find out what other people thought of a web host before you sign up for them. My friend signed up to one that had good prices, and later found out they have regular network downtimes. They have been fairly friendly to him though, although in the end it is costing quite a bit more for him. Just so you know, he uses 1T3 as his host. I recommend that you stay away from them for your website though.

    BTW, build a list of features you will need. You definitely need encryption offered by HTTPS. You will need server-side scripting, and database access. PHP and MySQL are very popular. Also, one important thing is payment. I.e., how do they pay? Via credit card you will need to work something out with individual credit card companies, although I doubt that someone would want to give out credit card information to a small business online. I don't really know much about this topic though, so you will need to do the research. Perhaps PayPal? Payment methods definitely need to be thought through. Good luck.


    Misc Web Links Concerning What I Mentioned:
    Something about supporting compression in HTTP, IIS, Apache, and other servers - http://itmanagement.earthweb.com/col...le.php/3068161
    Pricing for Windows 2003 Servers - http://www.microsoft.com/products/in...3740d&type=ovr
    Pricing for Windows 2000 Servers - http://www.microsoft.com/windows2000...ng/default.asp
    Code Red - http://www.cert.org/advisories/CA-2001-19.html
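
Added example, not part of the original post or thread: a small log summarizer for the `default.ida` probes described in post #7, counting hits, status codes and bytes sent per client. It assumes Apache's Common Log Format access log; the sample lines, addresses, dates and the function name `summarize_ida_probes` are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (documentation-range addresses, shortened padding).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2001:14:02:11 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '192.0.2.10 - - [01/Aug/2001:14:09:40 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [01/Aug/2001:15:30:02 +0000] "GET /Default.IDA?NNNNNNNN HTTP/1.0" 200 31457280',
    '203.0.113.5 - - [01/Aug/2001:15:31:47 +0000] "GET /index.html HTTP/1.1" 200 5120',
    'truncated or corrupt line',
]


def summarize_ida_probes(lines, path="/default.ida"):
    """Return ({host: {hits, bytes, statuses}}, unparsed_count) for `path`."""
    per_host = defaultdict(lambda: {"hits": 0, "bytes": 0, "statuses": set()})
    unparsed = 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            unparsed += 1  # count rather than silently drop malformed lines
            continue
        # Match on the path only; the probe's padding lives in the query string.
        # Compare case-insensitively so /Default.IDA is counted too.
        if m["target"].split("?", 1)[0].lower() != path.lower():
            continue
        rec = per_host[m["host"]]
        rec["hits"] += 1
        rec["statuses"].add(int(m["status"]))
        if m["bytes"] != "-":  # "-" means no body was sent
            rec["bytes"] += int(m["bytes"])
    return dict(per_host), unparsed


if __name__ == "__main__":
    hosts, bad = summarize_ida_probes(SAMPLE_LOG)
    for host, rec in sorted(hosts.items(), key=lambda kv: -kv[1]["hits"]):
        print(host, rec["hits"], sorted(rec["statuses"]), rec["bytes"])
    print("unparsed lines:", bad)
```

A 200 status with a large byte count on this path means the server is actually serving a file there, which is where bandwidth totals like the one in the post come from.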

  8. #8
    Senior Member | Join Date: Dec 2002 | Posts: 107

    Wow! Thanks a lot! I think I'll read some books and get more info on this subject before I begin the site. Thx again.

    -Jagfire19

  9. #9
    Senior Member | Join Date: Oct 2001 | Posts: 346

    My friend and I owned our own (rather successful) e-business, and he is considered the best at e-business in Canada, so if you need some help, feel free to email me, and we'll lend a hand.

    Regards,

    SSJVegeta-Sei


    Pierce me with steel, rend me with claw and fang; as I die, a legend is born for another generation to follow.
    An' it harm none, do as ye will. - Wiccan Rede

  10. #10
    Senior Member | Join Date: Aug 2003 | Posts: 300

    If you don't want to drop a lot of money on a pre-made shopping cart or you want to write your own, I would advise using PHP and SQL. I like that combination running on a secure (as secure as you can get) Apache server with good firewalls (both hardware and software) and if you update security apps and keep everything tightened down that should keep you fine for a long long while....and when I say a long while I mean...



    haha,
    Adiz
