views: 278
answers: 3

Hi community,

I'm currently building a website that allows public access after classic verification methods (captcha + email verification). I do my best to sanitize all of the inputs and stay in control of the data flows. I am 100% sure that there will be people or bots who will try to hack the system: changing POST values, trying to insert XSS or SQL injections, etc...

As I sanitize my input, I see that I can detect those actions, and therefore I ask myself: what should I do to discourage them from pursuing? Should I even try, or will that make things worse?

I can log their activity, suspend their account, refuse data from their ever-so-temporary IP address, return false information to give them the impression of success, etc... So many things, and yet nothing perfect or annoying enough that they just let it go.

So here goes my question: what do you do to keep malicious people away from your public websites?

+3  A: 
  • SQL Injection safeguards
  • Log suspicious things (if you expect 14 fields of data, log anything < 14)
  • Don't display any errors from the server-side language... If you have to, use a soft error with a friendly description. No "error at line 111 in htdocs/www/sensitive/data.php".
  • Log failed logins and limit the time between failed logins. Make it exponential up to a safe limit (e.g. 30 minutes between logins).
  • Sanitize everything! Don't assume values from select boxes, check boxes or radio boxes.
  • And a lot more I'll add when I think of them...

Seb's answer has good advice: don't tell the end user that there was an error. I'd imagine a hacker could only use the error's information for malicious purposes, and it would increase their desire to go further with their hacking.

alex
+4  A: 

The best you can do is act as if nothing happened: if you receive malicious code, log the event (it could be the case that you missed something and it's actually a coding error), show a small error page without giving any details, and give a link to be redirected to another, hopefully useful, page.

I believe it's better not to tempt malicious users to keep trying, so you should avoid outputting things like "Nonoo, bad guy! Get out!" in favor of simple "we apologize" messages.

Seb
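The two answers above boil down to one request path: validate every field against what the server expects (field set, numeric ids, allowlists for select/checkbox values), pass data to SQL only as bound parameters, throttle failed logins exponentially up to a cap, log the detail internally, and show the user nothing more than an apology. The following is an added example of that path in Python with an in-memory SQLite table; it is not code from the thread or from the asker's site, and the field names (`id_user`, `email`, `role`, `newsletter`), the allowlists, the logger name and the `open_db` helper are assumptions made for the example.

```python
"""Added example: strict form validation, parameterised SQL, exponential
failed-login throttling, and a detail-free error response.
Field names, allowlists and the sample table are assumptions for the demo."""
import logging
import re
import sqlite3

log = logging.getLogger("webapp.security")  # assumed logger name

# What the profile form is expected to post (a hand-crafted POST differs).
EXPECTED_FIELDS = {"id_user", "email", "role", "newsletter"}
ALLOWED_ROLES = {"reader", "author"}      # exactly what the <select> offers
ALLOWED_NEWSLETTER = {"0", "1"}           # checkbox value as the form sends it
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")  # numeric id, no leading zeros
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")


class InvalidInput(Exception):
    """Internal detail about why input was rejected; never shown to the user."""


def validate_post(form: dict) -> dict:
    """Reject anything that does not match the form we actually serve."""
    if set(form) != EXPECTED_FIELDS:          # e.g. fewer than the expected fields
        raise InvalidInput(f"field set mismatch: {sorted(form)}")
    if not ID_RE.match(form["id_user"]):
        raise InvalidInput("id_user is not a number")
    if not EMAIL_RE.match(form["email"]):
        raise InvalidInput("email malformed")
    # Never trust select/checkbox/radio values: compare with the server-side list.
    if form["role"] not in ALLOWED_ROLES:
        raise InvalidInput("role not in allowlist")
    if form["newsletter"] not in ALLOWED_NEWSLETTER:
        raise InvalidInput("newsletter not in allowlist")
    return {"id_user": int(form["id_user"]), "email": form["email"],
            "role": form["role"], "newsletter": form["newsletter"] == "1"}


def open_db():
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
                 "role TEXT, newsletter INTEGER)")
    conn.execute("INSERT INTO users VALUES (42, 'old@example.com', 'reader', 0)")
    conn.commit()
    return conn


def update_profile(conn, form: dict) -> dict:
    """Values travel as bound parameters, never spliced into the SQL text."""
    clean = validate_post(form)
    conn.execute("UPDATE users SET email=?, role=?, newsletter=? WHERE id=?",
                 (clean["email"], clean["role"], int(clean["newsletter"]),
                  clean["id_user"]))
    conn.commit()
    return clean


def handle_profile_request(conn, form: dict):
    """What the client gets back: success, or an apology with no detail."""
    try:
        update_profile(conn, form)
        return 200, "Profile updated."
    except InvalidInput as exc:
        log.warning("rejected input: %s", exc)   # detail stays server-side
        return 400, "We apologize, something went wrong. Return to the home page."


class LoginThrottle:
    """Delay between failed logins doubles per failure, capped at `cap` seconds."""

    def __init__(self, base: float = 1.0, cap: float = 1800.0):
        self.base, self.cap = base, cap
        self.failures = {}   # account -> (failure count, time of last failure)

    def delay_for(self, account: str) -> float:
        count, _ = self.failures.get(account, (0, 0.0))
        return 0.0 if count == 0 else min(self.base * 2 ** (count - 1), self.cap)

    def may_attempt(self, account: str, now: float) -> bool:
        _, last = self.failures.get(account, (0, 0.0))
        return now - last >= self.delay_for(account)

    def record_failure(self, account: str, now: float) -> None:
        count, _ = self.failures.get(account, (0, 0.0))
        self.failures[account] = (count + 1, now)
        log.warning("failed login for %r (%d failures)", account, count + 1)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
```

An `id_user` of `<script>...</script>` or a `role` of `admin` both end in the same apology page and the same log line format; the attacker learns nothing about which check fired. The throttle keys on the account name, so it also works against attempts spread over many short-lived IP addresses.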
A: 

Well I was thinking of something a bit similar... Tell me what you think about it...

As I trap attempts to break the system, I log it into the user's data and increment a "sleep" counter. Every time the user makes future requests to the server, I will simply wait the right amount of time. It is then invisible to him, yet the system will just become slower and slower for his account as he tries to do his job... I was thinking I could even add a small ironic message such as: "thank you for waiting..."

m_oLogin
Please comment on the downvote... as I didn't think it was that bad of an idea...
m_oLogin
The problem with this approach is: how do you know when it's a hack attempt vs. a bug in your software? You could be incrementing that sleep counter for some legitimate users. Also, if you're serious about security, forget about those ironic messages; just limit yourself to getting the job done ;)
Seb
Well, I am not going to increment the counter for every log error. There are places where I simply know that it's not a bug... Receiving '<script>...</script>' for id_user instead of a number, for example, is for me a sign that something is wrong...
m_oLogin
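As an added example of the per-account "sleep" counter discussed in this exchange (not code from m_oLogin's site or from anyone in the thread), here is a Python version that follows Seb's objection: the counter moves only on signals that cannot come from the site's own forms, such as markup or SQL fragments in a field that is always a number, and a merely malformed free-text field is never counted. The field names `id_user` and `id_post`, the step and cap values, and the `sleep` parameter are assumptions for the example.

```python
"""Added example: a per-account penalty counter that grows only on
unambiguous tamper signals and slows that account's later requests.
Field names and the step/cap values are assumptions for the demo."""
import re
import time

NUMERIC_ID = re.compile(r"^[0-9]{1,10}$")
ALWAYS_NUMERIC = ("id_user", "id_post")   # assumed hidden/id fields


def is_definite_tamper(field: str, value: str) -> bool:
    """True only for input the site's own forms can never produce.
    A non-numeric id is such a signal; a bad e-mail or odd free text is not,
    since that may be a typo or a bug in our own form."""
    if field in ALWAYS_NUMERIC:
        return NUMERIC_ID.match(value) is None
    return False


class SleepPenalty:
    """Each definite signal adds `step` seconds of delay to every later request
    from that account, up to `cap` seconds."""

    def __init__(self, step: float = 0.5, cap: float = 10.0):
        self.step, self.cap = step, cap
        self.counter = {}   # account -> number of definite signals seen

    def note_request(self, account: str, form: dict) -> list:
        """Inspect one request; return the fields that counted as tampering."""
        hits = [f for f, v in form.items() if is_definite_tamper(f, v)]
        if hits:
            self.counter[account] = self.counter.get(account, 0) + len(hits)
        return hits

    def delay(self, account: str) -> float:
        return min(self.step * self.counter.get(account, 0), self.cap)

    def serve(self, account: str, form: dict, sleep=time.sleep):
        """Apply the penalty silently before handling the request.
        `sleep` is injectable so the example can be exercised without waiting."""
        hits = self.note_request(account, form)
        seconds = self.delay(account)
        if seconds:
            sleep(seconds)
        return hits, seconds
```

Once an account has tripped the counter, even its clean requests carry the delay, which is the "invisible" slowdown the idea aims for; the cap keeps a penalised account from tying up a request worker indefinitely, since the sleep happens inside the handler and holds that worker for its duration.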