Standard User RogerE
(committed) Wed 07-Aug-19 14:35:34
How to prevent sub domain being found

Sorry about title, not sure how to describe this.

A small charity I have done work for (Static Website) has a domain which is working fine.

I have created an HTML/PHP/MySQL admin system that has been running on a local PC (using WAMP server).

Now they want to have it hosted as a subdomain of their website so it can be reached by the admin people from home. Their hosting company allows this.

I have concerns about how to prevent the admin system pages being "found" by web crawlers, spiders etc.

The system has a login system with hashed passwords, and all of the pages check to ensure they arrived via the login, but other than that is there anything else I can do to protect them?

Thanks
Standard User caffn8me
(eat-sleep-adslguide) Sat 10-Aug-19 02:50:15
Re: How to prevent sub domain being found

A lot depends on how much administrative control you have over the hosting server.

The sort of things you can do to make things more secure include:

  • Ensure server uses https with TLS v1.2 or newer
  • Use multi-factor authentication - you can have a look at TOTP/HOTP with hardware tokens, Yubikey and authenticator apps, Duo (free up to ten users)
  • Restrict access to the subdomain to VPN users and set each user with VPN access
  • Run intrusion detection/prevention software (such as fail2ban)
  • If you have a fixed server IP address for the subdomain, don't publish a DNS entry for the subdomain but get remote users wanting access to add the subdomain's IP address to their computer's hosts file
  • Do client certificate authentication for the subdomain's https server and send client certificates to each admin user
  • Also monitor logs for suspicious activity (e.g. repeated failed logins or trying to run scripts which aren't present). If there are repeated attempts from specific IP addresses or ranges, block those.
  • Make sure all software on the server is patched and fully up to date.
Of these, the only one I haven't actually used yet is client certificate authentication but all other recommendations I do as standard.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
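The log-monitoring point in the reply above (repeated failed logins, or requests for scripts that aren't on the server, from the same address) is the one piece that is easy to show as code. The script below is an added example written for this thread; it is not from the original post, the forum, or any tool named there. It assumes the web server writes the usual Apache/nginx "combined" access-log format, that the admin system's login script (assumed here to live at `/login.php`) answers a wrong password with HTTP 401 rather than a 200 page, and that a request for a script that does not exist produces a 404. The log lines are constructed with RFC 5737 documentation addresses and the thresholds are arbitrary; adjust them to the site.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/nginx "combined" access-log format; the
# addresses are RFC 5737 documentation ranges, not real visitors.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2019:02:41:10 +0100] "POST /login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2019:02:41:12 +0100] "POST /login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2019:02:41:15 +0100] "POST /login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2019:02:41:19 +0100] "POST /login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2019:02:41:22 +0100] "POST /login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Aug/2019:02:42:01 +0100] "GET /old/setup.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.23 - - [10/Aug/2019:02:42:02 +0100] "GET /backup/admin.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
198.51.100.23 - - [10/Aug/2019:02:42:03 +0100] "GET /test.php HTTP/1.1" 404 210 "-" "python-requests/2.22"
192.0.2.77 - - [10/Aug/2019:02:43:30 +0100] "POST /login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Aug/2019:02:43:45 +0100] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Aug/2019:02:43:46 +0100] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["path"], int(m["status"])


def analyse(log_text, login_path="/login.php", fail_threshold=5, probe_threshold=3):
    """Count, per client IP, failed logins and requests for scripts that don't exist.

    Assumption for this example: the login script answers a bad password with
    HTTP 401 (or 403) and a missing script produces a 404.  Returns
    {ip: [reason, ...]} for every address at or over a threshold; addresses
    below both thresholds (e.g. a user who mistyped a password once) are left out.
    """
    failed_logins = defaultdict(int)
    missing_scripts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # rotated-log headers, truncated lines, etc.
        ip, path, status = parsed
        bare_path = path.split("?", 1)[0]  # ignore any query string
        if bare_path == login_path and status in (401, 403):
            failed_logins[ip] += 1
        elif status == 404 and bare_path.endswith(".php"):
            missing_scripts[ip] += 1

    suspects = defaultdict(list)
    for ip, n in failed_logins.items():
        if n >= fail_threshold:
            suspects[ip].append(f"{n} failed logins to {login_path}")
    for ip, n in missing_scripts.items():
        if n >= probe_threshold:
            suspects[ip].append(f"{n} requests for scripts that do not exist")
    return dict(suspects)


def deny_list(suspects):
    """Sorted addresses to review and, if confirmed, add to the firewall or web-server deny rule."""
    return sorted(suspects)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for ip, reasons in found.items():
        print(ip, "->", "; ".join(reasons))
    print("review for blocking:", deny_list(found))
```

Run it over a log slice rather than the whole history (the most recent rotated file, or the last N minutes piped through `tail`), which gives the counts the time bound that fail2ban applies with its `findtime`; the thresholds then mean "this many in that window". The output is a list to review, not an automatic block: a shared office address or a forgotten browser session can trip the login counter too.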