We go to great lengths to keep ocPortal secure, on many levels, including:
- having a security strategy
- having our own automated checking tools
- having an architecture within ocPortal for secure programming
- having constant scanning as ocPortal is used
To further improve security in version 3, we have added new features to tackle three widespread problems (in general: we haven't actually spotted these being used against ocPortal yet):
- DOS (denial of service) attacks. The nature of these is a lot simpler than they sound - essentially the computer which is responsible for operating your website is attacked by large quantities of requests per second from a hacker, and your computer then spends all of it's resources in an attempt to fulfill each one. Many DOS attacks end in the victim's computer becoming completely unresponsive, or simply crashing.
- 'Rooting' a server. This involves hacking the web server account and leaving a 'backdoor'. 'Rooting' is either done from some direction that ocPortal cannot monitor (such as via another web application), or done via a yet unknown vulnerability in ocPortal.
- Hacking a server by trial-and-error, but not getting caught and banished before damage is done (if for example, a user goes on holiday and hence cannot act on hack-attack e-mails)
DOS attacks are detected automatically, with attacking IP addresses automatically banned at a low-level such that they can not tie up further resources in any measurable way.
If numerous hack attack messages come from a single computer, the computer is automatically banned.
There is a special script that will help detect if ocPortal PHP files or critical/sensitive database settings are changed, by off-server comparison of data.
None of these methods are foolproof, but they do significantly raise the bar security-wise, reducing the chance that any particular hacker will be able to compromise your website.