Securing PHP webservers
PHP applications have a reputation for higher than average security problems. What configuration techniques do you use for making sure the application is as secure as possible?
I’m looking for ideas like:
- Using Hardened PHP/Suhosin
- Using mod_security
- Disabling register_globals and allow_url_fopen in php.ini
I normally use Linux, but feel free to suggest Windows solutions too.
By David Pashley?
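The php.ini items in the question (register_globals, allow_url_fopen) are the kind of thing that drifts back to an unsafe value after a package upgrade, so an audit script is worth having. The following is an added example for this page, not code from the question or any answer to it: it reads a php.ini file the way PHP does (last uncommented assignment wins, "" and 0 mean Off, an absent directive falls back to the compiled-in default, which is On for allow_url_fopen, expose_php and display_errors) and reports each directive against a hardening baseline. The baseline itself, and the two sample ini fragments it runs on, are this example's assumptions.

```shell
#!/bin/sh
# Added example for the question above; not from the question or any answer.
# Audits a php.ini for the directives a hardened server is expected to have.
# The expected values are this example's hardening baseline, not a PHP default.
# Usage: check_php_ini /etc/php.ini    (exit status 0 = every check passed)

# Effective value of a directive: the last uncommented "key = value" line
# wins (PHP applies later duplicates over earlier ones); a trailing ";comment",
# surrounding double quotes and whitespace are stripped; result is lowercased.
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/^"\(.*\)"$/\1/; s/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z'
}

# Is the directive assigned at all? An absent directive takes PHP's built-in
# default, which for allow_url_fopen, expose_php and display_errors is On,
# so "not set" must never be read as "Off".
php_ini_has() {
    grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# PHP's ini boolean rules: 1/on/yes/true are On; anything else, including an
# empty value, is Off.
php_ini_bool() {
    case "$1" in
        1|on|yes|true) echo on ;;
        *) echo off ;;
    esac
}

check_php_ini() {
    local ini="$1" fails=0 spec key want got
    for spec in register_globals:off allow_url_fopen:off allow_url_include:off \
                expose_php:off display_errors:off enable_dl:off; do
        key=${spec%%:*}; want=${spec##*:}
        if ! php_ini_has "$ini" "$key"; then
            printf 'FAIL  %-18s not set (PHP default applies); set it to %s\n' "$key" "$want"
            fails=$((fails + 1)); continue
        fi
        got=$(php_ini_bool "$(php_ini_get "$ini" "$key")")
        if [ "$got" = "$want" ]; then
            printf 'OK    %-18s = %s\n' "$key" "$got"
        else
            printf 'FAIL  %-18s = %s (want %s)\n' "$key" "$got" "$want"
            fails=$((fails + 1))
        fi
    done
    # disable_functions is a list, not a boolean: empty means nothing is disabled.
    got=$(php_ini_get "$ini" disable_functions)
    if [ -z "$got" ]; then
        printf 'FAIL  %-18s is empty (no function disabled)\n' disable_functions
        fails=$((fails + 1))
    else
        printf 'OK    %-18s = %s\n' disable_functions "$got"
    fi
    return $fails
}

# Two constructed php.ini fragments (not from any real server) to try it on.
PHP_INI_DIR=$(mktemp -d)
PHP_INI_WEAK=$PHP_INI_DIR/weak.ini
PHP_INI_HARD=$PHP_INI_DIR/hardened.ini
cat > "$PHP_INI_WEAK" <<'EOF'
; stock-looking PHP 5.2 settings
register_globals = On
allow_url_fopen = On
allow_url_include = Off
expose_php = On
display_errors = On
enable_dl = On
disable_functions =
EOF
cat > "$PHP_INI_HARD" <<'EOF'
register_globals = Off
allow_url_fopen = Off          ; scripts fetch remote data with curl instead
allow_url_include = Off
expose_php = Off
display_errors = Off
log_errors = On
enable_dl = Off
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
EOF

echo "== weak";     check_php_ini "$PHP_INI_WEAK" || echo "$? problem(s)"
echo "== hardened"; check_php_ini "$PHP_INI_HARD" && echo "all checks passed"
```

Point it at the php.ini that the web server's PHP actually loads (php -i | grep "Loaded Configuration File"), not the first one found on disk; a cPanel box typically has more than one.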
APF installation error on VPS: unable to load iptables module (ip_tables), aborting.
While installing APF on your VPS you get the following error:
apf -s
apf(13665): {glob} status log not found, created
apf(13665): {glob} activating firewall
apf(13744): {glob} unable to load iptables module (ip_tables), aborting.
apf(13665): {glob} firewall initalized
apf(13665): {glob} !!DEVELOPMENT MODE ENABLED!! – firewall will flush every 5 minutes.
APF tries to modprobe ip_tables, which a VPS container cannot do: the netfilter modules live in the host's kernel and are already loaded there. You need to tell APF to treat the kernel as monolithic so that it skips loading modules. Edit the configuration:
nano /etc/apf/conf.apf
and change
SET_MONOKERN="0"
to
SET_MONOKERN="1"
then restart with apf -r and check apf -s again. The "DEVELOPMENT MODE ENABLED" warning is a separate setting: APF ships with DEVEL_MODE="1" so that a bad rule set flushes itself after five minutes; set it to "0" only once you have confirmed you can still reach the server through the firewall.
Read more…
Block IP Addresses With IPtables & APF
Have a user that keeps hammering your FTP or trying to login over and over and over again that you just want to ban and never see again? We’ll show a quick and dirty method to ban an IP address from the server.
We commonly receive questions like:
“I would like to ban that ip address to prevent the access to the server.
how can i ban that Ip address from the server?”
Simple!
Login to the server as root.
- If you are running iptables, you can enter:
iptables -A INPUT -s IP_ADDRESS -j DROP
Ex: Block IP 68.72.72.25
iptables -A INPUT -s 68.72.72.25 -j DROP
Two things to check before you rely on this. -A appends the rule to the end of the INPUT chain, so if an ACCEPT rule earlier in the chain already matches the traffic (APF and most firewall scripts install several), the DROP is never reached; insert it at the top with -I INPUT 1 instead. And a rule added by hand is not saved anywhere: it is gone after a reboot or the next time APF reloads its rules. If APF manages the firewall, use apf -d 68.72.72.25, which writes the address to /etc/apf/deny_hosts.rules and loads the rule immediately.
Stop PHP nobody Spammers
PHP and Apache have a history of not being able to track which user is sending out mail through PHP's mail() function: under mod_php every script runs as the nobody user, so a leaky formmail script or a malicious user can spam from your server without you knowing who or where it came from.
Watching your exim_mainlog doesn't help much: you see the email going out, but the sender is nobody and nothing tells you which user or script sent it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.
If you check your php.ini you'll notice that sendmail_path is set to /usr/sbin/sendmail, and 99.99% of PHP scripts just use the built-in mail() function, so everything goes through /usr/sbin/sendmail. (PHP 5.3 and later have a built-in alternative: mail.add_x_header = On stamps every message with an X-PHP-Originating-Script header carrying the uid and script file name, and mail.log = /path/to/file logs every mail() call together with the script and line that made it.)
Requirements:
We assume you're using Apache 1.3.x, PHP and Exim. This may work on other systems, but we've only tested it on a cPanel/WHM Red Hat Enterprise system. Read more…
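Since every mail() call ends up as an execution of /usr/sbin/sendmail, the place to recover the missing information is a shim in front of that binary. The script below is an added example and not the article's own continuation: it logs who called sendmail and from where, then hands the message to the real program. The deployment it assumes (the real sendmail moved to /usr/sbin/sendmail.real, this script installed as /usr/sbin/sendmail with mode 755) and the log file name are this example's choices; on an Exim box /usr/sbin/sendmail is a symlink to exim, so move the symlink, not the exim binary.

```shell
#!/bin/sh
# Added example; not the article's own code. A logging shim installed where
# PHP expects sendmail: records the caller, then execs the real binary.
# Assumed deployment: real sendmail at /usr/sbin/sendmail.real, this script
# at /usr/sbin/sendmail. Both paths and the log file are this example's choices.

REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail.real}
WRAPPER_LOG=${WRAPPER_LOG:-/var/log/sendmail-wrapper.log}

# One log line from what a mail() call leaves behind: the calling uid; the
# working directory (PHP chdirs into the script's directory before running it
# under the usual prefork and CGI setups, so PWD usually names the directory
# the sending script lives in); SCRIPT_FILENAME and REMOTE_ADDR where the SAPI
# exports them (CGI/FastCGI do, mod_php does not); and sendmail's arguments.
wrapper_log_line() {
    printf '%s uid=%s pwd=%s script=%s client=%s args=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "${PWD:-?}" \
        "${SCRIPT_FILENAME:-unknown}" "${REMOTE_ADDR:-unknown}" "$*"
}

# Log, then replace this shell with the real sendmail so stdin (the message)
# and the exit status pass straight through. Logging must never stop mail: a
# full disk or wrong permissions on the log only cost the log line.
sendmail_wrapper() {
    wrapper_log_line "$@" >> "$WRAPPER_LOG" 2>/dev/null
    exec "$REAL_SENDMAIL" "$@"
}

# Act as the wrapper only when installed under that name. Running the file
# under any other name just prints the line it would have logged, using a
# constructed script path and client address.
case "$0" in
    */sendmail|sendmail) sendmail_wrapper "$@" ;;
    *) ( SCRIPT_FILENAME=/home/example/public_html/contact.php
         REMOTE_ADDR=203.0.113.7
         wrapper_log_line -t -i ) ;;
esac
```

Once installed, a spam run shows up in the log as hundreds of lines with the same pwd=/home/someuser/public_html/... while the uid stays nobody, which is exactly the attribution the Exim log cannot give you. Keep the log root-owned and append-only if you can; the nobody user must be able to write to it, so it is also something a script could fill.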
IP country block downloads
All country IP block files are provided in CIDR format at this time. Please note that we compile these lists from the regional Internet registries; to correct any errors please contact the registry for your region, e.g. RIPE for Europe or ARIN for North America.
Zone files last updated: Mon Jun 15 05:07:15 EDT 2009
Download compressed tar archive with all zone files in it: all-zones.tar.gz
Read more…
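A country zone file has thousands of networks, and feeding each one into iptables -A as in the ban-an-IP post above gives a chain that is slow to load and slow to match. The script below is an added example, not code from either post: it validates every line of a zone file (so that a stray line can never become a firewall argument), emits an ipset restore stream, and attaches the whole set to INPUT with one rule. The sample zone file is constructed, and the set name, the ipset package requirement, and the "-I INPUT 1" placement are this example's choices. It applies to any CIDR list, not only the country files.

```shell
#!/bin/sh
# Added example, not from either post above: load a CIDR zone file into an
# ipset and block it with a single iptables rule. Constructed zone file;
# set name, ipset requirement and rule placement are this example's choices.

# Accept "a.b.c.d" or "a.b.c.d/n" and nothing else, so a stray line in a
# downloaded list can never turn into an iptables or ipset argument.
valid_ipv4_cidr() {
    local cidr="$1" ip len o
    case "$cidr" in
        */*) ip=${cidr%/*}; len=${cidr#*/} ;;
        *)   ip=$cidr;      len=32 ;;
    esac
    case "$len" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac          # empty octet
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Emit an "ipset restore" stream for one zone file. Comment and blank lines
# are skipped, invalid lines go to stderr, and the exit status is non-zero if
# anything was rejected. Plain text, so it can be reviewed before it is fed
# to ipset.
zone_to_ipset() {
    local name="$1" file="$2" line bad=0
    echo "create $name hash:net family inet"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # and whitespace / CR
        [ -n "$line" ] || continue
        if valid_ipv4_cidr "$line"; then
            echo "add $name $line"
        else
            echo "zone file $file: rejected line: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Enforce it (root): create or refill the set, then add one DROP rule that
# references it unless the rule is already there. -I INPUT 1 puts the DROP
# ahead of any ACCEPT rules already in the chain; -A would append after them.
block_zone() {
    local name="$1" file="$2"
    zone_to_ipset "$name" "$file" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$name" src -j DROP 2>/dev/null \
        || iptables -I INPUT 1 -m set --match-set "$name" src -j DROP
}

# Constructed sample zone file (not a real country list).
ZONE_FILE=$(mktemp)
cat > "$ZONE_FILE" <<'EOF'
# constructed sample, not a real zone file
203.0.113.0/24
198.51.100.0/25
192.0.2.128/25
68.72.72.25
300.1.2.3/24    # invalid octet, must be rejected
EOF

echo "== ipset restore stream for set 'blocked':"
zone_to_ipset blocked "$ZONE_FILE" || echo "(some lines were rejected, see above)"
# To enforce it on a real host, as root:  block_zone blocked "$ZONE_FILE"
```

Because the set is a separate object, refreshing it after a new zone download is just another run of zone_to_ipset piped into ipset -exist restore; the iptables rule does not change. To drop a single address as in the post above, add it to the same set with ipset add blocked 68.72.72.25 rather than growing the INPUT chain.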
Script to daily email APF status
You are running APF on your server, but sometimes you wonder: is APF running fine?
This script sends you an email with the APF status.
Log in to your server as root
Create the script:
nano apfstatus.sh
Put this on the file:
#!/bin/bash
# Mail the last 200 lines of the APF log; run once a day from cron.
tail -n 200 /var/log/apf_log | mail -s "APF Status" youremail@domain.com
Save and exit (Ctrl+X, then Y). Make it executable with chmod 700 apfstatus.sh and copy it into /etc/cron.daily/ so that it actually runs every day. Use an address that is not hosted on this server; otherwise a firewall problem can also stop the report that would tell you about it.
Read more…
How To Secure /tmp and /dev/shm partition
Keeping your server clean of rootkits is part of reaching a good security level. A sysadmin can create a separate file system for /tmp and mount it with the noexec and nosuid options (add nodev as well), so that a binary dropped there by an exploit cannot simply be executed. This does not require a reboot or repartitioning your drive: the file system can live in an ordinary file mounted through a loop device. Two caveats: noexec is a speed bump rather than a wall (a script can still be handed to an interpreter, and a binary can be started through the dynamic loader), and some package installers unpack and run scripts in /tmp, so check that yum or rpm upgrades still work afterwards.
1. First you should secure /tmp:
Read more…
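The article's own steps are cut off above; what follows is an added example and not those steps. It does the whole job in one script: a file-backed /tmp mounted noexec,nosuid,nodev, /dev/shm remounted the same way, both recorded in /etc/fstab, plus a check against /proc/mounts that you can run afterwards or from cron to see whether the options are still in effect. The image path, its size and the choice of ext3 are this example's assumptions; the /proc/mounts snapshot it runs its check on is constructed.

```shell
#!/bin/sh
# Added example; not the article's own steps. File-backed /tmp with
# noexec,nosuid,nodev, same options on /dev/shm, and a /proc/mounts check.
# Image path, size and file system type are this example's assumptions.

TMP_IMG=${TMP_IMG:-/var/tmpfs.img}
TMP_SIZE_MB=${TMP_SIZE_MB:-1024}
WANT_OPTS="noexec nosuid nodev"

# Does mount point $2 appear in the /proc/mounts-format file $1 with every
# option in WANT_OPTS? The last matching line is the effective mount. Prints
# what is missing; the exit status is the verdict.
mount_opts_check() {
    local mounts="$1" mp="$2" opts o missing=""
    opts=$(awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }' "$mounts")
    [ -n "$opts" ] || { echo "$mp: not a separate mount"; return 1; }
    for o in $WANT_OPTS; do
        case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    [ -z "$missing" ] || { echo "$mp: missing$missing (has $opts)"; return 1; }
    echo "$mp: ok ($opts)"
}

# The actual change. Run as root in a maintenance window: anything that keeps
# a socket or lock file in /tmp (MySQL's mysql.sock, PHP session files) is
# hidden by the new mount until the service is restarted.
secure_tmp() {
    if [ ! -f "$TMP_IMG" ]; then
        dd if=/dev/zero of="$TMP_IMG" bs=1M count="$TMP_SIZE_MB"
        mkfs.ext3 -F "$TMP_IMG"          # -F: it is a file, not a block device
        chmod 600 "$TMP_IMG"             # only root may read the raw image
    fi
    cp -a /tmp /tmp.old                  # keep the current contents
    mount -o loop,noexec,nosuid,nodev "$TMP_IMG" /tmp
    chmod 1777 /tmp                      # world-writable with the sticky bit
    cp -a /tmp.old/. /tmp/ && rm -rf /tmp.old
    mount -o remount,noexec,nosuid,nodev /dev/shm
    # make both survive a reboot
    grep -q "^$TMP_IMG " /etc/fstab || \
        echo "$TMP_IMG /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0" >> /etc/fstab
    grep -q '^tmpfs[[:space:]]*/dev/shm[[:space:]]' /etc/fstab && \
        sed -i 's|^tmpfs[[:space:]]*/dev/shm[[:space:]].*|tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0|' /etc/fstab
    mount_opts_check /proc/mounts /tmp
    mount_opts_check /proc/mounts /dev/shm
}

# Constructed /proc/mounts snapshot (not from a real host) to exercise the
# check: /tmp done right, /dev/shm still wide open, /var/tmp not separate.
MOUNTS_SAMPLE=$(mktemp)
cat > "$MOUNTS_SAMPLE" <<'EOF'
/dev/sda1 / ext3 rw,data=ordered 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/loop0 /tmp ext3 rw,nosuid,nodev,noexec 0 0
EOF
for mp in /tmp /dev/shm /var/tmp; do
    mount_opts_check "$MOUNTS_SAMPLE" "$mp" || true
done

# Apply for real only when asked to, and only as root:  sh secure-tmp.sh apply
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    secure_tmp
fi
```

/var/tmp deserves the same treatment; the usual trick is to move it aside and replace it with a symlink to /tmp, or to give it its own image. Run the check after every reboot as well: an fstab typo silently leaves you with a plain, executable /tmp again.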
.htaccess IP Banning: Block Bad Visitors
Increase your web site’s security by blocking bad visitors with .htaccess. If you have nuisance visitors, site scrapers, or spammers, you may want to add some lines of code to your .htaccess file that will block bad visitors by IP address or by blocks of IP addresses. You want to be careful though that you don’t ban blocks of IPs carelessly as you may end up banning potential customers or other valid site visitors. Also, nothing is completely foolproof as the user can always use another IP address, but I’ve found that this does reduce the number of troublesome incidents.
Secure Directories by IP Address and/or Domain
# allow all except those indicated here
order allow,deny
allow from all
deny from 190.115.67.200
deny from yourdomain.com
"deny from" takes an IP address, a network (190.115.67.0/24 or the partial form 190.115.67.) or a domain name suffix, not a regular expression; the original regex-style line matched nothing. A domain entry makes Apache do a double reverse DNS lookup on every request to the directory, so prefer address-based bans. These directives are for Apache 2.2 and earlier (mod_access / mod_authz_host); on Apache 2.4 the equivalent is "Require all granted" together with "Require not ip 190.115.67.200" inside a RequireAll block.
Read more…
E-mail Alert on Root SSH Login
Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the super user account. We recommend that you use an email address not hosted on the server you're sending the alert from. Keep in mind that an alert hooked into root's shell profile only fires for interactive logins: ssh root@host command, scp and sftp never run the profile, so if you want every root session, also watch sshd's own "Accepted ... for root" lines in /var/log/secure, or hook PAM.
So lets get started!
Read more…
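The tutorial itself is behind the link; the snippet below is an added example, not the tutorial's code. It is meant for /root/.bash_profile and mails an alert when an interactive root shell arrives over SSH. Instead of parsing who, it reads SSH_CONNECTION, which sshd sets to "client_ip client_port server_ip server_port", and SSH_TTY for the terminal. The alert address is a placeholder.

```shell
#!/bin/sh
# Added example; not the tutorial's code. For /root/.bash_profile: mail an
# alert when an interactive root shell is opened over SSH. The address is a
# placeholder; sshd's SSH_CONNECTION and SSH_TTY variables supply the details.

ALERT_TO=${ALERT_TO:-admin@example.net}   # an address NOT hosted on this box

# Compose the alert text from the login's environment. Returns 1 and prints
# nothing when this is not an SSH session (console login, su, cron job).
root_login_alert() {
    [ -n "${SSH_CONNECTION:-}" ] || return 1
    set -- $SSH_CONNECTION          # client_ip client_port server_ip server_port
    printf 'Root login on %s at %s\nfrom %s port %s to %s port %s\ntty=%s user=%s\n' \
        "$(uname -n)" "$(date '+%Y-%m-%d %H:%M:%S %Z')" "$1" "$2" "$3" "$4" \
        "${SSH_TTY:-none}" "$(id -un)"
}

# Send it in the background so a slow or broken mailer never delays the
# shell; failures are swallowed on purpose, the login itself must still work.
if [ "$(id -u)" -eq 0 ] && body=$(root_login_alert); then
    printf '%s\n' "$body" | mail -s "ALERT: root SSH login on $(uname -n)" "$ALERT_TO" \
        >/dev/null 2>&1 &
fi
```

Because the hook lives in a file root can edit, an intruder who already has a root shell can simply remove it; the alert protects against the first login, not against someone who is already in. That is the reason to pair it with off-box log shipping or a PAM hook.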
How to install (D)DOS-Deflate
What is (D)DoS Deflate?
(D)DoS Deflate is a shell script developed by Zaf, originally for use on MediaLayer servers to assist in combating denial of service attacks. However, it was seen to be very effective for our purpose, and therefore was released as a contribution to the web hosting community. (D)DoS Deflate is now used not only by many web hosts, but also by many people who run their own servers and want additional protection against such attacks. It works by periodically listing the server's connections with netstat, counting them per source address, and banning (through APF or iptables) any address with more than a configured number of connections open, for a configurable period.
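To see what the tool is actually deciding on, here is the core of that approach as an added example, not (D)DoS Deflate's own script: count connections per remote address in netstat -ntu style output, list the addresses at or above a threshold, and print the ban commands for review. It runs over a constructed netstat listing so it can be tried without an attack in progress. The threshold and the use of apf -d as the ban command are this example's choices; the real script keeps its own defaults in its configuration file.

```shell
#!/bin/sh
# Added example, not (D)DoS Deflate's own code: per-address connection
# counting with a ban threshold, over a constructed netstat listing.
# Threshold and ban command are this example's choices.

THRESHOLD=${THRESHOLD:-150}      # connections from one address before banning

# Connections per remote address from "netstat -ntu" style output, where
# field 5 is "remote:port". Loopback and unspecified addresses are skipped so
# the host can never ban itself. Output: "count address", busiest first.
connections_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ {
            addr = $5; sub(/:[0-9]+$/, "", addr)         # drop the port
            if (addr == "127.0.0.1" || addr == "0.0.0.0" || addr == "::1") next
            count[addr]++
         }
         END { for (a in count) print count[a], a }' "$1" | sort -rn
}

# Addresses with at least $2 connections: the ban candidates.
offenders() {
    connections_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# What would be done about them. Printed rather than executed so the output
# can be reviewed first; piping it to sh as root enforces it.
ban_plan() {
    offenders "$1" "$THRESHOLD" | while read -r ip; do
        echo "apf -d $ip"
    done
}

# Constructed listing (not from a real host): one address holding 160
# connections, one with 3 half-open ones, and a local MySQL connection that
# must be ignored.
NETSTAT_SAMPLE=$(mktemp)
{
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    i=0
    while [ "$i" -lt 160 ]; do
        echo "tcp        0      0 198.51.100.2:80         203.0.113.7:$((40000 + i))      ESTABLISHED"
        i=$((i + 1))
    done
    for p in 51000 51001 51002; do
        echo "tcp        0      0 198.51.100.2:80         203.0.113.9:$p      SYN_RECV"
    done
    echo "tcp        0      0 127.0.0.1:3306          127.0.0.1:44222         ESTABLISHED"
} > "$NETSTAT_SAMPLE"

echo "== connections per address"; connections_per_ip "$NETSTAT_SAMPLE"
echo "== ban plan (threshold $THRESHOLD)"; ban_plan "$NETSTAT_SAMPLE"
```

The weak spot of this method is visible in the counting itself: a client behind a large NAT (an office, a mobile carrier, a proxy) legitimately shows up with many connections from one address, so set the threshold from a look at your own connections_per_ip output on a normal day rather than from a guess, and keep the ban period short enough that a false positive is an annoyance, not an outage.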
How to install
Read more…