This article shows the basic steps in securing PHP, one of the most popular scripting languages used to create dynamic web pages. In order to avoid repeating information covered in the previous article, only the main differences related to the process of securing Apache will be described.
Operating system
Like in the previous article, the target operating system is FreeBSD 4.7. However, the methods presented should also apply on most modern UNIX and UNIX-like systems. This article also assumes that a MySQL database is installed on the host, and is placed in the “/usr/local/mysql” directory.
Functionality
Generally, functionality will be very similar to the one described in the previous article. However, there are some changes:
- The web server must handle the PHP scripting language
- The PHP component must be able to read and write users’ data in a locally installed MySQL database
Security assumptions
In case of security assumptions, the following have been added:
- The PHP configuration should take advantage of built-in security mechanisms
- PHP scripts must be executed in a chrooted environment
- The Apache server must reject all requests (GET and POST) that contain HTML tags (possible cross-site scripting attack) or apostrophes/quotation marks (possible SQL injection attack)
- No PHP warning or error messages should be shown to the web application’s regular users
- It should be possible to store incoming GET and POST requests in a text file, which makes it possible to use an additional host-based intrusion detection system (HIDS), e.g. swatch.
Cpanel Basics
CSF, known as ConfigServer Security and Firewall, is the most trusted firewall on cPanel servers. It is very easy to install, and firewall rules are easy to manage. It also comes with LFD (Login Failure Daemon), which can be used as an intrusion detection and security application.
A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.
This CSF suite of scripts provides:
- Straight-forward SPI iptables firewall script
- Daemon process that checks for login authentication failures for:
- Courier imap, Dovecot, uw-imap, Kerio
- openSSH
- cPanel, WHM, Webmail (cPanel servers only)
- Pure-ftpd, vsftpd, Proftpd
- Password protected web pages (htpasswd)
- Mod_security failures (v1 and v2)
- Suhosin failures
- Exim SMTP AUTH
- Custom login failures with separate log file and regular expression matching
- POP3/IMAP login tracking to enforce logins per hour
- SSH login notification
- SU login notification
- Excessive connection blocking
- UI Integration for cPanel, DirectAdmin and Webmin
- Easy upgrade between versions from within cPanel/WHM, DirectAdmin or Webmin
- Easy upgrade between versions from shell
- Pre-configured to work on a cPanel server with all the standard cPanel ports open
- Pre-configured to work on a DirectAdmin server with all the standard DirectAdmin ports open
- Auto-configures the SSH port if it’s non-standard on installation
- Block traffic on unused server IP addresses - helps reduce the risk to your server
- Alert when end-user scripts send excessive emails per hour - for identifying spamming scripts
- Suspicious process reporting - reports potential exploits running on the server
- Excessive user processes reporting
- Excessive user process usage reporting and optional termination
- Suspicious file reporting - reports potential exploit files in /tmp and similar directories
- Directory and file watching - reports if a watched directory or a file changes
- Block traffic on the DShield Block List and the Spamhaus DROP List
- BOGON packet protection
- Pre-configured settings for Low, Medium or High firewall security (cPanel servers only)
- Works with multiple ethernet devices
- Server Security Check - Performs a basic security and settings check on the server (via cPanel/DirectAdmin/Webmin UI)
- Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
- Alert sent if server load average remains high for a specified length of time
- mod_security log reporting (if installed)
- Email relay tracking - tracks all email sent through the server and issues alerts for excessive usage (cPanel servers only)
- IDS (Intrusion Detection System) - the last line of detection alerts you to changes to system and application binaries
- SYN Flood protection
- Ping of death protection
- Port Scan tracking and blocking
- Permanent and Temporary (with TTL) IP blocking
- Exploit checks
- Account modification tracking - sends alerts if an account entry is modified, e.g. if the password is changed or the login shell
- Shared syslog aware
- Messenger Service - Allows you to redirect connection requests from blocked IP addresses to preconfigured text and html pages to inform the visitor that they have been blocked in the firewall. This can be particularly useful for those with a large user base and help process support requests more efficiently
- Country Code blocking - Allows you to deny or allow access by ISO Country Code
- Port Flooding Detection - Per IP, per Port connection flooding detection and mitigation to help block DOS attacks
- DirectAdmin UI integration
- Updated Webmin UI integration
- WHM root access notification (cPanel servers only)
- New in v5: lfd Clustering - allows IP address blocks to be automatically propagated around a group of servers running lfd. It also allows cluster-wide allows, removals and configuration changes
- New in v5: Quick start csf - deferred startup by lfd for servers with large block and/or allow lists
- New in v5: Distributed Login Failure Attack detection
- New in v5: Temporary IP allows (with TTL)
- New in v5: IPv6 Support with ip6tables
Steps to install:
1) Download the CSF script from
http://www.configserver.com/free/csf.tgz
2) Untar the file
tar -zxf csf.tgz
3) Install using the following command
cd csf && sh install.sh
That’s it! Wait for the installation to finish.
Configuration settings:
Config files
/etc/csf/csf.conf => CSF firewall configuration file
/etc/csf/csf.allow => config file to allow IPs
/etc/csf/csf.deny => config file to deny IPs
Once CSF is installed, you can manage the CSF firewall from WHM >> CSF Security & Firewall, under the “Plugin” section.
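Two settings in /etc/csf/csf.conf are worth checking right after the install: TESTING (left at "1", a cron job keeps flushing the rules and lfd will not start) and TCP_IN (if your SSH port is missing you lock yourself out when TESTING is turned off). The helper below is an added example, not part of the original post or of CSF itself; it reads the key = "value" syntax csf.conf uses and operates on a constructed sample file, and assumes POSIX sed/grep/tr.

```shell
# Added example (not CSF's own code): small checks on a csf.conf-style file.
# Constructed sample in csf.conf syntax; the real file is /etc/csf/csf.conf.
write_sample_csf_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a full csf.conf
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
EOF
}

# Print the quoted value of KEY ($1) from the conf file ($2).
# The anchored pattern stops LF_SSHD from matching LF_SSHD_PERM.
csf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# True only when TESTING mode has been switched off ("0").
csf_testing_off() {
    [ "$(csf_get TESTING "$1")" = "0" ]
}

# True when port $1 is listed in TCP_IN of conf file $2
# (exact match per comma-separated entry, so 22 does not match 2222).
csf_port_allowed() {
    csf_get TCP_IN "$2" | tr ',' '\n' | grep -qx "$1"
}
```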
Cpanel Basics
Joomla sites from an old server to my new webserver with suPHP, the search engine friendly URLs didn’t work anymore.
The main problem was that the layout had disappeared for all sites other than the main site.
In the source code of such a page I found that all CSS files had a wrong referral URL:
/index.php/awards/big_awards
instead of
awards/big_awards
for example.
The leading “/index.php” should not be there.
Other links on these pages also had a superfluous “/index.php”.
The issue was solved by entering a value for the variable
var $live_site = '';
in configuration.php:
var $live_site = 'http://www.example.com';
Source:
http://www.vanachteren.net
Cpanel Basics
If your PHP scripts are reporting 500 Internal Server errors, please check the following:
Make sure the directory permissions are not greater than 755.
Make sure the PHP file permissions are not greater than 755. 644 is the default permission for files uploaded by FTP and will work fine for most PHP files.
Make sure you do not have any .htaccess files which contain PHP flags/values or ForceType directives. These directives need to be handled differently, as explained above.
How to find and change existing users’ file permissions or ownership to meet PHPSuexec or suPHP guidelines?
Set the owner of all user files
You can also run the following to ensure all users’ files are correctly owned.
Run the following commands in a shell as root:
for CPAccess in `ls -A /var/cpanel/users`; do chown -R $CPAccess:$CPAccess /home/$CPAccess/public_html; done
for CPAccess in `ls -A /var/cpanel/users`; do chown $CPAccess:nobody /home/$CPAccess/public_html; done
Set permissions of all user files
find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;
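The two find commands above only catch the exact modes 0777 and 0666, but suPHP/PHPSuexec refuses anything that is writable by group or others (and files not owned by the account). The script below is an added example, not part of the original post: it audits a document root for both conditions before changing anything, and its fix strips only the offending write bits so execute bits on scripts survive. It assumes GNU find/stat and is run against a constructed temporary tree.

```shell
# Added example (not from the original post): audit and fix a document root
# for the permission problems that make suPHP/PHPSuexec return 500 errors.
# Assumes GNU findutils/coreutils (find -perm /mode, stat -c).

# Print "mode path" for every directory or file writable by group or others,
# i.e. anything over 755 for directories or over 644/755 for files.
audit_perms() {
    find "$1" \( -type d -o -type f \) -perm /022 -exec stat -c '%a %n' {} \;
}

# Number of offending entries; handy for a before/after comparison.
count_bad_perms() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Print every entry under $1 not owned by account $2 (suPHP rejects these too).
audit_owner() {
    find "$1" ! -user "$2"
}

# Remove only the group/other write bits. Unlike a blanket chmod 755/644
# this keeps the execute bit on CGI scripts and directories intact.
fix_perms() {
    find "$1" \( -type d -o -type f \) -perm /022 -exec chmod go-w {} \;
}
```

Run audit_perms and audit_owner first and review the output; fix_perms is deliberately separate so nothing is changed before you have seen the list.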
Cpanel Basics
If you want HTML files parsed as PHP, you can add the following to your .htaccess file.
For web servers running PHP as an Apache module:
AddType application/x-httpd-php .html .htm
For web servers running PHP as CGI:
AddHandler application/x-httpd-php .html .htm
For web servers running PHP under suPHP:
AddType application/x-httpd-php5 .htm .html
Cpanel Basics
/scripts/cpbackup backs up only one account and logs a message that the backup is completed.
The problem is that there may be a file called /etc/cpbackup-skip.conf that lists all the users to skip during backup.
Check and remove the file so that the backup runs for all users.
Cpanel Basics
I found the solution to the “aff_check_security() error”; generally this error comes with a blog.
Whenever you get an error like
======================================================
Fatal error: Cannot redeclare aff_check_security() (previously declared in /home/nodepo79/public_html/poker-affiliates-online.com/affconfig.php:61) in /home/nodepo79/public_html/poker-affiliates-online.com/affconfig.php on line 59
======================================================
Go to the blog directory of that domain where the client installed the blog.
Open the file “affiliate.php” and make the changes below:
================================================
change
include "affconfig.php";
to
include_once "affconfig.php";
================================================
After that, check the URL. It will work.
Cpanel Basics
Advantages of using LiteSpeed compared to Apache:
===========================
1. LiteSpeed is 6 times faster than Apache.
2. When it comes to dynamic content, LiteSpeed is more than 50% faster in PHP content delivery than Apache with mod_php.
3. Increases PHP performance and security while doubling server capacity.
4. Efficient CGI daemon
5. High performance Perl daemon
6. SECURE
* Strictest HTTP request validation
* Deny any buffer-overrun attempts
* Anti-DDoS: Throttling & Connection Accounting
* System overloading prevention
* Chroot web server process
* CGI/FCGI/LSAPI/PHP suEXEC
7. RELIABLE
* Watch Dog monitoring
* Recover from service failure instantly
* Zero down time graceful restart
8. SCALABLE
* Small memory footprint
* Thousands of concurrent connections
* Increase scalability of external web applications
9. LiteSpeed supports a wide set of server APIs and scripting languages.
* CGI/1.1
* FastCGI
* LSAPI (LiteSpeed SAPI)
* JSP/Servlet via AJP 1.3
* Transparent Reverse Proxy (interface to any web server or application server that supports HTTP)
* PHP with 3rd-party PHP accelerator compatibility (APC, eAccelerator, XCache).
* Perl/Python (CGI, FastCGI)
* Ruby/Ruby on Rails
* C/C++ (CGI, FastCGI, LSAPI)
So, for shared hosting or VPS hosting environments it is better to go for the LiteSpeed web server.
Cpanel Basics
We can increase the max emails per hour limit for a specific domain:
vi /var/cpanel/maxemails
yourdomain.com=200
:wq (save & quit)
Replace yourdomain.com with your own domain name.
Then run
/scripts/build_maxemails_config
Cpanel Basics
If Roundcube gives a blank page or any error, please try the steps below for a resolution.
Try the following command:
/usr/local/cpanel/bin/update-roundcube --force
If that did not help, make sure that /usr/local/cpanel/3rdparty/bin/php and /usr/local/cpanel/3rdparty/bin/php-cgi are executable; otherwise run:
chmod 755 /usr/local/cpanel/3rdparty/bin/php-cgi
chmod 755 /usr/local/cpanel/3rdparty/bin/php
/scripts/makecpphp
If it is a database error, make sure that /tmp/mysql.sock is present.
If not, create a symbolic link:
ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
Cpanel Basics