Operating system

Like in the previous article, the target operating system is FreeBSD 4.7. However, the methods presented should also apply on most modern UNIX and UNIX-like systems. This article also assumes that a MySQL database is installed on the host, and is placed in the “/usr/local/mysql” directory.

Functionality

Generally, functionality will be very similar to the one described in the previous article. However, there are some changes:

• The web server must handle the PHP scripting language
• The PHP component must be able to read and write users’ data in a locally installed MySQL database

Security assumptions

In case of security assumptions, the following have been added:

• The PHP configuration should take advantage of built-in security mechanisms
• PHP scripts must be executed in a chrooted environment
• The Apache server must reject all requests (GET and POST), which contain HTML tags (possible Cross-Site-Scripting attack) or apostrophe/quotation marks (possible SQL Injection attack)
• No PHP warning or error messages should be shown to the web application’s regular users
• It should be possible to store incoming GET and POST requests into a text file which will make it possible to use additional, host-based intruder detection system (HIDS), e.g. swatch.

The most important changes that should be made to improve PHP security are as follows:

Unlimited Web Hosting

CSF firewall known as Configserver Security and Firewall is the most trusted firewall on Cpanel servers. It’s very easy to install and manage firewall rules. It also comes with LFD which can be used as Intrusion Detection and Security application.

A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

This CSF suite of scripts provides:

• Straight-forward SPI iptables firewall script
• Daemon process that checks for login authentication failures for:
  • Courier imap, Dovecot, uw-imap, Kerio
  • openSSH
  • cPanel, WHM, Webmail (cPanel servers only)
  • Pure-ftpd, vsftpd, Proftpd
  • Password protected web pages (htpasswd)
  • Mod_security failures (v1 and v2)
  • Suhosin failures
  • Exim SMTP AUTH
  • Custom login failures with separate log file and regular expression matching
• POP3/IMAP login tracking to enforce logins per hour
• SSH login notification
• SU login notification
• Excessive connection blocking
• UI Integration for cPanel, DirectAdmin and Webmin
• Easy upgrade between versions from within cPanel/WHM, DirectAdmin or Webmin
• Easy upgrade between versions from shell
• Pre-configured to work on a cPanel server with all the standard cPanel ports open
• Pre-configured to work on a DirectAdmin server with all the standard DirectAdmin ports open
• Auto-configures the SSH port if it’s non-standard on installation
• Block traffic on unused server IP addresses - helps reduce the risk to your server
• Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
• Suspicious process reporting - reports potential exploits running on the server
• Excessive user processes reporting
• Excessive user process usage reporting and optional termination
• Suspicious file reporting - reports potential exploit files in /tmp and similar directories
• Directory and file watching - reports if a watched directory or a file changes
• Block traffic on the DShield Block List and the Spamhaus DROP List
• BOGON packet protection
• Pre-configured settings for Low, Medium or High firewall security (cPanel servers only)
• Works with multiple ethernet devices
• Server Security Check - Performs a basic security and settings check on the server (via cPanel/DirectAdmin/Webmin UI)
• Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
• Alert sent if server load average remains high for a specified length of time
• mod_security log reporting (if installed)
• Email relay tracking - tracks all email sent through the server and issues alerts for excessive usage (cPanel servers only)
• IDS (Intrusion Detection System) - the last line of detection alerts you to changes to system and application binaries
• SYN Flood protection
• Ping of death protection
• Port Scan tracking and blocking
• Permanent and Temporary (with TTL) IP blocking
• Exploit checks
• Account modification tracking - sends alerts if an account entry is modified, e.g. if the password is changed or the login shell
• Shared syslog aware
• Messenger Service - Allows you to redirect connection requests from blocked IP addresses to preconfigured text and html pages to inform the visitor that they have been blocked in the firewall. This can be particularly useful for those with a large user base and help process support requests more efficiently
• Country Code blocking - Allows you to deny or allow access by ISO Country Code
• Port Flooding Detection - Per IP, per Port connection flooding detection and mitigation to help block DOS attacks
• DirectAdmin UI integration
• Updated Webmin UI integration
• WHM root access notification (cPanel servers only)
• New in v5: lfd Clustering - allows IP address blocks to be automatically propagated around a group of servers running lfd. It allows allows cluster-wide allows, removals and configuration changes
• New in v5: Quick start csf - deferred startup by lfd for servers with large block and/or allow lists
• New in v5: Distributed Login Failure Attack detection
• New in v5: Temporary IP allows (with TTL)
• New in v5: IPv6 Support with ip6tables

Steps to install :

1) Download CSF script from

http://www.configserver.com/free/csf.tgz

2) Untar File

tar -zxf csf.tar.gz

3) Install using following command

sh /csf/install.sh

That’s it! Wait for installation to finish.

Configuration settings:

Config Files

/etc/csf/csf.conf CSF Firewall configuration file
/etc/csf/csf.allow => Config file to allow IPs
/etc/csf/csf.deny => Config file to deny IPs

Once CSF installed you can manage  CSF firewall from WHM >>CSF Security & Firewall option under “Plugin” section.

Packages enables you to create your own custom web hosting packages/plans and are a critical function in WebHost Manager for your Reseller Hosting Plan.
Web Host Manager (WHM) helps you in this process by allowing you to customize a large number of parameters, from disk space and bandwidth to the number of sub-domains and MySQL databases, as well as specifying whether CGI, shell access, and what CPanel default theme are provided.

Step-by-step procedure to create hosting packages in WHM reseller panel.

====================================================
IMPORTANT NOTE: do not put “unlimited” text in any fields while creating package as WHM takes “Unlimited” = 1. you can assign some number 99 or 999 or 9999 instead of “unlimited”. Enter “0″ (zero) when you do not want to allow that particluar feature.
====================================================

To add a package:

1) Click on the Add New Package link in the Packages menu.

2) Enter the name of the package and the maximum disk space the account can occupy in the Package Name and Quota fields.

3) Indicate whether Shell Access is allowed in the Shell Access tick box.

4) Enter the maximum number of items allowed in the Max Ftp Accounts, Max Email Accounts, Max Email Lists, Max SQL Databases, Max Sub Domains, Max Park Domains, and Max Addon Domains fields.
See above IMPORTANT information.

5) Never tick IP tick Box.

6) Indicate whether CGI access and Frontpage Extensions are allowed in the CGI Access and Frontpage Extentions tick boxes.

7) Enter the maximum bandwidth in megabytes allowed by the account in the Bandwidth Limit field.

8 ) Select default CPanel theme for the package in the Cpanel Theme
field.

9) Click on create button on top.

10) You can see status “Created the package yourusername_packagename”. WHM creates packages by adding your user name as prefix to package name.

Now you can start creating domains using this package.

MySQL Web Hosting

Sometimes we need to tune or optimize mySQL server configuration for better performance.

Before making any changes, I strongly recommend that you back up the file, so that you can restore it in case the service does not restart or any other problem happens:

Use the following Config for my.cnf.

1. Take backup of existing config with
cp /etc/my.cnf my.cnf.bak

2. vi /etc/my.cnf

3. Remove the whatever entry are there.

4. Add the following.

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
max_user_connections=25
max_connections=500
interactive_timeout=10
wait_timeout=10
connect_timeout=10
thread_cache_size=128
key_buffer=16M
join_buffer=1M
max_allowed_packet=16M
table_cache=1024
record_buffer=1M
sort_buffer_size=2M
read_buffer_size=2M
myisam_sort_buffer_size=64M
old-passwords = 1

[mysql.server]
user=mysqlbasedir=/var/lib

[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/lib/mysql/mysql.pid
open_files_limit=8192

[mysqldump]
quickmax_allowed_packet=16M

[mysql]
no-auto-rehash

[isamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M
[myisamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[mysqlhotcopy]
interactive-timeout

And restart mysql on server.
# /scripts/restartsrv_mysql

In the source code of such a page I found that all CSS files had a wrong referral url:
/index.php/awards/big_awards
instead of
awards/big_awards
for example.
The starting “/index.php” should not be there.
Also in other links in these page a “/index.php” too much is in the links.

The issue was solved by entering a value for the variable
var $live_site = '';
in the configuration.php:
var $live_site = 'http://www.example.com';

Soruce:

http://www.vanachteren.net

Make sure the directory permissions are not greater than 755

Make sure the PHP file permissions are not greater than 755 - 644 is the default permissions for files uploaded by FTP and will work fine for most PHP files.

Make sure you do not have any .htaccess files which contain PHP flags/values or ForceType directives. These directives need to be handled differently, as explained above.

How to find and change existing users files permissions or ownerships to meet PHPSuexec or SuPHP guidelines ?

Set owner of all user files
Also you can run the following to ensure all users files are correctly owned.
You can do this running the following commands in shell as root;

for CPAccess in `ls -A /var/cpanel/users`; do chown -R $CPAccess:$CPAccess /home/$CPAccess/public_html; done

for CPAccess in `ls -A /var/cpanel/users`; do chown $CPAccess:nobody /home/$CPAccess/public_html; done

Set permissions of all user files

find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;

Take the backup of httpd.conf and php.ini files.

cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bk

cp /usr/lib/php.ini /usr/lib/php.ini.bk

Now run
/scripts/easyapache

go through the options and select suphp and complete the steps.

Once it is done, login to WHM - onfigure Suexec and PHP

Change the PHP 5 Handler from DSO to suphp.

Click on Save New Configuration.

Done, You have completed the installation and now you can check the top command to see php processes will run with user name instead of nobody. But still apache processes run as nobody.

Now we have to change the ownerships and permissions….

Set owner of all user files

for CPAccess in `ls -A /var/cpanel/users`; do chown -R $CPAccess:$CPAccess /home/$CPAccess/public_html; done

for CPAccess in `ls -A /var/cpanel/users`; do chown $CPAccess:nobody /home/$CPAccess/public_html; done

Set permissions of all user files

find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
find /home*/*/public_html -type f -perm 0777 -exec chmod 755 {} \;
find /home*/*/public_html -type f -perm 0666 -exec chmod 644 {} \;

find the .htaccess files which contains php settings like php_value

find /home/*/public_html -name .htaccess -type f | xargs grep -rl php_

It will give the list, so you can comment the php settings and add it on php.ini

For web servers using PHP as apache module:

AddType application/x-httpd-php .html .htm

For web servers running PHP as CGI:

AddHandler application/x-httpd-php .html .htm

For web servers using PHP as suphp module:

AddType application/x-httpd-php5 .htm .html

The simple yet powerful Enkompass interface offers a rich assortment of features that can save your business time and money.

Top Business Features

* Reduce software licensing costs
Quickly add servers as your business grows, paying only for the licenses you need on each type of server.
* Gain access to 30% more market share
According to Netcraft, Microsoft IIS7 is is one of the two leading web server technologies, installed on over 60,000,000 servers worldwide.
* Reduce support costs
Single sign-on provides easier management, greater time savings, and the ability to add new resources.
* Accurate & fast reporting
Easily run reports on bandwidth utilization, disk space utilization, active accounts, resource availability and more, for instant access to valuable decision-making tools.
* Offer premium hosting plans
As a commercial technology, Windows® web hosting can command premium prices. This provides you the opportunity to increase your bottom line.

For more information visit http://www.cpanel.net/windows/overview.html

The problem is relatively clear when you visit a big company’s website. There’s content — lots of it — but there’s relatively little effort put forward into converting that content into anything. There’s a ton of information, a list of contact details that puts the Yellow Pages to shame, and massive potential for SEO work. However, very few big businesses put their SEO muscle to work, and more than a few settle for websites that simply do not sell their services.

As easy as it is to blame the lack of SEO on established buying practices — in store orders, online stores, and resellers — it’s not the total problem. Much of it is simply the fact that a lot of corporations simply are not well educated on the ultra-competitive SEO world, and view search as something other than a major priority. If your company is sounding similar, it is time to take a different approach, and to embrace search for the incredible sales and lead generation machine that it is.

These three suggestions could be the difference between an unknown business website and a conversion-powered one. Implement one, two, or all three and you are sure to see a world of difference in website traffic, online sales and orders, and noticeable online PR.

#1: Add a blog to your company website.
Blogs are great for SEO, and they are even better for grassroots PR efforts. By adding a blog to your company website, you introduce a human element to an otherwise stale website. Even a simple blog can add some massive SEO power to your website, and if it attracts attention it is easy to convert that readership into a massive SEO resource.

#2: Experiment with dedicated SEO.
External SEO firms are often a waste of money, especially for small businesses. However, when your online presence has the potential to sell millions of dollars worth of services, products, or coverage per year, it is in your best interests to open yourself to as many channels as possible. Search is the biggest online referrer, and the small cost of retaining an SEO company is quickly paid back in the incredible order boost that you’ll receive.

#3: Use in-house SEO to lower costs and boost awareness.
Hiring a full time SEO for your company is less expensive than you would expect. While contractors are good for temporary assignments and one-off SEO boosts, if you want a dedicated SEO presence it is best to invest in someone that can work for you full time. Experiment with contract work and temporary SEO at first, then decide whether it is worth the expense of a full SEO team.

Sign up at ehostpros.com web hosting account for $2.99/mo. and you can start blogging in no time. We also offer Reseller Hosting and Domain Name Registrations.