Web-Server Security Guide
#1
Introduction

When you create systems that store and retrieve data, it is important to protect the data from unauthorized use, disclosure, modification or destruction. Ensuring that users have the proper authority to see the data, load new data, or update existing data is an important aspect of application development. Do all users need the same level of access to the data and to the functions provided by your applications? Are there subsets of users that need access to privileged functions? Are some documents restricted to certain classes of users? The answers to questions like these help provide the basis for the security requirements for your application.

 
Picking the Right Web Host

This is a very crucial part of web-server security that web developers never really think about. Servers get rooted all the time; it happens. A hacker could just upload a shell and deface the one site, but most of the time they will go for gold and try to root the entire server. A good web host will protect you from this, so when picking one, just remember this:

Quote: Any free web host is a bad web host.

In my own opinion the biggest free host to avoid is 000WebHost. They will take down your site within about a week of it being up, and force you to upgrade to get it back.

Staying Up-to-Date

Remember to keep all of your software up-to-date. Generally updates are there to fix a few bugs, but sometimes they patch a few vulnerabilities in the software, and if you don't update, a hacker can exploit that vulnerability and use it against you. All because you didn't take 3 minutes out of your precious life to go click a button. Checking for the latest updates on every plugin and on the site's design itself is recommended at least once every two weeks.

Delete the Installation Folder

After you install some software, like MyBB, the installation folder is left on your web server. It is highly recommended to remove that folder after the installation is complete. If not, there are lots of things that could happen with that folder that you really wouldn't want to happen.

Passwords

This is very simple, and users don't even take the time to do it. Make sure to use strong passwords, not just your standard "blah1234"; use something unique. Also, don't make a password that only meets the minimum length; that will definitely make it easy for a hacker to gain access by narrowing down the possible password combinations. There are many sites and tools that can generate strong passwords for you. This one is probably the best:

RandomKeyGen

Prevent SQL, XSS, and More

This is something we use right here on OmegaForums. It is called PHP-Firewall; it filters out malicious code. You can download it from here:

PHP-Firewall.info

Also, as a bonus, this is how you add it to the MyBB forum software:

Open global.php

Add this code at the beginning:

Code:
define('PHP_FIREWALL_REQUEST_URI', strip_tags( $_SERVER['REQUEST_URI'] ) );
define('PHP_FIREWALL_ACTIVATION', true );
if ( is_file( @dirname(__FILE__).'/<Firewall Path>/firewall.php' ) )
    include_once( @dirname(__FILE__).'/<Firewall Path>/firewall.php' );
Reply
#2
Great post, bookmarking this for future reference, also what web hosts do you recommend?
Reply
#3
Quote:Prevent SQL, XSS, and More

This is something we use right here on OmegaForums. It is called PHP-Firewall, it filters out malicious codes. You can download it from here:

PHP-Firewall.info

The industry standard web-app firewall is ModSecurity (https://www.modsecurity.org/); you can run it on Apache, nginx, or IIS, and there are many existing rule sets for blocking common web-app attacks, and you can create your own rules (regex patterns) pretty easily. This would also be faster than a PHP-based implementation.

That said, it looks like php-firewall would work in an environment where you can't set up ModSecurity, like a restrictive shared host. So there is a place for both of them; I do highly recommend ModSecurity though.
Reply
#4
(12-02-2015, 05:13 AM)dropzone Wrote: The industry standard web-app firewall is ModSecurity (https://www.modsecurity.org/); you can run it on Apache, nginx, or IIS, and there are many existing rule sets for blocking common web-app attacks, and you can create your own rules (regex patterns) pretty easily. This would also be faster than a PHP-based implementation.

That said, it looks like php-firewall would work in an environment where you can't set up ModSecurity, like a restrictive shared host. So there is a place for both of them; I do highly recommend ModSecurity though.

Definitely a vote for ModSecurity. A PHP firewall seems like it would be horribly inefficient. Better than nothing... but I think I would recommend, say, implementing secure coding practices over PHP-Firewall any day.

(06-10-2015, 04:54 PM)Cryptography Wrote: This is something we use right here on OmegaForums.

If this is your site, you chose a horrible name. There is already a well-established site/forum with this name, and even LOOKING for your website reveals nothing in Google, unless you throw the word hacking in, in which case you get like, 2 results. The site seems to be misconfigured though.
Reply
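The "secure coding practices" mentioned above, for the two attack classes named in the guide's "Prevent SQL, XSS, and More" section, as an added example that is not code from this thread, from MyBB or from PHP-Firewall. It contrasts string-spliced SQL with a PDO prepared statement, and shows output encoding with htmlspecialchars for the XSS side. The in-memory SQLite database, the `users` table, its columns and the sample rows are constructed for the demonstration; it assumes PHP's pdo_sqlite extension is available.

```php
<?php
// Added example (not MyBB or PHP-Firewall code). Assumes pdo_sqlite is loaded.
declare(strict_types=1);

// Constructed in-memory database with one sample row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users (username, bio) VALUES ('alice', 'Hello <b>world</b>')");

// Vulnerable pattern: the request value is spliced into the SQL text, so the
// structure of the query is under the caller's control. A request filter such as
// PHP-Firewall tries to recognise and block such input; the function below it
// removes the problem instead of trying to detect it.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, bio FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the query text and the value separately,
// so whatever the request contains is only ever compared as data.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side (XSS): encode at the point where the value lands in HTML,
// rather than trying to strip "bad" characters from the incoming request.
function renderBio(array $row): string
{
    $name = htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $bio  = htmlspecialchars($row['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><strong>$name</strong>: $bio</p>";
}

// Constructed request value of the kind a filter rule would have to catch.
$input = "' OR '1'='1";

// The spliced query's WHERE clause has been rewritten, so every row matches (1 row).
echo count(findUserUnsafe($pdo, $input)), " row(s) from the unsafe query\n";
// The prepared statement compares the whole string as a literal username (0 rows).
echo count(findUserSafe($pdo, $input)), " row(s) from the prepared statement\n";
// The <b> tags in the bio are displayed as text, not interpreted by the browser.
echo renderBio(findUserSafe($pdo, 'alice')[0]), "\n";
```

The point of the comparison is where the defence sits: a request filter has to guess which inputs are hostile, whereas the prepared statement and the output encoding make the question irrelevant, because the value can never change the query structure or the HTML structure regardless of what it contains.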
#5
(12-02-2015, 06:49 AM)MuddyBucket Wrote:
(12-02-2015, 05:13 AM)dropzone Wrote: The industry standard web-app firewall is ModSecurity (https://www.modsecurity.org/); you can run it on Apache, nginx, or IIS, and there are many existing rule sets for blocking common web-app attacks, and you can create your own rules (regex patterns) pretty easily. This would also be faster than a PHP-based implementation.

That said, it looks like php-firewall would work in an environment where you can't set up ModSecurity, like a restrictive shared host. So there is a place for both of them; I do highly recommend ModSecurity though.

Definitely a vote for ModSecurity. A PHP firewall seems like it would be horribly inefficient. Better than nothing... but I think I would recommend, say, implementing secure coding practices over PHP-Firewall any day.

(06-10-2015, 04:54 PM)Cryptography Wrote: This is something we use right here on OmegaForums.

If this is your site, you chose a horrible name. There is already a well-established site/forum with this name, and even LOOKING for your website reveals nothing in Google, unless you throw the word hacking in, in which case you get like, 2 results. The site seems to be misconfigured though.

It's an old forum I used to run; it's closed now.
Reply
#6
(12-02-2015, 12:29 AM)Enthusiasm Wrote: Great post, bookmarking this for future reference, also what web hosts do you recommend?

Get an old computer, install a Debian server on it, and learn how to run a server via the command line. Once you're ready, get a VPS; avoid shared hosting, there is no reason to ever use it. Always weak and always garbage. A good VPS that I like to use is DigitalOcean.
Reply
#7
(12-05-2015, 12:16 AM)NO-OP Wrote:
(12-02-2015, 12:29 AM)Enthusiasm Wrote: Great post, bookmarking this for future reference, also what web hosts do you recommend?

Get an old computer, install a Debian server on it, and learn how to run a server via the command line. Once you're ready, get a VPS; avoid shared hosting, there is no reason to ever use it. Always weak and always garbage. A good VPS that I like to use is DigitalOcean.

Also, if you use BlazingFast, ALWAYS use a dedicated server, as all of their servers they host their VPSes on are backdoored.
Reply
#8
(12-05-2015, 02:07 AM)Cryptography Wrote:
(12-05-2015, 12:16 AM)NO-OP Wrote:
(12-02-2015, 12:29 AM)Enthusiasm Wrote: Great post, bookmarking this for future reference, also what web hosts do you recommend?

Get an old computer, install a Debian server on it, and learn how to run a server via the command line. Once you're ready, get a VPS; avoid shared hosting, there is no reason to ever use it. Always weak and always garbage. A good VPS that I like to use is DigitalOcean.

Also, if you use BlazingFast, ALWAYS use a dedicated server, as all of their servers they host their VPSes on are backdoored.

I heard this too. But is there any way to confirm it? Rumours can be rumours, you know.
Reply
#9
(12-05-2015, 02:46 AM)Insider Wrote:
(12-05-2015, 02:07 AM)Cryptography Wrote:
(12-05-2015, 12:16 AM)NO-OP Wrote:
(12-02-2015, 12:29 AM)Enthusiasm Wrote: Great post, bookmarking this for future reference, also what web hosts do you recommend?

Get an old computer, install a Debian server on it, and learn how to run a server via the command line. Once you're ready, get a VPS; avoid shared hosting, there is no reason to ever use it. Always weak and always garbage. A good VPS that I like to use is DigitalOcean.

Also, if you use BlazingFast, ALWAYS use a dedicated server, as all of their servers they host their VPSes on are backdoored.

I heard this too. But is there any way to confirm it? Rumours can be rumours, you know.

I have a friend who used to run a forum off of a BF VPS and it had some "shady" activity in the logs. That, combined with the rumors, led me to believe they are backdoored. I don't know if he has the logs anymore, but he showed them to me.
Reply
#10
(12-05-2015, 03:07 AM)Cryptography Wrote:
(12-05-2015, 02:46 AM)Insider Wrote:
(12-05-2015, 02:07 AM)Cryptography Wrote:
(12-05-2015, 12:16 AM)NO-OP Wrote:
(12-02-2015, 12:29 AM)Enthusiasm Wrote: Great post, bookmarking this for future reference, also what web hosts do you recommend?

Get an old computer, install a Debian server on it, and learn how to run a server via the command line. Once you're ready, get a VPS; avoid shared hosting, there is no reason to ever use it. Always weak and always garbage. A good VPS that I like to use is DigitalOcean.

Also, if you use BlazingFast, ALWAYS use a dedicated server, as all of their servers they host their VPSes on are backdoored.

I heard this too. But is there any way to confirm it? Rumours can be rumours, you know.

I have a friend who used to run a forum off of a BF VPS and it had some "shady" activity in the logs. That, combined with the rumors, led me to believe they are backdoored. I don't know if he has the logs anymore, but he showed them to me.

It could also mean that his machine/VPS was compromised by a third party, such as the infamous Chinese bruteforcers knocking on your SSH ports :p You shouldn't assume anything. But tbh BlazingFast is kind of bad imo. They removed my VPS machines without notification, even though I had paid on time, because of inactivity on the account. So money gone into the trashcan I guess... they ignored my ticket containing proof of purchase.
Reply