The popular English saying, prevention is better than cure, holds true when dealing with an organization’s network security.
An important part of ‘prevention’ is achieved through proper patch management – emphasis here on ‘proper’. There are certain procedures you have to follow before deploying patches, and after the patches have been installed. Cutting corners can cause those same issues you are trying to avoid. Here are the three main steps to take for proper patch management:
The importance of pre-deployment testing:
First of all you need to set up a proper test environment to mitigate the risk of system instability. Without a proper test environment, you’d be unable to ensure that the patches you are about to deploy do not conflict with your setup. In some cases, this might even prevent the system from starting up, something you would want to avoid at all costs. This test environment should closely mirror the actual environment where you will deploy the patches.
A patch in time…
Delaying patch deployment means that unpatched vulnerabilities can be exploited by hackers until they are fixed. That said, one should not rush the deployment process – proper testing before deployment is crucial. It is also important to note that patches should be prioritized in terms of severity and applicability to your environment. Critical patches should be deployed as soon as possible, with the others following in batches until all systems are fully patched.
Double-checking goes a long way:
Failing to verify whether patch deployment has been successful can leave you just as vulnerable as if you did no patching at all. Patch deployment can fail for several reasons. If you do not re-scan the system after deployment to ensure that patches are no longer required, you are assuming that everything is fine. Only by double-checking that patches are no longer needed can you be sure the job is done – until the next round.
What’s your Plan B?
Failing to have a disaster recovery plan can prove to be a painful and costly oversight. No matter how many safety measures you take, you can never be sure that nothing will go wrong.
Even the most thoroughly tested patches can find an unexpected combination of software and hardware on the live network that causes the patch to fail, eventually taking the whole system down. It is essential that you are ready for such an eventuality. A disaster recovery plan will provide detailed instructions on what needs to be done in order to restore a system back to operational status as quickly as possible.
Proper patch management requires a bit of foresight and planning, but it’s definitely time invested sensibly. If all the right steps are followed, your patch management process will help you avoid many headaches and stress.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about the right patch management solution. All product and company names herein may be trademarks of their respective owners.
An open relay is “a mail server that does not verify that it is authorised to send mail from the email address that a user is trying to send from. Therefore, users would be able to send email originating from any third-party email address they want.”
Using an open relay, someone could use your domain name to send emails from dummy accounts. It is a method of sending spam that keeps the sender from being identified or blocked from sending future spam messages.
You can easily determine whether your Postfix mail server is an open relay by using a tool from spamhelp.org. If your server is acting as an open relay, you can secure it by setting proper authentication restrictions. Edit the Postfix configuration file /etc/mail/main.cf and search for the following lines to edit them (or add them if they are not in the Postfix configuration file):
smtpd_delay_reject = no
disable_vrfy_command = yes
These settings force incoming requests to stop and identify themselves before accessing the SMTP server. Authenticated users are allowed to pass through and send mail. Restart Postfix to apply the changes:
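The two directives above stop VRFY probing and make rejections immediate; the setting that actually refuses relaying for clients that are neither in mynetworks nor SASL-authenticated is reject_unauth_destination in smtpd_recipient_restrictions (or smtpd_relay_restrictions on Postfix 2.10 and later). The following shell audit is an added example, not part of the original post or of Postfix itself: it folds a main.cf into logical lines and reports whether that directive is present, using two constructed sample configs.

```shell
#!/bin/sh
# Added example: audit a Postfix main.cf for the directive that refuses
# relaying to unauthenticated clients. Assumes Postfix "key = value" syntax
# with indented continuation lines; the sample configs below are constructed.

# Print main.cf with comment lines dropped and continuation lines folded into
# their parent line, so that each parameter becomes one logical line.
postfix_logical_lines() {
    awk '
        /^[[:space:]]*#/ { next }                    # skip comments
        /^[[:space:]]+/  { buf = buf " " $0; next }  # continuation line
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# Return 0 when smtpd_recipient_restrictions or smtpd_relay_restrictions
# contains reject_unauth_destination / defer_unauth_destination; 1 otherwise.
postfix_relay_guard_ok() {
    postfix_logical_lines "$1" \
        | grep -E '^[[:space:]]*smtpd_(recipient|relay)_restrictions[[:space:]]*=' \
        | grep -qE '(reject|defer)_unauth_destination'
}

# Constructed sample: relaying is never refused, so this server is an open relay.
write_open_relay_cfg() {
    cat > "$1" <<'EOF'
# constructed sample main.cf - WEAK
myhostname = mail.example.test
smtpd_delay_reject = no
disable_vrfy_command = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated
EOF
}

# Constructed sample: same server with relaying refused for everyone else.
write_closed_relay_cfg() {
    cat > "$1" <<'EOF'
# constructed sample main.cf - CORRECTED
myhostname = mail.example.test
smtpd_delay_reject = no
disable_vrfy_command = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
}

# Stand-alone demo: write both samples, audit each and print a verdict.
postfix_relay_demo() {
    dir=$(mktemp -d)
    write_open_relay_cfg "$dir/weak.cf"
    write_closed_relay_cfg "$dir/fixed.cf"
    for f in "$dir/weak.cf" "$dir/fixed.cf"; do
        if postfix_relay_guard_ok "$f"; then
            echo "$f: relaying restricted"
        else
            echo "$f: OPEN RELAY RISK - add reject_unauth_destination"
        fi
    done
    rm -rf "$dir"
}

postfix_relay_demo
```

Run it against a real server with `postfix_relay_guard_ok /etc/postfix/main.cf` after sourcing the file; `postconf smtpd_recipient_restrictions` shows the same effective value.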
In a previous post (How to Change Linux Server SSH Port), I described how to change the SSH port on a Linux server from the standard port 22. That works fine in most cases, but you may see the error below if you apply the change on Red Hat Enterprise Linux 6:
sshd[82123]: error: Bind to port 2222 on 192.168.4.5 failed: Permission denied
If you see the above error message, you most likely have SELinux (Security Enhanced Linux) enabled, as it is a standard feature of RHEL. In this version, SELinux prevents sshd from binding to any port other than the standard port 22. Fortunately, it is quite simple to change the settings to allow the port you want (2222 in our other article).
Log on to your Linux server as root and use semanage to display the current SSH port settings:
semanage port -l | grep ssh
The output looks like this:
ssh_port_t tcp 22
You can add port 2222 to the list of acceptable ports with the following command:
semanage port -a -t ssh_port_t -p tcp 2222
Re-check to make sure the change was saved:
semanage port -l | grep ssh
The output should now look like this:
ssh_port_t tcp 2222,22
Make sure to configure your Linux server firewall rules to allow the new SSH port (2222) and to block the default SSH port (22).
Verify the settings and restart OpenSSH for the changes to take effect:
/sbin/service sshd restart
Now you should be able to connect to the custom SSH port (2222 in our example).
The Linux SSH server (OpenSSH) listens on port 22 by default. If you want to change the default SSH port to a custom one as a security measure, follow the steps below.
To change your SSH port, as root, edit the sshd_config file in your /etc/ssh directory.
vim /etc/ssh/sshd_config
Search for a line like the following:
Port 22
Change 22 to the port number of your choice. Make sure your custom port is not already used by another service on your server.
Port 2222
Note: you can use any other number of your choice.
Make sure to configure your server firewall rules to allow the new SSH port (2222) and to block the default SSH port (22).
Save the file and then restart sshd:
/etc/init.d/sshd restart
Note: by changing the default SSH port, you add a thin layer of security to your Linux server. It will not stop more advanced bots etc.
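The "Bind to port ... Permission denied" error from the first article is exactly the case where sshd_config asks for a port that SELinux's ssh_port_t list does not contain. The shell check below is an added example, not from either article: it reads every Port directive from an sshd_config and compares it with the ssh_port_t line of `semanage port -l` output (passed in as text, so it runs without SELinux), printing the semanage command to run for each mismatch. Sample inputs are constructed; port ranges in semanage output are not handled.

```shell
#!/bin/sh
# Added example: detect sshd_config ports that SELinux would refuse to bind.
# Assumes "Port N" lines in sshd_config and semanage output in the
# "ssh_port_t  tcp  2222, 22" form shown above (ranges like 1024-65535 ignored).

# Print every Port value in an sshd_config (sshd listens on all of them).
# Commented-out "#Port 22" lines are ignored because $1 is "#Port".
sshd_ports_from_config() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# Return 0 if the port appears in the ssh_port_t/tcp line of semanage output.
selinux_allows_ssh_port() {
    port="$1"
    semanage_output="$2"
    printf '%s\n' "$semanage_output" \
        | awk -v p="$port" '
            $1 == "ssh_port_t" && $2 == "tcp" {
                for (i = 3; i <= NF; i++) {          # fields after the protocol
                    n = split($i, parts, ",")        # handles "2222,22" and "2222, 22"
                    for (j = 1; j <= n; j++) if (parts[j] == p) found = 1
                }
            }
            END { if (found) exit 0; exit 1 }'
}

# Print one line per port sshd would fail to bind; return 0 if there are none.
sshd_selinux_mismatches() {
    cfg="$1"; semanage_output="$2"; rc=0
    for p in $(sshd_ports_from_config "$cfg"); do
        if ! selinux_allows_ssh_port "$p" "$semanage_output"; then
            echo "port $p is not in ssh_port_t; run: semanage port -a -t ssh_port_t -p tcp $p"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo with a constructed sshd_config and the pre-change semanage line.
ssh_port_demo() {
    d=$(mktemp -d)
    printf 'Port 2222\n#Port 22\nPermitRootLogin no\n' > "$d/sshd_config"
    sshd_selinux_mismatches "$d/sshd_config" 'ssh_port_t    tcp    22' \
        || echo "(sshd would log: Bind to port 2222 ... failed: Permission denied)"
    rm -rf "$d"
}

ssh_port_demo
```

On a live RHEL host, feed it real data with `sshd_selinux_mismatches /etc/ssh/sshd_config "$(semanage port -l | grep ssh)"`.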
The default SMTP port for Postfix, Sendmail and most other mail servers is 25; it is used to send email, and most email clients use port 25 as the default port for sending mail. Unfortunately, Internet service providers (ISPs) have started to block port 25 to control the high volume of spam sent through it, and require their users to use the ISP's SMTP server.
This is the major reason why mail server administrators consider changing their default SMTP port from 25 to something else. Other server administrators use proxy servers to redirect mail traffic through spam and DNS filters before eventually resolving to another port.
To change the Postfix SMTP port, you need root access to your server. Edit the Postfix configuration file /etc/postfix/master.cf and comment out the following line:
# smtp inet n - n - - smtpd
Next, add this line:
2525 inet n - n - - smtpd
You can replace 2525 with the port number of your choice for your SMTP server.
Finally, restart Postfix:
/etc/init.d/postfix restart
or
service postfix restart
You may need to configure your firewall (if you use one) to allow the new port and deny port 25.
SQL Server allows you to create additional filegroups to spread the storage of data and indexes across different disks and improve I/O performance. The issue is that when creating new data storage objects we are required to explicitly point to the new filegroup. Is there any option to use the new filegroup by default, without explicitly specifying the filegroup when creating new tables and indexes?
Let me explain some terminology:
Database – is made up of multiple files for database objects and transaction logs
File – a physical file that is used to store database objects or transaction logs
Filegroup – this is a container that is made up of one or more files to store database objects
PRIMARY filegroup – this is the default filegroup that is created when you create a new database.
Default filegroup – when creating new tables and indexes this specifies which filegroup is the default if a filegroup is not specified
Based on the explanation above, when creating a new database the primary filegroup is the default filegroup and the primary data file is created in it. When a table or index is created without specifying a filegroup, all pages are allocated from the default filegroup. Note: only one filegroup at a time can be the default filegroup.
By default, the primary filegroup is the default filegroup, so all new objects are placed in this filegroup. However we can change the default filegroup to any other filegroup at any time. When you have multiple filegroups, changing the default filegroup from PRIMARY to another one is a good idea, because it eliminates the need to specify the filegroup when objects are created and makes sure that new objects are created in the correct filegroup.
Example
Let’s analyze the problem for which we are required to change the default filegroup from primary to something else.
The following script creates a database and then adds additional filegroups. Although additional filegroups can be created when creating a database, I added the filegroups later for simplicity and illustration. So in this case, the primary filegroup will be the default filegroup.
-- Script 1: Create DB and add additional file group
-- If the DB already exists then drop it
-- (switch to master first so the DROP does not run from inside MSSQLTip,
--  and keep the DROP inside the IF so it only runs when the DB exists)
USE master
GO
IF EXISTS (SELECT * FROM sys.databases WHERE name = 'MSSQLTip')
    DROP DATABASE MSSQLTip
GO
-- Create new DB
CREATE DATABASE MSSQLTip
GO
-- Add file groups to DB
ALTER DATABASE MSSQLTip ADD FILEGROUP FG1
ALTER DATABASE MSSQLTip ADD FILEGROUP FG2
GO
-- Verify file groups in DB
USE MSSQLTip
GO
SELECT groupName AS FileGroupName FROM sysfilegroups
GO
At this point we have three filegroups, primary, FG1 and FG2, in our new database. Any new table or index will be created in the primary filegroup, which is the default, unless we specify the filegroup to use. If we want to create a data storage object in FG1 or FG2 then the only way is to specify the filegroup when creating the storage object.
Consider the following scenario where we want to create a table without specifying the filegroup. As long as primary remains the default, we have to give explicit instructions to create data storage objects in any other filegroup. The only way to ensure that new data storage objects land on FG1 or FG2 without any additional consideration is to make the required filegroup the default. Script 2 shows both cases:
-- Script 2: Create tables in file groups
-- tbl1 would be created on primary file group
CREATE Table tbl1 (ID int identity(1,1))
GO
-- tbl2 would be created on FG1
CREATE Table tbl2 (ID int identity(1,1), fname varchar(20))
ON FG1
GO
-- Verify file group of tbl1
sp_help tbl1
GO
-- Verify file group of tbl2
sp_help tbl2
GO
Now that we created the table on the new filegroup we can try to insert data as follows:
INSERT INTO tbl2 (fname) values ('Atif')
GO
Since we did not specify a file for this filegroup we get this error message:
Msg 622, Level 16, State 3, Line 1 The filegroup "FG1" has no files assigned to it. Tables, indexes, text columns, ntext columns, and image columns cannot be populated on this filegroup until a file is added.
Another issue we have since we do not have a file associated with this filegroup is if we try to change FG1 to be the default filegroup as shown below:
ALTER DATABASE MSSQLTip MODIFY FILEGROUP FG1 DEFAULT
GO
We will get this error message, because a file group cannot be set as the default unless it has at least one data file.
Msg 5050, Level 16, State 1, Line 1 Cannot change the properties of empty filegroup 'FG1'. The filegroup must contain at least one file.
Creating the Data File
A data file may be placed in a single filegroup and cannot be shared among filegroups. Files may be placed in the filegroup at DB creation time or at a later time. In the following script we create secondary data files for each filegroup (FG1 and FG2). (Note: if you do this on your server you will need to specify the correct path for the file creation.)
-- Script 3: Add data files to file groups
-- Add data file to FG1
ALTER DATABASE MSSQLTip
ADD FILE (NAME = MSSQLTip_1,FILENAME = 'F:\DBs\2K5\MSSQLTip_1.ndf')
TO FILEGROUP FG1
GO
-- Add data file to FG2
ALTER DATABASE MSSQLTip
ADD FILE (NAME = MSSQLTip_2,FILENAME = 'F:\DBs\2K5\MSSQLTip_2.ndf')
TO FILEGROUP FG2
GO
-- Verify files in file groups
USE MSSQLTip
GO
sp_helpfile
GO
Setting New Default Filegroup
After creating the new files for filegroups FG1 and FG2, we can change the default filegroup and verify the new default by running the code below.
--Script 4: Set FG1 as default file group
-- Set FG1 as default file group
ALTER DATABASE MSSQLTip MODIFY FILEGROUP FG1 DEFAULT
GO
-- Create a table without specifying file group
Create table table3 (ID TINYINT)
GO
--Verify the file group of table3 is FG1
sp_help table3
GO
-- insert some data to make sure no errors
insert into table3 values (10)
GO
Using sp_help shows that table3 is created in FG1 even without specifying FG1 when creating the table.
Now let's set FG2 as the default filegroup using SSMS. Right-click on the MSSQLTip database and click on Properties. Go to the Filegroups page and set FG2 as the default as shown below.
Checking the Default Filegroup
In addition to using SSMS to find what filegroup is the default, we can also check the default filegroup by querying sysfilegroups as shown below.
--Script 5: verify default filegroup
USE MSSQLTip
GO
SELECT groupname AS DefaultFileGroup FROM sysfilegroups
WHERE convert(bit, (status & 0x10)) = 1
GO
Summary
Setting the default filegroup does not stop you from using other filegroups; it just means that you will need to specify the correct filegroup when creating a table or index, otherwise it will be created on whatever filegroup is set as the default.
One of the best ways to securely provide Internet access to your users is to monitor Internet usage.
When you monitor Internet usage, you don’t have to parse log files of each and every website your users visit, nor do you have to question them about why they spent twenty minutes updating their status. The right way to monitor Internet usage is to use an Internet monitoring application that can automate all the different aspects of providing Internet access to your users in a safe and secure fashion, and that can enforce your company’s Internet Usage Policy while respecting users’ privacy, and administrators’ limited time.
There are a number of practices small to medium sized businesses should follow when monitoring Internet usage. The following should be "must-dos":
1. Establish a clear policy Every company, no matter how large or small, needs to have a clear and concise policy that addresses what is, and is not, appropriate when employees are using the company’s computer resources. Whether you incorporate Internet access into your Acceptable Use Policy or Information Security Policy, make sure you clearly spell out what is acceptable and what is not.
2. Educate users Go over this policy with your employees. Do so at new hire orientation, and make it a part of your annual policy training with every user, every year. Keep the policy online where users can get to it, refer to it when appropriate, and consider some form of monthly or quarterly update/reminder so users are fully aware of what is expected.
3. Allow some personal use You will probably find out quickly that permitting some personal use of the Internet goes a long way towards improving morale. Whether you expect managers to ensure it does not get out of hand, or you use bandwidth or time filters to enforce limits, it's worth permitting users some degree of freedom. It shows trust, and softens the blow when users must take a call after hours, work late, or work on the weekend.
4. Implement Internet monitoring Deploy an application that can perform Internet monitoring automatically. Using network sniffing or monitoring DNS logs is not a practical or scalable way to monitor Internet usage. Use a server-based application and ensure that all Internet access flows through this system with no way to circumvent it. If you deploy software to monitor Internet usage on your gateway, there won’t be a practical way to bypass or circumvent it. If you use a separate server and configure your browsers to use it as a proxy, make sure you block outbound web traffic from client subnets so no one can bypass it.
5. Protect users’ privacy When you monitor Internet usage, you are doing so to protect the company, not to play the role of an Internet cop or to pry into the activities of individual users. Look for Internet monitoring software that can aggregate log data, or otherwise protect individual users’ identities unless there is a reason to investigate a specific user’s actions.
6. Use categories and block phishing, compromised, and suspicious sites When you monitor Internet usage, use a solution that offers categorized lists of sites you can block based on the company’s policy, and that can also block phishing sites, hacked sites, and sites that are “suspicious”. Perfectly legitimate business websites are compromised every day, and your Internet monitoring software should be able to update and react quickly to new threats.
7. Provide a way to request exceptions You will find times when a user feels they need to access a blocked site. This could be because of a miscategorization or special need, or simply a misunderstanding. Whatever the reason, provide a way for users to request exceptions so they won’t look for ways to violate the policy.
8. Keep awareness up Make sure users are aware that the company monitors Internet usage, and why it does so. Send out updates when the Internet monitoring application blocks an infected download, prevents a user from accessing a compromised website, or blocks a phishing victim from visiting a fake site. This not only helps users to understand why the company monitors Internet usage, but can also help them be a little more cautious about what they do at home.
Implement these best practices for monitoring Internet usage within your organization, and you will provide your users with a safe, secure, and effective way to use the Internet, without anyone feeling untrusted or that their privacy has been violated.
This guest post was provided by Casper Manes on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to monitor Internet usage.
All product and company names herein may be trademarks of their respective owners.
If you have forgotten your Windows 7 password, the best option is to reset it. How? There is third-party software available to reset Windows 7 passwords; several free and commercial Windows 7 password recovery tools are on the market. We will discuss three free tools in this article.
1. PC Login Now
PC Login Now is a free tool. Instead of discovering and displaying your current password, "PC Login Now" removes the password so that you can access your computer again and set a new one. It works similarly to the free and popular Offline NT Password & Registry Editor, but it's much easier to use.
Offline NT Password & Registry Editor erases your lost or forgotten password instead of recovering it. In fact it's more of a password reset tool than a recovery tool. To use this utility, you need to boot from a CD burned from the Offline NT Password & Registry Editor ISO file. Once you reset your password you can log in to your Windows account without a password. It is a text-based program and a little inconvenient to use when regaining access to a locked computer.
Ophcrack is by far the most popular free Windows 7 password recovery tool available. Unlike Offline NT Password & Registry Editor mentioned above, Ophcrack recovers lost passwords from their LM hashes using rainbow tables.
With Ophcrack, you don't need any access to the Windows system to be able to recover your lost passwords. Simply visit the site, download the free ISO image, burn it to a CD and boot from the CD. The Ophcrack program starts, locates the Windows user accounts, and proceeds to recover (crack) the passwords automatically.
Take the Cisco ASA 5505 out of its box and attach the power cord and console cable.
Access the ASA 5505 console through HyperTerminal / PuTTY and you will see the interface below:
Code:
Type help or ‘?’ for a list of available commands.
ciscoasa>
Type the command “enable” to get in enabled mode.
Code:
Type help or ‘?’ for a list of available commands.
ciscoasa> enable
Password:
ciscoasa#
You may see a password prompt; just press Enter, as there is no password configured on a new appliance.
The first thing you want to do is type the command "write erase". This deletes the default configuration set by Cisco. You might wonder why, but there is a lot in that configuration that you may not require, and you may run into network issues if you connect your ASA 5505 security appliance to your DHCP-enabled network.
You will be prompted to confirm that you want to erase the default configuration. Press Enter to proceed.
Once you have erased the startup configuration you need to reload the ASA so it boots with a clean configuration. Type the "reload" command:
Code:
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system
***
--- SHUTDOWN NOW ---
After the ASA 5505 reloads you will see the prompt below asking whether to set up the firewall through the wizard; type "no" to set up the ASA 5505 security appliance manually.
Code:
Pre-configure Firewall now through interactive prompts [yes]?
Now enter enable mode (look it up above if you forgot how) and issue the command "show running-config".
Code:
ciscoasa# show running-config
Looks nice and clean right?
Now we can start manual configuration of ASA security appliance.
Enter configuration mode by issuing the command "configure terminal":
Code:
ciscoasa# configure terminal
ciscoasa(config)#
Notice the (config) behind the device hostname. This means you’re in configuration mode.
Change the Cisco ASA hostname.
Code:
ciscoasa(config)# hostname MyASA
MyASA(config)#
You can see the hostname change immediately.
Set a username and password to manage the ASA from your desk with SSH/Telnet/ASDM.
Code:
MyASA(config)# username example password example privilege 15
MyASA(config)#
Setting your privilege to 15 is very important if you’re the one that is going to manage the ASA. Privilege 15 is the highest of the privileges and gives you full control over the device.
Configure the inside (LAN) address of the ASA 5505 security appliance.
With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.
Code:
MyASA(config)# interface vlan 1
MyASA(config-if)# ip address 192.168.1.1 255.255.255.0
MyASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
All ASA devices work with security levels that you apply to VLANs/interfaces. Traffic can always go from a high security level (100) to a low one (0), but never the other way around unless explicitly configured. This means that no one on the outside can start a session to the inside.
For the inside VLAN:
Configure outside (WAN) interface.
Depending on the provider you might have to do this a little differently, but here we are configuring a static IP address.
Code:
MyASA(config)# interface vlan 2
MyASA(config-if)# ip address 212.115.192.193 255.255.255.248
MyASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
MyASA(config-if)# exit
MyASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.192
As you can see, the ASA sets the security level of the interface called outside to 0. You also need to add a static route if your provider supplied you with a static IP address; this is the default gateway.
If your provider gives you an IP address through DHCP, the configuration is a little easier.
Code:
MyASA(config)# interface vlan 2
MyASA(config-if)# ip address dhcp set route
MyASA(config-if)# nameif outside
Now we need to attach the outside VLAN to one of the interfaces of the ASA. By default all the interfaces are attached to VLAN 1 and all the interfaces are in the "shutdown" state. In this example I will attach the interface "Ethernet 0" to the outside VLAN (VLAN 2) and make the port operational.
Once that is done this interface is attached to VLAN 2 and operational. You also need to make at least one other port operational for your inside network by typing the command "no shutdown":
Code:
MyASA(config)# interface ethernet0/1
MyASA(config-if)# no shutdown
By default all the interfaces are attached to VLAN 1 so you don’t need to assign a VLAN to the interface.
Configure NAT to make internet work from your inside network.
For NAT, the first step is to make a global interface to which all the addresses from the inside are translated.
Code:
MyASA(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool
The number 10 in that line is an identifier. It lets you tell the NAT rule on the inside which outside IP address to translate to. The interface keyword means that the interface's own IP address is used for translation, in this case the outside interface.
The second NAT step is to make a NAT rule for the inside network.
I used the number 10 in this NAT rule, which links the inside network to the outside global. The subnet after it states that the network 192.168.1.0/24 is allowed to be translated to the outside IP address.
Congratulations! You configured your ASA to allow internet for your internal LAN with 192.168.1.0 network.
If you want to manage the ASA security appliance remotely, i.e. without access to the console:
The ASA supports remote administration through SSH and Telnet. The ASA also has a good graphical interface called the ASDM (Adaptive Security Device Manager). I will guide you through configuring the ASA so you are able to connect with the ASDM (graphical) and with SSH (CLI).
Enable SSH on the Cisco ASA 5505 security appliance. To enable SSH you will need to generate a key which will encrypt the traffic between the user and the ASA.
Code:
MyASA(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…
MyASA(config)#
Now we want to use the username we made earlier to connect to the ASA with SSH.
Code:
MyASA(config)# aaa authentication ssh console LOCAL
The LOCAL means that the ASA uses the local username database to authenticate users.
Setup ACL (access control list) to access ASA with SSH. In this example we only allow users on the inside to access the ASA with SSH.
PHP is an open source server-side scripting language and it is widely used. The Apache web server provides access to files and content over the HTTP or HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems, so PHP should be used carefully. Here are twenty-five PHP security best practices for sysadmins to secure the PHP configuration.
Sample Tips for PHP Security
DocumentRoot: /var/www/html
Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
Default php server TCP/UDP ports: none
Most of the actions listed in this post are written with the assumption that they will be executed by the root user running bash or any other modern shell:
$ php -v
Sample outputs:
PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
For demonstration purposes I'm going to use the following operating system:
$ cat /etc/redhat-release
Sample outputs:
Red Hat Enterprise Linux Server release 6.1 (Santiago)
1: Know Your Enemy
PHP-based apps can face different types of attacks. I have seen the following:
XSS - Cross-site scripting is a vulnerability in PHP web applications that attackers may exploit to steal users' information. You can configure Apache and write secure code (validating all user input) to avoid XSS attacks.
SQL injection - a vulnerability in the database layer of a PHP application. When user input is incorrectly filtered, arbitrary SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function mysql_real_escape_string() before sending the SQL query.
Spoofing
File uploads – allowing visitors to place files on your server. This can result in your files or database being deleted, user details being stolen and much more. You can disable file uploads in PHP or write secure code (e.g., validate and only allow image file types such as PNG or GIF).
Including local and remote files – an attacker can open files from a remote server and execute arbitrary PHP code. This allows them to upload files, delete files and install backdoors. You can configure PHP to disable remote file inclusion.
eval() - evaluates a string as PHP code. This is often used by attackers to hide their code and tools on the server itself. You can configure PHP to disable eval().
Sea-surf attack (Cross-site request forgery, CSRF) – this attack forces an end user to execute unwanted actions on a web application in which they are currently authenticated. A successful CSRF exploit can compromise end-user data and operations for a normal user; if the targeted end user is an administrator account, it can compromise the entire web application.
2: Find Built-in PHP Modules
To see the set of compiled-in PHP modules, type the following command:
# php -m
Sample outputs:
[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
imap
json
libxml
mbstring
memcache
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
readline
Reflection
session
shmop
SimpleXML
sockets
SPL
sqlite3
standard
suhosin
tokenizer
wddx
xml
xmlreader
xmlrpc
xmlwriter
xsl
zip
zlib
[Zend Modules]
Suhosin
I recommends that you use PHP with a reduced modules for performance and security. For example, you can disable sqlite3 module by deleting (removing) file , OR renaming (moving) a file /etc/php.d/sqlite3.ini as follows: # rm /etc/php.d/sqlite3.ini
OR # mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
Other compiled-in modules can only be removed by reinstallating (reconfigure or rebuild php rpms) PHP with a reduced configuration. You can download php source code and compile it as follows by with GD, fastcgi, and, MySQL support:
3: Restrict PHP Information Leakage
To restrict PHP information leakage, set expose_php to Off. Edit /etc/php.d/security.ini and set the following directive:
expose_php=Off
With expose_php on, PHP advertises itself to the world in the HTTP response headers (e.g., X-Powered-By: PHP/5.3.3) and answers special logo GUIDs appended to the URL of any PHP page with the PHP logo (PHP 5.5 later removed the logo GUIDs, but the header is still controlled by this directive). Setting it to Off hides both. After restarting Apache, verify that the header is gone: $ curl -I http://www.cyberciti.biz/index.php
4: Minimize Loadable PHP Modules (Dynamic Extensions)
Your PHP supports "Dynamic Extensions". By default, RHEL loads every extension module that has a configuration file in the /etc/php.d/ directory. To enable or disable a particular module, find its configuration file in /etc/php.d/ and comment out the extension= line, or rename or delete the file. For best PHP performance and security, enable only the extensions your web apps require. To disable the gd extension, type the following commands: # cd /etc/php.d/
# mv gd.{ini,disable}
# /sbin/service httpd restart
To enable the gd module again, enter: # mv gd.{disable,ini}
# /sbin/service httpd restart
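The rename-the-ini approach used above and in section 2 is easy to script. The following is an added example, not code from the article: it wraps the mv commands in idempotent functions and adds a "keep only these extensions" step, which is what the advice to enable only what your web apps require amounts to in practice. PHP_D is an assumption so the functions can be tried on a scratch directory; on a real RHEL/CentOS host it is /etc/php.d, and httpd (or the php-cgi/php-fpm service) must be restarted afterwards, as the article does.

```shell
#!/bin/sh
# Added example (not from the article): manage RHEL's "Dynamic Extensions" by
# renaming the per-extension files under /etc/php.d, as the mv commands above
# do by hand. PHP_D is an assumption so the functions can be tried on a scratch
# directory; on a real RHEL/CentOS host it is /etc/php.d. Restart httpd (or the
# php-cgi/php-fpm service) after changing anything here.
PHP_D="${PHP_D:-/etc/php.d}"

# php_ext_state NAME -> enabled | disabled | missing
php_ext_state() {
    if   [ -f "$PHP_D/$1.ini" ];     then echo enabled
    elif [ -f "$PHP_D/$1.disable" ]; then echo disabled
    else                                  echo missing
    fi
}

# php_ext_disable NAME -> NAME.ini becomes NAME.disable (no-op if already off)
php_ext_disable() {
    case $(php_ext_state "$1") in
        enabled)  mv "$PHP_D/$1.ini" "$PHP_D/$1.disable" ;;
        disabled) ;;
        *)        echo "php_ext_disable: no config for $1 in $PHP_D" >&2; return 1 ;;
    esac
}

# php_ext_enable NAME -> NAME.disable becomes NAME.ini again
php_ext_enable() {
    case $(php_ext_state "$1") in
        disabled) mv "$PHP_D/$1.disable" "$PHP_D/$1.ini" ;;
        enabled)  ;;
        *)        echo "php_ext_enable: no config for $1 in $PHP_D" >&2; return 1 ;;
    esac
}

# php_ext_keep_only NAME... -> disable every extension not named, i.e. the
# "only enable what your webapps require" rule applied in one step.
php_ext_keep_only() {
    for _ini in "$PHP_D"/*.ini; do
        [ -f "$_ini" ] || continue
        _name=$(basename "$_ini" .ini)
        _keep=0
        for _want in "$@"; do
            if [ "$_want" = "$_name" ]; then _keep=1; fi
        done
        if [ "$_keep" -eq 0 ]; then php_ext_disable "$_name"; fi
    done
}

# php_ext_list -> "NAME state" for every extension config present, sorted
php_ext_list() {
    for _f in "$PHP_D"/*.ini "$PHP_D"/*.disable; do
        [ -f "$_f" ] || continue
        _name=${_f##*/}; _name=${_name%.*}
        printf '%s %s\n' "$_name" "$(php_ext_state "$_name")"
    done | sort
}

# Stand-alone run: show what is loaded from $PHP_D on this host.
php_ext_list
```

Disabling an extension a deployed application needs produces fatal errors on the next request, so run php_ext_keep_only on the test server first and compare php -m output before and after.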
5: Log All PHP Errors
Do not expose PHP error messages to all site visitors; they leak file paths, query fragments and library versions. Log them to a file instead. Edit /etc/php.d/security.ini and set the following directives:
display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
6: Disallow Uploading Files
Turn HTTP file uploads off unless your application needs them. Edit /etc/php.d/security.ini and set the following directive:
file_uploads=Off
If users of your application need to upload files, turn the feature on and cap the size of each uploaded file:
file_uploads=On
; users can upload at most 1MB per file
upload_max_filesize=1M
7: Turn Off Remote Code Execution
With allow_url_fopen enabled, PHP's file functions such as file_get_contents() can retrieve data from remote locations, like an FTP or HTTP site, and with allow_url_include enabled the include / require statements can do the same. Programmers frequently forget this and pass user-provided data to these functions without proper input filtering, which turns a simple file read into remote code inclusion. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by this combination of remote URL support and bad input filtering. Disable the option. Edit /etc/php.d/security.ini and set the following directive:
allow_url_fopen=Off
Note that this also breaks legitimate outbound fetches such as file_get_contents('http://...'); applications that need them should use the curl extension instead. I also recommend disabling allow_url_include explicitly (it is Off by default since PHP 5.2 and only works when allow_url_fopen is On, but make it explicit):
allow_url_include=Off
8: Enable SQL Safe Mode
Turn SQL safe mode on. Edit /etc/php.d/security.ini and set the following directive:
sql.safe_mode=On
If turned On, mysql_connect() and mysql_pconnect() ignore any arguments passed to them and connect with the configured defaults instead. This affects only the legacy mysql extension (mysqli and PDO ignore it), so you may have to make changes to your code, and third party and open source applications such as WordPress may not work at all with sql.safe_mode set to On. The directive was removed together with ext/mysql in PHP 7.0. I also recommend turning off magic_quotes_gpc for all PHP 5.3.x installations; it gives a false sense of protection against SQL injection and was removed in PHP 5.4:
magic_quotes_gpc=Off
9: Control POST Size
The HTTP POST request method is used when the client (browser or user) sends data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Oversized POST bodies can be abused to exhaust memory or crash the server. Edit /etc/php.d/security.ini and set the following directive:
post_max_size=1K
This sets the maximum size of POST data PHP will accept; pick the smallest value your forms actually need (1K suits a site with tiny forms and no uploads). The setting also affects file uploads: to accept uploads, post_max_size must be larger than upload_max_filesize. I also suggest limiting the available HTTP methods in the Apache web server. Edit httpd.conf and set the following directive for DocumentRoot /var/www/html (Apache 2.2 syntax; on Apache 2.4 use Require all denied inside the LimitExcept block):
<Directory /var/www/html>
<LimitExcept GET POST>
Order allow,deny
</LimitExcept>
# Add rest of the config here...
</Directory>
10: Resource Control
You can set the maximum execution time of each PHP script, in seconds. Also recommended: cap the time a script may spend parsing request data and the amount of memory a script may consume, so that a single runaway or malicious request cannot exhaust the server. Edit /etc/php.d/security.ini and set the following directives:
; set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
11: Install Suhosin Advanced Protection System for PHP
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities; the second part is a powerful PHP extension that implements all the other protections (including the ability to disable eval(), which disable_functions cannot do). Note that Suhosin targets PHP 5.x; there is no stable release for later versions.
12: Disable Dangerous PHP Functions
PHP has a lot of functions that can be used to compromise your server if not used properly, above all the ones that run operating system commands (exec, passthru, shell_exec, system, proc_open, popen) and the ones that reveal source code (show_source, highlight_file). List the functions your applications do not need in /etc/php.d/security.ini using the disable_functions directive (a comma separated list). Remember that eval() is a language construct and cannot be disabled this way.
13: Limit PHP Access To CGI
PHP can be run using FastCGI or plain CGI. The configuration directive cgi.force_redirect prevents anyone from calling the php-cgi binary directly with a URL like http://www.cyberciti.biz/cgi-bin/php/hackerdir/backdoor.php, which would bypass the web server's access controls for the script being executed. Turn on cgi.force_redirect for security reasons (it is the default, and it only applies to CGI/FastCGI installations, not to mod_php). Edit /etc/php.d/security.ini and set the following directive:
cgi.force_redirect=On
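Sections 3 through 13 all boil down to directives in /etc/php.d/security.ini, and the easiest way to lose one is a later assignment in another .ini file or a typo in the value. The script below is an added example, not part of the article: it reads a php.ini-style file the way PHP does (last assignment wins, ";" comments ignored, booleans accepted as On/1/True/Yes) and reports every directive that deviates from the recommendations above. INI_FILE defaults to the article's /etc/php.d/security.ini; the file contents in the test are constructed. It audits the file as written; php -i shows the effective runtime value, which also depends on php.ini itself and any per-vhost php_admin_value settings.

```shell
#!/bin/sh
# Added example (not from the article): audit a php.ini-style file for the
# directives recommended in sections 3 to 13. INI_FILE defaults to the
# article's /etc/php.d/security.ini; any other file can be passed in.
INI_FILE="${INI_FILE:-/etc/php.d/security.ini}"

# php_ini_get FILE KEY -> effective value of KEY in FILE (last assignment wins,
# as in PHP), with ";" comments, surrounding quotes and whitespace removed.
# Prints nothing when the directive is not set.
php_ini_get() {
    _k=$(printf '%s' "$2" | sed 's/\./\\./g')          # "sql.safe_mode": dot is literal
    sed -n -e 's/[[:space:]]*;.*$//' \
           -e "s/^[[:space:]]*${_k}[[:space:]]*=[[:space:]]*//p" "$1" \
      | tail -n 1 \
      | sed -e "s/^[\"']//" -e "s/[\"'][[:space:]]*$//" -e 's/[[:space:]]*$//'
}

# php_ini_bool VALUE -> "on" or "off", using PHP's reading of boolean
# directives (1/On/True/Yes are true; anything else, including unset, is false).
php_ini_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|on|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# php_ini_audit FILE -> writes one "FAIL <key>: ..." line per deviation to
# stderr and prints the number of failures on stdout (0 means hardened).
php_ini_audit() {
    _f=$1; _fails=0
    # Boolean directives and the value the article recommends. file_uploads is
    # listed as Off; drop it from the list if your application needs uploads.
    for _pair in expose_php=off display_errors=off file_uploads=off \
                 allow_url_fopen=off allow_url_include=off sql.safe_mode=on \
                 magic_quotes_gpc=off cgi.force_redirect=on; do
        _key=${_pair%=*}; _want=${_pair#*=}
        _got=$(php_ini_bool "$(php_ini_get "$_f" "$_key")")
        if [ "$_got" != "$_want" ]; then
            echo "FAIL $_key: is $_got, want $_want" >&2
            _fails=$((_fails + 1))
        fi
    done
    # Directives that must be present with some value; the right value is site specific.
    for _key in open_basedir disable_functions error_log post_max_size \
                upload_max_filesize memory_limit max_execution_time; do
        if [ -z "$(php_ini_get "$_f" "$_key")" ]; then
            echo "FAIL $_key: not set" >&2
            _fails=$((_fails + 1))
        fi
    done
    echo "$_fails"
}

# Stand-alone run: audit the real file when present.
if [ -r "$INI_FILE" ]; then
    echo "$INI_FILE: $(php_ini_audit "$INI_FILE") directive(s) need attention"
else
    echo "no $INI_FILE on this host; point INI_FILE at another file" >&2
fi
```

Run it after every PHP package update as well: vendor updates can drop a new .ini into /etc/php.d that re-enables something you turned off.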
14: PHP User and Group ID
PHP can run as a standalone FastCGI server, and mod_fastcgi is the Apache module that connects to it. Make sure PHP runs as a non-root user. If PHP is executing as a CGI, use a method of executing CGIs as a non-privileged user such as Apache's suEXEC or mod_suPHP. In this example, php-cgi should be running as the phpcgi user; confirm with: # ps aux | grep php-cgi
You can use a tool such as spawn-fcgi to start the PHP server as the phpcgi user (first, add the phpcgi user to the system): # spawn-fcgi -a 127.0.0.1 -p 9000 -u phpcgi -g phpcgi -f /usr/bin/php-cgi
You can then configure Apache, Lighttpd or Nginx to pass PHP requests to 127.0.0.1 port 9000. Keep the listener bound to 127.0.0.1 (or use a Unix socket): FastCGI has no authentication, so a port reachable from the network lets anyone on it execute PHP scripts as that user.
NOTE: If you're using the Apache module (mod_php), PHP runs with Apache's own user and group.
15: Limit PHP Access To File System
The open_basedir directive sets the directories from which PHP is allowed to access files using functions like fopen() and others. If a file is outside the paths defined by open_basedir, PHP will refuse to open it, and a symbolic link cannot be used as a workaround. The check is a prefix match, so the trailing slash matters: "/var/www/html" would also allow "/var/www/html_backup". For example, to allow access to the /var/www/html directory only, and not to /var/www or /tmp:
open_basedir="/var/www/html/"
; Multiple dirs can be set as follows
; open_basedir="/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
16: Session Path
Session support in PHP preserves certain data across subsequent accesses, which lets you build more customized applications. All data related to a particular session is stored in a file in the directory specified by the session.save_path option in /etc/php.ini. The default is as follows under RHEL/CentOS/Fedora Linux:
session.save_path="/var/lib/php/session"
; Set the temporary directory used for storing files when doing file upload
upload_tmp_dir="/var/lib/php/session"
Make sure both paths are outside /var/www/html and not readable or writable by other system users (on RHEL the packaged directory is owned root:apache with mode 0770); session files contain whatever your application stores in $_SESSION, often enough to hijack a login. Check ownership, permissions and the SELinux context with: # ls -lZ /var/lib/php/
17: Keep PHP Up to Date
Keep PHP, Apache, MySQL and the operating system patched; most of the hardening above is moot against a known, already fixed flaw in PHP itself. Note: check php.net for the most recent release if you run source code installations.
18: Restrict File and Directory Access
Make sure you run Apache as a non-root user such as apache or www. All files and directories under /var/www/html should be owned by the root user: # chown -R root:root /var/www/html/
Make sure file permissions are set to 0444 under /var/www/html/: # chmod -R 0444 /var/www/html/
Make sure all directory permissions are set to 0555 under /var/www/html/ (directories need the execute/search bit for the web server to traverse them, so they cannot be 0444 like the files): # find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0555 {}
Make sure httpd.conf has the following directives for restrictive configuration:
<Directory / >
Options None
AllowOverride None
Order allow,deny
</Directory>
You should only grant write access where required. Some web applications such as WordPress need writable cache or upload directories. Grant write access to those directories only, and prefer giving them to the Apache user (chown apache) over making them world-writable: # chmod a+w /var/www/html/blog/wp-content/cache
### block access to all ###
# echo 'deny from all' > /var/www/html/blog/wp-content/cache/.htaccess
Note that the AllowOverride None above makes Apache ignore .htaccess files, so this one has no effect unless you either set AllowOverride Limit for that directory or put the same Deny from all in a <Directory /var/www/html/blog/wp-content/cache> block in httpd.conf. Denying direct access matters because a writable directory that is also served is exactly where an uploaded backdoor gets executed.
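The chown, chmod and find commands above are the kind of thing that gets run once and then drifts as the application writes files. The script below is an added example, not the article's own: it applies the section 18 layout (root-owned, files 0444, directories 0555) to a document root, re-opens only the listed exception directories (such as the WordPress cache) for the web server user, and then audits the tree for anything group- or world-writable and for everything the web user can still write. ROOT, OWNER and WEBUSER are parameters so it can be exercised on a scratch directory; on the article's host they are /var/www/html, root:root and apache.

```shell
#!/bin/sh
# Added example (not from the article): apply the section 18 layout to a
# document root and verify it. ROOT, OWNER and WEBUSER are parameters so the
# functions can be exercised on a scratch directory; on the article's host
# they are /var/www/html, root:root and apache.

# harden_docroot ROOT OWNER WEBUSER [WRITABLE_DIR...]
#   Everything under ROOT becomes OWNER, files 0444, directories 0555 (read
#   and search, never write). The listed directories are then handed to
#   WEBUSER with 0755/0644 so the application can write only there.
harden_docroot() {
    _root=$1; _owner=$2; _web=$3; shift 3
    chown -R "$_owner" "$_root"
    find "$_root" -type f -exec chmod 0444 {} +
    find "$_root" -type d -exec chmod 0555 {} +
    for _d in "$@"; do
        chown -R "$_web" "$_d"
        find "$_d" -type d -exec chmod 0755 {} +
        find "$_d" -type f -exec chmod 0644 {} +
    done
}

# audit_group_other_writable ROOT -> paths writable by group or others.
# Should print nothing: world-writable directories are where backdoors land.
audit_group_other_writable() { find "$1" -perm /022 -print | sort; }

# audit_writable_by ROOT USER -> paths USER owns and may write; should list
# only the intended exceptions (cache and upload directories and their files).
audit_writable_by() { find "$1" -user "$2" -perm -u=w -print | sort; }

# Stand-alone demo on a scratch tree (nothing on the real system is touched).
demo_harden() {
    _t=$(mktemp -d); _me=$(id -un)
    mkdir -p "$_t/html/blog/wp-content/cache"
    printf '<?php echo 1;\n' > "$_t/html/index.php"
    printf 'cached\n' > "$_t/html/blog/wp-content/cache/page.html"
    chmod 0777 "$_t/html/blog"            # deliberately sloppy starting state
    harden_docroot "$_t/html" "$_me" "$_me" "$_t/html/blog/wp-content/cache"
    echo "group/other writable (expect nothing):"; audit_group_other_writable "$_t/html"
    echo "writable by $_me (expect only the cache dir and its file):"
    audit_writable_by "$_t/html" "$_me"
    chmod -R u+w "$_t" && rm -rf "$_t"
}
demo_harden
```

Run audit_group_other_writable from cron against the real document root; a non-empty result after deployment is either a sloppy upload or an intruder's working directory.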
19: Write Protect Apache, PHP, and MySQL Configuration Files
Use the chattr command to make configuration files immutable, so that even root (and therefore an attacker who has escalated to root) cannot modify them without first removing the attribute: # chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.cnf
# chattr +i /etc/httpd/conf/httpd.conf
Do not set the attribute on the /etc/ directory itself: it stops new files being created there and breaks passwd, useradd and package updates. Remember to run chattr -i before editing or updating a protected file; yum updates of the php, httpd and mysql packages will fail otherwise.
#20: Use Linux Security Extensions (such as SELinux)
Linux comes with various security modules that can be used to guard against misconfigured or compromised programs. If possible, use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for the Linux kernel and the Apache web server. To list all Apache SELinux booleans, enter: # getsebool -a | grep httpd
Sample outputs:
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
To disable CGI support, enter: # setsebool -P httpd_enable_cgi off
Keep httpd_can_network_connect, httpd_can_sendmail and httpd_enable_homedirs off unless your application needs them; each one widens what a compromised PHP process may do (the first is what lets a backdoor phone home). Note also that httpd_unified is on in the output above: turning it off makes SELinux distinguish read-only web content from the few writable directories (httpd_sys_rw_content_t), which complements the file permissions in #18. See the Red Hat SELinux guide for more information.
21: Install mod_security
mod_security is a web application firewall module for Apache that inspects requests before they reach PHP. The SecFilter directives below are the ModSecurity 1.x syntax (2.x uses SecRule); treat the SQL patterns as an illustration, since a rule like "select.+from" also matches legitimate text and needs tuning against your application's traffic.
## A few Examples ##
# Do not allow to open files in /etc/
SecFilter /etc/
# Stop SQL injection
SecFilter "delete[[:space:]]+from"
SecFilter "select.+from"
22: Run Apache / PHP In a Chroot Jail If Possible
Putting PHP and/or Apache in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use a traditional chroot setup with Apache (mod_chroot, or the ChrootDir directive available since Apache 2.2.10). If possible, go further and use FreeBSD jails or OpenVZ containers, or full virtualization such as Xen or KVM, so that a compromised web server has no view of the rest of the host at all.
23: Use a Firewall To Restrict Outgoing Connections
After a break-in the attacker usually pulls further tools onto your web server with wget or curl, or opens a reverse connection back out. Use iptables to block outgoing connections from the Apache user. The owner match (ipt_owner, xt_owner on newer kernels) matches characteristics of the process that created a locally generated packet, so it is only valid in the OUTPUT chain. In this example, the vivek user is allowed to connect outside on port 80 (useful for RHN or CentOS repository access):
/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Here is another example that blocks all outgoing connections from the apache user except to our own SMTP server and to a spam validation API service. Note that nothing below allows DNS, so destinations must be given as IP addresses, or you must add a rule for UDP port 53 to your resolver:
# ....
/sbin/iptables --new-chain apache_user
/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append OUTPUT -m owner --uid-owner apache -j apache_user
# allow apache user to connect to our smtp server
/sbin/iptables --append apache_user -p tcp --syn -d 192.168.1.100 --dport 25 -j RETURN
# Allow apache user to connect to api server for spam validation
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.62 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 66.135.58.61 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.89 --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d 72.233.69.88 --dport 80 -j RETURN
#########################
## Add more rules here ##
#########################
# No editing below
# Drop everything else the apache user tries to send out
/sbin/iptables --append apache_user -j REJECT
24: Watch Your Logs & Auditing
Check the Apache log files: # tail -f /var/log/httpd/error_log
# grep 'login.php' /var/log/httpd/error_log
# egrep -i "denied|error|warn" /var/log/httpd/error_log
Check the PHP log file: # tail -f /var/log/httpd/php_scripts_error.log
# grep -F '../etc/passwd' /var/log/httpd/php_scripts_error.log
Log files give you some understanding of what attacks are being thrown against the server and let you check whether the necessary level of security is present. Probes such as directory traversal, remote file inclusion attempts and requests for known shell names show up in the access log (/var/log/httpd/access_log) as well as in error_log, so search both. The auditd service is provided for system auditing; turn it on to record SELinux events, authentication events, file modifications, account modifications and so on. I also recommend using standard "Linux System Monitoring Tools" for monitoring your web server.
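The grep commands above each catch one thing. The following is an added example, not code from the article: a small triage filter that classifies Apache access-log requests as traversal/LFI, remote file inclusion, webshell use or a direct php-cgi call (the case cgi.force_redirect guards against), counts them, and ranks the source addresses. The log lines are constructed for the demo and include a benign request containing "passwd" to show that the patterns key on the request path, not on a word; on RHEL the real file is /var/log/httpd/access_log, which the functions read from standard input.

```shell
#!/bin/sh
# Added example (not from the article): a triage filter for the section 24 log
# checks, applied to Apache access-log lines rather than error_log. The log
# lines below are constructed for this demo; on RHEL the real file is
# /var/log/httpd/access_log and the functions read it from standard input,
# e.g.  scan_access_log < /var/log/httpd/access_log
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2012:10:01:03 +0000] "GET /blog/wp-content/themes/x/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2012:10:02:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1200 "-" "curl/7.19"
198.51.100.7 - - [12/Mar/2012:10:02:11 +0000] "GET /index.php?page=http://198.51.100.7/r57.txt? HTTP/1.1" 200 320 "-" "curl/7.19"
198.51.100.7 - - [12/Mar/2012:10:02:15 +0000] "POST /images/c99.php?act=cmd HTTP/1.1" 200 9000 "-" "curl/7.19"
203.0.113.9 - - [12/Mar/2012:10:03:00 +0000] "GET /cgi-bin/php/hackerdir/backdoor.php HTTP/1.1" 404 210 "-" "python-requests"
10.0.0.6 - - [12/Mar/2012:10:04:00 +0000] "GET /search.php?q=passwd+reset HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
EOF
)

# classify_request LOGLINE -> lfi | rfi | webshell | cgi-direct, or nothing
# for an unremarkable request. Only the quoted request field is inspected,
# so a referrer or user agent containing these strings does not trigger it.
classify_request() {
    _req=$(printf '%s\n' "$1" | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p')
    case "$_req" in
        *"../"*|*"/etc/passwd"*|*%2e%2e*|*%2E%2E*)           echo lfi ;;
        *"=http://"*|*"=https://"*|*"=ftp://"*|*"=http%3A"*)  echo rfi ;;
        *c99*|*r57*|*"?cmd="*|*"&cmd="*)                     echo webshell ;;
        *"/cgi-bin/php"*)                                    echo cgi-direct ;;
    esac
}

# scan_access_log (stdin) -> "tag<TAB>original line" for every flagged request
scan_access_log() {
    while IFS= read -r _line; do
        _tag=$(classify_request "$_line")
        if [ -n "$_tag" ]; then printf '%s\t%s\n' "$_tag" "$_line"; fi
    done
}

# count_suspicious (stdin) -> number of flagged requests
count_suspicious() { scan_access_log | wc -l | tr -d ' '; }

# top_sources (stdin) -> "count ip" for flagged requests, busiest first:
# the candidates for a firewall block or a closer look at what they fetched.
top_sources() {
    scan_access_log | cut -f2 | cut -d' ' -f1 | sort | uniq -c | sort -rn \
      | sed 's/^[[:space:]]*//'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | scan_access_log
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

A 200 status on a traversal or inclusion request (as in the third and fourth sample lines) is the line to chase first: it means the application answered rather than rejected it.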
25: Run Service Per System or VM Instance
For large installations it is recommended that you serve static and dynamic content from different servers.
Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised: if an attacker successfully exploits a flaw in Apache, he or she gets access to the entire server, including other services such as MySQL or the e-mail server, whenever they share a host. In the layout below, content is served as follows:
static.lan.cyberciti.biz - Lighttpd or nginx for static assets such as js/css/images.
phpcgi1.lan.cyberciti.biz and phpcgi2.lan.cyberciti.biz - Apache servers with PHP, used for generating dynamic content.
mysql1.lan.cyberciti.biz - Database server.
mcache1.lan.cyberciti.biz - Memcached server, a very fast in-memory cache used in front of MySQL. It uses libevent (epoll on Linux) to scale to a large number of open connections with non-blocking network I/O. Like FastCGI, it has no authentication, so bind it to the internal network only.
LB01 - An nginx web and reverse proxy server in front of the Apache web servers. All connections coming from the Internet addressed to one of the web servers are routed through the nginx proxy, which either serves the request itself or passes it wholly or partially to the backend web servers.
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured and fast security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters malicious input; it recognizes when an attacker tries to break your site and reacts in exactly the way you configure it to.
You can use PHPIDS to detect malicious users and log any attacks detected for later review. Please note that I have personally not used this tool.
PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment and offers suggestions for improvement. It is not a replacement for secure development techniques and does not do any kind of code or application auditing, but it is a useful tool in a multilayered security approach.
You may come across PHP scripts known as common backdoors, such as c99, c99madshell, r57 and so on. A backdoor PHP script is nothing but a hidden script for bypassing all authentication and accessing your server on demand. It is installed by an attacker to reach your server while remaining undetected. Typically a flaw in a PHP (or other CGI) script, such as an unrestricted file upload or a remote file inclusion, lets the attacker place the backdoor shell on the server, after which it gives him or her a number of capabilities such as:
Download files
Upload files
Install rootkits
Set a spam mail servers / relay server
Set a proxy server to hide tracks
Take control of server
Take control of database server
Steal all information
Open TCP / UDP ports and much more
Tip: How Do I Search For PHP Backdoors?
Use the Unix / Linux grep command to search for the c99 or r57 shell: # grep -iR 'c99' /var/www/html/
# grep -iR 'r57' /var/www/html/
# find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99
# grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/
Expect noise from the last command: fopen() and fclose() appear in ordinary code. Look instead for files that combine several of these calls, for eval() wrapped around base64_decode() or gzinflate(), and for PHP files that were recently modified or sit in upload and image directories where no PHP belongs.
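One way to turn those greps into something with a usable signal-to-noise ratio, as an added example that is not the article's own code: score each PHP file by how many distinct suspicious constructs it contains (command execution, eval/assert, base64/gzinflate/str_rot13 obfuscation, user input called as a function, preg_replace with the /e modifier, and the c99/r57 names), report only files above a threshold, and list recently changed PHP files. The three sample files it writes are constructed for the demo; the planted loader's payload decodes to a harmless echo and is never executed. On a real host, run scan_tree and recently_changed against /var/www/html.

```shell
#!/bin/sh
# Added example (not from the article): a scoring version of the grep searches
# above. Every .php file earns one point per kind of suspicious construct, and
# only files at or above a threshold are reported, which removes the noise that
# fopen()/fclose() hits produce in ordinary code. The sample files are
# constructed for this demo; run scan_tree against /var/www/html on a real host.

# score_file FILE -> number of distinct suspicious constructs in FILE
score_file() {
    _n=0
    for _p in \
        '(^|[^a-zA-Z0-9_])(eval|assert)[[:space:]]*\(' \
        '(^|[^a-zA-Z0-9_])(passthru|shell_exec|system|exec|popen|proc_open)[[:space:]]*\(' \
        'base64_decode[[:space:]]*\(' \
        '(gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        '\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        'preg_replace[[:space:]]*\(.[^,]*/[a-z]*e[a-z]*.,' \
        '(^|[^a-zA-Z0-9])(c99|r57)'
    do
        if grep -qiE -- "$_p" "$1"; then _n=$((_n + 1)); fi
    done
    echo "$_n"
}

# scan_tree DIR [THRESHOLD] -> "score<TAB>path" for every .php file scoring
# at least THRESHOLD (default 2), highest score first
scan_tree() {
    _dir=$1; _threshold=${2:-2}
    find "$_dir" -type f -name '*.php' -print | while IFS= read -r _f; do
        _s=$(score_file "$_f")
        if [ "$_s" -ge "$_threshold" ]; then printf '%s\t%s\n' "$_s" "$_f"; fi
    done | sort -rn
}

# recently_changed DIR DAYS -> .php files modified in the last DAYS days; a
# backdoor dropped after deployment usually stands out here
recently_changed() { find "$1" -type f -name '*.php' -mtime "-$2" -print | sort; }

# write_samples DIR -> a tiny constructed web tree: clean code, a legitimate
# base64_decode() user, and a planted c99-style loader whose payload decodes
# to a harmless echo (nothing here is ever executed by this script)
write_samples() {
    mkdir -p "$1/images"
    cat > "$1/clean.php" <<'EOF'
<?php
// ordinary application code: file handling and a normal regex
$fh = fopen('/var/www/data/list.txt', 'r');
$line = fgets($fh);
fclose($fh);
$id = (int) $_GET['id'];
echo preg_replace('/\s+/', ' ', $line);
EOF
    cat > "$1/token.php" <<'EOF'
<?php
// one legitimate base64_decode(): scores 1, below the default threshold
$token = base64_decode($_POST['token']);
echo strlen($token);
EOF
    cat > "$1/images/cache.php" <<'EOF'
<?php
/* c99shell-style loader, constructed for the scanner demo */
$blob = 'ZWNobyAnc2FtcGxlJzs=';          // base64 of: echo 'sample';
eval(base64_decode($blob));               // the classic hidden-code construct
$payload = @gzinflate(base64_decode($blob));
EOF
}

# Stand-alone demo on a scratch tree
_demo=$(mktemp -d)
write_samples "$_demo"
echo "files scoring >= 2 (score, path):"
scan_tree "$_demo"
echo "php files changed in the last day:"
recently_changed "$_demo" 1
rm -rf "$_demo"
```

A file in an images or upload directory with any score at all deserves a look regardless of threshold: the location alone is wrong, which is why section 18 denies direct access to such directories.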
Conclusion
Your PHP based server is now properly hardened and ready to serve dynamic web pages. However, most vulnerabilities are caused by not following best practice programming rules. You should consult further resources for your web application security needs, especially PHP programming, which is beyond the scope of sysadmin work.
PHP Security Guide: This guide aims to familiarise you with some of the basic concepts of online security and teach you how to write more secure PHP scripts. It is aimed squarely at beginners, but I hope that it still has something to offer more advanced users.
Essential PHP Security (Kindle edition): A book about web application security written specifically for PHP developers. It covers 30 of the most common and dangerous exploits as well as simple and effective safeguards that protect your PHP applications.
SQL Injection Attacks and Defense: This book covers SQL injection and related web attacks. It explains what SQL injection is, how to find, confirm and automate its discovery, and gives tips and tricks for finding SQL injection within code. It shows how exploits are built with SQL injection and how to design code that avoids the dangers of these attacks.