This might be a stupid question but I need to explore every option and can't gleam much from google on this one. Hope this is not too conversational.
I'm considering options to secure my php/mysql based admin system. One thing i've thought about is ip whitelisting with .htacess and only allowing my client access:
allow from xx.xx.xx.xxx
But I'm wondering if another method might be to not have the admin system installed online at all. Would it be possible to run the admin php locally (using wamp) and then have it connect to a live database?
Is this crazy?
Can I assume that your application is not hosted at your client's? Because if it is, then you can simply put the real application in a DMZ facing the internet and the admin application in the intranet without access from the internet.
If the application is not hosted at your client's, then your IP-based approach looks good. But you should not rely solely on the IP protection as an authentication mechanism, you should also secure the admin application with a login form asking for username and password. If you want to be super carefull, you could consider using two-factor authentication (token or Google Authenticator).
As jraede already pointed out, a local install with a remote database would be a pain in the butt to maintain. Also (and foremostly) a remote database would imply that you need the database to be accessible from the internet. That should be a security no-go if you can avoid it.
Related
I am trying to secure a PHP web application which runs out of a WAMP-style local installation.
Currently, passwords for the app's database are just in the .php files. I thought about encrypting them, but any person can just step through the code to decrypt them pretty easily.
This does not run on a web server, it runs on the user's PC. Has anyone here attempted to secure this type of application, and perhaps shipped a compiled program to return the passwords, or perhaps used an external keystore somehow?
Your thoughts are appreciated.
Clarification: The database is also on the local PC.
There are a LOT of very robust external authentication providers out there. Firebase and OAuth to name a few. Technically speaking, no system is 100% hack-proof, but Firebase and OAuth provide would-be hackers a tough road to success
You can use ENV variable in that case make .env file and store password in that and call the same in application.
You can create environment variable in Apache config file and call from there in your application this is more secure.
There is no way to protect a database connection credentials if you are giving the client / user the source code. Basically if your app can access it and the source code is there for them to use, read, parse then they have the same access as the software does.
Say, I want to have code and db backups? Where should I store them so that if a hacker hacked my site and have access to php and mysql I could restore them. Local server does not fit. Considering third-party services (DB, Google drive) a hacker would have success to them in case he hackes a server. If you could suggest where to store third-party API credential so that a hacker could not access them I would appreciate that.
But beside that is there a way to make and store backups by a server in a safe place (so that hacker could not get them)? As I see the only way is to make backups by outer services: from another server. I could do it from my computer. But it is a wrong solution. After I finished a project I should not have access to it. And in general It is not the best solution to rely on my computer at all.
I could not find anything worth in the internet. Is there a way to securely manage backups only from a (one) working server?
Can anyone share me any idea (free) that I can make my Laravel Application (costumer website) usable to only single IP or domain?
After I host the application into my client's end, I want my code to be secured from being used again for other projects.
I want to prevent my client from re-publish my code
for example: remote confirmed from my web service for Client IP (costumer website)
After I host the application into my client's end, I want my code to be secured from being used again for other projects.
What you're looking for is a legal protection, not a technological one.
This is related to the "problem" of client authenticity in that you cannot generally control the contents of the computer that's communicating with you. Any copy-protection mechanisms you install will be trivially bypassed. (I work with cryptography; I've seen a lot of attempts to be clever, and none of them have ever stopped me from bypassing or disabling them.)
Can anyone share me any idea (free) that I can make my Laravel Application (costumer website) usable to only single IP or domain?
The way that's worded sounds like you're asking StackOverflow to give you free work (or point you to a free alternative to snakeoil solutions like ionCube) which is not what this website is for.
I'm developing an enterprise cloud application and am addressing the security issues that I will face when using the PHP LDAP library to connect to customer networks to retrieve user objects.
Firstly there's the issue that my clients will have to open up their network to my webservers which, to many, is a huge security risk. Most would even say no to creating firewall rules allowing LDAP queries from my public IPs only.
Secondly the connection would have to remain available at all times so that my application can poll and detect new, disabled and deleted user objects. This further increases the risk factor for my clients.
The third issue is ensuring I only receive read rights to my clients AD server - how can I ensure that my clients do not accidentally give us write access to their AD? Can I, with PHP, query the permissions of the domain account provided and, if write is included, refuse to accept/store the credentials?
Does anyone have any better suggestions? I can establish an API on my end to listen for and accept instructions from a script my clients can host but that's a pain in the ass - definitely fixes up the security issues though.
There are so many ways of connecting to an LDAP server but not many articles about the best way of synchronising with an LDAP server in a private network from a server on the public network.
Advice desperately needed :)
Thank you!
Too many vauge statements, but here is a try.
The third issue is ensuring I only receive read rights to my clients
AD server - how can I ensure that my clients do not accidentally give
us write access to their AD? Can I, with PHP, query the permissions
of the domain account provided and, if write is included, refuse to
accept/store the credentials?
Sure, why not. But you may have rights to your entry but not others.
Does anyone have any better suggestions?
I could not even imagine getting access to any, and certainly not large, organizations LDAP over the Internet. Even if it were secure as an API. You really need an API interface like OAuth or OpenID Connect.
I used to work for a bank, that had a very cool feature in it's intranet. Once you logged in your computer, there were global variables set in PHP through Apache, and they contained the identity of the user that was logged on on the computer. Now I'm at a new job, and I'm wondering, how this thing worked! I would like to implement this kind of thing once again.
What I'm working with here:
FreeBSD server, version is unknown to me.
Apache 2.2 web server
PHP 5, some custom compilation, that for various reasons, I can't upgrade or modify.
MS AD
All of the users logging on to their computers are using active directory, all are in the same domain.
What I used to have was something like this:
echo $_SERVER['username']
which would print the username of the user currently logged in.
Could someone explain, how this could be done?
P.S. If any of my server settings are not what is required, say so, because then I will have a reason to ask the bosses to give me one of my own, with more control.
There's lots of ways this might be implemented. However a lot of them depend on having control over the client as well as the server.
Obvious sources of data include:
NTLM
Client side certificates
The Ident protocol (not very secure without the encryption extensions)
A long lasting cookie (again, not secure)
HTTP authentication methods
However none of these explain how the value appeared in the session - this must have been implemented within the PHP code.
So without knowing how it was implemented at your previous site we can't tell you:
Whether it was secure and correctly implemented
how to replicate the behaviour
Given your resource list, while it would be possible to implement authentication based on direct LDAP calls, passing the username and password through your application, I would strongly recommend using (e.g.) openId - but restricting the providers to just your openid provider - which would use the MSAD as the backend.
I did not understand correctly the question, so I edit my post...
you could use apache auth, you can make auth by ip's or hostnames
http://httpd.apache.org/docs/2.0/en/howto/auth.html