I'm wondering, is there a difference between having my site within /var/www or /home/myuser/public/sites? I've seen some tutorials that point to the former and others to the latter, but they didn't mention any key benefits of having it placed there. If you know some articles that explain this best, please share them with me.
Huge thanks.
The main difference that I can think of from one directory to another is if it's on a separate partition and you set different flags, such as noexec or nosuid. Apart from that, the actual directory you use doesn't matter.
However, with that said, by default a user's home directory is created within /home, so especially on something like a shared hosting server it makes sense to have the DocumentRoot as a sub-directory of the user's home directory. That allows them to easily modify the files without you having to worry about giving them permissions to leave their home directory, and thus makes it easy to "lock" them in with things such as FTP or SFTP with chroot.
There are no pros or cons sir. You have the freedom to use what you want to.
I was learning SQLite3 from here; it's really good and portable, but what if someone somehow gets to know the database file name, say test.db, and then simply downloads it?
Probably it will be more dangerous than SQL injection, as the attacker can easily get a copy of the whole database.
You can restrict .db files in your .htaccess file. To do so, add these lines to the .htaccess file located in the root:
<Files ~ "\.db$">
Order allow,deny
Deny from all
</Files>
This will result in a 403 error and will also hide it from being listed in the file list if you (probably you won't) put an index file in a directory.
Just don't keep the data file in a directory that is accessible over HTTP.
If you were using Postgresql or MySQL, you wouldn't keep the data files they used under your web root. The only relevant difference is that databases built around servers tend not to ask you where they should store their data files each time you create a new database (and just stick them somewhere in /var/ based on their default configuration). Don't keep the SQLite files public either.
The question of whether giving people an entire copy of the database is more dangerous than SQL injection is debatable. On the one hand, they get very easy access to all the data, but on the other, they can't change anything on your website.
This question is a consequence of the ubiquity of shared hosting: there is a common view that everything in a project has to go in the web server's document root. However, where possible, it is much better to have a sub-folder in the project for the document root, such as www. You then set up a custom vhost to point to this folder within your project.
That means you are free to create folders elsewhere in the project for files that simply must not be downloadable. I tend to create a folder called /data for SQLite databases.
Unfortunately, not all hosts permit this, in which case #Subhanker's .htaccess approach is a nice solution.
I have a PHP enabled site, with directory-listing turned off.
But when I used Acunetix (web vulnerability scanning software) to scan my site and other high-profile websites, it was able to list all directories & files.
I don't know why this is happening, but I have this theory: maybe the software is using English words, trying to see if a folder exists by trying names like "include/", "css/", "/images", etc. Then maybe it is able to list files that way.
Because if directory listing is off, I don't know what more there is to do.
So, I devised this plan, that if I give my folders/files difficult names like I3Nc_lude, 11css11, etc., maybe it would be difficult for the software to find the names. What do you think?
I know, I could be dead-wrong about this, and the idea might be laughable but, that is why I am asking for help.
How do you completely forbid directory listing?
Ensure all directories from the root of your site have directory listings disabled. It is typically on by default when you set up a new server.
Assuming that directory listing in your webserver is not your issue, keep in mind that any resources you have in your site: CSS files, JS sources, and of course HREFs can be traversed with little or no effort (typically a few lines of javascript). There is no way to hide anything that you've referenced. This is most likely what you are seeing reflected in the scan.
Alternatively, if you use SVN or other version control systems to deploy your site, often these can be used to determine the path of every file in your codebase.
Probably the most common mistake people make when first creating sites is that they keep all their files in the webroot, and it becomes somewhat trivial to figure out where things are.
IMHO the best approach is have your code in a separate directory outside the webroot, and then load it as needed (this is how most MVC frameworks work). You can control entirely then what can and can not be accessed via the web. You can have 100s of classes in a directory and as long as they are not in the webroot, no one will ever be able to see them, even if directory listing were to become enabled.
The checkers aren't using some kind of language-based brute force attack, that would be far too costly and invasive even for the most inept hacker. Your internet file sharing service (Apache, IIS, whatever) is serving up the structure to anyone who asks.
I found this solution at - it should apply to you, I hope.
http://www.velvetblues.com/web-development-blog/dont-get-hacked-6-ways-to-secure-your-wordpress-blog/
Hide Your Directory Structure
It is also good practice to hide your directory structure. By default, many WordPress installations enable any visitors to snoop and see all files in folders lacking an index file. And while this might not seem dangerous, it really is. By enabling visitors to see what files are in each directory, they can better plot their attack.
To fix this problem, you can do one of two things:
Option 1: Use An Index File
For each directory that you want to protect, simply add an index file. A simple index.html file will suffice.
Option 2: Use An .htaccess File
The preferred way of hiding the directory structure is to use the following code in an .htaccess file.
Options -indexes
That just sounds like a nightmare to manage. Focus on securing the files the best you can with all preventative measures. Don't rely on security through obscurity. If someone wants in, some random directory names will just slow them down slightly.
I'm new to CodeIgniter. I notice that all CodeIgniter folders (cache, config, controllers, core, errors, etc.) contain an index.html file that basically says "Directory access is forbidden". Correct me if I'm wrong, but I don't think it is possible to get to any of these folders from the web based on CodeIgniter's default configuration.
What is the purpose of these index.html files? Can I just delete them, or do I leave them alone?
Thanks much.
The purpose of them is to prevent the contents of the directory from displaying if directory listing is enabled on your server. Apache servers by default have directory listing enabled.
There are several instances where given the right circumstances you might be able to attempt to browse to a folder directly. These would mainly be caused by a server which is not configured properly, or an exploit. Therefore it is really best if you just leave the index.html files alone (they aren't hurting anything, and they don't take up that much space).
I'd even go as far as to suggest that you too add an index.html file to any and all folders which you create.
They are there for fail-safes, ie. if for some reason the directory structure would get to be publicly browsable.
I can't see any reason to remove them.
If your codeigniter installation (system and app folders) is outside of your public server directory, then they're not going to help with anything since they could never be served. In that case, it doesn't matter whether they exist or not, since you could never get to their directories anyway.
I say remove them for two reasons:
1) If Apache is configured to allow directory browsing, then it doesn't matter what your index.html says. So claiming that "Directory access is forbidden" when it's really not amounts to security through obscurity, which is an undesirable security strategy.
2) I disagree with the idea that "if it's not hurting anything, just leave it alone". I've spent many an hour trying to figure out the purpose of a particular piece of code, only later to find out that it wasn't doing anything at all. Remove unused code. The inheritors of your projects will curse you less.
They are there for your security: if someone tries to access your folder on the server via your domain URL (if your server is configured in a wrong way), it will prevent you from loading those files by triggering that HTML file.
It would be safe for you to keep the file indeed.
I'm looking to centralize a lot of my web applications code, so that multiple components have access to the same core functionality. This is how I have the website set up:
/var/www/website - domain.com
/var/www/subdomain1 - subdomain1.domain.com
/var/www/subdomain2 - subdomain2.domain.com
Naturally I've had a lot of trouble when it comes to the duplication of common functionality, as any changes made to one area would also need to be applied to other areas. My proposed solution is to create a new directory in /var/www which will contain all of the core scripts:
/var/www/code - core code
I would then set the PHP include directory to /var/www/code, so scripts can include these files without having to specify the absolute path.
Can you think of any more efficient ways of centralizing the code?
Many thanks!
Your approach is good enough for this purpose.
Little suggestion:
store your front-end scripts in a directory like /var/www/website/www instead of /var/www/website. There will be the index file, ajax processors and scripts like that. But your project-based inclusions (as well as other miscellaneous stuff) would be stored in a directory like /var/www/website/includes. It is a simple yet efficient defense from hacker attacks on your inclusion files.
So, your document roots will be in /var/www/website/www (domain) and /var/www/website/subdomain/www/ (subdomain).
It seems that you are thinking correctly :
Share Code between multiple PHP sites
It's only a suggestion, but you should put the public content in /var/www/*, which may end up being publicly accessible (either because of your http server or because of some misconfiguration), and create some other directories for your shared code/libs like /usr/local/lib/php/*.
For more security you should frame it with open_basedir, adding the private and public dirs as well as the upload and session dirs.
And don't forget to version your libs, e.g.:
/usr/local/lib/php/myLib-1.0
/usr/local/lib/php/myLib-1.2
etc.
Thus, you'll be able to make changes without breaking everything.
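The layout recommended in this answer and in the earlier "code outside the webroot" answer, as an added front-controller example (not code from any of the posts). It assumes the paths /var/www/website/www, /var/www/website/includes and /usr/local/lib/php/myLib-1.2 and the route names shown; only allow-listed files are ever passed to require, so a crafted page parameter cannot reach files outside the include path.

```php
<?php
// Added example, not from the posts above. Assumed layout:
//   /var/www/website/www/index.php     <- DocumentRoot, this file
//   /var/www/website/includes/         <- project code, not web-accessible
//   /usr/local/lib/php/myLib-1.2/      <- shared, versioned library
declare(strict_types=1);

$projectRoot = dirname(__DIR__);                // /var/www/website
$libRoot     = '/usr/local/lib/php/myLib-1.2';  // pinned version (assumed path)

// Prepend the private directories so include/require resolve
// without absolute paths, as the questioner wanted.
set_include_path(implode(PATH_SEPARATOR, [
    $projectRoot . '/includes',
    $libRoot,
    get_include_path(),
]));

// Allow-list of routes: only these files are ever loaded, so a
// request like "?page=../../etc/passwd" never reaches require().
$routes = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

$page = $_GET['page'] ?? 'home';
if (!isset($routes[$page])) {
    http_response_code(404);
    exit('Not found');
}

// Resolved against the include path, i.e. /var/www/website/includes/pages/...
require $routes[$page];
```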
I am using SVN to manage a copy of my web site. The site runs a typo3 installation, which uses PHP to create the backend.
The problem is, all the stupid .SVN folders show up in the directory listing of PHP. I DO NOT mean the built-in Apache listing. I mean a directory listing created by the PHP backend.
So, is there any way to hide special directories from PHP?
[NOTE]
Changing the PHP source code is not an option. Typo3 is too big, and each extension uses its own code. It would be much more effort than an SVN export script.
Chris
PS: I do not want to setup a svn export --> web_root just to get rid of the files. And I know that I can prevent apache from serving the .SVN directories, I did that. But they still show up in the backend, when browsing the directory tree (which is created by PHP). And they are very annoying...
This is difficult, since you will have to change behavior of something somewhere between the filesystem and Typo3. You have:
Filesystem → Operating System → PHP → Typo3
The files must stay in the filesystem and must stay visible by the operating system, so you can use SVN. Changing Typo3 is not an option for you, and changing PHP has many other major undesirable consequences that you should avoid. So, what you have left is to insert something in between OS→PHP or PHP→Typo3.
The first case is actually possible, depending on what operating system you use, and if you have administrator (root) access. FUSE is part of the Linux kernel, and is also available for many other operating systems. Then, with fuse, you may install a filter like rofs-filtered, that allows you to filter which files and directories are visible in a mounted volume. You use it to create a filesystem that mirrors your SVN checkout directory, filtering the .svn directories.
So, is there any way to hide special directories from PHP?
No.
As long as the user PHP is run under has read access to the directory it will always produce all the files/directories in that directory. There is no way to hide files from certain processes, were this possible writing a root kit to hide from ls and other file system tools would be a lot easier.
The option you would want/need is a way to define files that Typo3 ignores, and have it be system wide and thus used by the extensions as well. You have specified however that you do not want to change the source code, and do not want to do svn export.
You are thus stuck with the .svn directories.
The short answer is "Not easily, simply, or sanely".
Run the website from an export of SVN, not a checkout, instead.
Try this.
<locationmatch "/.svn/">
order allow,deny
deny from all
</locationmatch>
Btw, in your loop in PHP you can do a logic check to see if the filename is not ".svn"; usually PHP directory tools do that to exclude the "." and ".." directories.
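The "logic check" this answer suggests, as an added example that is not Typo3 code: a recursive listing that drops version-control metadata directories the same way "." and ".." are dropped, so their contents are never shown or descended into. The temp-dir self-check at the bottom is constructed sample data.

```php
<?php
// Added example, not Typo3 code: a listing routine that hides VCS
// metadata directories instead of relying on the filesystem to do it.
declare(strict_types=1);

const HIDDEN_DIRS = ['.', '..', '.svn', '.git', '.hg', 'CVS'];

/**
 * Return relative paths under $base, skipping HIDDEN_DIRS entirely
 * (they are neither listed nor traversed).
 */
function listTree(string $base, string $prefix = ''): array
{
    $entries = [];
    foreach (scandir($base, SCANDIR_SORT_ASCENDING) as $name) {
        if (in_array($name, HIDDEN_DIRS, true)) {
            continue;                       // neither shown nor descended into
        }
        $path = $base . DIRECTORY_SEPARATOR . $name;
        $rel  = $prefix === '' ? $name : $prefix . '/' . $name;
        $entries[] = $rel;
        if (is_dir($path)) {
            $entries = array_merge($entries, listTree($path, $rel));
        }
    }
    return $entries;
}

// Self-check on a constructed tree in a temporary directory.
$tmp = sys_get_temp_dir() . '/listtree_' . uniqid();
foreach (['fileadmin/.svn', 'fileadmin/images', '.svn'] as $d) {
    mkdir("$tmp/$d", 0700, true);
}
touch("$tmp/fileadmin/images/logo.png");
touch("$tmp/fileadmin/.svn/entries");

print_r(listTree($tmp));
// Lists fileadmin, fileadmin/images, fileadmin/images/logo.png; nothing from .svn
```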
The problem is, all the stupid .SVN folders show up in the directory listing of PHP. I DO NOT mean the built-in Apache listing. I mean a directory listing created by the PHP backend.
What application is doing the directory listing? Have you considered looking into the code of the PHP backend and adding something to prevent the display of the .svn directories?
Just find or write a very simple application that will synchronize your current directory with a new directory that will be exposed to the Web. You could have a service that watches for changes or use something like an rsync with exclusions or what have you. This would be much simpler since, based on another question, you are on Windows.
There's an extension called np_subversion which will take care of fileadmin changes via Subversion. As a nice plus, it will hide the folders for you.
I do not want to setup a svn export --> web_root just to get rid of the files
Are you sure? That’s how SVN is designed: you check code out of SVN to work on it, and export code from SVN to deploy it. If you don’t like that, then SVN probably isn’t the right choice. As gahooa said, maybe switch to Git?
It’s a bit like saying “I want to save my Word document, but I don’t want this stupid .doc file showing up on my computer.” That’s just how the software works.
Sara Golemon's Runkit can do this. You can remap functions like glob(). However, I am not sure if it's a good idea to run it in a production server.
If you don't need the .svn folders, you can just delete them.
find . -type d -name .svn -prune -exec rm -rf {} +