I have a classifieds website...
As you might imagine, as a webmaster (administrator) I need to sometimes remove classifieds, edit them etc etc.
I have my own Linux server, with root access of course.
Currently I have a section of my website with all administrative php scripts which I use to remove classifieds, edit them etc:
/www/adm/ //Location of administrative tools
This section above is protected today by a simple authentication using apache2.conf file:
<Directory /var/www/adm>
    AuthType Basic
    AuthName "Adm"
    AuthUserFile /path/to/password
    Require user username
</Directory>
My question is, is this enough to prevent outsiders access to my administrative tools?
Because it would be devastating if somebody with the wrong intentions got their hands on these tools. They would be able to delete all records from my databases... I do have backups, but it would mean tons of work...
What is usually done in cases like this?
Only thing I can think of is upload the administrative scripts whenever I plan on using them, and then remove them from the server after using them.
Other information which may help you decide what solution I should use:
I manage the website and server from only one and same computer
The IP address of that computer is dynamic
I use secure ftp transfers of files to server
The administrative tools are PHP codes which communicate with the databases
I have IPTables firewall setup to only allow connections to database from my own server/website.
I backup all files every day
Thanks
If anybody else has shell access to the server, you should be very careful with permissions.
Otherwise, basic Apache auth is OK, but keep in mind that if you are using an unencrypted connection (not SSL), your password is sent as clear text across the web, so there's always the possibility of it being sniffed.
To enable SSL you need:
mod_ssl enabled on your apache
a self-signed (free) certificate
Change your apache configuration to include SSL port
You can refer to this tutorial on how to enable SSL on Debian.
A better option, on top of the usual password protection, IP restrictions, SSL, etc... is to host the tools on a completely separate domain. Someone might guess that you have example.com/admin and try to brute force their way in, but hosting a simple login page on somecompletelydifferentdomain.com with no branding/markings to relate it to example.com is a better defence yet.
Apache auth can also restrict by IP address, so if you have a static IP, using that and a password should be pretty safe. I would also use AuthDigestFile instead of AuthUserFile if you're worried about attacks.
This page explains it well:
Unlike basic authentication, digest authentication always sends the password from the client browser to the server as an MD5 encrypted string making it impossible for a packet sniffer to see the raw password.
If you must have direct remote access to the administrative tools, find an out-of-band way to prevent the web server from running them at all when they're not needed. You might, for example, do a chmod 000 /var/www/adm under normal circumstances, change it to something usable (say, 500) when you need to use them and back to 000 when you're done.
Better would be to secure the entire path between you and the administrative tools:
Use port knocking to enable SSH on some port other than 22 (e.g., 2222).
Lock down the sshd on that port to whatever your requirements.
Run a separate instance of your web server that listens on a port other than 80 (e.g., 8080) that can't be seen from the outside and has configuration to allow access to /var/www/adm but restrict access to the local host only.
When it comes time to use the administrative tools:
Knock to open the SSH port.
SSH into port 2222 and establish a tunnel from 8080 on the remote host to port 8080 on the server.
Use the remote browser to visit localhost:8080 and access your tools. The server will see the connection as coming from the local system.
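As an added example (not code from the answer above or from the original poster), here is a small script that wraps the two ideas in that answer: keep /var/www/adm at mode 000 while idle, and reach the tools only through an SSH tunnel to a second, loopback-only web server. ADM_DIR, SSH_HOST, SSH_USER and the two ports are assumed placeholder values; GNU stat is assumed for reading the permission bits.

```shell
#!/bin/sh
# Added example, not code from the answers above: a helper around the
# "chmod 000 when idle" idea and the SSH-tunnel workflow. ADM_DIR, SSH_HOST,
# SSH_USER and the ports are placeholders (assumed values, adjust to your
# setup). Requires GNU stat.

ADM_DIR="${ADM_DIR:-/var/www/adm}"          # directory holding the admin scripts
SSH_HOST="${SSH_HOST:-server.example.com}"  # placeholder hostname
SSH_USER="${SSH_USER:-admin}"               # placeholder login name
SSH_PORT="${SSH_PORT:-2222}"                # the non-default sshd port from the answer
ADM_PORT="${ADM_PORT:-8080}"                # port of the localhost-only web server

# Octal permission bits of a path, e.g. "500" (GNU stat; BSD stat uses -f %Lp).
perm_of() {
    stat -c '%a' "$1"
}

# Idle state: nobody, the web server included, can read or enter the directory.
adm_lock() {
    chmod 000 "$1" && [ "$(perm_of "$1")" = "0" ]
}

# Working state: owner may read and enter, no write bit, nothing for group/other.
adm_unlock() {
    chmod 500 "$1" && [ "$(perm_of "$1")" = "500" ]
}

# The ssh invocation that maps local ADM_PORT to ADM_PORT on the server's
# loopback interface. -N opens no remote shell; the tunnel is all we want.
adm_tunnel_cmd() {
    printf 'ssh -N -p %s -L %s:127.0.0.1:%s %s@%s\n' \
        "$SSH_PORT" "$ADM_PORT" "$ADM_PORT" "$SSH_USER" "$SSH_HOST"
}

# Apache 2.4 fragment for the second, loopback-only server instance.
# "Require local" admits only connections that arrive from the machine
# itself, which is exactly what the tunnel produces.
adm_vhost_conf() {
    cat <<EOF
Listen 127.0.0.1:${ADM_PORT}
<VirtualHost 127.0.0.1:${ADM_PORT}>
    DocumentRoot /var/www
    <Directory ${ADM_DIR}>
        Require local
    </Directory>
</VirtualHost>
EOF
}

# Usage (run as root on the server): ./adm-tools.sh lock | unlock | tunnel | vhost
# With no argument the script only defines the functions above.
case "${1:-}" in
    lock)   adm_lock "$ADM_DIR" && echo "locked $ADM_DIR" ;;
    unlock) adm_unlock "$ADM_DIR" && echo "unlocked $ADM_DIR" ;;
    tunnel) adm_tunnel_cmd ;;
    vhost)  adm_vhost_conf ;;
esac
```

Run "lock" after each session and "unlock" before the next; "tunnel" prints the command to run from the workstation, after which the tools are at http://localhost:8080/adm/ on that workstation and the server sees the request arriving from 127.0.0.1.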
I am currently working on the release of my project management software to the internet. It is my first tool that I am going to deploy in the www and I am concerned about some Security Factors. At the moment the tool is running on Apache Port 80 (https is to be done) with MySQL and PHP. I got myself a domain name which links back to the public IP of my Windows Server on which Port 80 is open for access.
I am now thinking about deploying a letsencrypt certificate in combination with the win-acme letsencrypt client.
Can the procedure be considered as safe? I would be happy if you could provide me some feedback or improvements.
I have used Let's encrypt for many websites. I have never faced any problems with it. Just make sure you install it correctly.
I suggest using a firewall and an SSH connection with strong passwords. Set up your firewall to allow HTTPS incoming connections (port 443). You can deny HTTP connections if you want and allow specific IP addresses and port ranges.
Once you do it, it will depend on how efficient your code is. One of the common web hacking techniques is SQL injection. I suggest using PDO.
Hope it helps!
I need a solution for how to make a web application hosted in a web server accessible only to certain computer machines, using PHP or Java. I need to restrict a web application to certain computer machines. So please tell me how it can be achieved?
Basically you have several options. You could secure your application using apache authentication which requires user to insert username and password. You could restrict access to the application using IP address or implement the authentication on the application layer.
I do not suggest using IP authentication though, because it simply isn't secure.
Apache authentication: apache documentation
PHP Authentication: PHP Documentation
If you are using apache web server then you can restrict certain IPs in webserver configuration itself as suggested here.
This is not only in Apache but any webserver out there, you can do the same thing but configuration style differs.
You make a whitelist of IP addresses that are allowed to connect to the web server.
Then you can get the client's IP addresses in PHP:
$userIpAddress = $_SERVER['REMOTE_ADDR'];
or in Java:
String userIpAddress = request.getRemoteAddr(); // HttpServletRequest; the peer address is not an HTTP header
Note that getting the real IP address of the user can be tricky. See these questions:
How can I retrieve IP address from HTTP header in Java
what is the right way to get request's ip
The easiest way, though, would be to restrict clients' access directly in the webserver configuration.
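Whichever layer enforces the allowlist (Apache's IP restriction, or PHP checking $_SERVER['REMOTE_ADDR']), the access log is where you see who is actually reaching the restricted path. The following is an added example, not code from this answer or from the first question, covering both that question's /adm/ directory and this answer's IP whitelist: an awk-based audit that lists every client that requested the restricted prefix without being on the allowlist. It assumes Apache's "combined" log format; the allowlist, the IP addresses and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the answers above: a defender-side check that
# goes with an IP allowlist. Assumes Apache "combined" log format. The IPs
# and log lines below are constructed sample data, not real traffic.

# Allowlist: one IP per line, comments and blank lines allowed.
make_sample_allowlist() {
    cat > "$1" <<'EOF'
# constructed sample allowlist
203.0.113.10
198.51.100.7
EOF
}

# Constructed sample lines in Apache "combined" format. Field 1 is the client
# address the web server saw (the value PHP gets as REMOTE_ADDR), field 7 is
# the request path.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /adm/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:56:01 +0000] "GET /adm/ HTTP/1.1" 401 381 "-" "curl/7.88.1"
192.0.2.55 - - [10/Oct/2023:13:56:02 +0000] "GET /adm/ HTTP/1.1" 401 381 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "POST /adm/delete.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:58:44 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.88.1"
192.0.2.99 - - [10/Oct/2023:14:01:00 +0000] "GET /adm/edit.php?id=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"
EOF
}

# audit_admin_hits ALLOWLIST LOG PATH_PREFIX
# Prints "<ip> <hits>" for every client address that requested PATH_PREFIX
# and is not on the allowlist, most hits first. Caveat: behind a reverse
# proxy field 1 is the proxy's address; in that case restrict at the proxy
# or use mod_remoteip so the real client address is logged.
audit_admin_hits() {
    awk -v prefix="$3" '
        # First file: the allowlist. Skip blank lines and comments.
        FNR == NR { if ($0 !~ /^[[:space:]]*(#|$)/) allowed[$1] = 1; next }
        # Second file: the log. Count requests under the prefix from
        # addresses that are not allowed.
        index($7, prefix) == 1 && !($1 in allowed) { hits[$1]++ }
        END { for (ip in hits) print ip, hits[ip] }
    ' "$1" "$2" | sort -k2,2nr -k1,1
}

# Usage: audit_admin_hits /etc/adm-allowlist /var/log/apache2/access.log /adm/
# With the sample data this prints "192.0.2.55 2" and "192.0.2.99 1".
```

Any non-empty output means the restriction is being probed or is not being enforced where you think it is; the 401/403 status codes in the sample lines show the difference between a rejected attempt and a request that actually got through.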
If I place a PHP script on a host, and in that script FTP a file (local to the script) to a FTP account also ending on that same host, my expectation is that the connection and transfer should be nearly instant as (I hope) no outbound traffic would be generated. But I don't have a way to test this. Is this really the case?
Update
The FTP host is not localhost, or 127.0.0.1. Say we have a normal FTP account johndoe with a ******* password on thehost.com. On this same thehost.com we execute our out_of_jail.php script that will FTP /css/styles.css to thehost.com.
This is supposed to work on host environments where the admin does not have access to /etc/hosts to add thehost.com.
Let's define outbound traffic in the most restrictive way: by it, we mean traffic that goes out to the network card. So, if it goes out and is returned as an inbound packet by some other device in the same network, it would still be considered outbound traffic.
If you point your FTP script to localhost or 127.0.0.1 then there should be no outbound traffic.
If all you're trying to do is get a file from Point A to Point B on the same server via a PHP script, there are other ways to do that besides FTP as well. Of course I do not know all the specifics of your scope or needs, so maybe the FTP approach is right for you. But if you can't get it working, look in to some other options.
I'm new to PHP, so I don't know how to explain it. I'm running WAMP on my computer and I would like to be able to access my localhost from another computer.
Is it possible? How can I do this?
This is provided that all machines are on the same network and that you have administrative privileges on the machines (you'll have to edit some system files).
You can easily do this but it would have to be a manual process.
You have to create an entry in the hosts file:
On Windows machines it is located in %SystemRoot%\system32\drivers\etc\hosts
On UNIX-like systems it is located in /etc/hosts
http://en.wikipedia.org/wiki/Hosts_(file)#Location_in_the_file_system
See the link for details on where your hosts file is located. It depends on the operating system.
The following will have to be done on every machine that you would like to have access to your localhost machine.
Add a line at the very end of your hosts file similar to this:
10.0.0.42 prathyash-localhost.com
The IP address (in the example above it is 10.0.0.42) is the address of your localhost, i.e. your computer's IP address. The domain name (prathyash-localhost.com) is what is mapped to the IP address.
After you save that file, whenever that computer points to prathyash-localhost.com, it will be directed to your IP address. Firewalls are still a barrier - however the other answers covered that so I will not repeat their contribution.
Depending on your situation, manually editing tens maybe hundreds of files might not be feasible. In this case, you might want to consult the networks administrator (he probably hangs around on Server Fault), and he may have a better solution for you.
This problem can be fixed as follows. This is for one using a WAMP server or a similar local server.
First ensure that you have modified the httpd.conf. Scroll until you find this line:
# onlineoffline tag - don't remove
Order Allow,Deny
Allow from all
If you have a smartphone turn on your wifi hotspot to connect with your pc and the one you want to connect with.
Open the command prompt in your pc and type ipconfig. Note down the ip4 address of your pc (eg. 192.168.43.47) under wireless LAN adapter Wireless Network Connection.
In the pc you want to connect to set "Obtain IP address automatically".
Before you connect ensure your wamp server is online.
Open the browser of the client PC and type the IP address noted down earlier. This should work just fine. In some cases you may be required to switch off your antivirus.
Yes if they are on the same network, simply target the computer's IP address and ensure anything on either computer that would block access to port 80 (firewalls) is off
Shaun Hare explained it pretty well; however, if those computers are not in the same network (my case, when a remote presentation is needed) you would also need to set up port forwarding on your router, and the remote side would need the router's public IP address.
Basically, remote side would enter http://123.123.123.123/index.php in their browser and router would point that request (via port forwarding) to WAMP server installed at 192.168.10.10 (for instance).
You can't. Bind the appropriate daemon to 0.0.0.0/:: or an external interface and use the machine's IP address.
If it's for testing you could use a service like http://localhost.run/ or https://ngrok.com/ to temporarily put localhost on the internet.
Port forward port 80 in your router configuration. Start WAMP. Now when your IP address is accessed from any external machine it will jump to the "www" folder and show the index file. If you are not able to do so, it means your firewall is blocking the request: disable it and try again.
You could just tinker around the firewall. I found that the inbound and outbound rules were blocking all public network traffic (that is, all traffic to my router which is seen as public, even though it has a password) and proceeded to check the box to allow traffic on a public network (both inbound and outbound) for all the rules bearing the Apache name. Also, I did turn on the MySQL server, but that shouldn't do anything at all in this matter (though life has surprised me like this before where something insignificant turned out to be quite significant in the end, so I would do this as a last resort, but unlikely). Also, I think this should work at least over the same WiFi network (and I know that's a part of LAN, but just to clear up any ambiguity) since I only tested with my Android phone (oh how I wish I had a Windows Phone). Hope this is of any use to anyone!
I've been learning to setup servers to use for my web-apps - and have found that my favourite (fastest and easiest to get going) setup is CentOS5.5/Lighttpd/fastcgi and SQL. I don't, however, know how secure these are out of the box - I installed them using Yum and have modified some settings to encourage PHP to play ball - is there anything I should be doing to increase my security levels, prevent tampering with my scripts?
The server doesn't have FTP, any additional users from root, mail or anything else installed at all, and all directories are owned by lighttpd:lighttpd and not CHMOD for any world use. The greater world won't ever be using the apps I'm writing, they are for personal and for my employees / partners to keep track of money and clients (hence my wish for them to be secure).
Thanks guys!
If you are talking about servers (plural) and you have the budget / ability I would encourage you to only have servers that are client facing that serve static content only. Move your PHP and SQL back to internal only.
Web server with 80 / 443 open to the world and the SSH port open only to trusted IP's or listening only on an internal interface you can access
Application server with port 80 listening only to requests from the front end web server through a private IP address (if possible). Otherwise, restrict its access to the public IP of the front end webservers and consider having HTTPS (443) communications between the two.
Your SQL instance / server should have the same concept, only being accessible from the Application server.
This allows you to have multiple levels of security and dedicated resources to process specific tasks (FE webserving / Middleware Application serving / Backend data services)
In addition, if your FE is compromised, they won't have immediate access to your PHP source and the database content.
If it is a single server, ensure only 80/443 are open to the world and make sure you have a firewall, or firewall concepts in place, to restrict/deny access to all other ports except from trusted sources. Consider moving SSH from port 22 (default) to an alternate port ...
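For the single-server case, here is an added example (not code from the answer above or from the question) of a firewall that follows that advice literally: 80 and 443 open to the world, SSH reachable only from a trusted network and on a non-default port, everything else (MySQL's 3306 included) dropped by the default policy. The trusted network and the SSH port are placeholder arguments you pass in; the output is an iptables-restore file.

```shell
#!/bin/sh
# Added example, not code from the answer above: a single-server IPv4 ruleset
# in iptables-restore format. TRUSTED_CIDR and SSH_PORT are placeholders that
# the caller supplies (assumed values in the usage line below).

# build_ruleset TRUSTED_CIDR [SSH_PORT]
# Prints the ruleset. Apply with:
#   build_ruleset 203.0.113.0/24 2222 | iptables-restore
# Change "Port" in /etc/ssh/sshd_config to the same value and keep your
# current session open until a second login on the new port works.
build_ruleset() {
    trusted="$1"
    ssh_port="${2:-22}"
    case "$trusted" in
        */*) ;;   # looks like a CIDR; good enough for this example
        *) echo "usage: build_ruleset TRUSTED_CIDR [SSH_PORT]" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
# Default policy: drop anything not explicitly allowed below. Nothing opens
# 3306, so MySQL is unreachable from outside; additionally bind it to
# 127.0.0.1 (bind-address in my.cnf) since PHP talks to it locally.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections the server itself started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only services exposed to the world.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH: trusted source network only, on the chosen (non-default) port.
-A INPUT -p tcp -s ${trusted} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# Keep ping working; everything else falls through to the INPUT policy.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Quick self-check helper: does the generated ruleset accept a given TCP port
# from anywhere? Returns 0 if yes, 1 if not.
ruleset_opens_port() {
    build_ruleset "$1" "$2" | grep -q -- "^-A INPUT -p tcp --dport $3 -j ACCEPT\$"
}
```

Before loading it, view the output once; after loading, confirm from the trusted network that SSH still answers on the new port and from anywhere else that only 80 and 443 respond. The FORWARD chain is dropped because a single web server has no business routing packets.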