Saturday, July 4, 2009

Secure your web site from hackers and malicious users

Here I am going to list some basic tips to protect your website from being attacked. We will start with preliminary countermeasures and then move on to more advanced measures that everybody needs to apply to their website. So here we go.

1. The first golden rule is: do not trust user input. All user input is evil. Filter user input, and do not let data reach the database or files unless it has been validated properly.

2. Check the length of the input to verify that it is below the allowed maximum. Every input field must have length validation; otherwise anyone can slow down your server by submitting huge amounts of data.

3. Always escape single quotes. For example, in PHP with MySQL, use the function "mysql_real_escape_string" when dealing with the database.

4. Always clean your data before inserting it into the database and also before displaying it to the user (to prevent XSS, Cross-Site Scripting, and CSRF). For example, in PHP you can use the function "htmlentities" for textual output and "urlencode" for URIs.
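The following is an added example, not code from the original post, tying tips 1 to 4 (and tip 9) together: a comment is length-checked and cleaned, written with a bound parameter instead of hand-escaped quotes, and encoded separately for the HTML body and for a URL. It assumes PHP 7.1 or later with the PDO SQLite driver so it runs offline; the table name, the `comments.php` link and the sample strings are constructed for the demo. Note that `mysql_real_escape_string` from tip 3 was removed in PHP 7; prepared statements give the same protection without depending on a live connection for escaping.

```php
<?php
// Added example, not from the original post: validate, store and display a
// user-supplied comment. Assumes PHP 7.1+ with the PDO SQLite driver enabled.
declare(strict_types=1);

const MAX_COMMENT_LENGTH = 500;

/**
 * Tips 1 and 2: trust nothing and enforce a length limit before the data goes
 * anywhere near the database. Returns the cleaned text, or null to reject.
 */
function validateComment(string $raw): ?string
{
    $text = trim($raw);
    if ($text === '' || mb_strlen($text, 'UTF-8') > MAX_COMMENT_LENGTH) {
        return null;
    }
    // Reject malformed UTF-8 and control characters other than tab/newline.
    if (!mb_check_encoding($text, 'UTF-8') || preg_match('/[^\P{C}\t\r\n]/u', $text)) {
        return null;
    }
    return $text;
}

/**
 * Tips 3 and 9: rather than escaping quotes by hand, bind parameters. The
 * driver keeps the data separate from the SQL text, so a quote in the input
 * can never terminate the string literal.
 */
function storeComment(PDO $db, string $author, string $text): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $text]);
    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Tip 4: encode for the context the value lands in. Text inside an HTML
 * element gets htmlentities(); a value inside a URL query string gets
 * urlencode() first and is then HTML-encoded like any other attribute.
 */
function renderComment(array $row): string
{
    $author = htmlentities($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = htmlentities($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href   = htmlentities('/comments.php?author=' . urlencode($row['author']),
                           ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><a href=\"$href\">$author</a>: $body</p>";
}

// --- Demo against an in-memory SQLite database with constructed input ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample: a single quote that would break a string-built query and
// a tag that would run as script if echoed without encoding.
$raw   = "O'Brien wrote <script>alert(1)</script>";
$clean = validateComment($raw);
if ($clean === null) {
    exit("rejected\n");
}
$id = storeComment($db, "Mr O'Brien", $clean);
echo renderComment(fetchComment($db, $id)), "\n";
```

Run it from the command line with `php example.php`; the quote is stored intact and both the quote and the angle brackets come back as entities in the rendered HTML.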

5. Never accept user input for filenames. Write your own filename, perhaps based on a predetermined format or an algorithm. Before you write the file, use the PHP functions "basename" and "realpath" (i.e. basename(realpath($filename))) in order to establish exactly where the file would end up if you wrote it as is. Also very important: before creating the file, use the PHP function "umask", i.e. umask(077), so that files have their permissions locked down before they are created. This prevents someone from accessing the file before you have time to change the permissions manually. Always change the permissions to read-only after manipulating the files/folders.
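Here is an added example of tip 5 in working PHP; it is not code from the original post. The server picks a random name, the extension comes from a fixed allow-list keyed by content type rather than from the upload's filename, the resolved directory is checked with realpath()/basename() before writing, umask(077) is set for the write, and the file is made read-only afterwards. The directory under the system temp path, the MIME allow-list and the sample content are constructed for the demo; `$mimeType` stands for a value you would obtain from finfo on the uploaded temporary file, not from what the browser claims.

```php
<?php
// Added example, not from the original post: write an upload to a path the
// server chooses. Assumes PHP 7.1+ and a writable directory $uploadDir.
declare(strict_types=1);

/**
 * Tip 5: build the destination ourselves. Nothing the client sent is used in
 * the name. $mimeType should come from finfo_file() on the temp file, never
 * from $_FILES[...]['type'], which the client controls.
 */
function chooseStoragePath(string $uploadDir, string $mimeType): string
{
    $extByType = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    if (!isset($extByType[$mimeType])) {
        throw new InvalidArgumentException('unsupported content type');
    }
    $dir = realpath($uploadDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('upload directory missing');
    }
    // 16 random bytes -> 32 hex characters; no user-controlled characters.
    $name = bin2hex(random_bytes(16)) . '.' . $extByType[$mimeType];
    // The file does not exist yet, so resolve the directory with realpath()
    // and re-attach basename(): the result cannot point outside $dir.
    return $dir . DIRECTORY_SEPARATOR . basename($name);
}

/** The post's basename(realpath()) idea: does an existing path resolve inside $dir? */
function isInside(string $dir, string $path): bool
{
    $real = realpath($path);
    $base = realpath($dir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

/**
 * Write with the permission mask already restricted (umask(077) yields 0600
 * for new files), then drop to read-only once the content is in place.
 */
function storeUpload(string $path, string $contents): void
{
    $old = umask(077);
    try {
        if (file_put_contents($path, $contents, LOCK_EX) === false) {
            throw new RuntimeException('write failed');
        }
    } finally {
        umask($old); // restore the process-wide mask for the rest of the request
    }
    chmod($path, 0400);
}

// --- Demo with constructed data ---
$uploadDir = sys_get_temp_dir() . '/uploads_demo';
if (!is_dir($uploadDir)) {
    mkdir($uploadDir, 0700, true);
}
$path = chooseStoragePath($uploadDir, 'application/pdf');
storeUpload($path, "%PDF-1.4\n% constructed sample\n");
printf("stored %s inside=%s mode=%o\n", $path,
       isInside($uploadDir, $path) ? 'yes' : 'no', fileperms($path) & 0777);
```

Restoring the previous umask matters on long-running SAPIs: umask() is process-wide, so leaving 077 in place would silently change the permissions of every file the worker creates afterwards.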

6. Whenever a user logs in, use the PHP function "session_regenerate_id" to prevent unauthorized access to their account or a session-fixation attack.

7. register_globals must be Off in your PHP configuration file (php.ini).

8. The allow_url_fopen option should be Off in your PHP configuration file (php.ini).
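The next block is an added example, not from the original post, covering tips 6 to 8 together: a start-up check that refuses to run while register_globals or allow_url_fopen is enabled (both are PHP_INI_SYSTEM settings, so a script cannot turn them off itself, only detect them), and a login routine that calls session_regenerate_id() after the credentials verify. The user store with a single constructed account and the `verifyPassword()` helper are placeholders for your own lookup. It assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original post: php.ini sanity check (tips 7, 8)
// and session id regeneration on login (tip 6). Assumes PHP 7.1+.
declare(strict_types=1);

/**
 * Refuse to serve with a dangerous interpreter configuration. Neither setting
 * can be changed with ini_set(), so the only safe reaction is to fail loudly.
 */
function assertSafeIni(): void
{
    $unsafe = [];
    // register_globals was removed in PHP 5.4; ini_get() then returns false.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        $unsafe[] = 'register_globals';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $unsafe[] = 'allow_url_fopen';
    }
    if ($unsafe) {
        throw new RuntimeException('insecure php.ini: ' . implode(', ', $unsafe) . ' must be Off');
    }
}

/** Placeholder credential check; replace with a lookup in your own user store. */
function verifyPassword(string $user, string $password): bool
{
    // Constructed sample record: a password_hash() of "correct horse".
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

/**
 * Tip 6: once the user is authenticated, swap the session identifier. The id
 * the browser arrived with is deleted, so an id planted before login (session
 * fixation) never becomes an authenticated session.
 */
function login(string $user, string $password): bool
{
    if (!verifyPassword($user, $password)) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // true: also delete the old session data
    $_SESSION = ['user' => $user, 'login_at' => time()];
    return true;
}

// --- Demo with constructed credentials ---
assertSafeIni();
session_start();
$before = session_id();
if (login('alice', 'correct horse')) {
    printf("logged in as %s; session id changed: %s\n",
           $_SESSION['user'], $before !== session_id() ? 'yes' : 'no');
}
```

Regenerating the id must happen before anything is written to the new session, and the old one should be destroyed (the `true` argument) rather than left valid, otherwise the fixated id keeps working alongside the fresh one.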

9. Always escape user input that you are going to use in your database queries or insert into the database.

10. Make sure you have installed the latest security patches.

11. Hide the Apache version number, Apache modules, OS and other sensitive information.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod reduces the header to:

Server: Apache

12. Make sure Apache is running under its own user account and group. Several Apache installations have it run as the user nobody.

13. Ensure that files outside the web root are not served. You would set it up as follows (replace /path/to/your/webroot with your actual document root):

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

<Directory /path/to/your/webroot>
Order Allow,Deny
Allow from all
</Directory>

14. Turn off directory browsing. You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes:

Options -Indexes

15. Turn off support for .htaccess files (if not required). This can be achieved with:

AllowOverride None

16. Run mod_security. mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O'Reilly Press.

17. Disable any unnecessary modules. Apache typically comes with several modules installed. Go through the Apache module documentation and learn what each module you have enabled actually does.

18. Lower the Timeout value. This is the number of seconds Apache will wait for a subsequent request before closing the connection. By default the Timeout directive is set to 300 seconds. Decreasing it helps mitigate the potential effects of a denial-of-service attack:

Timeout 45

19. Limit concurrency. Apache has several configuration settings that can be used to adjust the handling of concurrent requests. MaxClients is the maximum number of child processes that will be created to serve requests.

20. Limit large requests. Apache has several directives that allow you to limit the size of a request; this can also be useful for mitigating the effects of a denial-of-service attack. A good place to start is the LimitRequestBody directive, which is unlimited by default. If you allow file uploads no larger than 1MB, you could set it to something like:

LimitRequestBody 1048576

If you are not allowing file uploads you can set it even smaller.

21. Restrict access by IP. If you have a resource that should only be accessed from a certain network or IP address, you can enforce this in your Apache configuration:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1


I will keep updating this with new security features and prevention tips that you can use to apply an extra layer of security to your web site.