Security Tips

We are listing few of the security tips which can be helpful for novice/beginner to start web hosting or to provide hosting services.  We have taken all the care while listing all the information, If any body found the information is having problem please contact us.

APACHE

  • Security By Obscurity: The default Apache installation options cause the server to add a signature that shows what version of Apache you are running, what operating system it is running on and even what modules you are using in your Apache configuration. This information makes it easier to exploit your system since hackers will have a great deal of information about the types and versions of your software and can easily search for vulnerabilities. To disable Apache’s signature and reduce the information included in the HTTP header, add the following options to your default httpd.conf file:
    ServerSignature Off
    ServerTokens Prod
  • Separate user and group for Apache: Some older configurations that ran the server as root, it can be problematic. If one of these other systems is comprised, the attackers would also have access to your Apache server and files. Using a separate user and group for Apache is recommended. You can set these in httpd.conf using the following:
    User apache
    Group apache
  • Control Directory and File Access: Apache has access controls that can be used to tighten your security. In particular, you want to block access to access to any files outside of your web root. The first is to add the following to your default httpd.conf file:<Directory />
    Order Deny,Allow
    Deny from All
    Options None
    </Directory>
  • .htaccess: A common technique is to block access to .htaccess. However, there are also often other files for which you want to block access. You might want to block access to all files with a .inc extensions (PHP includes) since they may contain sensitive information (such as database details) or if you use the Subversion source control system, you may need to block the .svn files generated when doing a code checkout. To block a specific file such as .htaccess, add this to your httpd.conf:
    <Files ~”^/.htacces”>
    Order Deny,Allow
    Deny from All
    </Files>

    To hide all files that end in .svn, you can use the following:

    <Files ~”/.svn$”>
    Order Deny,Allow
    Deny from All
    </Files>

  • Disable FollowSymLinks:  Symbolic links can expose files and directories on your file system that you did not intend to expose. Apache supports FollowSymLinks  as a setting for Options. When this option is set, Apache will allow a user to follow a symbolic link to a file that is outside of the web root. You can stop this behavior by using:Options Nonewithin a Directory block. Or if you are enabling other options you can use:

    Options -FollowSymLinks

PHP

  • Kill Register Globals: PHP used global variables to provide access to input variables from GET and POST requests. his feature was done away with because it provided a security loophole. PHP provides the register_globals setting in php.ini. When this is on, PHP will provide the earlier behavior and register global variables for the input values. To secure your PHP, installation you should always turn this off. Avoid scripts that require register_globals as it is usually a sign of a potentially insecure script or one that has not been maintained or updated recently.
  • Controlling File Access: One option you can use in php.ini is open_basedir. This option takes a sub-directory as its value such as /home/user/html/. It restricts PHP’s I/O to that sub-directory which prevents PHP from reading or writing files outside of that sub-directory.Safe_mode in php.ini can be used to control access to files. PHP is only able to open files that are owned by the same user as your web server. It also prevents PHP from executing binaries. If you need to allow PHP to access files that are owned by different owners you can use safe_mode_gid. This limits PHP’s access to only files that are owned by the group that your web server runs under.
  • Hiding PHP: Security by obscurity is not sufficient to protect your application, it does make it harder for potential hackers to exploit your site if they do not know what technologies are behind it. PHP exposes itself in a number of ways including inside the Apache headers and in the Apache footer signature. You can turn off this behavior with expose_php = off in php.ini.
  • Hiding display of errors: PHP exposes its presence is through the display of errors. These errors often include path information and other settings that a hacker will find invaluable. These error messages are invaluable during development for testing and debugging but they should be turned off on production sites. You can turn them off by setting: display_errors = Off in php.ini. A useful feature is to have the error messages logged to a log file instead which you can do by setting: log_errors = On in php.ini.
  • URL Rewriting: We can configure Apache to rewrite your URLs so as to hide the .php ending.


Disclaimer:

These tips can be informed and extremely useful but they should not take the place of professional advice. Security Tips should be used entirely at your own risk. If you wish to rely on or apply any of the information of this site you do so at your own risk and take full responsibility for your own actions.

Leave a Reply

Your email address will not be published. Required fields are marked *