As a PHP programmer with 8+ years' experience now, I've always specialized in web security, security standards, and secure programming. In the, say, 300+ websites that I've dealt with in the past, at least 200 have been vulnerable to some sort of moderate to high risk attack. By high risk, I mean the steal your database and deface your website type of attack.
Free Website Security Scan? Why? Well, most of the security audits that I conduct will usually begin with a basic audit that ultimately goes uncharged in light of the thorough audit and any repair works that follow. On that basis, I'm happy to offer a basic FREE no obligation security audit to anyone genuinely interested in using my services. I do not require any code or data from you, nor any access to your systems. All I ask is that you have a genuine intention of using my services to thoroughly audit and/or repair any vulnerabilities in your site that I'm able to identify and demonstrate.
Interested? Contact me now.
Tags: free website security scan, php programmer, website security consultant
If you need a skilled website security consultant or PHP programmer, then consider me. Get in touch with me for a quote, and I’ll be more than happy to discuss what I can do for you.
These days, your site can't be too secure, and if you're unsure of how to properly secure your site or your PHP code, then, as a PHP website security tester, I stand ready to assist you. I can help you ensure that your server is secure overall, reducing the chances of it being hacked. I can also go over your PHP code and ensure that it too is secure. After all, a secure server really does no good if the PHP code isn't also secure.
Feel free to browse my site and read my articles. Then, get in touch with me, and let me know the details of your project!
Tags: adam palmer, php programmer, resume, website security consultant
You may be browsing through my site, or maybe you came here because you’re looking for a PHP programmer. Allow me to introduce myself. I am Adam Palmer, and I’m a freelance website security consultant, developer, and, of course, a PHP programmer. I’m willing and able to do most any web, Linux, or hosting-related project.
If you have something along those lines that needs to be done, simply contact me, and we can discuss your needs in greater detail.
In addition to doing this sort of work, I run APNIC Solutions, Ltd., which is a leader in network and business integration. You can be confident that when you hire me for your PHP, web, or other needs, you are getting a competent, skilled industry leader who will do a smashing job for a reasonable fee.
Feel free to browse through my blog and read my articles on a variety of PHP and security topics. Then, get in touch with me to see what I can do for you! If all you need is a consultant to point you in the right direction and help you get to the finish line, I would be more than happy and honoured to be that person.
Tags: Linux, PHP, php programmer, web, website security consultant
PHP is of course a valuable tool, and PHPMyAdmin is an equally valuable asset for those that don’t like command line administration. The problem is that because it’s a valuable tool, it’s a security exposure. As a website security consultant, I see the problem often: people don’t secure the one thing that, if accessed by a malicious party, can give carte blanche for destruction.
One simple way to secure your installation is to slightly modify your config.inc.php file. Look for this line:
$cfg['Servers'][$i]['auth_type'] = 'config';
Change 'config' to 'http'. By doing this, you will require that the database information (username and password) be entered prior to accessing PHPMyAdmin. Of course, this only addresses attacks over the web. If someone tries to remotely connect to your database and knows the root password, or the credentials for any of your databases, then you're still vulnerable.
One way to address the security of your config.inc.php file is to secure the directory that it’s stored in. This is especially important if you should be on a shared server.
Of course, there is still the matter of your SQL port, 3306, being open to remote attacks. The solution to this problem can be found in the /etc/my.cnf file. You need to add the following line so that only your server can connect to the SQL server. Ensure that it's under the "[mysqld]" section:
bind-address = 127.0.0.1
This sets it so that the SQL daemon only listens for connections locally, i.e. on your server. Anyone who tries to connect remotely will be denied. Now, the argument could be made that you could also add "skip-networking" to your my.cnf file and then specify the path to your socket file, but you still need a way to administer your SQL server, preferably via SSH. By adding the "bind-address" setting, you can do just that.
The name of the game is security, and the assumption behind it is simple: assume that everyone is out to attack you. If you think like that, you'll narrow down all the ports that are exposed and secure your server. Your SQL server is, like your DNS server, vital. It most likely powers your site. If the database is attacked, the damage can be considerable. Do understand that if a hacker is intent enough, they will find a way in, but by making it as difficult as possible, you reduce the chances of that happening.
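The two settings above are easy to get wrong quietly (a bind-address line placed under the wrong section, or an auth_type left at 'config' on one server entry). The following PHP script is an added example, not code from the original post: it reads the contents of a my.cnf and a config.inc.php and reports the weak settings the post describes. The file contents at the bottom are constructed samples, one weak pair and one corrected pair, so the script runs offline; the function names auditMyCnf and auditPhpMyAdminConfig are my own.

```php
<?php
// Added example (not from the original post): audit the two files the post
// discusses for the weak settings it describes. All inputs are constructed.
declare(strict_types=1);

/**
 * my.cnf check: under [mysqld] there should be "bind-address = 127.0.0.1"
 * (or "skip-networking"), so MySQL does not listen on a public interface.
 * Returns a list of findings; an empty list means the file looks fine.
 */
function auditMyCnf(string $myCnf): array
{
    $findings       = [];
    $section        = '';
    $bindAddress    = null;
    $skipNetworking = false;

    foreach (preg_split('/\R/', $myCnf) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || $line[0] === ';') {
            continue;                           // blank line or comment
        }
        if (preg_match('/^\[(.+)\]$/', $line, $m)) {
            $section = strtolower($m[1]);       // remember the current section
            continue;
        }
        if ($section !== 'mysqld') {
            continue;                           // only [mysqld] settings matter here
        }
        if (preg_match('/^bind-address\s*=\s*(\S+)/i', $line, $m)) {
            $bindAddress = $m[1];
        } elseif (preg_match('/^skip-networking\b/i', $line)) {
            $skipNetworking = true;
        }
    }

    if (!$skipNetworking && !in_array($bindAddress, ['127.0.0.1', 'localhost', '::1'], true)) {
        $findings[] = $bindAddress === null
            ? 'no bind-address under [mysqld]: MySQL listens on every interface, so port 3306 is reachable remotely'
            : "bind-address is {$bindAddress}: MySQL still accepts remote connections";
    }
    return $findings;
}

/**
 * config.inc.php check: auth_type should not be 'config', and no plaintext
 * database password should be stored in the file.
 */
function auditPhpMyAdminConfig(string $config): array
{
    $findings = [];
    if (preg_match("/\['auth_type'\]\s*=\s*['\"](\w+)['\"]/", $config, $m)
        && strtolower($m[1]) === 'config') {
        $findings[] = "auth_type is 'config': anyone who reaches PHPMyAdmin is logged in without credentials";
    }
    if (preg_match("/\['password'\]\s*=\s*['\"][^'\"]+['\"]/", $config)) {
        $findings[] = 'a database password is stored in config.inc.php';
    }
    return $findings;
}

// Constructed samples: the weak settings first, then the corrected ones.
$weakMyCnf  = "[mysqld]\nport = 3306\nbind-address = 0.0.0.0\n";
$fixedMyCnf = "[mysqld]\nport = 3306\nbind-address = 127.0.0.1\n";

$weakPma  = "<?php\n\$cfg['Servers'][\$i]['auth_type'] = 'config';\n"
          . "\$cfg['Servers'][\$i]['user'] = 'root';\n"
          . "\$cfg['Servers'][\$i]['password'] = 'secret';\n";
$fixedPma = "<?php\n\$cfg['Servers'][\$i]['auth_type'] = 'http';\n";

foreach (['weak' => [$weakMyCnf, $weakPma], 'fixed' => [$fixedMyCnf, $fixedPma]] as $label => [$cnf, $pma]) {
    $findings = array_merge(auditMyCnf($cnf), auditPhpMyAdminConfig($pma));
    echo $label . ': ' . ($findings ? implode('; ', $findings) : 'no findings') . PHP_EOL;
}
```

On a real server you would feed the script the actual file contents (file_get_contents('/etc/my.cnf') and the PHPMyAdmin config) and then confirm the result from outside with a connection attempt to port 3306, which should be refused once bind-address takes effect and the daemon has been restarted.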
Tags: attacks, MySQL, PHP, php programmer resume, phpmyadmin, sql, website security consultant
The server hardening process can be a daunting task for someone who’s new to the process, or who’s new to hosting in general. The good news is that there’s one simple way to help reduce attacks on your server, or at least its PHP applications.
If you run an e-commerce site, chances are you run a CMS such as WordPress, and a shopping cart application such as WHMCS. Both of these applications, like nearly all others, have a login module for the administrators. Especially in the case of well-known programs, there are plenty of people who know how to find your administrative login panel, and that includes those with less than honourable intentions.
Tags: htaccess, php programmer, secure, unix, website security consultant
Hardening your server is perhaps the best way to prevent, or at least reduce, attacks on your server. What follows is a basic overview of what you should do to harden your server. If you are not completely comfortable doing this, you should retain the services of someone who is, to avoid data loss.
The key service you want to secure is SSH, as that is perhaps the most vulnerable. If someone should have access through this protocol, they would have complete power over your server, and all the sites on it.
Tags: server hardening, ssh, website security consultant
Obviously, keeping your site secure is one of your primary goals as an administrator. As discussed in an earlier post, filtering IP addresses is one piece of the puzzle.
But what other aspects are there to keeping your site secure? What follows is a brief list of ideas, which will be expanded upon in future posts. The security of your server simply cannot be ignored. Too often, administrators or webmasters throw caution to the wind, and leave things to chance. It’s really quite simple, although potentially time-consuming, to secure one’s server.
Tags: php programmer, resume, website security consultant
As a website security consultant, Cross Site Scripting (XSS) vulnerabilities are something that I see just as often as the always popular SQL Injection attack.
Cross Site Scripting seems to have originally meant placing some malicious code on the victim site that would pull code (usually JavaScript, but sometimes VBScript) from another malicious domain. Each client that visited the victim site would end up unknowingly having third-party malicious script code executed in his own browser. Now, it has become a term used to describe any type of malicious scripting attack.
The first example is a simple one. Many sites allow user comments. A user could quite easily enter:
This is my comment!<script type="text/javascript">
alert("script!");
</script>
Any user that hits this affected page will now see a popup box with the text "script!". The user could also just as easily have entered a script source of http://www.nastydomain.com/nastyscript.js, which will be downloaded and executed.
The second option is to place some JavaScript code that steals the user's cookies for that particular site and then posts them to a third-party site. His cookies may contain a login and password, or more likely a login hash. The attacker can then use these cookies to hijack the user's session and access possibly sensitive areas of the site under that user's account, as that hijacked user.
Fortunately the solution is simple. Either use htmlentities() to convert characters with special meaning in HTML into entities, i.e. converting < to &lt; etc., or use strip_tags() to remove all HTML tags from the input.
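The comment example above, written out as the output step where the fix actually lives. This is an added example, not code from the original post: one function echoes the comment verbatim (the vulnerable form), and two apply the remedies the post names, htmlentities() and strip_tags(). The function names are my own, and the sample comment is the constructed one from the post.

```php
<?php
// Added example (not part of the original post): the comment echo the post
// describes, first unescaped, then fixed with htmlentities() and strip_tags().
declare(strict_types=1);

/** Vulnerable: the comment goes back to every visitor as live HTML. */
function renderCommentUnsafe(string $comment): string
{
    return '<p>' . $comment . '</p>';
}

/** Fix 1: encode HTML metacharacters so the browser displays them as text. */
function renderCommentEscaped(string $comment): string
{
    // ENT_QUOTES also encodes ' and ", which matters when the value ends up
    // inside an attribute; the charset must match the page's encoding.
    return '<p>' . htmlentities($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/** Fix 2: strip the tags, then still encode whatever text is left. */
function renderCommentStripped(string $comment): string
{
    // strip_tags() alone is not a complete answer: a stray "<" or quote can
    // survive, so the remainder is encoded before it reaches the page.
    return '<p>' . htmlentities(strip_tags($comment), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/** Cheap sanity check for the hardened outputs: no raw <script> may remain. */
function containsLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample: the comment from the post.
$comment = 'This is my comment!<script type="text/javascript">alert("script!");</script>';

foreach (['unsafe' => 'renderCommentUnsafe',
          'escaped' => 'renderCommentEscaped',
          'stripped' => 'renderCommentStripped'] as $label => $renderer) {
    $html = $renderer($comment);
    echo $label . ' (' . (containsLiveScript($html) ? 'LIVE SCRIPT' : 'inert') . '): ' . $html . PHP_EOL;
}
```

The third argument to htmlentities() is the one most often forgotten: if it does not match the page's real character set, multi-byte input can be mangled or, worse, silently dropped, so set it explicitly rather than relying on the default.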
Tags: cross site scripting, html, htmlentities, javascript, PHP, strip_tags, website security consultant, xss