Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

19 Jan 10 Website Security Scan

Websites get hacked every day, customers’ details are taken, and it’s usually REALLY EASY to do. As a security consultant, I often get the call after a Google search turns up my details as the guy to contact when this happens.

Shameless plug: Why not contact me BEFORE this happens for a FREE basic web scan.

Shameless plug over. Why not consider some of the things that can be done to help prevent a website breach.

First, concentrate on the box and LAMP environment as a whole. Here’s a top 10:

    • Restrict or disable .htaccess type files. A lot of sites these days allow uploading of files, in whatever form that may come. Often the code can be tricked into letting an attacker upload htaccess files to certain directories, which could allow scripts to be executed or visitors to be redirected.
    • Check your apache config after tightening up/disabling htaccess: disable cgi directories you don’t need and set sensible limits.
    • Consider mod_security.
    • Check that apache, php, mysql and related modules are up to date.
    • Firewall mysql externally, along with any other services that should not be accessed directly from the outside or are not necessary.
    • Check your list of mysql users and make sure each user has only the privileges it needs.
    • It’s common to find users on their own webservers connecting to mysql from their web code as the root user. Don’t do it. Create a user account for that particular site/database and assign it the tightest privileges. Do not connect to mysql as root unless necessary.
    • Take multi-day backups of database, code AND logs.
    • Check the machine for world readable/writable directories.
    • Rate-limit hits/sec per source IP.
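Several of these checks can be scripted. As an added example (not code from the post), here is a small Python audit covering the htaccess override, world-writable directory and root-MySQL-login items, run against a constructed sample tree; the credential patterns, file extensions and the sample Apache config are assumptions.

```python
# Added audit example (not the post's code); the sample tree and patterns are constructed.
import os
import re
import stat
import tempfile

# Any AllowOverride value other than None re-enables .htaccess processing.
ALLOW_OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.I | re.M)
# Assumed styles: $db_user = 'root';  define('DB_USER', 'root');  mysql_connect('h', 'root', ..)
ROOT_LOGIN = re.compile(r"""(user\w*\W{0,6}|mysqli?_connect\([^,]*,\s*)['"]root['"]""", re.I)
# Constructed sample config: the global None is undone again for one directory.
SAMPLE_CONF = "AllowOverride None\n<Directory /var/www/site>\n    AllowOverride All\n</Directory>\n"

def htaccess_overrides(apache_conf_text):
    """Return every AllowOverride value that is not 'None'."""
    return [v for v in ALLOW_OVERRIDE.findall(apache_conf_text) if v.lower() != "none"]

def world_writable_dirs(root):
    """Dirs any local user can write to (sticky /tmp-style dirs skipped), relative to root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            mode = os.lstat(os.path.join(dirpath, d)).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                hits.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(hits)

def root_db_logins(root):
    """PHP files under root whose MySQL credentials name the root user."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".php", ".inc")):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if ROOT_LOGIN.search(fh.read()):
                        hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_fixture():
    """Constructed tree: world-writable uploads/, sticky tmp/, config.php connecting as root."""
    root = tempfile.mkdtemp(prefix="audit-")
    os.makedirs(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # mkdir honours umask, chmod does not
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php\n$db_user = 'root';\n$db_pass = 'example';\n")
    return root
```

Pointed at a real docroot and httpd.conf instead of the fixture, each function returns the offending entries for that checklist item.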

Next, look to your web code. Here’s a top 5:

    • Look for SQL Injection opportunities. SQL Injection is NOT prevented just by escaping incoming strings.
    • Check all input areas for XSS (Cross Site Scripting).
    • Session ID protection – can users overwrite cookie/session variables that you have set and taken for granted shouldn’t be changed by the user? These are easy to overwrite/exploit with ‘curl’ or ‘wget’.
    • How are you handling user data input? Sniffing plaintext HTTP, or plaintext anything for that matter, is very simple. All sensitive data should be sent over HTTPS. On that matter, are you storing the data safely afterwards?
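The SQL injection point above, as an added example that is not from the post: the same lookup written three ways against an in-memory sqlite table standing in for MySQL (Python so it runs stand-alone; in PHP the bound version is a PDO or mysqli prepared statement). The table and the rows are constructed.

```python
# Added example (not the post's code): escaping only protects a quoted string
# context; a numeric context needs type validation and parameter binding.
import sqlite3

def make_db():
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def escape(s):
    """Quote-doubling escape, the mysql_real_escape_string style of defence."""
    return s.replace("'", "''")

def names_by_id_escaped(conn, user_id):
    """Escaped but unquoted: in a numeric context there is no quote to escape,
    so an input like '1 OR 1=1' goes straight into the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = " + escape(user_id) + " ORDER BY id"
    return [r[0] for r in conn.execute(sql)]

def names_by_name_escaped(conn, name):
    """Escaped AND quoted: here the escaping does keep the string closed."""
    sql = "SELECT name FROM users WHERE name = '" + escape(name) + "' ORDER BY id"
    return [r[0] for r in conn.execute(sql)]

def names_by_id_param(conn, user_id):
    """Validate the type, then bind: the value never becomes SQL text."""
    if not user_id.isdigit():
        return []  # reject bad input outright rather than trying to clean it
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (int(user_id),))
    return [r[0] for r in rows]
```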

Anything to add to this list? Please let me know!




Reader's Comments

1.

  You’ve created a very valuable list here.

  I would like to add that one of the most frequent ways we’ve seen of website hacking is through compromised FTP credentials.

  Many people immediately think of “cracking” FTP passwords, but that’s not even necessary.

  What hackers do is take advantage of the fact that anti-virus companies are having a difficult time keeping up with the viruses. Some reports state that anti-virus companies have to create signatures for up to 30,000 new viruses a day. In order to keep up with this, the anti-virus companies have created more generic type signatures.

  These generic signatures are ill-equipped for today’s intelligent cybercriminals. So viruses do get through.

  What some hackers have done is create viruses that search the infected PC for certain files that contain the FTP login credentials for websites. That way, the hacker has access to infect hundreds or thousands more PCs.

  Some FTP programs store these important credentials in plain text files. For instance, many people use Filezilla. It stores the FTP address, username and password saved by the user in a plain text file. Easy pickings for today’s viruses.

  The viruses also “sniff” the FTP traffic leaving a PC. Since FTP transmits all data, including username and password, in plain text, it’s easy for the virus to steal the username and password that way as well.

  So, in addition to the steps you’ve outlined above, please let people know that they also need to protect their PCs as well. Otherwise, they may be calling you to help them clean up their websites.


