Thread Contributor: Hype
Web-Server Security Guide
#1
Introduction
When you create systems that store and retrieve data, it is important to protect the data from unauthorized use, disclosure, modification or destruction. Ensuring that users have the proper authority to see the data, load new data, or update existing data is an important aspect of application development. Do all users need the same level of access to the data and to the functions provided by your applications? Are there subsets of users that need access to privileged functions? Are some documents restricted to certain classes of users? The answers to questions like these help provide the basis for the security requirements for your application.

Picking the Right Web Host
This is a very crucial part of web-server security that web developers never really think about. Servers get rooted all the time, it happens. A hacker could just upload a shell and deface the one site, but most of the time they will go for gold and try to root the entire server. A good web host will protect you from this, so when picking just remember this:

Quote: Any free web host is a bad web host.

In my own opinion the biggest free host to avoid is 000WebHost. They will take down your site within about a week of it being up, and force you to upgrade to get it back.

Staying Up-to-Date
Remember to keep all of your software up-to-date. Generally updates are to fix a few bugs, but sometimes they patch a few vulnerabilities in their software, and if you don't update the hacker can exploit that vulnerability and use it against you. All because you didn't take 3 minutes out of your precious life to go click a button. Checking for the latest updates on every plugin and the site's design itself is recommended to be done at least once every two weeks.
 
Delete the Installation Folder
After you install some software, like MyBB, the installation folder is left on your web-server. It is highly recommended to remove that folder after the installation is complete. If not then there are lots of things that could occur with that folder that you really wouldn't want to happen.

Passwords
This is very simple, and users don't even take the time to do it. Make sure to use strong passwords: not just your standard "blah1234", use something unique. Also don't make a password that only meets the minimum length; that will definitely make it easy for a hacker to gain access by narrowing down the possible password combinations. There are many sites and software packages that can generate strong passwords for you. This one is probably the best:

RandomKeyGen
 
Prevent SQL, XSS, and More
This is something we use right here on OmegaForums. It is called PHP-Firewall, and it filters out malicious code. You can download it from here:

PHP-Firewall.info

Also, as a bonus, this is how you add it to the MyBB forum software:

Open global.php

Add This Code at Beginning:

Code:
// Expose the requested URI to the firewall (with tags stripped) and switch it on.
define('PHP_FIREWALL_REQUEST_URI', strip_tags( $_SERVER['REQUEST_URI'] ) );
define('PHP_FIREWALL_ACTIVATION', true );
// Load firewall.php from the directory you unpacked PHP-Firewall into.
if ( is_file( @dirname(__FILE__).'/<Firewall Path>/firewall.php' ) )
    include_once( @dirname(__FILE__).'/<Firewall Path>/firewall.php' );

#2
I want to point out a few things here if it doesn't bother you.

Picking the Right Web Host
Yes, I agree. Picking the right host is important. People should go for big and highly reputable companies.
If you can buy a VPS, go for it. You will have sudo (full) access to the server to do whatever you want with it (if you know system administration or have a sysadmin).

Staying Up-to-Date
This is the part where I disagree.
If you've ever owned a server (or worked with one) you would know that updating is a pain in the **** and it can't be done in 3 minutes, unless they are very minor updates.
Before you update something you should make sure the code you have supports the new version of the software you're going to update.
Take PHP for example. A lot of sites still use PHP5, and PHP7 is out there. Why? The answer is pretty simple: a lot of functions got deprecated. Basically you need to go through all your files and make sure everything is going to work after the update. Also, just because it's newer doesn't mean it's safer.
You shouldn't go around updating everything once a newer version rolls out, unless you know what you're doing. Otherwise you're going to stare at an error and have no idea why. Hosting companies also will take some time before they will "fix" your problem, so expect a downtime.

Passwords
You're talking about brute-force. Using password generators just sucks. Whoever wants to use a random password can google a random password generator and use that. You should never force users to generate passwords.
If you're afraid of brute-force attacks you can easily block the IP for x minutes after x errors.
You can even set up a 2-way authorization system.
There are a lot of things that you could do to protect yourself from brute-force attacks, without having direct impact on the user.
Also if the user is stupid enough to use a password such as "password123" they deserve what's coming for them.

Prevent SQL, XSS, and More
SQL Injection and XSS can easily be avoided by writing good code, same for other known attacks. You shouldn't rely on other software to protect your app. You should seek out and learn how to properly code an app so that you won't be vulnerable.
If you always use something made by others, without seeking to learn how to do it yourself, you will never grow.
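The two defences the post above names, blocking an address for x minutes after x failed logins and writing the database query so the submitted username cannot be read as SQL, as an added example (not code from this thread or from MyBB). It assumes PDO with the sqlite driver is available; the users table and the sample address are constructed.

```php
<?php
// Added example, not code from the thread: lock an IP out for a fixed time
// after a number of failed logins, and look the user up with a bound
// parameter so the submitted username can never be read as SQL.
// Assumes PDO with the sqlite driver; the users table below is constructed.
const MAX_FAILURES    = 5;    // the "x errors"
const LOCKOUT_SECONDS = 900;  // the "x minutes" (15)

final class LoginThrottle {
    // In-memory for the demo; a shared store (DB, Redis) is needed across workers.
    private array $state = [];

    public function isBlocked(string $ip, int $now): bool {
        return ($this->state[$ip]['until'] ?? 0) > $now;
    }

    public function recordFailure(string $ip, int $now): void {
        $s = $this->state[$ip] ?? ['count' => 0, 'until' => 0];
        if (++$s['count'] >= MAX_FAILURES) {
            $s = ['count' => 0, 'until' => $now + LOCKOUT_SECONDS];
        }
        $this->state[$ip] = $s;
    }

    public function recordSuccess(string $ip): void { unset($this->state[$ip]); }
}

function authenticate(PDO $db, LoginThrottle $t, string $ip, string $user, string $pass, int $now): string {
    if ($t->isBlocked($ip, $now)) {
        return 'locked';
    }
    // Prepared statement: the username is bound as a value, not spliced into the query text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash !== false && password_verify($pass, $hash)) {
        $t->recordSuccess($ip);
        return 'ok';
    }
    $t->recordFailure($ip, $now);
    return 'denied';
}

// Constructed demo: one account, then repeated failures from one address.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$t = new LoginThrottle();
for ($i = 0; $i < 6; $i++) {
    echo authenticate($db, $t, '203.0.113.5', 'alice', 'wrong', 1000 + $i), "\n";
}
echo authenticate($db, $t, '203.0.113.5', 'alice', 'correct horse', 1000 + LOCKOUT_SECONDS + 1), "\n";
```

The sixth attempt is refused without touching the database, and the correct password is accepted only once the lockout has expired.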

#3
(11-21-2016, 10:33 PM)On3. Wrote: I want to point out a few things here if it doesn't bother you.

Picking the Right Web Host
Yes, I agree. Picking the right host is important. People should go for big and highly reputable companies.
If you can buy a VPS, go for it. You will have sudo (full) access to the server to do whatever you want with it (if you know system administration or have a sysadmin).

Staying Up-to-Date
This is the part where I disagree.
If you've ever owned a server (or worked with one) you would know that updating is a pain in the **** and it can't be done in 3 minutes, unless they are very minor updates.
Before you update something you should make sure the code you have supports the new version of the software you're going to update.
Take PHP for example. A lot of sites still use PHP5, and PHP7 is out there. Why? The answer is pretty simple: a lot of functions got deprecated. Basically you need to go through all your files and make sure everything is going to work after the update. Also, just because it's newer doesn't mean it's safer.
You shouldn't go around updating everything once a newer version rolls out, unless you know what you're doing. Otherwise you're going to stare at an error and have no idea why. Hosting companies also will take some time before they will "fix" your problem, so expect a downtime.

Passwords
You're talking about brute-force. Using password generators just sucks. Whoever wants to use a random password can google a random password generator and use that. You should never force users to generate passwords.
If you're afraid of brute-force attacks you can easily block the IP for x minutes after x errors.
You can even set up a 2-way authorization system.
There are a lot of things that you could do to protect yourself from brute-force attacks, without having direct impact on the user.
Also if the user is stupid enough to use a password such as "password123" they deserve what's coming for them.

Prevent SQL, XSS, and More
SQL Injection and XSS can easily be avoided by writing good code, same for other known attacks. You shouldn't rely on other software to protect your app. You should seek out and learn how to properly code an app so that you won't be vulnerable.
If you always use something made by others, without seeking to learn how to do it yourself, you will never grow.

Well on the staying up to date part, it was geared more towards web apps like MyBB. The title may be a bit misleading as not everything has to do with web SERVER security, a bit of web app.

You're right, there are things like 2FA now, and this is also an old guide I made back when 2FA wasn't really a thing yet. So yes, that is a bit outdated.

I still stand by running a WAF, because this forum is a great example. Why? Because YOU didn't make this software, you just manage it. There might be a 0day discovered and because you didn't know about it and decided to not have a decent WAF, your website is hacked. Now, don't get me wrong, some WAFs can be bypassed and you should try to patch bugs instead of relying solely on a WAF, but it's always a good fallback.