Server / PHP Security
			Feb 27, 2007
				One one of our (linux) servers spammers are king. they apparently can control anything and place spam links throughout the files.
For example spammer inserts Iframes either above or below HTML tags. (some step57 related type of virus/trojan as it seems)
Our programmer did not find where the problem is in our applications, yet he is not a security expert.
Our server admin company made us install phpuexec, we apparently have been checked on the server end and have mod_security, but we still don't know what's going on...spam continues.
	
	View 6 Replies
  
    
	ADVERTISEMENT
    	
    	
        May 21, 2009
        I'm running CentOS 5.x and DirectAdmin and wondering how to do the following:
- Disable compilers and other known binaries. Should I chown WGET 550?
- Prevent Shell Fork Bombs
- Best way to create partitions for tmpfs, tmp since my host forgot them?
- Any other tips on securing a DA based server? (I already have taken care of the whole SSH side of things)
	View 3 Replies
    View Related
  
    
	
    	
    	
        Oct 9, 2007
        Trying to determine what I want to put on my server for security. I have secured my /tmp, /var/tmp, and /dev/shm. I am now contemplating mod_evasive, mod_security, and/or APF Firewall. 
 
1.) Should I install all three, or will APF Firewall, provide the same or similar security as mod_security, or vice versa? 
 
2.) Will they all work together without conflicts? 
 
3.) Does installing these services have any affect on overall server performance? 
 
4.) Any other services you might recommend installing and why?
	View 7 Replies
    View Related
  
    
	
    	
    	
        Aug 26, 2007
        I have recently installed and configured my webserver. Since I think security is very important I am curious for recommendations, tips, etc.
My server:
-CentOS 4.4 (installed by provider)
-Apache 2.0.52
-Php 4.3.9
-MySql 4.1.20
-No FTP
-Mod_security is running
The firewall that comes with CentOS is switched on and allows the following ports: http, ssh, smtp.
I have installed sendmail, but it is turned off by default. I need it approx. 3 times a week for 15 minutes or so and will turn it on then.
I have barely any budget so hardware firewalls etc. aren't  an option.
Furthermore it's a basic server, just like my knowledge, so advanced things like IDS aren't an option.
	View 14 Replies
    View Related
  
    
	
    	
    	
        May 8, 2007
        i want to know how can they make the directory  ( u--------- )
take a look on this php shell
[url]
what i mean is they make the directory secure against any phpshell with that trick and they hide the hard disk space
how can i make this
my apache is 1.3.37 and i using fc5 and i have mod_security and cfs
	View 6 Replies
    View Related
  
    
	
    	
    	
        Aug 31, 2008
        I am considering renting a server, but got one question first.
If I sign up for one unmanaged root server with a control panel, from a provider. And just put my website on the server, and let it run there.
Is that a security risk? Is it easy for people to hack into my server, or anything like that?
	View 5 Replies
    View Related
  
    
	
    	
    	
        Nov 6, 2009
        My server has been hacked, I need you please to help learn about Unix server security to protect my server.
	View 6 Replies
    View Related
  
    
	
    	
    	
        Jun 7, 2008
        I have a dedicated server which I access via remote desktop.
The firewall is not enabled. What kind of security should I have on my server?
Ive read that if I enable Windows Firewall my remote desktop connection will be blocked & this will mean me having to contact the server company via phone etc.
	View 9 Replies
    View Related
  
    
	
    	
    	
        Nov 20, 2008
        Does any body recommend we3cares server management services?
I need a very simple server management and hardening job and dont want to pay much. (not for a hosting company)
	View 8 Replies
    View Related
  
    
	
    	
    	
        Jan 4, 2008
        Currently working on securing my server and i think I'm doing quite well until I asked myself the question, have I done it right? Is there anyway to actually test how secure my server actually is? I'd rather not just wait and see if someone can hack me to bring to light what I did wrong...I was also thinking of hiring someone to secure my server but then how do I know that they've done anything different to me?
 
Are there any scripts or programs I can run to test server security?
	View 10 Replies
    View Related
  
    
	
    	
    	
        Jun 3, 2008
        Is there any script or method where I can test my server security?
	View 2 Replies
    View Related
  
    
	
    	
    	
        Aug 10, 2008
        after following the perfect server setup - centos5.2 guide I have setup a home server on my dsl connection and installed openfire with relative ease. I have a paid hosting server which runs my website but I want to have it access the userservice plugin of openfire to add/remove users (which is installed on my new home webserver).
After trying fopen and CURL to post GET data to my home server without any luck I did some reading and came accross the snoopy php class. The snoopy class now allows me to get the default apache test page on my home server but when i try to point snoopy to my openfire admin on port 9090 it throws up a timeout error (but i think this may be an error in the snoopy class?).
CURL and fopen allowed me to get data from google and some other sites but not from my home server.
	View 2 Replies
    View Related
  
    
	
    	
    	
        Jun 15, 2007
        what the way to protect dedicated server?
 
At present, My dedicated server have firewall and setting permision for each user/ data.
 
I have installed a anti-virus software.
 
I wonder that whenever my server can be hacked/ attached.
	View 8 Replies
    View Related
  
    
	
    	
    	
        Feb 13, 2007
        I'm in an environment where we have hundreds of users uploading content to a web site.  
With the current system, someone could potentially run a command that would wipe out hundreds of files (and it has recently happened).  We are currently looking at ways to improve security and prevent "accidents" by separating the public server into to parts.  
A public server and a quality assurance server.  Everyone would have access to the QA server, and the QA server would upload all changes to production.  
I personally see the benefit, but don't see the problem being completely solved.  Does anyone have any advice on this or link to articles or books that might help to set up a secure web server structure?
	View 5 Replies
    View Related
  
    
	
    	
    	
        Sep 1, 2007
        i have a dedicated server , some one else made the security for me, how could to be sure of its security? how could to be sure of all php functions contain risk are closed or disabled? how could to be sure of there are not any security gap?
 
way to understand and implement the steps.
	View 5 Replies
    View Related
  
    
	
    	
    	
        Jul 19, 2007
        Which methods is need to protect a hosting server?
	View 10 Replies
    View Related
  
    
	
    	
    	
        Dec 17, 2007
        I found a random proxy site running out of /var/www/temp. It seems to have been created yesterday, and I found about it via a DMCA notice from the planet. Is this apache's temporary directory? There was even an entry for it in the apache configuration and was running as a perl script out of its own cgi bin. I killed it and chmod'd it to 0. In the future, would setting permissions on this directory to non executable prove to be effective? Any idea if this type of breach is serious enough to warrant an OS reinstall?
	View 9 Replies
    View Related
  
    
	
    	
    	
        Nov 12, 2007
        If I understand correctly, on the main physical server, we cannot install any firewall, so customers in VPS can open any port on their VPS. So, I am wondering about the security of the main server? What if someone can *hack* into the main server, and delete all VPS there? Is there any case like that before?
	View 6 Replies
    View Related
  
    
	
    	
    	
        Dec 4, 2007
        i've set up an FTP server in my basement for me and a couple people i know to store files on. everything was good for the first couple days. Every day now i do a "netstat -a" to check whos connected and i always get a couple weird IP's that i dont know like 64.x.x.x or 215.x.x.x so i block them in various places (ftp settings,firewall,router) just to have another address pop up the next day. im running windows 2003 and i have the sygate personal firewall running along with the windows firewall. i also am behind 2 routers (i have one acting as a switch). ive gone to the point of denying every address on any port on any protocol on the second router. after that i obviously allowed our private addresses to access everything. even with that i still get random public ip's that i dont know. how do i block everyone i dont want? what are common things they would be doing to the computer when connected?
	View 6 Replies
    View Related
  
    
	
    	
    	
        Apr 4, 2008
        I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.  
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache".  This makes sense as it is the apache service running PHP that is actually creating the files.  
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site.  Any help would be much appreciated.  
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions?  I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
	View 10 Replies
    View Related
  
    
	
    	
    	
        Mar 30, 2009
        I am trying to setup the trial of Exchange 2007, everything is installed. However, I am unable to connect to the SMTP server
Quote:
452 4.3.1 Insufficient system resources
Connection to host lost.
After googling around, I found the solution, I changed the settings xml file and now I have to restart the service but I can't seem to find the "Restart Service" option in the EXCHANGE MANAGEMENT CONSOLE?
Also, how secure is exchange by default - any guides/tips so I can secure this test environment?
Any 3rd party Anti-virus/worm/spam solutions for Exchange that are affordable instead of MS Forefront?
	View 1 Replies
    View Related
  
    
	
    	
    	
        Apr 28, 2009
        develop and deploy a security strategy to make my single dedi and two VPSes (all with similar hardware configuration and running Linux Centos 5.2+ w/DirectAdmin CP and Xen virtualization), as secure ass possible, both internally and externally. 
I hope you'll freely share your best practices, recognizing that is the kind of thread multiple members will read for a long time to find out WHO the WHT experts are and what they recommended this newb do. While I hope you'll read the whole post because I may raise issues either you've never thought about or legitimate security issues you've tried to make others aware of but to no avail, I don't expect everyone to respond to every word of this long post. Please feel free to provide solutions-oriented comments and/or constructive direction, based on your area of expertise, only to the specific issues you want to address. 
A little background is helpful: 
I'm not a reseller nor will I be running anything that needs DDOS-like protection. I'll be running some virtual OS instances, trying out VoIP software and installing and running a virtual Linux desktop from my dedi and creating a mirror for the VPS for my websites, blogs, and email. One VPS will be the slave server to the dedi.  I will be running my own DNS, mail and virtual servers on both VPS and the dedi as well. I'll also be backing up data on one of the VPS. All of these activities, I know, present security issues I need to confront.
I'm looking for primarily open source solutions to protect my small server network since first, it fits my budget and, second, I find most proprietary software restrictive and easier to exploit with backdoors, etc. I'd prefer an open source alternative that's of the same high quality and security as a proprietary service. But, if you think a proprietary product or service far outstrips anything open source and you've deployed it for clients or used it for your own servers, let me know. (I prefer to hear actual, first person, end-user accounts/suggestions.)
I'm a quick study--in fact, warp speed--so can learn what I need to do if I have good direction, (which is why I came here to ask). But, since I'm not yet an expert, please expect clarification questions. 
So, here's what I want to know:
1) I will be logging in via secure, encrypted SSH to run commands and manage software but what's the best secure file and data transfer method/software to use? Can I make SSH more secure? Should I run a VPN from one of the boxes? Is using a secure web interface safe for managing or monitoring my server?
2) What's the best firewall for a dedi and will that firewall work for a VPS?
3) Same question for anti-malware (antispyware/antivirus/antispam) software. I see Kasperky and Dr. Web a lot as well as Spamassassin (which is open source) but what are some other options? Aren't server hackers expecting most servers to have the same protection software and doesn't that make them easier to hack?
4) What are some of the ways my servers can be exploited? For example, can others use my email servers to send spam or other servers to commit illegal acts? (I want to avoid getting my server taken down or my IPs blacklisted for someone else's activities). How do I prevent such exploitation?
5) What's the best and safest way to backup and/or sync my servers? What kinds of encryption should I use for the data on my servers? My internal servers like mail, file and virtual servers and appliances?
6) Other than software, what are some of the best methods for protecting my servers from DNS attacks, spam, viruses, hacking, etc.? Should I write specific commands into certain files or run them on a bash shell?
7) Are their GOOD websites or blogs that cover this subject? I can't afford to buy a library of books and wouldn't have time to read them. Also, by the time I do, the information would be outdated. I need to keep up. Finally, I learn best by doing and need to hit the ground running; information needs to be somewhat noob friendly and definitely actionable.
Also, what about implementing general server privacy practices? For example, I invest in truly private domain name registration (read: privacyprotect.org) and, in addition, private DNS for my website and blog domain names. I will be employing other (legal) techniques that prevent to much info from being revealed in my email headers without getting my email sent to spam. In some case, I use encrypted email.
If I'm taking those steps, so, doesn't make sense to implement a strategy that prevents as many people as possible from physically locating my servers in the first place--to force them to spend significant time (and money if they're serious) trying to figure out where my IP addresses goes by using some kind of stealth DNS? 
The analogy that comes to mind is using a correctly configured, encrypted and anonymous VPN, SSH tunnel or proxy server to mask the IP address that leads to your home ISP and, ultimately, to your house. Not to protect yourself from law enforcement because if you're doing illegal stuff online, you SHOULD be caught. But to protect myself from nefarious individuals, nosy neighbors, stalkers or ISPs logging your every internet move. Is there a way to do this with my dedi and VPSes, prevent unnecessary location thus targeting, logging, sniffing, etc?
What other things should I be thinking about? Tell me what I'm missing but please don't just share potential nightmare scenarios without telling me HOW to avoid them.
Again, the advice that's most helpful to me focuses on constructive, actionable solutions; what I CAN do, use, implement, deploy, etc. to develop and execute a strong security strategy for my servers. Again, if you share a negative scenario, please share a positive, effective solution. Tell me how I CAN effectively implement best security practices, even as a noob (since we ALL start as noobs, right?), 
I already know this won't be easy but I'm up for the challenge and like the control I'll have managing my own servers. So, I'm also not looking to pay anyone else to manage my digital assets (including my DNS) or for average end-user (retail) solutions designed for truly non-technical folks but ineffective for power users. Been there, done that, lost a lot of data, especially lately.
Finally, though I won't totally cheap out, I  don't have thousands of dollars to invest in enterprise level services I don't need for just one dedi and two small VPSes. To me, in terms of scale, this is not unlike securing my home network of a couple of laptops and a desktop workstation from drive by hacking and other threats. In addition to open source software, if I can do something myself, I'd rather, than paying someone else. 
If I can rebuild my Windows desktop from bare metal (more than once, in fact) and install a home network and secure both as well as any service can, I can do this.
	View 6 Replies
    View Related
  
    
	
    	
    	
        Jun 1, 2009
        any free tools or affordable tool online to check if a server is secure enough?
	View 5 Replies
    View Related
  
    
	
    	
    	
        Apr 28, 2008
        i have managed server. just i want sure if it is secured.
i want company  to test my server,  Security Scanner.
and give me report about my bugs.
	View 7 Replies
    View Related
  
    
	
    	
    	
        Feb 28, 2008
        Has anyone used Attacker.net for server admin work, especially on FreeBSD? My other Admin team bailed on me, so I am looking for a new team to Secure and Harden my box. I have searched the boards, and have not found a review on them yet.
	View 7 Replies
    View Related
  
    
	
    	
    	
        Mar 22, 2008
        I need a good and fast company that are experienced in Linux servers to secure my server, can you recommend anyone?
	View 0 Replies
    View Related
  
    
	
    	
    	
        Jul 15, 2009
        I heard that CSF firewall will block the ips but still its useful to install? or is there any other method to stop to automatically block the ips from csf? Just want to know about it.
	View 14 Replies
    View Related
  
    
	
    	
    	
        May 12, 2009
        If you have CSF installed, under its WHM section there is a quick security 'scan' you can run - just wondering what score you have?
I know it's not an infallible test, but the scan does test for some potentially large weaknesses hence why I'm asking here (mainly out of curiosity) what sort of scores people have.
Mine is 103/112 - the rest of the points were mainly for features I didn't want enabled for particular reasons (i.e. one of the recommendations is to force all cPanel visits to be through SSL, a feature which some clients don't want) plus sometimes it says I've got features enabled which are disabled, etc.
	View 12 Replies
    View Related
  
    
	
    	
    	
        Jun 17, 2009
        I would like to setup a new dedicated server with the following:
- Windows Server Standard 2008 64bit Edition
- Plesk control panel
Questions: 
Anyone know of a thorough tutorial on securing/optimizing a Windows 2008 server (even with Plesk) for a shared hosting environment?
Other?'s:
Considering Plesk's rip-off pricing, any free and quality alternatives to their products?
- plesk dr.web antivirus
- acronis trueimage backup
- plesk powerpack (I guess $24.99/mo lease isn't too horrible)
I basically want to replicate a Cpanel shared/reseller hosting environment, but with Plesk since Cpanel for Windows is not yet available and been delayed forever.
	View 1 Replies
    View Related
  
    
	
    	
    	
        Jan 20, 2008
        Currently configuring my VPS, have been for a while now, and am relooking at the security I'll need on it. The VPS will be running something similar to a CMS/Forum site and won't be offering webhosting. Alot of the security measures around here are webhosting orientated. What security procedures does everyone suggest for my situation? 
I've got APF, BFD and restricted root SSH access. Is there anything else?
	View 2 Replies
    View Related
  
    
	
    	
    	
        Mar 4, 2007
        This is my list (from my head) of things to install or do on a webhosting server to enhance security (not in any particualr order):
- rkhunter.
- chkrootkit.
- secure /tmp and similars.
- install mod_security.
- install mod_deflate.
- change ssh port.
- disable root login.
- install and tweak apf.
- install bfd.
- setup logwatch.
- add know "bad" IPs to apd list.
- enforce long and secure passwords.
- syctl.conf Hardening
- Mod_LimitIPConn
- System Integrity Monitor
- System Priority
- Process Resource Monitor
- Port Scan Attack Detection
- In php.ini, disable: 
exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen
- Prevent Apache and bind to show their versions.
	View 5 Replies
    View Related