Server Security - PHP CURL
Aug 10, 2008
after following the perfect server setup - centos5.2 guide I have setup a home server on my dsl connection and installed openfire with relative ease. I have a paid hosting server which runs my website but I want to have it access the userservice plugin of openfire to add/remove users (which is installed on my new home webserver).
After trying fopen and CURL to post GET data to my home server without any luck I did some reading and came accross the snoopy php class. The snoopy class now allows me to get the default apache test page on my home server but when i try to point snoopy to my openfire admin on port 9090 it throws up a timeout error (but i think this may be an error in the snoopy class?).
CURL and fopen allowed me to get data from google and some other sites but not from my home server.
View 2 Replies
ADVERTISEMENT
Dec 2, 2007
I have a script that does a PHP Curl call where it downloads a large file (~20meg) to the local server.
While its doing the Curl Call, I open up a new window and keep working with the site, (ie. opening a simple image) and the browser keeps saying "Waiting for reply". As soon as the Curl Call stops, then the server works again.
What could course this?
The server is dedicated and only me using it:
Intel Core2Quad Q6600
2GB DDR RAM
Linux - CentOS 5 32bit
While its doing the curl call, I ran uptime and the load is 0.0 0.0 0.0.
From my PHPINFO:
Code:
Apache Version Apache/1.3.39 (Unix) mod_ssl/2.8.30 OpenSSL/0.9.8b
Apache Release 10339100
Apache API Version 19990320
Hostname:Port localhost:80
User/Group apache(100)/500
Max Requests Per Child: 1000 - Keep Alive: off - Max Per Connection: 100
Timeouts Connection: 120 - Keep-Alive: 1
Server Root /etc/httpd
Loaded Modules mod_php5, mod_ssl, mod_setenvif, mod_so, mod_headers, mod_expires, mod_auth_anon, mod_auth, mod_access, mod_rewrite, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_info, mod_status, mod_negotiation, mod_mime, mod_log_referer, mod_log_agent, mod_log_config, mod_env, mod_vhost_alias, http_core
HTTP_CONNECTION Keep-Alive
php.ini
Code:
max_execution_time = 1000 ; Maximum execution time of each script, in seconds
max_input_time = 1000 ; Maximum amount of time each script may spend parsing request data
;max_input_nesting_level = 64 ; Maximum input variable nesting level
memory_limit = 128M ; Maximum amount of memory a script may consume (128MB)
[MySQL]
; Allow or prevent persistent links.
mysql.allow_persistent = Off
; Maximum number of persistent links. -1 means no limit.
mysql.max_persistent = -1
; Maximum number of links (persistent + non-persistent). -1 means no limit.
mysql.max_links = -1
httpd.conf
Code:
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 1000
httpd-mpm.conf - changing this made no difference
Code:
<IfModule mpm_prefork_module>
StartServers 30
MinSpareServers 10
MaxSpareServers 20
MaxClients 200
MaxRequestsPerChild 0
</IfModule>
View 2 Replies
View Related
May 21, 2009
I'm running CentOS 5.x and DirectAdmin and wondering how to do the following:
- Disable compilers and other known binaries. Should I chown WGET 550?
- Prevent Shell Fork Bombs
- Best way to create partitions for tmpfs, tmp since my host forgot them?
- Any other tips on securing a DA based server? (I already have taken care of the whole SSH side of things)
View 3 Replies
View Related
Feb 27, 2007
One one of our (linux) servers spammers are king. they apparently can control anything and place spam links throughout the files.
For example spammer inserts Iframes either above or below HTML tags. (some step57 related type of virus/trojan as it seems)
Our programmer did not find where the problem is in our applications, yet he is not a security expert.
Our server admin company made us install phpuexec, we apparently have been checked on the server end and have mod_security, but we still don't know what's going on...spam continues.
View 6 Replies
View Related
Oct 9, 2007
Trying to determine what I want to put on my server for security. I have secured my /tmp, /var/tmp, and /dev/shm. I am now contemplating mod_evasive, mod_security, and/or APF Firewall.
1.) Should I install all three, or will APF Firewall, provide the same or similar security as mod_security, or vice versa?
2.) Will they all work together without conflicts?
3.) Does installing these services have any affect on overall server performance?
4.) Any other services you might recommend installing and why?
View 7 Replies
View Related
Aug 26, 2007
I have recently installed and configured my webserver. Since I think security is very important I am curious for recommendations, tips, etc.
My server:
-CentOS 4.4 (installed by provider)
-Apache 2.0.52
-Php 4.3.9
-MySql 4.1.20
-No FTP
-Mod_security is running
The firewall that comes with CentOS is switched on and allows the following ports: http, ssh, smtp.
I have installed sendmail, but it is turned off by default. I need it approx. 3 times a week for 15 minutes or so and will turn it on then.
I have barely any budget so hardware firewalls etc. aren't an option.
Furthermore it's a basic server, just like my knowledge, so advanced things like IDS aren't an option.
View 14 Replies
View Related
May 8, 2007
i want to know how can they make the directory ( u--------- )
take a look on this php shell
[url]
what i mean is they make the directory secure against any phpshell with that trick and they hide the hard disk space
how can i make this
my apache is 1.3.37 and i using fc5 and i have mod_security and cfs
View 6 Replies
View Related
Aug 31, 2008
I am considering renting a server, but got one question first.
If I sign up for one unmanaged root server with a control panel, from a provider. And just put my website on the server, and let it run there.
Is that a security risk? Is it easy for people to hack into my server, or anything like that?
View 5 Replies
View Related
Nov 6, 2009
My server has been hacked, I need you please to help learn about Unix server security to protect my server.
View 6 Replies
View Related
Jun 7, 2008
I have a dedicated server which I access via remote desktop.
The firewall is not enabled. What kind of security should I have on my server?
Ive read that if I enable Windows Firewall my remote desktop connection will be blocked & this will mean me having to contact the server company via phone etc.
View 9 Replies
View Related
Nov 20, 2008
Does any body recommend we3cares server management services?
I need a very simple server management and hardening job and dont want to pay much. (not for a hosting company)
View 8 Replies
View Related
Jan 4, 2008
Currently working on securing my server and i think I'm doing quite well until I asked myself the question, have I done it right? Is there anyway to actually test how secure my server actually is? I'd rather not just wait and see if someone can hack me to bring to light what I did wrong...I was also thinking of hiring someone to secure my server but then how do I know that they've done anything different to me?
Are there any scripts or programs I can run to test server security?
View 10 Replies
View Related
Jun 3, 2008
Is there any script or method where I can test my server security?
View 2 Replies
View Related
Jun 15, 2007
what the way to protect dedicated server?
At present, My dedicated server have firewall and setting permision for each user/ data.
I have installed a anti-virus software.
I wonder that whenever my server can be hacked/ attached.
View 8 Replies
View Related
Feb 13, 2007
I'm in an environment where we have hundreds of users uploading content to a web site.
With the current system, someone could potentially run a command that would wipe out hundreds of files (and it has recently happened). We are currently looking at ways to improve security and prevent "accidents" by separating the public server into to parts.
A public server and a quality assurance server. Everyone would have access to the QA server, and the QA server would upload all changes to production.
I personally see the benefit, but don't see the problem being completely solved. Does anyone have any advice on this or link to articles or books that might help to set up a secure web server structure?
View 5 Replies
View Related
Sep 1, 2007
i have a dedicated server , some one else made the security for me, how could to be sure of its security? how could to be sure of all php functions contain risk are closed or disabled? how could to be sure of there are not any security gap?
way to understand and implement the steps.
View 5 Replies
View Related
Jul 19, 2007
Which methods is need to protect a hosting server?
View 10 Replies
View Related
Dec 17, 2007
I found a random proxy site running out of /var/www/temp. It seems to have been created yesterday, and I found about it via a DMCA notice from the planet. Is this apache's temporary directory? There was even an entry for it in the apache configuration and was running as a perl script out of its own cgi bin. I killed it and chmod'd it to 0. In the future, would setting permissions on this directory to non executable prove to be effective? Any idea if this type of breach is serious enough to warrant an OS reinstall?
View 9 Replies
View Related
Nov 12, 2007
If I understand correctly, on the main physical server, we cannot install any firewall, so customers in VPS can open any port on their VPS. So, I am wondering about the security of the main server? What if someone can *hack* into the main server, and delete all VPS there? Is there any case like that before?
View 6 Replies
View Related
Dec 4, 2007
i've set up an FTP server in my basement for me and a couple people i know to store files on. everything was good for the first couple days. Every day now i do a "netstat -a" to check whos connected and i always get a couple weird IP's that i dont know like 64.x.x.x or 215.x.x.x so i block them in various places (ftp settings,firewall,router) just to have another address pop up the next day. im running windows 2003 and i have the sygate personal firewall running along with the windows firewall. i also am behind 2 routers (i have one acting as a switch). ive gone to the point of denying every address on any port on any protocol on the second router. after that i obviously allowed our private addresses to access everything. even with that i still get random public ip's that i dont know. how do i block everyone i dont want? what are common things they would be doing to the computer when connected?
View 6 Replies
View Related
Apr 9, 2009
I have a Linux-Debian server, I have Apache2, PHP ect setup for a basic website im running on it too, However I need cURL enabled, I cant seem to find any options in the php.ini files to enable cURL at all.
I know that you just uncomment it to enable it however I dont see it at all, even it being disabled. I opened it in notepad and used the SEARCH feature and it couldnt find it eithier.
View 5 Replies
View Related
Jan 9, 2009
Do you know what cURL Library means?
I have seen that in apthost.com reseller plan.
View 0 Replies
View Related
Oct 14, 2009
I got some one to help me install cURL. Now all I have to do is change the permissions for the /usr/bin file for the crons and such.
View 2 Replies
View Related
May 8, 2008
I'm now running curl 7.18.1 and would like to donwgrade it to the previous version.
View 4 Replies
View Related
Apr 12, 2008
I have PHP 5.2.5 compiled with GD library working on my webserver,
yesterday i wanted to add Curl Support, so i had to recompile php.
I downloaded and installed Curl latest version and tried to recompile PHP :
'./configure'
'--prefix=/usr/local/php'
'--enable-discard-path'
'--disable-force-cgi-redirect'
'--enable-shared'
'--disable-static'
'--disable-debug'
'--disable-rpath'
'--enable-pic'
'--enable-inline-optimization'
'--enable-memory-limit'
'--with-gd'
'--with-png-dir'
'--with-jpeg-dir'
'--with-config-file-path=/etc'
'--with-config-file-scan-dir=/etc/php'
'--with-pear=/usr/share/pear'
'--enable-magic-quotes'
'--enable-debugger'
'--enable-track-vars'
'--with-exec-dir=/usr/bin'
'--with-versioning'
'--with-mod_charset'
'--with-regex=php'
'--enable-track-vars'
'--enable-trans-sid'
'--enable-safe-mode'
'--enable-ctype'
'--enable-ftp'
'--with-gettext=/usr'
'--enable-posix'
'--enable-session'
'--enable-sysvsem'
'--enable-sysvshm'
'--with-openssl=/usr'
'--without-kerberos'
'--with-freetype-dir=/usr'
'--with-zlib=/usr'
'--with-zlib=/usr'
'--with-zlib-dir=/usr'
'--with-zlib-dir'
'--enable-xslt'
'--with-xslt-sablot'
'--with-iconv-dir=/usr/local/lib'
'--with-mysql-sock=/var/lib/mysql/mysql.sock'
'--with-mysql'
'--enable-mbstring=all'
'--enable-fastcgi'
'--enable-discard-path'
'--enable-force-cgi-redirect'
'--with-curl=/usr/local/curl'
I can't get it working, this is the error i get :
..
checking for T1lib support... no
checking whether to enable truetype string function in GD... no
checking whether to enable JIS-mapped Japanese font support in GD... no
checking for fabsf... yes
checking for floorf... yes
If configure fails try --with-jpeg-dir=<DIR>
checking for png_write_image in -lpng... yes
If configure fails try --with-xpm-dir=<DIR>
If configure fails try --with-freetype-dir=<DIR>
configure: error: GD build test failed. Please check the config.log for
details.
I think i'm not the only one who is experiencing this problem, take a look here:
[url]
Why do PHP.net don't give much importance to this BUG?
I'm using the same OS : Centos 5
View 4 Replies
View Related
Dec 5, 2007
I wanna install curl on my server its Centos 4.5 and SL told me I have around 30K mails pending on the serve can anyone tell me how to remove them from pending?
View 6 Replies
View Related
Mar 16, 2007
I am trying to install curl on my server...
wget [url]
make
make install
ldconfig -v
This is what I haved done so far. Where do I go from here?
"Then use --with-curl in PHP's configure" this was the last step on the instructions but i do not know what it means.
View 1 Replies
View Related
Feb 9, 2007
I have been attempting to get curl installed on my server, but seem to have run into a snag. When I type:
curl-config --version
I get a response that I have: libcurl 7.16.0
However, when I try to install WHMCS, it still shows I do not have Curl with SSL support. I have used /scripts/easyapache, however there was never an option under 6 or 7 with CURL. I also tried with Cpanel WHM and used the Apache Update to 4.4.4 and checked both Curl options and OpenSSL. However still no luck.
I have also restarted services and rebooted the server.
View 14 Replies
View Related
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
View 10 Replies
View Related
Mar 30, 2009
I am trying to setup the trial of Exchange 2007, everything is installed. However, I am unable to connect to the SMTP server
Quote:
452 4.3.1 Insufficient system resources
Connection to host lost.
After googling around, I found the solution, I changed the settings xml file and now I have to restart the service but I can't seem to find the "Restart Service" option in the EXCHANGE MANAGEMENT CONSOLE?
Also, how secure is exchange by default - any guides/tips so I can secure this test environment?
Any 3rd party Anti-virus/worm/spam solutions for Exchange that are affordable instead of MS Forefront?
View 1 Replies
View Related
Apr 28, 2009
develop and deploy a security strategy to make my single dedi and two VPSes (all with similar hardware configuration and running Linux Centos 5.2+ w/DirectAdmin CP and Xen virtualization), as secure ass possible, both internally and externally.
I hope you'll freely share your best practices, recognizing that is the kind of thread multiple members will read for a long time to find out WHO the WHT experts are and what they recommended this newb do. While I hope you'll read the whole post because I may raise issues either you've never thought about or legitimate security issues you've tried to make others aware of but to no avail, I don't expect everyone to respond to every word of this long post. Please feel free to provide solutions-oriented comments and/or constructive direction, based on your area of expertise, only to the specific issues you want to address.
A little background is helpful:
I'm not a reseller nor will I be running anything that needs DDOS-like protection. I'll be running some virtual OS instances, trying out VoIP software and installing and running a virtual Linux desktop from my dedi and creating a mirror for the VPS for my websites, blogs, and email. One VPS will be the slave server to the dedi. I will be running my own DNS, mail and virtual servers on both VPS and the dedi as well. I'll also be backing up data on one of the VPS. All of these activities, I know, present security issues I need to confront.
I'm looking for primarily open source solutions to protect my small server network since first, it fits my budget and, second, I find most proprietary software restrictive and easier to exploit with backdoors, etc. I'd prefer an open source alternative that's of the same high quality and security as a proprietary service. But, if you think a proprietary product or service far outstrips anything open source and you've deployed it for clients or used it for your own servers, let me know. (I prefer to hear actual, first person, end-user accounts/suggestions.)
I'm a quick study--in fact, warp speed--so can learn what I need to do if I have good direction, (which is why I came here to ask). But, since I'm not yet an expert, please expect clarification questions.
So, here's what I want to know:
1) I will be logging in via secure, encrypted SSH to run commands and manage software but what's the best secure file and data transfer method/software to use? Can I make SSH more secure? Should I run a VPN from one of the boxes? Is using a secure web interface safe for managing or monitoring my server?
2) What's the best firewall for a dedi and will that firewall work for a VPS?
3) Same question for anti-malware (antispyware/antivirus/antispam) software. I see Kasperky and Dr. Web a lot as well as Spamassassin (which is open source) but what are some other options? Aren't server hackers expecting most servers to have the same protection software and doesn't that make them easier to hack?
4) What are some of the ways my servers can be exploited? For example, can others use my email servers to send spam or other servers to commit illegal acts? (I want to avoid getting my server taken down or my IPs blacklisted for someone else's activities). How do I prevent such exploitation?
5) What's the best and safest way to backup and/or sync my servers? What kinds of encryption should I use for the data on my servers? My internal servers like mail, file and virtual servers and appliances?
6) Other than software, what are some of the best methods for protecting my servers from DNS attacks, spam, viruses, hacking, etc.? Should I write specific commands into certain files or run them on a bash shell?
7) Are their GOOD websites or blogs that cover this subject? I can't afford to buy a library of books and wouldn't have time to read them. Also, by the time I do, the information would be outdated. I need to keep up. Finally, I learn best by doing and need to hit the ground running; information needs to be somewhat noob friendly and definitely actionable.
Also, what about implementing general server privacy practices? For example, I invest in truly private domain name registration (read: privacyprotect.org) and, in addition, private DNS for my website and blog domain names. I will be employing other (legal) techniques that prevent to much info from being revealed in my email headers without getting my email sent to spam. In some case, I use encrypted email.
If I'm taking those steps, so, doesn't make sense to implement a strategy that prevents as many people as possible from physically locating my servers in the first place--to force them to spend significant time (and money if they're serious) trying to figure out where my IP addresses goes by using some kind of stealth DNS?
The analogy that comes to mind is using a correctly configured, encrypted and anonymous VPN, SSH tunnel or proxy server to mask the IP address that leads to your home ISP and, ultimately, to your house. Not to protect yourself from law enforcement because if you're doing illegal stuff online, you SHOULD be caught. But to protect myself from nefarious individuals, nosy neighbors, stalkers or ISPs logging your every internet move. Is there a way to do this with my dedi and VPSes, prevent unnecessary location thus targeting, logging, sniffing, etc?
What other things should I be thinking about? Tell me what I'm missing but please don't just share potential nightmare scenarios without telling me HOW to avoid them.
Again, the advice that's most helpful to me focuses on constructive, actionable solutions; what I CAN do, use, implement, deploy, etc. to develop and execute a strong security strategy for my servers. Again, if you share a negative scenario, please share a positive, effective solution. Tell me how I CAN effectively implement best security practices, even as a noob (since we ALL start as noobs, right?),
I already know this won't be easy but I'm up for the challenge and like the control I'll have managing my own servers. So, I'm also not looking to pay anyone else to manage my digital assets (including my DNS) or for average end-user (retail) solutions designed for truly non-technical folks but ineffective for power users. Been there, done that, lost a lot of data, especially lately.
Finally, though I won't totally cheap out, I don't have thousands of dollars to invest in enterprise level services I don't need for just one dedi and two small VPSes. To me, in terms of scale, this is not unlike securing my home network of a couple of laptops and a desktop workstation from drive by hacking and other threats. In addition to open source software, if I can do something myself, I'd rather, than paying someone else.
If I can rebuild my Windows desktop from bare metal (more than once, in fact) and install a home network and secure both as well as any service can, I can do this.
View 6 Replies
View Related
