Webmaster Security

Security - Ubuntu [LINUX] and others

Submitted by CryptAlchemy, , Thread ID: 5140

Thread Closed
28-06-2015, 12:19 AM
#1
So here are some tips for securing your website if you're on Ubuntu [Linux]:

-Never log in as 'root' user
-Disallow root login through settings
-Create an account with a secure password and grant it sudo privileges
-Do not share sudo privileges
-Do not use FTP, use SFTP

If you are on ANY system and using MySQL, be sure to prepare your statements and properly bind parameters.

What I mean by this is to secure yourself from something called SQL INJECTION.

To test your site if it is vulnerable for SQL INJECTION, put a single quotation ' at the end of your URL.

To prepare statements, simply put ->prepare instead of ->query before your statement and use bindParam.

Ex of above: WRONG: $con->query("SELECT * FROM cats WHERE id=:id"); RIGHT: $con->prepare("SELECT * FROM cats WHERE id=:id");

To bindParam, never use php variables in statements as they are a direct injection vulnerability, but use words with semicolons before them.

For the sake of an example, we will pretend that $id is the $_GET['id'].
So in php it would look like this:

$id = $_GET['id']

An example of an incorrect statement is:

$query = $con->prepare("SELECT * FROM cats WHERE id = $id");
$query->execute();

An example of a correct statement is:

$query =$con->prepare("SELECT * FROM cats WHERE id= :id");
$query->bindParam(':id',$id);
$query->execute();

This is how you secure SQL on your site.

I hope you enjoyed this tutorial Smile

RE: Security - Ubuntu [LINUX] and others

#2
Good job. One of the ways how to secure or lessen the ways on how to SQL inject your site :yus:

RE: Security - Ubuntu [LINUX] and others

#3
Amazing. Will this works on CentOS too ?
| A | v4hl| Addicted | Senpai | Sui | Sensei | H | fdigl |


RE: Security - Ubuntu [LINUX] and others

#4
Here is few of my personal tips from my experience.

#1 Fail2ban for blocking brute force attacks
#2 APF (Advanced Policy Firewall) to automatically blacklist malicious IPs, and fully utilize IPTABLES (firewall).
#3 NAXSI (NGINX) or Mod_Security (Apache2) for WAF (Web Application Firewall) to prevent MySQL injections, and other malicious attacks (cross site scripting, backdoor uploading, etc..)
#4 sysctl tweaks to prevent spoof or other minor (D)Dos attacks.
#5 Use Incapsula (NOT CloudFlare or Blazingfast) for additional security for websites.

The reason why I've mentioned not to use CF or BF is because their performance may be the top-notch, but their security system aren't. Not to mention, their uptime isn't very satisfying, either. If you are curious or need an evidence for that claim, simply Google. Feel free to criticize / correct me if I am mistaken.

RE: Security - Ubuntu [LINUX] and others

#5
Is mysqli_real_escape_string safe?

RE: Security - Ubuntu [LINUX] and others

#6
18-07-2015, 11:59 PM
Crg97 Wrote:
Is mysqli_real_escape_string safe?

1. WTH are you talking about?
2. The answer is: Yes and no. Google around to find out. There is a great explanation given on a thread on Stackoverflow. I don't have the link, sorry.
Do not let your difficulties fill you with anxiety, after all it is only in the darkest nights that stars shine more brightly. - Ali(a.s)

Developer( PHP, Python, C++, HTML+CSS, JS I am available for Hire. Message Me for details.

RE: Security - Ubuntu [LINUX] and others

#7
webmin as file manager and much more function
fail2ban
disable root.

it's enought for me

RE: Security - Ubuntu [LINUX] and others

#8
18-07-2015, 11:59 PM
Crg97 Wrote:
Is mysqli_real_escape_string safe?

Fuck the dude that told you to google it.
The definition of the function - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

Which means, in a situation like this:

Code:
$id = "' or 1=1-- -'";
$x = $con->query("SELECT * FROM cats WHERE id='".mysqli_real_escape_string($id)."'");
The function will work as intended, and you cannot do anything, because you cant escape the quotes. - '
But, if it's like this:

Code:
$id = "1 or 1=1";
$x = $con->query("SELECT * FROM cats WHERE id=".mysqli_real_escape_string($id));

This will not do anything, since there arent any special characters in $id, but is still an SQLi and you can do everything that you can do with a string-based SQLi.

RE: Security - Ubuntu [LINUX] and others

#9
wow.. very useful.. thank you

RE: Security - Ubuntu [LINUX] and others

#10
Thanks for the tips Tongue I was following most of them already but the remaining I didn't know about.

Users browsing this thread: