Security - Ubuntu [LINUX] and others

by CryptAlchemy - 28-06-2015, 12:19 AM
Member
#1
OP
Posted: 28-06-2015, 12:19 AM
So here are some tips for securing your website if you're on Ubuntu [Linux]:

-Never log in as 'root' user
-Disallow root login through settings
-Create an account with a secure password and grant it sudo privileges
-Do not share sudo privileges
-Do not use FTP, use SFTP

If you are on ANY system and using MySQL, be sure to prepare your statements and properly bind parameters.

What I mean by this is to secure yourself from something called SQL INJECTION.

To test whether your site is vulnerable to SQL INJECTION, put a single quotation mark ' at the end of your URL.

To prepare statements, simply put ->prepare instead of ->query before your statement and use bindParam.

Ex of above: WRONG: $con->query("SELECT * FROM cats WHERE id=:id"); RIGHT: $con->prepare("SELECT * FROM cats WHERE id=:id");

To bindParam, never use php variables in statements as they are a direct injection vulnerability, but use words with semicolons before them.

For the sake of an example, we will pretend that $id is the $_GET['id'].
So in php it would look like this:

$id = $_GET['id'];

An example of an incorrect statement is:

$query = $con->prepare("SELECT * FROM cats WHERE id = $id");
$query->execute();

An example of a correct statement is:

$query = $con->prepare("SELECT * FROM cats WHERE id = :id");
$query->bindParam(':id',$id);
$query->execute();

This is how you secure SQL on your site.

I hope you enjoyed this tutorial.
Member
#2
Posted: 28-06-2015, 12:08 PM
Good job. One of the ways to secure your site, or at least lessen the ways it can be SQL injected.
لا إله إلا الله‎
#3
Posted: 28-06-2015, 01:18 PM
Amazing. Will this work on CentOS too?
Shady User
Prime
#4
Posted: 30-06-2015, 03:37 PM
Here are a few of my personal tips from my experience.

#1 Fail2ban for blocking brute force attacks
#2 APF (Advanced Policy Firewall) to automatically blacklist malicious IPs, and fully utilize IPTABLES (firewall).
#3 NAXSI (NGINX) or Mod_Security (Apache2) as a WAF (Web Application Firewall) to prevent MySQL injections and other malicious attacks (cross-site scripting, backdoor uploading, etc.)
#4 sysctl tweaks to prevent spoofing or other minor (D)DoS attacks.
#5 Use Incapsula (NOT CloudFlare or Blazingfast) for additional security for websites.

The reason why I've mentioned not to use CF or BF is because their performance may be top-notch, but their security systems aren't. Not to mention, their uptime isn't very satisfying, either. If you are curious or need evidence for that claim, simply Google. Feel free to criticize / correct me if I am mistaken.
Novice
#5
Posted: 18-07-2015, 11:59 PM
Is mysqli_real_escape_string safe?
Nan Ihier Gelair Mordor
#6
Posted: 27-07-2015, 09:24 PM
(18-07-2015, 11:59 PM)Crg97 Wrote: Is mysqli_real_escape_string safe?

1. WTH are you talking about?
2. The answer is: Yes and no. Google around to find out. There is a great explanation given on a thread on Stackoverflow. I don't have the link, sorry.
Novice
#7
Posted: 27-07-2015, 09:29 PM
Webmin as a file manager and for many more functions
fail2ban
disable root.

It's enough for me.
Junior Member
#8
Posted: 30-07-2015, 11:10 PM
(18-07-2015, 11:59 PM)Crg97 Wrote: Is mysqli_real_escape_string safe?

Fuck the dude that told you to google it.
The definition of the function - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

Which means, in a situation like this:

Code:
$id = "' or 1=1-- -'";
$x = $con->query("SELECT * FROM cats WHERE id='".mysqli_real_escape_string($con, $id)."'");
The function will work as intended, and you cannot do anything, because you can't escape the quotes (').
But, if it's like this:

Code:
$id = "1 or 1=1";
$x = $con->query("SELECT * FROM cats WHERE id=".mysqli_real_escape_string($con, $id));

This will not do anything, since there aren't any special characters in $id, but it is still an SQLi and you can do everything that you can do with a string-based SQLi.
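The two points made in posts #1 and #8 side by side, as an added example that is not code from the thread: escaping in an unquoted numeric context (post #8) leaves the query open, while a prepared statement with a bound parameter (post #1) does not. It uses an in-memory SQLite database so it runs offline with stock PHP (pdo_sqlite); the cats table, its rows, the inputs and the `escapeLikeMysqli` helper (a stand-in for `mysqli_real_escape_string`, which needs a live MySQL link) are all constructed here.

```php
<?php
// Added example, not from the thread. It contrasts the numeric-context
// escaping bug from post #8 with the prepared statement from post #1,
// using an in-memory SQLite database so it runs offline with stock PHP
// (pdo_sqlite). The cats table, its rows and the inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE cats (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO cats (id, name) VALUES (1, 'Tom'), (2, 'Felix'), (3, 'Garfield')");

// Stand-in for mysqli_real_escape_string (which needs a live MySQL link):
// it backslash-escapes the same characters, and nothing else. Backslash
// is handled first so the backslashes added later are not doubled.
function escapeLikeMysqli(string $s): string {
    return str_replace(
        ["\\", "'", "\"", "\0", "\n", "\r", "\x1a"],
        ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
        $s
    );
}

// Unsafe: escaping in an unquoted (numeric) context. An input such as
// "1 or 1=1" contains none of the escaped characters, so the escaped
// string is inserted unchanged and becomes part of the SQL itself.
function unsafeLookup(PDO $pdo, string $id): array {
    $sql = "SELECT * FROM cats WHERE id=" . escapeLikeMysqli($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is prepared with a placeholder and the input is
// bound as a value, so whatever it contains is compared against id and
// can never change the shape of the query.
function safeLookup(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare("SELECT * FROM cats WHERE id = :id");
    $stmt->bindParam(':id', $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare a legitimate id with the injection string from post #8.
foreach (['2', '1 or 1=1'] as $input) {
    printf("input %-12s unsafe rows: %d  safe rows: %d\n",
        var_export($input, true),
        count(unsafeLookup($pdo, $input)),
        count(safeLookup($pdo, $input)));
}
```

For the input `1 or 1=1` the unsafe lookup returns every cat, because the query that reaches the database is `SELECT * FROM cats WHERE id=1 or 1=1`, while the safe lookup returns no rows, because the whole string is compared against id as a single value.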
Novice
#9
Posted: 01-09-2015, 02:49 PM
Wow, very useful, thank you.
Novice
#10
Posted: 16-09-2015, 02:25 PM
Thanks for the tips. I was following most of them already, but the remaining ones I didn't know about.