Security - Ubuntu [LINUX] and others

So here are some tips for securing your website if you're on Ubuntu [Linux]:

-Never log in as 'root' user
-Disallow root login through settings
-Create an account with a secure password and grant it sudo privileges
-Do not share sudo privileges
-Do not use FTP, use SFTP

If you are on ANY system and using MySQL, be sure to prepare your statements and properly bind parameters.

What I mean by this is to secure yourself from something called SQL INJECTION.

To test your site if it is vulnerable for SQL INJECTION, put a single quotation ' at the end of your URL.

To prepare statements, simply put ->prepare instead of ->query before your statement and use bindParam.

Ex of above: WRONG: $con->query("SELECT * FROM cats WHERE id=:id"); RIGHT: $con->prepare("SELECT * FROM cats WHERE id=:id");

To bindParam, never use php variables in statements as they are a direct injection vulnerability, but use words with semicolons before them.

For the sake of an example, we will pretend that $id is the $_GET['id'].
So in php it would look like this:

$id = $_GET['id']

An example of an incorrect statement is:

$query = $con->prepare("SELECT * FROM cats WHERE id = $id");
$query->execute();

An example of a correct statement is:

$query =$con->prepare("SELECT * FROM cats WHERE id= :id");
$query->bindParam(':id',$id);
$query->execute();

This is how you secure SQL on your site.

I hope you enjoyed this tutorial

Good job. One of the ways how to secure or lessen the ways on how to SQL inject your site :yus:

Amazing. Will this works on CentOS too ?

Here is few of my personal tips from my experience.

#1 Fail2ban for blocking brute force attacks
#2 APF (Advanced Policy Firewall) to automatically blacklist malicious IPs, and fully utilize IPTABLES (firewall).
#3 NAXSI (NGINX) or Mod_Security (Apache2) for WAF (Web Application Firewall) to prevent MySQL injections, and other malicious attacks (cross site scripting, backdoor uploading, etc..)
#4 sysctl tweaks to prevent spoof or other minor (D)Dos attacks.
#5 Use Incapsula (NOT CloudFlare or Blazingfast) for additional security for websites.

The reason why I've mentioned not to use CF or BF is because their performance may be the top-notch, but their security system aren't. Not to mention, their uptime isn't very satisfying, either. If you are curious or need an evidence for that claim, simply Google. Feel free to criticize / correct me if I am mistaken.

Is mysqli_real_escape_string safe?

18-07-2015, 11:59 PM

Crg97 Wrote: Is mysqli_real_escape_string safe?

1. WTH are you talking about?
2. The answer is: Yes and no. Google around to find out. There is a great explanation given on a thread on Stackoverflow. I don't have the link, sorry.

webmin as file manager and much more function
fail2ban
disable root.

it's enought for me

18-07-2015, 11:59 PM

Crg97 Wrote: Is mysqli_real_escape_string safe?

Fuck the dude that told you to google it.
The definition of the function - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

Which means, in a situation like this:

The function will work as intended, and you cannot do anything, because you cant escape the quotes. - '
But, if it's like this:


This will not do anything, since there arent any special characters in $id, but is still an SQLi and you can do everything that you can do with a string-based SQLi.

wow.. very useful.. thank you

Thanks for the tips I was following most of them already but the remaining I didn't know about.