Tag Archives: security

Securing web application

Below are things to do to secure your web application

  1. The database user for the system should only have access to insert, select, update and delete, not other database operations like drop, create, etc.
  2. Use reCAPTCHA if the number of wrong login attempts exceeds x times
  3. Never display the id in the URL; use a hashed id instead – check out hashids.org
  4. Always check that a user can’t view, access or update any data that does not belong to him/her, especially on a multi-tenant system
  5. Force a password length of at least 8 characters for users. Better still, require numbers, capital letters and special symbols
  6. If you use cookies, make sure you don’t store sensitive data in them, and always store something encrypted that needs to be decrypted by the server before it can be used. For example, for a remember-me cookie, use the user’s IP plus the username to construct an encrypted “token” to be stored in the cookie.
  7. Check input again at the back end even if it has been checked on the front end using JavaScript
  8. Make 2FA (two-factor authentication) available for users to choose
  9. Use SSL/HTTPS
  10. Always use production-standard settings, not development-standard settings. For example, never display detailed errors to users, such as SQL errors that show table and field names.
  11. Give developers/admins different usernames, with access restricted to only what they need to do
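Items 4, 7 and 10 above, worked through in one small data-access layer. This is an added example, not code from the original post: it uses an in-memory SQLite table with a constructed `invoice` schema, and the tenant id is assumed to come from the authenticated session, never from the request.

```python
import sqlite3

class NotFound(Exception):
    """Same error for 'no such row' and 'not your row' (reveals nothing)."""

def make_db():
    # Constructed in-memory table for this example; it is not a real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoice (id INTEGER PRIMARY KEY, "
               "tenant_id INTEGER, amount INTEGER)")
    db.executemany("INSERT INTO invoice VALUES (?, ?, ?)",
                   [(101, 1, 250), (102, 2, 900)])
    return db

def parse_invoice_id(raw):
    """Back-end validation of the id taken from the URL, whatever the
    front-end JavaScript checked: the request itself is attacker-controlled."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 9:
        raise ValueError("invalid invoice id")
    return int(raw)

def get_invoice(db, tenant_id, raw_id):
    """Tenant ownership is part of the WHERE clause, so every read is scoped
    to the caller's tenant; the id is bound as a parameter, never interpolated."""
    invoice_id = parse_invoice_id(raw_id)
    row = db.execute("SELECT id, amount FROM invoice WHERE id = ? AND tenant_id = ?",
                     (invoice_id, tenant_id)).fetchone()
    if row is None:
        raise NotFound()
    return {"id": row[0], "amount": row[1]}

def update_invoice_amount(db, tenant_id, raw_id, amount):
    """Writes are scoped the same way; rowcount says whether the row was ours."""
    invoice_id = parse_invoice_id(raw_id)
    cur = db.execute("UPDATE invoice SET amount = ? WHERE id = ? AND tenant_id = ?",
                     (amount, invoice_id, tenant_id))
    if cur.rowcount != 1:
        raise NotFound()
    db.commit()
    return get_invoice(db, tenant_id, raw_id)

def handle_get(db, tenant_id, raw_id):
    """What the route handler sends back: a status and a body that carries
    no SQL text, table or column names (production-style error handling)."""
    try:
        return 200, get_invoice(db, tenant_id, raw_id)
    except ValueError:
        return 400, {"error": "bad request"}
    except NotFound:
        return 404, {"error": "not found"}
```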

Web application security

Below is a security checklist for a web application.

  1. Login screen
    1. To avoid brute-force attacks, display a captcha after 3-5 attempts from the same IP
    2. Enforce longer passwords, more than 8 characters
  2. Registration (or open form)
    1. Display a captcha on every form submission
  3. SSL is a must, free or paid
  4. Displaying the table’s primary id in the URL must be avoided; use another ID instead, e.g. a secure id consisting of 10 unique randomized alphanumeric characters
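The login items from both checklists (captcha after a few failed attempts from the same IP, and the password length rule with numbers, capitals and symbols) as an added example; it is not code from the original post. The 15-minute window and the threshold of 3 are assumptions, and the clock is injectable so the decay can be exercised offline.

```python
import re
import time
from collections import defaultdict

MAX_FREE_ATTEMPTS = 3      # captcha kicks in after this many failures (checklist says 3-5)
WINDOW_SECONDS = 15 * 60   # assumption: failures older than this no longer count

class LoginThrottle:
    """Per-IP counter of failed logins. Once an IP has MAX_FREE_ATTEMPTS
    failures inside the window, a login is processed only with a solved captcha."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for testing
        self._failures = defaultdict(list)   # ip -> timestamps of failures

    def _recent(self, ip):
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[ip] = [t for t in self._failures[ip] if t > cutoff]
        return self._failures[ip]

    def captcha_required(self, ip):
        return len(self._recent(ip)) >= MAX_FREE_ATTEMPTS

    def attempt(self, ip, password_ok, captcha_ok=False):
        """Return 'ok', 'captcha' (show the widget; nothing was verified) or
        'denied'. The caller computes password_ok; answer 'denied' the same way
        whether or not the username exists, so the reply does not leak accounts."""
        if self.captcha_required(ip) and not captcha_ok:
            return "captcha"            # password is not even checked yet
        if password_ok:
            return "ok"
        self._failures[ip].append(self._now())
        return "denied"

def password_meets_policy(pw):
    """At least 8 characters, plus a digit, a capital letter and a symbol."""
    return all([len(pw) >= 8,
                re.search(r"\d", pw),
                re.search(r"[A-Z]", pw),
                re.search(r"[^A-Za-z0-9]", pw)])
```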

DigitalOcean – Notes

These are my notes on DigitalOcean.

Click here to register with DigitalOcean and get free USD10 to start using the service.

I used to install Ubuntu 14.04 with LAMP on it. With this, SFTP is ready as well.

Manage users and groups

Change the root password (if logged in as root):

  • passwd

Add new user

  • adduser is a Perl script that simplifies the original useradd command
  • command – adduser username_here
  • just answer all the questions asked
  • This add user function will …
    • Create the user named username.
    • Create the user’s home directory (default is /home/username) and copy the files from /etc/skel into it.
    • Create a group with the same name as the user and place the user in it.
    • Prompt for a password for the user.
    • Prompt for additional information on the user.
  • allow the user to use sudo (optional) – usermod -a -G sudo <your username>
  • add the user to a group – adduser username groupname

Manage groups for user

  • list groups – cat /etc/group
  • add a user to a group – adduser username groupname

Manage services

Connect to the server via SSH; in a terminal type the following:

  • ssh username@yourdomain_or_ip

To get the default MySQL root password, run the following in the terminal. Remove the file once you have changed the MySQL root password.

  • cat /etc/motd.tail

To enter the MySQL console

  • mysql -u root -p

Secure the MySQL server. Run the following command and answer all the questions.

  • mysql_secure_installation

To change MySQL root password:

  • mysqladmin -u root -p'oldpassword' password newpass

To only allow a certain IP to access the database directly

  • edit the file /etc/mysql/my.cnf
  • comment out the line containing the IP 127.0.0.1
  • restart the service – service mysql restart
  • enter the following command in the MySQL command line
    • type mysql -u root -p
    • enter the password when asked
  • mysql> GRANT ALL ON database_name.* TO 'user'@'xx.xxx.xx.xx' IDENTIFIED BY 'your_password';
    • xx.xxx.xx.xx is the remote IP allowed to access the server

Enable .htaccess (mod_rewrite)

  • enable mod_rewrite – sudo a2enmod rewrite
  • update the file /etc/apache2/apache2.conf
  • change AllowOverride None to AllowOverride All for the web root directory
  • restart the service

To restart services (can also use stop and start)

  • service mysql restart
  • service apache2 restart

Install the sendmail service (used by the PHP mail function)

  • apt-get install sendmail
  • Run the sendmail config and answer 'Y' to everything: sendmailconfig

Server general settings

Change permissions for a directory (especially for the ‘upload’ directory)

  • chmod 755 /path/directorypath

Change the timezone. By default it uses the US time zone

  • sudo dpkg-reconfigure tzdata
  • follow the instructions on screen
  • check that the date is correct by typing – date

To turn off the server

  • sudo shutdown -h now
  • OR
  • sudo poweroff

Check for disk utilization

  • to check disk utilization
    • df -h
  • to find where the huge files are
    • sudo du -a / | sort -n -r | head -n 10
  • check for huge files (another option)
    • find / -size +50M -ls

Securing the server

To update/upgrade the OS

  • aptitude update
  • aptitude upgrade

Disable root login on SSH

  • edit /etc/ssh/sshd_config
  • set PermitRootLogin no
  • restart ssh – service ssh restart
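A check for the sshd_config step above, as an added example that is not part of the original notes. It parses the file the way sshd does (first value for a keyword wins, keywords are case-insensitive, whole-line # comments are ignored, anything after a Match line is conditional) and reports whether PermitRootLogin is off and whether the port is below 1024 as the notes recommend; the two config texts are constructed samples, not copies of any real host's file.

```python
import re

# Constructed sample of an /etc/ssh/sshd_config (not from any real host). The
# commented-out line, the duplicate keyword and the Match block show what sshd
# ignores or treats as conditional when it picks the global value.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
Match User deploy
    PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
Port 922
PermitRootLogin no
"""

def parse_sshd_config(text):
    """Return the effective global settings, keyed by lower-case keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # whole-line comments only
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                        # rest is conditional: stop here
            break
        settings.setdefault(key, value)           # first value wins, as in sshd
    return settings

def audit_sshd_config(text):
    """Check the two items from the notes: root login disabled, port below 1024."""
    cfg = parse_sshd_config(text)
    findings = []
    root = cfg.get("permitrootlogin", "<unset>")
    if root.lower() != "no":
        findings.append("PermitRootLogin is %r, expected 'no'" % root)
    port = cfg.get("port", "22")
    if not port.isdigit() or not 0 < int(port) < 1024:
        findings.append("Port %r is not a privileged port below 1024" % port)
    return findings

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or ["ok"])
```

Appending `PermitRootLogin no` at the end of the file, as in the sample, does nothing if an earlier `PermitRootLogin yes` is still there; the audit catches exactly that.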

Block IPs from accessing certain services

Other measures:

  1. Disallow access to the server via the root username
  2. Disallow direct access to the database from outside
  3. Close all unused ports. Leave only web, SFTP, MySQL, SSH
  4. auto patch?

To explore

  • using a VPN
  • using SSH keys
  • creating an FTP user that can access only a certain directory
  • virtual hosts (multiple domains on one server)
  • security for directories with chmod 777
  • changing the SSH port to a different port (but still below 1024)
  • installing fail2ban to protect against brute-force attacks

Additional tools

  1. Ansible.com
  2. Docker.com

Other reading and references

  1. Securing the server (SSH, VPN etc)
  2. Initial setup for Ubuntu 14.04

Editors

vi, vim, nano
