Internet, Web Site, Security
Neither the best passwords, nor .htaccess, nor php.ini files, nor a super-helpful hosting company, will protect your web site if your PC is infected with a keystroke logger that sends crooks every ID and password you have, every time you use or change one of them!
There are many types of software threats: viruses, spyware, Trojan horses, worms, bots, and rootkits, all running on Microsoft Windows. Attackers know the common broadband and dial-up IP address ranges and scan them regularly. Numerous worms circulate on the Internet, continuously scanning for new (Windows) computers to exploit, identities to steal, and new web sites. As a result, the average time-to-exploitation ... for an unprotected (Windows) computer [connected to the internet] is measured in minutes. This is especially true in the address ranges used by cable modem, DSL, and dial-up providers.
Use caution when opening email attachments, visiting unfamiliar web sites, downloading "free" stuff (it may cost you dearly!), or using peer-to-peer file sharing. (If you share files on your home network, require user authentication and set hard-to-crack passwords.) Never click on email attachments from untrusted sources (you know your friend, but do you know where they got the attachment?), however tempting and attractive such attachments may seem [especially the "tempting and attractive" ones!]. Similarly, never click on links in email to unknown sites [especially if you don't download your email and delete it off the server once downloaded; see the Gmail threat example below]. Keep email deleted off the email server, especially email containing jeopardizing information!
More complete information is at
http://www.encinojon.com/comintsec/ : COMPUTER INTERNET SECURITY Class and Website, L.A., Calif.
http://www.us-cert.gov/reading_room/before_you_plug_in.html : US-CERT Tips (United States Computer Emergency Readiness Team, National Cyber Alert System, Carnegie Mellon University)
http://www.pcmag.com/article2/0,2817,2311934,00.asp : P.C.Magazine
http://www.techsupportalert.com/how-to-secure-your-pc.php : Gizmo's tech support alert
http://www.firewallguide.com/overview.htm : an extensive list of sites/articles including these, above.
Feb. 4, 2010
(CNET) Google is finalizing an agreement with the National Security Agency to help the search giant ward off cyberattacks, according to the Washington Post. The NSA is to help analyze a cyberattack on Google that the company said originated in China and defend it from future attacks. ...
Very Scary:
"On December 24th, 2007 there was a Google security infection that can affect every Gmail user on the planet?" see WARNING: Google’s Gmail security failure leaves my business sabotaged
"The victim visits a web page while being logged into Gmail. Upon loading, the page ... injects a filter into the victim's Gmail filter list. The attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the attacker's rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google." [it was fixed, several months later]
July 10, 2009; By Michael Horowitz
Just that morning, I had installed a new router on my LAN, so I checked the activity log in my new router. After only 1 day of operation, my router had blocked five unsolicited inbound connection attempts, from three different IP addresses, and they were all in China!
A router protects a computer from just these types of attacks. Everyone should do their computing behind a router. You can test how well the firewall in your router is protecting you with Steve Gibson's Shields Up!: [https://www.grc.com/x/ne.dll?bh0bkyd2]
see Michael's full article "Help! Chinese Hackers are Attacking my PC" at
http://itmanagement.earthweb.com/secu/article.php/3829211/
April 18, 2010; Greg
I went to www.grc.com, above, again, and found that my home router is still doing a great job operating in stealth mode. I have left Windows permanently, and use Linux now. However, I have 2 web sites, www.pwsdb.com, and www.fuel-efficient-vehicles.org
I had learned how to suppress comment spam on my sites some months ago, with and without a "captcha" question, and also read how to lock out spammers and hackers with some programming and use of the .htaccess file. I bookmarked the information then and recently began implementing it.
The first thing I discovered was that attempts were being made to hack this (and every) web site, and most were from China! (read up on Indy Library) When I am finished, I will post the information you can use to protect your site, if you have one.
April 19, 2010
The surest control over security is with /etc/httpd/conf/httpd.conf when possible, or in .htaccess files otherwise. Read the post "Unix-Apache .htaccess" for basic information first, if you are not familiar with this.
It is best to have your site duplicated on a test PC (your desktop or laptop?) where you can test any change to your httpd.conf or .htaccess file before committing it to your server.
Web Site Security
One possibility is to CHMOD your files.
chmod .htpasswd files 640
chmod .htaccess files 644
chmod php files 600 (even php files only need 644 or less; 600?)
chmod files that you really don't want people to see 400
NEVER chmod 777; if something requires write access, use 666
only directories need 7's or 5's, and they should be 755
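As an added example (not from the original post), the following script audits a web root against exactly the chmod policy listed above and reports anything wider than it; the sample tree it builds under a temporary directory is constructed for the demonstration.

```python
"""Audit a web root against the chmod policy listed above.

Added example, not from the original page. It checks the page's policy:
.htpasswd no wider than 640, .htaccess no wider than 644, .php no wider
than 644, directories no wider than 755, and nothing world-writable."""
import os
import stat
import tempfile

# Widest permitted mode per file kind (taken from the page's list).
MAX_MODE = {".htpasswd": 0o640, ".htaccess": 0o644, ".php": 0o644}
MAX_DIR_MODE = 0o755


def _key(name):
    """Policy key: the whole name for .ht* files, else the extension."""
    return name if name.startswith(".ht") else os.path.splitext(name)[1]


def audit_tree(root):
    """Return (path, mode, reason) for every entry that is wider than policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode & ~MAX_DIR_MODE:
                findings.append((p, oct(mode), "directory wider than 755"))
        for f in filenames:
            p = os.path.join(dirpath, f)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((p, oct(mode), "world-writable"))
            elif _key(f) in MAX_MODE and mode & ~MAX_MODE[_key(f)]:
                findings.append((p, oct(mode), "wider than %o" % MAX_MODE[_key(f)]))
    return findings


def demo():
    """Build a constructed sample tree, audit it, and return the reasons found."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)        # violates: 777 directory
    sample = {".htaccess": 0o644, ".htpasswd": 0o600, "index.php": 0o644,
              "config.php": 0o666, "secret.txt": 0o400}   # config.php violates
    for name, mode in sample.items():
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    return sorted(reason for _, _, reason in audit_tree(root))
```

Run it against your real document root with audit_tree("/path/to/public_html") on the test copy first, as the post advises.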
A config.ini file that contains sensitive password information should not be served to the web. One should create an .htaccess file to tell Apache NOT to serve this (or any) .ini file, nor any include file [*.inc], nor any log file, nor any .txt file (?).
The .htaccess file (or better yet, httpd.conf) should contain:
<FilesMatch "\.(ini|inc|log|txt)$">
Deny from all
# Allow from env=REDIRECT_STATUS
</FilesMatch>
<FilesMatch "^robots\.txt$">
Allow from all
</FilesMatch>
/robots.txt is the only .txt file that has to be readable by visitors (Google, Yahoo, etc.), if you have one.
Some have added a statement to specifically allow [internal] requests that have the REDIRECT_STATUS environment variable set to access .ini and .inc files; however, on my 2 web sites it is not needed, so it is commented out. I display it here in case you need it in some other situation.
When a visitor requests /index.php, Apache (or whatever server you are using) does a subrequest/internal request to the PHP interpreter to include the .ini files, and then index.php requests the .inc files; for internal requests like that, it adds some special environment variables, which are the normal variables prefixed with REDIRECT_.
In the directory /includes/ which contains no pages, only include files, we have an .htaccess file containing only the one line:
Options Includes
Because of this .htaccess file, CGI execution is not permitted, in this folder or below, as only Options Includes is in effect, which completely overrides any earlier setting that may have been in place.
restrict or deny access to folders
A typical example would be an includes/ folder (or themes/, or plugins/). Your site's pages can call these included scripts all they like, but you don't want users accessing the files directly over the web. In that case you would drop an .htaccess file in the includes folder with content something like this:
# no one gets in here!
deny from all
which would deny ALL direct access to ANY files in that folder. You can be more specific with your conditions, for instance limiting access to a particular IP range; here's a handy top-level rule for a local test server:
NO ENTRY from outside the LAN! (allow only 192.168.0.0 through 192.168.0.255)
# no nasty crackers in here!
order deny,allow
deny from all
allow from 192.168.0.
# this would allow all from 192.168.0.0 through 192.168.0.255
# this would allow from 192.168.4.24 through 192.168.4.27
#allow from 192.168.4.24 192.168.4.25 192.168.4.26 192.168.4.27
Of course, the same is true of the .htaccess file itself, which, universally, has this directive in every httpd.conf:
<Files .htaccess>
order allow,deny
deny from all
</Files>
To confirm that it is as it should be, open a tab in your browser and enter http://www.YourWebSite.com/.htaccess; even if you don't have an .htaccess file, you should get a "Forbidden" error message.
Control access ...
by IP address
If you are the only person logging in to admin and you have a permanent IP from your home internet connection provider, put an .htaccess in your admin folder to block anyone else from getting into admin, even if they have your correct ID and password. This will stop any cross-site scripting and any remote attempts to access anything, real or imagined, in your admin folders.
If your site is still being hacked, then until you find a better way to keep them out, you should be the only one going in.
To keep everyone but you out of admin, make sure no one but you knows your FTP password. Change it before you do this and again afterwards. A hacker can create several FTP IDs and passwords once he is in, so go to your cPanel (?) and make sure there are none you do not know about (there should probably be none, period). If a hacker can get in with FTP, they can shoot down your .htaccess file also.
order deny,allow
deny from all
allow from 123.168.1.10
Where 123.168.1.10 is your IP.
or
Allow from 123.168.1.10 123.168.1.205
or
Allow from 123.168.1.10
Allow from 123.168.1.205
if you have 2 IPs you want allowed.
To allow a specific IP range:
Allow from 123.168.1.
to allow from 123.168.1.0 to 123.168.1.255
or
I have read that these work, but they didn't for me
Allow from 123.168.1.195 - 123.168.1.203
Allow from 123.168.1.195 - 203
to allow from ~.195 to ~.203
To itemize them was all I could get to work:
Allow from 123.168.1.195 123.168.1.196 123.168.1.197 123.168.1.198
Allow from 123.168.1.199 123.168.1.200 123.168.1.201 123.168.1.202 123.168.1.203
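Apache's mod_authz_host accepts single addresses, partial (prefix) addresses, and CIDR networks, but not the "a.b.c.195 - a.b.c.203" form tried above. As an added example (not from the original post), this script converts such a range into either an itemized list, as written by hand above, or the equivalent CIDR blocks. The addresses used are constructed samples.

```python
"""Convert an IP range into Apache 2.2 "Allow from" lines.

Added example, not from the original page. mod_authz_host accepts single
addresses, partial (prefix) addresses and CIDR networks, but not the
"a.b.c.195 - a.b.c.203" range form; this converts such a range into either
an itemized list or CIDR blocks. Addresses used are constructed samples."""
import ipaddress


def expand_range(first, last):
    """Every address from first to last inclusive, as strings."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]


def allow_lines_itemized(first, last, per_line=4):
    """One 'Allow from' line per per_line addresses, like the hand-written list."""
    addrs = expand_range(first, last)
    return ["Allow from " + " ".join(addrs[i:i + per_line])
            for i in range(0, len(addrs), per_line)]


def allow_lines_cidr(first, last):
    """The same range as the fewest CIDR networks Apache will accept."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return ["Allow from " + str(net) for net in nets]


def htaccess_block(first, last, cidr=True):
    """A complete deny-by-default block allowing only the given range."""
    lines = ["order deny,allow", "deny from all"]
    lines += allow_lines_cidr(first, last) if cidr else allow_lines_itemized(first, last)
    return "\n".join(lines)
```

For 123.168.1.195 through 123.168.1.203 the CIDR form is three lines (a /32 and two /30s), which is what the itemized list above expresses by hand.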
If you think you have identified the hacker's IP address, one site where you can look it up to get more information about it is http://whois.domaintools.com/ or do a google search "who is 123.168.1.205", for example.
If it comes back looking like a hacker, block them totally. However, keep in mind that they may have a collection of IP addresses they use. Better yet, the robot program they use may be known and blockable. Best of all, if you can block direct access to (nearly?) everything but the index page and the pages that are there for the public, that might be the best protection.
Protect by folder
example1: folder wp-content, containing (potentially vulnerable) themes and plug-ins
Denies any direct request for files ending in php|html|htm|txt with a 403 Forbidden. Needs to be tested case by case, as it may break a plugin or theme [401].
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .* - [F,NS,L]
example2: similar, for the folder wp-includes:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]
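To test these rewrite conditions on a desktop before committing them, as the April 19 note recommends, here is an added example (not from the original post) that mirrors each RewriteCond above as a Python regex and reports whether the [F] rule would fire for a given request. DOCROOT and the sample requests are constructed; the [NS] flag and Apache's other merge rules are not modelled.

```python
"""Dry-run the two RewriteCond rulesets above against sample requests.

Added example, not from the original page: each RewriteCond is mirrored as
a Python regex so the rules can be checked offline before editing the live
.htaccess. DOCROOT and the requests are constructed; [NC] is modelled with
re.IGNORECASE, and the [NS] flag (no subrequests) is not modelled."""
import re

DOCROOT = "/var/www/html"  # constructed; REQUEST_FILENAME = DOCROOT + path

# (pattern, negated, ignore_case, variable) for each RewriteCond line.
WP_CONTENT_RULES = [
    (r"^[A-Z]{3,9}\ /wp-content/.*$", False, True, "THE_REQUEST"),
    (r"^.+flexible-upload-wp25js.php$", True, False, "REQUEST_FILENAME"),
    (r"^.+\.(php|html|htm|txt)$", False, False, "REQUEST_FILENAME"),
]
WP_INCLUDES_RULES = [
    (r"^[A-Z]{3,9}\ /wp-includes/.*$", False, True, "THE_REQUEST"),
    (r"^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/", True, True, "THE_REQUEST"),
    (r"^.+\.php$", False, False, "REQUEST_FILENAME"),
]


def request_vars(method, path):
    """The two server variables the rules look at, built from a request line."""
    return {"THE_REQUEST": "%s %s HTTP/1.1" % (method, path),
            "REQUEST_FILENAME": DOCROOT + path}


def is_forbidden(rules, method, path):
    """True when every RewriteCond holds, i.e. the [F] RewriteRule fires."""
    env = request_vars(method, path)
    for pattern, negated, nocase, var in rules:
        flags = re.IGNORECASE if nocase else 0
        matched = re.search(pattern, env[var], flags) is not None
        if matched == negated:  # a plain miss or a negated hit fails the chain
            return False
    return True
```

Running is_forbidden over the paths a plugin actually requests (themes, uploads, the excluded flexible-upload script, the wp-includes/js subtree) shows which ones the 403 would hit before the rule goes live.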