Over the past year, we have covered many server security issues. Here is a brief summary of some of the highlights.
1. Do not allow direct root/administrator login
2. Make sure passwords are secure and changed regularly (by force if necessary)
3. Use a network firewall, such as APF
4. Use an application firewall, such as ModSecurity
5. Chroot all non-root users to keep them out of system directories
6. Use virus scanners and spam filters
7. Close mail server open relays
8. Keep all software and scripts up-to-date
9. Test your server for security holes
10. Keep up on the latest security news
11. Use SSL for secure data transactions
12. Set permissions as strictly as possible on any web-accessible files

Tehtri Security researcher Laurent Oudot has found that most people who attack servers get their tools from freely available malware kits on the Web rather than writing their own. These kits often contain poorly written code that can itself be exploited.
What does all of that mean to you? Oudot says it means that you can fight fire with fire, turning the attacker’s own malware against him. The next time someone attacks your server, exploiting the bugs in the malware can reveal a trail of IP addresses that may lead all the way back to the attacker’s personal computer.
Oudot admits that there may be legal issues if you decide to turn into a cyber-Batman, but says that he demonstrated that it could be done, at the SyScan 2010 security conference in Singapore, in order to “open new way[s] to think about IT security worldwide”. Right, Mr. Oudot. You just handed every victim a loaded gun and told them there may be “legal issues” in retaliating. Malware attackers, you’ve been warned.

Question: I have heard that enabling root login in SSH can be a security risk. Is that true, and if so, how do I disable it?
Answer: Having root login enabled is not, by itself, what gets a server compromised; a weak root password or an insecure web application that leaks it is. But permitting direct root login over SSH does make root a target for password guessing (every attacker already knows the username), and it removes the record of which administrator actually became root. Disabling it gives attackers one less avenue, and if you do not need to log in directly as root through SSH, there is no reason to leave it enabled.
Disabling it is simpler than that explanation suggests. Follow these steps:
1. Log in to your server via SSH as your normal user
2. Become root:
su -
3. Edit /etc/ssh/sshd_config (the server configuration; /etc/ssh/ssh_config is the client configuration and has no effect here)
4. Find the existing PermitRootLogin line, uncomment it if necessary, and set it to:
PermitRootLogin no
sshd uses the first value it reads for a keyword, so an existing "PermitRootLogin yes" earlier in the file would override a line you simply append at the end.
5. Save and exit, check the file with sshd -t, and reload sshd (for example /etc/init.d/sshd reload or service sshd reload, depending on your distribution). Keep your current session open and confirm from a second terminal that you can still log in as your normal user and su to root before you close it.
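As an added example (not from the original post), here is a POSIX shell script that makes the change on a copy of the configuration and shows why simply appending a line is not enough: sshd uses the first value it reads for a keyword, so an existing "PermitRootLogin yes" higher in the file wins over anything added at the end. The sample configuration is constructed; run the function against /etc/ssh/sshd_config as root only after trying it on a copy, then check with sshd -t and reload sshd.

```sh
#!/bin/sh
# Added example (not from the original post): set PermitRootLogin to "no" in an
# sshd_config file and report the value sshd will actually use.

# effective_permit_root_login FILE
# sshd honours the FIRST uncommented occurrence of a keyword, so this prints
# the first PermitRootLogin value, not the last. Match blocks are ignored here.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# set_permit_root_login_no FILE
# Rewrite every uncommented PermitRootLogin line (indented or not, any case)
# to "PermitRootLogin no"; append one if the file has none.
set_permit_root_login_no() {
    cfg=$1
    awk 'tolower($1) == "permitrootlogin" { print "PermitRootLogin no"; seen = 1; next }
         { print }
         END { if (!seen) print "PermitRootLogin no" }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Demo on a constructed copy that already allows root login.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
    echo "before: $(effective_permit_root_login "$tmp")"
    set_permit_root_login_no "$tmp"
    echo "after:  $(effective_permit_root_login "$tmp")"
    rm -f "$tmp"
}

demo
```

After running set_permit_root_login_no on the real file, `sshd -t` reports syntax problems and a reload makes the change effective; a new session is required to see it, which is why the existing one should stay open until you have verified that you can still get in.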
Generally speaking, it is a sound idea to keep the default kernel, packages, and drivers that came with your server or with your Linux distribution. Recompiling a kernel is usually something taken up by adventurers and computer science students. Despite that general trend, there are some rare cases when compiling the Linux kernel from source might be beneficial or necessary.
Pros:
1. A kernel compiled for your specific hardware can be somewhat faster, although the gain is usually small.
2. You can leave out modules, drivers, and features you do not need, which also shrinks the kernel's attack surface.
3. If you have specific requirements, you can add them or even change parts of the source code completely.
Cons:
1. You become responsible for tracking and applying kernel security patches yourself; your distribution's updates no longer cover the kernel.
2. A misconfigured kernel (for example, one missing the driver for your disk controller or root filesystem) may not boot, and on a remote dedicated server that means rescue mode or a support ticket.
3. It takes time and a good deal of expertise.
It is truly up to the system administrator to decide whether a custom kernel is necessary on a dedicated server. Choose wisely.

Here are a few more Joomla security tips to help you make sure your Joomla installation is rock-solid.
1. Create strong passwords. Change your administrator password regularly and use a mix of upper- and lowercase letters and numbers. Avoid dictionary words, and make the password at least eight characters long (longer is better).
2. Monitor for tampering. If you have your own VPS or dedicated server, you can run Tripwire or Samhain to check file integrity regularly; they flag files that have been modified, added, or removed since the baseline, which is how a compromise of Joomla's files usually shows up.
3. Automate security tasks. With a busy schedule, you may forget to check for new versions of Joomla and of the extensions you have installed. Set up scripts or cron jobs to check automatically.
4. Check logs often. Simply reading your access and error logs can reveal thinly veiled intrusion attempts, particularly when the attacker is probing a web application like Joomla: repeated POSTs to the administrator login page, or query strings carrying SQL fragments.
5. Run checks for SQL injection vulnerabilities. Free tools are available that will test your site for you; run them against a staging copy or with your host's knowledge, since they generate a lot of suspicious-looking traffic.
The important thing to remember is to always be diligent. Create a security routine and stick to it. Do not let months go by before you check on your Joomla installation; you may find that your site has already been compromised.
Source: Joomla Security Checklist
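As an added example (not from the original post or the checklist it cites), here are two POSIX shell functions that pull the probes described in tips 4 and 5 out of an Apache combined-format access log: repeated POSTs to the Joomla administrator login from one address, and query strings carrying SQL-injection tokens. The threshold of five attempts and the log lines in the demo are constructed assumptions; point the functions at your real access_log.

```sh
#!/bin/sh
# Added example (not from the original post): two quick checks over an Apache
# combined-format access log for the Joomla probes mentioned above.

# admin_post_floods LOGFILE THRESHOLD
# Count POST requests to /administrator/index.php per client IP and print
# "IP count" for every IP at or above THRESHOLD. Password guessing against
# the Joomla administrator login shows up as many POSTs from one address.
# Combined format fields: $1 = client IP, $6 = "METHOD (with the opening
# quote), $7 = request path.
admin_post_floods() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }' "$1" | sort
}

# sqli_requests LOGFILE
# Print requests whose query string carries common SQL-injection tokens:
# a quote (raw or %27), UNION ... SELECT, or the timing functions
# sleep()/benchmark() used by blind-injection tools.
sqli_requests() {
    grep -Ei "\"(GET|POST) [^ ?]*\?[^ ]*('|%27|union(%20|\\+)+select|sleep\(|benchmark\()" "$1"
}

# write_sample_log FILE : constructed sample traffic, not a real log
write_sample_log() {
    : > "$1"
    i=0
    while [ $i -lt 5 ]; do
        echo '203.0.113.7 - - [10/Jun/2010:12:00:0'"$i"' +0000] "POST /administrator/index.php HTTP/1.1" 303 - "-" "Mozilla/5.0"' >> "$1"
        i=$((i + 1))
    done
    echo '198.51.100.4 - - [10/Jun/2010:12:00:09 +0000] "GET /index.php?option=com_content&id=1%27%20union%20select%201,2,3-- HTTP/1.1" 200 4321 "-" "sqlmap/1.0"' >> "$1"
    echo '192.0.2.10 - - [10/Jun/2010:12:00:10 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8765 "-" "Mozilla/5.0"' >> "$1"
}

log=$(mktemp)
write_sample_log "$log"
echo "== IPs with 5 or more admin login POSTs =="
admin_post_floods "$log" 5
echo "== requests that look like SQL injection =="
sqli_requests "$log"
rm -f "$log"
```

The SQL pattern is deliberately coarse: a legitimate article title containing an apostrophe in a search query will trip it, so treat the output as a list to read, not a blocklist to feed into the firewall.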

In the two previous parts of the Joomla security series, we looked at settings to check both before and after installation. Here are some important security steps to take during installation.
1. Move configuration.php outside the document root. For example, if your document root is /home/user/www/public_html, you can move configuration.php up to /home/user/www, where web visitors cannot request it directly; a small stub configuration.php in the document root then includes the real file. Read this guide for the detailed procedure.
2. Disable XML-RPC if you do not need it. Unless you publish to your Joomla site from another application without logging in through the website, this component only adds attack surface.
3. Check third-party extensions for known vulnerabilities. Joomla publishes a list of vulnerable extensions; avoid anything on it, and keep the extensions you do install up to date.
4. Use SSL for all logins and publishing. Joomla 1.5 has increased support for SSL.

Servers handle command and application execution differently depending on the operating system. From a security perspective, executable files should be tightly controlled: only the server administrator should be able to install and run executables, and the server should not execute files from directories that are not meant to hold programs, such as upload directories, /tmp, and users' home directories.
On a Windows server, executables typically have .exe, .com, .bat, .cmd, .scr, or .pif extensions, and script files such as .vbs and .js are run just as readily. Emails and other transfers carrying such attachments should be blocked. Attackers have adapted to mail scanners that block by extension and often ship the same executables inside .zip archives or under a misleading double extension (invoice.pdf.exe), so scan inside archives and identify files by their content rather than by name alone. You decide which file types to restrict and how to scan and monitor incoming files.
On a Linux server, any file can be executed once its execute permission bit is set; standard executables have no file extension at all, so you cannot filter by name and have to be extra cautious about unauthorized scripts. Mount the filesystems that untrusted users and the web server can write to (/tmp, /var/tmp, /home) with the noexec and nosuid options, and keep the directories that hold executables owned by root and writable by nobody else. Note the limit of noexec: it stops direct execution of a dropped file, but a script can still be run by handing it to an interpreter (sh script.sh), so this reduces the chances of an exploit rather than eliminating them. A Linux mail server will still receive Windows executables intended for home Windows computers; configure a mail scanner to detect and quarantine them.
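As an added example (not from the original post), the following POSIX shell functions check the two things the Linux paragraph recommends: that the filesystems untrusted users can write to are mounted noexec, and that a directory meant to hold data carries no files with execute bits. Linux's /proc/mounts format is assumed; the mount table and scratch directory in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): check noexec mounts and look for
# stray executables. Assumes Linux (/proc/mounts) and a POSIX find.

# mount_options MOUNTPOINT [MOUNTS_FILE]
# Print the option string of the filesystem mounted at MOUNTPOINT, or nothing
# if MOUNTPOINT is not a separate filesystem. MOUNTS_FILE defaults to /proc/mounts.
mount_options() {
    awk -v mp="$1" '$2 == mp { print $4; exit }' "${2:-/proc/mounts}"
}

# has_mount_option MOUNTPOINT OPTION [MOUNTS_FILE]
has_mount_option() {
    mount_options "$1" "$3" | tr ',' '\n' | grep -qx "$2"
}

# audit_mounts [MOUNTS_FILE]
# Warn for each user-writable filesystem that is not mounted noexec. Remember
# the limit of noexec: it stops ./script, but "sh script" still runs, because
# the interpreter, not the kernel, opens the file.
audit_mounts() {
    rc=0
    for mp in /tmp /var/tmp /home; do
        [ -n "$(mount_options "$mp" "$1")" ] || continue
        has_mount_option "$mp" noexec "$1" || { echo "WARN $mp is not mounted noexec"; rc=1; }
    done
    return $rc
}

# executable_files DIR
# List regular files under DIR with any execute bit set. A web root or upload
# directory should normally return nothing; PHP files do not need +x to run.
executable_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print | sort
}

# Demo on a constructed mount table and a scratch directory.
demo() {
    m=$(mktemp)
    cat > "$m" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
    audit_mounts "$m" || true
    d=$(mktemp -d)
    printf '<?php\n' > "$d/index.php";      chmod 644 "$d/index.php"
    printf '#!/bin/sh\n' > "$d/dropped.sh"; chmod 755 "$d/dropped.sh"
    executable_files "$d"
    rm -rf "$d" "$m"
}

demo
```

Run audit_mounts with no argument to read the live /proc/mounts, and executable_files against your document root; anything it lists that you did not put there deserves a look.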
Yesterday, I highlighted some of the critical Joomla security issues that you should consider. Here are a few more you should add to your list:
All of these can be set in a per-directory php.ini in your own web space (if your host allows it), rather than by changing the server-wide php.ini. Whether that works depends on how your host runs PHP: with PHP as CGI or suPHP a local php.ini is usually honored, while under mod_php the per-directory equivalent is php_flag/php_value in .htaccess, and disable_functions and allow_url_fopen can only be set in the main php.ini or the web server configuration, not in .htaccess.
1. Use disable_functions to block dangerous PHP functions that a Joomla site never needs:
Example: disable_functions = show_source, exec, phpinfo
(system, shell_exec, passthru, popen, and proc_open are equivalent routes to a shell and belong on the same list.)
2. Use open_basedir. This limits the files PHP can open to the directory tree you specify (for example, your home directory). End the path with a slash; otherwise it is a prefix match, and /home/webguy/www/html2 would qualify too. Separate several directories with a colon, for instance to add the directory used for sessions and uploads.
Example: open_basedir = /home/webguy/www/html/
3. Disable register_globals. Joomla will actually warn you in its pre-installation check if you have this enabled (the setting was removed entirely in PHP 5.4):
Example: register_globals = 0
4. Disable allow_url_fopen. It lets PHP's file functions (fopen, file_get_contents, include) open remote URLs as if they were local files, so a script that builds a path from user input can be made to fetch and run an attacker's code. Disabling it breaks extensions that fetch remote content through fopen wrappers (curl is unaffected), so test afterwards. Since PHP 5.2, allow_url_include separately controls include/require of URLs and should be off as well.
Example: allow_url_fopen = 0
Source: Joomla Security Checklist
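As an added example (not from the original post or the checklist it cites), here is a POSIX shell audit of a php.ini for the settings above. It also checks allow_url_include, and it treats a missing directive as PHP's built-in default, which matters because allow_url_fopen defaults to On. The ini fragments in the demo are constructed, and the list of functions it expects to see disabled is an assumption that goes beyond the three the post names.

```sh
#!/bin/sh
# Added example (not from the original post): audit a php.ini for the
# settings discussed above. Point audit_php_ini at your real file.

# ini_value FILE KEY
# Print the value of the last uncommented "KEY = value" line (PHP keeps the
# last assignment it reads), trimmed of surrounding whitespace; empty if unset.
ini_value() {
    awk -v key="$2" -F= '
        /^[[:space:]]*[;#]/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        tolower(k) == tolower(key) {
            v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); last = v
        }
        END { print last }' "$1"
}

# is_off VALUE : true for the strings PHP treats as boolean false
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ""|0|off|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# setting_is_off FILE KEY DEFAULT : like is_off, but falls back to PHP's
# built-in DEFAULT when the file does not set KEY at all.
setting_is_off() {
    v=$(ini_value "$1" "$2")
    [ -n "$v" ] || v=$3
    is_off "$v"
}

# audit_php_ini FILE : print one WARN line per weakness; return 0 when clean
audit_php_ini() {
    f=$1; rc=0
    disabled=$(ini_value "$f" disable_functions | tr -d ' ')
    # exec alone is not enough: these are all routes to a shell (assumed list)
    for fn in exec shell_exec system passthru popen proc_open show_source phpinfo; do
        printf '%s\n' "$disabled" | tr ',' '\n' | grep -qx "$fn" \
            || { echo "WARN disable_functions does not list $fn"; rc=1; }
    done
    [ -n "$(ini_value "$f" open_basedir)" ] || { echo "WARN open_basedir is not set"; rc=1; }
    setting_is_off "$f" register_globals  Off || { echo "WARN register_globals is on";  rc=1; }
    setting_is_off "$f" allow_url_fopen   On  || { echo "WARN allow_url_fopen is on";   rc=1; }
    setting_is_off "$f" allow_url_include Off || { echo "WARN allow_url_include is on"; rc=1; }
    return $rc
}

# Demo: a weak fragment and a hardened one (both constructed).
demo() {
    weak=$(mktemp); hard=$(mktemp)
    printf '[PHP]\n; nothing disabled, allow_url_fopen left at its default (On)\nregister_globals = On\n' > "$weak"
    cat > "$hard" <<'EOF'
[PHP]
disable_functions = show_source, exec, shell_exec, system, passthru, popen, proc_open, phpinfo
open_basedir = /home/webguy/www/html/:/tmp/
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
EOF
    echo "== weak =="; audit_php_ini "$weak" || true
    echo "== hardened =="; audit_php_ini "$hard" && echo "OK"
    rm -f "$weak" "$hard"
}

demo
```

The audit reads the file, not the running interpreter; where a host layers .htaccess or per-directory ini files on top of the main php.ini, compare against the output of phpinfo() (before you disable it) or php -i to see the effective values.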

Joomla is a powerful free and open source content management system. It has become very popular, and many web hosting providers offer installer scripts that can automatically install Joomla onto a customer’s website. In certain situations, however, you may prefer to install Joomla yourself. When you do, there are certain security issues you should know about.
1. Delete the “installation” directory. Joomla tells you to do this, and if you forget, anyone who finds it can run the installer again against your site.
2. Chmod configuration.php to 644 at most, and to 600 where you can. Nobody but your site should be able to read configuration.php, because it contains your database credentials. The only reason to leave it at 644 rather than 600 is that on some shared hosts PHP runs as the web server user, which is a different user from the site owner, and that user must be able to read the file.
3. Back up early and often. Create regular backups of Joomla’s MySQL database, and of the files as well, since extensions and uploads live there. If anything ever does go wrong, you can restore instead of rebuilding.
4. Install mod_security. ModSecurity is an application firewall designed for web applications like Joomla: it inspects the HTTP requests themselves and can block the SQL injection and file inclusion attempts that a network firewall never sees.
5. Secure your database. Set up Joomla to access the database as a MySQL user whose privileges are limited to Joomla’s own database (it needs no GRANT, FILE, or SUPER privileges), and make sure the password is not easy to guess.
There are many more security issues you should consider. Over the coming days, I will highlight some of them. Hopefully, they will help you keep your Joomla installation stable and secure.
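As an added example (not from the original post), here is a POSIX shell check for points 1 and 2 above against a Joomla web root. It assumes Joomla’s layout (an installation/ directory and configuration.php in the web root) and a stat command that prints octal modes; the scratch tree it runs on is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the installer
# directory is gone and that configuration.php is not readable by more
# users than necessary.

# file_mode FILE : permission bits in octal, e.g. 644 (GNU stat, then BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# joomla_postinstall_check WEBROOT
# FAIL lines need action; the NOTE about 644 is the shared-host trade-off
# described above. Returns 0 only when there are no FAILs.
joomla_postinstall_check() {
    root=$1; rc=0
    if [ -d "$root/installation" ]; then
        echo "FAIL $root/installation still exists: remove it so the installer cannot be rerun"; rc=1
    fi
    cfg=$root/configuration.php
    if [ ! -f "$cfg" ]; then
        echo "FAIL $cfg is missing"; return 1
    fi
    mode=$(file_mode "$cfg")
    case "$mode" in
        400|440|444|600|640|644) ;;   # only the owner may write; nobody else
        *) echo "FAIL $cfg is mode $mode; it holds the database password, use 644 or tighter"; rc=1 ;;
    esac
    case "$mode" in
        444|644) echo "NOTE $cfg is world-readable ($mode); use 600 if PHP runs as the file owner" ;;
    esac
    return $rc
}

# Demo on a constructed tree: first as a careless install leaves it, then cleaned up.
demo() {
    d=$(mktemp -d)
    mkdir "$d/installation"
    printf '<?php\n' > "$d/configuration.php"; chmod 666 "$d/configuration.php"
    echo "== fresh, unhardened install =="; joomla_postinstall_check "$d" || true
    rmdir "$d/installation"; chmod 644 "$d/configuration.php"
    echo "== after cleanup =="; joomla_postinstall_check "$d" && echo "OK"
    rm -rf "$d"
}

demo
```

Whether 600 is possible on your host is quick to find out: set it, load the site, and put it back to 644 if you get a database connection error, which means PHP is running as a different user than the file’s owner.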

You want to make sure your website visitors can contact you, and you have made every effort to make sure they can find the “Contact Us” page, but what do you want to include on the page? Should you list your email addresses, have only a contact form, or provide both?
Both can present security issues. An email address printed on the page can be harvested by spam bots. A contact form can be abused to send spam (mail header injection in a carelessly written form script is the classic route) or, if the script is buggy, to gain access to the server. Both risks can be reduced with extra security measures, and both can be set up to deliver to the same email account on your server.
The real advantage for contact forms is that you can customize them and lead users to provide certain information. This could help them formulate ideas and come up with better questions. You can also gain certain useful data from them that might help determine how best to assist them. Finally, a contact form script that collects statistical data can help you when it’s time to evaluate your website. Ideally, it is probably best to provide both options, just in case a user prefers one over the other.

In general, “safe mode” refers to running software with all but its most essential components disabled in order to increase stability. Often, when there is a stability or security problem, safe mode still lets the user get into the system and fix it.
In PHP, safe mode is a security option intended for shared servers: it restricts a script to opening files owned by the same user as the script itself and limits which external programs it may run (safe_mode_exec_dir), so that one customer's scripts cannot read or tamper with another's. PHP's own documentation calls it architecturally the wrong place to solve that problem, which belongs to the web server and operating system. It was meant for shared hosting and is not needed on a VPS or dedicated server. It was deprecated in PHP 5.3 and removed in PHP 5.4 (PHP 6, where removal was originally planned, never shipped).
The downside of PHP safe mode is that certain scripts and web applications do not function properly with it enabled. Server administrators can disable it and harden their web applications by other means, such as open_basedir and disable_functions, and individual users can sometimes work around it, although they should check with their web host first to make sure they do not compromise security.
Most web developers and website owners dislike safe mode because of the limitations it places on scripts. If you feel strongly about it, you should find out if a web host uses it before subscribing to their service.

Whether you have a single small website or a data center filled with servers, security should always be at the top of your agenda. One of the most basic security holes that attackers often exploit is the weak password. It is important for you and any users on your server to use secure passwords.
There are certain practices you can use to make your passwords more secure:
If you need help creating a password, consider using a password generator. PC Tools offers a free online generator that lets you specify the length, the types of characters, and whether to avoid similar-looking characters, and it can create several passwords at once. Bear in mind that a password produced by a website has been seen by that website; for server credentials, prefer a generator that runs on your own machine. Now you have no excuses left for having a password that is easy to guess.
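As an added example (not from the original post), here is a local alternative to an online generator: a POSIX shell function that draws the password from /dev/urandom, with a check for the minimum rule given in the Joomla tips earlier on this page (eight characters, upper and lower case, a digit). The default length and character set are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): generate a password locally
# from /dev/urandom. Assumes a POSIX shell with tr and head -c.

# gen_password [LENGTH] [CHARSET]
# Default: 16 characters from [A-Za-z0-9]; 62^16 is roughly 95 bits of entropy.
# LC_ALL=C makes tr treat the random bytes as single bytes rather than UTF-8.
gen_password() {
    LC_ALL=C tr -dc "${2:-A-Za-z0-9}" < /dev/urandom | head -c "${1:-16}"
    echo
}

# password_ok PASSWORD
# The minimum rule from the Joomla tips on this page: at least eight
# characters, with upper case, lower case and a digit. Longer is better.
password_ok() {
    p=$1
    [ "${#p}" -ge 8 ] || return 1
    printf '%s' "$p" | grep -q '[[:upper:]]' || return 1
    printf '%s' "$p" | grep -q '[[:lower:]]' || return 1
    printf '%s' "$p" | grep -q '[[:digit:]]'
}

# gen_checked_password [LENGTH]
# Regenerate until the character-class rule holds: a short random string can,
# by chance, come out without a digit or a capital letter.
gen_checked_password() {
    while :; do
        p=$(gen_password "${1:-16}")
        password_ok "$p" && { printf '%s\n' "$p"; return 0; }
    done
}

gen_checked_password 16
gen_checked_password 24
```

Pass a different character set as the second argument if a system refuses symbols or needs them; the length argument is the one that does most for strength.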