Basic security guidelines

November 2, 2011     0 comments

Make sure your local computer is safe. For this purpose use reliable updated antivirus software such as:

          o Norton Internet Security, offering Antivirus, Antispyware, Two-way firewall, Antiphishing, etc.
            or
          o Kaspersky Internet Security, offering Integrated protection from all Internet threats, such as Parental Control, a personal firewall, an anti-spam filter, Privacy Control and more.

Check whether all of your web applications are up-to-date. This includes any modules, components and addons you have added and / or integrated;

Pick strong passwords for the main DirectAdmin account, MySQL, FTP and EMail users. Never use the same passwords for different users. For example a MySQL user should not have the same password as your DirectAdmin user or an FTP user. It is essential that your DirecrtAdmin user's password is not found in any file on your account by any means;

Avoid having directories with permissions above 755. If your applications require such directories, try to revert the permissions to 644 after any installations, or place a .htaccess file in them containing "deny from all" to restrict public access to these files. Our servers will run scripts and directories with the default permissions.

PHP 5.2+ has an improved handling of remote code which reduces greatly security problems.

Tweak your local PHP settings for better security. This can be done by disabling unnecessary functions and options. Here are some sample recommended directives and ones that we have implemented:

allow_url_fopen=off

disable_functions = proc_open , popen, disk_free_space, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
Note that the above directives "can" cripple your code's functionality.

Deny perl and other bots from accessing your site. This can be easily done with the following rules in your .htaccess:

SetEnvIfNoCase User-Agent libwww-perl bad_bots
order deny,allow
deny from env=bad_bots


If you are not using Perl scripts, add a bogus handler for these files. In your home directory create a .htaccess file with the following content:

##Deny access to all CGI, Perl, Python and text files
<FilesMatch "\.(cgi|pl|py|txt)">
Deny from all
</FilesMatch>
##If you are using a robots.txt file, please remove the
# sign from the following 3 lines to allow access only to the robots.txt file:
#<FilesMatch robots.txt>
#Allow from all
#</FilesMatch>


The above will prevent Perl scripts to be executed. Many exploits / backdoors are writtent in Perl and the above will prevent them from running. This directive will apply to all your subdirectories.

Filter possible intrusions with Apache's Mod Security. Mod Security is an Application firewall integrated with Apache. We have this installed as default.

We also recommend reading this article as well.

IMPORTANT: Once your account has been compromised, it is very likely that the intruder will leave a backdoor to easily gain access later. That's why only fixing your vulnerable code might not be enough. Finding the backdoors will be time-consuming and expensive (requiring a professional developer). That's why you might prefer to start from scratch again.

How helpful was this article to you?

FraudLabs Pro Secured Seal