Websites get hacked every day, customers' details are taken, and it's usually REALLY EASY to do. As a security consultant, I often get a call after a Google search turns up my details as the guy to contact when this happens.
Shameless plug over, why not consider some of the things that can be done to help prevent a website breach?
First, concentrate on the box and the LAMP environment as a whole. Here's a top 10:
- Restrict or disable .htaccess-type files. A lot of sites these days allow uploading of files, in whatever form that may come. Often the code can be tricked into letting an attacker upload .htaccess files to certain directories, which could allow scripts to be executed or visitors to be redirected.
- Check your Apache config after tightening up/disabling .htaccess: disable any CGI directories you don't need, and review the limits.
- Consider mod_security.
- Check that Apache, PHP, MySQL and related modules are up to date.
- Firewall MySQL from the outside, along with any other services that should not be reached directly from the outside or are not necessary.
- Check your list of MySQL users and make sure each one has only the privileges it actually needs.
- It's common to find users on their own web servers connecting to MySQL from their web code as the root user. Don't do it. Create a user account for that particular site/database and assign it the tightest privileges possible. Do not connect to MySQL as root unless necessary.
- Take multi-day backups of the database, code AND logs.
- Check the machine for world-readable/writable directories.
- Rate-limit hits per second from individual IPs.
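Two of the checks above (world-writable directories and stray .htaccess files) are easy to script. The following is an added example, not code from the original post; the /var/www path in the usage line is an assumption, and the sticky-bit exclusion is my own choice so that /tmp-style directories don't flood the output.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Lists directories that are
# world-writable without the sticky bit, and any .htaccess files sitting under
# a web root. The document root path is an assumption; adjust it to your vhost.

# Print world-writable directories beneath $1 that lack the sticky bit.
# 1777 directories (like /tmp) are skipped because the sticky bit stops users
# deleting each other's files; any other o+w directory deserves a look.
find_world_writable() {
    find "$1" -xdev -type d -perm -o+w ! -perm -1000 2>/dev/null | sort
}

# Print .htaccess files beneath the document root. With AllowOverride None in
# the Apache config these files are ignored, but finding one inside an upload
# directory still shows that the upload code let it through.
find_htaccess() {
    find "$1" -xdev -type f -name .htaccess 2>/dev/null | sort
}

# Total number of findings under $1, handy for a pass/fail check in cron.
count_findings() {
    n1=$(find_world_writable "$1" | wc -l)
    n2=$(find_htaccess "$1" | wc -l)
    echo $((n1 + n2))
}

# Usage: sh lamp_audit.sh /var/www   (runs the checks only when a path is given)
if [ "$#" -gt 0 ]; then
    echo "== world-writable, non-sticky directories under $1 =="
    find_world_writable "$1"
    echo "== .htaccess files under $1 =="
    find_htaccess "$1"
    echo "findings: $(count_findings "$1")"
fi
```

Run it against / as well as the document root; a world-writable directory elsewhere on the box matters just as much as one under the web root.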
Next, look to your web code. Here's a top 5:
- Look for SQL injection opportunities. SQL injection is NOT prevented just by escaping incoming strings.
- Check all input areas for XSS (Cross-Site Scripting).
- See my PHP Security post.
- Session ID protection – can users overwrite cookie/session variables that you have set and taken for granted shouldn't be changed by the user? These are easy to overwrite/exploit with 'curl' or 'wget'.
- How are you handling user data input? Sniffing plaintext HTTP, or plaintext anything for that matter, is very simple. All sensitive data should be sent over HTTPS. On that note, are you storing the data safely afterwards?
Anything to add to this list? Please let me know!