Ethernet over mains power lines

July 26th, 2010

I’ve been using a really clever device for the last few years that a lot of people seem to be unaware exists. It’s an ethernet over powerlines adapter – one such example is the Devolo dLAN. In a nutshell, you plug it into the mains, and connect the Ethernet socket to your network device. You can then plug as many others as you like to various other powerpoints and extend your network wherever the power stretches. Devolo do ones that run up to 200mbit. It’s a theoretical maximum, although I’ve got 177mbit before which is impressive. It has a couple of downsides:

1. It won’t traverse 3 phase power. I’ve tried it, and I’ve ended up with a very weak/nonexistent signal which is probably more inductance than anything else.
2. Obviously it doesn’t handle bad cables well – it doesn’t much like extension cables either.
3. Different circuits work about as well as 3 phase power, the only signal you will get is probably inductance between the two circuits.

Some advantages:
1. It travels pretty far. I’ve had over 150mbit between adapters at opposite ends of the house.
2. No new cabling
3. Fully supports standard Ethernet so all network protocols will work just fine over it.
4. I love it

For anyone running a home or office network and not fortunate to have Ethernet points cabled in, I strongly recommend these devices, you’ll never know the difference.

The importance of redirects

July 19th, 2010

Yesterday, I discussed how you can redirect your HTML files to PHP files. Why is it important to do so?

There are certainly no security concerns involved here, but you probably don’t want to lose your visitors who may bookmark certain pages, nor do you want to lose search engine traffic, because the HTML links will still show up in those engines until they crawl your changes.

That’s where the 301 redirect comes in. This is the best sort of redirect to use, because it is search engine friendly. What it tells search engines is that the page has moved permanently to the forwarding location you provide, which in this case is a PHP file. Essentially, if you do it this way, the search engines won’t skip a beat, and you’ll keep your traffic. The last thing you want to do is let search engines crawl 404 errors.

If you need help with these sorts of things, or if you need a skilled PHP programmer to help you sort out your conversion, I would be more than happy to take a look at your specific needs, and devise a plan for you. This includes making sure that your PHP code and your setup is secure, as PHP is a valuable tool, but a potential security risk if not handled correctly.

My rates are reasonable, and I offer a wealth of experience that can benefit you. Simply get in touch with me for a custom quote!

Redirecting all HTML files to PHP files

July 18th, 2010

Let’s say that you want to rename all your HTML files to PHP files to begin PHP Programming. However, you don’t want to lose all your inbound links to your HTML files. Here’s a quick and easy way to automatically convert all .html incoming addresses to .php files on your server, allowing you to switch to PHP and also keeping all your existing .html links working.

Create a .htaccess file, and enter:

RewriteEngine on
# Only redirect when the requested .html file no longer exists on disk
RewriteCond %{REQUEST_FILENAME} !-f
# Escape the dot and anchor with $ so only URLs ending in .html match
RewriteRule ^(.*)\.html$ $1.php [R=301,NC,L]

This creates a permanent working 301 redirect (Search Engine Friendly) to your new .PHP file.

Passing PHP variable data through POST

July 16th, 2010

Recently, I was developing an API for a PHP application I’d built, to be utilized by other PHP programmers. Essentially, the PHP programmer passes a load of data to our API through a POST variable. This is as follows:

$api->process($to_process, $data, $opt1, $opt2);

$to_process is an array, as follows;

$to_process = Array( Array("FOO", "BAR", 1, 2), Array("BAR", "FOO", 5, 3), Array("HELLO", "World", 9, 10) );

And $data is a ~5k string containing HTML code.

My best option so far has been to bundle everything into a single array:

$data_array = Array();
$data_array[] = $to_process;
$data_array[] = $data;
$data_array[] = $opt1;
$data_array[] = $opt2;

We can then send rawurlencode(serialize($data_array)) from our PHP script to the web API via curl through POST data. On the remote API server, we don’t need to call rawurldecode(), as PHP decodes $_POST for you. It’s also worth ensuring that magic_quotes_gpc is off. Then $data_array = unserialize($_POST['variable']); should do just fine.
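The exchange above, written out on both sides as an added example (this is not the post’s own API code). It uses json_encode()/json_decode() in place of serialize()/unserialize(), because the PHP manual warns against passing untrusted input to unserialize(); the receiver also checks the shape of what it decodes before using it. The endpoint URL is a placeholder, and the $to_process and $data values are constructed to match the shapes described in the post.

```php
<?php
// Added example (not from the original post): build the API payload as JSON,
// send it with curl, and decode it on the API side without unserialize().
// The endpoint URL is a placeholder; the data below is constructed for the demo.

declare(strict_types=1);

// --- Client side --------------------------------------------------------
function buildPayload(array $toProcess, string $data, $opt1, $opt2): string
{
    // One JSON document instead of serialize(): the receiver can decode it
    // without instantiating arbitrary classes.
    return json_encode(
        ['to_process' => $toProcess, 'data' => $data, 'opt1' => $opt1, 'opt2' => $opt2],
        JSON_THROW_ON_ERROR
    );
}

function sendPayload(string $url, string $payload): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // http_build_query() URL-encodes the value, so no rawurlencode() is needed.
        CURLOPT_POSTFIELDS     => http_build_query(['variable' => $payload]),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $response = curl_exec($ch);
    if ($response === false) {
        throw new RuntimeException('curl error: ' . curl_error($ch));
    }
    curl_close($ch);
    return $response;
}

// --- API side -----------------------------------------------------------
function decodePayload(string $raw): array
{
    // PHP has already URL-decoded $_POST, so decode the JSON directly.
    $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)
        || !is_array($decoded['to_process'] ?? null)
        || !is_string($decoded['data'] ?? null)) {
        throw new InvalidArgumentException('payload is missing to_process or data');
    }
    // Every row must be [string, string, int, int], as the post describes.
    foreach ($decoded['to_process'] as $row) {
        $row = is_array($row) ? array_values($row) : [];
        if (count($row) !== 4 || !is_string($row[0]) || !is_string($row[1])
            || !is_int($row[2]) || !is_int($row[3])) {
            throw new InvalidArgumentException('each to_process row must be [string, string, int, int]');
        }
    }
    return $decoded;
}

// Constructed sample input matching the shapes described in the post.
$toProcess = [['FOO', 'BAR', 1, 2], ['BAR', 'FOO', 5, 3], ['HELLO', 'World', 9, 10]];
$payload   = buildPayload($toProcess, '<p>sample html</p>', 'x', 'y');

// Round-trip locally, exactly as the API would see it in $_POST['variable'].
$received = decodePayload($payload);
echo 'rows received: ' . count($received['to_process']) . "\n";

// To actually post it: sendPayload('https://api.example.invalid/process', $payload);
```

On the API side the call becomes decodePayload($_POST['variable']); the validation loop is what keeps a malformed or hostile POST body from reaching the rest of the application.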

Another PHP tip

July 15th, 2010

While it’s all well and good to spend considerable time securing your PHP applications, there is something else that you can do, or rather not do. As a PHP programmer, I see people do one alarming thing: they download and install PHP applications from questionable sources.

While there are a lot of honourable programmers who offer their scripts for free, there are plenty of hackers who enjoy deploying applications that cause harm to others. I discussed this earlier, but it bears repeating: trust your source. Know your source.

Securing PHPMyAdmin and SQL

July 14th, 2010

PHP is of course a valuable tool, and PHPMyAdmin is an equally valuable asset for those that don’t like command line administration. The problem is that because it’s a valuable tool, it’s a security exposure. As a website security consultant, I see the problem often: people don’t secure the one thing that, if accessed by a malicious party, can give carte blanche for destruction.

One simple way to secure your installation is to slightly modify your config.inc.php file:

Look for this line:

$cfg['Servers'][$i]['auth_type'] = 'config';

Change “config” to “http”. By doing this, you will require that the database information (username and password) be entered prior to accessing PHPMyAdmin. Of course, this only addresses attacks over the web. If someone tries to remotely connect to your database and knows the root password, or the credentials for any of your database, then you’re still vulnerable.

One way to address the security of your config.inc.php file is to secure the directory that it’s stored in. This is especially important if you should be on a shared server.

Of course, there is still the matter of your SQL port, 3306, being open to remote attacks. The solution to this problem can be found in the /etc/my.cnf file.

You need to add this line to make it so that only your server can connect to the SQL server.

Ensure that it’s under the “[mysqld]” section:

bind-address = 127.0.0.1

This sets it so that the SQL daemon only listens for connections locally, i.e. on your server. Anyone who tries to connect remotely will be denied. Now, the argument could be made that you could also try to add “skip-networking” to your my.cnf file, and then specify the path to your socket file, but you still need a way to administer your SQL, preferably via SSH. By adding the “bind-address” command, you can do just that.

The name of the game is security, and assumption. You have to assume that everyone’s out to attack you. If you think like that, you’ll narrow down all the ports that are exposed, and secure your server. Your SQL server is, like your DNS server, vital. It most likely powers your site. If the database is attacked, the damage can be considerable. Do understand that if a hacker is intent enough, they will find a way in, but by making it as difficult as possible, you reduce the chances of that happening.

Validate your input

July 13th, 2010

An important thing to consider when accepting input from users is validation. When PHP is used, powerful functions can be performed. The problem is that it can also do powerful and bad things if a malicious user is entering data which isn’t validated.

Consider this: you accept input asking for a month or year. The problem is that a user decides to enter `";rm -rf *` after the year, and in so doing could cause the deletion of your whole website. Obviously, this is not a good thing, so what to do? Data validation is the answer. As the name suggests, it validates or verifies data, ensuring that it complies to form.
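The month/year case above, as an added example (not the post’s own code): the values are accepted only if they are whole numbers inside a sensible range, and the file path is built from the validated integers rather than the raw strings. The three inputs at the bottom are constructed, including the hostile one from the post.

```php
<?php
// Added example (not from the original post): validate a month/year form
// input as whole numbers in range before it touches the file system or a shell.
// The inputs below are constructed to show accepted and rejected cases.

declare(strict_types=1);

function validateMonthYear($month, $year): ?array
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // so '2010";rm -rf *' fails here and never reaches a shell or a path.
    $m = filter_var($month, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1,    'max_range' => 12]]);
    $y = filter_var($year,  FILTER_VALIDATE_INT, ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
    if ($m === false || $y === false) {
        return null;
    }
    return ['month' => $m, 'year' => $y];
}

function archivePath(int $month, int $year): string
{
    // Build the path from the validated integers, never from the raw strings.
    return sprintf('/var/www/archive/%04d/%02d.html', $year, $month);
}

$cases = [
    ['month' => '7',  'year' => '2010'],
    ['month' => '7',  'year' => '2010";rm -rf *'],   // constructed hostile input
    ['month' => '13', 'year' => '2010'],             // out of range
];

foreach ($cases as $c) {
    $ok = validateMonthYear($c['month'], $c['year']);
    echo $ok === null
        ? 'rejected: ' . json_encode($c) . "\n"
        : 'accepted: ' . archivePath($ok['month'], $ok['year']) . "\n";
}
```

If a validated value genuinely has to be handed to a shell command, wrap it in escapeshellarg() as well; validation and quoting are separate layers, and the first one is the one that stops the example in the post.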

The importance of secure PHP code

July 12th, 2010

In recent days, I’ve talked about the importance of server hardening and security, but there’s another aspect of the integrity of your server that must not be ignored: PHP code.

If you don’t have secure PHP code, you may find yourself the victim of numerous types of attack, including SQL injection attacks, which, as the name suggests, go directly after your database, which in most cases is the very heart of your website or application.
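The SQL injection risk named above, as an added example (not the post’s own code): the same lookup written with string concatenation and then with a PDO prepared statement, run against an in-memory SQLite database so that no MySQL server is needed. The table, its rows and the injection-style input are all constructed; the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the original post): the same lookup written with
// string concatenation and with a prepared statement, run against an in-memory
// SQLite database so it needs no MySQL server. Requires the pdo_sqlite extension.

declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// Vulnerable: the user-supplied name becomes part of the SQL text.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the name travels as a bound parameter and is never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db    = setupDb();
$input = "nobody' OR '1'='1";   // constructed injection-style input

// The concatenated query matches every row; the prepared one matches none,
// because no user is literally named "nobody' OR '1'='1".
echo 'unsafe rows: ' . count(findUserUnsafe($db, $input)) . "\n";
echo 'safe rows:   ' . count(findUserSafe($db, $input)) . "\n";
```

The same two functions behave identically against MySQL once the DSN is changed; the point is that the bound parameter cannot alter the statement’s structure, whatever it contains.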

SSL increases confidence

July 9th, 2010

If you run a commerce website, you’ve probably heard about SSL certificates. Depending upon the level of certificate that you have, they verify the validity of your domain, up to detailed information about your company. An SSL certificate isn’t handy just for commerce sites, however. It’s a vital website security component for any site that deals with personal information of any sort.

These days, attacks on servers are commonplace, and website users are wary, especially when it comes to entering sensitive information. That’s where an SSL certificate comes in handy. It increases consumer confidence, and confidence of visitors in general. It shows that you’re serious about what you’re doing.

An easy way to reduce attacks

July 8th, 2010

The server hardening process can be a daunting task for someone who’s new to the process, or who’s new to hosting in general. The good news is that there’s one simple way to help reduce attacks on your server, or at least its PHP applications.

If you run an e-commerce site, chances are you run a CMS such as WordPress, and a shopping cart application such as WHMCS. Both of these applications, like nearly all others, have a login module for the administrators. Especially in the case of well-known programs, there are plenty of people who know how to find your administrative login panel, and that includes those with less than honourable intentions.

Hardening your server

July 7th, 2010

Hardening your server is perhaps the best way to prevent, or at least reduce, attacks on your server. What follows is a basic overview of what you should do to harden your server. If you are not completely comfortable doing this, you should retain the services of someone who is, to avoid data loss.

The key service you want to secure is SSH, as that is perhaps the most vulnerable. If someone should have access through this protocol, they would have complete power over your server, and all the sites on it.

Disabling phpinfo

July 6th, 2010

The phpinfo() function is a very powerful one; through it, you can learn quite a lot about your PHP installation. The problem is, so can someone else. PHP, of course, is a very powerful application, but it is also a very powerful tool that can be used to compromise your server’s security if used by the wrong person.

The best way to combat the potential problems that someone using phpinfo() can cause is, of course, to not have a script accessible to the public that runs the command. Sometimes, during the testing process, you need to upload a simple script that executes the command, for your own reference. It’s simply phpinfo(), inserted into PHP brackets.

If you should forget to delete the script when you’re done, it’s possible that someone who’s intent on compromising your system could try to find the page, especially if you name it something simple such as test.php or phpinfo.php. If you’re the extremely cautious sort, there’s something you can do.

You can completely disable phpinfo(), and then re-enable it later should you need to perform more testing. To do this, find your php.ini file. The location can be found by executing the phpinfo() command, as the precise location depends on your operating system and distribution. Once you’ve found the file and opened it with your favourite text editor, insert the following command:

disable_functions = phpinfo

Reboot your server, and you’re secure. Just remember to re-enable it if you should need to do further testing on PHP.

There are all sorts of things you can do to make your server secure. Securing PHP is one of the most vital things, because PHP can be used as a gateway into your system, even being used to perform SQL injection attacks. Of course, one would really have to know what they’re doing to gain access to your system, but you never want to give out too much information. By disabling phpinfo(), you can accomplish that, at least as far as PHP is concerned.
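A way to confirm that the php.ini change took effect, as an added example (not the post’s own code): the script reads the disable_functions setting back through ini_get() and cross-checks it with function_exists(), which returns false for a function that has been disabled that way.

```php
<?php
// Added example (not from the original post): verify from PHP itself that
// phpinfo() is disabled, so the php.ini change can be confirmed after the restart.

declare(strict_types=1);

function disabledFunctions(): array
{
    // ini_get() returns the comma-separated disable_functions list ('' if none).
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter($list, fn ($f) => $f !== ''));
}

function isFunctionDisabled(string $name): bool
{
    // function_exists() reports false for a function listed in disable_functions,
    // so both checks should agree; either one failing means it is still callable.
    return in_array(strtolower($name), disabledFunctions(), true) && !function_exists($name);
}

$status = isFunctionDisabled('phpinfo') ? 'disabled' : 'ENABLED';
echo "phpinfo(): $status\n";
echo 'disable_functions = ' . implode(', ', disabledFunctions()) . "\n";
```

Run it through the web server rather than the command line: the CLI often reads a different php.ini than the web SAPI, so a check from the shell can report “disabled” while the copy serving pages still has phpinfo() available. Delete the check script afterwards for the same reason the post gives for test.php.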

Keeping your site secure

July 4th, 2010

Obviously, keeping your site secure is one of your primary goals as an administrator. As discussed in an earlier post, filtering IP addresses is one piece of the puzzle.

But what other aspects are there to keeping your site secure? What follows is a brief list of ideas, which will be expanded upon in future posts. The security of your server simply cannot be ignored. Too often, administrators or webmasters throw caution to the wind, and leave things to chance. It’s really quite simple, although potentially time-consuming, to secure one’s server.

PHP Developer – Base64

July 3rd, 2010

Base64 is a type of encoding (NOT encryption). Essentially, you can take any binary data and encode it using an alphabet of 64 printable characters. For more information on the encoding process and how this is done, visit http://en.wikipedia.org/wiki/Base64.

It is useful for a variety of things, specifically encoding non-standard characters that may not be safe to pass around, such as in a browser address bar or in a plaintext email.

Here’s one example:

<?php
// Build a small object, serialize it to PHP's text format,
// then base64-encode the result so it contains only safe characters
$obj = new stdClass();
$obj->a = "test";
$obj->b = "string";
$obj->c = 12345;
$output = base64_encode(serialize($obj));
echo $output;
?>

This returns 'Tzo4OiJzdGRDbGFzcyI6Mzp7czoxOiJhIjtzOjQ6InRlc3QiO3M6MToiYiI7czo2OiJzdHJpbmciO3M6MToiYyI7aToxMjM0NTt9'

We could now pass this as an HTTP safe string between pages, decoding with $v = unserialize(base64_decode($output));

This is obviously not an optimal way of storing or passing this example data between various pages however is one example of how base64 encoding can be used.
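A URL-safe variant of the technique above, as an added example that goes a little beyond the post (it is not the post’s own code). Standard base64 output can contain '+', '/' and '=', which have to be URL-encoded before they are safe in a query string, so this uses the base64url alphabet instead; it carries JSON rather than a serialized object, decodes in strict mode so stray characters are rejected, and appends an HMAC so the receiving page can tell a modified token from a genuine one. The key is a constructed placeholder.

```php
<?php
// Added example (not from the original post): base64url-encoded JSON with an
// HMAC tag, for passing small structured values between pages via a URL.
// DEMO_KEY is a constructed placeholder; a real key belongs in configuration.

declare(strict_types=1);

const DEMO_KEY = 'replace-me-with-a-random-secret';   // constructed placeholder

function base64urlEncode(string $bytes): string
{
    // Swap the two URL-hostile alphabet characters and drop the '=' padding.
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64urlDecode(string $text): ?string
{
    // Restore the standard alphabet and padding, then decode strictly.
    $padded = strtr($text, '-_', '+/') . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $bytes  = base64_decode($padded, true);   // strict: reject stray characters
    return $bytes === false ? null : $bytes;
}

function packToken(array $data, string $key): string
{
    $body = base64urlEncode(json_encode($data, JSON_THROW_ON_ERROR));
    $tag  = base64urlEncode(hash_hmac('sha256', $body, $key, true));
    return $body . '.' . $tag;
}

function unpackToken(string $token, string $key): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $tag] = $parts;
    $expected = base64urlEncode(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expected, $tag)) {
        return null;                              // tampered, or wrong key
    }
    $json = base64urlDecode($body);
    if ($json === null) {
        return null;                              // not valid base64url
    }
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Same fields as the post's stdClass example, as a plain array.
$token = packToken(['a' => 'test', 'b' => 'string', 'c' => 12345], DEMO_KEY);
echo "token: $token\n";                              // usable in a query string as-is

$decoded  = unpackToken($token, DEMO_KEY);
$tampered = unpackToken('A' . substr($token, 1), DEMO_KEY);   // first body char altered
echo 'genuine token decodes: ' . ($decoded !== null ? 'yes' : 'no') . "\n";
echo 'tampered token decodes: ' . ($tampered !== null ? 'yes' : 'no') . "\n";
```

hash_equals() does the tag comparison in constant time, and the JSON payload means the receiving page never has to unserialize() anything it was handed by the browser.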

The value of iptables

July 2nd, 2010

A system administrator’s work is never done, especially with DDOS attacks and other security concerns. How do you block traffic from malicious sources? With the iptables command line program, it’s quite easy for an administrator to set up rules based on IP addresses or blocks of addresses.

Rather than discuss the details of the program, let’s discuss the value of installing it on your server in the first place. The rules are easy to set up, and in essence, you can easily block traffic from sources that have proven to be malicious. In theory, you could block traffic on a preemptive basis, such as refusing traffic from blocks belonging to certain ISPs or countries. The problem with this approach is that you run a severe risk of blocking legitimate traffic.