Frogg logo

Frogg's web tools

Hand Crafted Tools

Home > Articles > Website securities
Welcome on Frogg's web tools | Current date :
11/12/2018

Tutorial Website securities

Webserver Apache security

Server configuration

# [ Server Signature ] (only if like me you don't care about defiance)
ServerSignature Off
# [ Server tokens info ]
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
ServerTokens Prod
# [ Trace Mode ]
TraceEnable Off
# [ Prevent DDOS ]
# Limit timeout to 45
Timeout 45
# Limit request to 2Mb
LimitRequestBody 2096576
# Limit xml size to 1Mb
LimitXMLRequestBody 10485760

HTTPS

Check your level of security on web sites like www.ssllabs.com, then set your configuration to prevent exploit.

This is the configuration i use for an A ranking :
# [ HTTPS Site ]


SSLEngine on
SSLOptions +StrictRequire
SSLProxyEngine off
SSLHonorCipherOrder on

#SSL Compression (CRIME attack)
SSLCompression off

#HSTS
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

SSLCertificateFile /opt/web/ssl/home.frogg.fr.crt
SSLCertificateKeyFile /opt/web/ssl/home.frogg.fr.key
SSLCertificateChainFile /opt/web/ssl/sub.class1.server.ca.pem


    SSLRequireSSL



Blocking bad bots & bad requests

  • Limit request method to GET, HEAD & POST
  • Block empty user agent & suspicous user agent
  • Bloc request trageting localhost (if you are not configured to receive request on it)
  • Bloc request not strating with / (if you don't use proxy)
  • Bloc suspicious referer, a normal referer should start with http or being empty

This is the configuration i use to redirect bad traffic to 406 page :

RewriteCond %{HTTP_USER_AGENT} ^-?$|curl|perl|python|\\x.*?\\x [NC,OR]
RewriteCond %{HTTP_HOST} localhost [OR]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ [OR]
RewriteCond %{REQUEST_URI} !^/ [OR]
RewriteCond %{HTTP_REFERER} "!^$|^http"
RewriteRule .* - [END,R=406]

File upload security

Upload system

  • Check File extensions and Mime Types
  • Make sure that the file name not bigger than 250 characters.
  • Save file with a new filename
  • Use move_uploaded_file function (for php)

Upload folder

prevent file execution in upload folder
RemoveHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .exe
Options -Indexes
Options -ExecCGI 
php_flag engine off

Send mail security

$to      = "bob@domain_example.co.za";
$subject = $_REQUEST["subject"];
$body = $_REQUEST["body"];
$email = $_REQUEST["email"];

function is_valid_email($email) {
  return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

function contains_bad_str($str_to_test) {
  $bad_strings = array(
                "content-type:"
                ,"mime-version:"
                ,"multipart/mixed"
		,"Content-Transfer-Encoding:"
                ,"bcc:"
		,"cc:"
		,"to:"
  );
  
  foreach($bad_strings as $bad_string) {
    if(eregi($bad_string, strtolower($str_to_test))) {
      echo "$bad_string found. Suspected injection attempt - mail not being sent.";
      exit;
    }
  }
}

function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "newline found in $str_to_test. Suspected injection attempt - mail not being sent.";
     exit;
   }
} 

if($_SERVER['REQUEST_METHOD'] != "POST"){
   echo("Unauthorized attempt to access page.");
   exit;
}

if (!is_valid_email($email)) {
  echo 'Invalid email submitted - mail not being sent.';
  exit;
}

contains_bad_str($email);
contains_bad_str($subject);
contains_bad_str($body);

contains_newlines($email);
contains_newlines($subject);

$headers = "From: $email";
mail($to, $subject, $body, $headers);
from http://www.phpbuilder.com/columns/ian_gilfillan20060412.php3?page=2

A php function exist to test email validity :
filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
Page created by the 15/09/2016 21:02
Generated in 0.009 sec & displayed in ... sec