smartfaq
SmartFAQ is developed by The SmartFactory (http://www.smartfactory.ca), a division of InBox Solutions (http://www.inboxsolutions.net)

How can I protect my site from malicious attack?
Requested and Answered by Carnuke on 2004/11/27 10:25:11 (18953 reads)
There are several basic steps outlined elsewhere in these FAQs, such as correct use of file/folder permissions, .htaccess, index redirects, rejection of uploading unsafe MIME types and regular backups. It is also good policy to use your groups system to filter users, allowing extended privileges only to trusted members. There are also extra measures you can take to protect your site. Here is an extract from a module called "Protector". Please also see the forum thread Protector module usage. Quote:

Xoops Protector is a module to defend XOOPS2 from various malicious attacks. This module can protect against four kinds of attack:
- DoS
- SQL Injection
- XSS
- System global variable pollution
Xoops Protector defends your XOOPS from these attacks, and records them in its log. Of course, not all vulnerabilities can be prevented. Please do not be overconfident. However, I recommend installing this module to all XOOPS users.

= RELATION to AntiDoS-P =
The antecedent of Xoops Protector was AntiDoS-P. Since all functions of AntiDoS-P have been carried over into Xoops Protector, you had better uninstall AntiDoS-P.

= USAGE =
Please install it as you would a usual module. Turn "Protector block" on and put the block at the top of the left side by blocks admin. Turn the block's permission on for all groups by groups admin. You can do that easily by using Blocks&Groups Admin of Protector. I strongly recommend calling this module from mainfile.php also. After Xoops Protector is installed, edit your mainfile.php like this:
define('XOOPS_GROUP_ADMIN', '1');
define('XOOPS_GROUP_USERS', '2');
define('XOOPS_GROUP_ANONYMOUS', '3');

include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ;

if (!isset($xoopsOption['nocommon'])) {
    include XOOPS_ROOT_PATH . "/include/common.php";
}
Insert that line just before the line if (!isset($xoopsOption['nocommon'])) {. Both pre-check and block-check are needed. If you need the feature of "IP Ban", turn on "System admin" -> "Preferences" -> "General" -> "Enable IP Bans". When you turn this on, you have to check whether your IP is included in "Enter IP addresses that should be banned from the site".
Protector is available from PEAK XOOPS http://www.peak.ne.jp/xoops/. There is also a good article on protecting mainfile.php from ever displaying sensitive information in the event of a PHP failure. The article can be found on Xoops-Tips: Protecting mainfile.php. Besides the tips given there, there are more things to do. I like to prevent attempts to even try pulling the file in a browser.
<Files "mainfile.php">
Order allow,deny
Deny from all
</Files>
This will log a Forbidden error in your server logs.

Another way is to encrypt the file itself. Most of the PHP add-on accelerators/compilers have an encryption feature. Typically these are used for commercial applications so that the customer can't see the code, but they are also handy for sensitive files like this. The file becomes unreadable except to the webserver, and only if the server is using the same engine. Zend products and MMCache are two that I've tried. Since you rarely need to edit the file, this is a useful trick: you store the raw file somewhere safe so you can edit and re-encrypt it later. I don't see this as much different from an SSL key file, which also must be protected. If your server gets rooted you have other problems. See also this forum post for more details on the Protector module.

Monitoring

Recently another XOOPS module has been developed and released, called Netquery. This module offers a number of security checks and traces on visitors to your site.

See also more security-related FAQs here:
- Can users upload viruses to my site?
- How can I ban a user?
- Why should there be an index.html file in all directories?
- What are spiders and bots and how do I control what they do?
- How secure will my Xoops website be?
- How do I CHMOD to 0444?
- What is CHMOD?
- What are the correct file permissions?


  • XOOPS is my life!

 allow_url_fopen

One of the Protector module's security checks is whether the PHP configuration option allow_url_fopen is on.

Note that allow_url_fopen can only be changed in the main Apache configuration file (httpd.conf) or the PHP configuration file (php.ini), and not in an Apache per-directory configuration file (.htaccess) or via the PHP ini_set() function.

This was a change effected in PHP 4.3.5, and older PHP Manuals may incorrectly show allow_url_fopen's changeability as PHP_INI_ALL, while it is actually PHP_INI_SYSTEM.

The files httpd.conf and php.ini are normally changeable only by a server administrator, so someone with a web hosting account would not be able to modify those files.

Here's an example of disabling allow_url_fopen in httpd.conf:

<Directory "/opt/lampp/htdocs/xoops">
php_admin_flag allow_url_fopen off
</Directory>

References:
http://bugs.php.net/bug.php?id=28497
http://www.php.net/ChangeLog-4.php
http://us3.php.net/manual/en/function.ini-set.php
http://www.php.net/manual/en/configuration.changes.php

 
  • Just popping in

 STEP by STEP

Quote:

After I activate the block, should I be able to see it as webmaster? It is checked off as "visible" but no block is showing.
Protector Module Usage

No, you shouldn't. Since there is no visible block in protector module at all.

All you have to do is as following:

0. Edit your mainfile.php
define('XOOPS_GROUP_ADMIN', '1');
define('XOOPS_GROUP_USERS', '2');
define('XOOPS_GROUP_ANONYMOUS', '3');

include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ; // the line to add

if (!isset($xoopsOption['nocommon'])) {
    include XOOPS_ROOT_PATH . "/include/common.php";
}

1. Install Protector like the other modules.

2. Go to Protector > Protect Center

3. Confirm whether "IP Ban" is turned on or not.

4. It should be turned on by default. If not, go to the next step first, and then turn it on.

5. Confirm that your IP is not registered as one of the Bad IPs.

6. Go to Protector > Preference

7. Set "Rescue password"(It is recommended to use a different password from the others: webmaster's, SQL's, and so on...)

8. Go to Protector > Blocks&Groups Admin

9. The block must be the first to be loaded. So set the values as follows: Side: "Left", Weight: "0", Visible in: "All pages", Cache lifetime: "No cache".

10. The block should be "accessible" by all groups though the block itself remains "invisible"...
In other words, just check the block permission for all groups, which usually makes it "visible" to all groups; however, this one is just invisible.
Bear in mind that you don't need to give "Module Admin rights" and "Module Access rights" to any group other than Webmaster.

11. Go to Preference > Block

12. Confirm that there is no other Left-Block with its Weight "0" in order to make the Protector block the first one.

13. Go to Protector > Security Advisory

14.
Quote:

'register_globals' : on Not secure
'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
'mainfile.php' : patched ok
'Password for rescue' : ok

This is a common report if you use a shared server, probably. You may turn off the first two by using .htaccess, though it depends on your circumstances.
Quote:

php_flag register_globals off
php_flag allow_url_fopen off

Once you've finished installing Xoops, it's rather difficult to change XOOPS_DB_PREFIX... Follow the advice if you're not familiar with MySQL...

15. At last, it's time to examine its protection! Are you prepared? Remember your "Rescue password"?

16. Click the two links on the bottom.

17. Ah... you must be facing the notorious phenomenon --- Blank/White Page!!!

18. But don't worry. Just access "http://(your xoops)/modules/protector/admin/rescue.php", and input the password.

19. Go to Protector > Protect Center

20. Can you see your records? Just remove both of them, and turn on IP bans.
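As an added example, not Protector's own code and not part of the original post: the small Python audit below reproduces the four verdicts of the Security Advisory report in step 14 (register_globals, allow_url_fopen, the default XOOPS_DB_PREFIX, and whether mainfile.php carries the precheck include before include/common.php and the postcheck include after it, the order the README excerpt and a later reply in this thread describe) on text you pass to it, so it runs offline. It also applies the point made in the allow_url_fopen comment earlier on this page: register_globals is PHP_INI_PERDIR, so a php_flag line in .htaccess changes it under mod_php, but allow_url_fopen has been PHP_INI_SYSTEM since PHP 4.3.5, so the same line for it in .htaccess has no effect, and the audit says so instead of reporting a false "ok". The php.ini, httpd.conf, .htaccess and mainfile.php contents embedded at the bottom are constructed samples of a typical shared host, not files from any real site; the PHP defaults used when nothing sets a flag (register_globals off since 4.2.0, allow_url_fopen on) are the compiled-in values; all function names are the example's own. One caveat for anyone taking the .htaccess route: php_flag and php_value are directives of the Apache PHP module, so where PHP runs as a CGI or FastCGI binary Apache does not recognise them and answers every request below that .htaccess with a 500 error, which is a common cause of the whole-site lockout described later in this thread.

```python
"""Offline audit of the settings Protector's Security Advisory reports on.

Added example, not Protector's code. Every input is plain text, so the
samples at the bottom (constructed, not from a real host) let it run as is.
"""
import re

# Compiled-in PHP defaults (PHP >= 4.2.0) used when no config file sets a flag.
DEFAULTS = {"register_globals": False, "allow_url_fopen": True}

# Where each flag may be changed. register_globals is PHP_INI_PERDIR, so a
# php_flag line in .htaccess works under mod_php; allow_url_fopen has been
# PHP_INI_SYSTEM since PHP 4.3.5 (php.ini or httpd.conf only).
SCOPE = {"register_globals": "PHP_INI_PERDIR", "allow_url_fopen": "PHP_INI_SYSTEM"}

_TRUE = {"on", "1", "true", "yes"}


def parse_php_ini(text):
    """Return {flag: bool} for 'name = value' lines in php.ini-style text."""
    flags = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop php.ini comments
        m = re.match(r"(\w+)\s*=\s*(\S+)$", line)
        if m:
            flags[m.group(1).lower()] = m.group(2).strip('"').lower() in _TRUE
    return flags


def parse_apache(text):
    """Return {flag: (bool, directive)} for php_flag / php_admin_flag lines."""
    flags = {}
    for raw in text.splitlines():
        m = re.match(r"\s*(php_admin_flag|php_flag)\s+(\w+)\s+(\S+)", raw, re.I)
        if m:
            flags[m.group(2).lower()] = (m.group(3).lower() in _TRUE, m.group(1).lower())
    return flags


def effective_flag(name, php_ini, httpd_conf, htaccess):
    """Resolve a flag the way mod_php does: php.ini, then httpd.conf, then
    .htaccess, except that .htaccess cannot change a PHP_INI_SYSTEM flag or
    one pinned with php_admin_flag in httpd.conf.
    Returns (value, ignored); ignored is True when an .htaccess line had no effect."""
    value = parse_php_ini(php_ini).get(name, DEFAULTS.get(name, False))
    conf = parse_apache(httpd_conf).get(name)
    if conf is not None:
        value = conf[0]
    ht = parse_apache(htaccess).get(name)
    if ht is None:
        return value, False
    pinned = conf is not None and conf[1] == "php_admin_flag"
    if SCOPE.get(name) == "PHP_INI_SYSTEM" or pinned:
        return value, True
    return ht[0], False


def mainfile_patched(source):
    """True when precheck.inc.php is included before include/common.php and
    postcheck.inc.php after it, the order Protector's README requires."""
    pre = source.find("protector/include/precheck.inc.php")
    common = source.find("/include/common.php")
    post = source.find("protector/include/postcheck.inc.php")
    return -1 < pre < common < post


def db_prefix_is_default(source):
    """XOOPS installs with prefix 'xoops'; an attacker who can guess the table
    names has an easier time shaping an SQL injection payload."""
    m = re.search(r"define\(\s*'XOOPS_DB_PREFIX'\s*,\s*'([^']*)'", source)
    return m is not None and m.group(1).lower() == "xoops"


def security_advisory(php_ini, httpd_conf, htaccess, mainfile):
    """Produce the same verdicts Protector's Security Advisory page shows."""
    report = {}
    for name in ("register_globals", "allow_url_fopen"):
        on, ignored = effective_flag(name, php_ini, httpd_conf, htaccess)
        verdict = "Not secure" if on else "ok"
        if ignored:
            verdict += " (.htaccess php_flag has no effect: %s)" % SCOPE[name]
        report[name] = verdict
    report["XOOPS_DB_PREFIX"] = "Not secure" if db_prefix_is_default(mainfile) else "ok"
    report["mainfile.php"] = "patched ok" if mainfile_patched(mainfile) else "not patched"
    return report


# Constructed samples standing in for a shared host (not real files).
SAMPLE_PHP_INI = """
; php.ini as shipped by the host
register_globals = On
allow_url_fopen = On
"""
SAMPLE_HTTPD_CONF = ""          # a hosting customer cannot edit httpd.conf
SAMPLE_HTACCESS = """
php_flag register_globals off
php_flag allow_url_fopen off
<Files "mainfile.php">
Order allow,deny
Deny from all
</Files>
"""
SAMPLE_MAINFILE = """<?php
define('XOOPS_DB_PREFIX', 'xoops');
define('XOOPS_GROUP_ANONYMOUS', '3');
include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ;
if (!isset($xoopsOption['nocommon'])) {
    include XOOPS_ROOT_PATH . "/include/common.php";
}
include( XOOPS_ROOT_PATH . '/modules/protector/include/postcheck.inc.php' ) ;
"""

if __name__ == "__main__":
    for key, verdict in security_advisory(SAMPLE_PHP_INI, SAMPLE_HTTPD_CONF,
                                          SAMPLE_HTACCESS, SAMPLE_MAINFILE).items():
        print("'%s' : %s" % (key, verdict))
```

Run as is, it reports register_globals as ok (the .htaccess line took effect), allow_url_fopen as Not secure with a note that the .htaccess line was ignored, the prefix as Not secure and mainfile.php as patched ok. To audit a real install, read the four files from the paths the page names and pass their contents in. The mainfile.php check is textual, so a commented-out include would still pass; treat its "patched ok" as a prompt to confirm in Protector > Security Advisory, which remains the authoritative check.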

 
  • Home away from home

 Re: STEP by STEP

Thanks Dave_l and Olorin for valuable supplementary information on this important subject. I would like to make a concise and comprehensive guide from this FAQ especially in light of the recent forum thread 'Xoops on crack' Any more information, gratefully received by all.

 
  • Just popping in

 Re: STEP by STEP

Hey, all (if anyone out there is listening)--

In the installation instructions, where the edits to mainfile.php are explained, it says

Quote:

Both pre-check and block-check are needed.


Does that mean that the line:

Quote:
include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ;


needs to be repeated, but with "include/blockcheck.inc.php" at the end?

mongrel

 
  • XOOPS is my life!

 Re: STEP by STEP

No.

"block-check" refers to enabling the Protector block, as discussed earlier in the README.

Or maybe it's a typo, and is supposed to be "pre-check and post-check".

 
  • Just popping in

 Re: STEP by STEP

Thanks, Dave!

One other question if you or anyone else has time to answer it:

2. When clicking Protector's "Security Advisory" report, I get a "Not Secure" pertaining to 'register_globals' : on.

The recommendation is:

Quote:

If you can put .htaccess, edit or create...

/home/(XYZ)/public_html/.htaccess

php_flag   register_globals   off


When I add that to the .htaccess file, in that directory, NOBODY can access ANY portion of the site. So, what's the deal? Is there more code that's not mentioned that is supposed to be included in .htaccess? Should .htaccess file with this line go in some other directory. I'm confused!

I posted over at Protector's site, peak.ne.jp, and got:

Quote:
I'm sorry that I'm too busy to answer about FAQ.

You should learn about .htaccess by yourself.


I'm trying to learn a million and one Xoops-related things mostly by myself right now. And I DID read up about .htaccess. On several sites, including the ones mentioned here. But I'm a journalist, not a programmer, so right now, I'd like get my site secured ASAP while I'm learning.

I sure will appreciate any advice/answers anyone can provide. Thanks!

mongrel

 
  • XOOPS is my life!

 Re: STEP by STEP

I suggest reposting your questions in the forums. Having discussions like this in the FAQ makes it harder for people to use the FAQ as a reference.

 
  • XOOPS is my life!

 Re: STEP by STEP

@mongrel
The second line you need to add to mainfile.php is missing from the instructions shown above. The post-check line follows the xoopsOption code after the brace:

include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ;

if (!isset($xoopsOption['nocommon'])) {
    include XOOPS_ROOT_PATH . "/include/common.php";
}

include( XOOPS_ROOT_PATH . '/modules/protector/include/postcheck.inc.php' ) ;

Also, in protector 2.40RC + there is no longer the requirement to add the 'protector' block. You just install the module and configure it.

 
  • Friend of XOOPS

 Re: STEP by STEP

Also add the following to the .htaccess file to make sure no one can read it:

<Files .htaccess>
order allow,deny
deny from all
</Files>