Archive for the ‘Web Administration’ Category

Simple Linux Server Security Tips

Thursday, August 18th, 2011

Linux is one of the more secure operating systems. However, in a world full of crackers (evil-minded geeks and hackers), a Linux server is not as secure as we like to think.

Step 1: How to secure SSH port in Linux server?

Gaining root access over SSH is the primary goal of most crackers. Once they have root, they install rootkits, keyloggers, mail bombs and so on. They usually try to get in with common username and password combinations, attempting login after login in a brute-force attack.

sshd listens on port 22 by default, so that is the port every scanner and brute-force bot tries first.

You can change it to a non-default number such as 2323 or 3009, something that is not guessed at once. Keep in mind that moving the port only cuts down the automated noise in your logs; a port scan finds the new port in seconds, so in the same file also disable root login (PermitRootLogin no) and password logins (PasswordAuthentication no) and use SSH keys instead. Those two settings are what actually make a brute-force attack pointless.

/etc/ssh/sshd_config

The file above is the default sshd configuration file. Change its "Port" value with vi or nano, then restart sshd. The CentOS documentation has clear instructions on moving the SSH port to a non-standard number; they apply to any Red Hat based distribution. Two things bite people here: on a system with SELinux enforcing, the new port has to be allowed for the ssh_port_t type, and the firewall has to permit it, both before you restart sshd. Always test the new port from a second session before closing the one you edited from, or you lock yourself out.
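Here is what the relevant part of /etc/ssh/sshd_config looks like before and after, as an added example; this is not taken from the original post or from the CentOS documentation. The port number 2323 comes from the text above, the default values shown in the "weak" half are those of the OpenSSH releases of that time, and the user name admin under AllowUsers is a placeholder for your own unprivileged account.

```text
# --- Weak: what a stock sshd effectively ran (the defaults the post leaves alone) ---
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes

# --- Hardened: the non-default port plus the settings that stop brute force ---
Port 2323
# Log in as an unprivileged user and use su/sudo; root can no longer be brute-forced at all
PermitRootLogin no
# Keys only: a guessed password is useless (put your key in ~/.ssh/authorized_keys first)
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
# Drop a connection after three bad attempts or 30 seconds without a login
MaxAuthTries 3
LoginGraceTime 30
# Placeholder account name: only the users listed here may even attempt to log in
AllowUsers admin
```

Check the file with `sshd -t` before restarting. On CentOS with SELinux enforcing, `semanage port -a -t ssh_port_t -p tcp 2323` allows sshd to bind the new port; open the same port in the firewall, restart sshd, and confirm a key-based login on 2323 from a second terminal before you close the session you are working in.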

Step 2: Always check your /tmp folder

It is like checking the trash can in your bedroom for hidden cameras. Yes, some crackers upload *.php, *.py or *.sh files to your server's /tmp directory and turn them into a spamming bot running on your server. Check /tmp regularly for suspicious files, especially recently modified scripts and anything with the execute bit set, and delete them. Deleting the file alone rarely pays off, though: you have to find the hole that let it in, so audit the web applications that allow file uploads and any anonymous FTP upload area on the server. Mounting /tmp with the noexec, nosuid and nodev options takes away the easy way of running whatever was dropped there.

Step 3: Disable Anonymous FTP Service

Enabling anonymous FTP is like inviting burglars in by leaving your window open.

 

/etc/proftpd.conf

/etc/vsftpd/vsftpd.conf

Simply disable anonymous FTP in whichever daemon you run: set anonymous_enable=NO in vsftpd.conf, and remove or comment out the <Anonymous> block in proftpd.conf. Then restart the service and confirm that an anonymous login is refused.

Step 4: Always use SFTP and completely stop using FTP

SFTP is more important than you think. Plain FTP sends your username, password and files in clear text, and Windows FTP clients such as FileZilla, SmartFTP and CoreFTP have been targeted by malware that harvests the credentials they store; the stolen credentials are then used to upload "Trojan Horse JavaScript" into your website files. I personally got hit by many JavaScript trojans because of virus-infected FTP client transfers. SFTP runs over SSH, so the credentials and the transfer are encrypted. This wiki page has clear and simple information about how to set up SFTP.

Step 5: How to disable direct file or image hotlinking?

Let's say you have a cool picture on your website, http://mywebsite.com/images/picture.jpg. If someone embeds your file in his website, and his website has thousands of visitors per day, you end up paying for the excess bandwidth. Disabling hotlinking saves money on server bandwidth. The tool linked here lets you generate .htaccess code for hotlink protection.
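An .htaccess fragment that does what such a generator produces, added here as an example; it is neither the tool's output nor part of the original post. It assumes the site is mywebsite.com as in the text, Apache with mod_rewrite loaded, and AllowOverride permitting rewrite directives in that directory.

```apache
RewriteEngine On
# Let requests with no Referer through: direct visits, privacy proxies and
# browsers that strip the header would otherwise lose your own images too.
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site, with or without www, over http or https.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mywebsite\.com/ [NC]
# Every other request for an image gets 403 Forbidden.
RewriteRule \.(jpe?g|png|gif)$ - [F,NC]
```

The Referer header is set by the client, so this stops browsers embedding your images from other pages, which is where the bandwidth goes; it is a cost control, not access control, and anyone with a scripted client can send a forged Referer and fetch the file anyway.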

 

 

Now Check Your Website Worth

Thursday, May 8th, 2008

Here is a tool to measure your website's worth ;)
Put the banner on your pages, and cheat a little if someone is willing to buy yours... LOL

Calculate it at : http://www.websiteoutlook.com/www.secureslash.com


My site is worth $4321.6.
How much is yours worth?

Apache Benchmark Results – PHP vs PERL

Thursday, May 8th, 2008

I have used the Apache benchmarking tool and ran it for 1000 requests with
concurrency 2

You can learn about this tool on http://httpd.apache.org/docs/2.0/programs/ab.html

Testing PHP

This is the result of processing the whole secureslash.com/index.php. We sent 1000 requests
to it to see how it performs.

PHP Results:

Requests per second:    85.96 [#/sec] (mean)
Time per request:       58.168 [ms] (mean)
Time per request:       11.634 [ms] (mean, across all concurrent requests)

This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 1997-2005 The Apache Software Foundation, http://www.apache.org/

Benchmarking secureslash.com (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Finished 1000 requests

Server Software:        Apache/2.2.6
Server Hostname:        secureslash.com
Server Port:            80

Document Path:          /
Document Length:        23188 bytes

Concurrency Level:      5
Time taken for tests:   11.633571 seconds
Complete requests:      1000
Failed requests:        0
Write errors:           0
Total transferred:      24052000 bytes
HTML transferred:       23188000 bytes
Requests per second:    85.96 [#/sec] (mean)
Time per request:       58.168 [ms] (mean)
Time per request:       11.634 [ms] (mean, across all concurrent requests)
Transfer rate:          2018.98 [Kbytes/sec] received

Connection Times (ms)
min  mean[+/-sd] median   max
Connect:        0    2   4.0      1      27
Processing:    26   55 114.2     37    1357
Waiting:       21   44 114.2     28    1349
Total:         26   57 114.5     39    1364

Percentage of the requests served within a certain time (ms)
50%     39
66%     45
75%     51
80%     54
90%     65
95%     77
98%    195
99%    804
100%   1364 (longest request)

—————————————————————————————————————————–

Testing Perl

This is the result of JUST a hello-world program in cgi-bin --> secureslash.com/cgi-bin/index.cgi. Look at the
times below: the median is quick, but the tail is far worse than PHP's.

PERL Results

Requests per second:    86.01 [#/sec] (mean)
Time per request:       58.131 [ms] (mean)
Time per request:       11.626 [ms] (mean, across all concurrent requests)

This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 1997-2005 The Apache Software Foundation, http://www.apache.org/

Benchmarking secureslash.com (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Finished 1000 requests

Server Software:        Apache/2.2.8
Server Hostname:        secureslash.com
Server Port:            80

Document Path:          /cgi-bin/index.cgi
Document Length:        12 bytes

Concurrency Level:      5
Time taken for tests:   11.626206 seconds
Complete requests:      1000
Failed requests:        0
Write errors:           0
Total transferred:      258320 bytes
HTML transferred:       12000 bytes
Requests per second:    86.01 [#/sec] (mean)
Time per request:       58.131 [ms] (mean)
Time per request:       11.626 [ms] (mean, across all concurrent requests)
Transfer rate:          21.68 [Kbytes/sec] received

Connection Times (ms)
min  mean[+/-sd] median   max
Connect:        0    0   0.0      0       0
Processing:     5   56 206.2      7    2441
Waiting:        5   56 205.9      7    2441
Total:          5   56 206.2      7    2441

Percentage of the requests served within a certain time (ms)
50%      7
66%     11
75%     13
80%     15
90%     25
95%    508
98%    821
99%   1027
100%   2441 (longest request)

———————————–

The moral: PHP (running as mod_php inside Apache) beats CGI Perl on latency, because every CGI request forks a new process and the Perl hello-world shows that in its tail (95% of requests under 508 ms versus 77 ms for the PHP page, longest request 2441 ms versus 1364 ms). Note that overall throughput is almost identical (85.96 versus 86.01 requests per second), which suggests the runs were limited by the network or by ab itself rather than by either interpreter, and that a 23 KB PHP page is not a like-for-like comparison with a 12-byte CGI response. A fairer test would use mod_perl or FastCGI and pages of comparable size.

How To Improve Your Alexa Ranking?

Sunday, April 20th, 2008

I am not talking about Alexa Vega

I mean www.Alexa.com. So, you would like to improve your site's Alexa rank. Recently Alexa announced a major change in its ranking approach.

Here are some great alexa rank improvement tips

1. Install the Alexa Toolbar or the simple SearchStatus Firefox extension and make your website your browser's homepage.

When it works: if you have a dynamic IP address, it will work.

2. Who are your site visitors? Are they SEO learners, web marketers, Web 2.0 webmasters? If so, you can promote installing the Alexa Toolbar or the SearchStatus extension.

How it works: Alexa pings your site info

3. Add an Alexa ranking widget to all pages of your site; look at the bottom of this page for an example.

How it works: let's say you get 800-1200 visitors per day. Then Alexa gets pinged about your site roughly 1000 times daily, which will surely improve your ranking.

4. Create an Alexa Blog Category & Write something about alexa ranking.

How it works: tell me, who searches Google for "how to increase alexa ranking"? Only SEO people, market researchers and webmasters like you. 80% of tech-savvy users have the Alexa toolbar, the Google toolbar or an Alexa-related extension installed in their browser. If you don't, install the Alexa toolbar now.

Download search status

5. Edit your site info in Alexa website & update your site thumbnail periodically.

6. Do not do anything black hat with HTTP headers. It won't be a long-term solution, as Alexa is improving these days...

IE6 & 7 Flicker or Flashing Problem

Tuesday, March 18th, 2008

You may have a site that has background other than White.


And sometimes, when using CSS/JavaScript menus and the like, a big white flash hits the eyes every time people navigate to another page.

Needless to say, average users get annoyed by this and leave the site unless you give them something that helps them put up with this browser behaviour.

You may not notice this in the popular Firefox browser, but IE is prone to this kind of behaviour.

To fix the problem easily we could ask all users to switch to Firefox, but that is not always an option, so

Here is the fix for Internet Explorer

We have tried some advice from fellow webmasters, such as setting up caching on the IIS web server, but most people don't have the privileges to do that, or their hosting admins may not be interested in doing it.

So, without anyone's help, you can fix this yourself by using an iframe.

Make a new file, such as iframe.html or index.html, whatever you like.

Set its background to the colour of your site's background: <body bgcolor="xxxx">

Then make an iframe with this code:

<iframe src="http://secureslash.com/" allowtransparency="true" align="left" frameborder="0" height="1024" scrolling="no" width="100%"></iframe>

Change secureslash.com to your site's URL.

And don't forget that you need some JavaScript to update the browser's address bar according to the current source of the iframe. Google or Live it for how to do this.

That's it, enjoy. Cheers

Paimpozhil

PHPBB Guest visitors info listing

Sunday, January 13th, 2008

Sometimes we need to see who is visiting our forum without logging in. Anyone who has struggled with spammers on their phpBB board needs a small monitoring script to trace guests.


Save the code below as "infolist.php":

<?php
// Lists phpBB 2.x guest sessions. In phpBB 2 the anonymous user has
// session_user_id = -1. Put this file in the forum root so config.php resolves.
include "config.php";

// phpBB 2 stores session_ip as 8 hex characters, two per octet.
function decode_ip($hex_ip)
{
    $octets = explode('.', chunk_split($hex_ip, 2, '.'));
    return hexdec($octets[0]) . '.' . hexdec($octets[1]) . '.' .
           hexdec($octets[2]) . '.' . hexdec($octets[3]);
}

// The mysql_* functions are what phpBB 2 itself uses; do not print
// mysql_error() to visitors, it leaks schema and host details.
mysql_connect($dbhost, $dbuser, $dbpasswd) or die('Database connection failed');
mysql_select_db($dbname) or die('Database selection failed');

// One row per guest IP, oldest session first.
$sql = mysql_query("SELECT * FROM `phpbb_sessions`
                    WHERE `session_user_id` = '-1'
                    GROUP BY `session_ip` ORDER BY `session_time` ASC");

echo "IP Address - HostName - Start Time - End Time - VisitingPage<br />";

while ($r = mysql_fetch_assoc($sql)) {
    $ip   = decode_ip($r['session_ip']);
    // Reverse DNS is slow on a busy board, and the name is controlled by
    // whoever owns the IP, so escape it like any other untrusted text.
    $host = gethostbyaddr($ip);
    echo htmlspecialchars($ip) . ' - ' . htmlspecialchars($host) . ' - <b>'
       . date('M d Y H:i:s', $r['session_start']) . ' - '
       . date(' H:i:s', $r['session_time']) . '</b>';

    // Positive session_page values are forum ids in phpBB 2; the PAGE_*
    // constants for other pages are zero or negative.
    $page = (int) $r['session_page'];
    if ($page > 0) {
        echo ' <a href="/forums/viewforum.php?f=' . $page . '" target="_blank">Looking into Page</a>';
    }
    echo "<br />";
}

mysql_close();
?>

Upload the infolist.php to the phpbb forum root folder.

Code will work fine on any phpbb 2.x.x release.

Hope it helps someone who is fighting blind spammers on their phpBB.

How to completely redirect a subdomain to a domain

Thursday, December 20th, 2007

Write a simple .htaccess file to redirect your subdomain to a domain. This .htaccess redirects every URL on a dead subdomain to the main domain, e.g. http://dead.domainname.com/ to http://IamMrAbc.com/.

#############################
####Subdomain to Domain redirection###
####From SecureSlash.com##########
RewriteEngine On
############Place your subdomain info###
RewriteCond %{HTTP_HOST} ^dead\.domainname\.com$ [NC]
############Place the destination domain
RewriteRule ^(.*)$ http://IamMrAbc.com/$1 [R=301,L]
############################

Two details matter here: in a per-directory .htaccess the leading slash is stripped from the path before the rule sees it, so the target needs its own "/" before $1, and the R=301 flag sends a permanent redirect (without it Apache would proxy or rewrite internally instead of redirecting). Save the above code as .htaccess and place it in your subdomain's folder,
Ex: /subdomains/dead/.htaccess
/public_html/dead/.htaccess

It depends upon server’s directory structure.

Crap Free webhosting sites

Thursday, April 12th, 2007

I went to see how the free hosting market is doing. I just googled for "php free hosting".

I got "http://phpnet.us" in the first SERP.

After filling in the signup form I got this URL:
http://phpnet.us/created.php?username=lkajsdf&password=lkjlkj

Great secure PHP hosting site.... I found other usernames and passwords of phpnet.us users in Google. Thank you, Google.

The same crap registration system (credentials passed as GET parameters, which end up in server access logs, browser history, Referer headers and search engine indexes) is used by a few other sites...
http://www.netfast.org
&
http://www.my-place.us

I am posting this flaw here because they must improve their security to protect user privacy.

Add Paypal Button

Thursday, April 12th, 2007

You can add a PayPal button to your website easily.

DO NOT just scroll through this page as it is. Download the IPN class file first and read along below, otherwise it won't make much sense.

I tried my level best to explain important code lines.

You can use the button for taking donations or selling products. Here is a PayPal IPN class in PHP; it is easy to set up and use.

Download the compressed file and extract it in your document root.
download and use the Paypal IPN class

And you have to edit some lines in paypal.php, starting at line 37:
switch ($_GET['action']) {

case 'process': // Process an order...
// There should be no output at this point. To process the POST data,
// the submit_paypal_post() function will output all the HTML tags which
// contain a FORM that is submitted instantly using the BODY onload
// attribute. In other words, don't echo or printf anything when you're
// going to be calling the submit_paypal_post() function.

// This is where you would have your form validation and all that jazz.
// You would take your POST vars and load them into the class like below,
// only using the POST values instead of constant string expressions.

// For example, after ensuring all the POST variables from your custom
// order form are valid, you might have:
//
// $p->add_field('first_name', $_POST['first_name']);
// $p->add_field('last_name', $_POST['last_name']);

$p->add_field('business', 'YOUR PAYPAL (OR SANDBOX) EMAIL ADDRESS HERE!');
$p->add_field('return', $this_script.'?action=success');
$p->add_field('cancel_return', $this_script.'?action=cancel');
$p->add_field('notify_url', $this_script.'?action=ipn');
$p->add_field('item_name', 'Paypal Test Transaction');
$p->add_field('amount', '1.99');

$p->submit_paypal_post(); // submit the fields to paypal
//$p->dump_fields(); // for debugging, output a table of all the fields
break;

case 'success': // Order was successful...

// This is where you would probably want to thank the user for their order
// or what have you. The order information at this point is in POST
// variables. However, you don't want to "process" the order until you
// get validation from the IPN. That's where you would have the code to
// email an admin, update the database with payment status, activate a
// membership, etc.

echo "<html><head><title>Success</title></head><body><h3>Thank you for your order.</h3>";
// These POST values come straight from the browser, so escape them before
// echoing them back, or this page becomes a cross-site scripting sink.
foreach ($_POST as $key => $value) {
    echo htmlspecialchars($key) . ': ' . htmlspecialchars($value) . '<br>';
}
echo "</body></html>";

// You could also simply redirect them to another page, or your own
// order status page which presents the user with the status of their
// order based on a database (which can be modified with the IPN code
// below).

break;

case 'cancel': // Order was canceled...

// The order was canceled before being completed.

echo "<html><head><title>Canceled</title></head><body><h3>The order was canceled.</h3>";
echo "</body></html>";

break;

case 'ipn': // Paypal is calling the page for IPN validation...

// It's important to remember that PayPal is calling this script. There
// is no output here. This is where you validate the IPN data and, if it's
// valid, update your database to signify that the user has paid. If
// you try to use an echo or printf function here it's not going to do you
// a bit of good. This is on the "backend". That is why, by default, the
// class logs all IPN data to a text file.

if ($p->validate_ipn()) {

// Payment has been received and the IPN is verified. This is where you
// update your database to activate or process the order, or set up
// the database with the user's order details, email an administrator,
// etc. You can access a slew of information via the ipn_data() array.

// Check the PayPal documentation for specifics on what information
// is available in the IPN POST variables. Basically, all the POST vars
// which PayPal sends, which we send back for validation, are now stored
// in the ipn_data() array.

// For this example, we'll just email ourselves ALL the data.
$subject = 'Instant Payment Notification - Received Payment';
$to = 'YOUR EMAIL ADDRESS HERE'; // your email
$body = "An instant payment notification was successfully received\n";
$body .= "from ".$p->ipn_data['payer_email']." on ".date('m/d/Y');
$body .= " at ".date('g:i A')."\n\nDetails:\n";

foreach ($p->ipn_data as $key => $value) { $body .= "\n$key: $value"; }
mail($to, $subject, $body);
}
break;
}

Save paypal.php

And use the below code to display paypal button image.

<form action="paypal.php">
<input type="image" src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

Change action="paypal.php" (for example to action="paypal/paypal.php") to match your directory structure.
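The comments in the 'ipn' case above say to validate the notification before processing the order, but a verified IPN is not yet a paid order: the buyer controls the form fields, PayPal resends notifications, and anyone can POST to notify_url. The following is an added example of the checks an IPN handler should make, written for this page and not part of the IPN class or the original post. It requires PHP 7.4 or later; the postback URL is PayPal's documented IPN endpoint, but the postback is injected as a callable so the decision logic runs offline, and all the notification data below is constructed, not a real PayPal message.

```php
<?php
// Added example: what an IPN handler must check before trusting a payment.
// Not code from the original post or from the IPN class it describes.

// Production postback target per PayPal's IPN documentation.
const PAYPAL_IPN_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

/**
 * Send the exact bytes PayPal posted back to PayPal, prefixed with
 * cmd=_notify-validate. PayPal answers with the literal string VERIFIED or INVALID.
 */
function paypal_postback(string $raw_body): string
{
    $ch = curl_init(PAYPAL_IPN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never switch this off in payment code
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === false ? 'INVALID' : trim($response);
}

/**
 * Decide whether a notification is a genuine, new, fully paid order.
 *   $post      decoded IPN fields ($_POST in production)
 *   $raw_body  exact request body (file_get_contents('php://input') in production)
 *   $postback  callable(string): string returning VERIFIED or INVALID
 *   $expected  ['receiver_email' => ..., 'mc_gross' => ..., 'mc_currency' => ...]
 *   $txn_seen  callable(string $txn_id): bool, true if this txn_id was already processed
 * Returns 'ok' or a short reason for rejection, so the caller can log it.
 */
function ipn_decision(array $post, string $raw_body, callable $postback,
                      array $expected, callable $txn_seen): string
{
    // 1. Anyone can POST to notify_url; only PayPal can confirm the message.
    if ($postback($raw_body) !== 'VERIFIED') {
        return 'postback not verified';
    }
    // 2. Pending, Refunded, Reversed and friends are not "paid".
    if (($post['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed';
    }
    // 3. A verified IPN may still be a real payment made to someone else's account.
    if (strcasecmp($post['receiver_email'] ?? '', $expected['receiver_email']) !== 0) {
        return 'wrong receiver';
    }
    // 4. The hidden amount field in the button form belongs to the buyer; re-check it.
    $paid = number_format((float) ($post['mc_gross'] ?? 0), 2, '.', '');
    $due  = number_format((float) $expected['mc_gross'], 2, '.', '');
    if (($post['mc_currency'] ?? '') !== $expected['mc_currency'] || $paid !== $due) {
        return 'amount or currency mismatch';
    }
    // 5. PayPal retries and attackers replay: process every txn_id exactly once.
    if (!isset($post['txn_id']) || $txn_seen($post['txn_id'])) {
        return 'duplicate or missing txn_id';
    }
    return 'ok';
}

// --- Constructed demonstration data (not a real PayPal notification) ---
$expected = ['receiver_email' => 'seller@example.com', 'mc_gross' => '1.99', 'mc_currency' => 'USD'];
$good = ['payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
         'mc_gross' => '1.99', 'mc_currency' => 'USD', 'txn_id' => 'TXN0001'];
$tampered = $good;
$tampered['mc_gross'] = '0.01';      // buyer edited the hidden amount before submitting
$replayed = $good;
$replayed['txn_id'] = 'TXN0000';     // a notification we have already processed

$fake_postback = fn(string $body): string => 'VERIFIED';   // stands in for PayPal offline
$already_seen  = ['TXN0000' => true];
$txn_seen      = fn(string $id): bool => isset($already_seen[$id]);

foreach (['good' => $good, 'tampered' => $tampered, 'replayed' => $replayed] as $label => $ipn) {
    echo $label, ': ', ipn_decision($ipn, http_build_query($ipn), $fake_postback, $expected, $txn_seen), "\n";
}
```

In paypal.php's 'ipn' case this would be called as ipn_decision($_POST, file_get_contents('php://input'), 'paypal_postback', $expected, $txn_seen), and the order is activated only when the result is 'ok'; the handler should then return an empty 200 response, because PayPal keeps resending a notification until it gets one. The expected amount has to come from your own order record, never from the notification itself.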

Logging Website Visitor Information

Thursday, April 12th, 2007

Everyone needs to promote their website, so we take care of the content, the design and so on. After launching, the site starts getting more hits every day, and we should keep track of them. Log the visitor's IP address and referrer every time, because someone may try to attack your server through the URL, and a record of the details shows you what was tried and from where. Keep in mind that the Referer header is whatever the visitor's browser (or script) chooses to send: log it, but treat it as untrusted text rather than fact.

Step 1:
Include the below code in your footer.php or in footer or header area of all of your pages.

$remote  = $_SERVER['REMOTE_ADDR'];
$remote .= "--";
// The Referer is client-supplied and may be absent; strip CR/LF so a
// visitor cannot write fake extra lines into the log.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$remote .= str_replace(array("\r", "\n"), ' ', $referer);
$date = date("d-n-Y");
$remote .= "-- ";
$remote .= $date;
$remote .= "\r\n";
$filename = 'home.txt';
if (is_writable($filename))
{
    // Open $filename in append mode. The file pointer is at the end of
    // the file, so that's where $remote goes when we fwrite() it.
    if (!$handle = fopen($filename, 'a'))
    {
        // echo "Cannot open file ($filename)";
        exit;
    }
    // Write $remote to our opened file.
    if (fwrite($handle, $remote) === FALSE)
    {
        // echo "Cannot write to file ($filename)";
        exit;
    }
    //echo "Success, wrote ($remote) to file ($filename)";
    fclose($handle);
}
else
{
    //echo "The file $filename is not writable";
}

If you like to see the script’s status then just remove the comment lines.
Step 2:
Create a text file named home.txt and make it writable by the web server user. Two cautions: a file inside the document root is downloadable by every visitor, so your IP and referrer log would be public; keep it outside public_html, or deny access to it in .htaccess. And prefer chown to the web server user over chmod 0777, which lets every local account on the host write to (or truncate) your log.

We are just writing information in to a file using php. Just do the above two steps and start logging your visitors.
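The two steps above work, but as written the log can be forged by any visitor (a Referer containing a newline adds a second, fake entry) and is served to anyone who requests home.txt. The following is an added example of the same logger with those holes closed; it is not code from the original post. The log path under a private directory outside the document root is an assumption for this example, and the two requests at the bottom are constructed, not captured traffic.

```php
<?php
// Added example: a visitor logger whose entries cannot be forged and whose
// file is not served to the public. Not code from the original post.

// Assumption: a directory outside the document root, owned by or writable
// for the web server user. Anything under public_html is a downloadable URL.
const VISITOR_LOG = __DIR__ . '/../private/home.txt';

/**
 * Reduce an attacker-controlled header to one printable log field.
 * CR/LF would let a client inject extra "lines"; other control bytes can
 * confuse log viewers; the length cap stops a huge Referer filling the disk;
 * runs of '-' are collapsed because '--' is the field separator.
 */
function log_field(string $value, int $max = 512): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', ' ', $value);
    $clean = preg_replace('/-{2,}/', '-', $clean);
    return substr($clean, 0, $max);
}

/** Build the same "ip--referer-- date" line the original script writes, safely. */
function visitor_log_line(array $server, string $date): string
{
    $ip      = log_field($server['REMOTE_ADDR'] ?? '-');
    $referer = log_field($server['HTTP_REFERER'] ?? '-');
    return $ip . '--' . $referer . '-- ' . $date . "\n";
}

/** Append with an exclusive lock so concurrent requests cannot interleave lines. */
function append_visitor_log(string $path, string $line): bool
{
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

// --- Constructed requests (not real traffic) ---
$honest = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_REFERER' => 'http://example.org/links'];
$forged = [
    'REMOTE_ADDR'  => '198.51.100.9',
    // With the original script this Referer would produce a second log entry
    // that appears to come from 10.0.0.1 via a trusted referrer.
    'HTTP_REFERER' => "http://evil.example/\r\n10.0.0.1--http://trusted.example/-- 01-1-2007",
];

echo visitor_log_line($honest, date('d-n-Y'));
echo visitor_log_line($forged, date('d-n-Y'));
```

In the footer the call is append_visitor_log(VISITOR_LOG, visitor_log_line($_SERVER, date('d-n-Y'))). The forged request above still produces exactly one line, with the injected newline turned into a space, which is the property you need before trusting anything in the file during an incident.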

PHP Login Script 2

Thursday, April 12th, 2007
Form Design:

<form id="form1" name="form1" method="post" action="login.php">
<table width="300" border="0">
<tr>
<td>Username</td>
<td><input type="text" name="username_field" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="password_field" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="login" value="Login" /></td>
</tr>
</table>
</form>

Save it as “form.html”

<?php
session_start(); #3
include('config.php'); //Listen #1
$username = isset($_POST['username_field']) ? $_POST['username_field'] : '';
$password = isset($_POST['password_field']) ? $_POST['password_field'] : '';
if (($username == $user) && ($password == $pass))
{
    $hash = md5($pass); //Listen #2
    $_SESSION['hash'] = $hash;
    // $username came from the form, so escape it before echoing it back
    echo("Welcome " . htmlspecialchars($username) . "<br>");
}
else
    echo("Incorrect username/password<br>");
?>

Save it as “login.php”

Notes
#1: We are just including another PHP script in login.php.
Let us say config.php looks like this:

<?php
//Configuration settings
$user = "rob";
$pass = "p123";
?>

#2: This is the main code in login.php.
md5() is a function which generates a hash of the given value.
We assign the hash of $pass to a session variable.

#3:
session_start(): we have to start the session on every page where we use session variables. It must be the very first code in the script, before any output is produced.
For example:

<?php
echo("First line");
session_start();
// ... rest of the page
?>
This produces an error (the session cookie cannot be sent once output has started), so it should be like

<?php
session_start();
echo("First line");
?>
<html>
<head>
<title>title</title>
</head>
<body>
Html codes
</body>
</html>
<?php
echo(“last line”);
?>

Why we need Session variables?

Let us say you are developing an admin panel or a user area. We need to allow only authorized users into some pages, so we must check the user's authority at any time. We cannot put a form everywhere to ask for the username and password again. We get them only once, in login.php, and keep the user's identity for the other scripts. So we store the hash of his password in a session variable and check it on every page. Seems confusing? Ok, see this example, it may help.

<?php
session_start();
//Account Area
include('config.php');
if ($_SESSION['hash'] == md5($pass))
{
    echo("Welcome $user");
}
else
{
    echo("You are not authorized to visit this page!");
}
?>
Why do we check a hash instead of the original password? Because of the security problems with PHP's register_globals setting (with it on, request parameters can pre-populate variables), and because you do not want the plain-text password sitting in the session store either; this method is somewhat safer with session variables. There is still a problem with this script. Can you guess it? Yes: it breaks if any two users have the same password. There is no chance of duplicate usernames, but duplicate passwords are very likely. So what is the solution? Store the hash of the username in a session variable too, and check both everywhere. (Strictly, the session only needs to record who was authenticated, for example the username set after a successful check, and md5 is no longer considered a safe password hash, so today a dedicated password-hashing function should be used instead.)
Like below:

if (($_SESSION['username_hash'] == md5($user)) && ($_SESSION['password_hash'] == md5($pass)))
{
}

Sounds good? We are just getting the username and password from a config file (config.php); you can adapt this mechanism to retrieve them from database tables.

PHP Login Script

Thursday, April 12th, 2007

A PHP tutorial for people who are going to develop real-world applications in PHP/MySQL. I am not going to explain what a variable is or the syntax of a "for" loop. If you want the very basics of PHP, go to the Zend PHP Tutorials. My tutorial is fully application based.

I assume you have basic programming knowledge in PHP: for loops, while loops, sessions and MySQL database connectivity.

Ok we are just going to develop one login system now.

What are the steps?

  1. Get username & Password from user
  2. Validate them
  3. If valid then let user to use the system
  4. else show an error message

These are basic considerations.

We can achieve this by writing a single php file.

1. PHP login form design

Design notes: Use tables to show form fields in aligned manner.

Code for simple table with 6 cells

<table width="300" border="0">
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
</table>

I hope you know how to print a blank space. Enclose the table tags in a form tag.

<form id="form1" name="form1" method="post" action="login.php">
<table width="300" border="0">
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
</table>
</form>

Note: action="login.php": login.php is the current file name; you can change it.

<form id="form1" name="form1" method="post" action="login.php">
<table width="300" border="0">
<tr>
<td>Username</td>
<td><input type="text" name="username_field" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="password_field" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="login" value="Login" /></td>
</tr>
</table>
</form>

Note: the password field uses input type="password" so that the characters are masked as they are typed.

You know these are just <html> tags.

<?php
// On the first (GET) visit the form has not been submitted yet, so default to ''.
$username = isset($_POST['username_field']) ? $_POST['username_field'] : '';
$password = isset($_POST['password_field']) ? $_POST['password_field'] : '';
$user = "user1";
$pass = "123456";
if (($username == $user) && ($password == $pass))
    // $username is user input: escape it before echoing it back into the page
    echo("Welcome " . htmlspecialchars($username) . "<br>");
else
    echo("Incorrect username/password<br>");
?>

Note: $_POST['username_field'] and $_POST['password_field'] are the values sent by the POST method. $user and $pass are the variables holding the expected username and password.
Continue to page 2
This is not a full login system. This is for showing how it will be.
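Both login posts ("PHP Login Script" above and "PHP Login Script 2") compare the submitted password with a plain-text value from config.php and, in part 2, keep md5($pass) in the session, which is why two users with the same password collide. The following is an added example of the same login rebuilt the way it would be written today; it is not code from either post. It requires PHP 7.1 or later. The user table is constructed inline, the hash is computed at start-up only so the example runs stand-alone (in a real deployment you generate each hash once and store it), and the three login attempts at the bottom are constructed requests, not a form submission.

```php
<?php
// Added example: the login from both posts rebuilt around password_hash()
// and a session flag. Not code from the original posts. PHP 7.1+.

// config.php in the posts holds $user/$pass in plain text. Store hashes
// instead. Constructed here; in practice run password_hash('p123',
// PASSWORD_DEFAULT) once at deploy time and paste the result into the config.
$USERS = [
    'rob' => password_hash('p123', PASSWORD_DEFAULT),
];

/**
 * Return the username on success, null otherwise.
 * Unknown users are verified against a dummy hash so both failure paths take
 * about the same time and response timing does not reveal which names exist.
 */
function authenticate(array $users, string $username, string $password): ?string
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password-for-constant-time', PASSWORD_DEFAULT);
    }
    $hash = $users[$username] ?? $dummy;
    $ok   = password_verify($password, $hash);
    return ($ok && isset($users[$username])) ? $username : null;
}

/** login.php: call after session_start() and before any output. */
function handle_login(array $users, array $post): bool
{
    $who = authenticate($users,
                        (string) ($post['username_field'] ?? ''),
                        (string) ($post['password_field'] ?? ''));
    if ($who === null) {
        return false;
    }
    // A fresh session id on login defeats session fixation, and the session
    // records who is logged in rather than a hash of their password, so two
    // users sharing a password (the problem raised in part 2) no longer collide.
    session_regenerate_id(true);
    $_SESSION['user'] = $who;
    return true;
}

/** Top of every protected page, after session_start(). */
function require_login(): string
{
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('You are not authorized to visit this page!');
    }
    return $_SESSION['user'];
}

// --- Constructed demonstration (no browser involved; one process stands in
// for three separate requests, so the successful login stays in $_SESSION) ---
session_start();
$results = [
    'right password' => handle_login($USERS, ['username_field' => 'rob',     'password_field' => 'p123']),
    'wrong password' => handle_login($USERS, ['username_field' => 'rob',     'password_field' => 'wrong']),
    'unknown user'   => handle_login($USERS, ['username_field' => 'mallory', 'password_field' => 'p123']),
];
foreach ($results as $case => $accepted) {
    echo $case, ': ', $accepted ? 'accepted' : 'rejected', "\n";
}
echo 'protected page sees user: ', htmlspecialchars(require_login()), "\n";
```

Pair this with the form above sent over HTTPS, the password field as input type="password", and the welcome message escaped with htmlspecialchars() as the corrected scripts do. When the accounts move from config.php into a database, the stored value is still the password_hash() output, never the password itself.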