Remote access Via SSH or Telnet

There are several ways you can administer a Windows XP machine remotely, I cover 2 here; SSH (Secure Shell) and Telnet (not secure):

Secure:

SSH can be set up on Windows XP using Cygwin (make sure you Login as Administrator, or as a user with Administrator privileges). Cygwin is maintained by Red Hat.

md c:\cygwin

Download setup.exe from Cygwin into c:\cygwin

Start -> Run -> c:\cygwin\setup.exe

Make sure “Local Package Directory” is c:\cygwin

Click the small “View” button for “Full”

Scroll down to “OpenSSH” line, click on the word “skip” so that an appears in Column B,

Continue with the install, depending on what you selected, and your connection speed, this could take a while.

Once done; Right click “My Computer” -> Properties -> Advanced -> Environment Variables

Select “New” to add a new entry to system variables:

variable name: CYGWIN

variable value: ntsec tty

Right click “My Computer” -> Properties -> Advanced -> Environment Variables

Select the “Path” variable and click the “Edit” button and append ;c:\cygwin\bin to the end of the existing line.

Start -> All Programs -> Cygwin -> Cygwin Bash Shell

type ssh-host-config and answer as follows:

“privilege separation”: yes

“local user”: yes

“install sshd as a service”: yes

“CYGWIN=”: ntsec tty

Then type net start sshd OR cygrunsrv --start sshd (to stop the sshd service, type net stop sshd).

To test if the ssh server is working, type: ssh $USERNAME@127.0.0.1 (type exit or ctrl-d to exit).

If you have any prolems, type ssh-user-config.

Further things to do:

cp /etc/passwd /etc/passwd.bak
passwd (enter your current Windows password)

For Windows XP SP2:

Control Panel -> Administrative Tools -> Windows Firewall -> Exceptions

Select “Add Port”. Name: SSH, Port: 22.

One of the great things about installing SSH is that you get SFTP installed along with it, so in the next section, you don’t need to setup the FTP server.

To connect to this machine from another Windows machine, you can use an SSH client like PuTTY, or if you have Cygwin installed, or you’re connecting from Linux or another machine with an SSH client installed use: ssh -l username IPAddress (if the username on the remote machine is the same as the username on the machine you’re connecting from, you can leave out the “-l username” part.

Note: Once you’re connected to the remote machine via ssh or sftp, the directory stucture is a little strange, for example if you want to change to C:\ you yould type: cd /cygdrive/c. You can also sometimes just switch the back-slash to a forward slash; for example \\myserver\c$ would become //myserver/c$, and c:\ would become c:/

 

Non-so-secure:

If you want to access your machine, but don’t want to install Cygwin, setup telnet:

Control Panel -> Administrative Tools -> Windows Firewall -> Exceptions
Select "Add Port". Name: Telnet, Port: 23.
Control Panel -> Administrative Tools -> Services
Right-click on "Telnet" select "Properties"
Set "Startup type" to be Automatic
Click on "Start".
Control Panel -> Administrative Tools -> Local Security Policy
Security Settings -> Local Policies -> Security Options
Right-click on "Network Access: Sharing and security model for local accounts", 
select properties.
Select "Classic - local users authenticate as themselves".

To connect to this machine: telnet -l username IPAddress

 

 

Remote access via SFTP or FTP

See the link in the above section.

If you have installed SSH (in the above section), then you can skip this section as you can connect using sftp.

Note: As with Telnet, ftp has its vunerabilities.

Install an FTP Server:

Download Filezilla Server. Configure it to the users on your workstation (don’t forget to set passwords and home folders).

To connect from another machine type ftp username@ipaddress

source : http://roqet.org/ssh_and_telnet_on_windows.html

tambahan penulis :

bagi pengguna linux, terutama administrator tentu lebih tahu bahwa bekerja dengan modus teks (cli) lebih mudah dan powerfull dibanding bekerja dalam modus gui.

 


sigma grid example

Ini bermula ketika saya harus membuat sebuah aplikasi helpdesk untuk kantor saya bekerja saat ini. Helpdesk itu sendiri adalah suatu aplikasi yang berfungsi untuk merekam trouble log dan komplain dari klien yang diterima oleh support kami. Kebutuhan yang unik membuat saya memutuskan untuk menggunakan platform opensource agar lebih mudah nantinya untuk saya recode ulang sesuai kebutuhan. Karena pemrograman yang paling saya kuasai adalah PHP, tentunya yang pertama kali menarik perhatian saya adalah mencari aplikasi opensource sejenis yang dibuat dengan PHP. Ternyata ada banyak sekali, dan masing-masing memiliki kelebihan dan kekurangannya sendiri. Banyak sekali yang sudah saya coba, mulai dari iTop , osTicket, GLPI, dan Trellis Desk. Akhirnya pilihan saya jatuh pada yang terakhir tadi, dengan mempertimbangkan fiturnya yang sedikit banyak sesuai dengan kebutuhan perusahaan, dan dibuat dengan pendekatan OOP, sehingga memudahkan saya untuk membaca source code dan memodifikasinya.

Salah satu kekurangan Trellis Desk ini adalah minimnya fitur reporting. Karena justru reporting inilah yang pada akhirnya diminta oleh manajemen sebagai output aplikasi trouble log yang akan dibuat, maka mau tidak mau saya harus membuat modul sendiri untuk mengimplementasikannya. Dalam bayangan saya, reporting tersebut setidaknya memiliki berbagai fitur sebagai berikut : 
  1. bisa menampilkan tabel data yang dibutuhkan.
  2. bisa generate chart dari tabel yang dihasilkan.
  3. dan bisa export ke pdf maupun excel dari tabel data tersebut.
  4. terakhir adalah paging yang memudahkan pengguna untuk browsing tabel data yang dihasilkan.

Berbekal list fitur tadi, saya mulai mencari library yang mungkin akan saya butuhkan. Perhatian saya tertuju pada datagrid yang sedikit banyak memang menarik untuk dibuat menjadi data report. Berbekal kemampuan jquery seadanya, saya mulai mencari librari yang ada, mulai openflash chart, hingga jqgrid saya coba. Namun pilihan saya justru jatuh pada sigma grid yang notabene jauh dari library jquery yang sebelumnya menjadi pondasi pengetahuan saya.  

Ah, kenapa harus takut untuk mempelajari hal baru? demikian pikir saya untuk memacu diri sendiri agar berani mengimplementasikannya. Setelah yakin dengan licensi sigma grid yang open. saya pun mulai mempelajarinya. Kesulitan pertama yang muncul adalah bagaimana mengimplementasikannya di framework yang dipakai oleh trellis desk sebagai aplikasi induknya???
Saat ini saya masih mencoba mencari cara terbaik untuk implementasinya. Bersambung ke part 2 nanti … see you guys!

Programmer Competency Matrix

Posted: 3 April 2012 in Lain-lain

Note that the knowledge for each level is cumulative; being at level n implies that you also know everything from the levels lower than n.

Computer Science
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
data structures Doesn’t know the difference between Array and LinkedList Able to explain and use Arrays, LinkedLists, Dictionaries etc in practical programming tasks Knows space and time tradeoffs of the basic data structures, Arrays vs LinkedLists, Able to explain how hashtables can be implemented and can handle collisions, Priority queues and ways to implement them etc. Knowledge of advanced data structures like B-trees, binomial and fibonacci heaps, AVL/Red Black trees, Splay Trees, Skip Lists, tries etc.
algorithms Unable to find the average of numbers in an array (It’s hard to believe but I’ve interviewed such candidates) Basic sorting, searching and data structure traversal and retrieval algorithms Tree, Graph, simple greedy and divide and conquer algorithms, is able to understand the relevance of the levels of this matrix. Able to recognize and code dynamic programming solutions, good knowledge of graph algorithms, good knowledge of numerical computation algorithms, able to identify NP problems etc. Working with someone who has a good topcoder ranking would be an unbelievable piece of luck!
systems programming Doesn’t know what a compiler, linker or interpreter is Basic understanding of compilers, linker and interpreters. Understands what assembly code is and how things work at the hardware level. Some knowledge of virtual memory and paging. Understands kernel mode vs. user mode, multi-threading, synchronization primitives and how they’re implemented, able to read assembly code. Understands how networks work, understanding of network protocols and socket level programming. Understands the entire programming stack, hardware (CPU + Memory + Cache + Interrupts + microcode), binary code, assembly, static and dynamic linking, compilation, interpretation, JIT compilation, garbage collection, heap, stack, memory addressing…
Software Engineering
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
source code version control Folder backups by date VSS and beginning CVS/SVN user Proficient in using CVS and SVN features. Knows how to branch and merge, use patches setup repository properties etc. Knowledge of distributed VCS systems. Has tried out Bzr/Mercurial/Darcs/Git
build automation Only knows how to build from IDE Knows how to build the system from the command line Can setup a script to build the basic system Can setup a script to build the system and also documentation, installers, generate release notes and tag the code in source control
automated testing Thinks that all testing is the job of the tester Has written automated unit tests and comes up with good unit test cases for the code that is being written Has written code in TDD manner Understands and is able to setup automated functional, load/performance and UI tests
Programming
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
problem decomposition Only straight line code with copy paste for reuse Able to break up problem into multiple functions Able to come up with reusable functions/objects that solve the overall problem Use of appropriate data structures and algorithms and comes up with generic/object-oriented code that encapsulate aspects of the problem that are subject to change.
systems decomposition Not able to think above the level of a single file/class Able to break up problem space and design solution as long as it is within the same platform/technology Able to design systems that span multiple technologies/platforms. Able to visualize and design complex systems with multiple product lines and integrations with external systems. Also should be able to design operations support systems like monitoring, reporting, fail overs etc.
communication Cannot express thoughts/ideas to peers. Poor spelling and grammar. Peers can understand what is being said. Good spelling and grammar. Is able to effectively communicate with peers Able to understand and communicate thoughts/design/ideas/specs in a unambiguous manner and adjusts communication as per the context This is an often under rated but very critical criteria for judging a programmer. With the increase in outsourcing of programming tasks to places where English is not the native tongue this issue has become more prominent. I know of several projects that failed because the programmers could not understand what the intent of the communication was.
code organization within a file no evidence of organization within a file Methods are grouped logically or by accessibility Code is grouped into regions and well commented with references to other source files File has license header, summary, well commented, consistent white space usage. The file should look beautiful.
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
code organization across files No thought given to organizing code across files Related files are grouped into a folder Each physical file has a unique purpose, for e.g. one class definition, one feature implementation etc. Code organization at a physical level closely matches design and looking at file names and folder distribution provides insights into design
source tree organization Everything in one folder Basic separation of code into logical folders. No circular dependencies, binaries, libs, docs, builds, third-party code all organized into appropriate folders Physical layout of source tree matches logical hierarchy and organization. The directory names and organization provide insights into the design of the system. The difference between this and the previous item is in the scale of organization, source tree organization relates to the entire set of artifacts that define the system.
code readability Mono-syllable names Good names for files, variables classes, methods etc. No long functions, comments explaining unusual code, bug fixes, code assumptions Code assumptions are verified using asserts, code flows naturally – no deep nesting of conditionals or methods
defensive coding Doesn’t understand the concept Checks all arguments and asserts critical assumptions in code Makes sure to check return values and check for exceptions around code that can fail. Has his own library to help with defensive coding, writes unit tests that simulate faults
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
error handling Only codes the happy case Basic error handling around code that can throw exceptions/generate errors Ensures that error/exceptions leave program in good state, resources, connections and memory is all cleaned up properly Codes to detect possible exception before, maintain consistent exception handling strategy in all layers of code, come up with guidelines on exception handling for entire system.
IDE Mostly uses IDE for text editing Knows their way around the interface, able to effectively use the IDE using menus. Knows keyboard shortcuts for most used operations. Has written custom macros
API Needs to look up the documentation frequently Has the most frequently used APIs in memory Vast and In-depth knowledge of the API Has written libraries that sit on top of the API to simplify frequently used tasks and to fill in gaps in the API E.g. of API can be Java library, .net framework or the custom API for the application
frameworks Has not used any framework outside of the core platform Has heard about but not used the popular frameworks available for the platform. Has used more than one framework in a professional capacity and is well-versed with the idioms of the frameworks. Author of framework
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
requirements Takes the given requirements and codes to spec Come up with questions regarding missed cases in the spec Understand complete picture and come up with entire areas that need to be speced Able to suggest better alternatives and flows to given requirements based on experience
scripting No knowledge of scripting tools Batch files/shell scripts Perl/Python/Ruby/VBScript/Powershell Has written and published reusable code
database Thinks that Excel is a database Knows basic database concepts, normalization, ACID, transactions and can write simple selects Able to design good and normalized database schemas keeping in mind the queries that’ll have to be run, proficient in use of views, stored procedures, triggers and user defined types. Knows difference between clustered and non-clustered indexes. Proficient in use of ORM tools. Can do basic database administration, performance optimization, index optimization, write advanced select queries, able to replace cursor usage with relational sql, understands how data is stored internally, understands how indexes are stored internally, understands how databases can be mirrored, replicated etc. Understands how the two phase commit works.
Experience
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
languages with professional experience Imperative or Object Oriented Imperative, Object-Oriented and declarative (SQL), added bonus if they understand static vs dynamic typing, weak vs strong typing and static inferred types Functional, added bonus if they understand lazy evaluation, currying, continuations Concurrent (Erlang, Oz) and Logic (Prolog)
platforms with professional experience 1 2-3 4-5 6+
years of professional experience 1 2-5 6-9 10+
domain knowledge No knowledge of the domain Has worked on at least one product in the domain. Has worked on multiple products in the same domain. Domain expert. Has designed and implemented several products/solutions in the domain. Well versed with standard terms, protocols used in the domain.
Knowledge
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
tool knowledge Limited to primary IDE (VS.Net, Eclipse etc.) Knows about some alternatives to popular and standard tools. Good knowledge of editors, debuggers, IDEs, open source alternatives etc. etc. For e.g. someone who knows most of the tools from Scott Hanselman’s power tools list. Has used ORM tools. Has actually written tools and scripts, added bonus if they’ve been published.
languages exposed to Imperative or Object Oriented Imperative, Object-Oriented and declarative (SQL), added bonus if they understand static vs dynamic typing, weak vs strong typing and static inferred types Functional, added bonus if they understand lazy evaluation, currying, continuations Concurrent (Erlang, Oz) and Logic (Prolog)
codebase knowledge Has never looked at the codebase Basic knowledge of the code layout and how to build the system Good working knowledge of code base, has implemented several bug fixes and maybe some small features. Has implemented multiple big features in the codebase and can easily visualize the changes required for most features or bug fixes.
knowledge of upcoming technologies Has not heard of the upcoming technologies Has heard of upcoming technologies in the field Has downloaded the alpha preview/CTP/beta and read some articles/manuals Has played with the previews and has actually built something with it and as a bonus shared that with everyone else
2n (Level 0) n2 (Level 1) n (Level 2) log(n) (Level 3) Comments
platform internals Zero knowledge of platform internals Has basic knowledge of how the platform works internally Deep knowledge of platform internals and can visualize how the platform takes the program and converts it into executable code. Has written tools to enhance or provide information on platform internals. For e.g. disassemblers, decompilers, debuggers etc.
books Unleashed series, 21 days series, 24 hour series, dummies series… Code Complete, Don’t Make me Think, Mastering Regular Expressions Design Patterns, Peopleware, Programming Pearls, Algorithm Design Manual, Pragmatic Programmer, Mythical Man month Structure and Interpretation of Computer Programs, Concepts Techniques, Models of Computer Programming, Art of Computer Programming, Database systems , by C. J Date, Thinking Forth, Little Schemer
blogs Has heard of them but never got the time. Reads tech/programming/software engineering blogs and listens to podcasts regularly. Maintains a link blog with some collection of useful articles and tools that he/she has collected Maintains a blog in which personal insights and thoughts on programming are shared

Thanks to John Haugeland for a reformatting of it that works much more nicely on the web.

Sumber informasi : http://www.indiangeek.net/wp-content/uploads/Programmer%20competency%20matrix.htm

 


PHP is an open-source server-side scripting language and it is a widely used. The Apache web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.

Our Sample Setup For PHP Security Tips
  • DocumentRoot: /var/www/html
  • Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
  • Default PHP configuration file: /etc/php.ini
  • Default PHP extensions config directory: /etc/php.d/
  • Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
  • Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
  • Default php server TCP/UDP ports: none

Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell:
$ php -v
Sample outputs:

PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

For demonstration purpose I’m going to use the following operating system:
$ cat /etc/redhat-release
Sample outputs:

Red Hat Enterprise Linux Server release 6.1 (Santiago)
#1: Know Your Enemy

PHP based apps can face the different types of attacks. I have noticed the different types of attacks:

  1. XSS – Cross-site scripting is a vulnerability in php web applications, which attackers may exploit to steal users’ information. You can configure Apache and write more secure PHP scripts (validating all user input) to avoid xss attacks.
  2. SQL injection – It is a vulnerability in the database layer of an php application. When user input is incorrectly filtered any SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() before sending the SQL query.
    Spoofing
  3. File uploads – It allows your visitor to place files (upload files) on your server. This can result into various security problems such as delete your files, delete database, get user details and much more. You can disable file uploads using php or write secure code (like validating user input and only allow image file type such as png or gif).
  4. Including local and remote files – An attacker can open files from remote server and execute any PHP code. This allows them to upload file, delete file and install backdoors. You can configure php to disable remote file execution.
  5. eval() – Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure php to disable eval().
  6. Sea-surf Attack (Cross-site request forgery – CSRF) – This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
#2: Find Built-in PHP Modules

To see the set of compiled-in PHP modules type the following command:
# php -m
Sample outputs:

[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
dom
ereg
exif
fileinfo
filter
ftp
gd
gettext
gmp
hash
iconv
imap
json
libxml
mbstring
memcache
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
readline
Reflection
session
shmop
SimpleXML
sockets
SPL
sqlite3
standard
suhosin
tokenizer
wddx
xml
xmlreader
xmlrpc
xmlwriter
xsl
zip
zlib
[Zend Modules]
Suhosin

I recommends that you use PHP with a reduced modules for performance and security. For example, you can disable sqlite3 module by deleting (removing) configuration file , OR renaming (moving) a file called /etc/php.d/sqlite3.ini as follows:
# rm /etc/php.d/sqlite3.ini
OR
# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
Other compiled-in modules can only be removed by reinstallating PHP with a reduced configuration. You can download php source code from php.net and compile it as follows with GD, fastcgi, and MySQL support:

./configure --with-libdir=lib64 --with-gd --with-mysql --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --cache-file=../config.cache --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d  --enable-fastcgi --enable-force-cgi-redirect

See how to compile and reinstall php on Unix like operating system for more information.

#3: Restrict PHP Information Leakage

To restrict PHP information leakage disable expose_php. Edit /etc/php.d/secutity.ini and set the following directive:

expose_php=Off

When enabled, expose_php reports to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.3). The PHP logo guids (see example) are also exposed, thus appending them to the URL of a PHP enabled site will display the appropriate logo. When expose_php enabled you can see php version using the following command:
$ curl -I http://www.cyberciti.biz/index.php
Sample outputs:

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3
Content-type: text/html; charset=UTF-8
Vary: Accept-Encoding, Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session
Last-Modified: Thu, 03 Nov 2011 22:32:55 GMT
...

I also recommend that you setup the ServerTokens and ServerSignature directives in httpd.conf to hide Apache version and other information.

#4: Minimize Loadable PHP Modules (Dynamic Extensions)

PHP supports “Dynamic Extensions”. By default, RHEL loads all the extension modules found in /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in /etc/php.d/ directory and comment the module name. You can also rename or delete module configuration file. For best PHP performance and security, you should only enable the extensions your webapps requires. For example, to disable gd extension, type the following commands:
# cd /etc/php.d/
# mv gd.{ini,disable}
# /sbin/service httpd restart

To enable php module called gd, enter:
# mv gd.{disable,ini}
# /sbin/service httpd restart

#5: Log All PHP Errors

Do not expose PHP error messages to all site visitors. Edit /etc/php.d/security.ini and set the following directive:

display_errors=Off

Make sure you log all php errors to a log file:

log_errors=Onerror_log=/var/log/httpd/php_scripts_error.log
#6: Disallow Uploading Files

Edit /etc/php.d/security.ini and set the following directive to disable file uploads for security reasons:

file_uploads=Off

If users of your application need to upload files, turn this feature on by setting upload_max_filesize limits the maximum size of files that PHP will accept through uploads:

file_uploads=On# user can only upload upto 1MB via phpupload_max_filesize=1M
#7: Turn Off Remote Code Execution

If enabled, allow_url_fopen allows PHP’s file functions — such as file_get_contents() and the include and require statements — can retrieve data from remote locations, like an FTP or web site.

The allow_url_fopen option allows PHP’s file functions – such as file_get_contents() and the include and require statements – can retrieve data from remote locations using ftp or http protocols. Programmers frequently forget this and don’t do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. Edit /etc/php.d/security.ini and set the following directive:

allow_url_fopen=Off

I also recommend to disable allow_url_include for security reasons:

allow_url_include=Off
#8: Enable SQL Safe Mode

Edit /etc/php.d/security.ini and set the following directive:

sql.safe_mode=On

If turned On, mysql_connect() and mysql_pconnect() ignore any arguments passed to them. Please note that you may have to make some changes to your code. Third party and open source application such as WordPress, and others may not work at all when sql.safe_mode enabled. I also recommend that you turn off magic_quotes_gpc for all php 5.3.x installations as the filtering by it is ineffective and not very robust. mysql_escape_string() and custom filtering functions serve a better purpose (hat tip to Eric Hansen):

magic_quotes_gpc=Off
#9: Control POST Size

The HTTP POST request method is used when the client (browser or user) needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Attackers may attempt to send oversized POST requests to eat your system resources. You can limit the maximum size POST request that PHP will process. Edit /etc/php.d/security.ini and set the following directive:

; Set a realistic value herepost_max_size=1K

The 1K sets max size of post data allowed by php apps. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize. I also suggest that you limit available methods using Apache web server. Edit, httpd.conf and set the following directive for DocumentRoot /var/www/html:

 <Directory /var/www/html>    <LimitExcept GET POST>        Order allow,deny    </LimitExcept>## Add rest of the config goes here... ##</Directory>
#10: Resource Control (DoS Control)

You can set maximum execution time of each php script, in seconds. Another recommend option is to set maximum amount of time each script may spend parsing request data, and maximum amount of memory a script may consume. Edit /etc/php.d/security.ini and set the following directives:

# set in secondsmax_execution_time = 30max_input_time = 30memory_limit = 40M
#11: Install Suhosin Advanced Protection System for PHP

From the project page:

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

See how to install and configure suhosin under Linux operating systems.

#12 Disabling Dangerous PHP Functions

PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in /etc/php.d/security.ini using disable_functions directive:

 disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
#13 PHP Fastcgi / CGI – cgi.force_redirect Directive

PHP work with FastCGI. Fascgi reduces the memory footprint of your web server, but still gives you the speed and power of the entire PHP language. You can configure Apache2+PHP+FastCGI or cgi as described here. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://www.cyberciti.biz/cgi-bin/php/hackerdir/backdoor.php. Turn on cgi.force_redirect for security reasons. Edit /etc/php.d/security.ini and set the following directive:

; Enable cgi.force_redirect for security reasons in a typical *Apache+PHP-CGI/FastCGI* setupcgi.force_redirect=On
#14 PHP User and Group ID

mod_fastcgi is a cgi-module for Apache web server. It can connect to an external FASTCGI server. You need to make sure php run as non-root user. If PHP executes as a root or UID under 100, it may access and/or manipulate system files. You must execute PHP CGIs as a non-privileged user using Apache’s suEXEC or mod_suPHP. The suEXEC feature provides Apache users the ability to run CGI programs under user IDs different from the user ID of the calling web server. In this example, my php-cgi is running as phpcgi user and apache is running as apache user:
# ps aux | grep php-cgi
Sample outputs:

phpcgi      6012  0.0  0.4 225036 60140 ?        S    Nov22   0:12 /usr/bin/php-cgi
phpcgi      6054  0.0  0.5 229928 62820 ?        S    Nov22   0:11 /usr/bin/php-cgi
phpcgi      6055  0.1  0.4 224944 53260 ?        S    Nov22   0:18 /usr/bin/php-cgi
phpcgi      6085  0.0  0.4 224680 56948 ?        S    Nov22   0:11 /usr/bin/php-cgi
phpcgi      6103  0.0  0.4 224564 57956 ?        S    Nov22   0:11 /usr/bin/php-cgi
phpcgi      6815  0.4  0.5 228556 61220 ?        S    00:52   0:19 /usr/bin/php-cgi
phpcgi      6821  0.3  0.5 228008 61252 ?        S    00:55   0:12 /usr/bin/php-cgi
phpcgi      6823  0.3  0.4 225536 58536 ?        S    00:57   0:13 /usr/bin/php-cgi

You can use tool such as spawn-fcgi to spawn remote and local FastCGI processes as phpcgi user (first, add phpcgi user to the system):
# spawn-fcgi -a 127.0.0.1 -p 9000 -u phpcgi -g phpcgi -f /usr/bin/php-cgi
Now, you can configure Apache, Lighttpd, and Nginx web server to use external php FastCGI running on port 9000 at 127.0.0.1 IP address.

#15 Limit PHP Access To File System

The open_basedir directive set the directories from which PHP is allowed to access files using functions like fopen(), and others. If a file is outside of the paths defined by open_basdir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. For example only allow access to /var/www/html directory and not to /var/www, or /tmp or /etc directories:

; Limits the PHP process from accessing files outside; of specifically designated directories such as /var/www/html/open_basedir="/var/www/html/"; ------------------------------------; Multiple dirs example; open_basedir="/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"; ------------------------------------
#16 Session Path

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site. This path is defined in /etc/php.ini file and all data related to a particular session will be stored in a file in the directory specified by the session.save_path option. The default is as follows under RHEL/CentOS/Fedora Linux:

session.save_path="/var/lib/php/session"; Set the temporary directory used for storing files when doing file uploadupload_tmp_dir="/var/lib/php/session"

Make sure path is outside /var/www/html and not readable or writeable by any other system users:
# ls -Z /var/lib/php/
Sample outputs:

drwxrwx---. root apache system_u:object_r:httpd_var_run_t:s0 session

Note: The -Z option to the ls command display SELinux security context such as file mode, user, group, security context and file name.

#17 Keep PHP, Software, And OS Up to Date

Applying security patches is an important part of maintaining Linux, Apache, PHP, and MySQL server. All php security update should be reviewed and applied as soon as possible using any one of the following tool (if you’re installing PHP via a package manager):
# yum update
OR
# apt-get update && apt-get upgrade
You can configure Red hat / CentOS / Fedora Linux to send yum package update notification via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.

Note: Check php.net for the most recent release for source code installations.

#18: Restrict File and Directory Access

Make sure you run Apache as a non-root user such as Apache or www. All files and directory should be owned by non-root user (or apache user) under /var/www/html:
# chown -R apache:apache /var/www/html/
/var/www/html/ is a subdirectory and DocumentRoot which is modifiable by other users since root never executes any files out of there, and shouldn’t be creating files in there.

Make sure file permissions are set to 0444 (read-only) under /var/www/html/:
# chmod -R 0444 /var/www/html/
Make sure all directories permissions are set to 0445 under /var/www/html/:
# find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}

A Note About Setting Up Correct File Permissions

The chown and chmod command make sures that under no circumstances DocumentRoot or files contained in DocumentRoot are writable by the Web server user apache. Please note that you need to set permissions that makes the most sense for the development model of your website, so feel free to adjust the chown and chmod command as per your requirements. In this example, the Apache server run as apache user. This is configured with the User and Group directives in your httpd.conf file. The apache user needs to have read access to everything under DocumentRoot but should not have write access to anything.

Make sure httpd.conf has the following directives for restrictive configuration:

 <Directory / >    Options None    AllowOverride None    Order allow,deny</Directory>

You should only grant write access when required. Some web applications such as wordpress and others may need a caching directory. You can grant a write access to caching directory using the following commands:
# chmod a+w /var/www/html/blog/wp-content/cache
### block access to all ###
# echo 'deny from all' > /var/www/html/blog/wp-content/cache/.htaccess

#19: Write Protect Apache, PHP, and, MySQL Configuration Files

Use the chattr command to write protect configuration files:
# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/

The chattr command can write protect your php file or files in /var/www/html directory too:
# chattr +i /var/www/html/file1.php
# chattr +i /var/www/html/

#20: Use Linux Security Extensions (such as SELinux)

Linux comes with various security patches which can be used to guard against misconfigured or compromised server programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel and Apache web server. To list all Apache SELinux protection variables, enter:
# getsebool -a | grep httpd
Sample outputs:

allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

To disable Apache cgi support, enter:
# setsebool -P httpd_enable_cgi off
See Red Hat SELinux guide for more information.

#21 Install Mod_security

ModSecurity is an open source intrusion detection and prevention engine for web applications. You can easily install mod_security under Linux and protect apache and php based apps from xss and various other attacks:

 ## A few Examples ### Do not allow to open files in /etc/SecFilter /etc/ # Stop SQL injectionSecFilter "delete[[:space:]]+from"SecFilter "select.+from"
#22 Run Apache / PHP In a Chroot Jail If Possible

Putting PHP and/or Apache in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use traditional chroot kind of setup with Apache. However, I recommend FreeBSD jails, XEN virtulization, KVM virtulization, or OpenVZ virtualization which uses the concept of containers.

#23 Use Firewall To Restrict Outgoing Connections

The attacker will download file locally on your web-server using tools such as wget. Use iptables to block outgoing connections from apache user. The ipt_owner module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain. In this example, allow vivek user to connect outside using port 80 (useful for RHN or centos repo access):

 /sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED  -j ACCEPT

Here is another example that blocks all outgoing connections from apache user except to our own smtp server, and spam validation API service:

 # ..../sbin/iptables --new-chain apache_user/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT/sbin/iptables --append OUTPUT -m owner --uid-owner apache -j apache_user# allow apache user to connec to our smtp server/sbin/iptables --append apache_user -p tcp --syn -d 192.168.1.100 --dport 25 -j RETURN# Allow apache user to connec to api server for spam validation/sbin/iptables --append apache_user -p tcp --syn -d  66.135.58.62 --dport 80 -j RETURN/sbin/iptables --append apache_user -p tcp --syn -d  66.135.58.61 --dport 80 -j RETURN/sbin/iptables --append apache_user -p tcp --syn -d  72.233.69.89 --dport 80 -j RETURN/sbin/iptables --append apache_user -p tcp --syn -d  72.233.69.88 --dport 80 -j RETURN########################### Add more rules here ############################ No editing below# Drop everything for apache outgoing connection/sbin/iptables --append apache_user -j REJECT
#24 Watch Your Logs & Auditing

Check the apache log file:
# tail -f /var/log/httpd/error_log
# grep 'login.php' /var/log/httpd/error_log
# egrep -i "denied|error|warn" /var/log/httpd/error_log

Check the php log file:
# tail -f /var/log/httpd/php_scripts_error.log
# grep "...etc/passwd" /var/log/httpd/php_scripts_error.log

Log files will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present or not. The auditd service is provided for system auditing. Turn it on to audit SELinux events, authetication events, file modifications, account modification and so on. I also recommend using standard “Linux System Monitoring Tools” for monitoring your web-server.

#25 Run Service Per System or VM Instance

For large installations it is recommended that you run, database, static, and dynamic content from different servers.

///////////////
/ ISP/Router /
//////////////
  \
   |
   Firewall
     \
      |
     +------------+
     | LB01       |
     +------------+                 +--------------------------+
                  |                 | static.lan.cyberciti.biz |
		  +-----------------+--------------------------+
                                    | phpcgi1.lan.cyberciti.biz|
                                    +--------------------------+
                                    | phpcgi2.lan.cyberciti.biz|
                                    +--------------------------+
                                    | mysql1.lan.cyberciti.biz |
                                    +--------------------------+
                                    | mcache1.lan.cyberciti.biz|
                                    +--------------------------+

(Fig.01: Running Services On Separate Servers)

Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised. For example, if an attacker able to successfully exploit a software such as Apache flow, he / she will get an access to entire server including other services running on the same server (such as MySQL, e-mail server and so on). But, in the above example content are served as follows:

  1. static.lan.cyberciti.biz – Use lighttpd or nginx server for static assets such as js/css/images.
  2. phpcgi1.lan.cyberciti.biz and phpcgi2.lan.cyberciti.biz – Apache web-server with php used for generating dynamic content.
  3. mysql1.lan.cyberciti.biz – MySQL database server.
  4. mcache1.lan.cyberciti.biz – Memcached server is very fast caching system for MySQL. It uses libevent or epoll (Linux runtime) to scale to any number of open connections and uses non-blocking network I/O.
  5. LB01 – A nginx web and reverse proxy server in front of Apache Web servers. All connections coming from the Internet addressed to one of the Web servers are routed through the nginx proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web servers. LB01 provides simple load-balancing.
#26 Additional Tools

From the project page:

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

You can use PHPIDS to detect malicious users, and log any attacks detected for later review. Please note that I’ve personally not used this tool.

From the project page:

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Security Information About PHP Application

Fig.02: Security Information About PHP Application

See Linux security hardening tips which can reduce available vectors of attack on the system.

A Note About PHP Backdoors

You may come across php scripts or so called common backdoors such as c99, c99madshell, r57 and so on. A backdoor php script is nothing but a hidden script for bypassing all authentication and access your server on demand. It is installed by an attackers to access your server while attempting to remain undetected. Typically a PHP (or any other CGI script) script by mistake allows inclusion of code exploiting vulnerabilities in the web browser. An attacker can use such exploiting vulnerabilities to upload backdoor shells which can give him or her a number of capabilities such as:

  • Download files
  • Upload files
  • Install rootkits
  • Set a spam mail servers / relay server
  • Set a proxy server to hide tracks
  • Take control of server
  • Take control of database server
  • Steal all information
  • Delete all information and database
  • Open TCP / UDP ports and much more

Tip: How Do I Search PHP Backdoors?

Use Unix / Linux grep command to search c99 or r57 shell:
# grep -iR 'c99' /var/www/html/
# grep -iR 'r57' /var/www/html/
# find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99
# grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/

Conclusion

Your PHP based server is now properly harden and ready to show dynamic webpages. However, vulnerabilities are caused mostly by not following best practice programming rules. You should be consulted further resources for your web applications security needs especially php programming which is beyond the scope of sys admin work.

References:

  1. PHP security – from the official php project.
  2. PHP security guide – from the PHP security consortium project.
  3. Apache suseexec – documentation from the Apache project.
  4. Apache 2.2 – security tips from the Apache project.
  5. The Open Web Application Security Project – Common types of application security attacks.

Recommended readings:

  1. PHP Security Guide: This guide aims to familiarise you with some of the basic concepts of online security and teach you how to write more secure PHP scripts. It’s aimed squarely at beginners, but I hope that it still has something to offer more advanced users.
  2. Essential PHP Security (kindle edition): A book about web application security written specifically for PHP developers. It covers 30 of the most common and dangerous exploits as well as simple and effective safeguards that protect your PHP applications.
  3. SQL Injection Attacks and Defense This book covers sql injection and web-related attacks. It explains SQL injection. How to find, confirm, and automate SQL injection discovery. It has tips and tricks for finding SQL injection within the code. You can create exploits using SQL injection and design to avoid the dangers of these attacks.

Please add your favorite php security tool or tip in the comments.

Updated for accuracy!

sumber dari : www.cybercity.biz


Pendahuluan

Sebagai pendahuluan kita baca dulu, apa itu Apache Solr dari blog http://bengkeljava.posterous.com/apache-solr.

Apa itu solr? dapet dari situ resminya http://lucene.apache.org/solr/ sih ini katanya : “Solr is the popular, blazing fast open source enterprise search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing distributed search and index replication, and it powers the search and navigation features of many of the world’s largest internet sites.”. Kalau bingung ngartiinnya (saya juga agak bingung tuh bacanya baru dapet tadi 😀 ) saya jelasin pake pengalaman saya pake solr nya aja deh. Kalau udah pada tau lucene, gampangnya solr ini servernya dari lucene : “Lucene is an open source, high-performance text search engine library. Solr can be described succinctly as the server-ization of Lucene.”.  Solr ini salah satu fungsinya ngebantu kita dalam pencarian data(fitur full-text search dan indexing), ketika kita punya banyak sekali document dan kesulitan untuk melakukan pencarian pada document tersebut bisa menggunakan solr agar lebih mudah. Fungsi – fungsi yang lain, bisa ngebantu dalam klasifikasi (fitur more like this), faceting, dll.

Mungkin ada yang bertanya – tanya, kok ga pake “database biasa”/RDBMS aja kayak postgre, oracle , dll? Kata ebook yang saya baca sih gini, perbedaan utamanya adalah solr atau lucene menggunakan satu table tanpa ada dukungan relasi antar table berbeda dengan RDBMS pada umumnya. Aneh memang, tapi katanya dengan cara itu indexing akan berisi data yang mendukung pencarian bukan malah berisi data yang akan dicari. Pada database umumnya kita melakukan pencarian dengan menggunakan suatu substring, misalkan SELECT * FROM anyTable WHERE anyField LIKE ‘%Books%’ hasilnya bisa ‘MyBooks’ atau ‘CookBooks’, dengan menggunakan solr bisa didapatkan bentuk lain dari kata tersebut misalnya book:singular, bahkan phonetic(sounds of human speech) matches mungkin dilakukan. Dengan ada nya kemampuan pemberian skor pada hasil pencarian, solr bukan hanya menampilkan hasil berdasarkan kata yang cocok tetapi juga terurut berdasarkan berapa banyak kata yang cocok dengan pencarian yang dilakukan atau skoring berdasarkan faktor – faktor lain.

Daripada makin bingung(yang ngejelasinnya yang bingung maksudnya :D), kita coba aja langsung.

1.       Pastikan java (minimal jre) sudah terinstall.
2.       Downloading solr, akses http://apache.the.net.id/lucene/solr/3.3.0/ . download file yang dirasa paling cocok untuk operating system anda.
3.       Extract file hasil download.
4.       Secara default solr akan running pada port 8983, untuk mengubahnya ada pada file etc/jetty.xml , cari SystemProperty dengan name jetty.port.
5.       Execute file start.jar , pada command prompt/terminal dapat dilakukan dengan java -jar start.jar
6.    Akses http://localhost:8983/solr/admin/ untuk memastikan apakah solr berjalan dengan benar. Coba click tombol search dibawah text area query. Pada saat pertama kali running data pada solr akan kosong, karena memang kita belum melakukan input apa pun.
7.       Pada folder example/exampledocs terdapat post.jar untuk mengisi document – document dummy yang dipersiapkan solr untuk kita melakukan beberapa experiment. Execute post.jar. lalu lakukan kembali search.

Ok, seharusnya ketika mencoba melakukan search ‘solr’ terdapat beberapa document yang muncul sebagai result. Kalau sudah berhasil sampai situ berarti solr nya sudah berhasil di install.

Buku-buku penunjang

Buku penunjang untuk belajar apache solr bisa didownload di www.torrentku.com. Untuk mendownload buku aslinya kita bisa menggunakan software torrent klien seperti utorrent, atau vuze untuk mengeksekusi file torrent yang didapat dari http://www.torrentku.com tadi. Saya sengaja memilih torrent sebagai sarana berbagi file karena, kemungkinan file tersebut korup sangat kecil. 
Selanjutnya kita akan membahas salah satu buku yaitu yang berjudul Apache Solr 3 Enterprise Search server.
Apache Solr 3
Bersambung di posting berikutnya …