Security - Ubuntu [LINUX] and others.

Bill Clinton

So here are some tips for securing your website if you're on Ubuntu [Linux]:

- Never log in as 'root' user
- Disallow root login through settings
- Create an account with a secure password and grant it sudo privileges
- Do not share sudo privileges
- Do not use FTP, use SFTP

If you are on ANY system and using MySQL, be sure to prepare your statements and properly bind parameters.

What I mean by this is to secure yourself from something called SQL INJECTION.

To test whether your site is vulnerable to SQL INJECTION, put a single quotation mark ' at the end of your URL.

To prepare statements, simply put ->prepare instead of ->query before your statement and use bindParam.

Ex of above:

WRONG:
Code:
$con->query("SELECT * FROM cats WHERE id=:id");

RIGHT:
Code:
$con->prepare("SELECT * FROM cats WHERE id=:id");

To bindParam, never use PHP variables in statements, as they are a direct injection vulnerability; use words with semicolons before them instead.

For the sake of an example, we will pretend that $id is the $_GET['id'].
So in php it would look like this:

$id = $_GET['id'];

An example of an incorrect statement is:

Code:
// $id is interpolated straight into the SQL text, so the request parameter becomes part of the statement
$query = $con->prepare("SELECT * FROM cats WHERE id = $id");
$query->execute();

An example of a correct statement is:

Code:
// the SQL text is fixed here; :id is only a placeholder
$query = $con->prepare("SELECT * FROM cats WHERE id = :id");
// the value is sent separately and is never parsed as SQL
$query->bindParam(':id', $id);
$query->execute();

This is how you secure SQL on your site.

I hope you enjoyed this tutorial 🙂
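The two statements from the tutorial side by side, as an added example that is not part of the original post: it uses an in-memory SQLite database through PDO (assumed available) so it runs offline, and feeds both versions a normal id and the single-quote probe the post describes.

```php
<?php
// Added example, not the post author's code: an in-memory SQLite table named
// "cats" (constructed here) stands in for the site's MySQL database.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec("CREATE TABLE cats (id INTEGER PRIMARY KEY, name TEXT)");
$con->exec("INSERT INTO cats (id, name) VALUES (1, 'Tom'), (2, 'Felix')");

// Constructed inputs: what $_GET['id'] might hold for a normal request,
// and the trailing single quote the post uses as its vulnerability check.
$inputs = ['1', "1'"];

foreach ($inputs as $id) {
    // WRONG: the PHP variable is interpolated into the SQL text, so whatever
    // the client sent is handed to the database as part of the statement.
    try {
        $query = $con->prepare("SELECT * FROM cats WHERE id = $id");
        $query->execute();
        $rows = $query->fetchAll(PDO::FETCH_ASSOC);
        printf("interpolated, input %-5s -> %d row(s)\n", var_export($id, true), count($rows));
    } catch (PDOException $e) {
        // The stray quote breaks the statement: the database is parsing user
        // input as SQL, which is exactly the condition the probe detects.
        printf("interpolated, input %-5s -> SQL error: %s\n", var_export($id, true), $e->getMessage());
    }

    // RIGHT: the statement is fixed at prepare time and the value is bound
    // afterwards, so it can only ever be compared against id, never parsed.
    $query = $con->prepare("SELECT * FROM cats WHERE id = :id");
    $query->bindParam(':id', $id);
    $query->execute();
    $rows = $query->fetchAll(PDO::FETCH_ASSOC);
    printf("prepared,     input %-5s -> %d row(s)\n", var_export($id, true), count($rows));
}
```

With the prepared statement the quoted input simply matches no row, while the interpolated version raises a syntax error, which is the difference the post's URL test is looking for.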
Oh, I use FTP (FileZilla) and you recommend SFTP. How is it different?

FTP isn't secure, all data sent in and out is clear text. Someone sitting in the middle could use a packet sniffer to intercept the traffic and see your TCP traffic, including EVERYTHING you type into the GUI or CLI. SFTP uses encryption to secure the traffic. Someone could still intercept the traffic, but they wouldn't be able to make anything out of it.
Deploying things with Git is usually nice and usually defaults to something sensibly secure.
It also means that you don't fuss with nonsense on your computer when you could just run a command to pull something down.

FTP: Half an hour and involves fiddling around with permissions and what-not and the thing screams if it tries to overwrite things. I've been there many, many years ago.

Git: A few seconds.

wget: A few seconds.

Also, you don't need to fiddle around with setting up FTP accounts which adds a whole layer of insecurity.

And the biggest way to avoid security issues over anything else is to use something that is not PHP; you could literally run anything else with root and it would probably still be a hundred times more secure, although I would advise not running web-facing applications as root.

https://gosora-project.com/topic/what-is-a-sql-injection.35
And speaking of SQL Injections, I go over it a bit there, although you do need to consider XSS and to really tackle that, you need a good modern template system.

Also, if you're using PHP, then there's a remote code execution vulnerability (the highest and worst class of security vulnerabilities) in deserialize(), never ever, ever use that.

An adversary can do anything with it, including potentially stealing the credentials for the VPS' accounts, they can dump the database, they can install a virus, they can do anything that PHP can do.
vB5 got bitten by it and a bunch of others. Use JSON instead.

I have a more verbose article for this sort of stuff somewhere on FP.