Mscott's mindless security tips

It is 4am in beautiful Orlando Florida and I can't sleep... so what better to do with my time in the wake of recent events than to spurt out trivial tricks and tips to secure your site... here we go:

1. Rename your files and directories

Hackers are LAZY (if they weren't they would be "security consultants") and they do most of their hacking "blindly".. what I mean is they find sites and files to exploit through "bots" that search the internet and randomly try their luck. Have you ever looked at your log and seen tons of hits for files that don't exist? These are bots looking for files that have been found to be exploitable. In Dolphin some files and directories are EASY to rename.. lets take our famous "plugins" directory, just rename it to whatever you like through ftp and then edit /inc/header.inc.php to reflect the change. In the header you will see a line that defines what the directory is like this:

$site['plugins']           = "{$site['url']}plugins/";

Just change it to whatever you named the directory.. for example:

site['plugins']           = "{$site['url']}ihatehackers/";

That will STOP all the automated attempts to exploit any file in that directory. 

Will this work for all directories? No, some are hardcoded.. like "/inc". But if you unzip a copy of Dolphin on your harddrive and use a file search utility it IS possible to change ANY filename or directory in Dolphin.. some are just more work than others.

2. Hide the homepage 

Several of the hacking groups only do one thing when they DO get in.. they change your homepage to their logo (defacement). Just like #1 this is automated.. they overwrite index.php or add one. Well what if your homepage isn't index.php?? Even if their bot gets one in none of your visitors will ever know :-)  How? Simple, rename your index.php (in this example myindex.php) and then put this in your .htaccess:

DirectoryIndex myindex.php

and inside the mod_rewrite block:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.yoursite.com/ [R=301,L]

So any request for http://www.yoursite.com/index.php will be directed to http://www.yoursite.com/  and the new homepage is really myindex.php

If you do this then you need put a line setting it back to index.php inside all the other directories (like admin and ray) OR change it in them too.

Let them wrap their minds around why they got their bogus file in but it isn't showing :-)

3. LOCK down the admin directory

Let's make it so even if a hacker gets his credentials in your database he STILL can't get in the admin... put this inside the .htaccess that is in your /admin directory:

 order deny,allow
 deny from all
 allow from 55.242.132.133
 allow from 141.111.42.41

Just make sure those two IP numbers are your work and home.. or work and girlfriend.. you get the idea. If you have a dynamic ip this won't work, but I think most cable/dsl companies offer a static one free now. This way even if someone gets YOUR password and login they STILL can't get inside the admin area.

4. If you don't need a file or directory DELETE IT!

What am I talking about? Dolphin has lots of files and directories that some of us don't use or need.. if you don't use the built in Dolphin database backup in admin then you don't need the "backup" dir.. it is one of the ones set to 777. If you don't use affiliates then you don't need the affiliates directory. See where I'm going with this? If you don't use groups DELETE it, it is FULL of 777 dirs. If you aren't sure rename the directory and then test everything out to make sure it isn't needed.

5. Put appropriate .htaccess files in the 777 dirs.

.htaccess files are recursive meaning that if you put one in a directory all the subdirectories are effected. So in my media directory I block ALL scripts like this:

<LimitExcept GET>
order deny,allow
deny from all
</Limit>

<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|js.*|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>

That "limitexcept" blocks all "put" and "post" requests too. You CAN'T use this in a directory that has .php files inside it.. or any of the sub-dirs. But it SHOULD be inside ALL the /files directories for each ray widget, and the /media directory.

6. Block "libwww" bots and "remote file includes"

These lines in your home directories .htaccess will block ANY thing with the user agent "libwww" or "Wget".. they are both bad guys 99%  of the time

RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

This lines will block any remote file from being included in a local file, which is what is happening with this recent deal:

RewriteCond %{QUERY_STRING} ^http   [OR]
RewriteCond %{QUERY_STRING} ^.+www\.  [OR]
RewriteCond %{QUERY_STRING} ^.+https  [OR]
RewriteCond %{QUERY_STRING} ^.+\.txt  [OR]
RewriteCond %{QUERY_STRING} ^ftp
RewriteRule .* - [L,F]

These COULD block legitimate things too.. (google search bar I know).. anything that calls a file like www.yoursite.com/filegetter.php?file=http://www.othersite.com/file.txt will be blocked by this.. luckily most things don't use this.

IN SUMMATION

This isn't everything.. just the more sneaky stuff. Remember by doing these things you are being PROACTIVE.. when the next "security advisory" hits even if you DO have a file that is vulnerable and you DO have register_globals on (for GOD SAKES  DON'T have it on!!!) then they won't be able to find that file.

Remember most of these tips combat the lazy hackers, but as luck would have it that is 90% of them. Also, these are mostly for the people on shared hosting.. if you have access to mod_security then you have a whole seperate bag of tricks..

If anyone has read this far THANKS!

Good night and good luck

Mike