What are your Site Hardening Tips?

1    27 May 2018 05:55 by u/TheOmniscientOne

I have a php class for sql injection and I also use stored procedures as well as the mysqli injection protection.

I have integrated fail2ban triggers into my site code and am currently looking at low level hooks in my apache implementation to provide front-line ddos protection. When I say low level, I mean even sitting below where mod_rewrite would live but where I can still parse the request a little bit.

What's new and good in that arena? I am using Debian, so I have a lot of options. Can't get into any detail on my firewalls/netcode but those layers are there.

10 comments

0 u/boredTech 27 May 2018 06:28

a php ...

You're doomed.

0 u/TheOmniscientOne [OP] 27 May 2018 06:55

What do you suggest as a front end language?

My entire codebase is hand-written at this point and therefore doesn't have any heavy frameworks or bloat. Mysql/InnoDB does most of the heavy lifting so it's really just a display app.

0 u/boredTech 27 May 2018 07:10

You're starting from the wrong end if you want to build a strong app.

If you're looking to lock things down you need your own server. From there you need to isolate it in a vm off of your network (you do not want the same IP as your home system). Setup a firewall on your router, host OS, and vm OS. From there you should lock down the vm OS to only work with the local IP address and remote into the host for modifying the system. Drop on docker so that it creates an image that you can take down and bring back up. Have it setup so that you can cycle these every 15 minutes. You also should have a load balancer to send to the correct systems.

This is just getting started. You are basically toying with XAMPP stack, which is fine for beginner projects, but if you want to build anything further then a toy you're going to have to learn a shit ton more.

Also, my preferred language for building webapps is haskell. Fuck, I wish it wasn't built by the jews.

0 u/TheOmniscientOne [OP] 27 May 2018 07:28

Thanks for the notes.

Assuming I had my own server, why would a VM be any more secure than just running a masqueraded address/virtualhost? Physically same NIC and hardware etc, so you're assuming the VM somehow jails them into the VM environment? I'm not arguing with you, just that I generally prefer the reduction of complexity. A firewall on the host system is going to be performing the same functions whether port 80 is coming from a VMware host or a Web Server frontend.

I am using a Virtual Server on one project with really old code base though. What's your favorite these days?

1 u/boredTech 27 May 2018 08:01

why would a VM be any more secure than just running a masqueraded address/virtualhost?

And when it all goes to shit can you just bounce open an image from when the system wasn't going to shit. It's not the best solution, but it saves your work. Take Murphy's Law to heart.

Physically same NIC and hardware etc, so you're assuming the VM somehow jails them into the VM environment?

No, but it does provide an extra layer of defense. Jails can always be broken, but it requires a specialized worm to get through them. Whoever is attacking you will have to have that specialized bit of code to break the jail. Look at https://www.qubes-os.org/ for an idea of why they do this.

just that I generally prefer the reduction of complexity

In my experience, that's a good principle, but what you think of as complexity to somebody else comes as common sense and easy. You learn the tech and tinker with it. When it's no longer a complex thing to diagram and work with then it's just there as a wrapper around what you're already working with. You have the concept for what you want, you're looking into how to defend it. To a security person it may be more annoying to design a webpage (because they don't know how to make it easy) then it is to secure a server. Different areas of knowledge.

I am using a Virtual Server on one project with really old code base though. What's your favorite these days?

I don't have one. I work with assholes that push shit on me (updates, updates, updates) and the things I like are taken away. Honestly, windows isn't that bad, but flakey. Linux is solid (flavor really doesn't matter) but annoying to get stuff done on. But, in the end if you don't have full control over the server then you're hoping that the VS isn't on a shit system that lets the servers chat with one another and bang viruses everywhere (usually they're better then that, but I'm paranoid and get irritated when I have to put in a ticket to get something fixed (and then it doesn't)).

0 u/TheOmniscientOne [OP] 27 May 2018 08:05

Qubes is cool. You can use the same concept and just put your Webserver into one and your DB into another and a tiny little squid proxy in the only one facing the public. When you roll your own they have to as well! I haven't used qubes yet but I have used a partitioned OS before. For now though I just use firejail+apparmor.

Thanks for the ideas, I think they will help further me along.

0 u/i_scream_trucks 27 May 2018 08:17

lots and lots of black nasty.

that will keep anything secure.

permanently.

0 u/TheOmniscientOne [OP] 27 May 2018 09:09

https://efukt.com/21627_Mother_Fucking_T_Rex.html

0 u/maelask3 27 May 2018 19:38

what the fuck.

0 u/TheOmniscientOne [OP] 28 May 2018 06:44

Black Nasty and Security.

Do u even MetaCognition Bro :?