Securing files

Posted: Sat May 27, 2006 1:36 pm
by evropa
I've been reading an article on PHP security, but I still have the following questions:

1) Should I place my connect file (for PHP scripts) somewhere other than public_html?

2) Is it normal that users can access files if they know the exact name when I have set index as forbidden?

3) My .htaccess file has a ban list which looks like the following:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteRule ^.* - [F,L]

I didn't paste the whole ban list, but my question is: is there something I should include in my .htaccess to prevent attacks?

4) What files should be placed in public_html and what shouldn't?

5) Do password-protected directories actually work? And when should they be used?

6) I am already validating my users using sessions, stripping slashes/HTML characters, and encrypting passwords. Should I be doing anything else?

7) Any general suggestions on how to secure my files/web server?

Re: Securing files

Posted: Sat May 27, 2006 5:35 pm
by RobertGonzalez
evropa wrote: I've been reading an article on PHP security, but I still have the following questions:

1) Should I place my connect file (for PHP scripts) somewhere other than public_html?

Yes, place it in your server/virtual server root, one level up from public_html.

evropa wrote: 2) Is it normal that users can access files if they know the exact name when I have set index as forbidden?

You might want to change the permissions of a file at the file level (maybe to 000), but that would make it essentially unusable.

evropa wrote: 3) My .htaccess file has a ban list which looks like the following:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteRule ^.* - [F,L]

I didn't paste the whole ban list, but my question is: is there something I should include in my .htaccess to prevent attacks?

It takes work, but I think even .htaccess files are susceptible to attack. I could be wrong about this, though.

evropa wrote: 4) What files should be placed in public_html and what shouldn't?

Any files you want the general public to be able to access.

evropa wrote: 5) Do password-protected directories actually work? And when should they be used?

If you are talking about .htaccess protection, it is a fair, but very annoying, way to protect a directory. What are you trying to protect?

evropa wrote: 6) I am already validating my users using sessions, stripping slashes/HTML characters, and encrypting passwords. Should I be doing anything else?

Dude, this is a question with implications far beyond this little thread. I would take a look at googling 'securing protecting <insert_server_OS_here>'. On another note, I would also suggest developing with security in mind. There are a lot of little things you can do in your code to make files and directories unreadable.

evropa wrote: 7) Any general suggestions on how to secure my files/web server?

See the previous response.
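Added example, not from either poster: an Apache .htaccess that puts the answers to questions 1, 2, 3 and 5 into working config. It assumes a layout of /home/site/public_html as the document root, /home/site/config/db.php as the connect file one level up (as the reply recommends), and /home/site/.htpasswd for the protected area; those paths, the "admin" directory name and the Apache 2.4 access syntax are assumptions for illustration. The user-agent ban list is the one from the post, reproduced unchanged.

```apache
# --- /home/site/public_html/.htaccess (assumed path) ---

# Q1: the DB connect file is NOT under public_html, so Apache can never serve
# it. PHP still reaches it by filesystem path, e.g.
#   require '/home/site/config/db.php';
# Nothing in this file can protect a file that has no business being served.

# Q2: "index forbidden" only disables directory listings. Any file under
# public_html is still sent to whoever guesses or knows its name, so the
# files that must not be fetched directly need an explicit deny.
Options -Indexes

# Deny direct requests for include files, SQL dumps, editor backups and logs
# (common leftovers that leak source, credentials or data). Apache 2.4 syntax;
# on 2.2 use "Order deny,allow" / "Deny from all" inside the block instead.
<FilesMatch "\.(inc|inc\.php|sql|bak|old|log|ini)$">
    Require all denied
</FilesMatch>

# Also refuse to serve dotfiles such as .htaccess and .htpasswd themselves.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Q3: the ban list from the post. Caveat: User-Agent is chosen by the client,
# so this only stops tools that announce themselves; it does not prevent
# attacks, and the last condition must not carry [OR].
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo
RewriteRule ^.* - [F,L]

# --- /home/site/public_html/admin/.htaccess (assumed path) ---

# Q5: a password-protected directory. The password file lives outside the
# document root; create it once with:  htpasswd -c /home/site/.htpasswd alice
# Basic auth sends the password base64-encoded on every request, so it is only
# meaningful over HTTPS, and it protects the directory, not the PHP code's own
# session logic.
AuthType Basic
AuthName "Admin area"
AuthUserFile /home/site/.htpasswd
Require valid-user
```

Check the deny rules from outside the box: a request for a name matched by the FilesMatch blocks should return 403, and a request for /config/db.php should return 404 because that path does not exist under the document root at all. If both come back 200, the rules are not being read, which on shared hosting usually means .htaccess overrides are disabled (AllowOverride None) in the server's main config.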