Fedora Security :: Securing PHP And PostgreSQL

Nov 19, 2009

I'm still new to PHP and SQL, but all the tutorials I've found connect to the database like this:

PHP Code:

Right now I'm just doing local network tests before exposing everything to the Internet.

Wouldn't leaving the password in there as plain text be a huge security issue? I tried downloading the php file off the server, and it just comes down blank. So does PHP already have a security feature that doesn't allow anyone to just nab PHP files off the server?

And for Postgre, I have pg_hba.conf set up to "trust" it's own IP address:

Code:

Would I need to use something like Kerberos, PAM, or ident authentication? Right now the only plan is to use it as login system for a website. The clients themselves won't be accessing the DB itself, because all the DB access will be through PHP.

View 4 Replies


ADVERTISEMENT

Security :: Securing My Postgresql Database ?

Jan 5, 2010

I run Slackware 13.0 and I have an apache server 2.2.13 with a postgresql 8.4.1 database attached to it via php 5.3.0. Both the apache server and the postgresql database are on the same machine.

I have the apache server port 80 exposed to the WAN. It is not a fqdm, it's just a simple IP address. On my index page, a user can login with a user/password that encrypts to md5 via postgresql and takes them into the database.

Here is the vulnerability. Can't a hacker just scan port 80 and find my ip address running apache. Go to my index page, see that I accept user/password for authentication into my postgresql database. Then they could setup a script to simply inject html GET requests of random users and passwords and use those values on the php page(the one where the action link is pointing to in the form tag) that contains user login/password in php to login to my postgresql database. There's nothing stopping that. It would be a simple dictionary attack.

I checked out postgresql documentation and it suggested using ldap, kerberos, or md5 and not trust. I'm using md5 already. I currently use fail2ban for proftpd and sshd and it works great. After 6 failed user/pass attempts on either of these services, the IP gets banned via iptables for 24 hours. I love it. I was wondering if I could use that. Of course postgresql port is not exposed to the WAN which is a good thing. I know that when I put in a wrong user/pass from my index page, I get sent to a default postgresql pg_connect warning page. Perhaps I can increase the verbosity of postgresql's logger, find the phrase that it spits out when there's been a bad login and create a filter using that.

I understand that the way it is currently setup, my server is pretty secure, but where there's a will there's a way. I just feel that my postgresql database is unprotected even tho the postgresql port is not exposed to the WAN. They could just bruteforce from the apache server.

View 12 Replies View Related

Fedora Security :: Securing An FTP Server ?

Mar 11, 2010

I am creating an FTP server using VSFTP. It will be in the wild, initially at least only functioning as an FTP server. I have the iptables config from the previous box I set up 3-4 years ago. I have also got private/public key authentication running with SSH to eliminate brute force attacks.

Here is where is my specific question. On the old server I set up something that allowed my clients to log in using accounts that were not system accounts but would translate to a single system account that was limited to FTP. I remember setting up a passwd account that had username / password pairs that FTP used for authentication.

What app is this? Is it just part of VSFTP or maybe SELInux? I really want to utilize this.

View 2 Replies View Related

Fedora Security :: Securing Security Lab

Jun 29, 2010

I ran the LiveCD of Fedora SecurityLab and noticed these ports open, 111,631, 34526.How can I close them and what runs behind them. I know 111 is rpcbind, 631 ipp and 34526 is unknown.

View 4 Replies View Related

Fedora Security :: Securing A Server For Deployment In Untrusted Zone?

Apr 1, 2010

I have to deploy a server to some customers that should not be given access to the server itself. I know that nothing is 100% secure but I've searched without finding a decent answer (maybe I googled for the wrong terms ?)I need some advice about encrypted filesystem. * The server must boot without asking for a passphrase (the server will be in a restricted access area so typing a password could take a while). I can't store the password for luks in an unencrypted file so it seems a loop to me. The only way out I can see is to store the passphrase in the boot binaries (better than nothing...) but this results in more work for me.* possibly the customer should not be able to move the hard disks to another pc, i.e. reading the passphrase from some unique hardware ID. This is risky but I could add a master passphrase to be used in case of hardware replacement

View 3 Replies View Related

Fedora Security :: Help Securing My Fedora 11 Server

Nov 19, 2009

I am pretty new to the Fedora 11 world. I have maradns installed on it and I'm using it as my server. What is the best way to make my machine secure. This is just a project of mine so I can become familiar with sys admin on Fedora. It doesn't have to be ultra secure, just a decent level of security would be nice. Any links or information would be greatly appreciated. Btw, I currently have selinux disabled. I'm not familiar with it and it was giving me problems so I had to disable it.

View 4 Replies View Related

Fedora Security :: Steps To Securing Fedora 12

Jan 18, 2010

I am relatively new to linux having only used ubuntu 9.10. Trouble is for all the talk of how secure ubuntu is, truth is it kept getting remote hacked (I have a stalker who is messing with me) over and over so now I am going to try fedora in hopes of finally having a secure system. My question is, what steps do I need to take to try to secure Fedora 12?

View 9 Replies View Related

Security :: Securing Port80 From Upload ?

Nov 19, 2010

I am using a linux fedora 12.0 with L7 filter and proxy as the main firewall for my system composed of some several hundred pcs. The port 80 is open for certain mac addresses these computers, that is to say that , only a few of these computers have access to internet and others have been denied. However, they have access to two specific websites on internet .

I would like to know that if there is a virus attack through these websites in form of executable adwares or malwares, can this linux firewall detect any information that might be directed out of those computers to the attacking source? In other words, is there s tuning in L7 filter or any other filter that can detect transfer of files or some bites through port 80 unrelated to normal http requests?

View 1 Replies View Related

Security :: Securing A Linux Centos VPS

Feb 7, 2011

I was looking for some help getting a good list of IP tables and other security measures on my new Linux Centos VPS.. I have some files I wan't no one other than myself to have access to.. I will be running some gameservers on it on ports 7777 and 7778 though and I want to have VSFTPD running for fast file transfers.

View 1 Replies View Related

Security :: Securing Backups Via Rsync And SSL?

Apr 27, 2011

There are multiple servers to be backed up. Different access rights exist in each server. There are two backup servers with plenty of disk space, one local, and one offsite. The local one feeds to the offsite one. The rsync command is being used to make a replica of backed up data. Deleted data is also being archived. There are two methods that have been considered: One is to have the individual servers run rsync which logs in to the backup server to push data. Two is to have the backup server run rsync which logs in to each individual server to pull data. Because system data is involved and meta information (like owning user) must be stored, root is required to access the data as well as to store it. That means everything runs as root both ends. So method one was quickly dismissed because each server would effectively have rights to access ALL the data on the backup server since it logs into the backup server as root. The security containment here involves different groups using different servers, and they need to be isolated from each other.

But even method two involves some risks that are a concern. This means one machine has access rights to every server. If the backup server were compromised, every machine could be compromised.What I'd like to find is some way to allow backups to be run without either machine granting root access to the other, while still running as root, or something equivalent, that allows accessing all data and storing all metadata. So I was looking at setting up an rsync daemon on each individual server (running as root so it can access what it is specified to access), and running an rsync client on the backup server (as root so it can store metadata). This opens network access issues. Any user on the network can connect to the rsync daemon. So password protection is needed. But this communication is also not encrypted, which exposes the password and the data should the network be sniffed.

So now I'm thinking about a non-root ssh login between machines. The backup server would login to a non-privileged user on each individual server and set up a secure forwarding channel to the rsync daemon. Is this the best that can be done? Is there a way to run rsync via SSL with key verification so it can all be done together? I'd like to have the rsync daemons configured to always talk SSL, and always verify the client's key against a list of authorized keys, and likewise the client verify the server's key against the known public key for that server.

View 14 Replies View Related

Security :: Securing Machine Before Opening Up SSH Login?

May 12, 2010

I'm currently using Slackware 13.0 and have my machine behind a Linksys DD-WRT router. I believe the DD-WRT software has all ports blocked by default so opening up my machine for SSH login would only leave my system vulnerable at that port. To give an extra layer of security for that opened port, I've created the following script that would be invoked as the users' shell.

#!/bin/sh
#if SSH_CLIENT defined run nail with $SSH_CLIENT as an argument
if [[ -n ${SSH_CLIENT} ]]; then

[code]....

View 10 Replies View Related

Security :: Securing System For Email Abuse

Jun 25, 2010

I have a mail server that accepts to relay from system in the trusted network. One of the systems in the trusted network is a webserver. On the webserver there are several scripts that send email.Let's focus on the PHP scripts. These use the mail() function for that.I am looking for means to reduce the potential abuse of the mail server when one of the PHP scripts is hacked.For the situation that the code is modified by a hacker or a new script is installed I would like to take this approach:

1) scan the system for scripts using the mail() function
2) generate a checksum list from these scripts
3) intercept email (being sent to sendmail) from these scripts
4) check if they match the checksum list

In theory (I will still have to implement it) this would take care of the situation in which new/modified scripts try to send email.

However, there is also the option of an exploit of some script. Are there any ideas on means to prevent email abuse for this situation (other that: make sure scripts cannot be exploited )?

View 2 Replies View Related

Security :: Tools For Securing Mail Server?

May 21, 2011

iam working on mail server in redhat centos. i want to know how to secure my mail server for heavy loading , any monitoring tools in GUI or console , is any essential tool which is used in Like MNC for mail server..

i know few command in like top,netstat,etc through google but i willing to know some more

View 8 Replies View Related

Ubuntu Security :: Securing SSH Connection For SFTP Server

Jan 19, 2011

I'm running an SFPT server which my clients logon to using an FTP client. at the moment each client has a user name and password.

Thus far to improve security I've disabled root login but an looking for futrhrt ways to protect it from attack, having researched using google some of the security features suggested prevent the FPT clients from connecting.

Questions:
1- what further things can i do to secure my server that still allows it to be usable for FTP clients?
2- specifically is it possible to use non login pre-share key authentication?

How i set up the server is shown here: [url]

View 3 Replies View Related

Ubuntu Security :: Securing Bare-minimum Checklist?

Jul 10, 2011

That's the title of article at[URL]Did ubuntu do all this already or is it that ubuntu isn't secure out of the box that it is assumed to be?explain if these steps are applicable to ubuntu and why/why not.

View 5 Replies View Related

General :: Security - Securing A Server When There Is Potential Physical Access?

Jun 9, 2011

We want to set up a Linux server (hosting Git or later SVN repositories) which should have all stored data strongly encrypted, so that if one steals the server the data cannot be read. For example, our notebooks have all important data stored on a "true-crypted" partition.

We plan to access it with SSH private keys and only after successful login should the data be readable. The server would be located in our office, shut down at night and not be connected to the Internet directly, but only accessible in our intranet.

View 1 Replies View Related

Ubuntu Security :: 'Securing' A .pdf File And Changing The Listed Author?

Aug 18, 2010

I had some help via email from someone drafting my CV into the correct table format with open office. It's a .pdf file but now unfortunately lists the author in the document tab of properties as that person.

Is there anyway to change it to my own name, and also how do I 'secure' the document so that it's not easy for people viewing it to copy and paste, I've heard this is why many people now use .pdf for their CVs/rsums?

View 2 Replies View Related

Security :: ISC Praises Momentous Step Forward In Securing The Domain Name System?

Jul 17, 2010

Quote:

ISC joined other key participants of the internet technical community in celebrating the achievement of a significant milestone for the Domain Name System today as the root zone was digitally signed for the first time. This marked the deployment of the DNS Security Extensions (DNSSEC) at the top level of the DNS hierarchy and ushers the way forward for further roll-out of DNSSEC in the top level domains and DNS Service Providers.

View 3 Replies View Related

Fedora :: Setting Up An Securing An FTP Server

Mar 19, 2009

I am having trouble trying to setup an FTP server, so i made a video lesson to show how it is done PROPERLY. I actually had this before, but it was poor quality, and i went through it a little fast; so this time it is better quality and i explain more details. You can find it here:

[Code]...

View 2 Replies View Related

Fedora Servers :: Securing Apache From Php-shell

May 8, 2010

About apache security. How to protect web-server from programms like phpshell [url]?

View 8 Replies View Related

Fedora :: Practice Securing & Scanning System

Nov 29, 2010

Recently I've been going over a few resources (like Guide to the Secure Configuration of Red Hat Enterprise Linux 5) some forum members have provided and I've been using other resources I use for work (like the UNIX STIG requirements). I would like to improve my skill-set on hardening a linux server (for work and personal interest). Is there a specific linux distro I can install that is purposely corrupted/vulnerable where the sole goal is to secure it, and then have the means to scan it to make sure all vulnerabilities are patched and secured?

View 6 Replies View Related

Fedora :: F12 : Downgrading Postgresql To 8.3 ?

Nov 24, 2009

I upgraded my server machine to F12 without realising that postgresql gets upgraded to 8.4, and without realising that 8.4 can't work with 8.3 databases.

Is there a way to install postgresql 8.3 on F12, preferably from Fedora repositories?

Alternatively, is there a way to migrate an 8.3 database to 8.4? I know that the recommended approach is to dump and restore the DB, but now that I have upgraded to F12, the pg_dump command doesn't work anymore.

There is also this open-source tool called pg_migrator but I couldn't find a package for it and it requires a complicated compilation and installation procedure.

The simplest solution seems to me to remove pg 8.4 and install 8.3 on Fedora 12.

View 5 Replies View Related

Fedora :: Postgresql Won't Start In F15

May 31, 2011

I upgraded some days ago from F14 to F15, I once had postgresql-server configured and running, but now I'm getting errors when starting the service and I can't understand where the issue is.

Here some infos

Code:
# /etc/init.d/postgresql start
Starting postgresql (via systemctl): Job failed. See system logs and 'systemctl status' for details.
[FAILED]
Code:
# systemctl --failed
UNIT LOAD ACTIVE SUB JOB DESCRIPTION

[Code]....

View 8 Replies View Related

Fedora Servers :: Downgrading PostgreSQL To 8.2.x?

Feb 1, 2009

Is there any simpler method to downgrading to PostgreSQL 8.2.x? I am installing an application that requires it. I have removed postgresql 8.3 and tried to install some older fedora packages, but it did not go well.

My next step was to compile from scratch. However, I'm not real experienced with make/compiling and am fond of the organizational structure of RPMs.

The other option I could pursue is keeping 8.3 and installing an isolated 8.2 server for exclusive use by this app.

View 1 Replies View Related

Fedora Installation :: How To Start With Postgresql

Jun 30, 2010

I want to know how to start with postgresql

os using : fedora 10
installed postgresql with the DVD rom , by clicking the check box while installing fedora

i tried postmaster , initrd , psql commands.... (command not found error coming)

i created a local user ...........]#adduser postgresql password : 123456
for working with postgre.

as one of my friend told i installed phpPgAdmin also ...........]# yum install phpPgAdmin

now i just want to work with the postgresql....!!!

and i need full steps as i am a beginner...

View 2 Replies View Related

Fedora Servers :: Unable To Connect To The Postgresql

Jun 21, 2009

I have recently Installed Fedora 11. I have installed postgres like yum install postgresql but I wonder there is no user created for postgres when I tried su postgres system says, no identity for user postgres. even when I tried to connect postgres server using psql then it says

Code:

psql: could not connect to server: No such file or directory

Is the server running locally and accepting connections on Unix domain socket "/tmp/.s.PGSQL.5432"?

View 1 Replies View Related

Fedora Servers :: Cannot Create DB On PostgreSQL Ascultaţi

Feb 6, 2011

I have tried to create a Postgresql DB from Konsole, but it could not. I received the following messages:

root@fedora-system ~]# chkconfig postgresql on
[root@fedora-system ~]# /etc/init.d/postgresql initdb
Initializing database: [ OK ]

[code]....

View 4 Replies View Related

Fedora :: PostgreSQL's PgAdmin3 Query Mode Crashes On 15 X86-64

Aug 11, 2011

this is my first post right here. I'm running on my first Fedora full experience, then I'm not so experienced about the specific details of the distro. Coming from Ubuntu (and certainly sad about Unity bugs), I wanted to know other distros, so I've adopted Fedora as my main OS. I often had some bugs and try to resolve them by myself but, this time, I've no idea about what can I do. So, there it goes:

Recently I've been trying to set up my PostgreSQL server for development purposes. Then I went to EnterpriseDB website and downloaded the x86-64 GUI install bundle, as I always did in Ubuntu (I never had this bug with Ubuntu). After the download, I went on with the installation, doing these steps:

Code:

sudo chmod +x postgresql-9.0.4-1-linux-x64.bin
sudo ./postgresql-9.0.4-1-linux-x64.bin

I run the installation with no problem, doing it alright, then I finish the installation and open pgAdmin3, for set up my databases. I log onto my server, put my password for postgres user and create a new server. It's all OK, so when I go to Query Mode tool (Ctrl + E), it crashes along with the pgAdmin.I decided to run the pgadmin script on terminal, looking for more details, then:

Code:

/opt/PostgreSQL/9.0/pgAdmin3/bin/pgadmin3: /opt/PostgreSQL/9.0/lib/libuuid.so.1: no version information available (required by /usr/lib64/libSM.so.6)
/opt/PostgreSQL/9.0/scripts/launchpgadmin.sh: line 3: 4890 Segmentation fault (core dumped) LD_LIBRARY_PATH=/opt/PostgreSQL/9.0/pgAdmin3/lib:/opt/PostgreSQL/9.0/lib:$LD_LIBRARY_PATH G_SLICE=always-malloc /opt/PostgreSQL/9.0/pgAdmin3/bin/pgadmin3

View 1 Replies View Related

Red Hat / Fedora :: Installation Of Php - Platform With Remote Postgresql Support

Oct 18, 2010

I have two machines. One is for web server and the other is for database server.I need to install php in the web server and postgresql in the database server. I installed postgresql. But could not install php as it needs postgresql library during configuration steps.

View 1 Replies View Related

Red Hat / Fedora :: Postgresql Giving Connection Timed Out Because Of Iptables?

Jul 14, 2011

In our development box we are configured postgresql to work with Jboss. The thing is we have firewall iptables in our linux box. when the iptables is stopped we can connect the postgres db locally using -h option, also we can connect thru a weblink we have created using Jboss. But when the iptables is started we can't connect the db locally using the -h option and the web is giving the below error. Caused by:

org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
at org.postgresql.core.v3.ConnectionFactoryImpl.openC

[code]....

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved