
Securing your Web Site(s), Blog(s)

By Dale Reagan | November 20, 2008

Web server security is something that we all want, but usually, we only want it when it is convenient. (This also applies to other parts of our lives when security is a factor.)

Convenience for us usually means:

Convenience for our site visitors usually means that a web visitor can easily access your web pages; the casual visitor simply wants your information – they are not interested in login processes nor are they typically interested in your security measures.

Please note that the information below is a starting point – you will eventually need to read the documentation for .htaccess and httpd.conf as well as the documentation from your ISP in order to implement these approaches. If you are using WordPress then consider reviewing and installing the security-related plugins (e.g. AskApache as well as Security Scan) – well worth your time.

There are three basic levels of access control for your web server:

  1. Network level – usually beyond the reach of all except network administrators; if you have access to the firewall on your server then you can add this to your defense arsenal.
  2. Host/Server level – securing access to your web applications and folders through careful use of file permissions and application setup and/or adding an application firewall.
  3. Application level – e.g. WordPress Blacklist filtering.

Securing your server – host/server level – three simple steps:

  1. patch your software/OS  whenever there is a need! (your ISP probably handles this.)
  2. limit access to authorized users (you may be able to control this – .htaccess is one approach)
  3. remove/discourage/limit access from nefarious bots, hackers, or other negative connections via an application level firewall (access filtering)

Your access to the items discussed below will depend upon the type of web-hosting account you have:  a) full access accounts will allow you to change system/server-wide level controls or b) limited access accounts *may* allow you to use .htaccess in combination with any software-level controls you might have.

Limiting web server access:

If you have access to server-level configurations (i.e. you are using a virtual private server or some other type of server with system-level access) then you can both:  a) reduce generic web server attacks and b) just about eliminate web/blog SPAM by installing and tweaking mod_security.

Some examples – using .htaccess to limit posting access to your WordPress blog

If your Apache server configuration supports it (some ISPs won’t allow you to take this approach) AND if you know who the bad guys are, then don’t allow them to access your server.  Place the IP addresses of known bad_guys in a .htaccess file which is located at the top level of any folder tree that you wish to protect.  Place this in your root folder and all folders are protected.  Place it in a sub-folder and that folder and any folders below it are protected.  A loose translation of the setup below is:  For any GET or POST request allow the connection UNLESS it is from one of the listed bad IP addresses. NOTE – WordPress users will find it easier to use the above-mentioned Blacklist option.

##################
# <Limit> applies only to the methods it names; other methods are not restricted by this block
<Limit GET POST>
order allow,deny
allow from all
# deny access from the IP addresses listed below
deny from aa.bb.cc.dd bb.cc.dd.ee ff.gg.hh.ii
</Limit>

In this approach we only allow good guys – if you are using WordPress AND if your PC always has the same IP address (a static IP) then you can use .htaccess to only allow postings or blog changes from your PC.  You would place this restrictive .htaccess file in your wp-admin folder on your web server. If your IP address changes then you will need to update the .htaccess file with your new IP address (or you will also be locked out…)  In the example below the Good Guy (you!) has an IP address of AAA.BBB.CCC.DDD – you would replace AAA.BBB.CCC.DDD with your IP address.  A rough translation of the setup below is:  For any GET or POST request ONLY allow access from AAA.BBB.CCC.DDD; any other request is denied.

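##################
<Limit GET POST>
# deny,allow: Deny is evaluated first, then Allow overrides it for the listed address.
# (With "order allow,deny" the "deny from all" line would reject every client, you included.)
order deny,allow
deny from all
allow from AAA.BBB.CCC.DDD
</Limit>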
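The two setups above differ only in how Apache combines the Allow and Deny lists, so here is a small model of the `Order` evaluation rules as documented for Apache 2.2, showing why a block list uses `order allow,deny` while an allow list needs `order deny,allow`. This is an added example, not code from the original post; `access_allowed` and the sample addresses are assumptions made for the demonstration, and only `all`, single IPs and CIDR ranges are modelled (no hostnames or partial addresses).

```python
import ipaddress

def _matches(entries, client_ip):
    """True if client_ip matches any 'allow from' / 'deny from' entry."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        if entry.lower() == "all":
            return True
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def access_allowed(order, allow, deny, client_ip):
    """Model of the Apache 2.2 Order/Allow/Deny decision for one client."""
    allowed = _matches(allow, client_ip)
    denied = _matches(deny, client_ip)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow is checked first and must match; any Deny match then rejects.
        # A client matching neither list is rejected (default deny).
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first; an Allow match overrides it.
        # A client matching neither list is accepted (default allow).
        return allowed or not denied
    raise ValueError("unknown Order value: %r" % order)

# Constructed sample addresses from the documentation ranges (RFC 5737).
OWNER = "192.0.2.10"
STRANGER = "198.51.100.7"
BAD_GUY = "203.0.113.66"

def demo():
    """(owner_allowed, stranger_allowed) for an allow list under each Order."""
    return {
        "allow,deny": (access_allowed("allow,deny", [OWNER], ["all"], OWNER),
                       access_allowed("allow,deny", [OWNER], ["all"], STRANGER)),
        "deny,allow": (access_allowed("deny,allow", [OWNER], ["all"], OWNER),
                       access_allowed("deny,allow", [OWNER], ["all"], STRANGER)),
    }

if __name__ == "__main__":
    print("block list, stranger:", access_allowed("allow,deny", ["all"], [BAD_GUY], STRANGER))
    print("block list, bad guy: ", access_allowed("allow,deny", ["all"], [BAD_GUY], BAD_GUY))
    print("allow list results:  ", demo())
```

Under `allow,deny` the allow list locks out the owner as well, which is the lock-out to check for before uploading a new .htaccess file to wp-admin.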

A related option, again using WordPress as an example, would be to combine an .htaccess login requirement with your WordPress login; using this approach you have to log in twice: a) first at the web-server level and then b) at the WordPress level.  This is similar to the preceding example but more flexible (and perhaps less convenient since you have to log in twice) since you can connect from any IP address. Using this approach you typically need shell-level access to create a password database (using a command like htpasswd.)  You add your valid users to this database AND then you grant them access to the desired locations by, again, placing the .htaccess file in the folder(s) that you wish to protect (in this case the .htaccess file would be under your wp-admin folder.)  Note that you can also do this within your httpd.conf file.  A rough translation of the file below:  Check the submitted login information for a match in the file web_users.passwd and only allow access if we have a valid combination of USER and PASSWD – in this case the only valid user is Joe_The_Wonderful_User.

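####
# Password database created with htpasswd; keep it outside the web-served folders
AuthUserFile /path_to_passwd_file/web_users.passwd
AuthGroupFile /dev/null
AuthName Good_Folks
# Basic authentication sends the password base64-encoded, not encrypted; use HTTPS
AuthType Basic

# Only the methods named here require the login
<Limit GET POST PUT>
require user Joe_The_Wonderful_User
</Limit>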

Once you enter the valid password for Joe_The_Wonderful_User THEN you would be presented with the login for WordPress – if you take this approach then I would encourage you to use different login names and passwords for each authentication step; it does not have to be especially difficult, just different.

Some examples – using mod_security to filter SPAM posts

ModSecurity is a web application firewall (WAF) that allows you to both filter incoming requests – and block them based on your choice of criteria.  This is a loadable Apache module so you will either need to have your ISP install it or use shell access to install it.  Depending upon how your Apache server is configured, you would use filters similar to those listed below (placing them either under your Apache configuration – providing server-wide filtering; or placing entries in your .htaccess file(s).)  Mod_Security versions are available for both Apache 1.x and 2.x – there are differences so you will need to review the documentation. A few sample filters follow:

  1. SecFilterSelective "POST_PAYLOAD" "(mortgage|viagra)"
  2. SecFilterSelective "REMOTE_ADDR" "^123\.123\.123\.123$"
  3. SecFilterSelective "HTTP_REFERER" "(viagra|mortgage|texasholdem)"

Rough translations of the preceding mod_security filters:

  1. reject any payload containing the text ‘mortgage’ or ‘viagra’
  2. reject any connection from the IP address 123.123.123.123
  3. reject any request whose Referer header contains ‘viagra’, ‘mortgage’ or ‘texasholdem’
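Keyword filters like these are worth a dry run against labelled comments before they are allowed to block anything. The sketch below is an added example, not part of the original post: it applies the three patterns above to constructed sample requests and reports which legitimate ones would be rejected and which spam would pass. Matching is modelled with Python's `re.search`, which is an assumption about the module's regex behaviour, and `first_match`, `dry_run` and the samples are hypothetical.

```python
import re

# The three filters from the list above as (variable, pattern).
FILTERS = [
    ("POST_PAYLOAD", r"(mortgage|viagra)"),
    ("REMOTE_ADDR", r"^123\.123\.123\.123$"),
    ("HTTP_REFERER", r"(viagra|mortgage|texasholdem)"),
]

def first_match(request):
    """Name of the first filter variable that would reject the request, else None."""
    for variable, pattern in FILTERS:
        if re.search(pattern, request.get(variable, "")):
            return variable
    return None

# Constructed, hand-labelled sample requests (not real traffic).
SAMPLES = [
    ("spam", {"REMOTE_ADDR": "198.51.100.20", "POST_PAYLOAD": "cheap viagra here"}),
    ("ham",  {"REMOTE_ADDR": "192.0.2.44",
              "POST_PAYLOAD": "We finally paid off our mortgage last week!"}),
    ("spam", {"REMOTE_ADDR": "198.51.100.21", "POST_PAYLOAD": "nice post",
              "HTTP_REFERER": "http://texasholdem.example/"}),
    ("spam", {"REMOTE_ADDR": "123.123.123.123", "POST_PAYLOAD": "hello"}),
    ("spam", {"REMOTE_ADDR": "198.51.100.22",
              "POST_PAYLOAD": "win big at our online casino"}),
    ("ham",  {"REMOTE_ADDR": "192.0.2.45", "POST_PAYLOAD": "Great article, thanks"}),
]

def dry_run(samples):
    """Return (false_positives, false_negatives) as lists of sample indexes."""
    false_positives, false_negatives = [], []
    for index, (label, request) in enumerate(samples):
        blocked = first_match(request) is not None
        if blocked and label == "ham":
            false_positives.append(index)   # legitimate comment would be rejected
        elif not blocked and label == "spam":
            false_negatives.append(index)   # spam the keyword list does not cover
    return false_positives, false_negatives

if __name__ == "__main__":
    fp, fn = dry_run(SAMPLES)
    print("legitimate comments rejected:", fp)
    print("spam passed through:         ", fn)
```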

ModSecurity provides both prevention and just-in-time patching solutions – probably the only defense possible for zero-day attacks (new approaches used by the bad guys…)   More examples coming soon – including real-world examples of zero-day filtering from 2008.
