I have (recently) read the sitepoint “top 7 security blunders” and a host of other such resources. There is a lot to learn and to digest.
What follows is a question, not an assertion. I won’t try to cover anything about coding here (like cleaning input, session handling, etc) because that topic is too broad for a mini-post. I do have a few sysadmin policy ideas I need help with.
-
Everything under the document root (except log files) is owned by user me, so the apache pseudo user cannot write to anything important. Log files go into directories that have apache write permission. All other files and all other directories are not writable by apache.
-
I run fail2ban. I need to learn how to configure fail2ban to look for repeated form/login submissions as well as ssh logins. Have not done that yet. But it’s on my agenda. Use captcha for all such forms.
-
I cannot (or do not want to) disable system and exec. I don’t use them often. But sometimes it’s necessary. I’ve been told many vulnerabilities end up exploiting wget. So I set wget’s permissions to root only, so the apache process cannot run it. Anything that does do a system command should be rigorously checked first.
-
I said I wouldn’t talk about code. But there is a low-level policy concept that’s important.
Make everything you do derive from a class that cleans all input, and puts it into class variables with names like $_myGets and/or $_myPosts, etc. Then you don’t have to mess with it thereafter. Never use $_GET or $_POST directly ever again. Always use the cleaned class variables, as set in the base class.
-
Mail forms are tricky and notoriously vulnerable. I won’t go into details. But instead of checking for double newlines in From: that might push a long list of addresses down into the CC field, I hard-code the from address and force the user to put their return email address into the body of the message.
What did I get wrong?
What am I missing?
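An added example, not code from the poster, showing one way to implement the mail-form policy in the last point: From: is hard-coded, the user's address is validated as a single address and placed in the body (and in Reply-To:), and a submission is refused outright if any header-bound field contains a CR, LF or NUL byte, since a single line break in a header value is all an attacker needs to append Cc:/Bcc: lines. The addresses, the size limit and the field names are assumptions for the example.

```php
<?php
// Added example (not from the original post): a mail-form handler that
// refuses header injection instead of trying to clean it, hard-codes From:,
// and treats the user's address as validated data rather than a header source.

declare(strict_types=1);

const FORM_FROM    = 'webform@example.com';   // assumed fixed sender address
const FORM_TO      = 'contact@example.com';   // assumed recipient
const MAX_BODY_LEN = 5000;                    // assumed size limit

/**
 * True if the value contains a byte that can terminate a header line.
 * $_POST values are already URL-decoded, so %0D / %0A arrive as raw CR / LF
 * and checking the raw bytes is sufficient.
 */
function containsHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Returns the user's address only if it is exactly one syntactically valid
 * address; otherwise null. A value that passes here cannot carry extra
 * headers even if it is later placed in Reply-To:.
 */
function validReplyAddress(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 254 || containsHeaderBreak($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/**
 * Builds the arguments for mail() from a submission, or returns null when the
 * submission must be refused. Only the hard-coded From:, the validated
 * Reply-To: and a fixed Content-Type go into the header block.
 */
function buildMessage(array $post): ?array
{
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['message'] ?? '');
    $reply   = validReplyAddress((string)($post['email'] ?? ''));

    // Refuse rather than "clean": a stripped payload is still a hostile submission.
    if ($reply === null || $subject === '' || containsHeaderBreak($subject)) {
        return null;
    }
    if (strlen($body) > MAX_BODY_LEN) {
        return null;
    }
    // The body is data, so newlines are fine there; just normalise them.
    $body = str_replace(["\r\n", "\r"], "\n", $body);

    $headers = [
        'From: ' . FORM_FROM,               // hard-coded, never user supplied
        'Reply-To: ' . $reply,              // validated single address
        'Content-Type: text/plain; charset=UTF-8',
    ];

    return [
        'to'      => FORM_TO,
        'subject' => $subject,
        'body'    => "Reply address given by sender: $reply\n\n" . $body,
        'headers' => implode("\r\n", $headers),
    ];
}

/** Runs two constructed submissions through the builder; returns the verdicts. */
function demo(): array
{
    // Constructed sample input: one honest submission and one carrying a
    // CRLF-injected Bcc: header in the address field.
    $good = ['email' => 'alice@example.org', 'subject' => 'Hello', 'message' => "Hi there\n"];
    $bad  = ['email'   => "alice@example.org\r\nBcc: spam1@example.net, spam2@example.net",
             'subject' => 'Hello', 'message' => 'x'];

    return [
        'good' => buildMessage($good) !== null ? 'accepted' : 'refused',
        'bad'  => buildMessage($bad)  !== null ? 'accepted' : 'refused',
    ];
}

foreach (demo() as $name => $verdict) {
    echo "$name: $verdict\n";
}

// In the real handler, after the checks above:
// $m = buildMessage($_POST);
// if ($m !== null) { mail($m['to'], $m['subject'], $m['body'], $m['headers']); }
```

The same containsHeaderBreak() check belongs on every field that ends up in a header (subject, any name field used to build a display name); fields that only go into the body can keep their newlines. Refusing the request, rather than stripping the offending bytes, also gives fail2ban a clean log line to match on.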