Web security notes

1. Users/UserGroups/Files/Permissions

a) References

2. PHP error reporting

a) References

3. FTP security

a) SFTP vs FTPS?

b) IXW FTP access security (Ref)

  1. On a Linux host, placed in the root directories so that they are inherited downward

ftp.allow - ALL: xxx.xxx.xxx.xxx (use What is my IP address tool)

ftp.deny - ALL: ALL

  • Will need to allow for
    1. Mobile Broadband FTP access and
    2. Anyone else's authorised access

4. Email/Spam Protection

a) General

  • Make sure you have standard security features in place, including CAPTCHAs, to make it harder for spammers to create accounts en masse. Watch out for unlikely behavior - thousands of new user accounts created from the same IP address, new users sending out thousands of friend requests, etc. There is no simple solution to this problem, but often some simple checks will catch most of the worst spam.
  • Use a blacklist to prevent repetitive spamming attempts. We often see large numbers of fake profiles on one innocent site all linking to the same domain, so once you find one, you should make it simple to remove all of them.
  • Watch out for cross-site scripting (XSS) vulnerabilities and other security holes that allow spammers to inject questionable code onto their profile pages. We've seen techniques such as JavaScript used to redirect users to other sites, iframes that attempt to give users malware, and custom CSS code used to cover over your page with spammy content.
  • Consider nofollowing the links on untrusted user profile pages. This makes your site less attractive to anyone trying to pass PageRank from your site to their spammy site. Spammers seem to go after the low-hanging fruit, so even just nofollowing new profiles with few signals of trustworthiness will go a long way toward mitigating the problem. On the flip side, you could also consider manually or automatically lifting the nofollow attribute on links created by community members that are likely more trustworthy, such as those who have contributed substantive content over time.
  • Consider noindexing profile pages for new, not yet trustworthy users. You may even want to make initial profile pages completely private, especially if the bulk of the content on your site is in blogs, forums, or other types of pages.
  • Add a "report spam" feature to user profiles and friend invitations. Let your users help you solve the problem - they care about your community and are annoyed by spam too.
  • Monitor your site for spammy pages. One of the best tools for this is Google Alerts - set up a site: query along with commercial or adult keywords that you wouldn't expect to see on your site. This is also a great tool to help detect hacked pages. You can also check 'Keywords' data in Webmaster Tools for strange, volatile vocabulary.
  • Watch for spikes in traffic from suspicious queries. It's always great to see the line on your pageviews chart head upward, but pay attention to commercial or adult queries that don't fit your site's content. In cases like this where a spammer has abused your site, that traffic will provide little if any benefit while introducing users to your site as "the place that redirected me to that virus."
  • Used http://www.openspf.org/ as reference

b) Set Up Sender Policy Framework on Domains

  1. Used the openspf.org wizard to create the record for austega.com, with optusnet.com.au and bigpond.com as additional senders
  2. Logged into IXWebhosting, then into the DNS records for austega.com, and added a custom TXT record containing the wizard text, entered into the final field without the surrounding quotation marks (“)
  3. Wait a week or so, as a test for unintended consequences, before extending to the other austega.com DNS record domains, and later to nswagtc.org.au and giftedservices.com.au
  • Hosts with Control Panel:
  1. Email Authentication | Enable SPF
  2. Add other mail-sending domains, e.g. gmail.com
  3. Apparent problem with non-host root domains? (e.g. BGI)
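A small SPF evaluator, added here as an illustration and not part of the original notes, shows how a receiving mail server would walk the austega.com record with its include: senders before the record goes live. The TXT records in MOCK_TXT are constructed stand-ins (hypothetical IP ranges, not the real austega.com, optusnet.com.au or bigpond.com zones), and the evaluator only implements the ip4, include and all mechanisms; a record pasted with the wizard's surrounding quotes evaluates to "none", which is why the note above drops them.

```python
import ipaddress

# Constructed mock DNS TXT data standing in for live lookups.
# These are hypothetical records, NOT the real zones of these domains.
MOCK_TXT = {
    "austega.com": "v=spf1 ip4:203.0.113.10 include:optusnet.com.au include:bigpond.com -all",
    "optusnet.com.au": "v=spf1 ip4:198.51.100.0/24 ~all",
    "bigpond.com": "v=spf1 ip4:192.0.2.0/25 include:bigpond.com.au -all",
    "bigpond.com.au": "v=spf1 ip4:192.0.2.128/25 -all",
    # Wizard text pasted WITH its quotation marks: not a valid SPF record.
    "quoted.example": '"v=spf1 ip4:203.0.113.10 -all"',
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms such as include:


def check_spf(domain, sender_ip, txt=MOCK_TXT, lookups=None):
    """Return (result, lookups_used) for sender_ip against domain's SPF record.

    Simplified evaluator: supports ip4, include and all; any other mechanism
    is reported as permerror rather than being guessed at.
    """
    if lookups is None:
        lookups = [0]  # mutable counter shared across include: recursion
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]  # missing record, or quotes left in
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"  # mechanisms default to the pass qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual], lookups[0]
        if name == "ip4":
            # A v6 sender never matches a v4 network; ipaddress returns False.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual], lookups[0]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_spf(arg, sender_ip, txt, lookups)
            if sub == "pass":  # include: only matches on a pass
                return QUALIFIERS[qual], lookups[0]
        else:
            return "permerror", lookups[0]
    return "neutral", lookups[0]  # record ended without an all mechanism
```

Each extra include: costs one of the ten permitted lookups, so adding "other mail sending domains" to the control-panel SPF is worth counting against that limit.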

c) DKIM (DomainKeys Identified Mail) protection