making a site more hacker resistant

Stern-69

Since I am faily new to php, I figure some of the great minds here may be able to give me a few pointers on making my site more resistant to hackers. I have been hacked twice now (i think both times through a php forum with i will not use again)

I have area's where members log in to enter data, and also admin area's restricted to a few. To log in I use a user name and password (safe) to open a session. The admin access is checked via listed users in a database table.

After this last attack, I noticed entries in the server error log, but am unsure if this is a sign of attack or just something else;

[Mon Feb 11 11:40:58 2008] [error] [client 88.218.40.83] mod_security: Warning. Pattern match "8[789].[0-9]+.[0-9]+.[0-9]+" at REMOTE_ADDR [severity "EMERGENCY"] [hostname "globalnavalstrikeforce.com"] [uri "/forums/index.php?act=task"]

[Mon Feb 11 12:41:46 2008] [error] [client 87.246.19.7] mod_security: Warning. Pattern match "8[789].[0-9]+.[0-9]+.[0-9]+" at REMOTE_ADDR [severity "EMERGENCY"] [hostname "www.globalnavalstrikeforce.com"] [uri "/main.php"]

I have no idea how to stop these (if they are important) as they are going on right now, even though my data base is dead :-(

Any help would be appreciated.

Paul

bpat1434

Well, I'm going to guess (based upon the url used) that you were using IPBoard? I'd suggest you report these attacks & hacks to IPB. Also, since you have mod_security enabled, I'm wondering what happened and why it was allowed to happen. Usually that stops stuff from happening....

The best way to make your site "hacker-proof" is to ensure that any data you use via user submission is properly escaped and "checked" (i.e. if you expect numbers, use [man]int_val/man or [man]ctype_digit/man to get or check the value of the submission.

You also want to make sure that you escape items before you insert into a database. For MySQL databases, you want to use [man]mysql_real_escape_string/man to properly escape strings for the database.

There are other security measures you can take, but your best bet is to spend the like $20 and pick up "Essential PHP Security" by Chris Shiflett. That helps you start your way towards security in PHP. Another good book is "Pro PHP Security" published by Apress. Two good books that can really help you out.

Stern-69

Thank very much for the advise, I will do just that (get the books). Yea, its a IP board which we had set up that only members could even see. About a week ago I opened a small guest section up to allow non members to see our activities, which was probabaly a big mistake.

I am assuming that these "REMOTE_ADDR [severity "EMERGENCY"] " things mean its an attack. I think for now I may simply block all IP ranges from these servers (coincidentally, all of which show in the netherlands).

I never ceases to amaize me that some ????? get a kick out of detraoying things instead of creating.

Thanks again, Im sure I will eventually get good enough at php to be able to come here and help out other new people like myself. Makes me feel really good to see people helping and creating.

Paul

Stern-69

I have taken your advise and ordered both books. All the input for user and PW are done with mysql_real_escape_string(), and i will now add that to any data being placed in the database.

Quick question on mysql_real_escape_string(). I have one database file that has an imbed for pictures. one feild has simply data with codes for display (like <br>) and one for pictures that are also located in an image database file. The code imbeded would be something like;

Would mysql_real_escape_string() allow this to be done, or should I remove all commands (echo) from the database completly and use another way of getting the php code to do the display.

Thank you

Paul

bpat1434

You don't need to edit any input. mysql_real_escape_string just escapes specific mysql characters so that other arbitrary code can't be run instead of what you expect. It has no bearing on data at all.

Stern-69

Thanks for the info, as im new at this. I used it on all password/user name entries, but never thought about using it on data just before sending it to the database. I spent the good part of the day looking at posts and checking different articles on security. When ever they manage to fix the database on the site I will make a lot of changes (if they can, because it sure wont let me upload my db backups :-( )

Anyone have any suggestions on a good hack (or reasonably hack) proof buliten board. Was using IPB, but that was hacked 3 times in a year (even when you need to sign up and be validated before you can even see anything).

Thank for the help

Paul

bpat1434

I personally use Simple Machines Forum (SMF). That's essentially the "free" version of IPB and vB. Granted, not as many features, but it's "enterprise-class", or coming close.

Other SMF there's phpBB which gets a lot of notice.

The thing you need to remember about any third-party software is that you need to keep it updated. So if they release an update, you need to update ASAP to prevent your site from being hacked. I'd be careful with phpBB as it seems to be hacked more often since it's more prominent. But that doesn't mean that because SMF or vanilla board (another BBS) aren't known means they're not hacked. The trick is to watch your board, do nightly or weekly back-ups off-site, and then watch your board like a hawk for strange things. Keep an eye on your error logs too.

I saw you had mod_security enabled. SMF actually doesn't "like" mod_security and will actually ask you to "disable" it since SMF can handle it's own data sanitizing. I haven't had issue with it yet, and I've got a fairly nice board.

Choose one you like the best, and go with it. You can even look at Forum Matrix for a "side-by-side" feature comparison. Here is a comparison of what I think are the top competitors. With the exception of IPB and vB they're all free.

Do note that SMF is working on a 2.0 release to be sometime soon. With that, they've added multiple database support which wasn't available in the 1.x branch. They've also added a WYSIWYG editor of their own making.