I’ve been using a really clever device for the last few years that a lot of people seem to be unaware exists. It’s an ethernet over powerlines adapter – one such example is the Devolo dLAN. In a nutshell, you plug it into the mains, and connect the Ethernet socket to your network device. You can then plug as many others as you like to various other powerpoints and extend your network wherever the power stretches. Devolo do ones that run up to 200mbit. It’s a theoretical maximum, although I’ve got 177mbit before which is impressive. It has a couple of downsides:

1. It won’t traverse 3 phase power. I’ve tried it, and I’ve ended up with a very weak/nonexistant signal which is probably more inductance than anything else.
2. Obviously it doesn’t handle bad cables well – it doesn’t much like extension cables either.
3. Different circuits work about as well as 3 phase power, the only signal you will get is probably inductance between the two circuits.

Some advantages:
1. It travels pretty far. I’ve had over 150mbit between adapters at opposite ends of the house.
2. No new cabling
3. Fully supports standard Ethernet so all network protocols will work just fine over it.
4. I love it

For anyone running a home or office network and not fortunate to have Ethernet points cabled in, I strongly recommend these devices, you’ll never know the difference.

Yesterday, I offered a free website security scan. Why would you need a scan? I went into a little detail then, but I’d like to expand on what I wrote about, that being my offering my services as a PHP programmer.

If you’re an online merchant, your server needs to be PCI compliant. Otherwise, you not only run the risk of being hacked and losing customer data, but you also run the risk of facing major fines. One fine would be enough to wipe just about any small business out.

New security challenges arise every day. In fact, they arise every hour, it seems. Will your site stand up to the challenge? Will it meet that challenge? Only by regular security scans will you know. Even if you’re not a merchant, you need scans, because I am willing to bet that you don’t want to be hacked. All sorts of unsavory things can occur if that happens.

You could lose your databases. You could lose all data on your server. Your users’ information could be compromised. There are many things that could happen, and none of them are pleasant.

So, contact me for your free security scan today. As I wrote earlier, all I ask in return is that you have a sincere intent of using my services.

As a PHP Programmer with 8+ years experience now, I’ve always specialized in web security, security standards, and secure programming. In the say 300+ websites that I’ve dealt with in the past, at least 200 have been vulnerable to some sort of moderate to high risk attack. By high risk, I mean the steal your database and deface your website type of attack.

Free Website Security Scan? Why? Well, most of the security audits that I conduct will usually begin with a basic audit that ultimately goes uncharged in light of the thorough audit and any repair works that follow. On that basis, I’m happy to offer a basic FREE no obligation security audit to anyone genuinely interested in using my services. I do not require any code or data from you, nor any access to your systems. All I ask is that you have a genuine intention of using my services to thoroughly audit and/or repair any vulnerabilitie in your site that I’m able to identify and demonstrate.

Interested? Contact me now.

If you need a skilled website security consultant or PHP programmer, then consider me. Get in touch with me for a quote, and I’ll be more than happy to discuss what I can do for you.

These days, your site can’t be too secure, and if you’re unsure of how to properly secure your site or your PHP code, I stand ready to assist you. I can help you ensure that your server is secure overall, reducing the chances of it being hacked. I can also go over your PHP code and ensure that it too is secure. After all, a secure server really does no good if the PHP code isn’t also secure.

Feel free to browse my site and read my articles. Then, get in touch with me, and let me know the details of your project!

Yesterday, I discussed how you can redirect your HTML files to PHP files. Why is it important to do so?

There are certainly no security concerns involved here, but you probably don’t want to lose your visitors who may bookmark certain pages, nor do you want to lose search engine traffic, because the HTML links will still show up in those engines until they crawl your changes.

That’s where the 301 redirect comes in. This is the best sort of redirect to use, because it is search engine friendly. What it tells search engines is that the page has moved permanently to the forwarding location you provide, which in this case is a PHP file. Essentially, if you do it this way, the search engines won’t skip a beat, and you’ll keep your traffic. The last thing you want to do is let search engines crawl 404 errors.

If you need help with these sorts of things, or if you need a skilled PHP programmer to help you sort out your conversion, I would be more than happy to take a look at your specific needs, and devise a plan for you. This includes making sure that your PHP code and your setup is secure, as PHP is a valuable tool, but a potential security risk if not handled correctly.

My rates are reasonable, and I offer a wealth of experience that can benefit you. Simply get in touch with me for a custom quote!

Let’s say that you want to rename all your HTML files to PHP files to begin PHP Programming. However, you don’t want to lose all your inbound links to your HTML files. Here’s a quick and easy way to automatically convert all .html incoming addresses to .php files on your server, allowing you to switch to PHP and also keeping all your existing .html links working.

Create a .htaccess file, and enter:

RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)\.html $1.php [R=301,NC]

This creates a permanent working 301 redirect (Search Engine Friendly) to your new .PHP file.

You may be browsing through my site, or maybe you came here because you’re looking for a PHP programmer. Allow me to introduce myself. I am Adam Palmer, and I’m a freelance website security consultant, developer, and, of course, a PHP programmer. I’m willing and able to do most any web, Linux, or hosting-related project.

If you have something along those lines that needs to be done, simply contact me, and we can discuss your needs in greater detail.

In addition to doing this sort of work, I run APNIC Solutions, Ltd., which is a leader in network and business integration. You can be confident that when you hire me for your PHP, web, or other needs, you are getting a competent, skilled industry leader who will do a smashing job for a reasonable fee.

Feel free to browse through my blog and read my articles on a variety of PHP and security topics. Then, get in touch with me to see what I can do for you! If all you need is a consultant to point you in the right direction and help you get to to the finish line, I would be more than happy and honoured to be that person.

Recently, I was developing an API for a PHP application I’d built, to be utilized by other php programmers. Essentially, the php programmer passes a load of data to our API though a POST variable. This is as follows:

$api->process($to_process, $data, $opt1, $opt2);

$to_process is an array, as follows;

$to_process = Array( Array(”FOO”, “BAR”, 1, 2), Array(”BAR”, “FOO”, 5, 3), Array(”HELLO”, “World”, 9, 10) );

And $data is a ~5k string containing HTML code.

My best option so far, has been $data_array = Array(); $data_array[] = $to_process; $data_array[] = $code; $data_array[] = $opt1; $data_array[] = $opt2;

We can then send urlrawencode(serialize($data_array)); from our PHP script to the web API via curl through POST data. On the remote API server, we don’t need to use urlrawdecode() as the web server handles this for you. It’s also worth ensuring that magic_quotes_gpc is off. Simply, $data_array = unserialize($_POST['variable']); should do just fine.

While it’s all well and good to spend considerable time securing your PHP applications, there is something else that you can do, or rather not do. As a PHP programmer, I see people do one alarming thing: they download and install PHP applications from questionable sources.

While there are a lot of honourable programmers who offer their scripts for free, there are plenty of hackers who enjoy deploying applications that cause harm to others. I discussed this earlier, but it bears repeating: trust your source. Know your source.

This includes scripts that people offer for download on forums you may visit. There are plenty of good people out there who merely want to share their scripts and help, but your server’s security is very important.

A hacker doesn’t even need to gain access to your server. He or she can write a script and gain satisfaction from knowing their work is causing damage around the world.

Just be careful. Download from known and trusted sources, or if you have a script you’re unsure of, run it by someone you trust. You can even contact me, and I’d be more than happy to share my resume, and show you what I can do to help you secure your scripts and keep your server safe.

PHP is of course a valuable tool, and PHPMyAdmin is an equally valuable asset for those that don’t like command line administration. The problem is that because it’s a valuable tool, it’s a security exposure. As a website security consultant, I see the problem often: people don’t secure the one thing that, if accessed by a malicious party, can give carte blanche for destruction.

One simple way to secure your installation is to slightly modify your config.inc.php file:

Look for this line:

$cfg['Servers'][$i]['auth_type'] = ‘config’;

Change “config” to “http”. By doing this, you will require that the database information (username and password) be entered prior to accessing PHPMyAdmin. Of course, this only addresses attacks over the web. If someone tries to remotely connect to your database and knows the root password, or the credentials for any of your database, then you’re still vulnerable.

One way to address the security of your config.inc.php file is to secure the directory that it’s stored in. This is especially important if you should be on a shared server.

Of course, there is still the matter of your SQL port, 3306, being open to remote attacks. The solution to this problem can be found in the /etc/my.cnf file.

You need to add this line to make it so that only your server can connect to the SQL server.

Ensure that it’s under the “[mysqld]” section:

bind-address = 127.0.0.1

This sets it so that the SQL daemon only listens for connections locally, i.e. on your server. Anyone who tries to connect remotely will be denied. Now, the argument could be made that you could also try to add “skip-networking” to your my.cnf file, and then specify the path to your socket file, but you still need a way to administer your SQL, preferably via SSH. By adding the “bind-address” command, you can do just that.

The name of the game is security, and assumption. You have to assume that everyone’s out to attack you. If you think like that, you’ll narrow down all the ports that are exposed, and secure your server. Your SQL server is, like your DNS server, vital. It most likely powers your site. If the database is attacked, the damage can be considerable. Do understand that if a hacker is intent enough, they will find a way in, but by making it as difficult as possible, you reduce the chances of that happening.

An important thing to consider when accepting input from users is validation. When PHP is used, powerful functions can be performed. The problem is that it can also do powerful and bad things if a malicious user is entering data which isn’t validated.

Consider this: you accept input asking for a month or year. The problem is that a user decides to enter “”;rm -rf *” after the year, and in so doing could cause the deletion of your whole website. Obviously, this is not a good thing, so what to do? Data validation is the answer. As the name suggests, it validates or verifies data, ensuring that it complies to form.

In other words, when you validate data, you ensure that a user entered numbers for a year, and not a malicious command as shown above. Unfortunately, many webmasters have fallen victim to this, all because they didn’t tighten security on their server.

One solution would be to enter data in this manner:

$month = $_GET['month'];
$year = $_GET['year'];

if (!preg_match(”/^[0-9]{1,2}$/”, $month)) die(”Invalid entry. Please try again.”);
if (!preg_match(”/^[0-9]{4}$/”, $year)) die(”Invalid entry. Please try again.”);

exec(”cal $month $year”, $result);
print “

";
foreach ($result as $r) { print "$r
"; }
print "

“;

What this code does is this: it allows your user to enter a month and a year, say for a credit card or date of birth, but it also double checks the data, ensuring that it is in fact numeric data that a user entered, and not code that could cause you hours of grief.

Of course, there is more extensive code you can write which will validate further, but this data pertains strictly to the security of your server. You can, of course, add code that will ensure that a year is between, say 1900 and 2020, and that a month is between 1 and 12.

As an administrator or webmaster, you need to consider all data that a user enters questionable. By using this mindset, you’ll be in a position to prevent yourself from being vulnerable to malicious injection attacks. Too often, a webmaster has chosen not to take security measures because he or she assumed that no one would try something so awful as to delete someone’s data. As we see every day, however, there are people who think nothing of ruining peoples’ hard work, data, and electronic property.

In recent days, I’ve talked about the importance of server hardening and security, but there’s another aspect of the integrity of your server that must not be ignored: PHP code.

If you don’t have secure PHP code, you may find yourself the victim of numerous type of attacks, including SQL injection attacks, which as the name suggest, goes directly after your database, which in most cases is the very heart of your website or application.

Sometimes, the most basic adjustments will go along way. One example is this variable:

register_globals

If you look in your php.ini file, and find that this variable is enabled, you may be putting yourself at risk, for all anyone has to do is add “?authorized=1″ to a URL on your site, and they will then gain access to sensitive information that you likely don’t want the average user to see.

The best solution here is to simply set register_globals to “off”.

Another mistake that many people make is that they fail to suppress PHP errors. When a PHP error occurs, and error reporting is fully enabled, a user can see a lot of information about your site, including exact paths. Of course, you don’t want this information to be readily available, so it would be a wise decision to suppress the errors so that they do not display in the web browser.

You actually need not change the error_reporting variable itself, because you still want to be able to see errors as the administrator. You just don’t the whole world to see them, too. To accomplish this goal, simply look for the “display_errors” variable, and set it to “Off”.

You will also want to set the “log_errors” variable to “ON”, so that the errors show up in your error log. If you turn both logging and display off, the potential exists for errors to still display, because the errors do need to be reported somewhere. But by confining it to the error_log, you and anyone else you grant administrative powers to will be the only ones who see them.

By doing this, you will prevent error messages from showing up on a user’s web browser, potentially giving them a detailed road map to the compromising of your server.

Also, make sure that there are no settings for error reporting in your .htaccess file, because these settings could override your default php.ini settings for that particular website.

These are just two examples of easy ways that you can secure PHP. There are, of course, many others. Though these solutions are simple, they go a long way, and the time invested in making these adjustments will pay dividends in the form of a secure server.

If you run a commerce website, you’ve probably heard about SSL certificates. Depending upon the level of certificate that you have, they verify the validity of your domain, up to detailed information about your company. An SSL certificate isn’t handy just for commerce sites, however. It’s a vital website security component for any site that deals with personal information of any sort.

These days, attacks on severs are commonplace, and website users are wary, especially when it comes to entering sensitive information. That’s where an SSL certificate comes in handy. It increases consumer confidence, and confidence of visitors in general. It shows that you’re serious about what you’re doing.

An SSL certificate is really a must if you plan to accept any sort of sensitive data, including passwords, personal information, or payment credentials. While it’s not a must to have an SSL certificate if you only have a message board on your site, you would be well advised to purchase one if you collect any sort of personal information, including real names and addresses.

An SSL certificate is really mandatory if you run a commerce website. Credit card companies require this, and there are very few customers who are willing to enter payment or personal information without the blue or green bar, or the lock logo, depending upon the browser.

It’s quite easy to install an SSL certificate if you have a control panel of any sort, but the process is a little bit more involved if you do it in your SSH shell. You will first need to enable the mod_ssl module in Apache. It’s included in the default installation, but it is not enabled as a default. The module requires the OpenSSL library.

As you can see, it’s a very involved process to install an SSL certificate if you don’t have a control panel. It’s important that it be installed correctly, because there’s a certain chain to follow, and if link in the chain is broken, your certificate won’t validate, and even worse, your users could get an error message warning them about potential safety issues, which is not something that any webmaster wants.

If you are not comfortable with doing the process manually, have someone help you. Even if you must pay for their services, it’s money well spent, because the increased sales or usage your site will get as a result will be the return on investment.

Sadly, an SSL certificate is something that many well-meaning webmasters or merchants neglect to get, and apart from violating the terms of the credit card companies’ merchant agreements, it’s simply not good for business.

It would be well advised to use the https:// protocol for any section of your website that accepts a password, personal information, or payment information. Doing so will make the experience far more pleasant for both yourself and your users or customers.

The server hardening process can be a daunting task for someone who’s new to the process, or who’s new to hosting in general. The good news is that there’s one simple way to help reduce attacks on your server, or at least its PHP applications.

If you run an e-commerce site, chances are you run a CMS such as WordPress, and a shopping cart application such as WHMCS. Both of these applications, like nearly all others, have a login module for the administrators. Especially in the case of well-known programs, there are plenty of people know how to find your administrative log in panel, and that includes those with less than honourable intentions.

You can easily give them one more hurdle to leap over before they get to your administrative panel, and attempt to exploit its lost password features, or simply try to gain access with a brute force attack. By setting up an additional username and password for each directory, anyone who needs access will need to successfully by pass that prompt, as well as the administrative prompt.

If you have a control panel such as cPanel, Plesk, or DirectAdmin, this process is automated, but what if you run no control panel? No worries, it’s quite simple.

1.) In your SSH account, as root, navigate to the directory above your public_html folder that contains the folder you want to secure. So, if you want to secure the /store/admin folder on your website, you’d navigate above the public_html folder.

2.) Issue this command:

htpasswd -c .htpasswd [username]

or..

/home/user/admin/domains/yourdomain.com/.htpasswd bill

You will then be prompted for a password for “bill”, or whichever username you’ve chosen.

As with any password, ensure that you choose a mixture of uppercase and lowercase letters, numbers, and special characters. Save the file. We have placed it outside of your web-accessible directory in order to prevent hacking or cracking.

Issue this command chmod go+r .htpasswd

This will secure the file.

3.) Navigate to the actual directory you wish to be secured.

4.) Create a file called .htaccess. In it, place this information:

AuthUserFile /full/path/here/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user webadmin

Issue this command: chmod go+r .htaccess. Note that above, you need to place the full path of the .htpasswd file, next to “AuthUserFile”. If you don’t know this, go back to the path where you edited .htpasswd and then issue the “pwd” command. Or failing that, you can issue the command:

locate .htpasswd

Save the file. At this point, you will need to restart Apache:

apachectl -k restart

You should now have a secured directory, which will require a separate login from whatever login script the application itself has. This will make it harder for a hacker to gain access to your vital applications.

Hardening your server is perhaps the best way to prevent, or at least reduce, attacks on your server. What follows is a basic overview of what you should do to harden your server. If you are not completely comfortable doing this, you should retain the services of someone who is, to avoid data loss.

The key service you want to secure is SSH, as that is perhaps the most vulnerable. If someone should have access through this protocol, they would have complete power over your server, and all the sites on it.

If you log in to your server by using the “root” username, that is the first thing you want to fix. Log in, and then create a new user:

adduser [user] -G wheel

By doing this, you’ve just created a user that is added to the wheel, or list of users who can gain root authority.

Next, give the username a password:

passwd [username]

Now you’ll want to open up a new SSH window, and try logging in under the new username and password. If this works, you can then su to root. This way, a hacker would need to bypass security on two usernames instead of one. If the worst happens, and a hacker gains access to your administrative username, but does not have the root password, he or she can’t visit complete havoc upon your server.

Next, you’ll want to change the port that your SSH protocol is on. The default is 22, and this is common knowledge. So, you’ll want to choose another port to make it harder for hackers to find and potentially exploit your SSH protocol:

Open the following file, substituting “nano” for “vi,” or any other favourite text editor.

nano /etc/ssh/sshd_config

Look for the following elements:

Port– It’s currently 22. Change it to an unused port such as 2199.
PermitRootLogin- If it’s commented out with a “#,” uncomment it, and change it to “no.”

You will now need to restart SSH to make your changes effective. You can accomplish this by issuing the following command:

/etc/init.d/sshd restart

Now your SSH protocol is secure, and you’ve checked one item off the list of ways to harden your server. I will discuss in future posts yet more ways you can harden your server, including disabling unused services, and securing your e-mail and FTP ports.