3

I'm building a web service (a control panel for clients) (PHP on linux apache) and trying from the design to make it the most secure as I can,

Can anyone provide me with some kind of a check-list of things I need to be focusing on?

I already implemented:

  1. SQLi protection,
  2. per session CSRF token,
  3. secure password hashing storing to database with php 5.5 password_hash(with need_rehash check),
  4. added recaptcha for all spam robots,

  5. sessions manager for the user (view who logged in to my account and

    close remote sessions & alert if someone accessed my account).

    1. SSL certificate, full communication over HTTPS. (i redirect all http -> https)

Questions:

  1. Do I need some kind of auto ban IP system?

  2. Failed login IP banning & logging?

  3. Any linux-server security modifications? I did not modify anything yet

  4. How do I protect my website from all spam bots/spiders? identify&ban

It will be helpful if someone can prove a guideline/checklist to all security points for a website, to go an check/secure one by one...

I think my service is secure then the most... but clearly it's not gonna change the fact that there are some skilled people chat can hack anything... - I do want to make it a bit of a challenge if someone try messing with my system... I want a website service that is more secure then others.

Improve this question
5
  • 4
    Sounds like you need this! owasp.org/index.php/… Commented Apr 24, 2015 at 9:29
  • 1
    thanks, i'm reviewing it, but i will love some personal opinions of experience users, what are the most common and unknown mistakes developers do that hackers loves to exploit ;) Commented Apr 24, 2015 at 10:00
  • 2
    Experienced users are not more authoritative than OWASP I'm afraid! Speaking of which, the most common mistakes...? owasp.org/index.php/Top10#OWASP_Top_10_for_2013 (I promise I'm not working for OWASP!) Commented Apr 24, 2015 at 10:01
  • Take a look at this answer from Programmers.SE: programmers.stackexchange.com/questions/46716/… Then look under: Security It's a very good answer in general and it's very detailed. Commented Apr 24, 2015 at 11:05
  • From a pen tester's perspective, I have this list Commented Apr 24, 2015 at 14:59

2 Answers 2

Reset to default
3

To respond directly to your questions:

do i need some kind of auto ban ip system? failed login ip banning & logging?

Yes, don't try to reinvent anything and use fail2ban (just a good regex expression and you are protected.)

any linux-server security modifications? i did not modify anything yet

I would recommend selinux with domains and all that stuff, but is pretty hard. A good firewall, tcpwrappers and updates should be enough.

how do i protect my website from all spam bots/spiders? identify&ban

  1. Captcha as system is ok.
  2. Check referrer
  3. Use javascript before submitting.
  4. https://stackoverflow.com/questions/677419/how-to-detect-search-engine-bots-with-php

As checklist I recommend you OWASP top 10 (https://www.owasp.org/index.php/Top_10_2013-Top_10). If you want more details get OWASP Cheatsheets Book: https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf

Regarding security options on server side I also recommend:

  1. WAF (mod_security + OWASP rule set) will be essential on your web app.
  2. Chroot Webserver.
  3. Hide webserver Signature
  4. Disable Directory Listing
  5. Use mod_evasive (agains DOS)
  6. Turn off Server Side Includes and CGI Execution if you don't use them.
  7. Uninstall everything what is not necessary.
  8. Force yourself and do not install anything from sources, it will be harder to upgrade.

Good luck.

Improve this answer
1

Checklists in general are an ok place to start a conversation about security. The OWSAP top ten is pretty good.

But it's nearly impossible to design a security system for you without knowing what you're doing, what you're trying to protect, and who you're trying to protect it from. A bank needs different security than a Target store for instance.

Designing an entire security system is far beyond the scope of a question here. My advice is to hire someone with experience designing security and who can guide you through that process. If you're starting out the conversation asking for checklists, you clearly need more experienced help.

Improve this answer
2
  • the best way to learn is doing it yourself the hard way and pick up new things on the way... i just asked for a checklist of common security points need to be address on a web site, e.g add csrf token, use captcha etc... so i will learn each one deeply and implement it on this project an the next's to come... if you hire someone to do your job, you ending up learning nothing... Commented Apr 25, 2015 at 17:07
  • @itai It's true you can learn on the job, but you're risking the security of your website. You can also absolutely learn a hell of a lot if you pay someone to do the job, you just have to be part of the process rather than be ignorant. Commented Apr 25, 2015 at 20:15

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.