Setting Freeway Permissions
From FreeWay
Read this text to learn what you can do to protect your shop and its data, and how to set the proper permissions.
Security Essentials
Security requirements should be specified before a project is implemented, not bolted on afterwards. A typical set of guidelines for a shop installation looks like this:
- The host operating system must be hardened as much as possible against both local and remote exploits
- Unnecessary server software should be disabled; an attacker looks for the weakest link in the chain, so the longer the chain you maintain, the better the attacker's chances
- Web server modules should likewise be installed only if absolutely necessary
- Diagnostic web pages (phpinfo() output, server status pages) and automatic directory indexing must be turned off
- The server should disclose as little as possible about itself: knowledge is power, so do not advertise which tools and versions you run or how you run them
- Run the web server under a unique UID/GID that no other system process uses
- Limit the web server's access to the local file system by chrooting the process
- Do not provide shell programs such as /bin/sh or /bin/csh inside the chrooted environment
- The PHP configuration should use PHP's built-in hardening settings rather than rely on application code alone
- The Apache server should reject requests (GET and POST) containing HTML tags (a possible cross-site scripting attack) or apostrophes/quotation marks (a possible SQL injection attack). Treat this as a coarse filter rather than a fix: it also rejects legitimate input such as a customer named O'Brien, and the real protection is parameterized queries and output encoding in the application
- No PHP warning or error messages should be shown to the web application's regular users; log them to a file instead
- It should be possible to store incoming GET and POST requests in a text file, so that an additional host-based intrusion detection system (HIDS) can analyse them
- Use secure file transfer: choose a host that requires SFTP (the SSH file transfer protocol; despite the common expansion "Secure FTP" it is not FTP) rather than plain FTP, which sends your user name and password in clear text where anyone on the path can read them
- Seek PHP flexibility: choose a host that lets you run either PHP4 or PHP5, whichever the shop version you install supports
- Choose a host that stays up to date with the latest stable versions of core software, including the operating system, database and scripting languages
- Require raw log access: make sure you have access to the raw server logs; reading them is a vital part of site security and of recovery after an incident
- Performance matters too: choose a host that limits the number of users and the average CPU load per machine to something reasonable for the hardware, and that proactively moves sites to balance load. A reverse IP lookup shows how many domains share a server
In a shared hosting environment you cannot control all of these; they are in the hands of the provider's administrator. For maximum security a dedicated server that you administer yourself is preferable. Avoid a shared server if you do not know, or cannot trust, the other users and the security of their code.
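Two of the items above, the PHP hardening settings and not showing errors to users, can be checked mechanically. The following shell script is an added example for this page, not Freeway code: it reads a php.ini and reports every directive that is unset or differs from a hardened baseline. The directive names are real PHP directives (register_globals and allow_url_include belong to the PHP 4/5 generation this page targets); which values count as "hardened" is this example's assumption, and the sample php.ini it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Freeway project code): audit a php.ini against a
# hardened baseline. The baseline values below are this example's assumption.

# Map PHP's spellings of true/false onto "on"/"off" so that "1", "On" and
# "yes" compare equal; anything else is returned unchanged.
normalize_bool() {
    v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/^"\(.*\)"$/\1/')
    case "$v" in
        1|on|yes|true)            echo on ;;
        0|off|no|none|false|"")   echo off ;;
        *)                        echo "$v" ;;
    esac
}

# Usage: audit_php_ini /path/to/php.ini
# Prints one line per directive that is unset or not at the expected value;
# returns 0 when the file is clean, 1 otherwise.
audit_php_ini() {
    ini="$1"
    findings=0
    for rule in \
        display_errors=Off \
        display_startup_errors=Off \
        log_errors=On \
        expose_php=Off \
        register_globals=Off \
        allow_url_fopen=Off \
        allow_url_include=Off
    do
        name="${rule%%=*}"
        want="${rule#*=}"
        # Like PHP, the last uncommented assignment wins.
        line=$(grep -E "^[[:space:]]*${name}[[:space:]]*=" "$ini" | tail -n 1)
        if [ -z "$line" ]; then
            have="(unset)"
        else
            # Strip the key, surrounding blanks and any trailing ";" comment.
            have=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=//' \
                   -e 's/[[:space:]]*;.*$//' -e 's/^[[:space:]]*//' \
                   -e 's/[[:space:]]*$//')
        fi
        if [ "$(normalize_bool "$have")" != "$(normalize_bool "$want")" ]; then
            echo "$name = $have (expected $want)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample php.ini (not a real server's file) for a stand-alone run.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample, a typical development-style configuration
display_errors = On
log_errors = Off
expose_php = On
register_globals = Off
allow_url_fopen = On   ; needed only if the shop fetches remote URLs
EOF
}

sample="${TMPDIR:-/tmp}/php.ini.sample.$$"
write_sample_ini "$sample"
audit_php_ini "$sample" || echo "php.ini needs attention before going live"
rm -f "$sample"
```

Run it against the php.ini your host actually loads (the path is shown in phpinfo() output, which is itself one of the diagnostic pages to remove once you are done). Unset directives are reported as findings on purpose: PHP's compiled-in defaults differ between versions, so set each of these explicitly rather than trusting the default.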
What Freeway can do for you
Freeway improves daily, so the first step in securing your online installation is updating the shop to the latest stable version available. If you are familiar with version control systems such as Subversion, you will find it easy to revert to a previously installed version.
Test, test, test!
We recommend that you always test newly installed shops in a previously prepared test environment. This helps you avoid problems you did not foresee and builds your experience in installing, maintaining and updating your shop.
2 is more than 1
Additional layers of security give you more protection. For example, protect your sensitive directories with .htaccess files that allow access only from your trusted networks, or that ask for an additional password. The point is not just having two different passwords; it is having two different types of authentication, so that if one is broken the other still holds. Also use security modules for your server, such as Apache's mod_security or mod_rewrite (discussed further below).
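The two-layer .htaccess described above, as an added example that is not part of the original page or of Freeway: a shell function that writes an .htaccess requiring both a trusted source network and a Basic-auth password, so that a stolen password alone or a spoofed address alone is not enough. It uses Apache 2.2 directives, matching the documentation the page links to; the directory, the networks and the password-file path are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not Freeway project code): generate an .htaccess that makes
# a sensitive directory require BOTH a trusted source network AND a Basic-auth
# password. Apache 2.2 directives. Directory, networks and password-file path
# are assumptions.

# Usage: write_protect_htaccess DIR HTPASSWD_FILE NETWORK [NETWORK...]
write_protect_htaccess() {
    dir="$1"; passwd_file="$2"; shift 2
    {
        echo '# Generated by the added example. Keep AuthUserFile outside the web root.'
        echo 'Options -Indexes'
        echo ''
        echo '# Check 1: only the listed networks may reach this directory at all.'
        echo 'Order deny,allow'
        echo 'Deny from all'
        for net in "$@"; do
            echo "Allow from $net"
        done
        echo ''
        echo '# Check 2: a valid password is required as well.'
        echo 'AuthType Basic'
        echo 'AuthName "Shop administration"'
        echo "AuthUserFile $passwd_file"
        echo 'Require valid-user'
        echo ''
        echo '# Satisfy All: both checks must pass. Satisfy Any would make either'
        echo '# one sufficient, which is the weaker configuration to avoid.'
        echo 'Satisfy All'
    } > "$dir/.htaccess"
}

# Usage: htaccess_requires_both FILE -> 0 if the file enforces both checks.
htaccess_requires_both() {
    grep -q '^Deny from all$' "$1" &&
    grep -q '^Require valid-user$' "$1" &&
    grep -q '^Satisfy All$' "$1"
}

# Stand-alone run on a scratch directory standing in for the shop's admin area.
demo="${TMPDIR:-/tmp}/protected.$$"
mkdir -p "$demo"
write_protect_htaccess "$demo" /etc/httpd/shop.htpasswd 192.0.2.0/24 198.51.100.7
htaccess_requires_both "$demo/.htaccess" && echo "both checks enforced"
cat "$demo/.htaccess"
rm -rf "$demo"
```

Create the password file with Apache's own tool (`htpasswd -c /etc/httpd/shop.htpasswd alice`) somewhere the web server cannot serve it, and make sure the main server configuration grants `AllowOverride AuthConfig Limit Options` for that directory, otherwise Apache silently ignores the relevant lines of the .htaccess file.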
Being generous is not always secure
Take care with the permissions you grant on directories, especially when using tools like PHPSuexec; misusing them can make your site vulnerable. On the database side, create a dedicated, limited user for the site that can access only the shop's database.
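As an added example (not Freeway's own installer or documentation), the following shell functions apply least privilege to both halves of the paragraph above: file permissions under the web root, with a check for anything left writable by everyone, and the SQL for a database account confined to the shop's database. The paths, file names, database and user names are assumptions for the demonstration, and the database statements assume MySQL syntax.

```shell
#!/bin/sh
# Added example (not Freeway project code): least-privilege permissions for a
# shop's web root and a dedicated database account. Paths, file names and the
# database/user names are assumptions; the SQL assumes MySQL.

# Usage: harden_webroot WEBROOT [CONFIG_FILE...]
# Directories become 755, files 644, and the named configuration files 444,
# so nothing under the web root is writable by the web server's group or by
# everyone. Run as the account that owns the files.
harden_webroot() {
    root="$1"; shift
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for cfg in "$@"; do
        if [ -f "$cfg" ]; then
            chmod 444 "$cfg"
        fi
    done
}

# Usage: world_writable WEBROOT
# Prints every file or directory anyone can write to; returns 1 if any exist.
# This is the check to run after an upgrade or after a "chmod 777 to make it
# work" moment.
world_writable() {
    found=$(find "$1" \( -type f -o -type d \) -perm -002)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Usage: shop_db_grants DBNAME USER HOST PASSWORD
# Emits the MySQL statements for an account confined to the shop's database
# with day-to-day privileges only (pipe the output into: mysql -u root -p).
# Installation and upgrades may need CREATE/ALTER temporarily; grant those to
# a separate account rather than to the one the shop runs with.
shop_db_grants() {
    cat <<EOF
CREATE USER '$2'@'$3' IDENTIFIED BY '$4';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$1\`.* TO '$2'@'$3';
FLUSH PRIVILEGES;
EOF
}

# Stand-alone run on a scratch tree standing in for the shop.
demo="${TMPDIR:-/tmp}/shop.$$"
mkdir -p "$demo/images"
printf 'x' > "$demo/images/logo.gif"
printf '<?php // constructed stand-in for the shop configuration file\n' > "$demo/configure.php"
chmod 777 "$demo/images" "$demo/configure.php"   # the "generous" state
world_writable "$demo" || echo "-> fixing"
harden_webroot "$demo" "$demo/configure.php"
world_writable "$demo" && echo "nothing world-writable remains"
ls -l "$demo/configure.php"
shop_db_grants shopdb shop_app localhost 'use-a-generated-password'
rm -rf "$demo"
```

Directories the shop must write to (uploaded product images, for example) need write access for the account PHP executes as. Under PHPSuexec that is the site's own account, so 755 is enough; under mod_php it is the web server's user, in which case give that user ownership of exactly those directories instead of opening them to everyone with 777.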
Lock with your biggest lock!
This is a basic rule to follow: use strong, complex passwords. A password generator and manager such as Password Safe (http://passwordsafe.sourceforge.net/) helps; you never know when you might forget one, and if your site is secure enough you could end up locked out of it yourself :)
Change the default administrative account name
As of 1.5 Beta this issue no longer applies: the admin page login now uses the email address, not the user name "admin". The advice still applies in general and to many other programs, and you should certainly change the email address in the default administrator record, because even that is easy for a potential attacker to find.
All new installations start with a Super Administrator account called 'admin'. During installation you are asked to give this account a password. That is fine as far as it goes, but because the user name of this highly privileged account is generally well known, half of the username/password pair is already exposed. All anyone needs to do is guess the password and they are in.
By changing the user name to something harder to guess, you make the account harder to break into: an attacker must guess both the user name and the password. This is considerably harder than guessing the password alone, though a user name is rarely as secret as a password, so treat it as an extra hurdle and not as a substitute for a strong password.
More about mod_security and mod_rewrite
ModSecurity is an Apache module that functions as an embeddable web application firewall. It protects against a range of attacks on web applications and allows HTTP traffic monitoring and real-time analysis with no changes to the existing infrastructure. It is also an open source project that aims to make web application firewall technology available to everyone. ModSecurity configurations are far too varied and complex to describe here. To learn more, see the following resource:
http://www.modsecurity.org/projects/modsecurity/apache/index.html
mod_rewrite gives you the ability to rewrite requested URLs on the fly. Its power and flexibility are well known and are documented in detail at the following resource: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
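The request filter the checklist asks for (reject requests carrying HTML tags or quotes) is a natural mod_rewrite job. The following is an added example, not from the page or from Freeway: a shell script that writes the rules as an .htaccess and also applies the equivalent pattern with grep, so the filter can be tried against sample query strings before it goes live. The sample query strings are constructed. Two caveats the rules themselves cannot express: mod_rewrite only sees the query string, so filtering POST bodies needs mod_security; and the filter is coarse, as the constructed sample shows by rejecting a legitimate customer name, which is why the application still needs parameterized queries and output encoding.

```shell
#!/bin/sh
# Added example (not Freeway project code): the "no HTML tags or quotes in
# requests" rule as mod_rewrite conditions on the query string, plus a grep
# with the equivalent pattern to try it on sample requests offline.

# Usage: write_rewrite_filter DIR  -> writes DIR/.htaccess
write_rewrite_filter() {
    cat > "$1/.htaccess" <<'EOF'
# Generated by the added example. Needs mod_rewrite loaded and
# AllowOverride FileInfo for this directory.
RewriteEngine On
# Raw < > ' " anywhere in the query string (\x22 is a double quote, written
# as a PCRE escape to avoid a literal quote inside an Apache argument) ...
RewriteCond %{QUERY_STRING} [<>'\x22] [NC,OR]
# ... or their URL-encoded forms %3C %3E %22 %27, case-insensitively.
RewriteCond %{QUERY_STRING} %3[ce]|%2[27] [NC]
# Reject with 403 Forbidden and stop processing further rules.
RewriteRule .* - [F,L]
EOF
}

# Usage: query_rejected 'QUERY_STRING' -> 0 if the rules above would reject it.
# grep -E and PCRE agree on this simple alternation, so it is the same test.
query_rejected() {
    printf '%s' "$1" | grep -Eiq "[<>'\"]|%3[ce]|%2[27]"
}

# Stand-alone run against constructed query strings. The third one is a
# legitimate customer name that the filter rejects anyway.
for q in 'q=%3Cscript%3Ealert(1)%3C/script%3E' \
         "products_id=1' OR '1'='1" \
         'name=O%27Brien' \
         'q=blue+shoes&page=2'
do
    if query_rejected "$q"; then
        echo "REJECT  $q"
    else
        echo "allow   $q"
    fi
done
```

Because the rejections are plain 403 responses in the Apache access log, they also give the host-based intrusion detection system mentioned in the checklist something concrete to count.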