Development
Technology related articles.
LAMP hardening techniques
We’re launching a new small business server product in the coming weeks, ideal for small businesses that need automated backups (and restores), shared internet, shared files, and one or two other goodies. The server is only available for rent, starting at 200€/month (including maintenance). This product is, to some degree, the culmination of about 3 years of running our own small hosting environment which, as far as we can tell, has not (yet) been compromised. I doubt we could keep a determined hacker from getting in, but we’ve so far been able to keep the script kiddies at bay. Here are some of the things we’ve learned along the way.
Use a firewall, even a software-based firewall such as the Endian Firewall. You’ll have to work some magic internally if you want to use host-based routing, but more complication just makes hacking more complicated, and unless you have a really juicy target, most hackers will go elsewhere (we presume). Install and configure mod_security (it claims to protect against XSS and many other things automagically). We haven’t been able to verify its functionality, but just knowing there’s another layer there makes us feel better :D
PHP
- turn off fopen wrappers
- turn off register globals
- turn off expose_php
- disable unused functions and classes
- install only the extensions you’re sure you’ll need
Disable other server-side scripting engines and CGI (assuming you are running PHP as an Apache module). Turn off other unused services:
- telnet
- ftp
- ssh
- etc.
Uninstall unneeded software (such as the whole GNOME interface and anything that requires runlevel 5 to function; this is a server, after all). You might even consider building the server from a base install of Debian or Ubuntu Server (both of which fit in 64 MB of memory). Log everything and increase the log history (a double-edged sword: more to review, but more to go on afterwards).
Don’t expose what web server you are running (or PHP or any other server-side technologies) in HTTP responses. In fact, if possible, alter the server signature (and fingerprint) to something unrecognizable or too generic to be of much help.
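As an added example (not code from the original post), here is a small Python audit that checks the php.ini directives behind the PHP checklist above and the Apache directives behind the "don't expose what web server you are running" advice, reporting a permissive configuration beside its hardened counterpart. The sample config fragments are constructed, and the mapping of "fopen wrappers" to allow_url_fopen and of the server banner to ServerTokens/ServerSignature is my assumption about what the post means.

```python
import re

# Constructed sample inputs (not from the original post): a permissive php.ini
# and Apache fragment, each beside its hardened counterpart.
PHP_INI_WEAK = "allow_url_fopen = On\nregister_globals = On\nexpose_php = On\ndisable_functions =\n"
PHP_INI_HARDENED = ("allow_url_fopen = Off\nregister_globals = Off\nexpose_php = Off\n"
                    "disable_functions = exec,passthru,shell_exec,system,proc_open,popen\n")
HTTPD_WEAK = "ServerTokens Full\nServerSignature On\n"
HTTPD_HARDENED = "ServerTokens Prod\nServerSignature Off\n"

def parse_ini(text):
    """Return {directive: value} from an ini fragment, ignoring ; comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def audit_php_ini(text):
    """List php.ini directives that disagree with the post's checklist."""
    settings = parse_ini(text)
    findings = []
    for key in ("allow_url_fopen", "register_globals", "expose_php"):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly, set it to Off")
        elif value not in ("off", "0"):
            findings.append(f"{key}: is {value}, should be Off")
    if not settings.get("disable_functions"):
        findings.append("disable_functions: empty, list the functions the site never calls")
    return findings

def audit_httpd(text):
    """Check the two Apache directives that control what responses reveal."""
    pairs = re.findall(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)", text, re.M | re.I)
    found = {k.lower(): v.lower() for k, v in pairs}
    findings = []
    if found.get("servertokens") != "prod":
        findings.append("ServerTokens: set Prod so the header is just 'Server: Apache'")
    if found.get("serversignature") != "off":
        findings.append("ServerSignature: set Off so error pages omit version and OS")
    return findings

if __name__ == "__main__":
    for label, ini, httpd in (("weak", PHP_INI_WEAK, HTTPD_WEAK),
                              ("hardened", PHP_INI_HARDENED, HTTPD_HARDENED)):
        print(label, audit_php_ini(ini) + audit_httpd(httpd))
```

Run it against the real /etc/php.ini and httpd.conf by reading those files into the two audit functions; an empty findings list for both means the server matches the checklist.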
I’m sure there are more tips I’m forgetting, but these should help you get started. I’d love to hear others’ experiences and tips if you care to share…
Real Semantic Markup
Roger Johansson over at 456 Berea Street, reflecting on a series of articles by John Allsopp regarding HTML semantics, asks the question: “Should there be another way of extending and improving the semantics of HTML without requiring the specification to be updated?”
Personally, I think the issue revolves around the misuse of HTML to mark up something other than research papers.
It is my understanding that HTML is an application of SGML, a markup language used to mark up research papers for mass reproduction on offset printers. As such, the vocabulary (the tags) in HTML reflects the type of data being marked up. Consequently, when HTML is used to mark up documents that are not academic in nature (are not research papers), authors are left cobbling together solutions to retain the semantic value, but that rarely works. For example, if you want to mark up a mathematical equation, you’ll need the MathML specification precisely because HTML doesn’t have the vocabulary necessary for describing the content.
I find it a little ironic that Tim Berners-Lee has basically turned everyone into an academic in some sense, by enabling them to do massive research and post their findings. However, current technology limits us to “browsing” research papers, even though we’ve creatively found ways to publish much, much more than that.
I think the world is missing a browser that is able to render a variety of markup languages (vocabularies), including HTML, MathML, XHTML, XHTML2, XForms, SMIL, and others (although the last 2 are not technically markup languages). I can imagine a world in which marketers define their own markup specification for sharing data (a problem I think microformats are trying to solve) safely. In fact, markup languages can be defined for nearly any field. The problem is, we don’t have web browsers capable of rendering the data in the source documents in any meaningful fashion because no formatting information is associated with any of the elements of these foreign markup languages. In fact, I find it hard to imagine what a marketing database or recipe list would look like if not some kind of document.
So, in conclusion, I’m not sure if I’ve made my point, but basically I think any semantic improvements in HTML will come from focusing on the domain it was originally intended for (academia) rather than from trying to extend it to other domains that have little or nothing to do with writing research papers.
My name is not Google
As a young boy, whenever I asked for the definition of something I was told to “look it up”. I hated that answer! It seemed so futile: if the task was to get something done and you knew the answer, why should I look it up?
It is clear to me now that I was told to look it up as a young boy to get me into the habit of being independent, of being able to fend for myself, and probably more importantly, not bothering busy people when the answer was available elsewhere.
In fact, that response has ended with me:
Learning to read by looking up words in the dictionary.
Learning to juggle by dropping lots of balls.
Reading El Quijote in Spanish the same way I learned how to read.
Learning to connect to the Oxford English Dictionary hosted at the University of Illinois Urbana-Champaign from home via a 2400 baud modem and a connection to the dial-up lines at UIC-Chicago the same way I learned how to read (and by bothering more than one techie…).
Along the way I also learned:
- how to use PowerPoint (via Aldus Persuasion, which in my opinion was infinitely more powerful)
- how to write HTML
- how to write JavaScript
- how to program in Perl, PHP, XSLT, ASP, JSP, JavaScript, AppleScript, Java, .Net, Fusebox, VBA, C, C++, Bash, SQL (Server), HyperCard, Director, Authorware, MS Office Macros, Photoshop Actions, Flash (yes, I even learned how to program in Flash), and more that I’m forgetting…
And remember, I started out not knowing how to read.
I guess my teachers weren’t so dumb after all.
And the next time you consider asking someone you know for the answer to a question just as easily answered by Google, consider looking it up first. Just look where it might lead you!
How to compile mod_dav_svn.so
Based on these instructions on how to compile mod_dav_svn, I managed to get our old Red Hat server serving our public Subversion repository.
I’m a little surprised by how little documentation there is on how to do this considering it is such a great way to make a code repository available to authorized users. I was unable to find any clear information on how to do this on subversion.tigris.org or on apache.org.
So, how do I know what name to use with the Apache configure option --enable-MOD_NAME? The configure option --enable-mods-shared=all is a nice shortcut, but not very realistic in a real hosting environment. I’ve read in several places that you should only enable the modules you are really going to use, and enabling all of them just seems like a bad idea. Can anyone help?