Detailed guide to securing your website / forum as fully as possible, to avoid 99% of the risk of Local Attack

Tuesday, 27 May 2014
Because there are more and more thieves around and more and more of you are being attacked -> I am writing this tutorial to help you secure your websites better. If you follow it properly and the server is configured well, it will certainly reduce the risk of local attack by 99%.

What I cover here is website security in general, not only forum security, which means you can apply what I write below to any website, whether you are running a blog, a forum or something else.

However, because most of you run vBulletin forums, I take vBulletin as the model.

Now we begin:
These are the steps we will go through.
1. Changing the location of the file that contains the database information (config.php)
2. Tricks to protect the config.php file
3. CHMOD to protect the areas within the attacker's reach
4. Changing the location of AdminCP
5. Protecting the AdminCP area with htaccess
6. Configuring user permissions on the database
7. Some advice

Before you proceed, check that your code has not already been infected with a shell, because if it has, you will be attacked no matter what you do.
+ In AdminCP, go to the Plugin Manager and check whether there are any strange plugins, especially plugins under the vBulletin product
+ See also this article: http://sinhvienit.net/forum/threads...rong-database/
+ Download the entire code to your machine and scan it with a strong antivirus to detect whether anything is there
I recommend Avira 10: http://dlpe.antivir.com/package/wks_...premium_en.exe
License: http://sinhvienit.net/forum/threads...quyen-3-thang/


1 & 2. Changing the location of the file that contains the database information (config.php) & tricks to protect this file
* Note: If you use the vBSEO mod, you should not change the location of config.php, because vBSEO's files call this file and the change will cause errors. I also recommend not using vBSEO if you are on shared hosting or a VPS, because it consumes a great deal of server resources.

- Create a folder at the same level as the includes folder, with any name you like; this folder will hold the config.php file later.
But note that the name of this new folder must have a # at the beginning. For example, I create a folder named
Code:
  #skins
* Note: Create this folder via FTP

Next, open the file includes/class_core.php

Search for
PHP Code:
includes/config.php
and replace it with
PHP Code:
#skins/config.php
* You will find it in 3 places (2 of them are code, 1 is a comment)

Explanation: A directory name with a # at the beginning greatly limits the risk of attack. Why?
Because # is a special separator in an address, for example:
http://sinhvienit.net/test.php#IT
-> The browser sends a request for the file http://sinhvienit.net/test.php, and once the page has finished loading it scrolls to the element whose ID is IT

So suppose someone tries to read the config.php file using a shell.
Done the normal way, the call looks like this:
Code:
  http://victim/c99.php?act=f&f=config.php&d=/home/user/public_html/forum/#skins
The example here uses the c99 shell. As you can see, the # in the link has cut "skins" off from the rest of the link,
so the link above is equivalent to the following link
Code:
  http://victim/c99.php?act=f&f=config.php&d=/home/user/public_html/forum/
-> The path is no longer correct -> the content of the config.php file cannot be read

3. CHMOD to protect the areas within the attacker's reach

* If your host uses cPanel, I recommend you CHMOD the files #skins/config.php and includes/class_core.php to 400
* If your host uses DirectAdmin, I recommend you CHMOD the files #skins/config.php and includes/class_core.php to 004

After you have finished CHMODing the 2 files:

* If your host uses cPanel, I recommend you CHMOD the #skins and includes folders to 100
* If your host uses DirectAdmin, I recommend you CHMOD the #skins and includes folders to 001

This is the second-lowest level the host will accept. You cannot do this CHMOD via FTP; you have to do it through the hosting control panel (DirectAdmin, cPanel ...). Once CHMODed like this, you yourself no longer have access to these files and directories either, so if you want to edit them, CHMOD them back to the original values (644 for files, 755 for folders) before you can read or back them up.
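A way to verify the modes from this step, as an added example that is not part of the original tutorial: the script builds a throwaway copy of the layout (`#skins/config.php`, `includes/class_core.php`) in a temporary directory and compares each path with the cPanel values above. The function names are made up for this example, and it assumes GNU `stat`.

```bash
#!/usr/bin/env bash
# Added example: audit the modes from step 3 on a constructed sample tree.
# Assumes GNU stat (stat -c '%a'). Function names are made up for this example.

# check_mode PATH EXPECTED: compare a path's mode with a 3-digit octal mode.
check_mode() {
    local path expected actual
    path=$1; expected=$2
    actual=$(stat -c '%a' -- "$path" 2>/dev/null) || { echo "UNREADABLE $path"; return 2; }
    actual=$(printf '%03d' "$actual")      # stat prints 0004 as "4"; pad to "004"
    if [ "$actual" = "$expected" ]; then
        echo "OK    $actual $path"
    else
        echo "WRONG $actual (want $expected) $path"
        return 1
    fi
}

# audit_forum ROOT FILE_MODE DIR_MODE: return the number of paths that differ.
audit_forum() {
    local root bad
    root=$1; bad=0
    check_mode "$root/#skins/config.php"       "$2" || bad=$((bad + 1))
    check_mode "$root/includes/class_core.php" "$2" || bad=$((bad + 1))
    check_mode "$root/#skins"                  "$3" || bad=$((bad + 1))
    check_mode "$root/includes"                "$3" || bad=$((bad + 1))
    return "$bad"
}

# make_sample: build a throwaway forum layout and print its path.
make_sample() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/#skins" "$root/includes"
    : > "$root/#skins/config.php"
    : > "$root/includes/class_core.php"
    echo "$root"
}

root=$(make_sample)
audit_forum "$root" 400 100 || echo "before CHMOD: $? path(s) differ"
chmod 400 "$root/#skins/config.php" "$root/includes/class_core.php"
chmod 100 "$root/#skins" "$root/includes"
audit_forum "$root" 400 100 && echo "after CHMOD: all modes match (cPanel values)"
chmod 755 "$root/#skins" "$root/includes"   # restore access so cleanup works
rm -rf "$root"
```

For a DirectAdmin host, call `audit_forum` with `004 001` instead; with those modes the owning account can no longer look inside the folders, so such paths are reported as UNREADABLE unless the check runs as a user that still has access.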

4. Changing the location of AdminCP
Open the config.php file and find the line
PHP Code:
$config['Misc']['admincpdir'] = 'admincp';
Replace it with
PHP Code:
$config['Misc']['admincpdir'] = 'style';
for example.

Then, on the host, rename the admincp folder to style

From now on you no longer reach AdminCP at domain.com/forum/admincp/ but at domain.com/forum/style/

5. Protecting the AdminCP area with htaccess
For this you can refer to this post:
http://sinhvienit.net/forum/showthread.php?t=5497
Here I give the guide for hosts using DirectAdmin and cPanel

a. cPanel: log in to your host and find the following:

Browse to the folder you need to protect. Clicking a folder's icon takes you into that folder; clicking the folder's name configures it. Here, I click the folder icon of the folder that contains admincp

Click the admincp folder to configure protection

Enter the message shown in the login window when a user enters this directory

Configure the username and password

b. DirectAdmin: log in to your host and find the following:

Browse to the folder that needs protecting

Configure the login

You can add users to a folder; to edit or manage the passwords, go to the following

And here is the result:

If the login fails or you click Cancel



6. Configuring user permissions on the database
In a database management system, each user is assigned a fixed set of rights. When you create a user for a database, you also grant it rights, which decide what power it has over that database.
Usually you give it full rights. But there is one right that we rarely use and that an attacker can take advantage of to drop the database: the DROP right.
So, to limit the risk of the database being dropped clean when an attacker gets hold of the database account information, we take this right away.
a. For cPanel hosts
When you add the user to the database, pay attention to this place:

b. For DirectAdmin
Log in to your host and find the following

Choose the database

Click Modify Privileges to assign rights

Untick the Drop right for the user
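To confirm the result outside the panel, as an added example that is not part of the original tutorial: the function below reads `SHOW GRANTS` output and prints every grant line that still allows DROP, either explicitly or through full rights. It assumes a MySQL database; the sample lines and the names `forum_user` and `forum_db` are constructed.

```bash
#!/usr/bin/env bash
# Added example: flag grants that still allow DROP on the forum database.
# Sample SHOW GRANTS lines are constructed; forum_user/forum_db are made-up names.

# find_drop_grants: read SHOW GRANTS output on stdin and print every line
# that permits DROP. Exit status 0 = DROP still granted, 1 = not granted.
find_drop_grants() {
    awk '
        /^GRANT / {
            privs = toupper($0)
            sub(/^GRANT /, "", privs)       # keep only the privilege list
            sub(/ ON .*/, "", privs)
            n = split(privs, p, /, */)
            for (i = 1; i <= n; i++)
                if (p[i] == "DROP" || p[i] == "ALL PRIVILEGES" || p[i] == "ALL") {
                    print; found = 1; break
                }
        }
        END { exit found ? 0 : 1 }
    '
}

# Account as usually created: full rights, which include DROP.
grants_full() { cat <<'EOF'
GRANT USAGE ON *.* TO 'forum_user'@'localhost'
GRANT ALL PRIVILEGES ON `forum_db`.* TO 'forum_user'@'localhost'
EOF
}

# Same account after the Drop right has been removed in the panel.
grants_limited() { cat <<'EOF'
GRANT USAGE ON *.* TO 'forum_user'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX ON `forum_db`.* TO 'forum_user'@'localhost'
EOF
}

echo "full rights:";  grants_full    | find_drop_grants || echo "  DROP not granted"
echo "DROP removed:"; grants_limited | find_drop_grants || echo "  DROP not granted"
```

On a host with shell access and the `mysql` client, pipe the output of `mysql -N -e "SHOW GRANTS FOR 'forum_user'@'localhost'"` into `find_drop_grants` instead of the sample functions.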


7. Some advice
+ When you learn that you are at risk of attack, quickly back up all the files on the host and the database (database first)
See more on backing up data without corruption: http://sinhvienit.net/forum/showthread.php?t=36677
+ Back up the database regularly, as regularly as possible
+ Always keep 1 copy on your own machine
+ Monitor the website regularly, and check the logs and the control panel for anything unusual
+ Keep your passwords carefully, avoid exposing them, and change them promptly if you feel they may have been exposed. Especially the email password
+ When you change the location of config.php, do not move the file; leave a config.php in includes, a copy of the config.php file whose database information is not correct. If possible, create a fake database and make the information in this config file that of the fake database.
+ The measures I outline above are only relative; a truly knowledgeable attacker will know how to get past what I describe. However, the vast majority of attackers who deface sites are still young people who want to explore and experiment with new things and do not yet have deep knowledge, so these measures will help keep you reasonably safe
The fake database I mention here is a database you create with the full set of tables from the code but little or no content; the site does not use this database. So if an attacker gets the info for this database, the data in it is worthless to them
Thanks to OSP Viet Nam for supporting the cPanel host and to BeeHost Vietnam for supporting the DirectAdmin host used to complete this tutorial