Tag Archives: security

Update 2/22/2010: It looks like changing .htaccess is no longer necessary. After you select PHP 5.x, your site will begin using version 5.2.5 without any further configuration.

The following applies to older domains. As of early 2009, newly purchased Linux hosting plans are running PHP 5.2.8, while older plans, once updated, only go up to PHP 5.2.5. I’ve had Ardamis.com hosted at GoDaddy since 2005, and quite a while ago I thought I had upgraded to PHP version 5 from 4.3.11, but tonight I happened to check with phpinfo and found I was still on version 4.

In the unheard of ten minutes that I was on hold waiting for technical support, I figured out how to really run my pages on PHP 5.x (in this case, 5.2.5).

Log in and go to your Hosting Control Center. You must be running Hosting Configuration 2.0 to go any further, so if you haven’t touched your domain in years, do that first.

Click on Content, then Add-On Languages. Next to PHP Version, select PHP 5.x and click Continue. You’ll get a message that “Changing to PHP 5.x may make your PHP files run incorrectly.” Highly unlikely these days, but OK, you’ve been warned. Notice, too, that it says “PHP 5.x will be activated”. Click Update.

It may take a while for this change to be processed by the server, but once your Account Summary is displaying PHP Version: 5.x, it’s time for the really important part.

You see, you’ve only made PHP 5.x available at this point. Your *.php files are still running in 4.x. Go ahead and check phpinfo again.

Now, you could simply edit .htaccess to change the extensions, like so:

AddHandler x-httpd-php5 .php
AddHandler x-httpd-php .php4

More details at http://help.godaddy.com/article/1082

But if you’re squeamish about changing .htaccess yourself, there’s another way to set 5.x to be the default handler for *.php files. All the following does, strangely enough, is add the line AddHandler x-httpd-php5 .php to the beginning of your .htaccess file.

Back in the Hosting Control Center, click on Settings, then File Extension. If the change to 5.x has been completed, you’ll see at the bottom of the available extensions list, “Extension -> .php | Runs Under -> PHP 5.x” If it’s not there, stop here and come back in an hour or so.

Click on Custom Extensions at the left. This should be empty, with a message stating “No custom extensions have been created.”

Click on Default Extensions and then click on the Edit button (it looks like a piece of paper and a pencil) to the right of .php | PHP 5.x. Click on Continue.

Click again on the Custom Extensions button on the left, and you should now see “Extension -> .php | Runs Under -> PHP 5.x”. Check your phpinfo page one more time, and it should report PHP 5.x.

It’s unfortunate we even have to do this for our older domains, but I asked the tech support guy if I could somehow get on to PHP 5.2.8, and he said nope, that the newer servers have the more recent version but the older servers are stuck back in 2007.

A little over a year ago, I wrote a post about a PHP script I had created for protecting a download using a unique URL. The post turned out to be pretty popular, and many of the comments included requests to extend the script in useful ways. So, I’ve finally gotten around to updating the script to generate multiple URLs (up to 20) at a time, to allow different files to be associated with different keys, and to allow brief notes to be attached to the download key.

I’ve also added a simple page that prints out a list of all of the keys generated, the date and time that each key was created, the filename of the download on the server that the key accesses, the number of times the key was used, and any attached note. This should make it easier to generate gobs of keys, drop them into an Excel spreadsheet, and help the files’ owner keep track of who’s getting which file, and how often.

The scripts themselves are a little more involved this time around, but the general idea is the same. A unique key is generated and combined with a URL that allows access to a single file on the server. Share the URL/key instead of the URL to the file itself to allow a visitor to download the file, but not to know the location of the file. The key will be valid for a certain length of time and number of downloads, and will stop working once the first limiting condition is met. This should prevent unauthorized downloading due to people sharing the keys.

How it works

There are six main components to this system:

  1. the MySQL database that holds each key, the key creation date and time, the maximum age of the key, the number of times the key has been used, the maximum times the key may be used, the file associated with the key, and the note attached to the key, if any
  2. a generatekey.php page that generates the keys and outputs the corresponding unique URLs
  3. a download.php page that accepts the key, checks its validity, and either initiates the download or rejects the key as invalid
  4. a report.php page that returns all of the data in the database
  5. a config.php file that contains variables such as number of downloads allowed, the maximum allowable age of the key, and the filenames of the downloads, along with the database connection information
  6. the .zip file(s) to be protected

The files

The files, along with two example downloads, are available for download as a .zip file.

Download the protecting multiple downloads PHP script

The MySQL database

Using whatever method you’re comfortable with, create a new MySQL database named “download” and add the following table:

CREATE TABLE `downloadkeys` (
  `uniqueid` varchar(12) NOT NULL default '',
  `timestamp` INT UNSIGNED,
  `lifetime` INT UNSIGNED,
  `maxdownloads` SMALLINT UNSIGNED, 
  `downloads` SMALLINT UNSIGNED default '0',
  `filename` varchar(60) NOT NULL default '',
  `note` varchar(255) NOT NULL default '',
  PRIMARY KEY (uniqueid)
);

How to use the scripts

The scripts require a little setup before they’re ready to be used, so open config.php in your text editor of choice.

Change the values for $db_host, $db_username, $db_password, $db_name to point to your database.

Set the variable $maxdownloads equal to the maximum number of downloads (actually, the number of page loads).

Set the variable $lifetime equal to the keys’ viable duration in seconds (86400 seconds = 24 hours).

Set the variable $realfilenames to the real names of actual download files on the server as a comma-separated list (this is optional; you can also use a single filename or just leave it as empty double-quotes: “”). If you have more than one file to protect, enter the names as a comma-separated list and the script will create a drop-down menu as the Filename field. If you leave the variable blank, the form will display an empty input box as the Filename field.

Set the variable $fakefilename to anything – this is what the visitor’s file will be named when the download is initiated.

I would strongly recommend renaming generatekey.php, as anyone who can view it will be able to create unlimited numbers of keys, and worse, they’ll be able to see the filenames (if you set them in config.php). I would also recommend that the directory you put these files into, and each directory on your site (/images, /css, /js, etc.), contain an index.html file. This is a simple security measure that will prevent visitors from snooping around a directory and viewing its contents (though access to the directory contents is usually prohibited by a setting on the server).

Place all the PHP scripts and your .zip file(s) into the same directory on your server.

That’s all there is to it. Whenever you want to give someone access to the download, visit the generatekey.php page and fill out the form. It will generate a key code, save it to a database, and print out a unique link that you can copy and paste into an email or whatever. The page that the unique link points to checks to see if the key code is legitimate, then checks to see if the code is less than X hours old, then checks to see if it has been used less than X times. The visitor will get a descriptive message for the first unmet condition and the script will terminate. If all three conditions are met, the download starts automatically.
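
The three checks described above (key exists, key is not too old, key has uses left), as an added example that is not the code shipped in the post's .zip. It assumes PHP 7.1 or later with PDO and the pdo_sqlite driver; an in-memory SQLite table stands in for the MySQL `downloadkeys` table, and `make_key()` and `redeem_key()` are hypothetical names.

```php
<?php
// Added example, not the post's download.php. The in-memory SQLite table
// below stands in for the MySQL downloadkeys table defined in the post.

function make_key(): string {
    // 6 random bytes -> 12 hex characters, which fits the varchar(12) column.
    return bin2hex(random_bytes(6));
}

function redeem_key(PDO $db, string $key, int $now): array {
    // Reject anything that is not exactly 12 hex characters before touching SQL.
    if (!preg_match('/\A[0-9a-f]{12}\z/', $key)) {
        return [false, 'invalid key'];
    }
    // Prepared statement: the key is never concatenated into the query text.
    $q = $db->prepare('SELECT * FROM downloadkeys WHERE uniqueid = ?');
    $q->execute([$key]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [false, 'invalid key'];
    }
    if ($now - (int)$row['timestamp'] > (int)$row['lifetime']) {
        return [false, 'key expired'];
    }
    // Count the use atomically: the WHERE clause re-checks the limit, so two
    // simultaneous requests cannot both take the last remaining download.
    $u = $db->prepare('UPDATE downloadkeys SET downloads = downloads + 1
                       WHERE uniqueid = ? AND downloads < maxdownloads');
    $u->execute([$key]);
    if ($u->rowCount() !== 1) {
        return [false, 'download limit reached'];
    }
    // basename() keeps a stored filename from pointing outside the directory.
    return [true, basename($row['filename'])];
}

// Constructed demo data: one fresh key with two uses, one already-expired key.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloadkeys (uniqueid TEXT PRIMARY KEY, timestamp INTEGER,
           lifetime INTEGER, maxdownloads INTEGER, downloads INTEGER DEFAULT 0,
           filename TEXT, note TEXT)');
$now   = time();
$fresh = make_key();
$stale = make_key();
$ins = $db->prepare('INSERT INTO downloadkeys VALUES (?, ?, ?, ?, 0, ?, ?)');
$ins->execute([$fresh, $now, 86400, 2, 'example.zip', 'constructed sample row']);
$ins->execute([$stale, $now - 90000, 86400, 2, 'example.zip', 'constructed, too old']);

// Third use of $fresh hits the limit; the all-zero key matches no row.
foreach ([$fresh, $fresh, $fresh, $stale, '000000000000', "x' OR '1'='1"] as $k) {
    [$ok, $msg] = redeem_key($db, $k, $now);
    echo ($ok ? 'OK   ' : 'DENY ') . $msg . "\n";
}
```

The conditional UPDATE is the part worth carrying over to any implementation of this scheme: reading the counter and incrementing it in separate steps lets concurrent requests exceed the download limit.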

Errors and issues

Note: The download will not initiate automatically, and will actually be output as text on the page, if the download.php page is changed to send headers or any output to the browser. Be careful when making modifications or incorporating this script into another page.

Check the HTTP headers (Google for an online service that does this, or install the LiveHTTPHeaders Firefox plugin) of the download link. If the script is working correctly, you should see Content-Transfer-Encoding: binary and Content-Type: application/octet-stream in the headers. If you’re getting a page of text instead of the zip file, you’ll probably see Content-Type: text/html.

Example HTTP headers for a correctly working download

If the script is working correctly, the HTTP headers will look something like this:

HTTP/1.1 200 OK
Date: Sun, 20 Jun 2010 13:31:50 GMT
Server: Apache
Cache-Control: must-revalidate, post-check=0, pre-check=0, private
Content-Disposition: attachment; filename="bogus_download_name.zip"
Content-Transfer-Encoding: binary
Pragma: public
Content-Length: 132
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

Update 9.8.12: It has been three years since I wrote this article, and most of the wireless networks that I can see today are protected with WPA2, probably because modern routers are now secured using WPA2 by default. I’ve updated the post a little, but good advice in 2009 remains solid in 2012.

Of the seven wireless networks that I can see from my living room, five are secured, or at least appear as such in the available networks list. That’s a good start, but most of my neighbors could be doing a better job of protecting their networks from intrusion.

In addition to slowing down your network connection, someone who connects to your WLAN may be able to:

  • Send spam or perform illegal activities with your Internet connection
  • Monitor the Web sites you visit, read your e-mail and instant messages as they travel across the network, and copy your usernames and passwords
  • View files on your computers and spread dangerous software

IT security needs to use a layered approach. While no single layer of security is enough to withstand every attack, each additional layer serves to further harden your system and discourage would-be attackers and free-loaders. When it comes to your home wireless network, one aim is to make it obviously more difficult to hack than your neighbor’s network. Consider the old joke about the two explorers on the plain in Africa when they hear the roar of a nearby lion. One explorer quickly starts putting on running shoes, to the amazement of the other. “You must be crazy if you think you can outrun a lion,” says the second explorer. “I don’t need to outrun the lion,” responds the first explorer, “I just have to run faster than you!”

To some extent, your wireless security works the same way. Unless your network is selected at random, or someone is just looking for a challenge, the amateurs and free-loaders are probably going to pick the weakest visible network to intrude upon. (And the availability of wireless hacking software makes it easy to poke around at neighboring networks.)

Here are five settings on your router which, if properly configured, will better protect your network, your computers, and your data.

  1. Change the default password for the administrator account on your wireless router or access point. This is absolutely essential and should have been the very first thing you did after you unboxed it. Don’t use a word in the dictionary or anything easily guessed.
  2. Change your SSID (network name). A router’s default SSID (Service Set Identifier) can be used to identify your hardware, which could help a hacker determine the default administrator password (see step 1). A default SSID also suggests that the network was poorly configured, making it appear to be an easier target. Change it to something you and your family would recognize (your pet’s name, for example), but that’s not publicly identifiable (don’t use your name, your address, etc.).
  3. Disable WiFi Protected Setup (WPS). WPS has become one of the easier ways to hack a wireless network, due to a vulnerability with the PIN function.
    Source: http://www.pcmag.com/article2/0,2817,2398435,00.asp
  4. Use the strongest encryption form supported by your router and all of your other devices. The best choice is WPA2 with the “TKIP+AES” algorithm, which is the newest type of wireless encryption and provides the highest level of encryption available. WPA2 has been available on most devices manufactured in the past few years. WPA-PSK, also called WPA-Personal, encryption is the next best, and 128-bit WEP is the weakest level of encryption and is barely better than no security at all. Use a strong password, ideally a string of 20+ random alpha-numeric characters. You can find such random strings at https://www.grc.com/passwords.htm.
  5. Disable remote administration. The ability to remotely administer your WLAN router via the Internet should be turned off unless you absolutely need this. It is usually turned off by default, but it’s a good idea to check. The only downside to this is that you will have to physically connect a computer to the router in order to configure it, which isn’t necessarily a downside at all.

There are also some myths and incorrect assumptions around securing your router. Two of the most common are MAC address filtering and not broadcasting the SSID.

  1. Myth: Limit access to your wireless LAN by using MAC address filtering. A MAC address (also called the physical address) is an identifier unique to each network adapter. MAC address filtering involves looking up the MAC address of each device that will connect to the WLAN and adding them to a list in the router’s control panel. MAC addresses can be spoofed, so filtering offers a false sense of security.
  2. Myth: Disable SSID broadcasting. Disabling SSID broadcasting will prevent casual browsers from finding your network, but your devices will periodically ping your SSID, making it discoverable. Not broadcasting your SSID does nothing to secure your network; it just makes it less obvious to your neighbors.
    Source: http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/

With the router and WLAN now well-configured, hacking your home network will be much more difficult. Below are a few more suggestions to further increase your protection.

The farther the Wi-Fi signal reaches, the easier it is for others to detect and exploit it. If possible, place the router where it will have the most difficulty broadcasting the signal outside your home, such as in the basement, in a closet, or toward the center of your home. While not a feature of all wireless routers and access points, some allow you to change the transmitter power. If possible, adjust it so that you still get a decent signal inside, but it doesn’t leak too far outside your home.

If you can afford a second NAT router, you can dramatically improve your LAN’s security. Basically, you create a second LAN by connecting the wireless router to the modem, connecting a second, wired router to the wireless router and then putting one or more of your PCs behind the second, wired router. This means that anyone who accesses your WLAN still can’t get to the PCs behind the second, wired router.

Read more about using a second NAT router to create an even more secure LAN at GRC.com.

McAfee Wi-FiScan surveys your current Wi-Fi connection, your wireless equipment, and local environment to assess security risks introduced by your wireless network. Wi-FiScan uses an ActiveX control to gather information. If security or performance issues are found, McAfee will suggest ways to reduce your risk.
http://us.mcafee.com/root/wsc/default.asp

Netstumbler, by Marius Milner, will determine your network’s vulnerabilities and unauthorized access points, and also reveal the sources of network interference and weak signal strength.
http://www.netstumbler.com/downloads/

Protect your machine from attacks from within your LAN. Use a software firewall on every device and make sure that port 113 is stealthed. If you are using Windows, run Windows Updates every month or keep Automatic Updates on. Install some anti-virus software (Microsoft Security Essentials seems quite nice) and keep that up to date, too. Turn off services like File Sharing unless you need them and understand the consequences.

For the borderline-paranoids, you can turn off DHCP (Dynamic Host Configuration Protocol) entirely and configure each device to connect using a specific IP, or at least assign all of your devices static IP addresses well away from the first address dynamically assigned by your router. For example, if your router starts assigning IP addresses at 192.168.0.100, give your devices static addresses above 192.168.0.150. This will make it slightly more of a nuisance for someone who does access your network to find the machines connected to it, as they won’t exist near the address assigned dynamically to the intruder. You can change the default IP address of the router itself, too, but that will be immediately obvious to anyone who gets in.

Test your connection for vulnerabilities with third-party software. Use the ShieldsUP! port probe from GRC.com to check whether your router (wired or not) is detectable by port scanners via the WAN.
https://www.grc.com/x/ne.dll?bh0bkyd2

Verify that your computer’s Wake on Wireless LAN (WoWLAN) function is disabled (check your BIOS).

A Wi-Fi network is only vulnerable when it is on, so turn off your router when you aren’t using it. Turn off your computers, or at least hibernate/sleep them, when not in use. (Don’t forget to turn off the monitors, too.) Better yet, turn off your computer and then kill the power at the surge protector, as some components can still draw power when the computer is turned off. There is some cost in electrical draw to be saved here.

Don’t connect to unprotected wireless networks yourself, as it’s possible for someone on that network to monitor your traffic. If you must connect to an unprotected network, enter passwords only on sites that use encryption (those that display the padlock icon in the lower-right corner of your browser and with a URL in the address bar that begins with https). Never select the ‘connect to available wifi networks automatically’ setup option under your Network Connections window.

Ensure that your router’s firewall is enabled, along with related built-in security features that block anonymous requests or pings from the WAN side.

The DMZ feature of your router allows you to put a machine ‘outside’ of the protection of the NAT router. In practice, this isn’t necessary for normal use. Only use this if you understand the consequences.

For a good Ars Technica article that includes a chart of common devices (Wii, PS3, Xbox 360, etc.) and their support for the various levels of encryption, read The ABCs of securing your wireless network.

While we’re on the subject of wireless channels, you might want to consider downloading inSSIDer for help choosing the right channel to obtain the best wireless signal. For best performance, you should choose the least-used channel that is at least 5 channels from your neighbors’ networks, which will most likely be 1, 6, or 11. You want your router to be the strongest signal on its channel.