
Any tips, please, for securing my VPS.

ChibiCed

Good day. I'm new to using a VPS and am currently trying to secure it properly. Our head of IT is somewhat against putting things on the Web, for security reasons, he says.


To those of you who are masters at using a VPS, maybe you could give me some tips and tricks. I'm using Ubuntu 20.04, Apache2, MySQL and MSSQL (that's the database my boss prefers). I've also set up SSL encryption with a self-signed certificate. Every time I do a backup I open the port and then close it when I'm done, especially for phpMyAdmin.
That way, by the time I request a domain and server for purchase, I'll already know how to set it up hehe.


I'm in government and all their systems are standalone; I'm also just a new hire. I'm currently working on a Job Portal and an HRIS system for HR use, web based, using PHP and JavaScript/jQuery. I tried to learn Laravel and Django but they make my head spin.
 
If you are running a web app on Apache, kindly review your code to see whether it is open to XSS injection or SQL injection. Hash your passwords. Keep a separate user group for the root user and the www-data group, so that in case your web app gets compromised through shell backdooring, your machine can't be priv-escalated that way. Kindly check your code also for session hijacking if your web app has a user or admin panel. And set up a honeypot: log everything and save it in a database so you have a trace in case a cyber attack happens.
 
For SQL injection, I'm already using PDO prepared statements as well.

I'll research how to implement these, sir. Thank you very much!
xss injection
shell backdooring
priv-escal
session hijacking
honeypot
XSS tip: block special characters, for example on the login or admin panel
secure session
shell backdooring: block the .php extension in case your site has image uploads
priv-escal: keep your Ubuntu machine updated
honeypot: implement an IP logger; get the remote IP of every request, then query ipinfo.io to see the full info on whoever visited the site.
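The password hashing and session-hijacking points from the earlier reply, together with the "secure session" tip above, in one login handler. This is an added example, not code posted in the thread; it assumes a PDO connection `$pdo` to a MySQL table `users(id, username, password_hash)` and a POST form with `username` and `password` fields (all assumed names).

```php
<?php
// Added example, not code from the thread. Assumes $pdo is an open PDO
// connection to MySQL with a users(id, username, password_hash) table, and a
// POST form with "username" and "password" fields (assumed names).
declare(strict_types=1);

function startHardenedSession(): void
{
    // Cookie flags that blunt session hijacking: not readable by scripts (XSS),
    // sent only over HTTPS, not sent on cross-site requests, and only accepted
    // when the server itself issued the id (no session fixation via URL).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so response
    // timing does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh session id on privilege change: an id captured before login is
    // worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

startHardenedSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'welcome' : 'invalid credentials';
}
```

Passwords are stored with `password_hash()` (bcrypt by default) and never compared in plain text; the session cookie flags only take effect on a site served over HTTPS.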
 
Sir, about the shell blocking: my .PDF uploader verifies whether the file is really a .PDF. Is it still possible for that to be bypassed?
 
Even if it's verified, if the HTTP request is hijacked it's still possible. So my tips: disable PHP, or have your uploader auto-rename, then move the file to a temp folder where .php is disallowed.

Sample: my upload is image.jpg

It moves it to the temp/ folder and renames it as image-temp-0001.jpg

Another example: say I'm the attacker, with shell.jpg whose content is a backdoor. I tamper with the HTTP request and change it to .php, so shell.php. It still won't succeed, because shell.php will still become shel-temp-002.jpg.
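The auto-rename-into-a-safe-folder approach described above, written out as an upload handler. This is an added example, not code from the thread; it assumes the form field is named `upload` and that `UPLOAD_DIR` already exists outside the web root (a stricter variant of the temp folder with .php disallowed), and it assigns the extension from the sniffed content type instead of trusting anything in the request.

```php
<?php
// Added example, not code from the thread. Assumes the form field is named
// "upload" and that UPLOAD_DIR already exists outside the web root, so Apache
// never executes anything stored there even if its bytes are PHP.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads_tmp'; // assumed path, outside htdocs
const MAX_BYTES  = 5 * 1024 * 1024;
// Real content types (sniffed from the bytes, not taken from the client),
// mapped to the extension the server itself will assign.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Magic-byte check: a PHP backdoor renamed to .jpg is rejected here
    // because its content is not a JPEG, whatever the tampered request says.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type');
    }
    // Server-chosen random name; the client-supplied filename is never used.
    // This is the auto-rename step from the thread, with a random id instead
    // of a counter so names cannot be guessed.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses paths that are not genuine PHP uploads.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // plain data, never executable
    return $name;
}

try {
    $stored = storeUpload($_FILES['upload'] ?? []);
    echo 'stored as ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Because the stored name and extension come from the server, a request tampered to claim shell.php ends up as a random .jpg (or is rejected outright when its bytes are not an image or PDF), which is the behaviour the post above describes.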
 
Thanks sir, I more or less get it now.
BTW, can you suggest a VPS hosting that's cheap? I'm using OVHCloud now, sir, on a promo of 700 PHP for 1 year, 1 CPU and 20GB storage, 100MB unmetered connection.
 
Thanks for the info, sir. Can the VPS also host an ASP.NET web app? I'm studying that now.
 
