Weekend Projects - Securing Folders

Posted on May 3rd, 2008

Last week we worked on geotagging our site so that local people can find it more easily. This week we will look at a quick method to secure your folders against attackers trying to gain access to your site or deface it. Anyone using open source software should know that they are at greater risk of being exploited and should be security conscious when using that software.

Basic Security
If you have a folder, like your images folder, that you do not want someone to browse, you can add a blank index.html page to that folder. This will prevent anyone from viewing a listing of the folder's contents. The weakness of this method is that with open source software it is very easy to find the files anyway, because every installation stores them in the same location. Adding an index.html file to your folder will only stop basic nosy people from browsing folders they should not be browsing. For example, with WordPress I can see what plugins you have installed by going to www.yourblogurl.com/wp-content/plugins/.

General Security
A lot of open source software requires you to set folders to a permission of 777. This means that those files and folders are readable and writable by anyone. The result is that someone could maliciously use your site for phishing or spamming by uploading their own files into the insecure folder.

Some software only requires the folder or file to be set to 777 during the initial setup, so that it can write its configuration information. For example, WordPress wants you to make your theme files writable so you can modify them directly from your admin area. This is a great feature, but I would suggest that once you are done editing them you set the folder and file permissions back to what they were originally.

From time to time you will need to have folders set to 777 so you can upload images. You can stop certain file types in those folders from being served by creating a .htaccess file in the folder and adding the following to it:

<FilesMatch "\.(php|php5|php4|php3|htm|html|shtml)$">
 Order Allow,Deny
 Deny from all
</FilesMatch>

You can add other file types to the end of the list if your server supports them; for ASP, for example, you would add |asp.
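To check whether the folder protections above are actually in place, here is an added audit script (my own example, not code from the original post) that walks a web root and flags 777-style folders, folders without an index file, and writable folders whose .htaccess has no working FilesMatch deny for script types. It also treats curly quotes in the rule as broken, since Apache reads them as ordinary characters rather than as quoting, so the rule silently matches nothing. The sample tree it builds is constructed data, and the "protected" heuristic is an assumption of the script, not an Apache rule.

```python
import os
import re
import stat
import tempfile

# Assumption: a folder counts as protected when its .htaccess has a
# <FilesMatch> section whose pattern mentions php and whose body denies all.
_FILESMATCH = re.compile(r'<FilesMatch\s+"?([^">\s]+)"?\s*>(.*?)</FilesMatch>', re.I | re.S)


def htaccess_blocks_scripts(path):
    """True if the .htaccess at `path` carries a FilesMatch deny covering .php."""
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for pattern, body in _FILESMATCH.findall(text):
        if "\u201c" in pattern or "\u201d" in pattern:
            continue  # curly quotes from a copy-paste: the regex can never match a file
        if "php" in pattern.lower() and re.search(r"deny\s+from\s+all", body, re.I):
            return True
    return False


def audit_webroot(root):
    """Walk `root` and return sorted (relative_dir, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            findings.append((rel, "WORLD_WRITABLE"))      # 777-style folder
            if not htaccess_blocks_scripts(os.path.join(dirpath, ".htaccess")):
                findings.append((rel, "NO_SCRIPT_DENY"))  # uploaded scripts could be served
        if "index.html" not in files and "index.php" not in files:
            findings.append((rel, "NO_INDEX"))            # directory listing may be browsable
    return sorted(findings)


GOOD_RULE = '<FilesMatch "\\.(php|php5|php4|php3|htm|html|shtml)$">\n Order Allow,Deny\n Deny from all\n</FilesMatch>\n'
BAD_RULE = GOOD_RULE.replace('"', "\u201c", 1).replace('"', "\u201d", 1)  # same rule with curly quotes


def build_demo_tree():
    """Constructed sample web root (not a real site) for running the audit."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for sub, mode, rule in (("uploads", 0o777, GOOD_RULE), ("cache", 0o777, BAD_RULE),
                            ("wp-content", 0o755, None), ("wp-content/plugins", 0o777, None)):
        path = os.path.join(root, sub)
        os.makedirs(path)
        os.chmod(path, mode)
        if rule:
            with open(os.path.join(path, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write(rule)
    open(os.path.join(root, "index.html"), "w").close()
    return root


if __name__ == "__main__":
    for rel, finding in audit_webroot(build_demo_tree()):
        print(f"{finding:15} {rel}")
```

Run it against your real document root instead of the demo tree to get a list of folders that still need an index.html or a FilesMatch rule.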

Advanced Security
There are certain folders in most open source software where attackers go looking for exploits; include folders, for example, are usually hit hard. We have mod_security installed on our own servers to block the majority of well known exploits. To be more secure you can add your own layer of protection by placing a .htaccess in your include folders to prevent browsing of those folders completely. Add the following to the .htaccess:

<limit GET POST PUT>
order deny,allow
deny from all
</limit>

This will prevent anyone from viewing that folder at all. Sometimes the include folder is in an admin area where only you or a few other people need to see it. You can secure it the same way but add an allow rule for your IP address. Again create a .htaccess file, find your IP address and add the following:

<limit GET POST PUT>
order deny,allow
allow from 212.54.122.33
deny from all
</limit>

You may need to tweak or combine these various methods to ensure the best security for your folders.

If you get stuck let me know in the comments.

1 Comment

2008-05-07 09:09:35

[...] your reputation as a leader and expert in your industry. Having a valuable company blog, like the BlueFur blog, works in a very similar [...]
