This is usually done by adding the following to your “httpd.conf”…

AddType ‘application/x-httpd-php-source’ .phps

We use the cPanel web hosting control panel and to improve security cPanel recommend using suPHP, which allows PHP scripts to run as a user rather than “nobody”.

This means that adding the above line to “httpd.conf” does not work with suPHP.

So what can be done?

The official word is located in the suPHP FAQ, which says:

Does suPHP support code highlighting by using the “.phps” extension?

suPHP itself has no support for code highlighting. The main reason is that PHP-CGI does not support any input parameter to activate code highlighting. However there is a solution based on a small PHP script and some rewrite rules. You can find the discussion at http://forums.macosxhints.com/archive/index.php/t-23595.html.

So I decided to checkout the suggested link.

I noticed that even though the FAQ suggested using rewrite rules, the forum did not provide any kind of working solution.

Using the PHP code supplied, and a bit of rewrite ingenuity we can get this working as expected.

First, create a file called “phpsource.php”, in this file paste the following code:

<?php
if (substr($_GET['file'],strpos($_GET['file'],’.')) == ‘.phps’) {
highlight_file($_GET['file']);
}
?>

Then, in your “.htaccess”, paste the following code:

RewriteRule ^(.+\.phps)$ phpsource.php?file=$1 [L]

Note: If you don’t already have rewrites turned on in your “.htaccess” file, you will also need the line “RewriteEngine On” at the top.

What this will do is pass all “.phps” files through your “phpsource.php” script, and output a highlighted version.

The benefits of this solution is that it’s portable (will work on any server); it won’t(/shouldn’t) break when you upgrade apache or PHP; it’s pretty secure as it’ll only handle .phps files, as expected; it’s quick and effective.

I’m sure we’re all familiar with URLs that look like this:

http://www.example.com/?nav=page

These type of URLs aren’t particularly “friendly”, they are known as dynamic URLs. As a rule of thumb search engines such as Google don’t like them as much as “static URLs”.

However, Google has recently released an article on this very subject entitled Dynamic URLs vs. static URLs, I recommend you give it a read so you fully understand what we’re talking about.

Google suggests that many search engine crawlers do not like dynamic URLs as much as static URLs.

A “static” or “friendly” version of the above URL could be as follows:

http://www.example.com/page.html

Here’s how it’s done…

Solution 1

Apache’s mod_rewrite can be easily used via a file called “.htaccess” to turn dynamic urls into friendly urls.

Here is an example of how it’s done:

#Turn on the Rewrite Engine
RewriteEngine on
#Set the base path
RewriteBase /
#Check that the lookup isn’t an existing file
RewriteCond %{REQUEST_FILENAME} !-f
#Check that the lookup isn’t an existing directory
RewriteCond %{REQUEST_FILENAME} !-d
#Check that the file isn’t index.php (avoid looping)
RewriteCond %{REQUEST_URI} !^index\.php$
#Force all .html lookups to the index file
RewriteRule (.+)*\.html index.php?nav=$1 [QSA,L]
#Note: QSA=query string append;L=Last, no more rules

This will rewrite all paths ending in “.html” to your index file.

From there, it’s simply a case of tailoring the rewrite to your requirements.

Checkout the mod_rewrite cheat sheet for more help on rewrites.

Solution 2

If you ARE using PHP, a better way might be to just hand over ALL the path information to your “index.php” and handle it from there.

The rewrite to do that looks something like this:

RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^index\.php$
RewriteRule ^(.+)$ index.php/$1 [QSA,L]

As per above this will only rewrite paths that don’t exist.

It doesn’t work out any slower than the above solution, as either way you’re passing it to PHP, and rewrites are fairly slow to begin with.

In your “index.php”, you can parse $_SERVER['PATH_INFO'] (or $_SERVER['ORIG_PATH_INFO']) for the path information. It may be quicker and easier to explode the path by “/”, and find the information you need using a foreach rather than using regex in preg_match.

In this case I will be running FreeBSD 6.0, with bash shell, SSHd, named (bind), httpd (Apache2+PHP4), FTPd (pure-ftpd).

Note: In many cases, if you don’t wish to review the config when adding to it you can do: echo ‘<string>’ >> <file> (ie: echo ‘accounting_enable=”YES”‘ >> /etc/rc.conf)

sshd

• edit /etc/ssh/sshd_config
• Add line “Port 22″ – This is default, BUT change to another port if you want to be even more secure.
• Add line “Protocol 2″ – We don’t want protocol 1, just 2.
• Add line “LoginGraceTime 1m” – If you don’t login within 1 min, it will timeout.
• Add line “PermitRootLogin no” – You should not allow direct root login via ssh, use su.
• Add line “MaxAuthTries 3″ – If you get your login incorrect 3 times, you’re doing something wrong anyway.
• Add line “X11Forwarding no” – You don’t run Xwindows on a server muppet!
• Add line “MaxStartups 15:30:60″ – This means, after 15 concurrent unauthed connections, 30% of connections will be dropped, until it reaches a max of 60, then it’s full.

sysctl

• You can read each current setting by doing sysctl <setting> (ie: sysctl kern.securelevel)
• If you are unsure about using a setting you can use “sysctl -w <setting>” to temporary set, until you next reboot.
• edit /etc/sysctl.conf
• Add line “security.bsd.see_other_uids=0″ – We don’t want users to see each other’s processes.
• Add line “kern.securelevel=1″ – By default it is -1, you don’t need this unless you’re running Xwindows, run at least 0.
• Add line “net.inet.tcp.blackhole=2″ – This will drop ALL tcp packets that are received on a CLOSED port and not reply.
• Add line “net.inet.udp.blackhole=1″ – This will drop ALL udp packets that are received on a CLOSED port and not reply.
• Add line “kern.ipc.somaxconn=1024″ – Default is 128, this means we can have more concurrent connections. If like you me you have plenty of bandwidth, this is best, otherwise if you get attacked, you’ll reach 128 very quickly.
• Add line “net.inet.icmp.icmplim=50″ – Default is 200, you shouldn’t need this many, set it to 50 to reduce the amount of ICMPs sent back per second.
• Add line “net.inet.ip.rtexpire=2″ – Default is 3600, See the FreeBSD handbook: Denial Of Service Attacks.
• Add line “net.inet.ip.rtminexpire=2″ – Default is 10, See the FreeBSD handbook: Denial Of Service Attacks.
• Add line “net.inet.tcp.always_keepalive=1″ – This will help discover dead connections and clears them.
• Add line “net.inet.ip.random_id=1″ – This is optional, but I like the idea. It gives you random PIDs instead of sequential.

This is my “/etc/sysctl.conf”:

security.bsd.see_other_uids=0
kern.securelevel=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
net.inet.icmp.icmplim=50
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.tcp.always_keepalive=1
net.inet.ip.random_id=1

rc.conf

• edit /etc/rc.conf
• Add line ‘portmap_enable=”NO”‘ – You only need this if you’re using NFS, which we’re not.
• Add line ’sendmail_enable=”NO”‘ – This will tell sendmail to only listen on the localhost, it’s not a good idea to leave a mail server open to spam on a shell server.
• Add line ‘nfs_server_enable=”NO”‘ – As above, we don’t need NFS.
• Add line ‘nfs_client_enable=”NO”‘ – Again, no NFS, not even a client.
• Add line ‘accounting_enable=”YES”‘ – This enables process accounting. (You need to do touch /var/account/acct && accton /var/account/acct).
• Add line ‘clear_tmp_enable=”YES”‘ – This will clear the “/tmp” dir at boot time.
• Add line ’syslogd_flags=”-ss”‘ – This stops syslogd from broadcasting on port 514.
• Add line ‘enable_quotas=”YES”‘ – Assuming you’re running a shell server, you want quotas enabled.
• Add line ‘check_quotas=”YES”‘ – This will help keep your users within their quotas.
• Add line ‘ntpdate_enable=”YES”‘ – This will enable ntpdate, which will keep your date/time up-to-date.
• Add line ‘update_motd=”NO”‘ – This will ensure that the FreeBSD details aren’t added to the /etc/motd on each reboot. We don’t want to broadcast this information.
• Check for ‘inetd_enable’ – Set it to NO, or add inetd_enable=”NO”, if it’s not there.
• Check for ‘named_enable’ – Okay, so running named will increase overheads, but if this is a shell box it probably makes sense to run your own dns server as IRC relies a lot on resolving hosts.
• Check for ‘log_in_vain’ – You may have set this based on what you read else where, but I recommend having this as “NO”, because it logs events on non-open ports, which could cause a ddos.

The latter half of my “/etc/rc.conf” looks like this:

inetd_enable=”NO”
linux_enable=”YES”
sshd_enable=”YES”

portmap_enable=”NO”
sendmail_enable=”NO”
nfs_server_enable=”NO”
nfs_client_enable=”NO”
accounting_enable=”YES”
clear_tmp_enable=”YES”
syslogd_flags=”-ss”
enable_quotas=”YES”
check_quotas=”YES”
ntpdate_enable=”YES”
update_motd=”NO”
named_enable=”YES”

Firewall

For a shell server, a firewall may not be required, but for many others it may be required.

• edit /etc/firewall.rules – for a shell server, you can do the following:
  • You need to allow new connections for services on the following ports: 21 (ftpd), 22 (sshd), 53 (dns), 80 (httpd).
  • If you are running any other core services, you will need to open the ports for those too. Remember, the first 1024 ports are reserved for root services.
  • If you run an IRC shell server, you should open a range (ie: 2000-4000) for your users services. (such as eggdrops and psybncs).
  • No other new connections to other ports should be allowed.
  • All other traffic is okay.
• Don’t forget to “chmod 600 /etc/firewall.rules”
• Add line ‘firewall_enable=”YES”‘ – We want a firewall enabled.
• Add line ‘firewall_logging=”YES”‘ – Logging the firewall can be useful.
• Add line ‘firewall_script=”/etc/firewall.rules”‘ – It needs to know where to find the rules. (don’t forget to touch /etc/firewall.rules)

Date and Time

You must ensure your system’s date/time is correct, otherwise SSH may fail and logs will be incorrect.

• As above, ensure you have ‘ntpdate_enable=”YES”‘ in your “rc.conf”.
• For first time use: “touch /etc/ntp.conf && echo /etc/ntp.conf >> server uk.pool.ntp.org prefer && echo /etc/ntp.conf >> driftfile /var/db/ntp.drift”
• Run: ntpdate uk.pool.ntp.org

Login.conf

Using login.conf you can create custom classes for your users giving them all sorts of limits and restrictions.

• edit /etc/login.conf
• If you change the “passwd_format” in the Default class to read “:passwd_format=blf:\”, this will give you blowfish password hashes, for better security, but you need to rebuild your login database by doing: “cap_mkdb /etc/login.conf”, and update all passwords by doing “passwd <user>” as root (check “/etc/master.passwd” all passwords will start with $2 if done correctly), don’t forget to edit /etc/auth.conf to “crypt_default=blf” also. This step isn’t required, but recommended.
• There are lots more options, you need to read the handbook for the “login.conf” file.
• Run “cap_mkdb /etc/login.conf” when you’re done to update the database.

pure-ftpd

Instructions are as follows:

• cd /usr/ports/ftp/pure-ftpd && make install
• cp /usr/local/etc/pure-ftpd.conf.sample /usr/local/etc/pure-ftpd.conf
• edit /usr/local/etc/pure-ftpd.conf (if required)
  • Change “NoAnonymous no” to yes
• /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
• echo ‘pureftpd_enable=”YES”‘ >> /etc/rc.conf

Apache 2

• edit /usr/local/etc/apache2/httpd.conf
• change the “ServerAdmin” line with your email address.
• change the “ServerTokens” line from “Full” to “Prod”, this means only “Apache” will be displayed.
• echo ‘httpd_enable=”YES”‘ >> /etc/rc.conf

oidentd

• echo ‘oidentd_enable=”YES”‘ >> /etc/rc.conf
• edit /usr/local/etc/oidentd.conf
• Ensure the defaults deny everything, and that root has a different reply, ie:

default {
default {
deny spoof
deny spoof_all
deny spoof_privport
deny random
deny random_numeric
deny numeric
deny hide
}
}

user root {
default {
force reply “UNKNOWN”
}
}

Note: You can add a user, if you want to allow spoof for certain users, and allow that.

Files and Permissions

• “find / -perm -2000 -ls && find / -perm -4000 -ls” – This lists binaries that everyone can currently access.
• Use “chmod a-s <file>” to remove access or “chmod o-rwx <file>” to allow just for wheel users.
• “chmod 640 /etc/crontab” – This will allow only root and wheel users to see it. Users don’t need to know what processes are started by cron.
• “chmod 600 /etc/rc.conf” – Users don’t need to access this.
• “chmod 600 /etc/sysctl.conf” – Users don’t need to access this.
• “chmod 0750 /root” – Stops non-wheel users from viewing root files.
• “chmod 640 /var/db/locate.database” – You don’t want all users to see all the files on your system.
• edit /etc/motd – Change this to say what you like.
• “touch /etc/COPYRIGHT” – This will remove the copyright info.

ToDo

• Provide an in-depth example of a firewall script
• Provide details about working with Quotas
• Provide better usage of login.conf

Additional Security

• Try checking system integrity with tripwire.
• Keep things up to date with cvsup.

Resources

• FeeBSD Security Information
• Defcon1 Security Guide
• A basic guide to securing FreeBSD (DALnet)
• Hardening FreeBSD (bsdguides.org)
• Protecting yourself with FreeBSD
• sysctl.conf Sample (Freebsdblog.org)
• Securing FreeBSD (ONlamp.com)
• FreeBSD Security HowTo (windowssecurity.com)
• tris’ FreeBSD setup info
• cPanel FreeBSD Seminar

Final notes

I’ve written this as more of a reference, i’ve more than likely missed a few things, so feel free to add your own comments.

Since most people don’t have direct access to their httpd.conf, the obvious solution was to create a method using mod_rewrite within “.htaccess”. This also allowed it to be setup very easily and quickly.

I have no immediate use for this solution, however I know it will come in very handy in the future.

Someone I know was trying to figure this out earlier today, so I took it upon myself to figure out how to work out a solution for this problem.

After much discussion with #apache @ EFnet, in particular TBF, we came about the following solution.

#Grab the subdomain from the domain
RewriteCond %{HTTP_HOST} ^([^.]+).hm2k.org$
#Make sure the subdomain is not www or example
RewriteCond %{1} !^(www|example)$
#Check if the directory actually exists before we go there
RewriteCond /home/hm2k/public_html/%1 -d
#This stops it from looping
RewriteCond %{REQUEST_FILENAME} !^/home/hm2k/public_html/
#Finally, this is the actual rewrite
RewriteRule (.*) /home/hm2k/public_html/%1/$1 [Last]

Thanks to all those who helped, I hope this comes in useful to someone.

1136331104

Often you will find yourself buying a domain for your project (eg: example.com), however these days to secure the brand you have to buy all the associated domains (eg: example.net, example.org, example.co.uk, example.info, etc).

I then find that visitors will end up entering the sites at different points from different domains, depending on how they find it, or what they have been told.

The problem with this is its confusing, and its confusing for the user. The solution is to decide on one domain name, and focus on that, then simply redirect all traffic from the other domains to your main domain name.

This will also help enforce your brand name by ensuring the user always gets redirected to the correct domain, even if they visit the others by mistake.

In addition to this, Google states “Don’t create multiple pages, subdomains, or domains with substantially duplicate content.“, therefore by redirecting traffic to one domain, rather than having duplicates you stand more chance of your domain not being marked as “bad” by search engines. (Also see What’s a preferred domain?)

On a very similar note, another common problem is the “www.” prefix on domains, sometimes people include when visiting a URL, other times they do not. The problem with this is that “www.example.com” is considered an entirely different domain than “example.com” by search engines. By redirecting traffic that is NONE “www.example.com” we can still continue our focus and maintain our brand name.

How?

One method is using 301 redirects to redirect from other domains, to your main one.

We can do this by using mod_rewrite for Apache or ISAPI_Rewrite for IIS.

Apache mod_rewrite (.htaccess)

RewriteEngine On

RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,QSA,L]

Note: The QSA flag will append the query string to the rewritten URL.

IIS mod rewrite using ISAPI filter (mod_rewrite.ini)

RewriteCond Host: !^www\.example\.com

RewriteRule ^/(.*)$ http://www\.example\.com/$1 [I,RP]

Note: Some find ^(.*)$ works, others find ^/(.*)$ works. I’ll let you decide which to use.