

Solved protect your website for attackers

zwx_exploiter

New Member
Joined
Sep 18, 2019
Messages
0
Reaction score
4
Points
2
Age
31
Location
anonymous
DS Credits
226D$
For several years now I have been observing how the tendency for hacks for sites is growing. Hundreds of thousands of sites have suffered from hacks, and millions of sites are susceptible to attacks.
I decided to share the developments that have already been in the SECURED DLE release for a year and ensure the normal operation of the site without loss of information. Many will condemn me for this patch, since for some I will ruin their business by greatly complicating the hack. This operating time is suitable for almost any site where there is PHP. I do not hold a grudge against those who do not believe in the release's security. And so I'll tell you how to protect yourself from shells, SQL injection, PHP injection and XSS. First I'll introduce my module; you need to connect it before connecting to the database.

Code:
You don't have permission to view the code content. Log in or register now.
Code:
You don't have permission to view the code content. Log in or register now.
The module checks all GET and POST requests and, if it finds bad ones, it blocks them, preventing the requests from leaving the database or beyond.

Next, we need to protect ourselves from shells on the site.
We need to edit php.ini and disable the following functions:

Code:
You don't have permission to view the code content. Log in or register now.
The shells successfully use these functions. It is necessary to disable the functions at the server level, since if you are on hosting, the shells can work on a neighboring account, which can lead to hacking. Hope this one will help all developers.
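
An added example, not part of the original post (whose code is hidden on this page): a Python check that reads a php.ini and reports which command-execution functions it still leaves callable. The `BASELINE` list, the sample files and the helper names are assumptions made for this illustration.

```python
import re

# Assumed baseline: PHP functions that run OS commands. The post's own list is
# hidden on the page, so this set is an illustration, not the author's.
BASELINE = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")

# Constructed sample php.ini contents (not from a real server).
WEAK_INI = """\
[PHP]
engine = On
;disable_functions = exec,shell_exec,system,passthru,popen,proc_open
disable_functions = exec, System   ; partial list
"""
HARDENED_INI = """\
[PHP]
disable_functions = "exec,shell_exec,system,passthru,popen,proc_open"
"""

def disabled_functions(ini_text):
    """Return the set named by the last uncommented disable_functions line.

    Assumption of this checker: a later assignment replaces an earlier one.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
            # PHP function names are case-insensitive, so normalise to lower.
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled

def still_enabled(ini_text, baseline=BASELINE):
    """Baseline functions that the file leaves callable, sorted."""
    return sorted(set(baseline) - disabled_functions(ini_text))

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, "->", still_enabled(text) or "all baseline functions disabled")
```

The check targets the server-level file because `disable_functions` cannot be changed from `.user.ini` or `ini_set()`.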
 

whattheduck

New Member
Joined
Jan 25, 2020
Messages
3
Reaction score
4
Points
11
Age
44
Location
AU
DS Credits
300D$
Why don't I have permission to view the code content?
 

sparky94320

Member
Joined
Apr 20, 2020
Messages
5
Reaction score
4
Points
8
Age
29
Location
Paris
DS Credits
138D$
Same for me, can't view the code.

For protecting your website you have multiple technical considerations to take into account, and after that it may not be enough; nothing is perfect.
Read some docs, follow the rules, control internal/external connections on your server, allow only IP/cert auth/2-way auth, scan software for security breaches.

Free services for DDoS protection also exist.

Depending on your activities, your attacker may target you in many ways.
 

rainbowgirl42

New Member
Joined
Apr 23, 2020
Messages
2
Reaction score
2
Points
8
Age
31
Location
Australia
DS Credits
192D$
You can just install ModSecurity on Apache or Nginx. ModSecurity is a WAF that does exactly what you want. Doing it through php.ini or doing it from a module that you created that isn't maintained or tried and tested isn't the best way of doing things.
 

drfuture

Member
Joined
Jan 26, 2021
Messages
1
Reaction score
4
Points
8
Age
100
Location
Saturn, East
DS Credits
0D$
Another idea is to filter the IPs that are able to browse your site.
For sites that are only important for users from countries x, y, z, I sometimes used the IP ranges exported from public IP databases to limit access via .htaccess to these IP ranges.
It could hurt users with special VPNs, but after this action I was able to use forms without captcha ;)
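
An added example, not part of the original post: a Python helper that turns an exported range list into Apache 2.4 `Require ip` lines for `.htaccess`, merging adjacent ranges and rejecting entries that would break or silently open the allowlist. The export format (CIDR or `start-end`, `#` comments), the sample data and the function name are assumptions.

```python
import ipaddress

# Constructed sample of an exported range list (documentation prefixes only).
SAMPLE_EXPORT = """\
# country X (constructed)
192.0.2.0/25
192.0.2.128/25
198.51.100.0-198.51.100.255
203.0.113.7/24
0.0.0.0/0
2001:db8::/32
"""

def build_allowlist(export_text):
    """Return (htaccess_lines, rejected_entries) for Apache 2.4 mod_authz_host."""
    nets = {4: [], 6: []}
    rejected = []
    for raw in export_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "-" in entry:  # "start-end" form
                first, last = (ipaddress.ip_address(p.strip())
                               for p in entry.split("-", 1))
                parsed = list(ipaddress.summarize_address_range(first, last))
            else:  # CIDR form; strict=True rejects entries with host bits set
                parsed = [ipaddress.ip_network(entry, strict=True)]
        except (ValueError, TypeError):
            rejected.append(entry)
            continue
        if any(n.prefixlen == 0 for n in parsed):
            rejected.append(entry)  # a /0 would silently allow everyone
            continue
        for n in parsed:
            nets[n.version].append(n)
    # Merge adjacent and overlapping ranges per address family.
    merged = [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]
    if not merged:
        raise ValueError("no usable ranges; refusing to write an empty allowlist")
    return [f"Require ip {n}" for n in merged], rejected

if __name__ == "__main__":
    lines, bad = build_allowlist(SAMPLE_EXPORT)
    print("\n".join(lines))
    print("rejected:", bad)
```

Multiple `Require` lines outside a container are combined as "any of", so the generated lines can be pasted into `.htaccess` as they are; review the rejected entries rather than discarding them.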
 