Lunarpages Web Hosting Forum

Author Topic: RFC regarding my security system  (Read 1354 times)

Offline Sentix

  • Newbie
  • *
  • Posts: 5
RFC regarding my security system
« on: July 29, 2003, 03:44:35 PM »
I figured I'd float a line out to see if anyone could give me advice or suggestions on improving the security of my webpage... the goal is for this thing to be fort knox to anyon who isn't welcome.


Initial contact:
   Obviously still in the works is my goal of blocking whole swathes of low-grade hackers and unwanted guest by isolating incoming traffic only to Japan and the USA.

Login:
   mydomain.org/index.php
   If they get this far all they see is a form with two sections.  Account activation and a user/password label & textbox combo.  If they submit anything using the User & password inputs their immediately redirected to a script that blocks their specific IP address for for 30 minutes then in sets of 15 after that.

PHP scripts:
    All incoming data from outside is run through a corresponding data validation and assertion function. I've written one for every form of data type PHP has.  Function arguments is the variable coming from outside of PHP ($_GET, $_PUT) plus an acceptable range.   If the outside variable comes back outside of this range, an event log entry is written to a MySQL database then on the IpCon database which keeps a active list of all active connections within a 24 period, it decrements a counter for acceptable mistakes.  When that counter reaches zero... yup the offending IP is disconnected.


Web site structure:
    All pages are *.php with a access control header tag plus I am using the cPanel hot-linking session system.  So if someone tries to enter the website by typing in random directories or pages... Eventually their IP address will be ignored for a interval of 30 minutes.

User privacy:
    The only data stored on site about a user is their nickname, site preferences, and a email address.  Real names & identification is kept on a remote computer hooked up to a modem.


Lastly, I was considering using a weak encryption system for all communication between remote and server but in hindsight I decided that was a little bit to paranoid.


The only thing I haven't figured out how to do yet is make the database control php files chmod'd so only the webserver and php can read it.  Right now all DB activity is cornered into two objects located inside of one php file that uses code obfusication to hide the passwords.  As it is, I've changed the permissions so the file can only be read and nothing else.

Well I think I am getting close to going overboard on security but you can never have enough protection because these days it seems like all it takes is to miss one angle of system entry and the full thing's toast.

Sincerely,
    Sentix