Tag Archives: Security

Protecting against data loss and hard disk failure with backups

If I had a pound for every time a customer, friend or family member told me their hard disk had failed, or that they had been infected with the latest uber-virus and their PC had since developed a serious personality disorder, then I would be rich! Well, I’d probably be able to afford a good meal out. It’s one of the reasons for those T-shirts that say “No, I won’t fix your computer”. Nobody wants to see people suffer, but the number of times geeks get asked to fix people’s computers is nothing short of – well, unfair!

In an attempt to preserve my sanity, and hopefully that of the unfortunate victims of fate above, I am going to write about a few ways in which you can provide yourself with some disaster recovery (or DR as we like to call it in the trade) insurance. I can’t state how strongly I urge you to read this and do something about it. A good DR plan is like a parachute – life is infinitely sweeter to have one and not need it, than to need it, and not have one!

The NHS SCR Summary Care Record Scandal – Why Opt Out

If you are concerned by the piece of paper that recently came through your door regarding the Summary Care Record the NHS want to computerise, then this article is for you. If you are concerned that the NHS might not be equipped to keep your information secure, then this article is for you. If you are worried that your personal data might fall into the wrong hands by being left on a laptop on the back seat of a car in a public car park, then this article is for you!

It is no secret within the industry that the NHS has a poor record of data security. ICO (Information Commissioner’s Office) deputy commissioner David Smith has now singled out the National Health Service (NHS) as being the worst in the UK when it comes to breaches in data security. It comes as little surprise to me. Several years’ experience in an NHS Health Authority (later PCT) I.T. department exposed me to staggering lapses in security of patient data, and the complacency of senior management when concerns were voiced.

Bash Script to scan folders and PHP files for bad permissions

This script will run through all cPanel user account home directories and recursively do the following:

  • check for directories that have the write bit set for group(g) or other(o) – and reset any found to 755 permissions.
  • check for any files with the .php extension and that have any access bits at all allowed for other (o), write/execute bits set for group(g), or execute bit set for user(u) – and reset any found to 640 permissions.

It is quite easy to modify for your own purposes, but these permissions are generally a good starting point on a server running PHP with the suPHP module (THIS WILL BREAK EVERYTHING IF YOU ARE RUNNING PHP AS DSO).
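
The two checks described above, written out as an added example (this is not the script from the post). It reports by default and only changes modes when "apply" is given; the /home base directory and the function names are assumptions.

```bash
#!/bin/sh
# Added example, not the post's script. Report mode is the default;
# pass "apply" to actually chmod. The /home base is an assumption.

# Directories with the write bit set for group or other.
# Extra arguments are appended as the find action (-print, -exec ...).
loose_dirs() {
    _root=$1; shift
    find "$_root" -type d \( -perm -020 -o -perm -002 \) "$@"
}

# *.php files carrying any bit beyond 640: user execute, group
# write/execute, or any read/write/execute bit for other.
loose_php() {
    _root=$1; shift
    find "$_root" -type f -name '*.php' \
        \( -perm -100 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) "$@"
}

# fix_perms ROOT [apply]
# -type d and -type f never match symlinks, so chmod is not redirected
# through a link planted inside an account's home directory.
fix_perms() {
    loose_dirs "$1" -print | sed 's/^/DIR /'
    loose_php  "$1" -print | sed 's/^/PHP /'
    if [ "${2:-report}" = apply ]; then
        loose_dirs "$1" -exec chmod 755 {} +
        loose_php  "$1" -exec chmod 640 {} +
    fi
}

# scan_homes [BASE] [apply]: run fix_perms on every directory under BASE.
scan_homes() {
    for _home in "${1:-/home}"/*/; do
        [ -d "$_home" ] || continue
        fix_perms "${_home%/}" "${2:-report}"
    done
}

# Usage (nothing runs until one of these is called):
#   scan_homes /home          # list what would change
#   scan_homes /home apply    # reset to 755 / 640
```

Reviewing the report output before running with "apply" shows exactly which upload or cache directories will lose group/other write access.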

Prevent Modsec_Audit.log filling up with HTTP 200 OK

Modsec is an enormous benefit in terms of catching many of the security holes created by bad PHP programming in your user accounts. However, on a busy server, you will find that the majority of the audit log (and the bulk of the entries it dumps into MySQL) will be for things that you really don’t want to see. These logs, particularly the MySQL table, can grow to gigabytes in size, so it’s something I like to keep in check.

Obviously, there ARE some attacks which may still result in a 200 response, and therefore won’t be logged, so be warned. However, this measure is easy to implement and remove at will. I suspect that if an attack managed to penetrate your server, regardless of it only triggering 200 responses, then the least of your worries is going to be looking through the modsec logs (if you have a server left at all!)

In the modsec2.conf file, usually found in /usr/local/apache/conf/modsec2.conf you need to make sure the following directives are in place. You will likely have many more directives in your conf file, but here I am just showing the ones you need to control the logging levels.

<IfModule mod_security2.c>
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[345]"
</IfModule>

Basically, SecAuditEngine RelevantOnly tells modsec to audit only the transactions it deems relevant. The ^[345] is just a little regex that says “only match anything that starts with 3, 4 or 5” – so this would only log anything in the 300 – 599 range.

This can drastically reduce the amount of unwanted material in the log.
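
To see what the status filter would keep and drop on your own traffic before changing the config, the following added example (not from the post) applies the same regex to an Apache access log. The sample lines are constructed, the function names are assumptions, and it models only the status-code test: RelevantOnly also audits any transaction in which a rule raised a warning or error, whatever the status.

```bash
#!/bin/sh
# Added example, not from the post. Sample lines are constructed
# (Apache combined log format, documentation IP ranges).
sample_log() {
cat <<'EOF'
203.0.113.5 - - [10/Mar/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:10:00:03 +0000] "GET /logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:10:00:04 +0000] "GET /missing.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:10:00:05 +0000] "POST /contact.php HTTP/1.1" 500 640 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2010:10:00:06 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2010:10:00:07 +0000] "GET /admin/ HTTP/1.1" 403 290 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2010:10:00:08 +0000] "GET /video.mp4 HTTP/1.1" 206 9000 "-" "Mozilla/5.0"
EOF
}

# audit_estimate REGEX < access_log
# Splits each line on double quotes so the status is the first token after
# the request line, even when the request line is not the usual three
# tokens (a request containing an escaped quote is still miscounted).
audit_estimate() {
    awk -F'"' -v re="$1" '
        { split($3, f, " "); st = f[1]; n[st]++
          if (st ~ re) kept++; else skipped++ }
        END {
          printf "audited=%d skipped=%d\n", kept, skipped
          # Break the skipped side down by status code.
          for (s in n) if (s !~ re) printf "skipped %s x%d\n", s, n[s]
        }' | sort
}

# Usage: audit_estimate '^[345]' < /path/to/access_log
```

The first output line is the audited/skipped split; the remaining lines list each status code that would no longer be audit-logged on status alone.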

As always, do not test this in a production environment!

Microsoft Internet Explorer 8 – Just plain sucks

I’m sorry, I’m not normally given to outbursts like this. For years I, like every web developer out here, have had to battle with the big E. It’s one thing to have to write code to make a web browser do what you want – that’s part of the job. But then we all have to make it work in IE6, IE7, or older – two truly horrible web browsers, whose crummy standards compliance is nothing short of depressing. I’m not sure of the exact figures, but I think most developers would agree that if it took 8hrs to create your web application, then it’s not uncommon for more than 2 of those hours to be spent simply fixing bugs in Internet Explorer.