[Tutor] Beri Sedikit Polesan Server Anda Pada Hosting Dgn Cpanel [Full Tips]

[wahyu_devilzc0de™]

Assalamu'alaikum, sobat devilzc0der . Salam sejahtera

Pada bagian ini, ane sedikit berbagi tips bagaimana membuat server anda lebih joss dalam melindungi web2 anda dari serangan sesuatu , ok langsung aja.

skenario:
Di asumsikan ane sudah punya cpnel dan dengan mudah menginstall software web, seperti joomla,mybb,wp dll. Di sini ane memakai joomla sebagai contoh saja,

Pertanyaan:
Gimana sih, agak server itu aman, "intinya gak ada server yang aman" , Nah paling ndak kita ada usaha sedikit untuk mempolesnya.!!!

TKP:
1. create atau add domain pada path

Code:

/home/user/webku

diatas untuk menghindari jumping. nah, intinya jangan tepat pat /public_html

2. installasi software, ane di sini contohken joomla, setelah terintah jangan lupa chmod folder2 rawan uploading shell, ex: component,plugins,templates,images,modules,language atau tempat2 yang di kiranya sebagai ajang upload shell di sini ane chmod 777, dan nanti kita buktiken nanti hasilnya.


3. minimalisiken templates joomla sedemikian rupa, "sesuai kebutuhan" ex: ane cuma butuh 1 aja, dan sudah full design dan cantik


4. beri sedikit php ini, untuk lebih sesuatu lagi "safemode=on dan disable_function" semakin joss,
berikut server yang sudah di beri racikan polesan

Spoiler for: buka

jika sobat butuh php.ini yang sesuatu untuk lebih secure, monggo:

Code:

[PHP]
engine = On
short_open_tag = On
asp_tags = Off
precision    =  12
y2k_compliance = On
output_buffering = Off
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func=
serialize_precision = 100
allow_call_time_pass_reference = On
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir =                                
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
; open_basedir = On
disable_functions = "system, exec, readfile, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, popen, pclose, dl, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setsid, posix_setuid, posix_setpgid, ini_alter, show_source, define_syslog_variables, symlink, syslog, openlog, openlog, closelog, ocinumcols, listen, chgrp, apache_note, apache_setenv, debugger_on, debugger_off, ftp_exec, dll, ftp, myshellexec, socket_bind, fpassthru, dl"
disable_classes =
expose_php = Off
max_execution_time = 30     ; Maximum execution time of each script, in seconds
max_input_time = 60    ; Maximum amount of time each script may spend parsing request data
memory_limit = 16M      ; Maximum amount of memory a script may consume (32MB)
error_reporting  =  E_ALL & ~E_NOTICE
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
;html_errors = Off
error_log = error_log
variables_order = "EGPCS"
register_globals = On
register_argc_argv = On
post_max_size = 8M
gpc_order = "GPC"
magic_quotes_gpc = On
magic_quotes_runtime = Off    
magic_quotes_sybase = Off
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
;default_charset = "iso-8859-1"
include_path = ".:/usr/lib/php:/usr/local/lib/php"
doc_root =
user_dir =
extension_dir = "/usr/local/lib/php/extensions/no-debug-non-zts-20060613"
zend_extension="/usr/local/IonCube/ioncube_loader_lin_5.2.so"
zend_extension_ts="/usr/local/IonCube/ioncube_loader_lin_5.2_ts.so"
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
extension="suhosin.so"
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
allow_url_fopen = On
default_socket_timeout = 60
[Syslog]
define_syslog_variables  = Off

[mail function]
smtp_port = 25
sendmail_path = "/usr/sbin/sendmail -t -i"

[SQL]
sql.safe_mode = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1  
odbc.defaultlrl = 4096  
odbc.defaultbinmode = 1  

[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 60
mysql.trace_mode = Off

[mSQL]
msql.allow_persistent = On
msql.max_persistent = -1
msql.max_links = -1

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[Sybase]
sybase.allow_persistent = On
sybase.max_persistent = -1
sybase.max_links = -1
sybase.min_error_severity = 10
sybase.min_message_severity = 10
sybase.compatability_mode = Off

[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10

[dbx]
dbx.colnames_case = "unchanged"

[bcmath]
bcmath.scale = 0

[browscap]
;browscap = extra/browscap.ini

[Informix]
ifx.default_host =
ifx.default_user =
ifx.default_password =
ifx.allow_persistent = On
ifx.max_persistent = -1
ifx.max_links = -1
ifx.textasvarchar = 0
ifx.byteasvarchar = 0
ifx.charasvarchar = 0
ifx.blobinfile = 0
ifx.nullformat = 0

[Session]
session.save_handler = files
;session.save_path = /tmp
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor     = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatability_mode = Off
;mssql.connect_timeout = 5
;mssql.timeout = 60
;mssql.textlimit = 4096
;mssql.textsize = 4096
;mssql.batchsize = 0
;mssql.datetimeconvert = On
mssql.secure_connection = Off
;mssql.max_procs = 25

[Assertion]
;assert.active = On
;assert.warning = On
;assert.bail = Off
;assert.callback = 0
;assert.quiet_eval = 0

[Ingres II]
ingres.allow_persistent = On
ingres.max_persistent = -1
ingres.max_links = -1
ingres.default_database =
ingres.default_user =
ingres.default_password =

[Verisign Payflow Pro]
pfpro.defaulthost = "test-payflow.verisign.com"
pfpro.defaultport = 443
pfpro.defaulttimeout = 30
;pfpro.proxyaddress =
;pfpro.proxyport =
;pfpro.proxylogon =
;pfpro.proxypassword =

[com]
;com.typelib_file =
;com.allow_dcom = true
;com.autoregister_typelib = true
;com.autoregister_casesensitive = false
;com.autoregister_verbose = true

[Printer]
;printer.default_printer = ""

[mbstring]
;mbstring.language = Japanese
;mbstring.internal_encoding = EUC-JP
;mbstring.http_input = auto
;mbstring.http_output = SJIS
;mbstring.encoding_translation = Off
;mbstring.detect_order = auto
;mbstring.substitute_character = none;
;mbstring.func_overload = 0

[FrontBase]
;fbsql.allow_persistent = On
;fbsql.autocommit = On
;fbsql.default_database =
;fbsql.default_database_password =
;fbsql.default_host =
;fbsql.default_password =
;fbsql.default_user = "_SYSTEM"
;fbsql.generate_warnings = Off
;fbsql.max_connections = 128
;fbsql.max_links = 128
;fbsql.max_persistent = -1
;fbsql.max_results = 128
;fbsql.batchSize = 1000

[Crack]

[exif]
;exif.encode_unicode = ISO-8859-15
;exif.decode_unicode_motorola = UCS-2BE
;exif.decode_unicode_intel    = UCS-2LE
;exif.encode_jis =
;exif.decode_jis_motorola = JIS
;exif.decode_jis_intel    = JIS
extension=pdo.so
extension=pdo_sqlite.so
extension=sqlite.so
extension=pdo_mysql.so


[Zend]
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
zend_optimizer.version=3.3.3




zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so

save as php.ini kemudian chmod 444

5. seditikit polesan .htaccess untuk melindungi config dari symslink

Code:

Redirect 301 /configuration.php http://youtube.com

intinya, kita ada orang yg akan symslink, nah ketika akan meliatnya maka ada di redirect ke youtube.com, save ke .htaccess

6. demo, testing hasil folder2 yang telah kita chmod tadi, dengan 777, asumsikan di dir itu shell si anu .
file upload ane:

Code:

http://wahyu.jkrtenteramelaka.gov.my/templates/rhuk_milkyway/upload.php
dan
http://wahyu.jkrtenteramelaka.gov.my/images/upload.php

pasti akan muncul pesen :

Quote:Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@wahyu.jkrtenteramelaka.gov.my and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

kok sesuatu banget yah

7. ndak ada server yang sempurna sekuritinya, dan usahalah untuk pencegahan dari semua itu, laen kata" ndak ada penyakit yang sembuh tanpa kita obati dan usaha"

Semoga ini dpt bermanfaat bagi sobat2 ane semua,

Salam devilzc0der

Wassalamau'alaikum.

[tabun]

keren abis...
omz wahyu keren nih...

Spoiler:

Code:

http://wahyu.jkrtenteramelaka.gov.my/

[rusuh]

joss mas
mencegah emg lebih baek daripada mengobati
jangan sampe database ilang dah kena symlink orang

[wahyu_devilzc0de™]

(01-07-2012 12:48 PM)tabun Wrote:  keren abis...
omz wahyu keren nih...

Spoiler:

Code:

http://wahyu.jkrtenteramelaka.gov.my/

hehehe, saya padamu mas

(01-07-2012 12:50 PM)rusuh Wrote:  joss mas
mencegah emg lebih baek daripada mengobati
jangan sampe database ilang dah kena symlink orang

ho'oh, monggo2 semoga semakin sesuatu

[Super Moderator]

wah,kk wahyu udah pinter buat website ya sekarang?
nympe security servernya kyk gitu
bagi2 project kk,kalo build web,kali aja dapet uang saku lebih

[wahyu_devilzc0de™]

(01-07-2012 01:14 PM)linuxer46 Wrote:  wah,kk wahyu udah pinter buat website ya sekarang?
nympe security servernya kyk gitu
bagi2 project kk,kalo build web,kali aja dapet uang saku lebih

aku kui iso opo toh xer xer, ket biyen mung tukang turu, trus kuliah mung nyimak duduk paling mburi, trus molor ,

[CitooZz]

thanks om wahyu

buru2 benerin site

[Super Moderator]

(01-07-2012 01:16 PM)wahyu_devilcode Wrote:  

(01-07-2012 01:14 PM)linuxer46 Wrote:  wah,kk wahyu udah pinter buat website ya sekarang?
nympe security servernya kyk gitu
bagi2 project kk,kalo build web,kali aja dapet uang saku lebih

aku kui iso opo toh xer xer, ket biyen mung tukang turu, trus kuliah mung nyimak duduk paling mburi, trus molor ,

ah kk bisa aja
sekarang udah banyak project

[wahyu_devilzc0de™]

(01-07-2012 01:18 PM)CitooZz Banditozz Wrote:  thanks om wahyu

buru2 benerin site

monggo kang citoz, cendol jg gak nolak

(01-07-2012 01:19 PM)linuxer46 Wrote:  ah kk bisa aja
sekarang udah banyak project

hehehe ayam bakar wong jowo enak ya xer

[Killu4]

Wow full of tips,Nice banget dah om