BulletProof Security
[resolved] Some Bulletproof Security Questions & Observations - Redux (15 posts)

  1. BULLSH.com
    Member
    Posted 1 year ago #

    I had posted this outside of the Plugin Forum last night, my bad. So I'm re-posting this here where it belongs...

    Questions and Observations:

    1. What are the typical minimal file permissions for .htaccess and BPS directories/folders for BPS to work without getting write errors? (Writing WP .htaccess files and backup copies for same, ie - xxx.htaccess, under BPS folders.)

    I'm experiencing errors unless I set FILES and FOLDERS to 777. My website belongs to a "user" on the server and the ownership properties of all files and folders (owner & group) for WP are such as "userX userX". Rarely is setting 777 a good thing (almost always bad), but does BPS overcome that potential risk due to the extensive and in-depth use of .htaccess - of and for .htaccess files?

    I may need to do some more experimenting, but when in doubt after trying default 644, I then try 777 and work down from there to where it breaks, finding the minimal setting for things to work. I'm hoping you can save me (and others) the time and hassle of trial and error here... lol

    UPDATE: Since I'm re-posting, just wanted to mention that to get BPS to Turn On by using the buttons Create xxx.htaccess and Activate Security Modes (Activate) to work without coming back with red warning/error messages, I had to:

    A. Figure out which File and Folders to either CREATE or CHMOD to 777.

    B. Then click on each different button to run the lockdown process.

    C. Then apply CHMOD 644 (Files) and 755 (Folders) to re-secure access.

    I believe that the plugin should auto-install those missing directories (bps-backups and master-backups, which by the way, I noticed are outside the plugins folder) and/or the Install Readme clearly state the process and steps to cleanly and easily install the plugin.

    Or, on the BPS landing page, provide a checklist (or a link to it) of things that need to be done to ready the plugin before it can be Turned On (by scanning the installation for missing folders or incorrect permissions for true Activation).

    Then scan again after BPS is fully activated to create another Checklist for file permissions cleanup, ie, change any 777 back to 644/755 as appropriate.

    I realize BPS is quite comprehensive and there is a lot to know over time, but First Things First - That is to get it installed and running quickly without frustration for first time users.

    It's not that I'm a noob or should buy "WP for Dummies", as I've been in Technology for 35 years wearing many different hats (LAN/WAN admin, network and systems engineer, software QA, webmaster, author of mods, etc., just to name a few). I just get frustrated when something doesn't go as it should from a "Finished Product" and I have to dig into it to find out why and fix it. Imagine what the uninitiated neophyte feels like... But that's why I'm posting this - to give a different perspective and some suggestions.

    2. Maintenance Mode. While I see the need and usefulness of it FOR CERTAIN CIRCUMSTANCES, I think that if .htaccess can filter on a specific IP address (I have and only use a static IP) to allow all Admin access and functionality without having to go into Maintenance Mode, that would be preferable to having to go into and out of Maint. Mode to add plugins, etc. My Two Cents.

    I didn't see any examples of why and when Maint Mode should be invoked, just guessing here. Hey! Further reading tells me that Maint Mode is just a way to suspend/redirect the website (to a particular page) while working on it extensively so visitors don't get surprised from weird things happening unexpectedly. Handy, but I would think there are other "Maint Mode" plugins that could or would be easy to turn on/off with more pleasant aesthetics built in, else the redirect page would have to be custom built for a good looking page to match the theme, etc.

    Actually, a good "Countdown" plugin would be perfect for giving the estimated time when the site will be back online after maintenance is expected to be done. Just a thought.

    3. Firewalls. I just read somewhere on your site that BPS (Pro?) now incorporates a Firewall as of version 5.x - How robust is it and how does it compare with OSE Firewall, another plugin that I've come across that is fairly recent and gaining lots of traction in the WP community. Can BPS's firewall be disabled so another (such as OSE Firewall) can be used instead? (Hmm, is it time for a BPS Firewall vs OSE Firewall comparison article, post, or forum topic?)

    4. Finally, what I look for in a good plugin is (A) Does it do what I expect? (B) Does it install and set itself up with minimal input from the user? (C) Does it have really good documentation, links to help, an online Forum, etc. so if I get stuck I can look things up. My first impression of BPS is for:

    A: Yes, 100% - Once I read up on what BPS is and does. And does not do.

    B: Yes, 85% - For me, it did not really turn itself on after activating the plugin. It has to be turned ON after activating, and there were a lot of (okay, just 2, but they were two large Yellow Message areas) warnings of this and that and I had to figure out what it was talking about and there really wasn't much in the way of help and explanations. Hence my very first question above about file and folder permissions, and that I didn't know I had to create certain folders and/or set particular permissions.

    C: Yes, 75% - While all the inline help and Readme buttons were good, there is a need for a REALLY Good INSTALL doc or readme on Steps to Take or Checklist after activation: This is what you want to do, How to do it, and If you get this error message or warning, this is what it means and this is how to fix it.

    Okay, I'm done for now. lol

    Just so you know, I think BPS is awesome. Keep up the great work you're doing here. I'll be getting the Pro version soon. Thanks for listening.

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    1. You obviously have a DSO configured Server. 99% of folks have CGI so unfortunately you are in the other 1% of folks. DSO is problematic for all plugins that write to files and even WordPress itself in general.

    DSO help can be found in the BulletProof Security Forum here: http://forum.ait-pro.com/

    I have been looking at ways to compensate for DSO configured Servers for over a year now and am still continuing to look for a permanent automated solution that actually will work in all the various possible DSO scenarios/configurations/etc....

    2. Maintenance Mode is a BPS stepchild in need of attention. One day it will get some attention again. ;)

    3. I have no idea what the OSE Firewall is, but will look it up and see if it compares to the BPS Pro Plugin Firewall. The BPS Pro Plugin Firewall is 100% effective, impenetrable and incorporates a plethora of Whitelisting tools.

    4. Thanks for your excellent feedback. Very much appreciated.

    If you are considering getting BPS Pro then read this Forum Topic first before making that decision since you have a DSO configured Server.
    http://forum.ait-pro.com/forums/topic/bulletproof-security-pro-compatibility-check-upgrading-from-bps-free-to-bps-pro/

  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I downloaded the OSE Firewall plugin and will put it to the test.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yikes there are several DB queries that are not being filtered with the WordPress prepare function. I cannot test this plugin on a Live site due to this so I will test it on a XAMPP site. That is a bit scary. ;(

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Testing completed.
    The OSE Firewall and the Plugin Firewall cannot be compared to each other because they are very different from each other. They are only generally similar in that they provide website security protection.

  6. BULLSH.com
    Member
    Posted 1 year ago #

    AITpro,

    I have seen time and again the surprise of others at the response times you post replies to questions and inquiries. Let me just say that I AM TOTALLY BLOWN AWAY myself. I've been doing Tech for over 35 years (some of that in Tech and Customer Support - Ever heard of 3Com, Sun Microsystems, Telebit, or Emulex to name a few? I worked for them in years past.)

    Sounds like you have a sleeping bag next to your desktop computer and you don't have a life... lol (Good for us, bad for your night life.)

    Okay, sounds like OSE Firewall is a scratch due to unsafe/unprotected DB queries upon first inspection. Would you mind clarifying the differences and distinctions between the two, as you see them?

    Next, what is DSO, exactly? I googled it and what I found said, "Dynamic Shared Objects" in relation to Apache. I can guess, but I'd rather be educated in what it means to me and how it might impact the use of BPS (I'll read up on the link you provided in the meantime).

    Thanks!

    Chris

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    LOL yeah did many 10,000+ node Computer Network corporate slave drone stints myself in the big leagues in the past 2 decades - Dell, Wellpoint, USPTO, etc etc etc.

    What I have learned from that experience is that if you answer questions as fast as the questions come in then you are always surfing the peak of the wave and not drowning in the whitewash. ha ha ha.

    I like working so 16-18 hour days are fine with me - I like being busy. I can code and answer questions at the same time so I am always making forward progress. ;)

    The primary differences between the Plugin Firewall and the OSE Firewall are these:

    Plugin Firewall - true IP based .htaccess Firewall using a distributed configuration file (.htaccess file). No external access is allowed to the plugins folders and files except for whitelisted conditions/rules/front loading plugin scripts.

    OSE Firewall - IP based php Firewall using php code. I believe this plugin is applying security generally over the entire site and with a finite ruleset of things that are blocked/protected against.

    You can see that you really cannot compare them since they are so different.

    DSO = Dynamic Shared Object: http://httpd.apache.org/docs/current/dso.html

    A very good Layman's explanation: http://boomshadow.net/tech/php-handlers/

  8. BULLSH.com
    Member
    Posted 1 year ago #

    My dedicated server is using the DirectAdmin control panel (other common CP's are Plesk and cPanel). I've been using DA for a couple of years now and love that it is lightweight and gets the job done for my hosting needs - all are my websites or for friends I provide hosting for. (If I really wanted to make money, I'd start my own religion or my own government, as Taxes and Tithes are a great revenue stream. LOL)

    Yet I have recently learned that it is a DSO environment, but while I never had a problem with that, seems it may be significant for BPS. I'm still researching this...

    Any thoughts, anyone?

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    DSO is slightly faster than CGI, but for all the additional headaches that come with DSO that slight difference in speed is just not worth it. I have a lot of custom scripts that would not work correctly on a DSO configured Server so I cannot use it anyway.

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    DSO vs suPHP research

    DSO is faster by default because of the lower CPU usage and PHP runtime is loaded only once.
    DSO is problematic for WordPress because of the file ownership & permissions issues with DSO.
    For Dedicated Hosting the usual security concerns about DSO security in a Shared Hosting environment are not a factor because all files have a single ownership.

    suPHP works well with WordPress
    suPHP is more secure than DSO in a Shared Hosting environment, but in a Dedicated Hosting environment they are almost equal in security, with DSO being slightly more secure in general.
    suPHP runs a higher CPU load usage and PHP runtime is loaded twice. A performance decrease may be noticeable in a Shared environment, but this will not be noticeable for a Dedicated Server.
    CANNOT use an Opcode Cache (such as Xcache or APC) with suPHP. It is strongly recommended that you install a caching plug-in supplement.

  11. BULLSH.com
    Member
    Posted 1 year ago #

    Again, thanks for the speedy reply.

    I will look up the links shortly. Just had another thought (actually, remembered something I installed on my server), and that is I'm using CSF (Config Firewall Server - Site Link) that uses IP Tables and is "A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers."

    I've used it for over a year now and not had any intrusions (though had many attempts that it locked/locks out after meeting customizable threshold triggers). Plus, the DirectAdmin control panel has a Brute Force Monitor for alerting about multiple login attempts for common services (email, ftp, ssh, etc.)

    With CSF, is BPS's Firewall redundant, or good to have as another layer specific for the WordPress application (because it's on port 80 for http(s), while other services reside on their normal/modified ports)?

    Thanks for your time and effort, AITpro. I'm learning things and the discussion is great for others to learn as well.

    Chris

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Server Level Security protection is using the conventional standard approach of blocking by pattern.

    The Plugin Firewall is designed to create a true Firewall for the WordPress plugins folder. Nobody can access your plugins folder externally except for you. You can allow front loading plugin scripts to load unblocked/whitelisted by whitelisting those scripts with the Plugin Firewall Whitelist Tools.

    Let's say for example you installed a plugin that has an exploit in it. The exploit is a coding mistake. The exploit would not be blocked by Server Level protection because the exploit would be at the logic level. The Plugin Firewall on the other hand would not allow the exploit to be possible since the exploitable plugin code would be behind the Plugin Firewall.

    What is redundant is the general htaccess security protection provided in the BPS root and wp-admin htaccess files since these are Server configuration files (distributed configuration files) and your Server Level protection is also at the Server config level.

    The thing you always have to keep in mind is that most things about websites have to be publicly accessible since everything Internet based must be downloadable in order to be viewed by a human. So layers upon layers of the typical standard method of filtering by pattern is optimum, but you can clearly see the obvious difference with the Plugin Firewall. ;)

    The term "firewall" is used very loosely around the block. The BPS Pro Plugin Firewall is a true firewall. ;)

  13. BULLSH.com
    Member
    Posted 1 year ago #

    That's funny...

    The article by Boom Shadow on DSO stated,

    "Functions that require uploading files to the server (such as Auto-updates or Plug-in/Theme installation) will NOT work unless PHP is loaded as a CGI module. This means they will ONLY work with suPHP or FastCGI. This will ensure they are uploaded with the correct ownership & permissions."

    Well, a couple of things. First, I'm using PHP 5.4.x CLI; and second, I'm not having any problem Auto-Updating or installing Plugins or Themes. I am using the plugin "ssh-sftp-updater-support" as I disabled FTP and using only SSH (SFTP) for WP and other server file transfer tasks.

    Still, I think my server is primarily DSO (Apache with mod_php enabled). While BPS may prefer a non-DSO environment to work out of the box (meaning WP Admin's don't have to chmod files/folders manually), now that I understand what is going on, I don't mind having to chmod to 777 to make a change or save for backups, then chmod back to a more secure setting 644/755 after BPS is done. It's the nature of the beast. All I needed was an explanation to know what and why.

    Hmm, wouldn't it be great to be able to auto chmod in BPS as needed on the fly for DSO environments. So if a Username and Password were needed for chmod (to have permissions to do so, ie, user/owner), couldn't the credentials be hashed and stored, then recalled as needed within BPS without ever exposing the plain text username/password? Even further, hash the hash as an added precaution. Just a thought, but there may be implications I'm not aware of.

    I will drop this for now. I promised my wife I would finish painting the kitchen today... Happy Wife, Happy Life! lol

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep you are correct. If you have the correct ownership permissions setup or file permissions relevant to DSO then yep auto-updates will work fine, but as you experienced with BPS when it comes to actually accessing and writing to files you needed to change things at the file/folder level.

    This is not isolated to BPS. Any plugin that requires file/directory access and write would also be prevented from functioning normally due to DSO standard permissions and ownership. Most plugins do not need write access to files and have database options instead or do whatever they do at the website page level.

    CHMOD does not apply with DSO in regards to file ownership. CHOWN would be what is needed, but I have tried messing around with that for over a year and have not found a working solution to compensate for DSO Servers yet. I hate to say it, but the ratio is 99% to 1% so DSO development gets bumped all the time since it is in a lower priority category. Some day I will figure out a working solution.
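An added illustration (not code from BPS or from anyone in this thread) of the permission arithmetic behind posts 10 and 14: under DSO (mod_php) PHP runs as the web server user, under suPHP it runs as the file owner, so the same 644 file is writable in one case and not the other, and the fix is either a wider mode or a chown. The user names, file modes and the `php_principal` helper are constructed for the example.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o644


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset


def php_principal(handler: str, web_user: str, site_user: str) -> Principal:
    """Which Unix identity PHP writes files as (assumption: DSO = web server
    user, suPHP = the site owner), as described in the thread."""
    if handler == "dso":
        return Principal(web_user, frozenset({web_user}))
    if handler == "suphp":
        return Principal(site_user, frozenset({site_user}))
    raise ValueError(f"unknown PHP handler: {handler}")


def can_write(f: FileInfo, p: Principal) -> bool:
    """Standard POSIX rule: owner bits if p owns the file, group bits if p is
    in the file's group, otherwise the 'other' bits."""
    if p.user == f.owner:
        return bool(f.mode & stat.S_IWUSR)
    if f.group in p.groups:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)


def minimal_writable_mode(f: FileInfo, p: Principal) -> int:
    """Smallest mode change (one extra write bit, not 777) that lets p write."""
    if p.user == f.owner:
        return f.mode | stat.S_IWUSR
    if f.group in p.groups:
        return f.mode | stat.S_IWGRP
    return f.mode | stat.S_IWOTH


def chown_fix(f: FileInfo, p: Principal) -> FileInfo:
    """The CHOWN route from post 14: hand the file to the PHP identity."""
    return FileInfo(owner=p.user, group=f.group, mode=f.mode)


if __name__ == "__main__":
    # Constructed sample: WP site files owned "userX userX", default 644.
    htaccess = FileInfo("userX", "userX", 0o644)
    dso = php_principal("dso", "apache", "userX")
    suphp = php_principal("suphp", "apache", "userX")
    print("DSO writable:", can_write(htaccess, dso))        # False
    print("suPHP writable:", can_write(htaccess, suphp))    # True
    print("DSO needs mode:", oct(minimal_writable_mode(htaccess, dso)))  # 0o646
    print("DSO after chown:", can_write(chown_fix(htaccess, dso), dso))  # True
```

The point for a DSO site: the bit BPS actually needs is write access for the web server identity, which 646 on the specific file (or a chown) grants without opening everything to 777.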

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    But with that said this is pretty cool.

    DSO Folks ONLY: The really neat thing about the Plugin Firewall for DSO folks. Since DSO folks have to decrease file permissions and / or ownership permissions then the Plugin Firewall completely protects the /plugins folder based on an IP address/your IP address. So what this means is that whether or not your file permissions or folder permissions are 777 or you have to change your ownership permissions in your /plugins folder – NO ONE is getting into the /plugins folder except for you/your IP address.
    You can selectively ONLY change file permissions or you can change entire folder permissions or you can change ownership permissions safely in the /plugins folder. The Plugin Firewall blocks external/remote access to the /plugins folder from everyone except you.

Topic Closed

This topic has been closed to new replies.
