Author: DigTek

Secure .git Folders

  How to Secure Your .git Folders (Apache)
To check whether your .git folder is public, request it in a browser, for example: https://yourdomain.com/.git/
If you are presented with a directory listing, the .git folder is exposed to the internet and you should use one of the following methods to prevent public access to this sensitive information. A missing listing is not proof of safety, however: with directory indexes disabled the individual files, such as https://yourdomain.com/.git/HEAD, can still be downloaded, and those files are exactly what repository-dumping tools fetch, so request that file as well. Both methods below avoid revealing that the folder exists at all: instead of a 403 (which confirms there is something to protect) they answer with a 404 error.

  Create a Redirect using .htaccess  
Create or edit the file .htaccess in the DocumentRoot of your site (the directory that contains the exposed .git folder, typically /var/www/html) and add this line:

RedirectMatch 404 /\.git

The backslash matters: it makes the dot literal, so the pattern matches /.git (and /.gitignore) anywhere in the request path but not unrelated paths that merely contain "git". RedirectMatch is provided by mod_alias, which is enabled by default, and it is only honoured in a .htaccess file when the directory's AllowOverride setting includes FileInfo (or All). Because .htaccess files are read on every request, the rule takes effect as soon as the file is saved; reloading Apache is harmless but not required:

systemctl reload apache2

Depending on your preference or access to the server, another method is to add the redirect to the Apache configuration itself.

  Create a Redirect using Apache  
To create this redirect you will need to edit the Apache configuration. If the package installer was used on Debian / Ubuntu systems, the server-wide file is /etc/apache2/apache2.conf; the same line can instead go into a site's virtual host file under /etc/apache2/sites-available/ if the rule should apply to one site only. Add the line below with a text editor (again with the dot escaped, so that the rule does not fire on every path containing "git"):

RedirectMatch 404 /\.git

Check the configuration for syntax errors with apache2ctl configtest, then reload Apache to apply the change and activate the redirect:

systemctl reload apache2
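The following script is an added example, not code from the original page or from DigTek. It checks for an exposed .git directory the way an attacker's tooling does, by requesting /.git/HEAD and /.git/config rather than relying on a directory listing, and reports whether each file is served, hidden with a 404 (what the RedirectMatch rules above produce) or blocked in some other way. It assumes curl is installed; the host name given on the command line is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original page): probe a site for an
# exposed .git directory. Assumes curl; the host argument is a placeholder.

# Classify the body returned for /.git/HEAD. A real HEAD file is either
# "ref: refs/heads/<branch>" or, when detached, a bare commit id
# (40 hex chars for SHA-1 repositories, 64 for SHA-256). Anything else is
# an error page or a placeholder and is treated as "not a git file".
is_git_head() {
    case "$1" in
        "ref: refs/"*) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{40}|[0-9a-f]{64})[[:space:]]*$'
}

# Classify the body returned for /.git/config: git writes the [core]
# section first, so a served config file starts with it.
is_git_config() {
    case "$1" in
        "[core]"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch one path without following redirects (a redirect to a login page
# must not be mistaken for the file) and print one classification line.
probe_path() {
    host=$1; path=$2; classify=$3
    tmp=$(mktemp)
    status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
        "https://$host/$path") || status=000
    body=$(cat "$tmp"); rm -f "$tmp"
    if [ "$status" = "200" ] && "$classify" "$body"; then
        echo "EXPOSED $path"
    elif [ "$status" = "404" ]; then
        echo "HIDDEN  $path"
    else
        echo "BLOCKED $path (HTTP $status)"
    fi
}

# HEAD exists in every repository; config confirms it is a real checkout
# and often leaks remote URLs (sometimes with embedded credentials).
probe_git() {
    probe_path "$1" .git/HEAD is_git_head
    probe_path "$1" .git/config is_git_config
}

# Usage: sh gitprobe.sh yourdomain.com
if [ $# -ge 1 ]; then
    probe_git "$1"
fi
```

Run it before and after adding the RedirectMatch rule: any "EXPOSED" line means the repository can be reconstructed remotely and the history, including any committed secrets, should be treated as disclosed.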

Secure phpMyAdmin

  How to Secure Your phpMyAdmin Installation (Apache)
The first step in securing phpMyAdmin is to change the default directory Alias/Symlink that is used to serve phpMyAdmin.
By default, any user can access phpMyAdmin if they visit the expected URL: https://yourdomain.com/phpmyadmin/

This poses a security risk as attackers are aware of that URL and can access it without restriction.
To avoid this, take the following actions to create a new Alias and change the URL where phpMyAdmin is found.

  Change the phpMyAdmin Folder Alias  
Open the file /etc/phpmyadmin/apache.conf with a text editor and find the Alias line; the default looks like this:

Alias /phpmyadmin /usr/share/phpmyadmin

  • If the ServInfo Client is installed, it will detect the insecure URL and generate a random token for this purpose.
  • This token, if used, allows ServInfo to provide a link to the new phpMyAdmin URL in the Client and Dashboard.
  • It is recommended to append the phpmyadmin Alias with characters from a random string generator, as shown below (f73r862b is only an example; generate your own value rather than reusing it):

Alias /phpmyadmin-f73r862b /usr/share/phpmyadmin
    

     
Once the Alias has been updated, save, exit your editor and reload Apache:

systemctl reload apache2

phpMyAdmin will now be available only at the new URL: https://yourdomain.com/phpmyadmin-f73r862b/

  This prevents indiscriminate use of the default URL, but provides no actual security should the obscure URL be discovered, for example by a scanner that brute-forces paths or through a leaked link or log entry. Treat it as a way to cut down automated noise, not as access control; the password and IP restrictions below are what actually limit access.

If phpMyAdmin must remain reachable from the internet, you can increase security by using the .htaccess password capability. This makes Apache demand HTTP Basic credentials before it serves anything from the installation folder, in addition to the database user login required by phpMyAdmin, so unauthenticated visitors never reach phpMyAdmin's own login page or any vulnerability in it. Basic credentials are sent with every request, so only use this over HTTPS. Follow these steps to activate .htaccess password protection.

  Password Protect the phpMyAdmin Folder  
For the password and/or IP based settings in a .htaccess file to be honoured, we must first add AllowOverride All to the Directory section of the file /etc/phpmyadmin/apache.conf using a text editor; save and exit once your file looks like the following sample (the remaining directives of the packaged Directory block stay in place):

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All
    # ... remaining directives from the packaged file, unchanged ...
</Directory>

The same Auth directives shown in the next step can instead be placed directly inside this Directory section; in that case AllowOverride can stay at None, which also prevents a stray .htaccess file from loosening the rules.

     
Next we need to create or edit the file /usr/share/phpmyadmin/.htaccess per the example below, then save and exit:

AuthType Basic
AuthName "Stay Away"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user

The password file lives outside the document root so that Apache can never serve it; it must be readable by the Apache user (www-data on Debian / Ubuntu) but should not be writable by it. Now create the user and password credentials with the htpasswd utility, replacing 'username' with the user name of your choice. The -c flag creates the file and overwrites it if it already exists, so use it only for the first user and omit it when adding further users; -B stores the password as a bcrypt hash instead of the weaker default. When the command is run, you will be prompted for a new, strong password to complete the setup:

htpasswd -c -B /etc/phpmyadmin/.htpasswd username

Reload Apache to apply the changes and activate password protection:

systemctl reload apache2
    

     

  Make note of the username and password, as they will now be required before access to phpMyAdmin is granted.

As an additional or alternative security measure, you can restrict access to a specific IP address, set of IP addresses or subnet. This is the best option where static IP addresses are in use or internet access is not required. However, if your LAN or WAN addresses are dynamic, you may find yourself locked out when an address changes.

  Restrict Access to Specific IP Address or Subnet  

IP restriction is configured in the Directory section of the file /etc/phpmyadmin/apache.conf. Debian and Ubuntu ship Apache 2.4, whose access control directive is Require (mod_authz_core / mod_authz_host); the older Order / Deny / Allow directives only work through the compatibility module mod_access_compat and should not be mixed with the Require directives that the packaged file already uses. To allow a single address, add the following to the Directory section, using your own IP information:

Require ip 192.168.1.1

  • To allow a subnet instead of a single address, give it in CIDR form, for example Require ip 192.168.1.0/24, or as a prefix such as Require ip 192.168; several addresses or networks may be listed on one line, separated by spaces.
  • Everything not matched by a Require line is denied, so no separate "deny all" line is needed.
  • If you combine IP restriction with the .htaccess password protection from the previous section, be aware that Apache 2.4 does not combine them by default: the Require valid-user in .htaccess replaces the Require ip of the Directory section (AuthMerging Off), so the IP check silently stops applying. Either add AuthMerging And to the .htaccess file so that both conditions must be met, or move the Auth directives into the Directory section and put both Require lines inside a single <RequireAll> container there.
    

     
For reference, here is a sample version of the file /etc/phpmyadmin/apache.conf with all the security edits in place:

Alias /phpmyadmin-f73r862b /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride All
    # limit libapache2-mod-php to files and directories necessary by pma
    <IfModule mod_php7.c>
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/: ...
    </IfModule>
    # Only this address may reach phpMyAdmin; add further addresses or
    # networks (e.g. 192.168.1.0/24) on the same line if needed.
    # With Basic auth in .htaccess, that file must also contain
    # "AuthMerging And", otherwise its Require valid-user replaces this rule.
    Require ip 192.168.1.1
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>

Check the file with apache2ctl configtest, then reload Apache to apply the changes and activate IP based access restriction:

systemctl reload apache2
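As an added example that is not part of the original page or of the phpMyAdmin package, the script below generates the random alias suffix and renders a Directory block that enforces both conditions at once in Apache 2.4 syntax: a permitted client network and valid Basic-auth credentials, with the Auth directives inside apache.conf so that AllowOverride can stay at None. The network on the usage line and the AuthName text are placeholders, and it assumes the password file has already been created with htpasswd as described above.

```shell
#!/bin/sh
# Added example (not from the original page or the phpMyAdmin package):
# render a hardened phpMyAdmin Alias/Directory block for Apache 2.4.
# Assumes Debian/Ubuntu paths and an existing /etc/phpmyadmin/.htpasswd.

# Random, URL-safe alias suffix from the kernel CSPRNG (8 hex chars).
gen_suffix() {
    od -An -N4 -tx1 /dev/urandom | tr -d ' \n'
}

# Render the Alias line and Directory block for a suffix and an allowed
# address or CIDR network. Both checks sit in one <RequireAll>: sibling
# Require lines outside such a container are OR-ed (RequireAny), which
# would let anyone on the allowed network skip the password entirely.
render_pma_conf() {
    suffix=$1
    allowed=$2
    cat <<EOF
Alias /phpmyadmin-${suffix} /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    Options SymLinksIfOwnerMatch
    DirectoryIndex index.php
    # Auth lives here, not in .htaccess, so overrides can stay disabled.
    AllowOverride None

    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/phpmyadmin/.htpasswd

    <RequireAll>
        Require ip ${allowed}
        Require valid-user
    </RequireAll>
</Directory>
EOF
}

# Usage: sh pma-harden.sh 192.168.1.0/24 > pma-hardened.conf
if [ $# -ge 1 ]; then
    SUFFIX=$(gen_suffix)
    render_pma_conf "$SUFFIX" "$1"
    echo "phpMyAdmin will be served at /phpmyadmin-${SUFFIX}/" >&2
fi
```

Merge the output into /etc/phpmyadmin/apache.conf in place of the existing Alias line and the top of the Directory block, keeping the packaged php_admin_value lines and the Require all denied sections for templates and libraries, then run apache2ctl configtest and systemctl reload apache2. A request from outside the allowed network should now receive 403 even with the right password, and a request from inside it without credentials should receive 401.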
    

Live Beta Testing Continues

Features continue to be added and refined as Blue Haze is tested on an expanding number of sites. As of release 0.9.9.4 the functionality provided by the plugin Post Template Select has been replaced by settings integrated into the Blue Haze Options dashboard that allow selecting which post types, including any custom post types, you want to be able to use the Blue Haze Dynamic Template on.


Blue Haze Enters Public Beta

Testing of the theme for major issues and expected feature operation is now complete and Blue Haze is ready for public use. No major issues would be expected since the theme started as a branch of the existing WordPress theme Bootstrap Basicv3. Blue Haze retains and expands on the Bootstrap compatibility, offering better FontAwesome integration and optional dataTables compatibility along with a new set of features that empower authors and developers alike to build on Blue Haze without the worry of having an upgrade cause havoc to the modifications they have made, or requiring the use of child themes and plugins solely to support trouble-free theme upgrades.

If you are like me, you have downloaded and messed with countless themes only to discover that none of them fit your exact needs. I am not saying Blue Haze is that one-size-fits-all theme; that would be an unrealistic expectation on my part, since we are all looking for what we need, not what someone else thinks we need. However, having waded through countless themes, my goal is to make Blue Haze as functional and code friendly to as many people as possible.

Besides being designed for the Classic WordPress Editor, one of the key goals was to work towards more of a universal template. Far too many themes seem to lack true control of page layout; our Blue Haze Template Options allow you to easily pick normal or full width pages. But the real functionality comes with the ability to select virtually no formatting at all, or even substitute a PHP file for any page's content, up through page by page sidebar and format control. For those who may be upgrading from Bootstrap Basic, the default template is the same in Blue Haze.

Our plan is to add features based on user requests and we welcome any who wish to make suggestions or offer improvements. Another goal is true upgrade protection for those who choose to expand on Blue Haze for their own needs. We have options for you to include your own functions and CSS file, both safely outside the theme's folders, so upgrades do not affect them. Speaking of upgrades, our theme will upgrade through the WordPress dashboard like any other theme once installed.

Like many WordPress offerings, we do not claim the code used in our theme is entirely of our own making or that we are expert coders using only the latest approved methods; in fact nothing could be further from the truth. We used examples from themes, plugins and other existing resources along with our own code and hacks to create the final product. We believe you should be able to easily follow our code should you need it as an example of how you could implement a feature, so we include notes in our code and try to make it easy to understand.