Supplementary security: htaccess, WAF/Intrusion Prevention

peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

Supplementary security: htaccess, WAF/Intrusion Prevention

Post by peebee » 2014-02-19 02:10

Hi All. I'm looking for some advice if anybody is able to assist.

As part of an overall site security audit, a website that also hosts an Appgini application I've created is soon to be professionally "Penetration Tested".

Whilst I'm presuming that Appgini will be able to stand up to the pen-test on its own; I was also hoping to complement things with some additional layers of security if possible - just to make sure (no offence intended towards Appgini/Ahmad) ;-)

I've had a good Google search and found a few possible Web Application Firewalls that would handle things nicely but unfortunately most require loading modules directly to the server config. This particular site is hosted on a shared server so I don't have that luxury. I was hoping there might be some php based WAF or other Intrusion Prevention System that I can load directly via ftp? I'm also aware that a decent, solid .htaccess is a great defence but the directives are so many, varied and complex it's hard to get my head around exactly what's required?

What I've found so far: http://www.spambotsecurity.com. I've tried this and the "test" does what it is meant to although the application seems oriented more towards blocking spammers rather than prevention of XSS, SQLi, LFI and the likes?

I also found this: https://github.com/xsploit/xp-Sec but it is extremely early in production and I found it via this forum thread: http://www.hackforums.net/showthread.php?tid=3995318 so I'm a little dubious....?

Not sure if anybody has played around with any htaccess directives specifically for Appgini but any tips would be nice and very well received.

So, does anybody happen to have any suggestions as to a decent web application firewall (that I can load to a shared hosting account), or perhaps a good htaccess generator or any other intrusion prevention that I could add as a supplementary defence to what I presume is going to be a very vigorous attack? I'd rather see any potential attacks met with a nice 403 Forbidden error than anything else if possible.

The Appgini application is isolated to a sub-directory off the root of the hosting account so my ultimate responsibility is really only for that folder and its Appgini contents if that makes any difference. Any suggestions very gratefully received. Thanks.
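A starting point for the subdirectory-scoped .htaccess asked about above, as an added example that is not from the original post or from AppGini itself. It assumes the application lives in its own directory on an Apache 2.2 or 2.4 shared host with AllowOverride permitting these directives; the blocked file extensions are an assumption to adjust to what is actually deployed.

```apache
# Added example .htaccess for the application subdirectory (not AppGini's own file).
# Assumes Apache 2.2 or 2.4 on shared hosting; every directive that needs an
# optional module is wrapped in <IfModule> so the file never causes a 500 error.

# Never list directory contents if an index file is missing.
Options -Indexes

# Do not advertise the Apache version on error pages.
ServerSignature Off

# Refuse any HTTP method that a normal browser session does not use.
# The access-control syntax differs between Apache 2.2 and 2.4, hence both forms.
<LimitExcept GET POST HEAD>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</LimitExcept>

# Deny direct download of files that should never be served: dotfiles
# (.htaccess, .git, ...), editor/backup copies, SQL dumps, logs and INI/include
# files. The extension list is an assumption; extend it to match your deployment.
<FilesMatch "(^\.|~$|\.(bak|old|orig|sql|log|ini|inc)$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Browser-side hardening headers; silently skipped if mod_headers is absent.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

# A plain 403 body so a blocked request gets the "nice 403" the post asks for
# rather than a default page that reveals server details.
ErrorDocument 403 "Forbidden"
```

After uploading, request a blocked name (for example a `.bak` file) and a `PUT` to any URL to confirm both return 403 before relying on the rules.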

KSan
AppGini Super Hero
Posts: 252
Joined: 2013-01-08 20:17

Re: Supplementary security: htaccess, WAF/Intrusion Preventi

Post by KSan » 2014-02-20 02:09

I sadly don't have any information to contribute but would love to hear how the audit goes for your AppGini app and the recommendations that the auditors might provide. This could help all of us greatly and especially if Ahmad patches any vulnerabilities your auditors might find in your app. Good luck.

peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

Re: Supplementary security: htaccess, WAF/Intrusion Preventi

Post by peebee » 2014-02-20 23:24

Just my paranoid personality disorder taking over I'm sure. Never had a professional pen-test conducted before so should be an interesting experience if nothing else.

Sadly, I'm way out of my depth when it comes to the intricacies of php security. Fortunately, we have Ahmad and AppGini to take care of that for us! I'm well aware that correct secure coding in the first place is the only real defence to penetration and that these types of add-on scripts I'm asking about are more of a smoke screen rather than proper protection. I was just hoping to add an extra layer that they'd have to get through before they actually reach Appgini. It's all about appearances... :D

Happy to report back on any results.

KSan
AppGini Super Hero
Posts: 252
Joined: 2013-01-08 20:17

Re: Supplementary security: htaccess, WAF/Intrusion Preventi

Post by KSan » 2014-04-26 06:58

Hi PeeBee,

Hope all went well with your audit. Would love to learn from your experience. Did your auditors find anything that needs to be secured in the AppGini app setup?

Thanks much for sharing. Regards

peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

Re: Supplementary security: htaccess, WAF/Intrusion Preventi

Post by peebee » 2014-04-28 22:40

Nothing to report yet. The application is loaded to a privately hosted web server and they've decided to replace/upgrade the hardware/software prior to pentest.

They tell me all should be ready within the next two weeks. I'll let you know the outcome.

KSan
AppGini Super Hero
Posts: 252
Joined: 2013-01-08 20:17

Re: Supplementary security: htaccess, WAF/Intrusion Preventi

Post by KSan » 2014-04-28 23:11

Great! Best of luck with the assessment.

datacate
Posts: 6
Joined: 2016-01-02 20:07

Re: Supplementary security: htaccess, WAF/Intrusion Prevention

Post by datacate » 2016-01-16 19:17

Hey peebee -

Did you ever get any results back from that PenTest? How did it go? Also, whom did you use? We are in the market for a reasonably priced Pen-Test outfit, as that kind of work can be very pricey! Would love to hear back on anything you can share.

Thanks!
Ed

peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

Re: Supplementary security: htaccess, WAF/Intrusion Prevention

Post by peebee » 2016-01-18 02:58

Pen-test ultimately passed. I sent you a PM with further information.
