I'm making a custom CMS for a website I've been planning and security is a big concern.

I probably lack the expertise to fend off a full-scale hacker social engineering his way into the server room, but this is a list of what I've compiled from here and other sites to prevent hacking attempts. Please comment if anything here is lacking or if further steps should be taken.

STAGE 1

Using PDO to make database calls, and .htaccess to rewrite URLs so as to conceal things such as index.php?get=variable, which is now myurl.com/get/variable,

and the aforementioned variable is passed through PDO as outlined here.

Moving database queries and functions into folders that deny HTTP access, and locking certain admin functions behind a server user group which only the trusted few will have access to.

All passwords are encrypted and will never be decrypted to plain text, as I have no sane reason to need to read other people's passwords.

Login and user creation stopgapped by an IP address auto-lockout based on X number of attempts, and reCAPTCHA.

Stage 2

These steps find a home mostly because I intend to one day distribute this software and don't want egg on my face.

User tracking to prevent finding files, and logging of intrusion attempts.

IP tracking to prevent XSS hijacking, and possibly behavior monitoring for similar reasons.

I'd think of more, but my brain is now jumping to requiring two-stage facial recognition and a DB of state IDs.

ert3
    Step #1) Don't re-invent the wheel (that is, one of the best things to do to "avoid hax" is use a well-vetted, tested, and maintained framework/CMS). –  Jun 14 '12 at 05:24
  • 5
    Questions on SO are expected to relate to a specific programming problem. Your question is too vast and, in my opinion, cannot be done justice in a single answer. – Ayush Jun 14 '12 at 05:24
  • @pst which framework do you think will be the answer? I think you need to code for all this, right? – Rinzler Jun 14 '12 at 05:25
  • @Rinzler I use SharePoint (but only because my work, which bills clients, pays me to ;-) There are *many* different products out there with a huge range of overlaps. Pick your own poison. –  Jun 14 '12 at 05:27
  • I'm not certain what framework would be correct, but I want the CMS to be mine and mine alone so I can be proud of an achievement even if it falls after a month or so to some 4chan trolls – ert3 Jun 14 '12 at 05:29
  • There are at least a few PHP frameworks that offer built-in functions that stop at least the most common hack attack attempts. And I'm a Symfony2 newbie, but as far as I know it offers automatic building for the admin panel, which may be the best solution for your problem if I get your question right. For sure, if you decide to use Symfony2 for your project, in theory at least you should get basic (maybe even better) defence from XSS attacks and SQL injections, and get your admin panel up and running. – Leron Jun 14 '12 at 05:45
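
The login-related items in the question (the URL variable passed through PDO, passwords stored one-way and never decrypted, and the per-IP lockout after X attempts) worked through as an added example. This is not the asker's code or any framework's; it assumes a `users` table and a `login_attempts` table with the columns shown, a limit of 5 failures with a 15-minute window, and uses an in-memory SQLite database so it runs without a server.

```php
<?php
// Added example, not the asker's code: a minimal login flow for a PHP CMS
// covering three items from the question. Table and column names, the
// attempt limit and the lockout window are assumptions.
declare(strict_types=1);

const MAX_ATTEMPTS = 5;       // assumed policy: lock an IP after 5 failures
const LOCKOUT_SECONDS = 900;  // assumed policy: the lock lasts 15 minutes

// Connect to a PDO data source. An in-memory SQLite database is used here so
// the example runs stand-alone; a MySQL DSN works the same way.
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE login_attempts (ip TEXT PRIMARY KEY, failures INTEGER NOT NULL, last_failure INTEGER NOT NULL)');
    return $pdo;
}

// User creation: only a one-way hash is stored. password_hash() chooses the
// salt and algorithm; the plaintext cannot be recovered from the result.
function createUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Lockout check: refuse an IP that has reached MAX_ATTEMPTS failures within
// the window, before any password is looked at.
function isLockedOut(PDO $pdo, string $ip): bool
{
    $stmt = $pdo->prepare('SELECT failures, last_failure FROM login_attempts WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $row = $stmt->fetch();
    if ($row === false) {
        return false;
    }
    $withinWindow = (time() - (int) $row['last_failure']) < LOCKOUT_SECONDS;
    return $withinWindow && (int) $row['failures'] >= MAX_ATTEMPTS;
}

function recordFailure(PDO $pdo, string $ip): void
{
    $upd = $pdo->prepare('UPDATE login_attempts SET failures = failures + 1, last_failure = :t WHERE ip = :ip');
    $upd->execute([':t' => time(), ':ip' => $ip]);
    if ($upd->rowCount() === 0) {   // first failure seen from this IP
        $ins = $pdo->prepare('INSERT INTO login_attempts (ip, failures, last_failure) VALUES (:ip, 1, :t)');
        $ins->execute([':ip' => $ip, ':t' => time()]);
    }
}

function clearFailures(PDO $pdo, string $ip): void
{
    $stmt = $pdo->prepare('DELETE FROM login_attempts WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
}

// Login: $username is whatever the rewrite rule put into $_GET (the
// /get/variable segment). It is bound as a parameter, never concatenated
// into the SQL, so quotes or SQL keywords inside it stay plain data.
function login(PDO $pdo, string $ip, string $username, string $password): string
{
    if (isLockedOut($pdo, $ip)) {
        return 'locked';
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        clearFailures($pdo, $ip);
        return 'ok';
    }
    recordFailure($pdo, $ip);
    return 'denied';
}

// Demo with constructed data: a user whose name contains a quote, one good
// login, MAX_ATTEMPTS bad ones, then a correct password that is still
// refused because the IP is now locked.
$pdo = connect();
createUser($pdo, "o'brien", 'correct horse battery staple');
$ip = '203.0.113.7';   // constructed client address from the documentation range
echo login($pdo, $ip, "o'brien", 'correct horse battery staple'), PHP_EOL;
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    echo login($pdo, $ip, "o'brien", 'wrong password'), PHP_EOL;
}
echo login($pdo, $ip, "o'brien", 'correct horse battery staple'), PHP_EOL;
```

The username is bound through `:u` rather than spliced into the query string, so a value such as `o'brien` arriving from the rewritten URL is treated as data rather than SQL. `password_hash()` embeds the salt and algorithm in the stored string, and `password_verify()` recomputes and compares at login, so nothing is ever decrypted. The lockout is checked before the hash comparison, so once an IP has exhausted its attempts the response carries no information about whether the password was right.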

2 Answers


Unless you have a lot of time on your hands and a team of experienced people, your CMS will never be up to par with ones like Joomla, Drupal, or WordPress.

Since they've been around for a while, they've been weatherproofed, but even then hackers find exploits.

Not trying to discourage you, but if security is a big concern, I would just go with a well-established CMS. More specifically, I would use WordPress for simplicity. It's also very easy to create custom themes and to create custom functions and plugins.

Like pst mentioned above, no need to reinvent the wheel.

rcorrie

I think it's admirable that you're thinking big and want an accomplishment under your belt that you've coded and that you're proud of. I think we all would like to code something really solid that we can point to and say "I did that" and feel a real sense of accomplishment.

I won't tell you that it can't be done, but I do agree with the other comments that security is a huge, huge, huge topic and you've only scraped the very surface here. You have some good items in your list of steps, but web application security goes well beyond authentication and intrusion. From the steps you've written, it seems like you have an understanding of some of the basics of application security.

With that said, a really thorough and comprehensive security professional needs to consider:

* What version of Apache do you recommend people deploy on? What are the known issues with the versions of mod_php or mod_fcgid that you'll recommend?
* What version of PHP will you run? Are you aware of any outstanding vulnerabilities with the version of the interpreter that you'll code in?
* How will you recommend that people harden the server? E.g., besides having Apache and MySQL running, what other services need to be active? Will you allow SSH to the server? If the web server and DB are on two different machines, how do you ensure that only the web server can talk to the DB server?

Some of the other things you mentioned like intrusion detection, facial recognition, etc. are extremely complex topics and there are whole companies building products just around each topic area.

My point is: it is basically impossible for one person to be able to think of every possible security issue that could come up and - even if you could think of all of them today - tomorrow someone is likely to discover a security issue that no-one has heard of before.

So, it's good to be ambitious, but it's also good to know what you're dealing with before you get in over your head. (That's another trait of a good security professional, too.)

bitops