Documentation - OSE SEC
OSE PHP Security Suite User Manual
Version: 2.0 (Previous OSE PHP Anti-Hacker Standalone) Released Date: 03-Feb-2009 Manual Date: 20-Apr-2009 Author: OSE Security Team. email@example.com Copyright: Reproduction and redistribution of the document is disallowed without the consent of the author. Notes: The OSE Security software series is an Open Source software series developed by Open Source Excellence Team. License: GPL V2, you can install it into UNLIMITED websites FOREVER! No License Restrictions! No more IONCUBE!
- 1 Introduction
- 2 Installation
- 2.1 Contents in the Package
- 2.2 Software Download and Support
- 2.3 Installation
- 2.4 Configuration
- 2.5 Activation and Test
- 2.6 Whitelisting Strings and Form Fields
- 2.7 Scan Files with the Virus Scanner
Open Source Excellence PHP Security Suite is a server-based software which provides an all-in-one protection for the websites, being able to secure you private data, protect your system files from malicious codes and hacking attacks, and it clean virus and infected files. It combines the functions of Open Source Excellence Anti-hacker and Open Source Excellence Virus Scanner, and hence offers the maximal protection for the websites. It’s suitable for all kinds of websites, including online stores, small business, personal websites, public institutes, etc. It’s easy to use and has very friendly interface for you to customize for your own demands. The application is competent to perform an advanced protection for ALL PHP systems (for instance Joomla, VirtueMart, Magento, Drupal and WordPress, etc). The major technical features include:
- Double Firewall system providing Three Layers of protection:
- Layer 1: Signature-based Detection System - detecting most common hacking behaviours.
- a) Surface Scanning, once hacking behaviour is found, the activity and corresponding IP will be banned immediately.
- Layer 2: Pattern-based Instruction Detection Systems - blocking all inbound malicious codes and hacking activities, including network-, application-, and operating system-level attacks.
- b) Scans and monitors all URL, Form Fields, Cookies values.
- c) If hacking is found and the Risk Score exceed the secure level, the IP will be banned immediately.
- d) If Suspicious Hacking behaviour is found for Form Fields and Cookies hacking, the hacking strings in the Form / Cookies value will be stripped and sanitized.
- Layer 3: HTTP BlackList System - dynamically linking to a HTTP blacklist database and blocking access based on network masks or IP addresses.
- e) Scans users' IPs, once the IP address is located in the HTTP blacklist, the access will be blocked immediately.
- Layer 1: Signature-based Detection System - detecting most common hacking behaviours.
- Two Types of reactions:
- 1) Ban + Email Alert: If the hacking triggers Layer 1 protection or exceed the Risk Score in Layer 2 protection, the IP will be blocked, and the alert email will be sent to the administrator.
- 2) Log + Email Alert: If the Risk Score of the suspicious behaviour is lower than the global setting, the IP will be blocked for monitoring purpose, and the alert email will be sent to the administrator.
- Embedded OSE Virus Scanner application providing on-demand scanning of your source codes for malicious codes injections, cleaning of the malicious codes from the infected files, and generating complete scanning reports.
- Form Field Filtering Enabled - allowing users to filter the content of the form fields in order to prevent XSS attacks.
- Whitelist Setting Enabled – Unlike other security software which only provides IP whitelist function, OSE PHP Anti-Hacker also provides the whitelist function for your programs and form fields, so that it gives you the flexibility to user a wide range of software while maintaining a high level of protections.
- Supports for Search Engine Optimized Websites – providing protection while maintaining your page ranking.
- Instant emails alerts to administrators once suspicious hacking behavior is logged.
- The application is developed under an Open Source PHP basis using the Model-View-Control Architect. Therefore its functions can be easily extended to all Open Source PHP systems.
Contents in the Package
Files which can be installed as a website platform on the server. After installation, the Open Source Excellence Security Suite platform includes the following components:
- Anti-Hacker component – managing blacklist and whitelist IPs, whitelist strings and form fields list.
- Virus Scanning Class Files – A folder containing class files for the application, allowing you to protect other websites on the same server. This means that with one installation, you can use it to protect all other PHP system on the same server.
- Virus Scanner – A component scanning and cleaning the website files on the same server.
- System Guard – A set of tools to help you change your system setting. It also includes a file audit system to audit files in the system of the OSE Security Suite platform.
- Update Manager – An upgrade component which allows you to keep the database of the virus definitions updated conveniently.
Software Download and Support
- Please find the OSE Security Suite on our OSE website: http://www.opensource-excellence.co.uk/index.php?page=shop.product_details&flypage=flypage_new.tpl&product_id=2&category_id=6&option=com_virtuemart&Itemid=157.
- After you purchase the product, you can use it FOREVER (INDEFINITELY); you can download all upgrades within 1 year; and you can receive our support within 1 year. Please check and download the latest upgrade on our OSE website in your “My Account” after login at: http://www.opensource-excellence.co.uk/index.php?option=com_osemsc&view=member&Itemid=145.
- If you have questions regarding installation, configuration, or usage, please go to our ticket system to raise a question: http://www.opensource-excellence.co.uk/tickets.
If you have a previous version of the OSE Security Suite installed and you intend to upgrade it to the latest version, please only read section 2.1 and then use the Security Suite as before. If you are a new user and going to make a fresh installation, please read all the contents from section 2.2.
Upgrade from a Previous Version
1. Uninstall previous components and plug-ins from the backend
- Login to your Security Suite Back-end, and uninstall the Anti-Hacker component, Virus Scan component, the Updater component and the System Guard component if any.
2. Installing new components and plug-ins
- Go to your Security Suite Back-end, and install the new version of the Anti-Hacker component, Virus Scan component, and the System Guard component in the Upgrade Folder of the zip pack.
3. Uploading new files
- Upload all files in the folder "Core Scanning Class Files" to your Security Suite Root folder.
- After finishing all above, please test if the update is successful by entering the following link: www.yoursite.com/index.php?%20union.
Before you install the OSE Security Suite, please make sure that:
1.Backup your current website, including all files and database just in case there are any accidents happening!
2. You are using a database that is specific for the Security Suite and is different from the database for your current website! This means that you have at least two databases, one is for your website, while the other is for the OSE Security Suite!
3. You are installing the OSE Security Suite into a folder that is different from your existing websites!
After you confirm the above three requirements, we can start now:
1. Under your www or public_html directory, create a folder called "osesecurity" (or any other name you prefer);
2. Upload the OSESecuritySuite zip pack to the folder "osesecurity";
3. Extract (Unzip) the zip pack (Don't know how? If you use cPanel, please see this instruction: How to extract zip files through cPanel?);
4. Delete the OSESecuritySuite zip file afte the files are extracted;
5. We can now start installing the software by accessing www.yoursite.com/osesecurity (please replace "yourdomain.com" to your website address and replace "osesecurity" to the folder name you specified);
6. Then follow the installation pages step by step. Please choose English for your language.
7. Click Next to go through Step 2 and Step 3.
8. Enter your database setting as shown below.
9. Ignore the FTP setting.
10. In the Final setting page, first of all, please click the Install Sample Data button, which will import the pre-set security setting for System Guard (which helps you improve the security of the file system for the Security Suite).
11. Then enter your contact email address, and password for the Security Suite backend.
12. Click Next to the Finish page.
13. Delete the Installation folder in the Security Suite folder when you finish setting this up. The installation folder is under your osesecurity folder (or something you specified) which is named as "installation".
14. Load the Back-end page and login using you admin information.
After installation, you need properly configure the OSE security Suite before activating it to work.
Go to the component and the plug-in manager to configure the Anti-Hacker function before the first time use.
1. Configuring Security Level of the Anti-hacker.
The Anti-Hacker Component introduces a 3-Layer protection system and a risk score policy.
- A. Layer 1 Protection
The Layer 1 protection is on by default and any activity violating the Layer 1 rules will be 100% blocked.
- B. Layer 2 Protection
Under the Layer 2 protection, all violations will be scored from 1 to 100 according the potential harm level, based on which the Anti-hacker decides whether block them. The violation with a higher risk score is more likely to be a real hacking attack and that with a very low risk score has a high possibility to be a FALSE POSITIVE. The Anti-Hacker function sets layer 2 protection off by default and it allows you to switch it on and configure the appropriate security level which is suitable to your websites by doing the following: Please access the "Dash Board" of Anti-Hacker component (by going to the Security Suite Backend --> Components --> Anti-Hacker), open the Parameters on your top right corner, adjust the Security Level.
The security level of Layer 2 protection is optional from Level 1 to Level 10. A higher security level indicates a stricter protection level. For Level n, the software will block all violations with risk scores above (100-10*n). For instance, if you set the security level as 8, it will block violations with scores larger than 20 and those under 20 will be only logged and altered by emails, but won't be blocked. Your websites can get a full protection by setting the security level to Level 10, at which all suspicions blocked.
We recommend you to set the Lay 2 protection to Level 7, which can protect your websites very well and at the same time reduces the possibility of FALSE POSITIVE to a quite low level. However, you can set the security level to any value to match your needs. You may inspect the alert list over a period and find out the optimal level for your websites.
- C. Layer 3 Protection
As shown in the above picture, you can configure the Lay 3 (HTTP BL) protection via the same "Parameter" button. You can opt to turn on the Layer 3 protection by ticking "Yes" and go to http://www.projecthoneypot.org/create_account.php to apply a HTTP: black list key.
2. Next, we need to know how to whitelist a program and whitelist a form field, and then whitelist proper strings and form fields to make the Anti-Hacker compatible with your websites. This is one important feature of our Anti-Hacker, which allows you to have the flexibility to use the Anti-Hacker function on any PHP platform. Please read section 5 Whitelisting programs and form fields on the following topics:
3. Other Configurations.
- A. Please double check that the Plug-in "Authentication - Open Source Excellence Authentication" is enabled. You can find it at "top menu -> Extensions -> Plugin Manager".
- B. Please click on the Plug-in "Authentication - Open Source Excellence Authentication" to open the options for it, and adjust the maximum login attempts that you set for backend users (default value is 3). Change the value "Integrate with Anti-Hacker" from No to Yes.
After configuring the Anti-Hacker function, you can go to the next step to make the System Guard Component perform "File and system audit" for your website.
File and System Audit
This section introduces how to do the file and system audit using the System Guard of Security Suite. This includes:
- Files permissions audit;
- System Configuration audit:
- Ensuring you are using a non-default administrator username,
- Set passwords to protect your administrator folder,
- Ensuring the configuration.php file is not writable.
In order to achieve this, we borrow functions from a popular Joomla component - GuardXT (this can be downloaded for free from: http://www.joomlaxt.com/).
Step 1. Audit your files permissions
The System Guard (a modified version of GuardXT) has been installed, and the files of the OSE Security Suite have been audited by default. However, ALL of your other websites if based on a Joomla system are RECOMMENDED to INSTALL this tool to audit your files as well.
Step 2. System Configuration Audit
After completing the file permissions checks, now we need to do the following steps:
* Step 2.1: Ensuring you are using a non-default administrator username
Change the default administrator's username if the super administrator's user name "admin" is still being used by clicking the Change Now link in System Guard in the Default admin user active row.
* Step 2.2: Set a password to protect the administrator
You can follow the instruction in FAQs to setup a password, Anti-Hacker FAQs: How do I set a new password to protect a folder with .htaccess?
Or go to your WEB HOSTING account control panel, check with your web hosting company to see how you can SET A PASSWORD TO PROTECT A DIRECTORY, then set a password to protect the whole OSE Security Suite folder. For example, if your Anti-Hacker is installed in the folder called "home/XXXX/htdocs/osesecurity", please set a password to protect this folder.
* Step 2.3: Change the permission of the configuration file
Simply click the "Change Now" in the "Joomla Server Configuration Check" Section in System Guard, and it will help you to change the permission of the configuration.php to be un-writable.
Please note: If you use the recommended php.ini in System Guard, please note one thing that you may not be able to install further plug-ins if you enable the "open_basedir" in php.ini. If you would like to install further plug-ins, please temporarily remove that line in the php.ini, and once you finish installing new plug-ins, add that line back to the php.ini.
We also recommend you to disable insecure functions for PHP environment. Please view how to do it in the FAQs: How to disable insecure functions for PHP environment?
Activation and Test
There are three methods to activate the Anti-Hacker function. Before you perform one of the activation methods, please notice: replace "/absolute_path_to_antihacker/" with the absolute path of the Security Suite in the following text. The path should be the admin folder under the root folder of Security Suite folder where you install the Security Suite, e.g. "/public_html/osesecurity/administrator/".
First, please go to Components --> System Guard --> Version Checks, it lists the lines for you to add to activate the anti-hacker. Please use one of the following methods and we would suggest you to choose to use php.ini or .htaccess to activate the anti-hacker in order to have a server-wide protection.
- A. Via the php.ini file
Activate the Anti-Hacker through php.ini: you can add the following line to the php.ini file, and copy the php.ini file to the folder or system that you would like to protect:
- B. Via the .htaccess file
If you are using Apache Module and you want to use .htaccess to run anti-hacker, you can add the following line to the .htaccess file, and copy the .htaccess file to the folder or system that you would like to protect:
php_value auto_prepend_file "/absolute_path_to_antihacker/administrator/scan.php"
If you could not activate it through the above methods (even after reading the FAQs, Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?), please consult your hosting company with regard to how to enable the auto_prepend function to activate it through .htaccess or php.ini, because this will maximize the protection on your websites.
While you are waiting for the hosting company to sort out the above problem, you can use the following method to activate the anti hacker temporarily:
- C. Via the index.php file
In the Root folder of the system that you would like to protect, open the index.php, enter the following code in the first line:
- X. Disable risky PHP functions
Please also add the following codes in the the activation file to disable the risky PHP functions to maximize the security. This is very important and effective to give your websites a good protection.
register_globals = off safe_mode = off allow_url_fopen = off display_errors = off enable_dl = off disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
php_flag display_errors off php_flag enable_dl off php_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"
After doing one of these activations, we can go to test the Anti-Hacker function. You can test it using the url:
Then you will be blocked. The screenshot of what your clients will see is as below. You can customize the blocking message by the "Custom BanPage" function of the Anti-Hacker.
However, when you successfully login to the backend, sometimes you will find that there is no IP being locked! Why???
That is because our plug-in may change the IP status from "hacking IP" to "suspicious IP" if you can successfully enter into the back end. Then when you successfully enter the Administrator login information, your IP would be removed from the blacklist automatically. Therefore, in that case, you cannot find any blacklist IPs in the backend.
If you would like to know the changes of the IP status, you can log into the phpmyadmin and see how it changes, and also after you login to the backend successfully.
If the Anti-Hacker doesn't return the expected result meaning the activation is not easily successful, please read the FAQs carefully, Anti-Hacker FAQs: What if having difficulties in Activating Anti-Hacker?
Whitelisting Strings and Form Fields
Since the OSE Security Suite is a common security platform, it only has a basic list of whitelist programs. You may need to define more to make it compatible with your specific systems, websites, and programs. This section introduces how to add more allowed-to-access strings and form fields.
How to Whitelist a Program?
Please refer to this FAQ for instructions: How_to_Whitelist_a_Program?
How to Whitelist a Form Field?
In order to maximize the protection, the Anti-hacker of Security Suite will scan and filter content of all form fields for suspicious hacking behaviours. Therefore, if you would like to NOT scan or filter some form fields, you need to add the corresponding name of the form field in the White List Form Fields list.
You may simply need to add the name of the form field into the Whitelist Form Field List in order to ignore scanning the content of this form field. For example, the name of the filed text in the contact form is called "text", and then you could add "text" in one form field as follows:
Then save the record, the anti-hacker will NOT filter the content of this form field to see whether that there is suspicious hacking behaviour. Please note that when sometimes the scanner reports FALSE POSITIVES alerts, this function allows you to have more flexibility in Anti-hacker filter rules to fit your system.
Scan Files with the Virus Scanner
1. Find the absolute path of your Security Suite website by doing the following: Go to Security Suite backend --> Global Configuration --> System -> System Setting --> Path to Log folder
You can get the absolute path of the log folder. Then by removing the part "/log", you will get the absolute path of the Security Suite website
- a) Assuming that the absolute path of your Security Suite website log folder is:
- b) Then the absolute path of your other websites is:
- c) Then the absolute path of the root folder of your server will be:
2. Entering the absolute path of the folder you would like to scan in OSE Virus Scanner:
- a.1) If you are using 2.0, Go to Security Suite Components --> Anti-Virus --> Click the Parameter button on your top right corner.
- a.2) From version 2.1, we bring in OSE File scanner to help you initialize your database for files, so it sorts out the 500 errors when you scan virus. With version 2.1, please go to Backend --> Components --> OSE File Scanner --> Click the Parameters button on your top right corner.
- b) Enter the Absolute path of the folder that you would like to scan. Let's say the root folder ("home/demo/public_html/") here.
- c) Change the file extensions that you would like the Virus Scanner to scan.
- d) Then Save the parameter settings.
Update 25-05-2010 New version 2.1 beta can be downloaded in your download area: . New instruction on how to use 2.1 beta can be found here: OSE_Joomla_Anti-Virus#New_Version_2.1_Beta
1. After you click the Scan button, the scanner will start scanning files inside the folder you specified in the parameters. The status bar of your browser will become busy.
2. At this stage, please do not close your Browser or operate the Virus Scanner before the final result displays.
3. Scanning Results
- a) After Scanning the Files, the Scanner will report what files are infected in a list, which looks like the following.
- b) 99% of time the scanner reports real infected files, but in some cases it will report false positives, because some files may use iframe inside their codes which matches one of the suspicious patterns the scanner is looking for. Therefore sometimes the scanner will alert false positives. To deal with false positives, we need to add the file path to the whitelist section. Please tick the files you are going to whitelist and then whitelist them as shown above. Alternatively, you can also add files in the whitelist by inputting the absolute path of file in the Whitelist tab as shown below.
- c) After Adding all false reported files, go back to the Virus Scan and click the Scan button to re-scan your folders. Now, only infected files will be reported. Under the result reporting page, tick all infected files and click the “Clean” button to start cleaning all infected files.
- d) IF YOUR SERVER ALLOWS THE WRITE PERMISSION FOR THE COMPONENT, your files can be cleaned immediately and a backup file will be created in the quarantine folder of the Anti-Virus. You can view the processing report via Report tab. Please see this screenshot:
- e) Custom scan. You are allowed to scan some of the files and folders using the custom scan function.
1. Comparing the Backup Files with the Cleaned Files, you may find the malicious codes inside the file.
2. If you look at the Cleaned version, the malicious codes were all removed.
3. If you find that the file was reported as false positives because the codes that have been removed are not malicious codes, please use the "Restore" function to recover the original files and add the file to the Whitelist for next scan.
You can get the original files back at any time you want. Click the Restore button under the Virus Scan page and you will view the list of all cleaned files.