Security of site.

Howdy again, I have another question/scenario for you all.

Now that I am at the stage of buttoning down everything on our actual site, I will finally be moving it over to the main domain. But before doing so, I need to make sure I have a few things straight security-wise.

First off, I will be installing an SSL certificate, and encrypting the database. Since the site will be storing patient confidential details (and I am scared to even say that as someone may purposely go to our site to figure out a loophole), I need to know if anyone can think of anything else that I can add to increase the security.

In addition to that - and here is where it is specifically dolphin related - can I move my inc folder to the path one level above my public_html directory - ie: instead of home/myacc/public_html/inc/, I would want it to be home/myacc/inc/. Reason: This was suggested to me by someone with more web knowledge than myself - but as this has been a great place for advice, in all areas - not just dolphin - maybe one of the gurus can tell me what would be best and allowable within the constraints of Dolphin.

As always - Thanks in advance.

caredesign.net
Quote · 14 Feb 2013

Now that you just posted "Since the site will be storing patient confidential details (and I am scared to even say that as someone may purposely go to our site to figure out a loophole)" over the web, you better look a lot harder into it. Remember HIPAA. You can get into huge trouble. The only reason I say that is because I was running a server for medical transcription, and if there is one complaint, they will go through you with a fine-tooth comb and fine you for everything. They do not mess around. They take patient confidentiality seriously.

Quote · 14 Feb 2013

Exactamundo - that's what I am worried about. One of the reasons we have taken so long is because the client has spent a lot of time just getting the specifics about HIPAA compliancy. It is almost easier doing a site for a bank than doing medical records.

After I do what I can, his next step is going to be to get it certified, now THAT should be fun.

caredesign.net
Quote · 14 Feb 2013

Is it at all viable to allow access to your site from US-based IP addresses only? A site I am working on is for US residents only, and as such, I use GeoIP to block access from anyone outside the US. I take all that a step further by using Maxmind's proxy detection service to block access to join.php via US-based anonymous proxy servers. This ensures that all members reside in the US, and since 95% of the world's population is blocked, it is safe to assume that hacking attempts and undesirable traffic are reduced proportionally.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 14 Feb 2013

Thank you very much for the tip houston - I will pass that along as something we should add as well. Heck - just for the sake of it, we are even running 2 separate dedicated servers - this will most likely change, but for now it is what it is. But one is for the database and the other is for the webserver.

We have the database server with encryption on the database itself, and then the server itself has encryption on it as well, for that worst-case scenario if a person were to get past the guards, alarms and every other on-site security measure and actually steal our server.

caredesign.net
Quote · 14 Feb 2013

If your servers are running Cpanel/WHM I would strongly suggest installing Mod Security and CSF Firewall. They are both free and are highly configurable. Mod Security is always improving and will block most standard attacks right out of the box. 

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 14 Feb 2013

Thanks a lot mscott - and yes they are. I will add that to my list.

caredesign.net
Quote · 14 Feb 2013

http://www.maxmind.com

They have some really good products and web services that may help you.  If the services don't do anything else but give you enough information to track would-be attackers on your servers, that in itself may one day prove invaluable, and it will presently show those interested parties, that you are ready to deal with such eventualities.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 14 Feb 2013

 

http://www.maxmind.com

Now THAT was invaluable - that just got shot to the top of the list, but that's a quick email - mscott is second, but I will do that in the morning.

Thank you very much. I will make sure to Plus you all.

caredesign.net
Quote · 14 Feb 2013

Also, in cPanel I would suggest password protecting the administration folder, so it gives an extra line of password to open the admin section.

Also consider ConfigServer eXploit Scanner (cxs) - $50 (one-time fee) http://configserver.com/cp/cxs.html which will constantly scan for exploits.

https://niceday-hosting.co.uk | http://northumberlandfriends.co.uk |http://kids-tv.net
Quote · 14 Feb 2013

Greatly appreciated, easyhost.

caredesign.net
Quote · 14 Feb 2013

OK, I am totally grateful for the tips and advice you all have given to me, but I am still wondering what the effects would be if I moved my inc folder up above my public_html level. From the explanation that I got: if for some reason there is an issue where someone is able to get into the folders of the public_html, they wouldn't be able to go above that level.

caredesign.net
Quote · 14 Feb 2013

 

If your servers are running Cpanel/WHM I would strongly suggest installing Mod Security

This was installed as standard when our dedicated server was set up. Please see file below.


2013-02-14 14:45:01 100.43.83.161 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                 against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                  [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                 "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 14:06:00 100.43.83.161 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                 against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                  [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                 "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:58:30 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:58:30 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:58:30 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:58:30 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:47:05 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:47:05 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:47:05 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:47:05 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:45:52 100.43.83.161 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                 against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                  [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                 "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:07:46 69.163.231.116 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                  against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                   [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                  "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:06:59 69.163.231.116 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                  against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                   [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                  "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:06:35 213.249.64.242 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                  against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                   [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                  "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:06:23 174.77.92.170 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                 against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                  [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                 "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:06:02 68.104.173.16 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                 against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                  [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
02/14/13 13:10 Web Host Manager 11.34.1.7 - Mod Security

2013-02-14 13:05:43 68.104.173.16 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                 against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                  [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                 "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 13:05:37 68.104.173.16 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                 against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                  [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                 "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:49:20 156.111.131.114 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                   against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                    [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                   "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:49:20 156.111.131.114 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                   against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                    [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                   "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:49:19 156.111.131.114 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                   against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                    [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                   "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:49:19 156.111.131.114 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                   against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                    [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                   "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:49:16 156.111.131.114 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                   against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                    [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                   "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:49:12 156.111.131.114 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                   against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                    [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                   "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:49:12 156.111.131.114 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                   against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                    [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                   "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:00:39 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:00:39 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:00:39 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 12:00:39 66.249.74.58 Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
                                against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]
                                 [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag
                                "POLICY/METHOD_NOT_ALLOWED"]
2013-02-14 11:59:41 24.250.164.77 Access denied with code 406 (phase 2). Pattern match "(?:b(?:(?:typebW*?b(?:textbW*?b(?:j(?:ava)?|ecma|vb)|applicationbW*?bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframeb.{0,100}?bsrc)b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at
                                  REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "85"] [id
                                  "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"]
                                  [tag "WEB_ATTACK/XSS"]
                                  southernviewcompany.com /catalog/view/javascript/jquery/ui/external/jquery.cookie.js HTTP/1.1 406

caredesign.net
Quote · 14 Feb 2013
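
Added example (not part of any post in this thread): a small Python triage of a ModSecurity listing in the layout quoted above. It groups blocks by rule id and client, and separates out blocks where the rule matched the requested file path itself, as the 950004 entry with data ".cookie" did. The function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log quoted above: timestamp, client IP,
# message, indented continuation lines. IPs are documentation addresses, not the
# thread's, and the long rule 950004 pattern is shortened to "(?:...)".
_MNA = ('Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$"\n'
        '    against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"]\n'
        '     [line "35"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag\n')
SAMPLE = (
    '2013-02-14 14:45:01 192.0.2.10 ' + _MNA + '    "POLICY/METHOD_NOT_ALLOWED"]\n'
    '2013-02-14 14:06:00 192.0.2.10 ' + _MNA + '    "POLICY/METHOD_NOT_ALLOWED"]\n'
    '2013-02-14 13:06:02 198.51.100.7 ' + _MNA +  # entry cut off before its tag value
    '2013-02-14 11:59:41 203.0.113.5 Access denied with code 406 (phase 2). Pattern match "(?:...)" at\n'
    '    REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "85"] [id\n'
    '    "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"]\n'
    '    [tag "WEB_ATTACK/XSS"]\n'
)

START = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$')   # first line of an entry
FIELD = re.compile(r'\[(\w+)\s+"([^"]*)"\]')                           # [id "960032"], [msg "..."]
TARGET = re.compile(r'(?:against "(\w+)"|" at (\w+)\.)')               # variable the rule inspected

def parse(text):
    """Join wrapped lines into entries and pull out the bracketed fields."""
    entries = []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            entries.append({"time": m.group(1), "ip": m.group(2), "raw": m.group(3)})
        elif entries and line.strip():
            entries[-1]["raw"] += " " + line.strip()
    for e in entries:
        e.update(FIELD.findall(e["raw"]))
        t = TARGET.search(e["raw"])
        e["target"] = (t.group(1) or t.group(2)) if t else None
    return entries

def summarize(entries):
    """Counts per (rule id, message) and per client IP."""
    by_rule = Counter((e.get("id"), e.get("msg")) for e in entries)
    return by_rule, Counter(e["ip"] for e in entries)

def filename_hits(entries):
    """Blocks where the rule matched the requested path (REQUEST_FILENAME);
    compare [data] with the site's own file names before acting on them."""
    return [e for e in entries if e["target"] == "REQUEST_FILENAME"]

def incomplete(entries):
    """Entries whose field list was cut off (no tag recovered)."""
    return [e for e in entries if "tag" not in e]

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    by_rule, by_ip = summarize(parsed)
    for (rule_id, msg), n in by_rule.most_common():
        print(n, rule_id, msg)
    for e in filename_hits(parsed):
        print("check path match:", e["ip"], e["id"], e.get("data"))
```
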

 

Is it at all viable to allow access to your site from US based IP addresses only?

We are currently exploring this option. One of the things on the to-do list is a section for missionaries in other countries, but as this is not an immediate feature, we can get away with blocking non-US access.

caredesign.net
Quote · 14 Feb 2013

 RE:

 

Is it at all viable to allow access to your site from US based IP addresses only?

We are currently exploring this option. One of the things on the to-do list is a section for missionaries in other countries, but as this is not an immediate feature, we can get away with blocking non-US access.

With MaxMind's mod_geoip for Apache installed on the server, adding these lines to .htaccess is all that is needed. Then you can allow additional countries as needed, or even individual IPs.

<IfModule mod_geoip.c>
  GeoIPEnable On
  Order deny,allow
  deny from all
  SetEnvIf GEOIP_COUNTRY_CODE US TargetLocation
  Allow from env=TargetLocation
</IfModule>

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 14 Feb 2013

Thanks again HL - I relayed that fact to the client, so he is gonna mull it over and talk with the other team members.

caredesign.net
Quote · 14 Feb 2013
 
 