Sunday, April 19, 2015

Some Security Tips

The "robots.txt" file has its legitimate uses but not everyone who reads it is legitimate. In many cases the file will give nefarious individuals a glimpse into your directory structure and files you didn't intend anyone to look at. 

For example, suppose you list a directory such as 'admin' and have not made it unreadable, whether with a password, by placing an 'index.html' file in the directory, or by using the 'Options -Indexes' server directive. Then, even if nothing anywhere links to 'admin', anyone reading your robots.txt file knows you have that directory and may be able to browse it and every file in it.

Another thing to keep in mind when writing a web page is that anything you get via the web may be evil. For example, if you have a form with an 'input' box you should make sure that the input data does not contain nefarious markup. You may be asking for someone's name which you intend on displaying on the form action page. What if the person entered the following markup: 

<script>windows.location =</script>

If the browser rendering your site has JavaScript enabled, that little snippet would redirect from your site to another site with a big advertisement. The result could be worse depending on where the redirection goes.

This type of devilishness is not restricted to 'input' boxes. Say your site gets the 'HTTP_USER_AGENT' and displays it. Many browsers have HTML markup in their User Agent strings. I have seen <script> tags as well as anchor tags (<a). 

What to do? Well, it is good practice to escape all tag markers, that is the less than (<) and greater than (>) symbols, as &lt; and &gt;. Using PHP you could make a function:

function escapeltgt($value) {
  // Replace every '<' with '&lt;' and every '>' with '&gt;'
  $value = preg_replace(
           array("/</", "/>/"),
           array("&lt;", "&gt;"),
           $value);
  return $value;
}

Use the function on anything that could be dangerous.
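As an added example (not code from the original post), here is that function beside PHP's built-in htmlspecialchars(), which also escapes quotes and ampersands; that matters as soon as the value is echoed inside an attribute such as value="..." rather than between tags. The sample values are constructed for the demonstration.

```php
<?php
// Added example, not from the original post: compares the post's
// escapeltgt() with PHP's built-in htmlspecialchars().

function escapeltgt($value) {
    // Only '<' and '>' are escaped; quotes and '&' pass through untouched.
    return preg_replace(array("/</", "/>/"), array("&lt;", "&gt;"), $value);
}

function escape_html($value) {
    // ENT_QUOTES covers both " and ', so the result is safe in element
    // text and inside single- or double-quoted attribute values. Escaping
    // '&' also keeps a literal "&lt;" typed by a user from rendering as "<".
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample values, standing in for a form field and for a
// User-Agent string that carries markup, as the post describes.
$samples = array(
    'name'       => 'Bob "the Builder" & Sons',
    'user_agent' => 'Mozilla/5.0 (compatible; <a href="http://example.invalid/">bot</a>)',
);

foreach ($samples as $label => $raw) {
    echo "== $label ==\n";
    // Between tags both functions neutralise '<' and '>'.
    echo "<p>" . escapeltgt($raw) . "</p>\n";
    echo "<p>" . escape_html($raw) . "</p>\n";
    // Inside an attribute only escape_html() keeps the value intact: with
    // escapeltgt() the first '"' in the data ends the attribute early and
    // whatever follows is parsed as further attributes of the tag.
    echo '<input name="' . $label . '" value="' . escapeltgt($raw) . "\">\n";
    echo '<input name="' . $label . '" value="' . escape_html($raw) . "\">\n\n";
}
```

Run it from the command line with 'php' and compare the two input lines for each sample; the escapeltgt() version of the name breaks after 'Bob '.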



I installed the APC ES 550G UPS to my Linux Mint 13 desktop. I got the 'apcupsd' package via the repository and had it all up and running within a half hour. Get the 'apcupsd', 'apcupsd-cgi' and the 'apcupsd-doc' packages via apt-get or synaptic. 

Then edit the '/etc/apcupsd/apcupsd.conf' file. Change 'UPSCABLE' to 'usb' and 'UPSTYPE' to 'usb'. You can change times etc. if you want but it is not necessary to get things going. Look at the rest of the stuff in '/etc/apcupsd' just to get an idea how everything works. You might want to comment out the 'FIELD UPSTEMP' 'UPS Temp' in 'multimon.conf' as this device does not seem to support temperature. 

You will also need to edit '/etc/default/apcupsd' and change 'ISCONFIGURED=no' to 'yes'. Then you can start the daemon with 'sudo invoke-rc.d apcupsd start' (or 'sudo /etc/init.d/apcupsd start'). You can use your browser to check the status by going to 'http://localhost/cgi-bin/apcupsd/multimon.cgi'.

I have my computer and my wireless router plugged into the UPS. I tested it out by pulling the UPS plug and sure enough the power stayed up and the power outage was logged in my 'syslog', an email was sent to 'root' and the 'multimon.cgi' reported the outage. I plugged the UPS back in and the event was logged on all three: 'email', 'syslog' and 'multimon.cgi'.

All in all, the APC UPS seems to work just fine. The status log, '/var/log/apcupsd.status', shows a UPS load of only 26% and predicts 27 minutes of UPS power. With only 26% load I may plug my phone answering machine into the UPS also so I don't have to reset the clock every time we have a brown-out.

For $59.99 from this seems like a perfect fit for my home system. I understand that APC has software for Window$ if you really want to punish yourself. As always, APC, like most vendors, could mention that the UPS works just fine on Linux and point people to the 'apcupsd' packages. But maybe APC is afraid of alienating Microsoft, or maybe they just figure that if someone is smart enough to use Linux they are probably smart enough to figure everything out for themselves.

Saturday, April 18, 2015

My New PHP Project

I have just added three new projects to GitHub and PHPClasses. The projects are:

  1. SiteClass framework. 
  2. PHP SlideShow.
  3. MySqlSlideShow.

The projects can be installed via 'Composer' as follows:
composer require bartonlp/site-class:dev-master
composer require bartonlp/slideshow:dev-master
composer require bartonlp/mysqlslideshow:dev-master

Each project is well documented both in the code itself and in the README files. Enjoy.

Update 2016-12-12
I have added two more projects:

composer require bartonlp/updatesite:dev-master
composer require bartonlp/rssfeed:dev-master