Tip 1: Login Page/Authentication

Let’s start with the basic example, which you can find in all those so similar tutorials… First of is the login form:

<form action="login.php" method="post">
    <input type="text" name="username" />
    <input type="password" name="password" />

    <input type="submit" name="Login" />
</form>

Very complex html code, I know. It took me around 10 minutes to write it. Now for the php script that does all the work. NOTE: In this example and all to follow we always assume a mysql connection has been made and that sessions are started.

$username = mysql_real_escape_string($_POST['username']);
$password = sha1('salt'.$_POST['password']);
$result = mysql_query(
    "SELECT id
     FROM users
     WHERE username='$username' AND password='$password'
     ORDER BY id"
);
if(1!=mysql_num_rows($result)) {
    echo 'Login failed, username or password was wrong!';
    exit;
}
$_SESSION['auth'] = true;
$_SESSION['username'] = $username;
$_SESSION['id'] = mysql_result($result, 0);
echo 'Logged in!';

If everything is clear till now than we can move onward… (with this first section I’ve done a summary of all the secure login scripts tutorials)

Tip 2: Bruteforce?

Such a rudimentary attack that people almost forget about it. And most of the time it can be invisible to the websites administrator because POST requests aren’t logged by default. You may remember this from my article Logging the HTTP requests! But I’m not going to use that, because I want to keep all this simple, as simple as possible. So then, we will assume we got a table which is cleared daily (cron?) and stores only the username in the table. One columned table. (I told you that I’m gonna keep it simple) Then the following lines would be also in the login script (before the login query):

$counter = mysql_result(
    mysql_query(
        "SELECT COUNT(*)
         FROM attempts
         WHERE username='$username'"
    ),
    0
);
mysql_query("INSERT INTO attempts VALUES('$username')");
if($counter>=10) {
    echo 'Bruteforce attempt detected or more than allowed logins per day exceeded!';
    exit;
}

As you can see the drawback for this is that while protecting the users from bruteforce attacks, it may also (and it’s likely) to lock them out. Luckily for us there is a solution for the problem. We add another column to our table attempts of type char(2) in which we store the current hour. Basically we limit the number of logins per hour.

$counter = mysql_result(
    mysql_query(
        "SELECT COUNT(*)
         FROM attempts
         WHERE username='$username'
         AND hour='".date('G')."'"
    ),
    0
);
mysql_query("INSERT INTO attempts VALUES('$username', '".date('G')."')");
if($counter>=3) {
    echo 'Max number of logins per hour exceeded!';
    exit;
}

Now it looks a little better, but still it misses something…

Tip 3: IP Ban List

You could use ban lists for various reasons, from allowing “known attackers” to blocking access via proxy. Generally people tend to use .htaccess files for blacklisting, but I will stick to PHP and MySQL for the example. NOTE: On medium to large websites a database (MySQL) – backend (PHP) application would stress pretty much the database. The following code should be inserted before the max number of logins per hour check.

$max_counter = mysql_result(
    mysql_query(
        "SELECT COUNT(*)
         FROM attempts
         WHERE username='$username'"
    ),
    0
);
if($max_counter>9) {
    mysql_query("INSERT INTO banlist VALUES('".$_SERVER['REMOTE_ADDR']."')");
}

And the following line on the first line of the script.

if(1==mysql_num_rows(
    mysql_query(
        "SELECT 1
         FROM banlist
         WHERE ip='".$_SERVER['REMOTE_ADDR']."'"
    )
)) {
    echo 'Your IP address is in the ban list!';
    exit;
}

Of course you could dump the IP Address list from time to time from the database, but the following solution is a better one because it does not involve high stress on database.

Tip 4: reCAPTCHA

CAPTCHA is a good way to protect a web page (login page, important forms) from bruteforce and CSRF attacks. But we are not talking about self made CAPTCHA’s, you don’t have to reinvent the wheel… in a cubic form. That’s right, most of those who write there own CAPTCHA’s tend to make them weak or impossible to use (yes, Rapidshare’s CAPTCHA is one of those). You should use a good and public CAPTCHA, like reCAPTCHA. Also don’t over use them, you have to think of CAPTCHA’s like door keys. It’s very good to have one to your entrance door, but having to unlock the door for every room can be quite annoying, if not frustrating.

Tip 5: Encrypted login information

You either should use SSL or (if not available) frontend encryption (hashing in our case). A good example of such an implementation would be userAtuh’s one. You can find available md5/sha1 hashing library’s written in javascript around the web. One such an example is Paul Johnston’s Javascript MD5 library which is stated to be used by Yahoo on several non SSL pages. Can’t tell if it’s true or not, didn’t check it out, but for those who know Trilulilu (especially Romanian comrades) I can tell you that they implemented it in their flash player, for “encrypting” the source of their media (did I say too much?=).

Tip 6: Legitimate Requests (CSRF free)

As mentioned before excessively using CAPTCHA may be annoying, except in the case that the admin panel is designated for only one person (yourself) and you can bare completing on every important request a CAPTCHA field. For the other cases you could take a similar approach. On request of a page with an important form you could generate the token in the following way.

$_SESSION['token'] = sha1(rand());

And inside the form you could place it like…

<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />

While in the form processing page you should deal with it as in the following code.

if($_SESSION['token']!=$_POST['token']) {
    exit;
}
$_SESSION['token'] = sha1(rand());

Also a better way would be by using mt_rand() and seeding it with a secret method. Like for example the sum of the numbers from the session id.

Tip 7: Protect your includes/secure pages

If you develop your web application in a similar manner as myself than probably you include the admin pages, rather than use one single over bloated file. And it’s a common mistake to not protect those files from direct access. I’ve seen cases of obscure naming of the files, which are not secure if the attacker can get directory information in a way or another. Although are very interesting. Why? Because security by obscurity can be very fun an creative, even useful sometimes if build on top of a secure design. Like for example when using a MySQL database (version 4, so no information_schema database available) and obscuring the table names. Coming back to our subject, you could protect your included files by using the following line of code.

if(!defined('PROTECTED')) { exit; }

While defining the PROTECTED constant in the script which includes the files (which we assume you protect). You can secure your main files (those who include files) in a similar way.

if(!$_SESSION['auth']) { exit; }
define('PROTECTED', true);

Tip 8: Password Change

When making a password change functionality don’t forget to ask the user for their current password. Many think that if a user is logged in and no CSRF could take place they are safe and thus don’t need to ask them for their current password. It’s wrong to think like that because Session Riding attacks are more frequent than you think. And it’s not such a big deal of doing this, it only takes an extra where clause in the update syntax.

$old_password = sha1('salt'.$_POST['old_password']);
$new1 = sha1('salt'.$_POST['new1']);
$new2 = sha1('salt'.$_POST['new2']);
if($new1!=$new2) {
    echo 'Your new passwords do not match!';
    exit;
}
if(mysql_query(
    "UPDATE
     SET password='$new1'
     WHERE id='".$_SESSION['id']."'
     AND password='$old_password'"
)) {
    echo 'Password successfully changed!';
}
else {
    echo 'Password couldn\'t be changed!';
}

Tip 0

This are the most common approaches which should be taken when coding login scripts/admin panels. Also they are the most common neglected aspects. Kind of paradoxical in a way. And that;s not all, if we think of HTTP Redirects which by the way haven’t been treated because latest versions of PHP protect you against HTTP Response Splitting. Another thing I didn’t treat was XSS, which I think (and maybe you would approve) doesn’t make a part of this subject, it concerns the way you implement functionality in your pages. I often wonder why even give power to the user, like for example in a comment form. Why give him even the ability to post link (and convert them to link)?

Anyway, as you can see I didn’t post a ready to use script/class because I wanted you to understand the concept behind login/admin panel security. Not just copy-paste the code and cross your fingers that it will work.

UPDATE: On Ronald’s suggestion I replaced the md5 hashes with sha1 hashes, even salted them. Also modified the MySQL code to order the result by id, just in case there where two accounts with the same login information (which shouldn’t, if you properly did the checks in the registration page, if uses any).

And so you don’t think I am speaking in a hypocritical manner, I admit I strip as well a part from your privacy, with the simple Google tracker I have inside my web pages… but for those that do care about their anonymity this is not an issue.

Tor

As any other person would say, as a first step in regaining your anonymity would be installing the Tor bundle… And don’t get me that “just hackers use proxies”, because it’s not true… who would use a proxy for a %25 bonus prison time if caught? (they would use their own tunnels and proxies, not Tor networks)

There are many reasons why you would use a proxy, apart from the list which you can read on Tor projects website “Who uses Tor?“, what better way to hide your ass when trolling people?

Use Tor, if possible even help out by setting up a node, and be happy of it’s extra anonymity (which I cannot have).

Scroogle

Well, in case you are a Google user I hope you know that every search you ever do is logged… If you have a Google account you may check your whole search history here. Now you may see where Scroogle would come in pretty handy. It also comes with SSL support, so it also adds a part of privacy to it: ssl.scroogle.org.

In simple terms Scroogle does the search on Google for you, drops the cookie that Google tries to attach to your browser and prints you the output of the search.

BugMeNot

Often enough websites ask you for a user account in your attempt to access their content, even if it’s going to be your first (and last) visit on their page. Well through BugMeNot you can bypass that compulsory registration process. Why not just register?

Mailinator

In case BugMeNot didn’t have the answer for the problem (as in bypassing compulsory registration), you can quickly set up your account without having to fear spam later on. Mailinator offers you a easy one step temporary email address for any occasion, at any time you may need it.

GPG

GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880 . GnuPG allows to encrypt and sign your data and communication (…)

Using PGP encryption has many benefits, given the amount of tools built upon it.
For the browser (Firefox) you got FireGPG which let’s you sign, verify, encrypt and decrypt anything that you can select in your browser, this even includes email, posts and so fort. It also comes with implementation for Gmail.

Firefox addons

There are two addons which I know help in providing anonymity.

One would be NoScript, which I use to block trackers (like Google Analytics), but this is just a bonus for the main reason I use it, and I mean security.

The second one is RequestPolicy, which if even would look very similar to NoScript there is a finely grained difference them. I personally use both of them, and do recommend the same if you got the patience to whitelist websites you visit.

IM Encryption

The modern use of the internet is highly oriented on instant messaging, so this area of privacy should be taken care of with more interest than any other before told privacy measure.

For example the IM client Pidgin has a few privacy and security plugins from which you may choose.

As for IM clients like MSN and Yahoo! you may download (and use) BitDefender Chat Encryption for free.

More suggestions?

If there is something that you think I missed out (as in privacy and anonymity for internet users) feel free to contribute, even with alternatives for the before mentioned ones.

If there is a phrase that describes in the best way the distribution, it has to be the one from LinuxTracker:

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.

To be honest I didn’t play with it till now (even if have been a user of the website for a year or so) because off limited free time that I’ve got. But in the near future (hope so) I will give it a shot, you know demonstrate my “talents” to my work colleague, maybe even do a video to help out DVL.

More specific info about included vulnerabilities/tools you can find on this page, but just up to version 1.4, and the download mirrors can be found here.

If this is an unknown domain for you (security) I would recommend you firstly to start out with some basics before even taking a glimpse at DVL. In such a case you might be interested in David Melnichuk book The Hacker’s Underground Handbook.

Before I forget… You would highly be appreciated for seeding the torrent, not just leeching it, because the free stuff never gets seeded well, IMO.

And ignoring this warning is half as bad as having a sql injection vulnerability. Even if home users no longer are a part in a shared network thus sniffing is highly improbable, companies have LAN’s which would make a sniffing attack possible (if the sysadmin didn’t do his job). Throwing away all your security implementations, password enforcements…

SSL is the solution for this case but isn’t necesarily needed. Here comes in userAtuh. Yes it’s a typo, but who cares how it’s called as long as it does a great job?

UserAtuh is a php/js library used for serverside/client side password encryption, ment to mask the password sent by login forms. You can download it from it’s project page on SourceForge.

How does it work? Actually it’s quite straight forward, but I could better show it’s working by pointing out the key portions of code.

It all starts with the login form with has defined to the on submit event assigned to the setEncryption() function, which: hashes the password, joins it with the username and key and double hashes the result storing it in a hidden input field.

Upon form submision the only two values that are requested are the username and the result of the setEncryption() function. The rest is ignored. Forgot to mention that the setEncryption() function also changes the password from the input field with a substring of its result.

The authentification is done by the function with the same name from the KeyHandler object:

public function authenticate($name,$encodedPass,$sha1=true){
    //get the last key that was generated for this
    //session
    $ip = getenv('REMOTE_ADDR');
    $key  = $this->_dba->getKeyFromDB($ip);

    //check if a user exists with this name
    if ($this->_dba->userExists($name)==false) return false;    	

    //retrive the password for the user
    $pass = $this->_dba->getPass($name);

    //make sure password is hashed
    if (!$sha1) $pass = sha1($pass);

    //create a hashed string from the date collected
    $encoded = sha1(sha1($pass.$name.$key));

    //generate a new key, so the last key won't be usable
    $this->generateKey();

    //check the hashed string with the key sent by the
    //client side
    return ($encodedPass==$encoded);
}

Simple, easy, useful. It’s implementation can take at maximum a couple of minutes. Quick and painless, just as I like ‘em.