# Security Guide
## Table of Contents
- [Overview](#overview)
- [Built-in Security Features](#built-in-security-features)
- [Access Control Configuration](#access-control-configuration)
- [Web Server Security](#web-server-security)
- [File System Security](#file-system-security)
- [Network Security](#network-security)
- [Monitoring & Logging](#monitoring--logging)
- [Incident Response](#incident-response)
- [Security Best Practices](#security-best-practices)
## Overview
Security for 5q12's Indexer involves multiple layers: built-in protections, configuration controls, web server hardening, and monitoring. This guide covers comprehensive security implementation.
### Security Principles
- **Defense in Depth**: Multiple security layers
- **Least Privilege**: Minimum necessary access
- **Security by Default**: Safe default configurations
- **Monitoring**: Continuous security awareness
## Built-in Security Features
### Path Traversal Protection
**Automatic protection against directory traversal attacks:**
```php
// Built-in security checks
if (strpos($downloadPath, '../') !== false || strpos($downloadPath, './') !== false) {
http_response_code(403);
die('Access denied - invalid filename');
}
```
**Protected against:**
- `../` escape sequences
- `./` relative path references
- NULL byte injection (`%00`)
- Symlink exploitation
- Encoded traversal attempts
### File Type Security
**Default security exclusions:**
```json
{
"exclusions": {
"index_key": false, // Cryptographic keys
"index_secret": false, // Secret files
"index_passwd": false, // Password files
"index_rsa": false, // SSH private keys
"index_authorized_keys": false,
"index_known_hosts": false,
"index_jks": false, // Java keystores
"index_keystore": false,
"index_p12": false, // PKCS#12 certificates
"index_pfx": false
}
}
```
### Hidden File Protection
**Hidden files excluded by default:**
```json
{
"main": {
"index_hidden": false // Hides .htaccess, .env, .git/, etc.
}
}
```
**Hidden items include:**
- `.htaccess` - Web server configuration
- `.env` - Environment variables
- `.git/` - Version control data
- `.ssh/` - SSH configuration
- `.DS_Store` - System files
## Access Control Configuration
### Deny List Implementation
**Block sensitive directories and files:**
```json
{
"main": {
"deny_list": "admin, private, .git, .env*, config/secrets*, logs, uploads/.exe*"
}
}
```
### Common Security Patterns
#### High-Security Environment
```json
{
"main": {
"cache_type": "sqlite",
"disable_file_downloads": true,
"disable_folder_downloads": true,
"index_hidden": false,
"deny_list": "admin, config, logs, .git, .env*, .htaccess, *.key, *.pem, private/*"
},
"exclusions": {
"index_php": false,
"index_key": false,
"index_secret": false,
"index_passwd": false
},
"viewable_files": {
"view_php": false,
"view_config": false,
"view_env": false,
"view_key": false
}
}
```
#### Public File Server
```json
{
"main": {
"deny_list": "admin, private, .htaccess, config, system, .exe*, .bat*, .cmd*"
},
"exclusions": {
"index_exe": false,
"index_dll": false,
"index_bat": false,
"index_cmd": false
}
}
```
### Download Controls
**Disable downloads for security:**
```json
{
"main": {
"disable_file_downloads": true,
"disable_folder_downloads": true
}
}
```
**Use cases:**
- Read-only environments
- Content protection
- Bandwidth conservation
- Compliance requirements
## Web Server Security
### Apache Security Configuration
#### Protect Configuration Files
```apache
# In .indexer_files/.htaccess
Require all denied
Require all denied
Require all denied
```
#### Prevent PHP Execution in Sensitive Areas
```apache
# In uploads/.htaccess
Require all denied
Require all denied
php_flag engine off
```
#### Hide Sensitive Directories
```apache
# In root .htaccess
Require all denied
Require all denied
Require all denied
```
#### Security Headers
```apache
# Add security headers
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy strict-origin-when-cross-origin
Header always set Content-Security-Policy "default-src 'self'"
```
### Nginx Security Configuration
#### Main Configuration
```nginx
server {
listen 443 ssl http2;
server_name files.yourdomain.com;
root /var/www/html/files;
# SSL Configuration
ssl_certificate /path/to/certificate.pem;
ssl_certificate_key /path/to/private.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
# Security headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
# Hide sensitive files and directories
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~* \.(json|log|backup)$ {
deny all;
access_log off;
}
# Prevent PHP execution in uploads
location /uploads/ {
location ~ \.php$ {
deny all;
}
}
# Main indexer location
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name files.yourdomain.com;
return 301 https://$server_name$request_uri;
}
```
## File System Security
### File Permissions
**Set restrictive permissions:**
```bash
# Indexer file
chmod 644 index.php
# Configuration directory
chmod 755 .indexer_files/
chmod 644 .indexer_files/config.json
chmod 755 .indexer_files/cache/
chmod 755 .indexer_files/zip_cache/
# Remove world write permissions
find .indexer_files/ -type f -exec chmod 644 {} \;
find .indexer_files/ -type d -exec chmod 755 {} \;
# Secure log files
chmod 640 .indexer_files/*.log
```
### Ownership Configuration
**Set appropriate ownership:**
```bash
# Linux/Unix systems
chown -R www-data:www-data .indexer_files/
chown www-data:www-data index.php
# Ensure proper group permissions
chgrp -R www-data .indexer_files/
# Prevent other users from reading sensitive files
chmod 750 .indexer_files/
```
### Directory Security
**Secure sensitive directories:**
```bash
# Create protected directories
mkdir -p {admin,private,config}/.protected
echo "deny from all" > admin/.htaccess
echo "deny from all" > private/.htaccess
echo "deny from all" > config/.htaccess
# Set restrictive permissions
chmod 700 admin/ private/ config/
```
## Network Security
### HTTPS Configuration
**Force HTTPS for all connections:**
```apache
# Apache .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Add HSTS header
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```
### IP Access Restrictions
#### Allow Specific Networks
```apache
# Apache
Require ip 192.168.1.0/24
Require ip 10.0.0.0/8
Require ip 172.16.0.0/12
```
```nginx
# Nginx
allow 192.168.1.0/24;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
deny all;
```
#### Block Suspicious IPs
```bash
# Using fail2ban
[indexer-bruteforce]
enabled = true
port = http,https
filter = indexer-bruteforce
logpath = /var/log/apache2/access.log
maxretry = 5
bantime = 3600
```
### Firewall Configuration
**Configure server firewall:**
```bash
# UFW (Ubuntu Firewall)
ufw default deny incoming
ufw default allow outgoing
ufw allow from 192.168.1.0/24 to any port 22
ufw allow from 192.168.1.0/24 to any port 80
ufw allow from 192.168.1.0/24 to any port 443
ufw enable
# iptables
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
```
## Monitoring & Logging
### Access Logging
**Enhanced Apache logging:**
```apache
# Custom log format with security details
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D %{X-Forwarded-For}i" security
CustomLog /var/log/apache2/indexer_security.log security
```
### Security Monitoring
**Monitor for suspicious activity:**
```bash
#!/bin/bash
# Security monitoring script
LOG_FILE="/var/log/apache2/access.log"
ALERT_EMAIL="admin@yourdomain.com"
# Monitor for path traversal attempts
grep -E "\.\.\/|%2e%2e|%252e" $LOG_FILE | tail -10 | \
mail -s "Path Traversal Attempt Detected" $ALERT_EMAIL
# Monitor for large downloads
awk '$10 > 100000000 {print $0}' $LOG_FILE | tail -5 | \
mail -s "Large Download Detected" $ALERT_EMAIL
# Monitor for rapid requests from single IP
awk '{print $1}' $LOG_FILE | sort | uniq -c | sort -nr | head -10 | \
awk '$1 > 1000 {print "High request volume from " $2 ": " $1 " requests"}' | \
mail -s "High Request Volume Detected" $ALERT_EMAIL
```
### Log Analysis
**Regular security analysis:**
```bash
# Daily security report
#!/bin/bash
LOG_FILE="/var/log/apache2/access.log"
REPORT_DATE=$(date +%Y-%m-%d)
echo "Security Report for $REPORT_DATE" > /tmp/security_report.txt
# Failed requests
echo "=== Failed Requests ===" >> /tmp/security_report.txt
grep " 403 \| 404 \| 500 " $LOG_FILE | wc -l >> /tmp/security_report.txt
# Suspicious user agents
echo "=== Suspicious User Agents ===" >> /tmp/security_report.txt
grep -i "bot\|crawler\|scanner" $LOG_FILE | cut -d'"' -f6 | sort | uniq -c | sort -nr | head -10 >> /tmp/security_report.txt
# Geographic analysis (if GeoIP available)
echo "=== Top Countries ===" >> /tmp/security_report.txt
# Add GeoIP analysis here
# Send report
mail -s "Daily Security Report" admin@yourdomain.com < /tmp/security_report.txt
```
## Incident Response
### Security Breach Response Plan
#### Immediate Actions (First 15 minutes)
1. **Isolate the system:**
```bash
# Temporarily disable indexer
mv index.php index.php.disabled
# Or block all access
echo "deny from all" > .htaccess
```
2. **Preserve evidence:**
```bash
# Copy current logs
cp /var/log/apache2/access.log /tmp/incident_$(date +%s).log
cp .indexer_files/*.log /tmp/
```
3. **Assess damage:**
```bash
# Check for unauthorized file modifications
find . -type f -mtime -1 -ls
# Check running processes
ps aux | grep -E "php|apache|nginx"
```
#### Investigation Phase (First hour)
1. **Log analysis:**
```bash
# Find attack vectors
grep -E "\.\.\/|%2e%2e|%252e" /var/log/apache2/access.log
# Identify attacker IPs
grep " 403 \| 404 " /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
```
2. **File integrity check:**
```bash
# Compare with backups
diff -r backup/ current/
# Check for webshells
find . -name "*.php" -exec grep -l "eval\|base64_decode\|exec" {} \;
```
#### Recovery Phase
1. **Clean and restore:**
```bash
# Restore from clean backup
rm -rf compromised_files/
cp -r backup/ current/
# Update permissions
chmod -R 644 *.php
chmod -R 755 .indexer_files/
```
2. **Strengthen security:**
```bash
# Update deny list
vim .indexer_files/config.json
# Add IP blocks
echo "deny from attacker.ip.address" >> .htaccess
```
### Backup Security
**Secure backup procedures:**
```bash
#!/bin/bash
# Secure backup script
BACKUP_DIR="/secure/backups"
DATE=$(date +%Y%m%d_%H%M%S)
# Create encrypted backup
tar -czf - .indexer_files/ index.php | \
gpg --cipher-algo AES256 --compress-algo 1 --symmetric \
--output "$BACKUP_DIR/indexer_backup_$DATE.tar.gz.gpg"
# Verify backup integrity
gpg --decrypt "$BACKUP_DIR/indexer_backup_$DATE.tar.gz.gpg" | \
tar -tz > /dev/null && echo "Backup verification: OK"
# Clean old backups (keep 30 days)
find "$BACKUP_DIR" -name "indexer_backup_*.tar.gz.gpg" -mtime +30 -delete
```
## Security Best Practices
### Development Security
#### Secure Coding Practices
1. **Input validation** - Validate all user inputs
2. **Output encoding** - Encode output data appropriately
3. **Error handling** - Don't expose system information
4. **Resource limits** - Implement appropriate limits
#### Security Testing
```bash
# Test for common vulnerabilities
curl "https://yoursite.com/path/../../../etc/passwd"
curl "https://yoursite.com/path/%2e%2e%2f%2e%2e%2fetc%2fpasswd"
curl "https://yoursite.com/path/..%2f..%2f..%2fetc%2fpasswd"
```
### Deployment Security
#### Environment Hardening
1. **Remove unnecessary software** and services
2. **Update regularly** - OS, PHP, web server
3. **Use security frameworks** - ModSecurity, fail2ban
4. **Implement monitoring** - Real-time alerts
#### Configuration Management
```bash
# Secure PHP configuration
sed -i 's/expose_php = On/expose_php = Off/' /etc/php/8.1/apache2/php.ini
sed -i 's/display_errors = On/display_errors = Off/' /etc/php/8.1/apache2/php.ini
sed -i 's/;disable_functions =/disable_functions = exec,shell_exec,system,passthru/' /etc/php/8.1/apache2/php.ini
```
### Ongoing Security
#### Regular Security Tasks
1. **Weekly log review** - Analyze access patterns
2. **Monthly updates** - Apply security patches
3. **Quarterly audits** - Review configurations
4. **Annual testing** - Penetration testing
#### Security Checklist
- [ ] HTTPS enabled and enforced
- [ ] Security headers configured
- [ ] File permissions properly set
- [ ] Sensitive files hidden/protected
- [ ] Regular backups created and tested
- [ ] Monitoring and alerting active
- [ ] Access logs reviewed regularly
- [ ] Updates applied promptly
This security guide provides comprehensive protection for 5q12's Indexer while maintaining functionality and performance.
---
**Related Documentation:**
- [Configuration Guide](configuration.md) - Security-focused settings
- [Installation Guide](installation.md) - Secure deployment procedures