PHP Security For Sys Admins

PHP Security For Sys Admins

PHP is an open-source server-side scripting language and it is a widely used. The Apache web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.

Sample Setup For PHP Security Tips

DocumentRoot: /var/www/html
Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
Default PHP configuration file: /etc/php.ini
Default PHP extensions config directory: /etc/php.d/
Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
Default php server TCP/UDP ports: none

Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell:
$ php -v
PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

For demonstration purpose I’m going to use the following operating system:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.1 (Santiago)

#1: Know Your Enemy
PHP based apps can face the different types of attacks. I have noticed the different types of attacks:

XSS – Cross-site scripting is a vulnerability in php web applications, which attackers may exploit to steal users’ information. You can configure Apache and write more secure PHP scripts (validating all user input) to avoid xss attacks.
SQL injection – It is a vulnerability in the database layer of an php application. When user input is incorrectly filtered any SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() before sending the SQL query.
Spoofing
File uploads – It allows your visitor to place files (upload files) on your server. This can result into various security problems such as delete your files, delete database, get user details and much more. You can disable file uploads using php or write secure code (like validating user input and only allow image file type such as png or gif).
Including local and remote files – An attacker can open files from remote server and execute any PHP code. This allows them to upload file, delete file and install backdoors. You can configure php to disable remote file execution.
eval() – Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure php to disable eval().
Sea-surf Attack (Cross-site request forgery – CSRF) – This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
#2: Find Built-in PHP Modules
# php -m
[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
dom
ereg
gd
imap
json
libxml
mbstring
memcache
mysql
mysqli
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
shmop
SimpleXML
zip
zlib
[Zend Modules]
Suhosin
I recommends that you use PHP with a reduced modules for performance and security. For example, you can disable sqlite3 module by deleting (removing) configuration file , OR renaming (moving) a file called /etc/php.d/sqlite3.ini as follows:
# rm /etc/php.d/sqlite3.ini

OR
# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable

Other compiled-in modules can only be removed by reinstallating PHP with a reduced configuration. You can download php source code from php.net and compile it as follows with GD, fastcgi, and MySQL support:

./configure –with-libdir=lib64 –with-gd –with-mysql –prefix=/usr –exec-prefix=/usr –bindir=/usr/bin –sbindir=/usr/sbin –sysconfdir=/etc –datadir=/usr/share –includedir=/usr/include –libexecdir=/usr/libexec –localstatedir=/var –sharedstatedir=/usr/com –mandir=/usr/share/man –infodir=/usr/share/info –cache-file=../config.cache –with-config-file-path=/etc –with-config-file-scan-dir=/etc/php.d –enable-fastcgi –enable-force-cgi-redirect
See how to compile and reinstall php on Unix like operating system for more information.

Restrict PHP Information Leakage

To restrict PHP information leakage disable expose_php. Edit /etc/php.d/secutity.ini and set the following directive:

expose_php=Off
When enabled, expose_php reports to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.3). The PHP logo guids (see example) are also exposed, thus appending them to the URL of a PHP enabled site will display the appropriate logo. When expose_php enabled you can see php version using the following command:
$ curl -I http://www.cyberciti.biz/index.php
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3
Content-type: text/html; charset=UTF-8
Vary: Accept-Encoding, Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session
Last-Modified: Thu, 03 Nov 2011 22:32:55 GMT

I also recommend that you setup the ServerTokens and ServerSignature directives in httpd.conf to hide Apache version and other information.

Minimize Loadable PHP Modules (Dynamic Extensions)

PHP supports “Dynamic Extensions”. By default, RHEL loads all the extension modules found in /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in /etc/php.d/ directory and comment the module name. You can also rename or delete module configuration file. For best PHP performance and security, you should only enable the extensions your webapps requires. For example, to disable gd extension, type the following commands:
# cd /etc/php.d/
# mv gd.{ini,disable}
# /sbin/service httpd restart

To enable php module called gd, enter:
# mv gd.{disable,ini}
# /sbin/service httpd restart

Log All PHP Errors

Do not expose PHP error messages to all site visitors. Edit /etc/php.d/security.ini and set the following directive:

display_errors=Off
Make sure you log all php errors to a log file:

log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
Disallow Uploading Files

Edit /etc/php.d/security.ini and set the following directive to disable file uploads for security reasons:

file_uploads=Off
If users of your application need to upload files, turn this feature on by setting upload_max_filesize limits the maximum size of files that PHP will accept through uploads:

file_uploads=On
# user can only upload upto 1MB via php
upload_max_filesize=1M

Turn Off Remote Code Execution

If enabled, allow_url_fopen allows PHP’s file functions — such as file_get_contents() and the include and require statements — can retrieve data from remote locations, like an FTP or web site.

The allow_url_fopen option allows PHP’s file functions – such as file_get_contents() and the include and require statements – can retrieve data from remote locations using ftp or http protocols. Programmers frequently forget this and don’t do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. Edit /etc/php.d/security.ini and set the following directive:

allow_url_fopen=Off
I also recommend to disable allow_url_include for security reasons:

allow_url_include=Off
Enable SQL Safe Mode

Edit /etc/php.d/security.ini and set the following directive:

sql.safe_mode=On

If turned On, mysql_connect() and mysql_pconnect() ignore any arguments passed to them. Please note that you may have to make some changes to your code. Third party and open source application such as WordPress, and others may not work at all when sql.safe_mode enabled. I also recommend that you turn off magic_quotes_gpc for all php 5.3.x installations as the filtering by it is ineffective and not very robust. mysql_escape_string() and custom filtering functions serve a better purpose (hat tip to Eric Hansen):

magic_quotes_gpc=Off
Control POST Size

The HTTP POST request method is used when the client (browser or user) needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Attackers may attempt to send oversized POST requests to eat your system resources. You can limit the maximum size POST request that PHP will process. Edit /etc/php.d/security.ini and set the following directive:

; Set a realistic value here
post_max_size=1K
The 1K sets max size of post data allowed by php apps. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize. I also suggest that you limit available methods using Apache web server. Edit, httpd.conf and set the following directive for DocumentRoot /var/www/html:

Order allow,deny

## Add rest of the config goes here… ##

Resource Control (DoS Control)

You can set maximum execution time of each php script, in seconds. Another recommend option is to set maximum amount of time each script may spend parsing request data, and maximum amount of memory a script may consume. Edit /etc/php.d/security.ini and set the following directives:

# set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M

Install Suhosin Advanced Protection System for PHP

From the project page:

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

See how to install and configure suhosin under Linux operating systems.

Disabling Dangerous PHP Functions

PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in /etc/php.d/security.ini using disable_functions directive:

disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

PHP Fastcgi / CGI – cgi.force_redirect Directive

PHP work with FastCGI. Fascgi reduces the memory footprint of your web server, but still gives you the speed and power of the entire PHP language. You can configure Apache2+PHP+FastCGI or cgi as described here. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://www.cyberciti.biz/cgi-bin/php/hackerdir/backdoor.php. Turn on cgi.force_redirect for security reasons. Edit /etc/php.d/security.ini and set the following directive:

; Enable cgi.force_redirect for security reasons in a typical *Apache+PHP-CGI/FastCGI* setup
cgi.force_redirect=On

PHP User and Group ID

mod_fastcgi is a cgi-module for Apache web server. It can connect to an external FASTCGI server. You need to make sure php run as non-root user. If PHP executes as a root or UID under 100, it may access and/or manipulate system files. You must execute PHP CGIs as a non-privileged user using Apache’s suEXEC or mod_suPHP. The suEXEC feature provides Apache users the ability to run CGI programs under user IDs different from the user ID of the calling web server. In this example, my php-cgi is running as phpcgi user and apache is running as apache user:
# ps aux | grep php-cgi
phpcgi 6012 0.0 0.4 225036 60140 ? S Nov22 0:12 /usr/bin/php-cgi
phpcgi 6054 0.0 0.5 229928 62820 ? S Nov22 0:11 /usr/bin/php-cgi
phpcgi 6055 0.1 0.4 224944 53260 ? S Nov22 0:18 /usr/bin/php-cgi
phpcgi 6085 0.0 0.4 224680 56948 ? S Nov22 0:11 /usr/bin/php-cgi
phpcgi 6103 0.0 0.4 224564 57956 ? S Nov22 0:11 /usr/bin/php-cgi
phpcgi 6815 0.4 0.5 228556 61220 ? S 00:52 0:19 /usr/bin/php-cgi
phpcgi 6821 0.3 0.5 228008 61252 ? S 00:55 0:12 /usr/bin/php-cgi
phpcgi 6823 0.3 0.4 225536 58536 ? S 00:57 0:13 /usr/bin/php-cgi
You can use tool such as spawn-fcgi to spawn remote and local FastCGI processes as phpcgi user (first, add phpcgi user to the system):
# spawn-fcgi -a 127.0.0.1 -p 9000 -u phpcgi -g phpcgi -f /usr/bin/php-cgi

Now, you can configure Apache, Lighttpd, and Nginx web server to use external php FastCGI running on port 9000 at 127.0.0.1 IP address.

Limit PHP Access To File System

The open_basedir directive set the directories from which PHP is allowed to access files using functions like fopen(), and others. If a file is outside of the paths defined by open_basdir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. For example only allow access to /var/www/html directory and not to /var/www, or /tmp or /etc directories:

; Limits the PHP process from accessing files outside
; of specifically designated directories such as /var/www/html/
open_basedir=”/var/www/html/”
; ————————————
; Multiple dirs example
; open_basedir=”/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/”
; ————————————

Session Path

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site. This path is defined in /etc/php.ini file and all data related to a particular session will be stored in a file in the directory specified by the session.save_path option. The default is as follows under RHEL/CentOS/Fedora Linux:

session.save_path=”/var/lib/php/session”
; Set the temporary directory used for storing files when doing file upload
upload_tmp_dir=”/var/lib/php/session”

Make sure path is outside /var/www/html and not readable or writeable by any other system users:
# ls -Z /var/lib/php/
drwxrwx—. root apache system_u:object_r:httpd_var_run_t:s0 session
Note: The -Z option to the ls command display SELinux security context such as file mode, user, group, security context and file name.

Keep PHP, Software, And OS Up to Date

Applying security patches is an important part of maintaining Linux, Apache, PHP, and MySQL server. All php security update should be reviewed and applied as soon as possible using any one of the following tool (if you’re installing PHP via a package manager):
# yum update

OR
# apt-get update && apt-get upgrade

You can configure Red hat / CentOS / Fedora Linux to send yum package update notification via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.

Note: Check php.net for the most recent release for source code installations.

Restrict File and Directory Access

Make sure you run Apache as a non-root user such as Apache or www. All files and directory should be owned by root user under /var/www/html:
# chown -R root:root /var/www/html/

Make sure file permissions are set to 0444 under /var/www/html/:
# chmod -R 0444 /var/www/html/

Make sure all directories permissions are set to 0445 under /var/www/html/:
# find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}

Make sure httpd.conf has the following directives for restrictive configuration:

Options None
AllowOverride None
Order allow,deny

You should only grant access when required. Some web applications such as wordpress and others may need a caching directory. You need to grant write access caching directory:
# chmod a+w /var/www/html/blog/wp-content/cache
### block access to all ###
# echo ‘deny from all’ > /var/www/html/blog/wp-content/cache/.htaccess

Write Protect Apache, PHP, and, MySQL Configuration Files

Use the chattr command to write protect configuration files:
# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/

Use Linux Security Extensions (such as SELinux)

Linux comes with various security patches which can be used to guard against misconfigured or compromised server programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel and Apache web server. To list all Apache SELinux protection variables, enter:
# getsebool -a | grep httpd
allow_httpd_anon_write –> off
allow_httpd_mod_auth_ntlm_winbind –> off
allow_httpd_mod_auth_pam –> off
allow_httpd_sys_script_anon_write –> off
httpd_builtin_scripting –> on
httpd_can_check_spam –> off
httpd_can_network_connect –> off
httpd_can_network_connect_cobbler –> off
httpd_can_network_connect_db –> off
httpd_can_network_memcache –> off
httpd_can_network_relay –> off
httpd_can_sendmail –> off
httpd_dbus_avahi –> on
httpd_enable_cgi –> on
httpd_enable_ftp_server –> off
httpd_enable_homedirs –> off
httpd_execmem –> off
httpd_read_user_content –> off
httpd_setrlimit –> off
httpd_ssi_exec –> off
httpd_tmp_exec –> off
httpd_tty_comm –> on
httpd_unified –> on
httpd_use_cifs –> off
httpd_use_gpg –> off
httpd_use_nfs –> off
To disable Apache cgi support, enter:
# setsebool -P httpd_enable_cgi off

Install Mod_security

ModSecurity is an open source intrusion detection and prevention engine for web applications. You can easily install mod_security under Linux and protect apache and php based apps from xss and various other attacks:

## A few Examples ##
# Do not allow to open files in /etc/
SecFilter /etc/

# Stop SQL injection
SecFilter “delete[[:space:]]+from”
SecFilter “select.+from”

Run Apache / PHP In a Chroot Jail If Possible

Putting PHP and/or Apache in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use traditional chroot kind of setup with Apache. However, I recommend FreeBSD jails, XEN virtulization, KVM virtulization, or OpenVZ virtualization which uses the concept of containers.

Use Firewall To Restrict Outgoing Connections

The attacker will download file locally on your web-server using tools such as wget. Use iptables to block outgoing connections from apache user. The ipt_owner module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain. In this example, allow vivek user to connect outside using port 80 (useful for RHN or centos repo access):

/sbin/iptables -A OUTPUT -o eth0 -m owner –uid-owner vivek -p tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT

Here is another example that blocks all outgoing connections from apache user except to our own smtp server, and spam validation API service:

# ….
/sbin/iptables –new-chain apache_user
/sbin/iptables –append OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables –append OUTPUT -m owner –uid-owner apache -j apache_user
# allow apache user to connec to our smtp server
/sbin/iptables –append apache_user -p tcp –syn -d 192.168.1.100 –dport 25 -j RETURN
# Allow apache user to connec to api server for spam validation
/sbin/iptables –append apache_user -p tcp –syn -d 66.135.58.62 –dport 80 -j RETURN
/sbin/iptables –append apache_user -p tcp –syn -d 66.135.58.61 –dport 80 -j RETURN
/sbin/iptables –append apache_user -p tcp –syn -d 72.233.69.89 –dport 80 -j RETURN
/sbin/iptables –append apache_user -p tcp –syn -d 72.233.69.88 –dport 80 -j RETURN
#########################
## Add more rules here ##
#########################
# No editing below
# Drop everything for apache outgoing connection
/sbin/iptables –append apache_user -j REJECT

Watch Your Logs & Auditing

Check the apache log file:
# tail -f /var/log/httpd/error_log
# grep ‘login.php’ /var/log/httpd/error_log
# egrep -i “denied|error|warn” /var/log/httpd/error_log

Check the php log file:
# tail -f /var/log/httpd/php_scripts_error.log
# grep “…etc/passwd” /var/log/httpd/php_scripts_error.log

Log files will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present or not. The auditd service is provided for system auditing. Turn it on to audit SELinux events, authetication events, file modifications, account modification and so on. I also recommend using standard “Linux System Monitoring Tools” for monitoring your web-server.

About PHP Backdoors

You may come across php scripts or so called common backdoors such as c99, c99madshell, r57 and so on. A backdoor php script is nothing but a hidden script for bypassing all authentication and access your server on demand. It is installed by an attackers to access your server while attempting to remain undetected. Typically a PHP (or any other CGI script) script by mistake allows inclusion of code exploiting vulnerabilities in the web browser. An attacker can use such exploiting vulnerabilities to upload backdoor shells which can give him or her a number of capabilities such as:

Download files
Upload files
Install rootkits
Set a spam mail servers / relay server
Set a proxy server to hide tracks
Take control of server
Take control of database server
Steal all information
Delete all information and database
Open TCP / UDP ports and much more
Tip: How Do I Search PHP Backdoors?

Use Unix / Linux grep command to search c99 or r57 shell:
# grep -iR ‘c99′ /var/www/html/
# grep -iR ‘r57′ /var/www/html/
# find /var/www/html/ -name *.php -type f -print0 | xargs -0 grep c99
# grep -RPn “(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)” /var/www/html/

Conclusion

Your PHP based server is now properly harden and ready to show dynamic webpages. However, vulnerabilities are caused mostly by not following best practice programming rules. You should be consulted further resources for your web applications security needs especially php programming which is beyond the scope of sys admin work.

Advertisements

48 thoughts on “PHP Security For Sys Admins

  1. Good post. I be taught something more difficult on totally different blogs everyday. It is going to always be stimulating to read content material from different writers and observe slightly something from their store. I’d prefer to use some with the content material on my blog whether you don’t mind. Natually I’ll provide you with a hyperlink on your internet blog. Thanks for sharing.

  2. I’ve found myself here quite a few times before while looking various things. I appreciate the detailed articles you write, and in some cases this is the ONLY place I can even find them. Cheers

  3. Very interesting information! I have been reading on here for awhile off and on, and I finally wanted to make my first comment and reveal myself 😉 I really like some of the news I’ve seen here.

  4. I have been searching for information on this topic for awhile now. So, really appreciate you taking the time to write about it. Truly was difficult to find, so I wanted to post my first comment out of gratitude 🙂

  5. Hey There. I found yoսr blog սsing msn. TҺis iss aո extremely ԝell written article.
    ӏ will Ƅe surе to bookmark it anԀ return tօ read morfe
    օf your useful info. Thaոks foг the post.

    I’ll defiոitely return.

  6. Hey I am so delighted ӏ found your web site, I reallʏ fօսոd you bү
    mistake, ѡhile I աaѕ searching oon Aol foor ѕomething elsе, Regardless I am hewre now ɑոd would just liҟe tߋ ѕay
    mɑny thanks for a tremendous post аnd a all rokund inteгesting blog
    (І also love tthe theme/design), ӏ don’t haѵe time to lоoκ over
    it all at tҺe minute but I hаve saved it anɗ alѕo ɑdded уou RSS feeds,
    ѕo whеn I hɑve time I will be back to read a lot mօre, Pleaase do kеep up thee
    great b.

  7. Excellent pieces. Keeep osting ѕuch kiոd of info on yօur site.
    Im гeally impressed ƅy ƴօur site.
    Hi there, Ύou’ve done aո incredible job. Ι’ll definitelʏ
    digg іt аnd for my part suggеst tо my friends.
    I am confident tɦey wіll bе benefited from thіs website.

  8. Hello! Ӏ’ve been reading yoiur website fօr a whilе nоw ɑnd finally ցot the bravery tto go ahead аnd give you а shout ߋut from Kingwood Texas!
    Jusst ԝanted tο tell ʏߋu keеp սp the grеat job!

  9. Ԝhat’s up іt’s me, I am aleo visiting tɦis web ρage regularly, tɦіs
    web pagе іs genuinely pleasant annd tҺe people aгe truly sharing fasyidious tҺoughts.

  10. Ԝhat’s սp to everʏ , as I ɑm genuinely eager ߋf reading tthis website’s post
    tо bbe updated daily. Іt consists off pleasant material.

  11. Just want to say your article is as astonishing. The clarity to your
    publish is simply spectacular and i can suppose you’re
    an expert on this subject. Fine together with
    your permission allow me to clutch your RSS feed to stay up to date with impending post.
    Thank you one million and please keep up the rewarding work.

  12. Hi there, just became aware of your blog through Google, and
    found that it is truly informative. I’m going to watch out for brussels.
    I will be grateful if you continue this in future. A lot of
    people will be benefited from your writing. Cheers!

  13. ңello tοo eveгy one, the contents pгesent aat tɦis web pagе are actuallу
    amazing fօr people experience, աell, keep up tҺe
    gooɗ work fellows.

  14. Υou have made ѕome гeally goοd points there. I looked on the web to fіnd out morе аbout tҺe issue annd fօսnd most
    individuals wіll gо along with yoսr views onn thіs site.

  15. My relativges ɑlways ѕay that I aam killing mү time here at
    web, Ьut ӏ know I am getting familiarity everү day bby
    reading sսch fastidcious articles orr reviews.

  16. Hello veгy cool website!! Маn .. Beautiful .. Superb ..

    І’ll bookmark yߋur website and take tɦe feeds аlso?
    Ӏ’m happy tto seaarch оut numerous useful infoгmation hеre iin the submit, ԝe need
    worҡ out extra strategies օn thіs regard, thɑnk ƴоu for
    sharing. . . . . .

  17. Sweet blog! I found it while surfing aroind օn Yahoo News.
    Ɗo you havе any suggestions on how to gett listed іn Yahoo News?
    І’ve been trying for a while but I never seem tߋ gеt there!
    Thɑnk ƴou

  18. I thіnk this iѕ amoong the so mucɦ vital informatioon for me.

    And i am happy readikng уour article. Βut shoսld commentary
    on somе geneгal issues, Тhe web site taste іs perfect, thе articles
    is actually gresat : D. Ecellent job, cheers

  19. Hi, I doo believe this is ann excellent site. І stumbledupon iit 😉 І аm goіng tߋ return οnce aցain since i have book-marked іt.

    Money аnd freedom іs thе besst ԝay to change, may ƴou be rich ɑnd continue
    tto guide οther people.

  20. І am suгe tɦiѕ article Һаs touched all the internet people,
    іts reallу reallʏ pleasaant post ߋn building up neѡ website.

  21. Hey veгy nice blog!! Guy .. Beautiful .. Amazing .. Ӏ will bookmark youг website and tɑke
    tҺe feweds additionally? І’m satisfied tto find so many helpful іnformation riցht Һere witҺіn the submit, we’d likе develop extra
    techniques іn thіs regard, tҺanks for sharing. . . . . .

  22. Hi! I’ve Ƅeеn followіng your site foг a long time now and finally got the courage to ggo ahesd and gіve үօu a
    shout out from Austin Tx! Јust աanted to mention keep up the great job!

  23. What’s up to eѵery body, it’s my fіrst visit оf tҺis weblog;
    tɦis weblog includes remarkable andd гeally fіne information in favor of readers.

  24. I was recommended this website by my cousin. I’m not sure whether this post is written by him as nobody else know such detailed about my difficulty.

    You are incredible! Thanks!

  25. Thanks for your marvelous posting! I really enjoyed reading it, you will be
    a great author.I will be sure to bookmark your blog and will
    often come back later in life. I want to encourage you to definitely continue your great work, have
    a nice afternoon!

  26. Heya i am for the first time here. I found this board and I in finding It really useful & it hhelped mee out a lot.
    I’m hoping to offer one thing back and aid others such as
    you helped me.

  27. An impressive share! I’ve just forwarded this onto a coworker who has
    been doing a little research on this. And he in fact ordered mee dinner because I discovered it forr him…
    lol. So allow me to reword this…. Thanks for the meal!!
    But yeah, thanx for spending time to talk about this matter here
    on your web site.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s