Posts

Showing posts with the label Apache

Enable HTTP Strict Transport Security in Apache

While redirecting all traffic to HTTPS is good, it may not completely prevent man-in-the-middle attacks. Thus administrators are encouraged to set the HTTP Strict Transport Security header, which instructs browsers never to connect to the site over plain HTTP, and which prevents site visitors from clicking through invalid certificate warnings. This can be achieved with the following settings in the Apache VirtualHost file:

    <VirtualHost *:443>
        ServerName example.com
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </VirtualHost>

This example configuration makes all subdomains accessible only via HTTPS. If you have subdomains that are not accessible via HTTPS, remove includeSubDomains;. Note: this requires the mod_headers module in Apache. The max-age of 31536000 seconds is one year, which is deliberately long.

Redirect all unencrypted traffic to HTTPS in Apache

To redirect all HTTP traffic to HTTPS, administrators are encouraged to issue a permanent redirect using the 301 status code. When using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts config:

    <VirtualHost *:80>
        ServerName example.com
        Redirect permanent / https://example.com/
    </VirtualHost>
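The two posts above describe what the HTTPS setup should return: a 301 to the HTTPS origin on port 80, and a Strict-Transport-Security header with a one-year max-age (plus includeSubDomains and preload if you submit to the preload list). The following checker, an added example and not code from the original posts, validates those two things; the header values and redirect responses it tests are constructed samples, not captured from a real host.

```python
"""Validate an HSTS header value and an HTTP->HTTPS redirect response.
Added example; sample inputs are constructed, not real server output."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds, the max-age used in the post's config


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value, want_subdomains=True):
    """Return a list of problems with the header value (empty list = OK).
    want_subdomains=False matches the post's advice to drop includeSubDomains
    when some subdomains are not served over HTTPS."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age", "")
    max_ok = max_age.isdigit() and int(max_age) >= ONE_YEAR
    if not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif not max_ok:
        problems.append("max-age shorter than one year")
    has_sub = "includesubdomains" in d
    if want_subdomains and not has_sub:
        problems.append("includeSubDomains missing")
    # Preload lists require a one-year max-age and includeSubDomains.
    if "preload" in d and not (max_ok and has_sub):
        problems.append("preload set but preload requirements not met")
    return problems


def check_redirect(status, location, host):
    """True if a plain-HTTP response is a 301 to the HTTPS origin of host."""
    if status != 301:
        return False
    u = urlsplit(location)
    return u.scheme == "https" and u.hostname == host


# Constructed sample values for a quick self-check.
SAMPLE_OK = "max-age=31536000; includeSubDomains; preload"
SAMPLE_WEAK = "max-age=300"
```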

Securing Apache Web Server Configuration

Securing the Apache web server is very important: it means exposing only the intended information, protecting data, and restricting access. Here are some hints and tips on security issues when setting up a web server. Some of the suggestions are general, others specific to Apache.

1. First, make sure you've installed the latest security patches. If you have obtained your version of the HTTP Server directly from Apache, we highly recommend you subscribe to the Apache HTTP Server Announcements List, where you can keep informed of new releases and security updates. Similar services are available from most third-party distributors of Apache software.

2. Hide the Apache version number and other sensitive information. By default many Apache installations tell the world what version of Apache you're running, what operating system/version you're running, and even what Apache modules are installed on the server. Attackers can use this information to their advantage when performing an a...

Multi-processing modules in apache

The Apache HTTP Server is designed to be a powerful and flexible web server that can work on a very wide variety of platforms in a range of different environments. Apache2 comes with 2 multi-processing modules (MPMs), which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests:

1. Prefork
2. Worker

What is the difference between these two? The Prefork MPM uses multiple child processes with one thread each, and each process handles one connection at a time. The Worker MPM uses multiple child processes with many threads each, and each thread handles one connection at a time. On most systems the speed of both MPMs is comparable, but prefork uses more memory than worker. Which one to use? Websites that need a great deal of scalability can choose to use a threaded MPM like worker (because of its low memory usage), while sites requiring stability or compatibility wi...

Securing Apache, Part 11 - Logs

In this final part of the series, we will discover how to strengthen security in Apache through logging and other miscellaneous means. Configuring a system to be secure is indeed a key task, but it is also important to know that the configuration is working properly — and the only way to do so is through log analysis. Sensible logging helps detect performance problems well before they become apparent to users, and provides evidence of potential security problems. Maintaining logs is also useful for traffic analysis. Apache can produce many types of logs, the two essential ones being the access log, where all requests are recorded, and the error log, which is designed to record various informational and debug messages plus every exceptional event that occurs. You, as webmaster, have a limited amount of control over the logging of error conditions, but a great deal of control over the format and amount of information logged about request processing (the access log). The server may log activity in...

Securing Apache, Part 10-Mod_Security

Right from Part 1 of this series, we’ve covered the major types of attacks carried out on Web applications — and their security solutions. In this article, I will reveal the tremendous capabilities of the Apache mod_security module, covering just a small part of what it can do. From the development perspective, implementing security against the many attacks on Web apps doesn’t just require extra coding and stronger validation, but often also results in complex and messy code, which may itself introduce yet another security loophole. Security is often compared to a football game, where success requires the defense to quickly adapt, outrun, and outplay the attackers. Such a dynamic defense cannot properly survive in complex and messy code. Here, Web application firewalls come to the rescue — and what could be better than mod_security? It is designed as an Apache module that adds intrusion-detection and prevention features to the Web server. In principle, it’s similar to an IDS that ...