Showing posts with the label Security

Enable HTTP Strict Transport Security in Apache

While redirecting all traffic to HTTPS is good, it does not completely prevent man-in-the-middle attacks. Administrators are therefore encouraged to set the HTTP Strict Transport Security header, which instructs browsers never to connect to the site over plain HTTP and attempts to prevent site visitors from bypassing invalid certificate warnings. This can be achieved with the following settings in the Apache VirtualHost file:

<VirtualHost *:443>
    ServerName example.com
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>

This example configuration makes all subdomains accessible only via HTTPS. If you have subdomains that are not accessible via HTTPS, remove includeSubDomains; from the header value. Note: this requires the mod_headers module to be enabled in Apache. A long max-age is recommended; 31536000 seconds is one year.

Redirect all unencrypted traffic to HTTPS in Apache

To redirect all HTTP traffic to HTTPS, administrators are encouraged to issue a permanent redirect using the 301 status code. When using Apache this can be achieved by a setting such as the following in the Apache VirtualHosts config:

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Nginx web server with SSL

Some Web sites, such as on-line stores, require secure communication (HTTPS) to protect credit-card transactions and customer information. Like Apache, Nginx supports HTTPS via an SSL module, and it is very easy to set up. In this tutorial I use the hostname srv-web01.nginx.vn with the IP address 10.11.218.251. First, you need to generate an SSL certificate. The openssl command will ask you a bunch of questions, but you can simply press Enter for each one:

# yum install openssl
# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl req -new -x509 -nodes -days 265 -newkey rsa:2048 -out server.crt -keyout server.key

Create a new config file called /etc/nginx/sites-available/nginx.vn, which contains the following (note that every nginx directive must end with a semicolon):

server {
    listen 443;
    server_name nginx.vn;
    root /var/www/nginx.vn;
    index index.html index.htm;
    access_log /var/log/nginx/nginx.vn-access.log;
    error_log /var/log/nginx/nginx.vn-error.log;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key ...

Securing Apache Web Server Configuration

Securing the Apache web server is very important: it means exposing only the information you intend to expose, protecting data, and restricting access. Here are some hints and tips on security issues when setting up a web server. Some of the suggestions are general, others are specific to Apache. 1. First, make sure you have installed the latest security patches. If you have obtained your version of the HTTP Server directly from Apache, we highly recommend you subscribe to the Apache HTTP Server Announcements List, where you can keep informed of new releases and security updates. Similar services are available from most third-party distributors of Apache software. 2. Hide the Apache version number and other sensitive information. By default many Apache installations tell the world what version of Apache you are running, what operating system/version you are running, and even what Apache modules are installed on the server. Attackers can use this information to their advantage when performing an a...

Securing Apache, Part 11 - Logs

In this final part of the series, we will discover how to strengthen security in Apache by logging and other miscellaneous ways. Configuring a system to be secure is indeed a key task, but it is also important to know that the configuration is working properly — and the only way to do so is through log analysis. Sensible logging helps detect performance problems well before they become apparent to users, and provides evidence of potential security problems. Maintaining logs is also useful for traffic analysis. Apache can produce many types of logs, the two essential ones being the access log, where all requests are noted, and the error log, which is designed to log various informational and debug messages, plus every exceptional event that occurs. You, as Web master, have a limited amount of control over the logging of error conditions, but a great deal of control over the format and amount of information logged about request processing (access log). The server may log activity in...

Securing Apache, Part 10-Mod_Security

Right from Part 1 of this series, we’ve covered the major types of attacks being done on Web applications — and their security solutions. In this article, I will reveal the tremendous capabilities of the Apache mod_security module, covering just a small part of what it can do. From the development perspective, implementing security against the many attacks on Web apps doesn’t just require extra coding and stronger validation, but often also results in complex and messy code, which may sometimes cause yet another security loophole. Security is often compared to a football game, where success requires the defense to quickly adapt, outrun, and outplay the attackers. Such a dynamic defense cannot properly survive in complex and messy code. Here, Web application firewalls come to the rescue — and what else is better than mod_security. It is designed as an Apache module that adds intrusion-detection and prevention features to the Web server. In principle, it’s similar to an IDS that ...