Category Archives: security

Mod Security for Apache – Web Server Smart Firewall

ModSecurity has features that go above and beyond a standard firewall. It helps prevent denial-of-service attacks and can also block traffic based on realtime blackhole lists issued by Spamhaus and others. ModSecurity is apparently in the Debian repositories as well as Ubuntu's. In the Ubuntu repos you will have to enable the third-party applications and update the aptitude databases. Then install:

sudo apt-get install libapache2-mod-security

Then enable the module:

sudo a2enmod security

By default a configuration file is installed. It gives you a basic starting point for the various security options the module provides. Please refer to the documentation for more information about what can be done. This blog post shows how to use ModSecurity to query realtime blackhole lists and block nasty offenders of various kinds:

http://www.inliniac.net/blog/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blacklists.html
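
What a realtime blackhole list lookup involves, as an added example that is not from the original post or from ModSecurity: the client address is reversed octet by octet, appended to the list's DNS zone, and the returned A record is interpreted. The zone `rbl.example.test`, the function names and the `fake_resolve` stand-in with its answers are constructed for illustration; the 127.255.255.x range is how Spamhaus signals query errors rather than listings.

```shell
#!/bin/sh
# rbl_query_name IPV4 ZONE: print the DNS name to resolve, e.g.
# 192.0.2.99 + rbl.example.test -> 99.2.0.192.rbl.example.test
rbl_query_name() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac    # digits and dots only
    zone=$2; old_ifs=$IFS; IFS=.
    set -- $1                                      # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # reject empty fields, leading zeros and more than three digits
        case "$octet" in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo "$4.$3.$2.$1.$zone"
}

# rbl_verdict ANSWER: classify the A record returned for the query name.
rbl_verdict() {
    case "$1" in
        "")            echo clean ;;   # NXDOMAIN: address is not on the list
        127.255.255.*) echo error ;;   # operator error code: do not block on it
        127.*)         echo listed ;;  # any other 127/8 answer is a listing
        *)             echo bogus ;;   # outside 127/8: not a valid RBL answer
    esac
}

# Constructed stand-in for a DNS resolver so the example runs offline.
fake_resolve() {
    case "$1" in
        2.0.0.127.rbl.example.test)    echo 127.0.0.2 ;;
        10.113.0.203.rbl.example.test) echo 127.255.255.254 ;;
    esac
}

# rbl_check IP ZONE RESOLVER: RESOLVER prints the A record for a name, or nothing.
rbl_check() {
    name=$(rbl_query_name "$1" "$2") || { echo invalid; return 0; }
    rbl_verdict "$("$3" "$name")"
}

for ip in 127.0.0.2 203.0.113.10 198.51.100.7 300.1.1.1; do
    echo "$ip -> $(rbl_check "$ip" rbl.example.test fake_resolve)"
done
```

Treating every answer as a listing would block all visitors whenever the list operator returns an error code, which is why the error range is checked before the general 127/8 case.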

Apache Security – Necessary Settings

PHP is powerful, and allows static HTML pages to become dynamic. It also allows information to translate into commands and functions. Because of this you should implement a variety of security features. The biggest security feature, which increases security of the host machine, is setting the open_basedir parameter. This locks PHP functions to a particular directory, not allowing them to run processes or affect files further down the tree. Use nano and the Ctrl-W function to search for “open_basedir” in /etc/php5/apache/php.ini. It will most likely be commented with a # sign. Remove the # sign and add the document root of your website. If you use virtual hosts, you can add the root of all documents served.

Also turn off several other parameters:

allow_url_fopen

allow_url_include

display_errors

register_globals

safe_mode

Also turn off the Magic Quotes options in php.ini. In /etc/apache2/apache2.conf, turn off the signature option; search for “ServerSignature”. There is an Apache module that should be implemented, ModSecurity; I’ll save it for the next post.
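
One way to check a php.ini against the settings listed above, as an added example that is not from the original post. The sample file is constructed, the function names are hypothetical, the three `magic_quotes_*` names are the PHP 5 Magic Quotes directives, and the parser assumes php.ini's own comment syntax, in which a line starting with `;` is a comment.

```shell
#!/bin/sh
# Constructed sample input, not taken from a real server.
sample_ini() {
cat <<'EOF'
; constructed php.ini excerpt
;open_basedir =
allow_url_fopen = On
allow_url_include = Off
display_errors = Off   ; log errors instead
register_globals = Off
safe_mode = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
EOF
}

# ini_get FILE KEY: print the last uncommented value of KEY ("" if none).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# audit_php_ini FILE: print one PASS/FAIL line per check; return 1 on any FAIL.
audit_php_ini() {
    file=$1; rc=0
    basedir=$(ini_get "$file" open_basedir)
    if [ -n "$basedir" ]; then
        echo "PASS open_basedir = $basedir"
    else
        echo "FAIL open_basedir is unset or still commented out"; rc=1
    fi
    for key in allow_url_fopen allow_url_include display_errors \
               register_globals safe_mode magic_quotes_gpc \
               magic_quotes_runtime magic_quotes_sybase; do
        val=$(ini_get "$file" "$key" | tr '[:upper:]' '[:lower:]')
        case "$val" in
            off|0|false|no|none) echo "PASS $key = $val" ;;
            "") echo "FAIL $key has no explicit value"; rc=1 ;;
            *)  echo "FAIL $key = $val, expected Off"; rc=1 ;;
        esac
    done
    return $rc
}

tmp=$(mktemp) && sample_ini > "$tmp"
audit_php_ini "$tmp" || echo "php.ini does not match the checklist"
rm -f "$tmp"
```

A directive with no explicit value is reported as a failure because PHP then falls back to its built-in default, which is On for some of these settings.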

Hostnames – Strategic and Secure Naming

I have 4 systems in my house. The primary I label serverhost. On the serverhost the /etc/hostnames file is the same as the hostnames file on the other machines. The hostnames file is formatted as follows:

##/etc/hostnames
192.168.1.100 serverhost.bgevolution.com serverhost
192.168.1.101 server.bgevolution.com server
192.168.0.102 tv.bgevolution.com tv
192.168.0.103 server2.bgevolution.com server2

Server 2 is new. I can further clean up the schema by changing the static address of tv to 103 and server2 to 102. But for now it's OK. Now I can reference hosts, with the respective IP address, simply by hostname. This is convenient for setting permissions. Permissions can be a pain in the neck, and if you are referencing a host by IP, localhost, and/or the hostname you will have to create permissions for each. For example, your MySQL server will need permissions for each hostname that you want to connect to it with. Connecting to the server from the serverhost I need permissions for username@serverhost.bgevolution.com. But if I am connecting to MySQL through phpMyAdmin I need permissions for username@server.bgevolution.com.

I have replicated the MySQL server on server to server2, which I connect to with the phpMyAdmin installation on server. On server2 I must give permissions to username@server.bgevolution.com to be able to connect from the server. Ultimately, with no experience dealing with permissions, it is a pain, but after getting everything running you will realize that it makes sense, and it does increase security.

I want the slave server to also behave as the master, and ultimately I want to experiment with setting up a round robin mysql server, meaning as http requests come in to the website, I want it to randomly access database information from either server or server2. This should prove fun.

5 Ways to Save Businesses Big Bucks, Enhance Security and Evolve

Electricity is one of the biggest expenditures in the business world, surpassed only by procurement and human resources; reducing the amount of power consumed by electrical appliances can save a company millions. The first thing to do is configure your computers as thin clients. A computer can consume 30 or more watts each. If a corporation has thousands of computers, and a thin client uses 50-75% less energy, then that translates directly to a 50-75% reduction in the utility bill. There might be a setup cost associated with 10,000 new thin client terminals, but that will be made back within the first year of use.

1) To implement a thin client setup the corporation can use a Microsoft Windows product, which would cost money and be counterproductive. The economical choice is to use Linux, and an out-of-the-box setup can be achieved using Ubuntu. Talk about killing two birds with one stone: using Linux will eliminate the costly expenditure of antivirus subscriptions that all corporations have.

2) By implementing Linux the cost of maintenance will be dramatically reduced. You can have a Linux machine running for years without serious security problems, and the entire update process can be completely automated and centralized to the thin client server. A corporation can significantly cut its maintenance costs with a thin client setup.

Most database applications nowadays are browser-based, therefore Linux is perfectly compatible with most existing systems. Firefox works on all Linux systems.

3) After switching to a Linux thin client server, all those pesky Windows license keys can be resold to needy customers. Theoretically the corporation can recoup several thousands of dollars, if not tens.

4) Then the old energy-inefficient hardware can be resold, or donated to an organization of good will. Either an economical or philanthropic plus.

5) Then security can be enhanced by enforcing an outbound firewall to block all but the needed ports. Theoretically only several ports, clearly port 80, port 25, and several others need to be open. This will dramatically reduce the risks even if a computer becomes infected with a virus. Bye bye Norton, or Symantec. Save that 10-50k per year subscription fee.

Overall there are many reasons to convert to Linux and some of the reasons are priceless. You really cannot put a cost savings on potential security risks, which is one of the biggest selling points of Linux. Ubuntu is free, how can that be beaten?

So all you tech-savvy, underappreciated employees out there, start dreaming up ways to approach the right people in your company with a way to save them millions. If thousands of you draft presentations and attempt to talk to higher-ups, at least one of you will hit a jackpot. Why not let that one person be you?