
Secure-Webapps


WebForensik – PHPIDS-based Security Log Analyzer for Apache.

GoAccess – Visual Web Log Analyzer.

Serving Secure Sites With SNI On Apache. What is SNI: SNI (Server Name Indication) is a TLS extension (the "SSL" that mod_ssl speaks) that allows multiple SSL-enabled Web sites to be served from a single IP address and port (443). The client sends the host name it wants in its first handshake message, so the server can pick the matching certificate before the encrypted session is set up. SNI requires visitors to use browser versions that send it, but it gets around the problem of needing a separate IP address for every secure site hosted on the same Web server. For our example we'll set up two sites with SSL: secure1.example.com and secure2.example.com. Both sites will be served from the same IP address, and we'll use a separate SSL certificate for each.

We'll also set up an unsecured site, www.example.com, for contrast and testing purposes.

Pre-requisites: we'll use the Apache Web server with mod_ssl and OpenSSL for this article. If your server runs Ubuntu 10.04 (or newer) or Fedora 10 (or newer), the Apache and OpenSSL packages that ship with these distributions already support SNI. If you're compiling Apache yourself, note that SNI is supported in Apache 2.2.12 and newer, and that mod_ssl also needs an OpenSSL built with TLS extension support (0.9.8f or later). Browsers How-to.

Nikto. Jan 1018 Nikto is a vulnerability scanner that makes it very simple to audit your Web servers. It detects various weaknesses such as XSS, an outdated Web server version, listings of more or less sensitive directories, and so on. Nikto's main strength is its plugin system, which lets you extend what the tool can do.

However, I recommend pairing this program with more complete tools such as Acunetix, AppScan, Shadow Security Scanner...

Usage:
- Basic tests -
Scan the site www.lestutosdenico.com: #perl nikto.pl -h www.lestutosdenico.com
Scan the site when the port is not 80: #perl nikto.pl -h www.lestutosdenico.com -p 8080
Scan the site over https: #perl nikto.pl -h
- Using a proxy -
#perl nikto.pl -h 192.168.0.1 -p 80 -u
You will also need to edit the nikto.conf file and set these variables:
- Evasion scan -
- Update -

Unix News Tutorials Events and Stuff: Hardening Apache. Your Apache + PHP installation may not be as secure as you think it is. I recently ran some Nessus scans on servers I was getting ready to deploy and found they weren't configured as securely out of the box as I had hoped.

Here are a few of the things I changed on them to make them more secure. The first obvious thing I did was upgrade all the software to the latest version.

Backup CGIs shouldn't be downloadable. This problem covers files such as .old, .bak, files ending in ~ (an extension used by some editors and backup programs), .save, and so on. Apache does nothing to hide these files from prying eyes, so they can be downloaded as plain source, which may reveal sensitive information: a .bak copy of a PHP script is served as text rather than executed, so any database credentials inside it are exposed.

It also includes .svn or CVS directories that you may have unwittingly copied into a web directory that you keep under source control. Just add this to the httpd.conf file. <FilesMatch "(\.inc|.

Disabling TRACE: the TRACE method echoes the request back to the client, headers included, so it can be used in cross-site tracing attacks to read cookies and credentials that page scripts are not supposed to see. Turn it off (Apache's TraceEnable directive). expose_php off: set expose_php = Off in php.ini.

Creating Self-Signed SSL Certificates for Apache on Linux. If Firesheep and other menaces have you worried about using unsecured connections, it's time to take matters into your own hands. In just under 20 minutes you can create a self-signed certificate for Apache so that any sensitive information you pass to your Web site travels over an encrypted connection. It's easy and takes very little time to configure. This tutorial assumes you're going to use a self-signed certificate. Be aware that browsers will warn about it, and that it only defends against a man-in-the-middle if you verify its fingerprint yourself the first time, since no CA vouches for it. You can largely follow along with the tutorial for getting and installing a certificate via a Certificate Authority (CA) as well, but omit the steps for generating your own self-signed cert.

Generate the request, work with the CA to get the certificate, and then follow the installation and configuration steps.

Self-signed vs. Certificate Authorities. Why am I giving a guide for self-signed certs? I use a self-signed certificate because I want to connect to my server securely when managing my blog using WordPress. The reason? A Cert of My Own. Here's what we're going to do, in order:

Stop rejecting valid e-mail addresses.

Installing ModSecurity2 On Debian Etch. Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 06/22/2007. This article shows how to install and configure ModSecurity (version 2) for use with Apache2 on a Debian Etch system. ModSecurity is an Apache module that provides intrusion detection and prevention for web applications, i.e. a web application firewall. It aims at shielding web applications from known and unknown attacks, such as SQL injection, cross-site scripting, path traversal attacks, etc.
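The two procedures above, the self-signed certificate and the SNI virtual hosts, share the same certificate step, so here is one added example covering both. It is not code from either article: it creates one self-signed key/certificate per host name and prints two name-based SSL vhosts that share a single IP address. The host names, CERT_DIR, the document roots and the 365-day validity are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example (not code from either article above): one self-signed
# key/certificate per host name, then two name-based SSL vhosts on a single
# IP address, which is the SNI setup described earlier. The host names,
# CERT_DIR, the document roots and the 365-day validity are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ssl/sni-example}"

# mkcert NAME: 2048-bit key plus a self-signed certificate for one host.
# Current browsers check subjectAltName rather than CN, hence -addext
# (OpenSSL 1.1.1 or newer). For a CA-issued certificate drop -x509 and
# -days: the same command then writes a CSR to -out, which you send to
# the CA, and the CA's certificate takes the place of NAME.crt below.
mkcert() {
    name="$1"
    mkdir -p "$CERT_DIR"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$CERT_DIR/$name.key" -out "$CERT_DIR/$name.crt" 2>/dev/null
    chmod 600 "$CERT_DIR/$name.key"    # private key: owner-readable only
}

# ssl_vhost NAME: one <VirtualHost> stanza. With SNI, mod_ssl selects the
# stanza whose ServerName matches the host name in the client's handshake.
ssl_vhost() {
    name="$1"
    cat <<EOF
<VirtualHost *:443>
    ServerName $name
    DocumentRoot /var/www/$name
    SSLEngine on
    SSLCertificateFile    $CERT_DIR/$name.crt
    SSLCertificateKeyFile $CERT_DIR/$name.key
</VirtualHost>
EOF
}

# sni_config NAME...: the complete SSL configuration. Clients that send no
# SNI would get the first stanza; SSLStrictSNIVHostCheck on rejects them
# instead, so an old client never silently lands on the wrong site.
# NameVirtualHost is needed on Apache 2.2 and ignored (with a warning) on
# 2.4; omit Listen if ports.conf already has it.
sni_config() {
    cat <<EOF
Listen 443
NameVirtualHost *:443
SSLStrictSNIVHostCheck on
EOF
    for name in "$@"; do
        ssl_vhost "$name"
    done
}

# sni_served NAME: after "apachectl graceful", which certificate does the
# server present when this host name is sent as SNI? Needs a live server,
# so it is defined here but not run.
sni_served() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Stand-alone use: print the config; set MAKE_CERTS=1 to also create the
# certificates (needs write access to CERT_DIR).
if [ "${MAKE_CERTS:-0}" = "1" ]; then
    for site in secure1.example.com secure2.example.com; do mkcert "$site"; done
fi
sni_config secure1.example.com secure2.example.com
```

Redirect the printed configuration into a file under sites-available, enable it, reload, and then run sni_served for each host name: the subject line must change with the name you send, otherwise SNI is not in effect and every client is getting the first certificate.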

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal, but this is the way I take. I do not issue any guarantee that this will work for you!

1 Preliminary Note. I'm assuming that Apache2 is already installed and fully functional on your Debian Etch system.

2 Installation. In Debian Sarge, ModSecurity was available as a .deb package in the official Debian repositories, but in Debian Etch it was removed due to some license issues.
vi /etc/apt/sources.list
apt-get update

4 Links.

Securing Apache Web Server from information leakage. By default, most pre-packaged Apache installations leak version information freely. You can check by telnetting to port 80 on your webserver, typing the line GET / HTTP/1.1 and hitting enter twice (the request carries no Host header, which HTTP/1.1 requires, so the server answers 400 Bad Request; the headers it sends with that error are what we are after):

#telnet localhost 80
Trying 127.0.0.1...

Connected to localhost.localdomain.
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1

Here we see the Apache version, the distro, and the PHP version. Two httpd.conf directives trim this: ServerTokens Prod reduces the Server header to just "Apache", and ServerSignature Off removes the version footer from Apache-generated error pages and directory listings. Hiding the version does not fix anything that is vulnerable in it, but it denies casual scanners an easy fingerprint.
ServerSignature Off
ServerTokens Prod

Now you need to secure the PHP version information. By default, when PHP serves a page, the headers include X-Powered-By: PHP/4.X.X. You need to modify php.ini and set the expose_php variable to Off.

expose_php = Off

Another problem in PHP is display_errors: you want this turned off for a production web site, because error output can reveal file paths or other information. Turn on log_errors instead so the same messages go to the error log.

How to secure my web application? Having a shopping cart or content management system is an excellent way to start your own website, but not securing your system will give you a big heart attack if an attacker breaks in. Therefore, it is crucial to ensure that your application's administration panel is secured to prevent attack or abuse.
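Returning to the Apache and PHP hardening advice above (backup and include files, TRACE, ServerTokens/ServerSignature, expose_php, display_errors), here is an added example that is not code from any of those articles. It prints the settings as one configuration fragment and adds two checks: one that tests a file name against the same pattern the FilesMatch rule uses, and one that scans an HTTP response for the disclosures the articles describe. The paths, the pattern and the two sample responses are constructed for the example; the first response mirrors the telnet transcript above with a PHP warning added to the body.

```shell
#!/bin/sh
# Added example, not taken from the articles above: the Apache/PHP
# hardening settings in one place, plus two checks you can run before
# and after applying them. Paths and the sample responses are assumptions.
set -eu

# One pattern for the FilesMatch rule and for the local check below:
# backup copies, editor leftovers and include files must not be served.
BACKUP_RE='(\.inc|\.bak|\.old|\.orig|\.save|\.swp|~)$'

# hardening_conf: Apache 2.2 syntax; on 2.4 replace each Order/Deny pair
# with "Require all denied".
hardening_conf() {
    cat <<EOF
# Backup, editor and include files (matched on the file name)
<FilesMatch "$BACKUP_RE">
    Order allow,deny
    Deny from all
</FilesMatch>
# Version-control metadata copied into the document root
<DirectoryMatch "/\.(svn|git)|/CVS">
    Order allow,deny
    Deny from all
</DirectoryMatch>
# TRACE echoes the request back, cookies and Authorization header included
TraceEnable off
# "Server: Apache" only, and no version footer on error pages and listings
ServerTokens Prod
ServerSignature Off
EOF
}

# php_ini_conf: the matching php.ini settings
php_ini_conf() {
    cat <<'EOF'
expose_php = Off
display_errors = Off
log_errors = On
EOF
}

# blocked_name NAME: exit 0 if the FilesMatch rule would block this file name
blocked_name() {
    printf '%s\n' "$1" | grep -qE "$BACKUP_RE"
}

# leak_count: read an HTTP response on stdin, report each disclosure on
# stderr and print the number found (0 means nothing leaked).
leak_count() {
    resp="$(tr -d '\r')"
    hdrs="$(printf '%s\n' "$resp" | sed '/^$/q')"    # headers end at the blank line
    n=0
    if printf '%s\n' "$hdrs" | grep -qiE '^Server:.*[/(]'; then
        echo "Server header discloses version or platform" >&2; n=$((n + 1))
    fi
    if printf '%s\n' "$hdrs" | grep -qi '^X-Powered-By:'; then
        echo "X-Powered-By header present (expose_php is On)" >&2; n=$((n + 1))
    fi
    if printf '%s\n' "$resp" | grep -qE '(Warning|Notice|Fatal error)(</b>)?:.* on line [0-9]+'; then
        echo "PHP error text with file path in body (display_errors is On)" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# live_leak_count URL: the same check against a running server (needs curl
# and network access, so it is defined but not run here).
live_leak_count() {
    curl -s -i "$1" | leak_count
}

# Constructed sample responses: before and after the settings above.
leaky_response() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-18
X-Powered-By: PHP/4.3.10-18
Content-Type: text/html; charset=iso-8859-1

<b>Warning</b>: include(config.inc): failed to open stream in /var/www/index.php on line 12
EOF
}
hardened_response() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Fri, 30 Mar 2007 09:59:37 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><body>ok</body></html>
EOF
}

# Stand-alone use: print the config, then run both checks on the samples.
hardening_conf; php_ini_conf
for f in index.php index.php.bak config.inc 'index.php~'; do
    if blocked_name "$f"; then echo "blocked: $f"; else echo "served:  $f"; fi
done
echo "leaks before: $(leaky_response | leak_count 2>/dev/null)"
echo "leaks after:  $(hardened_response | leak_count 2>/dev/null)"
```

The pattern is deliberately anchored on the file name only, as FilesMatch is; directories such as .svn need the separate DirectoryMatch block because their files (entries, all-wcprops) have no telltale suffix.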

Here are some of the methods you can consider implementing to protect your website.

Use strong passwords. A strong password should consist of non-dictionary words, with a combination of symbols, lower-case letters, upper-case letters, and numbers. Change your password regularly, and do not fear forgetting your password, as you can easily reset it if needed: simply contact us and we will assist you.

Password protect your directories using htpasswd files. Here are some examples of sensitive folders that you should secure:
WordPress: wp-admin
Popular shopping carts (osCommerce, ZenCart, CubeCart): administrator
Joomla: administrator

Project - PHP Security - Configuration. Suhosin's features are all configured through the php.ini configuration file. Here you can find descriptions of all supported options.
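For the "password protect your directories using htpasswd files" advice above, here is an added example (not code from the hosting FAQ) that generates the htpasswd entry and the matching Apache stanza for an admin directory, and handles two caveats a practitioner hits in practice: Basic auth must only run over HTTPS, and WordPress's admin-ajax.php has to stay reachable. DOCROOT, PASSFILE, the user name and the password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the FAQ above: put an application's admin
# directory behind HTTP Basic auth backed by an htpasswd file. DOCROOT,
# PASSFILE, the user name and the password are placeholders.
set -eu

DOCROOT="${DOCROOT:-/var/www/example.com}"
PASSFILE="${PASSFILE:-/etc/apache2/htpasswd-admin}"   # outside DocumentRoot

# hash_password USER PASSWORD: one htpasswd line on stdout. Prefer bcrypt
# (htpasswd -B, Apache 2.4), then htpasswd's MD5 scheme (2.2), and finally
# the same apr1 MD5 scheme from OpenSSL when htpasswd is not installed.
hash_password() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2" 2>/dev/null || htpasswd -nbm "$1" "$2"
    else
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    fi
}

# auth_stanza DOCROOT SUBDIR PASSFILE: <Directory> block for the vhost.
# Basic auth only base64-encodes the password, so SSLRequireSSL refuses
# plain-HTTP requests to the protected directory.
auth_stanza() {
    cat <<EOF
<Directory "$1/$2">
    SSLRequireSSL
    AuthType Basic
    AuthName "Administration"
    AuthUserFile $3
    Require valid-user
</Directory>
EOF
}

# WordPress front-end scripts call wp-admin/admin-ajax.php without logging
# in, so protecting wp-admin breaks them unless that file is exempted
# (Apache 2.2 syntax; on 2.4 use "Require all granted" instead of the
# Order/Allow pair).
wp_ajax_exception() {
    cat <<'EOF'
<Files admin-ajax.php>
    Satisfy any
    Order allow,deny
    Allow from all
</Files>
EOF
}

# protect SUBDIR USER PASSWORD: append the user to PASSFILE and print the
# stanza to paste into the vhost. Run as root, then "apachectl graceful".
protect() {
    hash_password "$2" "$3" >> "$PASSFILE"
    chmod 640 "$PASSFILE"       # readable by root and the Apache group only
    auth_stanza "$DOCROOT" "$1" "$PASSFILE"
    if [ "$1" = "wp-admin" ]; then
        wp_ajax_exception
    fi
}

# Stand-alone use: show the stanzas for the directories the FAQ lists
# (no files are written; call protect for that).
for dir in wp-admin administrator; do
    auth_stanza "$DOCROOT" "$dir" "$PASSFILE"
done
wp_ajax_exception
```

The AuthUserFile sits outside DocumentRoot on purpose: a hash file inside the web root is itself a downloadable file, which is exactly the backup-file problem from the Apache hardening article.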

For most users Suhosin will work out of the box without any change to the default configuration. When you use only the Suhosin-Patch, only the logging features are supported. When you use only the Suhosin-Extension, you cannot use the predefined constants for configuration.

Logging Configuration
suhosin.log.syslog (Type: Integer): Defines which classes of security alerts are logged to the syslog daemon. Keep in mind that using the constants is only supported when the Suhosin-Patch is used.
suhosin.log.syslog.facility (Type: Integer, Default: LOG_USER): Defines the syslog facility that is used when ALERTs are logged to syslog.
suhosin.log.syslog.priority (Type: Integer, Default: LOG_ALERT): Defines the syslog priority that is used when ALERTs are logged to syslog.
suhosin.log.sapi: Defines which classes of security alerts are logged through the SAPI error log.

Print - Hardening PHP with Suhosin. Introduction: Suhosin is a great and simple way of increasing your security without having a large impact on overall performance.

In this tutorial I will cover the installation and configuration of Suhosin on both Debian Etch and CentOS 5. I may cover mod_security in a later tutorial. In this tutorial I assume that you already have Apache and PHP set up; their setup and installation are outside the scope of this tutorial.

Contents
Debian etch installation [/tutorial/hardening-php-with-suhosin/page2]
CentOS 5 installation [/tutorial/hardening-php-with-suhosin/page3]
Configuration [/tutorial/hardening-php-with-suhosin/page4]

Debian etch installation. The installation of Suhosin on Debian Etch is really pretty simple.

First we start by finding the Suhosin package for our PHP version:
apt-cache search suhosin
php4-suhosin - advanced protection module for php4
php5-suhosin - advanced protection module for php5
Now install suhosin. Configuration.