Server Security Tips
Over the past year, we have covered many server security issues. Here is a brief summary of some of the highlights.
1. Do not allow direct root/administrator login
2. Make sure passwords are secure and changed regularly (by force if necessary)
3. Use a network firewall, such as APF
4. Use an application firewall, such as ModSecurity
5. Chroot all non-root users to keep them out of system directories
6. Use virus scanners and spam filters
7. Close mail server open relays
8. Keep all software and scripts up-to-date
9. Test your server for security holes
10. Keep up on the latest security news
11. Use SSL for secure data transactions
12. Set permissions as strictly as possible on any web-accessible files
Tag: chroot, firewall, modsecurity, passwords, root, security, ssl, virus
Book Review: ModSecurity 2.5 by Magnus Mischel
Title: ModSecurity 2.5: Securing your Apache installation and web applications
Author: Magnus Mischel
Publisher: Packt Publishing
Price: £26.34
Securing a web server can be a difficult task. Large companies hire professionals or consulting companies to ensure their customers have access to their content and any would-be attackers have access to nothing else. For the rest of us (and possibly even for the consulting companies), there is ModSecurity, a free and open source application firewall.
In this newly released book from Packt Publishing, Magnus Mischel guides readers through the entire process of downloading, installing, setting up, and solidifying ModSecurity on their Linux-based servers. Make no mistake, this book is not for entertainment purposes, but the writing is concise, and the style of delivery is easy on the eyes.
Tag: apache, book, linux, modsecurity, server, web hosting
New ModSecurity Book
ModSecurity, a free and open source application firewall, is one of the best in the industry. Packt Publishing will soon be releasing a book about the software called ModSecurity 2.5 by Magnus Mischel.
“This book is written for system administrators or anyone running an Apache web server who wants to learn how to secure that server. It assumes that you are familiar with using the Linux shell and command-line tools, but does its best to explain everything so that those who are not Linux experts can make full use of ModSecurity.”
According to its website, the book will teach a number of useful skills, including: compiling ModSecurity from source and installing in Linux, locating the geographical location of an attacker, putting Apache in a chroot jail, and much more.
In the coming weeks, I will post a review of the book. Be sure to check back soon.
How to Turn Off ModSecurity for a Site

Question: My dedicated server is running ModSecurity, but one of the websites needs it turned off in order to operate correctly. How do I turn it off for just one site?
Answer: Before you proceed, keep in mind the reason you have ModSecurity installed in the first place. It is there to prevent security problems. Turning it off opens up that site and possibly even your server to attacks. The more practical approach would be to turn off certain features of ModSecurity to accommodate that site. By default, the restrictions are pretty stringent. You can ease some of them and still provide blanket security.
Nevertheless, if you insist on turning it off completely on a site, simply enter the following into an .htaccess file for ModSecurity 1:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
For ModSecurity 2, enter the following in the site’s virtual host section of the Apache configuration file:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
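The narrower approach the answer recommends, easing ModSecurity 2 for one site instead of switching it off, can look like the following. This is an added example, not configuration from the original post; the host name, paths and the rule ID 1234567 are placeholders.

```apache
# Added example: hypothetical virtual host. example.com, the paths and
# the rule ID 1234567 are placeholders, not values from the original post.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example

    <IfModule mod_security2.c>
        # Keep the rule engine enabled for the site as a whole.
        SecRuleEngine On

        # Option 1: remove only the rule that causes the false positive,
        # and only for the URL that triggers it. The rule ID comes from
        # the [id "..."] field of the matching ModSecurity log entry.
        # The rule set must already be loaded before this directive.
        <LocationMatch "^/app/upload\.php$">
            SecRuleRemoveById 1234567
        </LocationMatch>

        # Option 2: while identifying which rules misfire, evaluate and
        # log rule matches for one path without blocking requests.
        <Location "/app/">
            SecRuleEngine DetectionOnly
        </Location>
    </IfModule>
</VirtualHost>
```

Run `apachectl configtest` before reloading Apache, and return any `DetectionOnly` section to `On` once the exceptions are in place.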
Tag: apache, dedicated server, modsecurity, security
Securing Apache with ModSecurity

Apache HTTP Server is the most widely used web server application and is arguably the best available. Nevertheless, being a good application does not automatically make Apache secure. If your websites are simple HTML pages with no dynamic web applications or scripts, you probably have little cause for concern. Once you start introducing other elements, however, security can become an issue.
PHP scripts, for example, introduce vulnerabilities into your system that can be hard to predict. Rather than find out you have a security hole after the fact, the proactive web host will use a security system. ModSecurity is a free and open source web application firewall. As the name and description imply, it protects your web server by placing a firewall between it and your web applications. Before an outside entity can use your web applications to interact with the server, it must go through ModSecurity.
ModSecurity comes with a set of standard core rules that you can install and immediately apply. Chances are, however, that you will want to customize those rules depending on your needs. Sometimes they might be too restrictive for certain applications. You can make exceptions and tweak the rules to your liking. The large community of users also submits custom rules that its members share with each other. In addition to the source code, you can obtain binary packages for ModSecurity for various Linux distributions, BSD, Windows, and many Unix variants.
Tag: apache, http, linux, modsecurity, security, web server