
Most of the voices we have heard speaking out about the proposed .XXX top-level domain (TLD) come from the tech community, the adult industry, and politicians with various agendas. Although I rarely use this blog for editorial purposes, I thought it might be helpful for people to consider the perspective of an educator who has worked at all primary and secondary school levels and will soon start working in higher education.
The benefits of having an entire TLD for adult sites are clear if you are in the adult industry, but what some may not have considered is that it can also help those trying to prevent children from accessing such sites. It also provides a definite advantage for IT security professionals, who are often given the impossible task of trying to limit access.
Make no mistake, it will not solve all problems, and it is doubtful adult and pornographic sites will limit themselves exclusively to .XXX domains, but part of promoting themselves as legitimate businesses involves making a conscious effort to keep children away from their sites. This could work in favor of both sides of the argument if it is used to its full potential. ICANN is again considering it, and time will tell. But it is certainly worth a second thought.

There are many security factors you should consider when deploying Linux-based virtual private servers (VPS) on systems such as OpenVZ. Some protect your users and some protect your server as a whole. Here are five steps you can take to make sure your server is secure:
1. Disable the root password on the real server. Users may decide to use root passwords on their VPS systems, but do not make it easy for attackers to get past them to the real system.
2. Create a user designed just for admin tasks and give it “sudo” rights.
3. Create an ssh user to handle any remote logins and an sftp user for uploads to the real server. Disable remote access for all other users.
4. Run OpenSSH on a port other than the default 22. You can use 2222 or something else.
5. Rely on SSH keys for the two secure users and disable clear password authentication.
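The five tips above can be checked against the host's sshd_config rather than trusted to memory. The script below is an added example, not code from the original post: it reads a given sshd_config (a copy is fine, it never writes) and reports which of tips 1, 3, 4 and 5 are not reflected in the file. Tip 2 (a dedicated sudo user) lives outside sshd_config and is not covered. The directive names are the real OpenSSH ones; the account names sshadmin and sftpupload used in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file for the
# hardening points above. It only reads the file, so it is safe to run on a copy.
# Usage: audit_sshd_config /etc/ssh/sshd_config   (returns 0 on pass, 1 on findings)
# e.g. AllowUsers sshadmin sftpupload              (constructed account names)

# Value of a directive: the FIRST uncommented occurrence wins, as in sshd(8).
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg="$1"
    rc=0

    # Tip 4: move the daemon off the default port.
    port=$(sshd_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL Port: sshd listens on the default port 22"; rc=1
    fi

    # Tip 1: root must never be reachable over ssh, whatever its password is.
    prl=$(sshd_get "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "FAIL PermitRootLogin: should be 'no' (value: '${prl:-unset}')"; rc=1
    fi

    # Tip 5: keys only; clear-text passwords off, public keys on.
    pa=$(sshd_get "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pa" != "no" ]; then
        echo "FAIL PasswordAuthentication: should be 'no' (value: '${pa:-unset}')"; rc=1
    fi
    pk=$(sshd_get "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    if [ -n "$pk" ] && [ "$pk" != "yes" ]; then   # absent means the default, yes
        echo "FAIL PubkeyAuthentication: must stay 'yes' once passwords are off"; rc=1
    fi

    # Tip 3: only the dedicated ssh and sftp users may log in remotely.
    if [ -z "$(sshd_get "$cfg" AllowUsers)" ]; then
        echo "FAIL AllowUsers: not set, so every local account can attempt a login"; rc=1
    fi

    return $rc
}
```

Because sshd honours the first occurrence of a directive, a stock "PasswordAuthentication yes" left higher in the file silently wins over a hardened line added at the bottom; the audit reads the file the same way, so it catches that ordering mistake.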
Continue reading: 5 Security tips for virtual private servers

Web server administrators should take notice of a “severe” vulnerability that computer scientists have discovered in OpenSSL, the free and open source encryption software package for Linux and Unix-like systems.
The bug is in OpenSSL’s cryptographic library, and the vulnerability allows attackers to retrieve a server’s cryptographic key, leaving any secure transactions, such as banking and sales, exposed to the attacker. Hundreds of thousands (perhaps even millions) of businesses, banks, and other enterprise-level institutions depend on SSL encryption, and in particular on OpenSSL.
Those who discovered it said that the attack is difficult to execute, but administrators should still be cautious. An OpenSSL spokesperson said that they are already working on a solution and will release a patch for the software. Furthermore, the attack requires access to the device’s power supply, making it unlikely that an attacker could exploit a server this way, since most attacks are carried out remotely.
Source: The Register
Continue reading: Severe OpenSSL security vulnerability announced

As we have mentioned in previous posts, a virtual private server (VPS) is an isolated instance of a larger operating system running in an enclosed environment. In Linux it is normally a chrooted environment, where the real root directory / is not available to the server user; instead that user has its own virtual root directory. In essence, it looks and feels to the end user as if he had his own dedicated server.
There are several benefits to this setup, namely:
1. On the server side, it is a benefit to the web host because the user does not have true access to the server’s most critical files.
2. The host can support multiple VPS instances on a single machine, saving hardware costs.
3. For both the user and web host it adds a higher level of security.
4. The user is provided with a managed server (even if the VPS itself is unmanaged) and does not have to worry about larger security concerns.
5. The cost is usually lower for the user since the host can offer dedicated server functionality while only giving the user the amount of space, CPU power, and RAM that she actually needs.
Continue reading: Benefits of a Virtual Private Server (VPS)

Microsoft provides the Microsoft Baseline Security Analyzer (MBSA), a tool for Windows Server 2008 that tests for security misconfigurations. It comes with a graphical interface and a command line interface for both local and remote scans. It looks for vulnerabilities, performs assessment checks, and checks SQL Server 2005.
In addition to Windows Server 2008, MBSA runs on Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 systems. It scans for misconfigurations on Internet Information Server (IIS), SQL Server, Internet Explorer, and MS Office.
MBSA is available for download from the Microsoft website. It is free to download and use on Windows systems. It comes with a readme.html document containing information on system requirements, scan options, and tool support options.
Source: Microsoft

Whenever you start a new website, you want to make sure everyone can see it, that it loads quickly, and that hackers can’t bring it to its knees. Here are a few useful web tools to make sure you cover all three:
1. Accessibility. A-Checker - An accessibility testing tool. Simply enter the URL or upload the HTML file of the page you want to evaluate, and it will test it against HTML standards and accessibility standards.
2. Speed. Pingdom Full Page Test - This complete tester will load your entire web page, including images, CSS, Flash, and anything else you might have stuck in there. It then evaluates the overall speed as well as the load time of each item.
3. Security. Zero Day Scan - An online service that tests your website for security vulnerabilities such as Cross-Site Scripting (XSS), SQL injection, and more. It then generates a report of the test results. Domain ownership verification is required.
Continue reading: 3 tools to keep your website secure, accessible, and fast
Question: Which Linux services should be enabled at boot on a server?
Answer: Most Linux distributions come with more than what you need. They are designed to not only work on servers but also desktop computers, laptops, netbooks, and in some cases, even smaller mobile devices like phones. Because of this there are sometimes numerous services running that you may not need. Similarly, there might be special server-oriented services that you will want to enable.
Security is also an issue. In the past we covered X.org and why it is a bad idea to have it running on a server. There are other services like X.org that might be good for the desktop but are superfluous on a server. The first thing to do is to find out which services are currently running. Execute the following commands:
# service --status-all
# chkconfig --list | grep '3:on'
You can read the rest of the steps in this process at nixCraft. The complete how-to article covers CentOS, Fedora, and Red Hat Enterprise Linux.
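The grep above answers "what is on in runlevel 3", but on a real box you then want to compare that list with what a server of that role should be running. The functions below are an added example, not code from nixCraft or the original post: they parse the output format of chkconfig --list (SysV entries with seven runlevel columns, followed by an "xinetd based services:" block of a different shape, which is skipped) and print the enabled services that are not on an allowlist you supply. The service and allowlist names in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not from nixCraft or the original post: turn the output of
# `chkconfig --list` into a list of what actually starts at boot, then compare
# it with an allowlist. Feed the command's output on stdin, e.g.
#   chkconfig --list | services_on_in_runlevel 3
#   chkconfig --list | unexpected_services 3 "sshd httpd crond"   # constructed allowlist

# Print the SysV services switched on in runlevel $1.
# chkconfig --list lines look like:  httpd   0:off 1:off 2:on 3:on 4:on 5:on 6:off
# The "xinetd based services:" block ("   telnet:  off") has a different shape and is skipped.
services_on_in_runlevel() {
    awk -v rl="$1" '
        $1 ~ /^[^:]+$/ && $2 ~ /^[0-6]:(on|off)$/ {
            for (i = 2; i <= NF; i++) if ($i == (rl ":on")) print $1
        }'
}

# Print enabled services that are NOT in the space-separated allowlist $2.
# Anything printed is a candidate for "chkconfig <name> off" after review.
unexpected_services() {
    allow=" $2 "
    services_on_in_runlevel "$1" | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;          # expected on a server of this role
            *) echo "$svc" ;;
        esac
    done
}
```

Keeping the allowlist per server role (web, mail, database) turns a one-off cleanup into a repeatable check: run it after each package install or upgrade, since packages on these distributions often register their init script as enabled.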
Source: nixCraft

Yesterday, we took a look at a web application security testing tool, and there are many other tools like it available both for a fee and for free. But there are not many tools available that actually test the web server itself and even fewer that are designed to test a Windows server.
Wikto, which apparently borrowed its name from Nikto (a Unix-based assessment tool), is a free and open source Windows-based web scanner that searches a Windows server environment for potential security issues. Unlike web application scanners that focus on the scripting code, Wikto looks at the web server setup and searches for security problems there.
Wikto relies on the .NET environment, and you will need to have .NET installed in order to use it. Full documentation is available on the project’s website. You can download it for free from their website as well.

Any security-minded system administrator has heard of cross site scripting (XSS). It might even keep you up at night, but there are steps you can take to identify vulnerabilities in your websites and deal with them. One method of finding vulnerabilities is to use fuzz testing (the insertion of random commands and code into web applications to see how they react).
Powerfuzzer is a free web fuzzer that allows administrators to create custom tests for their web applications to identify vulnerabilities. In essence, it is a web application vulnerability scanner. Currently, Powerfuzzer tests for the following security vulnerabilities:
You can download Powerfuzzer from the project’s website. It is free and open source software, released under the GNU General Public License.
Continue reading: Find security holes in web applications with Powerfuzzer

SELinux stands for Security-Enhanced Linux and is a comprehensive feature of Linux that allows system administrators to control security access policies with highly advanced modules in the Linux kernel. It can be applied to any Linux distribution and comes installed by default on some. It was originally based upon projects initiated by the U.S. National Security Agency and is considered to be a high-level security feature.
Red Hat Enterprise Linux and CentOS are both designed to run SELinux out of the box with little effort. Some desktop Linux users disable it and see it as overkill, but for a server, particularly one that runs web servers, mail servers, database servers, and other servers accessible via the Internet, having that extra layer of security can go a long way toward preventing attacks.
To read a full tutorial on setting up SELinux in CentOS/Red Hat, visit nixCraft.
Question: Is there a way to hide the version of Apache running on my server?
Answer: Yes, there certainly is, and there is a good reason to do so. While the version of Apache running on your server might be inconsequential to the average visitor, it could be ammunition in the sneaky minds of would-be hackers. If they know which version of Apache you are running, they also know which vulnerabilities you have.
Ideally, you will always have the latest, most secure version, but security holes pop up and spread very quickly in the Internet underground, sometimes even before developers and security watchdogs can find them.
To hide your Apache version from all visitors, simply add two directives to your Apache configuration file. On Red Hat-based systems, you need to edit httpd.conf, which is found in the /etc/httpd directory. Find these two lines or add them:
ServerTokens ProductOnly
ServerSignature Off
That is all it takes. Now outside users will not be able to see what version of Apache server you are running no matter what software they have.
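Two things are worth verifying after the edit: that no later line in httpd.conf (Apache lets a later occurrence of a directive override an earlier one) reverts ServerTokens, and that what a visitor actually receives no longer carries a version. The script below is an added example, not code from the original post: the first function audits an httpd.conf for the two directives, the second takes captured response headers (for instance from curl -sI) and reports whether the Server header still contains a version number. The response headers in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check an httpd.conf for the two
# directives above, then confirm from a captured response that no version leaks.
# Usage: audit_apache_banner /etc/httpd/conf/httpd.conf
#        server_header_leaks_version "$(curl -sI http://localhost/)"

# Value of a directive: unlike sshd, Apache lets a LATER occurrence override an
# earlier one, so the last uncommented line wins.
apache_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { val = $2 } END { print val }' "$1"
}

audit_apache_banner() {
    cfg="$1"
    rc=0

    # ServerTokens Prod / ProductOnly sends just "Server: Apache". The other
    # settings (Major, Minor, Min, OS, Full) add version or OS details, and
    # Full is what you get when the directive is missing.
    tokens=$(apache_get "$cfg" ServerTokens | tr 'A-Z' 'a-z')
    case "$tokens" in
        prod|productonly) ;;
        *) echo "FAIL ServerTokens: '${tokens:-unset (defaults to Full)}' exposes version details"; rc=1 ;;
    esac

    # ServerSignature On appends the version to error pages and directory
    # listings; Off is the built-in default, so only an explicit On fails.
    sig=$(apache_get "$cfg" ServerSignature | tr 'A-Z' 'a-z')
    if [ -n "$sig" ] && [ "$sig" != "off" ]; then
        echo "FAIL ServerSignature: should be Off (value: '$sig')"; rc=1
    fi

    return $rc
}

# Given raw response headers as text, print the Server header value and
# return 0 if it still carries a version number such as "Apache/2.2.3".
server_header_leaks_version() {
    hdr=$(printf '%s\n' "$1" | tr -d '\r' |
          awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    printf '%s\n' "$hdr"
    printf '%s' "$hdr" | grep -Eq '/[0-9]+(\.[0-9]+)*'
}
```

The header check is the one that matters, since it tests the running configuration rather than the file on disk: run it after the restart, and again after any package update that might have replaced httpd.conf.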
America’s Federal Trade Commission will hold a roundtable discussion later this month on the privacy and security of cloud computing. Social networking and mobile computing will also be covered.
David Vladeck, director of the FTC’s Bureau of Consumer Protection, stated in a letter to the government agency:
…the ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers.
The discussion is slated for January 28. The security and reliability of cloud computing have been under consumer scrutiny for some time. The FTC is also concerned about the wide amount of data social networking sites have access to and how it might pose a threat to consumer privacy.
Source: Data Center Knowledge
Continue reading: FTC to look into security and privacy of cloud computing