secure – Web hosting, Domain names, Dedicated servers (feed last updated Fri, 29 Jan 2016 11:05:52 +0000)

How to Connect via SSH Tue, 06 Jul 2010 19:03:02 +0000

SSH stands for Secure Shell and is a secure, encrypted method of connecting to a server for shell (command-line) access. It is useful on shared hosting, virtual private servers, and dedicated servers. Linux servers usually come with SSH enabled by default, although some web hosts disable it for shared hosting accounts.

To connect to your server via SSH, simply type:

ssh -l username hostname_or_ip

It will prompt you for a password. Type your password, and you should be connected. Some web hosts run SSH on a port other than the default (22). If so, you will need to specify it with -p, for example:

ssh -p 2222 -l myname hostname_or_ip

Once you are logged into the server, normal Linux/Unix shell commands apply. When you are finished, simply type “exit”.

MySQL Server Optimization Wed, 30 Jun 2010 16:08:42 +0000

If you are running a dedicated server, optimization is very important to maximize speed and efficiency and to save time and energy. We have already looked at ways to optimize the Apache web server, but many dynamic websites also use databases that hold the data for their dynamic web applications.

You can accomplish basic optimization of database tables from within your web-based control panel or in phpMyAdmin. You should do this routinely. But there are also ways you can optimize the server itself to serve databases faster and more securely. Over the remainder of this week, I will show you a few tips to optimize your MySQL server. Today, I will just point you to the right file.

To begin configuring your MySQL server, you will need to locate the configuration file. This will differ, depending on your operating system and even from one Linux distribution to another. Most commonly, it will be in a directory like /etc/mysql, and the file will be called my.cnf. You will need to edit it as root:

# nano /etc/mysql/my.cnf

Tomorrow, we will start to plow through this file for optimization tweaks.

How to Enable/Disable Root Login in SSH Fri, 18 Jun 2010 14:09:51 +0000

Question: I have heard that enabling root login in SSH can be a security risk. Is that true, and if so, how do I disable it?

Answer: The truth is that having root logins enabled is not in itself a security risk. The real risk comes from an easily guessed root password or from insecure web applications on your server that let hackers obtain the root password. Disabling root login gives those hackers one less avenue to exploit, and if you do not need to log in directly as root through SSH, there is really no reason to have it enabled.

Actually disabling root login is not nearly as complicated as the explanation above. Just follow these steps:

1. Log in to your server via SSH
2. Become root
3. Edit /etc/ssh/sshd_config (the sshd server configuration, not the client's ssh_config, which does not accept this directive)
4. Add the following line:
PermitRootLogin no
5. Save and exit
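The steps above done as a script, added here as an example and not taken from the original post. It edits an sshd_config-style file whose path is passed as a parameter, so it can be tried on a scratch copy before touching the real /etc/ssh/sshd_config, and it reads the effective value back the way sshd does: the first matching keyword wins and keywords after a Match line apply only to that match.

```shell
#!/bin/sh
# Added example, not from the original post: turn off root SSH logins in an
# sshd_config-style file and read the effective setting back. The path is a
# parameter so the functions can be tried on a scratch copy first; the real
# server-side file is /etc/ssh/sshd_config.

# Print the effective PermitRootLogin value, or "unset" if the file has no
# active directive. sshd honours the FIRST matching keyword and ignores later
# duplicates, and keywords after a "Match" line apply only to that match, so
# scanning stops at the first Match block. Comment lines start with "#" and
# never equal the keyword.
effective_permit_root_login() {
    value=$(awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; exit }
    ' "$1")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'unset\n'
    fi
}

# Rewrite the file so that "PermitRootLogin no" is the first directive and
# every earlier global PermitRootLogin line (before any Match block) is
# dropped. Commented-out lines and Match-block settings are left alone.
disable_root_login() {
    cfg=$1
    tmp="$cfg.tmp"
    awk '
        BEGIN { print "PermitRootLogin no" }
        !in_match && tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage: sh this_script.sh /path/to/sshd_config   (read-only report)
if [ $# -gt 0 ]; then
    printf 'PermitRootLogin is currently: %s\n' "$(effective_permit_root_login "$1")"
fi
```

After editing the real file, run `sshd -t` to check the syntax and then reload the sshd service, since the daemon only reads its configuration at start-up; keep your current session open until a fresh login as a normal user succeeds.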

Photo Source: Flickr

Creating Good Passwords Wed, 12 May 2010 21:32:05 +0000

Whether you have a single small website or a data center filled with servers, security should always be at the top of your agenda. One of the most basic security holes that attackers often exploit is the weak password. It is important for you and any users on your server to use secure passwords.

There are certain practices you can use to make your passwords more secure:

  • Use a mixture of letters and numbers
  • Mix lowercase and uppercase letters
  • Make the password at least 8 characters long
  • Change default passwords given to you
  • Do not use a real dictionary word in any language
  • Do not use acronyms that are easily deciphered
  • Never give your password to anyone, even someone claiming to be a web host or system administrator
  • Do not use the same password you use for other things
  • Do not use letters or numbers that relate to personal information (birthdays, names, etc.)
  • Change your password often
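The rules above that can be checked mechanically (length, character classes, dictionary words, personal information) as a small shell checker. This is an added example, not a tool from the original post; the five-word dictionary is constructed for the example, and a real host would use a full word list such as /usr/share/dict/words (assumed to exist). Rules that describe habits rather than the password itself (changing defaults, not reusing, not sharing, rotating) are not something a checker can see.

```shell
#!/bin/sh
# Added example, not from the original post: check a candidate password
# against the checkable rules from the list above.
#   check_password 'Candidate1' [personal tokens such as a name or year ...]
# Each failed rule is printed; the return status is 0 only when all pass.
# DICTIONARY is a constructed stand-in for a real word list.

DICTIONARY="password secret welcome letmein qwerty"

check_password() {
    pw=$1
    shift
    fails=0
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')

    # Rule: at least 8 characters.
    if [ "${#pw}" -lt 8 ]; then
        echo "too short (${#pw} < 8)"; fails=$((fails + 1))
    fi
    # Rules: mix letters and numbers, mix lowercase and uppercase.
    printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "no digit"; fails=$((fails + 1)); }
    printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "no lowercase letter"; fails=$((fails + 1)); }
    printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "no uppercase letter"; fails=$((fails + 1)); }
    # Rule: not a dictionary word (compared case-insensitively).
    for word in $DICTIONARY; do
        if [ "$lower" = "$word" ]; then
            echo "dictionary word"; fails=$((fails + 1)); break
        fi
    done
    # Rule: nothing that relates to personal information. Any extra
    # arguments (name, birth year, ...) must not appear inside the password.
    for token in "$@"; do
        tok_lower=$(printf '%s' "$token" | tr '[:upper:]' '[:lower:]')
        [ -n "$tok_lower" ] || continue
        case "$lower" in
            *"$tok_lower"*) echo "contains personal token '$token'"; fails=$((fails + 1)) ;;
        esac
    done

    [ "$fails" -eq 0 ]
}
```

On a real system read the candidate with `read -r` rather than passing it on the command line, where other users could see it in the process list.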

If you need help creating a password, consider using a password generator. PC Tools has a free online password generator that will allow you to specify length, types of characters, and similarities. Best of all, it will allow you to create multiple passwords at once. Now you have no excuses left for having a password that is easy to guess.

What You Should Know About SSL Certificates Thu, 06 May 2010 18:38:18 +0000

SSL certificates allow website owners to provide something like a badge of authenticity to their users. In theory a website with a valid certificate should be trustworthy and secure. By default, web browsers will recognize a number of certificate authorities, companies that sell annual certificates and verify them. Depending on the company selling the certificate and the level of encryption, they can run from free to nearly $500.

When a web browser connects to a site without a valid certificate, the user will receive a nasty warning about the site not being trusted. This increases the chances that a user will not stay on the site, and if you are a business, it means that customers may be unwilling to proceed with sales transactions. In some cases, you may even have a self-signed certificate with perfectly secure encryption, but the user’s web browser will still say it is untrusted.

Purchasing a certificate is only the beginning of the process. You will need to set up your server correctly to use it. Each secure HTTPS site will require a unique IP address and correct certificate-authority information that matches the certificate. If anything does not match (the domain name, for example, a common problem with CNAME aliases), web browsers will still spit out errors. Be mindful of all these factors as you choose the right certificate for you.
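The two checks the post describes (is the issuer trusted, and does the name match) reproduced with the openssl command line, as an added example that is not part of the original post. It generates a throwaway self-signed certificate for the constructed name www.example.com and assumes OpenSSL 1.1.1 or newer for the -addext and -verify_hostname options.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the checks a browser
# makes on a certificate (trusted issuer, matching name) with the openssl
# CLI. Assumes OpenSSL 1.1.1+ for -addext and -verify_hostname. The
# certificate is a throwaway self-signed one for the constructed name
# www.example.com.

# Create key.pem and cert.pem in directory $1 for hostname $2.
make_self_signed() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Return 0 when certificate $1 is valid for hostname $2. With $3 empty the
# system trust store is used (what a browser does by default); otherwise $3
# is a PEM file of trusted certificates, which is the effect of a user
# adding a permanent exception for a self-signed certificate.
verify_for_host() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
    fi
}

# Run the three cases from the post and print one line for each.
demo() {
    dir=$(mktemp -d)
    make_self_signed "$dir" www.example.com || return $?
    if verify_for_host "$dir/cert.pem" www.example.com ""; then
        echo "system trust, correct name: trusted"
    else
        echo "system trust, correct name: UNTRUSTED (self-signed issuer)"
    fi
    if verify_for_host "$dir/cert.pem" www.example.com "$dir/cert.pem"; then
        echo "explicit exception, correct name: trusted"
    fi
    if verify_for_host "$dir/cert.pem" shop.example.net "$dir/cert.pem"; then
        echo "explicit exception, wrong name: trusted"
    else
        echo "explicit exception, wrong name: UNTRUSTED (hostname mismatch)"
    fi
    rm -rf "$dir"
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The middle case is why a self-signed certificate can be "perfectly secure" yet still warned about: the encryption is fine, but nothing in the browser's trust store vouches for the issuer until the user adds an exception. The last case is the CNAME problem from the post: the certificate is fine for www.example.com and is rejected for any other name.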

Photo Source: Flickr

How to secure your WordPress installation Tue, 13 Apr 2010 18:08:29 +0000

Yesterday, news sources and blogs announced that WordPress blogs hosted by Network Solutions were being hacked. The website owners’ credentials were stolen, and then the sites were used to redirect thousands of visitors to websites that distributed malware. Apparently, WordPress’ configuration file, called wp-config.php, stores the user’s database password in plain text. Even so, attackers would not have access to the file if the right permissions were set. The hacked sites had configuration files that were readable by the outside world, including site visitors.

Because the attack exploits user error rather than an actual bug in the WordPress code, it is important to make sure that your or your customers’ WordPress-based sites are secure. The first thing you can do is to chmod wp-config.php to 640 (owner read/write, group read, no access for anyone else), which means any outside site visitor, or any other account on the server, will be completely denied.

chmod 640 wp-config.php

The second is to deny access using your .htaccess file, since no one who accesses the webserver will actually need access to the file under any circumstances.

# to protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

That is essentially all it takes and is actually more than is probably necessary to keep everything secure.
Warning: Some web hosting providers provide automated scripts to install WordPress for you. Do not assume that those installations are automatically secure.
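A small permission audit for the first fix, added here as an example (not from the original post or from WordPress): it reports whether a file is readable by "other", which on a shared host includes every other account and often the web server itself, and tightens it to 640. The mode is parsed from `ls -l` so it runs on both GNU and BSD userlands, and the path is a parameter so it can be tried on a scratch file.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a file such as
# wp-config.php is readable by "other" (every account on the host, including
# the one a shared web server runs as) and tighten it to 640. The mode is
# parsed from "ls -l" so the same code runs on GNU and BSD userlands.

# Print the three permission characters for "other", e.g. "r--" or "---".
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# Succeed (0) when anyone on the system can read the file.
world_readable() {
    case "$(others_perms "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Apply the post's recommendation: owner read/write, group read, nothing
# for others. Prints what happened; returns non-zero only if chmod fails.
harden_config_file() {
    file=$1
    if world_readable "$file"; then
        chmod 640 "$file" || return 1
        echo "fixed: $file was world-readable, now mode 640"
    else
        echo "ok: $file is not world-readable (others=$(others_perms "$file"))"
    fi
}

# Usage: sh this_script.sh /path/to/wp-config.php
if [ $# -gt 0 ]; then
    harden_config_file "$1"
fi
```

Mode 640 only helps if PHP still runs as the file's owner or group (a per-site PHP-FPM pool or suPHP-style setup); if the web server runs as a shared account outside that group, the page itself breaks. The .htaccess block above uses the Apache 2.2 `Order`/`Deny` syntax; on Apache 2.4 the equivalent inside the `<Files>` block is `Require all denied`.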

Photo Source: Wikimedia Commons

Sudo vs. SU Mon, 29 Mar 2010 16:13:16 +0000

The “su” command is what a Linux user with proper permissions uses to ascend to the root administrator account. A secure SSH server will not allow direct root login, so the user must gain root after the initial login. The “sudo” command is an alternative to using a separate root user with its own password. Instead, the user prepends “sudo” to a command that needs root privileges. Certain distributions, such as Ubuntu, use “sudo” by default, while others, such as CentOS, prefer “su”.

There are benefits and drawbacks to each. With “su”, root is a true separate user, and some administrators find it more useful to be able to log in as root and run several commands. With “sudo”, only commands prefixed with it run with administrative privileges, preventing the user from accidentally running a dangerous command as root.

There are security benefits to each, and the argument over which is better can get heated. Suffice it to say that it ultimately depends on the preference of the system administrator. Does he/she want to deal with one password or two? Technically, an administrator can decide to use both on the same server and use the one that is most beneficial at the time. It can also be useful if you have multiple users who need various permissions.

Photo Source: Flickr

How to enable HTTPS on a Windows server Fri, 29 Jan 2010 23:08:41 +0000

SSL stands for Secure Sockets Layer and is the underlying technology that enables a website to use the HTTPS protocol. Why is this important? A website with an HTTPS URL provides website visitors with a secure connection for private transactions. It is essential for any type of online sales or exchange of private data.

Windows Server 2008 relies on IIS to serve websites to users, and in order to configure a Windows server for SSL, you need to enable it in IIS.

“The implementation of SSL has changed from IIS 6.0 to IIS 7.0. On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode (required a lot of kernel/user mode transitions). On Windows Vista and Windows Server® 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections.”

Read the rest at Learn IIS

Photo: stock.xchng

How to disable dynamic updates in BIND DNS Wed, 30 Dec 2009 19:12:27 +0000

BIND (whose daemon is called named) is the DNS system for most Unix-like and Linux networked servers. It controls all of the DNS functionality on those servers and thus needs to be secure. Dynamic updates allow remote servers to add, delete, or modify zone entries in DNS records. While there may be situations where this is necessary, it is better to disable it if you do not need it.

If you decide you need it, you can find more information about making it secure at Crypt.Gen.NZ. To disable dynamic updates, edit the named.conf file and, in each domain zone, set “allow-update” to “none”:

zone "" IN {
    allow-update { none; };
};

That is all it takes, although it is probably wise to do this before you end up with a lot of entries and have to go through each one and painstakingly remove all dynamic updates. Regardless, getting it done will give you a little more peace of mind.
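The "go through each one" part can be automated. The following awk-based audit, added here as an example and not taken from the original post or from BIND, lists every zone in a named.conf-style file that does not explicitly carry `allow-update { none; };`, so you know which zone blocks still need the line. It assumes the formatting shown above (the zone name in quotes, a space before the opening brace) and does not follow include files or look at the global options block; the sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: list the zones in a
# named.conf-style file that do not explicitly disable dynamic updates with
# "allow-update { none; };". Assumes the zone statement style shown in the
# post (quoted name, opening brace on the zone line); include files are not
# followed and the global options block is not inspected.

zones_without_update_none() {
    awk '
        # A zone statement starts a block; remember its name.
        /^[[:space:]]*zone[[:space:]]+"/ {
            name = $2; gsub(/"/, "", name)
            inzone = 1; depth = 0; explicit_none = 0
        }
        inzone {
            if ($0 ~ /allow-update[[:space:]]*\{[[:space:]]*none[[:space:]]*;[[:space:]]*\}/)
                explicit_none = 1
            # Track nesting by counting braces; gsub returns the count.
            depth += gsub(/[{]/, "{")
            depth -= gsub(/[}]/, "}")
            # Back at depth 0 means the zone block just closed.
            if (depth == 0) {
                if (!explicit_none) print name
                inzone = 0
            }
        }
    ' "$1"
}

# Usage: sh this_script.sh /etc/named.conf
if [ $# -gt 0 ]; then
    zones_without_update_none "$1"
fi
```

A zone that is listed either permits updates (for example `allow-update { key ...; };`) or relies on the default, which is to deny them unless an `allow-update` in the global options block says otherwise; either way the post's advice is to state `none` explicitly in the zone.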

Source: nixCraft
Photo: Flickr

Running an entire website under SSL Fri, 25 Dec 2009 17:23:15 +0000

Question: I was thinking of making my entire website HTTPS instead of just the shopping cart. Is this a good idea?

Answer: There are both pros and cons to securing an entire site with SSL, but most seem to agree that the cons outweigh the pros. The advantage is that your users know from the beginning that they are working with a secure site. If your website happens to be for a financial institution, this may add to users’ comfort when they are entering login data.

The disadvantages are that a site will most likely run slower when every page has to be encrypted and authenticated. The larger your site, the more data it will have to encrypt. Also, if a browser ever has issues with the certificate, a user will be locked out of your site completely or will have to click through unnecessary confirmations. This may prevent them from even getting to a contact form to tell you something is wrong.

Generally speaking, there is simply no need to encrypt general pages of information. Login forms should point to encrypted script URLs, and all shopping cart data, personal information, and financial information should be under HTTPS. If that is all you have (i.e. you only have those private forms on your site and nothing else), then complete HTTPS might be a good idea.

Photo: Flickr