ssl – Internetblog.org.uk (https://www.internetblog.org.uk): Web hosting, Domain names, Dedicated servers. Feed generated Fri, 29 Jan 2016 11:05:52 +0000.

Server Security Tips https://www.internetblog.org.uk/post/1571/server-security-tips/ Mon, 26 Jul 2010 15:51:31 +0000

1. Do not allow direct root/administrator login; log in as an unprivileged user and escalate with sudo (or su) when needed
2. Make sure passwords are strong and changed regularly (enforce this with a password policy if necessary), and prefer SSH keys over passwords wherever you can
3. Use a network firewall, such as APF (a front end to iptables)
4. Use an application firewall, such as ModSecurity (a web application firewall module for Apache)
5. Chroot (or jail) all non-root users so they cannot reach system directories
6. Use virus scanners and spam filters on mail
7. Make sure your mail server is not an open relay
8. Keep all software and scripts up to date
9. Test your server for security holes, and test again after every significant change
10. Keep up with the latest security news for the software you actually run
11. Use SSL/TLS for any session that carries credentials or other sensitive data
12. Set permissions as strictly as possible on web-accessible files; the web server should not be able to write to files it only needs to read

Image Source: Wikimedia Commons
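As an added example, not part of the original post, here is a small POSIX shell audit for tips 1, 2 and 12. It reads an sshd_config (first uncommented directive wins, as sshd itself does), then walks a document root looking for files that the web server's group or anyone else can write. The paths are parameters; the defaults /etc/ssh/sshd_config and /var/www are assumptions, not something the post specifies.

```shell
# Added example, not from the original post: a quick audit for tips 1, 2 and 12.
# Paths are parameters; nothing here is specific to one distribution.

# sshd_effective <sshd_config> <Directive>
# Prints the value sshd would use: the first uncommented occurrence wins.
sshd_effective() {
    sed -e 's/#.*//' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print $2; exit }'
}

# check_sshd_config <sshd_config> : 0 if direct root login and password
# logins are both off, 1 otherwise (offending values are printed).
check_sshd_config() {
    rc=0
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_effective "$1" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}', want no (use keys)"; rc=1; }
    return $rc
}

# check_webroot_perms <docroot> : 0 if no file under it is group- or
# world-writable, 1 otherwise (offending paths are printed). The web server
# should only be able to write where an application genuinely needs it, such
# as an uploads directory, and nothing there should be executable.
check_webroot_perms() {
    bad=$(find "$1" -type f \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] || { printf 'writable by group/others:\n%s\n' "$bad"; return 1; }
}

# audit_server [sshd_config] [docroot] : runs both checks; fails if either fails.
# Usage: audit_server /etc/ssh/sshd_config /var/www
audit_server() {
    rc=0
    check_sshd_config "${1:-/etc/ssh/sshd_config}" || rc=1
    check_webroot_perms "${2:-/var/www}" || rc=1
    return $rc
}
```

Run it as root after every configuration change; a non-zero exit means at least one of the three tips is not being followed. It deliberately does not try to parse sshd's Match blocks, so treat it as a first pass rather than a substitute for `sshd -T`.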

Joomla Security Tips Part 3 https://www.internetblog.org.uk/post/1402/joomla-security-tips-part-3/ Tue, 08 Jun 2010 19:45:34 +0000

In the two previous parts of the Joomla security series, we looked at configuration settings both before and after installation. Here are some further important security steps to take during installation.

1. Move configuration.php outside of the document root. It holds your database credentials, so it should not sit where the web server can serve it. For example, if your document root is /home/user/www/public_html, you can move configuration.php up to /home/user/www, where outside visitors cannot request it. Read this guide for the detailed procedure.

2. Disable XML-RPC if you do not need it. Unless you publish to your Joomla installation from another application (without logging in through the website), this component only adds attack surface.

3. Check third-party extensions for known vulnerabilities. Joomla publishes a list of vulnerable extensions; avoid anything on it, and check it again before each update.

4. Use SSL for all logins and publishing. Joomla 1.5 has improved support for forcing SSL on the administrator area or the entire site.
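As an added example of step 1, not taken from the original post, the linked guide or the Joomla project, the shell function below moves configuration.php above the document root and leaves a one-line PHP stub in its place that requires the relocated file, which is what Joomla still opens. The stub approach, the example paths and the file modes are assumptions: the relocated file is left readable by owner and group only, so the web server must run as the owner or belong to that group.

```shell
# Added example, not from the original post or from Joomla itself.
# Usage: relocate_joomla_config /home/user/www/public_html /home/user/www
relocate_joomla_config() {
    docroot="$1"
    target_dir="$2"
    src="$docroot/configuration.php"
    dst="$target_dir/configuration.php"

    [ -f "$src" ] || { echo "no $src"; return 1; }
    # Refuse to "relocate" into a directory that is itself web-accessible.
    case "$target_dir" in
        "$docroot"|"$docroot"/*) echo "$target_dir is inside the document root"; return 1 ;;
    esac
    [ -e "$dst" ] && { echo "$dst already exists, not overwriting"; return 1; }

    mv "$src" "$dst" || return 1
    # Owner and group only (assumption: the web server runs as the owner or
    # is in the group). Nobody else on a shared host needs to read it.
    chmod 0440 "$dst"

    # Joomla keeps loading configuration.php from the document root, so the
    # stub hands it the relocated file by absolute path.
    printf '<?php require %s; ?>\n' "'$dst'" > "$src"
    chmod 0444 "$src"
}
```

Two caveats: saving Global Configuration from the administrator back end rewrites configuration.php in the document root and will replace the stub, so re-run the relocation after such changes; and because the stub is parsed by PHP, a misconfigured server that hands out .php files as text would still expose only the stub, not the credentials.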

Previous Joomla Security Tips: Part 1, Part 2

New Web Site Shopping List https://www.internetblog.org.uk/post/1313/new-web-site-shopping-list/ Fri, 14 May 2010 17:11:59 +0000

You have purchased your domain and a hosting account. Now what do you do? You are ready to get your website started, so here are a few things you might need along the way.

1. Content Management System – Whether you run a blog or a shop, a CMS is pretty much the way to go these days. It is the easiest way to update your site and keep a steady flow of dynamic content.

2. SSL certificate – If you plan to make sales, accept donations, require user logins, or do anything else that involves exchanging personal user information, SSL encryption is essential.

3. Support app – Unless your website is just a calling card, you will need to offer your customers some kind of support. The more ways visitors have to contact you, the better informed and the more willing to work with you they will be. A help desk and/or live chat app can go a long way towards customer satisfaction.

4. Backup storage – You need to back up your data somewhere other than the server itself. Many services will handle this, or you can use a local computer.

5. Cloud services – If you would rather not manage your own email, groupware, or other systems, you can let a cloud computing service host those applications for you.

6. Web design – While a content management system gives you functionality, it will not give you style out of the box. Hire a web designer or buy a good template.

7. Site monitoring – Some web hosts offer decent monitoring of your web services. If yours does not, there are many free and paid offerings on the web.

Photo Source: Flickr

Self-Signed SSL Certificates https://www.internetblog.org.uk/post/1298/self-signed-ssl-certificates/ Tue, 11 May 2010 16:08:42 +0000

SSL allows you to serve encrypted web pages to visitors over the HTTPS protocol. A certificate must be signed by a certificate authority the browser already trusts if it is not to trigger warnings questioning your site's authenticity. But OpenSSL can also create a self-signed certificate, one signed with its own private key rather than a CA's, and many web hosting control panels offer the same option.

In most circumstances involving financial transactions you should purchase a CA-signed certificate, but there are cases where self-signing will do: private intranets, internal business groupware, web-based control panels, and other content backends. In all of those situations you need the encryption, and it does not matter that no third party vouches for the certificate, because you issued it yourself. What does matter is that the people accepting it know it is yours: the first time a browser sees a self-signed certificate it has no way to tell yours from one an attacker put in the path, so compare the fingerprint the browser shows with the one you generated before adding an exception.

You will still receive the browser warning the first time, but every browser can store a permanent exception for the certificate (or you can import the certificate, or your own CA if you signed it with one, into the browser's trust store). From then on you will not see the warning, although other users still will until they do the same. If you ever decide that you do need a purchased certificate, you can swap it in at any time. For the procedure for creating a self-signed certificate, see this site.
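The procedure, as an added example rather than the page this post links to: the functions below use OpenSSL to create a 2048-bit RSA key and a self-signed certificate that carries the host name in the subjectAltName extension (which is what browsers actually check, not the CN), print the SHA-256 fingerprint you should compare against the browser warning, and confirm the result is self-signed. The host name, output directory and validity period are assumptions for illustration.

```shell
# Added example, not from the original post: create a self-signed certificate
# with OpenSSL and print the fingerprint to compare before trusting it.

# make_self_signed <hostname> <outdir> [days]
# Writes <outdir>/server.key (RSA, mode 0600) and <outdir>/server.crt.
make_self_signed() {
    host="$1"; out="$2"; days="${3:-365}"
    mkdir -p "$out" || return 1
    # Browsers match the host name against subjectAltName, so it is set through
    # a minimal OpenSSL config; CA:FALSE marks it as a plain server certificate.
    cat > "$out/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = $host
[v3_ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    (umask 077 && openssl genrsa -out "$out/server.key" 2048 2>/dev/null) || return 1
    chmod 600 "$out/server.key"
    openssl req -new -x509 -key "$out/server.key" -out "$out/server.crt" \
        -days "$days" -sha256 -config "$out/openssl.cnf" 2>/dev/null
}

# cert_fingerprint <cert> : SHA-256 fingerprint, the value to compare by hand
# with what the browser shows in its warning dialog.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_is_self_signed <cert> : 0 if issuer and subject are the same entity.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# Example: make_self_signed intranet.example.test /etc/ssl/intranet 365
#          cert_fingerprint /etc/ssl/intranet/server.crt
```

Point your web server (or control panel) at server.crt and server.key, then hand the fingerprint to the people who will be accepting the certificate through a channel other than the site itself; if the fingerprint in their browser warning differs, something between them and the server is presenting a different certificate.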

Photo Source: Flickr

What You Should Know About SSL Certificates https://www.internetblog.org.uk/post/1285/what-you-should-know-about-ssl-certificates/ Thu, 06 May 2010 18:38:18 +0000

SSL certificates let website owners prove to their visitors that the server they have reached really belongs to the domain name they typed, something like a badge of authenticity. In theory a website with a valid certificate should be trustworthy and secure, although what the certificate actually vouches for is the identity of the site, not the safety of its content. By default, web browsers ship with a list of trusted certificate authorities, companies that sell certificates (typically valid for a year or more) after verifying the applicant. Depending on the company selling the certificate and the level of validation it performs (domain, organisation or extended validation), prices run from free to nearly $500.

When a web browser connects to a site without a valid certificate, the user receives a nasty warning that the site is not trusted. This increases the chance that the user leaves, and if you are a business it means customers may be unwilling to proceed with a sale. You may even have a self-signed certificate whose encryption is perfectly strong, but because the browser cannot verify who is on the other end, it will still say the site is untrusted.

Purchasing a certificate is only the beginning of the process. You will need to set up your server correctly to use it. Traditionally each HTTPS site needed its own IP address, because the server presents its certificate before the browser says which host it wants; with Server Name Indication (SNI), which all current browsers support apart from Internet Explorer on Windows XP, several sites can share one address. The server must also send any intermediate CA certificates that chain your certificate to a root the browser trusts. If anything does not match (most commonly the host name, when a site is reached through a CNAME alias that is not listed on the certificate), web browsers will still spit out errors. Be mindful of all these factors as you choose the right certificate for you.
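As an added example, not part of the original post, the shell functions below do the host name check a browser performs: they list the DNS names a certificate is valid for (subjectAltName entries, falling back to the CN only when there are none), and test whether the name a visitor connects through, including a CNAME alias, is covered, treating a wildcard as matching exactly one label as browsers do. The certificate file and host name are parameters.

```shell
# Added example, not from the original post: does this certificate cover the
# host name the browser will ask for?

# cert_names <cert> : DNS names the certificate is valid for, one per line.
cert_names() {
    text=$(openssl x509 -in "$1" -noout -text)
    # The SAN values sit on the line after the extension heading.
    sans=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ { getline; print }' \
           | tr ',' '\n' | sed -n 's/^ *DNS: *//p')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        # Legacy fallback: CN from the subject (works for both "/CN=x" and "CN = x" output styles).
        openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    fi
}

# host_matches_name <host> <name> : 0 if <name> (possibly "*.example.com")
# covers <host>. Comparison is case-insensitive; a wildcard covers exactly
# one label, so *.example.com matches www.example.com but not a.b.example.com
# or example.com itself.
host_matches_name() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    n=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$n" in
        \*.*)
            suffix=${n#\*.}
            case "$h" in
                *.*) [ "${h#*.}" = "$suffix" ] ;;
                *)   false ;;
            esac
            ;;
        *)
            [ "$h" = "$n" ]
            ;;
    esac
}

# cert_matches_host <cert> <host> : 0 if any name on the certificate covers host.
cert_matches_host() {
    names=$(cert_names "$1")
    [ -n "$names" ] || return 1
    while IFS= read -r name; do
        host_matches_name "$2" "$name" && return 0
    done <<EOF
$names
EOF
    return 1
}

# Example: cert_matches_host /etc/ssl/certs/shop.crt shop.example.com && echo ok
```

Run it for every name a site is reachable under, including aliases, before you go live; recent OpenSSL releases can do the same comparison with `openssl x509 -noout -checkhost HOST`, but doing it by hand shows exactly which name is missing.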

Photo Source: Flickr

Common extra dedicated server features https://www.internetblog.org.uk/post/1190/common-extra-dedicated-server-features/ Fri, 09 Apr 2010 22:30:50 +0000

An unmanaged dedicated server is almost like a bare-bones computer. You get the essentials required to call it a server, but there are many features you will want to add. Some are free and/or open source; others require a purchase or even a subscription. It is important to know this before ordering a dedicated server, rather than assuming you are getting a complete product.

A good web host will list some of their extra available features, including prices. Here is a brief list of options you might want:

  • cPanel or other control panel
  • SSL certificates
  • Additional IP addresses
  • Load balancing for two or more servers
  • Anti-virus protection for mail servers
  • Routine backup storage
  • Additional RAM
  • Additional hard drive
  • Windows Server 2008
  • KVM over IP
  • Additional bandwidth/data transfer

For prices check your web host’s website.

Photo Source: Wikimedia Commons

How do I enable SSL/TLS in Dovecot mail server? https://www.internetblog.org.uk/post/1161/how-do-i-enable-ssltls-in-dovecot-mail-server/ Thu, 01 Apr 2010 22:34:21 +0000

Dovecot is a popular POP3/IMAP server for Unix-like operating systems. It is available through most distributions, including RHEL, CentOS, and Fedora. To protect mail sessions with TLS, you will need to edit /etc/dovecot.conf as root. (This is the Dovecot 1.x layout; Dovecot 2.x keeps the equivalent settings, ssl, ssl_cert and ssl_key, in /etc/dovecot/conf.d/10-ssl.conf.)

Uncomment the following lines:

# Disable SSL/TLS support?
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf

ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

You should also refuse plaintext logins that are not protected by TLS. This setting still lets clients use the PLAIN and LOGIN mechanisms inside an encrypted session (and from localhost); what it blocks is a password crossing the network in the clear:

disable_plaintext_auth = yes

Finally, restart Dovecot so it reloads the configuration and opens the certificate and key:

service dovecot restart
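Before restarting, it is worth checking the pieces that most often go wrong. As an added example, not from the original post or from the Dovecot project, the shell function below reads a Dovecot 1.x dovecot.conf, confirms that SSL is enabled and plaintext logins are disabled, verifies that the key file is readable by its owner only (the comment in the config explains why: it is opened before Dovecot drops root), and checks that the certificate really belongs to the key by comparing public-key digests. The config path is a parameter; everything else is read from the file.

```shell
# Added example, not from the original post or from Dovecot: sanity-check the
# SSL/TLS settings above before restarting.

# dovecot_setting <conf> <name> : value of the first uncommented "name = value".
dovecot_setting() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# dovecot_tls_check <conf> : 0 when every check passes, 1 otherwise
# (each problem is printed on its own line).
dovecot_tls_check() {
    conf="$1"; rc=0
    [ "$(dovecot_setting "$conf" ssl_disable)" = "no" ] \
        || { echo "ssl_disable should be no"; rc=1; }
    [ "$(dovecot_setting "$conf" disable_plaintext_auth)" = "yes" ] \
        || { echo "disable_plaintext_auth should be yes"; rc=1; }

    cert=$(dovecot_setting "$conf" ssl_cert_file)
    key=$(dovecot_setting "$conf" ssl_key_file)
    [ -r "$cert" ] || { echo "certificate '$cert' not readable"; return 1; }
    [ -r "$key" ]  || { echo "key '$key' not readable"; return 1; }

    # The key is opened while Dovecot is still root, so nobody else needs it:
    # group and world permission bits must all be clear.
    mode=$(ls -l "$key" | cut -c5-10)
    [ "$mode" = "------" ] \
        || { echo "key $key is $(ls -l "$key" | cut -c1-10); want -rw-------"; rc=1; }

    # A certificate issued for a different key will not work. Compare digests
    # of the DER public keys rather than RSA moduli so EC keys work as well.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate $cert does not match key $key"; rc=1; }
    return $rc
}

# Usage: dovecot_tls_check /etc/dovecot.conf && service dovecot restart
```

Once Dovecot is back up, confirm from another machine that the encrypted ports answer with your certificate, for example with `openssl s_client -connect mail.example.com:993` for IMAPS, and that a plain `PLAIN`/`LOGIN` attempt on port 143 without STARTTLS is rejected.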

Severe OpenSSL security vulnerability announced https://www.internetblog.org.uk/post/1066/severe-openssl-security-vulnerability-announced/ Fri, 05 Mar 2010 21:30:03 +0000

Web server administrators should take note of a "severe" vulnerability that computer scientists have discovered in OpenSSL, the free and open-source cryptographic toolkit used on Linux and Unix-like systems.

The flaw is in OpenSSL's cryptographic library, and the attack allows an attacker to recover a server's private key, which would expose every "secure" transaction that key protects, such as banking and sales. Hundreds of thousands (perhaps millions) of businesses, banks, and other enterprise-level institutions depend on SSL, and on OpenSSL in particular.

The researchers who discovered it said the attack is difficult to execute, but administrators should still be cautious. An OpenSSL spokesperson said they are already working on a solution and will release a patch. The attack also requires access to the device's power source, so it is unlikely to be usable against a server in a data centre, since most attackers work remotely.

Source: The Register
Photo: Ivan Petrov

Half of SSL websites may not be safe https://www.internetblog.org.uk/post/1064/half-of-ssl-websites-may-not-be-safe/ Fri, 05 Mar 2010 16:36:43 +0000

According to Comodo, publisher of the new Comodo Dragon web browser, more than half of all sites using SSL certificates may be unsafe. The reason is that these days it is very easy to buy an SSL certificate and have your website "validated".

This trend is mainly the result of a huge spike in sales of domain-validated (DV) certificates. Offered by a number of registrars, including Go Daddy, these certificates prove only that the buyer controls the domain name; nobody checks who the buyer is or whether the site is legitimate, so anyone, a phishing site included, can get one.

So in essence, a padlock on its own does not mean you can trust a site. The connection is still encrypted, but the assurance about who is on the other end, which was the original value of buying a certificate, has been undermined.

How to enable HTTPS on a Windows server https://www.internetblog.org.uk/post/943/how-to-enable-https-on-a-windows-server/ Fri, 29 Jan 2010 23:08:41 +0000

SSL stands for Secure Sockets Layer and, together with its successor TLS, is the underlying technology that enables a website to use the HTTPS protocol. Why is this important? A site served over HTTPS gives visitors an encrypted and authenticated connection for private transactions. It is essential for any type of online sales or exchange of private data.

Windows Server 2008 relies on IIS to serve websites to users, so configuring a Windows server for SSL means enabling it in IIS and binding your certificate to the site.

“The implementation of SSL has changed from IIS 6.0 to IIS 7.0. On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode (required a lot of kernel/user mode transitions). On Windows Vista and Windows Server® 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections.”

Read the rest at Learn IIS

Photo: stock.xchng
