
Password Protect a Directory in Apache with htpasswd

Published on April 3, 2013, in linux, sysadmin.

Here is a quick and easy way to password protect a directory in Apache. I use a similar setup to password protect my ownCloud instance!


Log POST data in Apache

Apache can log all POST data for troubleshooting purposes. I’ll show you how to set this up! First you will need to enable mod_dumpio. On Ubuntu / Debian enable the module:

    $ sudo a2enmod dump_io

Then add the following and restart apache:

    $ sudo nano /etc/apache2/apache2.conf

    LogLevel debug
    DumpIOInput On
    DumpIOOutput On
    DumpIOLogLevel debug


How to Install Apache in Windows

Published on October 21, 2012, in windows.

To install Apache in Windows, use builds available from the Apache Lounge. The Apache Lounge provides current up-to-date Apache releases compiled with current versions of OpenSSL for best security. This is preferred over apache.org Windows builds as apache.org does not maintain OpenSSL security updates. The download link is: http://www.apachelounge.com/download At the time of this post,


Protect Against XSS by Enabling HttpOnly for Linux Apache PHP

Published on July 8, 2012, in linux, sysadmin.

HttpOnly is a session cookie flag created to protect against cross-site scripting and theft of session cookies. For good security, this should be enabled for PHP running under Apache, especially for sites such as WordPress, Drupal, Joomla, and other popular PHP-based web applications. OWASP has some information on HttpOnly. I’ll show you how to


The Importance of Securing a Linux Web Server

Published on April 22, 2012, in linux, sysadmin.

Linux web hosting is popular, but that also makes Linux a target for malware and other malicious hacking. Here is a write-up pointing out some general best practices for Linux web servers: The Importance of Securing a Linux Web Server. If you find this topic interesting, you may also be interested in Linux Boot


How to Check for SSL Renegotiation

Published on November 3, 2011, in sysadmin.

To check if a server allows SSL Renegotiation, you can use the openssl command. I’ll show you how! The commands are as follows:

    $ openssl s_client -connect yourdomain.com:443

Then after the regular SSL cert info displays, enter the following:

    GET / HTTP/1.0
    R

If the server allows renegotiation, it will then have something similar to


WPScan WordPress Vulnerability Scanner

WPScan is a nifty WordPress vulnerability scanner. It can do things such as scan for installed plugins and provide vulnerability information based on results. It is part of Backtrack, which is handy as well! Here’s how wpscan looks checking scottlinux.com:

    root@bt:/pentest/web/wpscan# ruby wpscan.rb --url scottlinux.com --enumerate p


Enable HTTP Strict Transport Security on Debian / Ubuntu

HSTS or just STS can be enabled with Apache fairly easily. I’ll show you how! Enabling HSTS enforces a policy that all content from your server to the end user’s web browser will be over HTTPS. This can protect against interceptions, HTTPS stripping, and other possible man-in-the-middle attacks. First, enable mod_headers:

    $ sudo a2enmod headers


Apache List Loaded Modules

Published on August 29, 2011, in sysadmin.

Use apache2ctl -M or httpd -M to list loaded apache modules. The output will look similar to:

    $ sudo apache2ctl -M
    Loaded Modules:
     core_module (static)
     log_config_module (static)
     logio_module (static)
     mpm_worker_module (static)
     http_module (static)
     so_module (static)
     alias_module (shared)
     auth_basic_module (shared)
     authn_file_module (shared)
     authz_default_module (shared)
     authz_groupfile_module (shared)
     authz_host_module (shared)
     authz_user_module (shared)
     autoindex_module (shared)
     cgid_module (shared)
     deflate_module (shared)


Nikto Web Server Scanner

Everyone knows the greatness of nmap, but another useful tool is nikto! Nikto is available in Ubuntu 10.10 multiverse, as well as in the latest Fedora. Install it as usual:

    sudo apt-get install nikto

or

    yum install nikto

Now, update nikto's scanning vulnerabilities to the latest by issuing:

    sudo nikto -update

Then, run nikto -h
