Password Protect a Directory in Apache with htpasswd | Here is a quick and easy way to password protect a directory in Apache. I use a similar setup to password protect my ownCloud instance!
Log POST data in Apache | Apache can log all POST data for troubleshooting purposes. I’ll show you how to set this up! First you will need to enable mod_dumpio. On Ubuntu / Debian enable the module: $ sudo a2enmod dump_io Then add the following and restart Apache: $ sudo nano /etc/apache2/apache2.conf LogLevel debug DumpIOInput On DumpIOOutput On DumpIOLogLevel debug
How to Install Apache in Windows | To install Apache in Windows, use builds available from the Apache Lounge. The Apache Lounge provides current up-to-date Apache releases compiled with current versions of OpenSSL for best security. This is preferred over apache.org Windows builds as apache.org does not maintain OpenSSL security updates. The download link is: http://www.apachelounge.com/download At the time of this post,
The Importance of Securing a Linux Web Server | Linux web hosting is popular, but that also makes Linux a target for malware and other malicious hacking. Here is a write-up pointing out some general best practices for Linux web servers: The Importance of Securing a Linux Web Server. If you find this topic interesting, you may also be interested in Linux Boot
WPScan WordPress Vulnerability Scanner | WPScan is a nifty WordPress vulnerability scanner. It can do things such as scan for installed plugins and provide vulnerability information based on results. It is part of Backtrack, which is handy as well! Here’s how wpscan looks checking scottlinux.com: root@bt:/pentest/web/wpscan# ruby wpscan.rb --url scottlinux.com --enumerate p
Enable HTTP Strict Transport Security on Debian / Ubuntu | HSTS or just STS can be enabled with Apache fairly easily. I’ll show you how! Enabling HSTS enforces a policy that all content from your server to the end user’s web browser will be over HTTPS. This can protect against interceptions, HTTPS stripping, and other possible man-in-the-middle attacks. First, enable mod_headers: $ sudo a2enmod headers
Apache List Loaded Modules | Use apache2ctl -M or httpd -M to list loaded Apache modules. The output will look similar to: $ sudo apache2ctl -M Loaded Modules: core_module (static) log_config_module (static) logio_module (static) mpm_worker_module (static) http_module (static) so_module (static) alias_module (shared) auth_basic_module (shared) authn_file_module (shared) authz_default_module (shared) authz_groupfile_module (shared) authz_host_module (shared) authz_user_module (shared) autoindex_module (shared) cgid_module (shared) deflate_module (shared)
Nikto Web Server Scanner | Everyone knows the greatness of nmap, but another useful tool is nikto! Nikto is available in Ubuntu 10.10 multiverse, as well as in the latest Fedora. Install it as usual: sudo apt-get install nikto or yum install nikto Now, update nikto to the latest vulnerability checks by issuing: sudo nikto -update Then, run nikto -h