Monday, November 1, 2010

Hardening Apache

Your Apache + PHP installation may not be as secure as you think it is.  I recently did some Nessus scans on servers I was getting ready to deploy and found they weren't configured as securely out of the box as I had hoped.

Here are a few of the things I changed on them to make them more secure.  The first obvious thing I did was upgrade all the software to the latest version.


Backup CGIs shouldn't be downloadable
Files such as .old, .bak, .save and names ending in ~ (the suffix some editors and backup programs add) are served by Apache like any other static file, so a copy of a PHP script saved as config.php.bak is sent to the browser as plain source, complete with whatever database credentials it contains.  The same goes for the .svn directories (and CVS metadata directories, which CVS names CVS) that you may have copied into the web root along with a checkout.  Add this to httpd.conf.  The pattern is anchored with $ so that it only looks at the end of the file name; an unanchored pattern such as .*old would also block threshold.php and every other page whose name happens to contain "old".  On Apache 2.4 the Order/Deny pair becomes Require all denied.

<FilesMatch "(\.(inc|sql|bak|bk|sav|save|old|orig|bakup|backup)(\.php)?|~|backup\.(tgz|tar|tar\.gz|gz|bz2|zip))$">
Order allow,deny
Deny from all
</FilesMatch>

<DirectoryMatch "/\.svn(/|$)">
Order allow,deny
Deny from all
</DirectoryMatch>

<DirectoryMatch "/CVS(/|$)">
Order allow,deny
Deny from all
</DirectoryMatch>
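To see why the FilesMatch pattern has to be anchored, here is an added Python check (example code, not from the original post) that runs the unanchored pattern this post originally shipped with and an anchored rewrite against a constructed list of file names.  Apache compiles FilesMatch patterns with PCRE and runs an unanchored search against the file's basename; Python's re module behaves the same way for the simple alternations involved, so it makes a convenient offline test bench.  The file names are made up for the example.

```python
"""Compare an unanchored and an anchored Apache <FilesMatch> pattern.

Added example, not code from the original post.  Apache runs FilesMatch
patterns as an unanchored regex search on the file's basename, which is
what re.search() does here.
"""
import re

# The pattern the post originally used, copied verbatim.
ORIGINAL_PATTERN = (
    r"(\.inc|.*sql|.*~|.*bk|.*sav|.*save|.*old|.*bak.php|.bk.php|.*bakup.php"
    r"|.*bak|.*bakup|.*backup|.*backup.tgz|.*backup.tar.gz|.*backup.tar"
    r"|.*backup.gz|.*backup.bz2|.*backup.zip)"
)

# Anchored rewrite: deny only a trailing backup extension (optionally followed
# by .php, e.g. config.bak.php), a trailing "~", or an archive whose name ends
# in backup.<ext>.  ".orig" (left behind by patch) is an addition of mine.
HARDENED_PATTERN = (
    r"(\.(inc|sql|bak|bk|sav|save|old|orig|bakup|backup)(\.php)?"
    r"|~|backup\.(tgz|tar|tar\.gz|gz|bz2|zip))$"
)


def is_denied(pattern, filename):
    """True if Apache would refuse to serve `filename` under this FilesMatch."""
    return re.search(pattern, filename) is not None


def compare(filenames, original=ORIGINAL_PATTERN, hardened=HARDENED_PATTERN):
    """Return {filename: (denied by original, denied by hardened)}."""
    return {f: (is_denied(original, f), is_denied(hardened, f)) for f in filenames}


def false_positives(filenames, original=ORIGINAL_PATTERN, hardened=HARDENED_PATTERN):
    """File names the original pattern blocks but the anchored one still serves."""
    result = compare(filenames, original, hardened)
    return sorted(f for f, (orig, hard) in result.items() if orig and not hard)


# Constructed sample names: ordinary site files first, then the leftovers the
# rule is actually meant to hide.
LEGITIMATE = ["savings.html", "threshold.php", "mysql-tutorial.html",
              "old-news.html", "release-1.2.tar.gz"]
LEFTOVERS = ["config.php.bak", "config.bak.php", "settings.inc",
             "index.php~", "db.sql", "site-backup.tar.gz"]

if __name__ == "__main__":
    for name, (orig, hard) in compare(LEGITIMATE + LEFTOVERS).items():
        print(f"{name:22} original={'deny' if orig else 'allow':5} "
              f"hardened={'deny' if hard else 'allow'}")
```

Run it and the first group shows the problem: savings.html, threshold.php, mysql-tutorial.html and old-news.html are all refused by the unanchored pattern because .*sav, .*old and .*sql match anywhere in the name, while every file in the second group is denied by both patterns.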


Disabling Trace
The TRACE method echoes the request back to the client, including any cookies and Authorization headers it carried, which is what cross-site tracing (XST) attacks abuse to read credentials that script on a page could not otherwise see.  Turn it off in httpd.conf; Apache then answers TRACE requests with 405 Method Not Allowed.


TraceEnable off


Enable Strong Encryption
I use SSL certificates to encrypt access to some of my websites.  You want to be sure to remove the low encryption suites (the export-grade and single-DES ciphers that OpenSSL groups under LOW).  Clients that cannot negotiate one of the remaining suites fail the handshake and are limited to the plain HTTP sections of your site.  HIGH:MEDIUM alone still admits the anonymous Diffie-Hellman suites, which encrypt but do not authenticate the server, so exclude aNULL as well, and let the server's preference win with SSLHonorCipherOrder.  This goes in httpd.conf or an included file.

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on

Remove Easter Eggs
I'm not that happy that people have allowed easter eggs into PHP source code.  It would be nice if the pkg_src/ports maintainers patched this code out as part of a security patch.  But for the mean time, we can disable expose_php in the php.ini file and it will suffice.  The same setting removes the X-Powered-By header that announces the exact PHP version on every response, which is what a scanner keys on.

expose_php = Off

Remove Directory Indexes
Directory indexes let anyone list every file in a directory that has no index page, which is exactly how leftover backups and uploads get found.

Remove Indexes from the Options directive in httpd.conf (or write it as -Indexes so it is removed wherever the option is inherited).  A request for such a directory then gets a 403 instead of a listing.
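As a check after the changes, here is an added Python script (example code, not from the original post) that probes a server for each item in this post: a TRACE that should be refused, an X-Powered-By header that should be gone, a directory that should not list itself, and backup file names that should be forbidden.  The analysis works on raw response text so it can be run offline against the constructed samples at the bottom; probe() fetches the same responses from a live host with http.client.  The probe paths are my assumptions: point "listing" at a directory with no index file and "backup" at file names that exist on your site.

```python
"""Audit a web server for the settings covered in this post.

Added example, not code from the original post.  Sample responses below are
constructed, not captured from a real host.
"""
import http.client

# (kind, method, path).  kind selects which check applies to the response.
PROBES = [
    ("trace",   "TRACE", "/"),                # TraceEnable off   -> expect 405
    ("php",     "GET",   "/index.php"),       # expose_php = Off  -> no X-Powered-By
    ("listing", "GET",   "/images/"),         # Indexes removed   -> expect 403
    ("backup",  "GET",   "/index.php~"),      # FilesMatch deny   -> expect 403
    ("backup",  "GET",   "/config.php.bak"),  # FilesMatch deny   -> expect 403
]


def parse_response(raw):
    """Split raw response text into (status code, {lower-case header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(probes, responses):
    """Return a list of findings; responses maps (method, path) -> raw response text."""
    findings = []
    for kind, method, path in probes:
        raw = responses.get((method, path))
        if raw is None:
            continue  # probe not captured, nothing to judge
        status, headers, body = parse_response(raw)
        powered = headers.get("x-powered-by", "")
        if "php" in powered.lower():
            findings.append(f"{path}: X-Powered-By: {powered} (set expose_php = Off)")
        if kind == "trace" and status == 200:
            findings.append("TRACE answered 200 (set TraceEnable off)")
        elif kind == "listing" and status == 200 and "Index of " in body:
            findings.append(f"{path}: directory listing (remove Indexes from Options)")
        elif kind == "backup" and status == 200:
            findings.append(f"{path}: backup file served (add a FilesMatch deny rule)")
    return findings


def probe(host, port=80, probes=PROBES, https=False):
    """Fetch each probe from a live server and return {(method, path): raw text}."""
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    responses = {}
    for _, method, path in probes:
        conn = conn_cls(host, port, timeout=10)
        conn.request(method, path)
        resp = conn.getresponse()
        head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
            f"{name}: {value}\r\n" for name, value in resp.getheaders())
        responses[(method, path)] = head + "\r\n" + resp.read().decode("latin-1")
        conn.close()
    return responses


# Constructed responses from a server with none of the fixes applied.
SAMPLE_UNHARDENED = {
    ("TRACE", "/"): "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: www.example.com\r\n",
    ("GET", "/index.php"): "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.3\r\nContent-Type: text/html\r\n\r\n<html></html>",
    ("GET", "/images/"): "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head><title>Index of /images</title></head></html>",
    ("GET", "/index.php~"): "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<?php $db_password = 'hunter2';",
    ("GET", "/config.php.bak"): "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>Not Found</html>",
}

# The same probes after the settings from this post are in place.
SAMPLE_HARDENED = {
    ("TRACE", "/"): "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n",
    ("GET", "/index.php"): "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    ("GET", "/images/"): "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>Forbidden</html>",
    ("GET", "/index.php~"): "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>Forbidden</html>",
    ("GET", "/config.php.bak"): "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>Forbidden</html>",
}

if __name__ == "__main__":
    import sys
    responses = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_UNHARDENED
    for finding in audit(PROBES, responses) or ["no findings"]:
        print(finding)
```

With no argument the script audits the constructed un-hardened sample and reports four findings (TRACE, X-Powered-By, the listing and the served index.php~); with a hostname it probes the live server.  The hardened sample produces no findings.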

These few things will make your web servers much more secure.
