How to disable SSLv3 in Nginx (protect against the POODLE vulnerability)

SSL 3.0 is an obsolete and insecure protocol, most recently hit by the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, CVE-2014-3566. A man-in-the-middle attacker first forces the client to fall back from TLS to SSLv3 and then abuses the padding oracle in SSLv3's CBC cipher suites to recover plaintext, typically a session cookie, one byte at a time.

SSLv3 has been superseded by TLS, which all modern browsers support, so it is safe to disable SSLv3 on the server. Disabling it, rather than merely preferring TLS, is what closes the hole: the downgrade only works while the server still accepts SSLv3.
Continue reading
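To make the nginx change concrete, here is an added shell example (mine, not from the original post): it writes a vulnerable and a corrected `server` block into a scratch directory and then audits every `*.conf` file there for an `ssl_protocols` directive that still admits SSLv3, treating a missing directive as vulnerable too, because nginx releases before 1.9.1 defaulted to `SSLv3 TLSv1 TLSv1.1 TLSv1.2`. The vhost contents, host name and certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits nginx vhost files for
# ssl_protocols settings that still admit SSLv3, the protocol POODLE needs.
# The two vhosts below are constructed; host name and certificate paths are
# placeholders.

# Weak: SSLv3 explicitly listed. This is also what nginx before 1.9.1 uses
# when the directive is omitted, since its built-in default included SSLv3.
WEAK_CONF='server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}'

# Fixed: SSLv3 removed; the server also chooses the cipher, not the client.
FIXED_CONF='server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}'

write_samples() {   # $1: directory that receives weak.conf and fixed.conf
    mkdir -p "$1"
    printf '%s\n' "$WEAK_CONF"  > "$1/weak.conf"
    printf '%s\n' "$FIXED_CONF" > "$1/fixed.conf"
}

# check_ssl_protocols FILE
#   0: ssl_protocols present and free of SSLv2/SSLv3
#   1: ssl_protocols present but still lists SSLv2 or SSLv3
#   2: no ssl_protocols directive at all (treated as vulnerable, see above)
check_ssl_protocols() {
    line=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | head -n 1)
    [ -n "$line" ] || return 2
    printf '%s\n' "$line" | grep -qE 'SSLv[23]' && return 1
    return 0
}

# audit_dir DIR: report every *.conf under DIR; returns the number of
# vulnerable files, so it can drive a cron alert or a deploy check.
audit_dir() {
    bad=0
    for f in "$1"/*.conf; do
        rc=0; check_ssl_protocols "$f" || rc=$?
        case $rc in
            0) echo "ok          $f" ;;
            1) echo "VULNERABLE  $f: SSLv2/SSLv3 listed in ssl_protocols"; bad=$((bad + 1)) ;;
            2) echo "VULNERABLE  $f: no ssl_protocols, old nginx default includes SSLv3"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Stand-alone run against the constructed samples.
SCRATCH=$(mktemp -d)
write_samples "$SCRATCH"
audit_dir "$SCRATCH" || echo "$? file(s) need 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' then: nginx -t && service nginx reload"
rm -rf "$SCRATCH"
```

After reloading, confirm from another host with `openssl s_client -connect www.example.com:443 -ssl3`: a fixed server answers with a handshake failure. That check needs an OpenSSL build that still speaks SSLv3, which current distributions no longer ship, so run it from a box that still has one or use an online scanner. An explicit `ssl_protocols` line in an old vhost overrides nginx's newer default, which is why the audit looks at every file rather than trusting the nginx version.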

How to detect if your server is vulnerable to the Shellshock bug and fix it

Shellshock is a security bug in the bash shell that affects Unix/Linux systems. Disclosed on September 24, 2014, it was given the maximum severity score of 10 by NIST. Debian installs bash by default, so you are almost certainly affected; what turns it into a remote hole is anything that hands attacker-controlled environment variables to bash (CGI scripts and the HTTP headers they receive, DHCP client hooks, an sshd ForceCommand), but patch either way.

To check whether your server is vulnerable, run this command. If the output contains the word "vulnerable" before "this is a test", bash is executing the code that trails a function definition imported from the environment, and it must be upgraded:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Continue reading

How to detect if your server is vulnerable to the Heartbleed OpenSSL bug and fix it

This is a serious bug affecting many servers, including Debian Wheezy (OpenSSL 1.0.1e; Squeeze's 0.9.8 is not affected). Act fast: everything is being scanned and information is being leaked right now!

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

It’s really easy to use the bug to steal information from affected systems without having any access to them or to their network. To check whether your server is vulnerable and see what information it is exposing you can use this python script:

To use the script, make sure you have python installed and run the following command:

Continue reading
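Whatever the probe says, the fix is the same, and patching is only half of it. The added shell example below (mine, not the post's script) compares the installed libssl1.0.0 with the version Debian shipped the fix in for wheezy (1.0.1e-2+deb7u5, from DSA-2896-1; confirm the number against the advisory for your release), then lists processes that still map the old, now deleted libssl and so keep serving with the vulnerable code until they are restarted. After that, revoke and reissue certificates and reset passwords and session tokens, since anything that was in the server's memory may already have been read.

```shell
#!/bin/sh
# Added example, not part of the original post. Debian wheezy specifics are
# assumed: library package libssl1.0.0, fixed version 1.0.1e-2+deb7u5
# (DSA-2896-1; confirm against the advisory for your release).
FIXED_VERSION=1.0.1e-2+deb7u5

# openssl_patched INSTALLED FIXED: 0 if INSTALLED >= FIXED in Debian version order.
openssl_patched() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback off Debian: GNU sort -V orders these version strings the same way.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# installed_version PACKAGE: print the installed version, nothing if absent.
installed_version() {
    dpkg-query -W -f='${Version}\n' "$1" 2>/dev/null
}

# stale_libssl_pids: PIDs whose memory map still references a libssl that was
# replaced on disk (the "(deleted)" marker in /proc/PID/maps). Those processes
# keep running the vulnerable code until restarted.
stale_libssl_pids() {
    grep -ls 'libssl[^ ]* (deleted)$' /proc/[0-9]*/maps 2>/dev/null \
        | sed -n 's|^/proc/\([0-9]*\)/maps$|\1|p'
    return 0
}

# Stand-alone run.
if v=$(installed_version libssl1.0.0) && [ -n "$v" ]; then
    if openssl_patched "$v" "$FIXED_VERSION"; then
        echo "libssl1.0.0 $v: patched"
    else
        echo "libssl1.0.0 $v: VULNERABLE; run: apt-get update && apt-get install --only-upgrade openssl libssl1.0.0"
    fi
else
    echo "libssl1.0.0 not installed here (not a wheezy box?)"
fi
pids=$(stale_libssl_pids)
[ -z "$pids" ] || echo "restart these PIDs, they still use the old libssl: $pids"
```

If the stale-PID list includes sshd, apache2, nginx or your mail daemon, restart those services (or reboot); a patched library on disk does nothing for a process that loaded the old one.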

Secure SSH with Two-Factor Authentication (using Google Authenticator) on squeeze

Two-factor authentication adds an extra layer to the login process to stop unauthorized users from reaching your services or data. Normally you type only a username and password (something you know); with two-factor authentication you must additionally prove you have something (a mobile phone running Android, iOS or BlackBerry that generates one-time codes with the Google Authenticator app).

1. Download and install the Google Authenticator app on your phone. Instructions are here:
Continue reading
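The post's remaining steps are behind the link; as an added example of what the server side looks like (mine, not the post's text), here is the sshd and PAM configuration the Google Authenticator module needs on Debian, with a check that catches the two mistakes that silently defeat it: leaving `ChallengeResponseAuthentication no` (sshd then never asks for the code) and adding the module with `nullok` (users who never enrolled skip the second factor). It assumes the PAM module is installed as pam_google_authenticator.so (package libpam-google-authenticator on later releases, or built from source on squeeze) and that each user has run `google-authenticator` once to create ~/.google_authenticator. The sample config files are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Debian paths assumed:
# /etc/ssh/sshd_config and /etc/pam.d/sshd. Sample files below are constructed.

# sshd reads first-match: for each keyword the first value in the file wins,
# so a "yes" appended at the bottom does nothing if "no" appears above it.
sshd_option() {   # $1: config file, $2: keyword -> prints effective value
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_2fa_ready FILE: 0 when sshd will hand password logins to PAM's
# challenge-response stack, which is what pam_google_authenticator hooks.
sshd_2fa_ready() {
    [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = yes ] || return 1
    [ "$(sshd_option "$1" UsePAM)" = yes ] || return 1
    return 0
}

# pam_2fa_ready FILE: 0 when the module is "required" and not weakened with
# nullok, which would let users without ~/.google_authenticator skip the code.
pam_2fa_ready() {
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1" \
        | grep -qv nullok
}

write_2fa_samples() {   # $1: directory for the constructed before/after files
    mkdir -p "$1"
    # Debian default: challenge-response off, so the code is never asked for.
    printf '%s\n' 'Port 22' 'UsePAM yes' 'ChallengeResponseAuthentication no' \
        'PasswordAuthentication yes' > "$1/sshd_config.weak"
    printf '%s\n' 'Port 22' 'UsePAM yes' 'ChallengeResponseAuthentication yes' \
        'PasswordAuthentication yes' > "$1/sshd_config.fixed"
    # PAM: with "required", both the code and the password must pass.
    printf '%s\n' 'auth required pam_google_authenticator.so nullok' \
        '@include common-auth' > "$1/pam_sshd.weak"
    printf '%s\n' 'auth required pam_google_authenticator.so' \
        '@include common-auth' > "$1/pam_sshd.fixed"
}

audit_2fa() {   # $1: sshd_config path, $2: /etc/pam.d/sshd path; 0 if both ok
    ok=0
    if sshd_2fa_ready "$1"; then echo "sshd_config: ok"
    else echo "sshd_config: set 'ChallengeResponseAuthentication yes' and 'UsePAM yes' (first occurrence wins)"; ok=1; fi
    if pam_2fa_ready "$2"; then echo "pam: ok"
    else echo "pam: need 'auth required pam_google_authenticator.so' without nullok"; ok=1; fi
    return "$ok"
}

# Stand-alone run against the constructed samples.
SCRATCH=$(mktemp -d)
write_2fa_samples "$SCRATCH"
echo "--- before"; audit_2fa "$SCRATCH/sshd_config.weak"  "$SCRATCH/pam_sshd.weak"
echo "--- after";  audit_2fa "$SCRATCH/sshd_config.fixed" "$SCRATCH/pam_sshd.fixed"
rm -rf "$SCRATCH"
# On the real box: audit_2fa /etc/ssh/sshd_config /etc/pam.d/sshd, then
# "service ssh restart" while keeping an existing session open in case of lockout.
```

One limit worth knowing: public-key logins complete without running PAM's `auth` stack, so on squeeze's OpenSSH the one-time code guards password logins only. OpenSSH 6.2 and later can demand both with `AuthenticationMethods publickey,keyboard-interactive`; 5.5 cannot.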

Enable Active Directory / LDAP authentication in Apache

If you already have a central directory of users (AD or LDAP), you can point most applications at it instead of keeping a separate local user database per application, which makes user management much easier. Apache supports this, so here are instructions on how to password-protect a site or location against an LDAP directory.

In squeeze, the Apache LDAP module (mod_authnz_ldap, which relies on mod_ldap for its connection pool) is already installed with the Apache common package; you just need to enable and configure it.

1. Enable the LDAP module

a2enmod authnz_ldap
Continue reading
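Step 1 enables the module; the rest is a `<Location>` block. As an added example (mine, not the post's), here is an Apache 2.2 (squeeze) configuration for an AD-backed login together with a check for the setting that matters most: whether the bind, and with it every user's password, travels to the directory in clear. The check flags any `AuthLDAPURL` that neither uses `ldaps://` nor carries the `SSL`, `TLS` or `STARTTLS` mode keyword. dc1.example.com, the DNs, the CA path and the bind password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Apache 2.2 / squeeze syntax;
# dc1.example.com, the DNs, the CA path and the bind password are placeholders.

# Weak: plain ldap:// on 389 with no STARTTLS, so the bind DN's password and
# every user's password cross the network unencrypted.
WEAK_CONF='<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://dc1.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=apache-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "replace-me"
    Require valid-user
</Location>'

# Fixed: STARTTLS on the same port (or ldaps:// on 636), the CA pinned via
# mod_ldap, and access narrowed to one group instead of any directory user.
FIXED_CONF='LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ad-ca.pem
LDAPVerifyServerCert on
<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://dc1.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" STARTTLS
    AuthLDAPBindDN "CN=apache-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "replace-me"
    Require ldap-group CN=Intranet Users,OU=Groups,DC=example,DC=com
</Location>'

# authldapurl_encrypted FILE: 0 only if every AuthLDAPURL in FILE uses ldaps://
# or ends with the SSL/TLS/STARTTLS mode keyword; 1 if any is clear text or
# the file has no AuthLDAPURL at all.
authldapurl_encrypted() {
    awk '
        tolower($1) == "authldapurl" {
            n++
            if (index($2, "ldaps://")) next
            m = toupper($NF)
            if (m == "SSL" || m == "TLS" || m == "STARTTLS") next
            bad++
        }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    ' "$1"
}

write_ldap_samples() {   # $1: directory for the constructed before/after files
    mkdir -p "$1"
    printf '%s\n' "$WEAK_CONF"  > "$1/intranet-weak.conf"
    printf '%s\n' "$FIXED_CONF" > "$1/intranet-fixed.conf"
}

audit_ldap() {   # $1: directory of *.conf; returns the number of clear-text configs
    bad=0
    for f in "$1"/*.conf; do
        if authldapurl_encrypted "$f"; then echo "ok          $f"
        else echo "CLEAR TEXT  $f: add STARTTLS (or use ldaps://) to AuthLDAPURL"; bad=$((bad + 1)); fi
    done
    return "$bad"
}

# Stand-alone run against the constructed samples.
SCRATCH=$(mktemp -d)
write_ldap_samples "$SCRATCH"
audit_ldap "$SCRATCH" || echo "$? file(s) send passwords in clear"
rm -rf "$SCRATCH"
# On the box: put the fixed block in the vhost or /etc/apache2/conf.d/, chmod 640
# it (the bind password is in there), then: apache2ctl configtest && service apache2 reload
```

`AuthzLDAPAuthoritative` exists only in 2.2; on 2.4 drop that line and the rest still applies. `LDAPTrustedGlobalCert` has to sit in the server-wide config, not inside a `<VirtualHost>`.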

Scan your web server for vulnerabilities with Nikto on squeeze

Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, outdated versions of over 900 servers, and version-specific problems on over 250 servers. It is loud and makes thousands of requests, so run it only against servers you are responsible for.

1. Add non-free archive to apt sources (pico /etc/apt/sources.list)

deb squeeze main non-free
deb-src squeeze main non-free
Continue reading

Scan your server for rootkits with rkhunter

rkhunter (Rootkit Hunter) is a tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known-good ones from an online database, looking for the default directories rootkits use, wrong permissions, hidden files and suspicious strings in kernel modules, and running tests specific to Linux and FreeBSD. Its local file-property baseline (rkhunter --propupd) is only as trustworthy as the system was when you took it, so take it right after a clean install or upgrade, not once you already suspect a compromise.

1. Install rkhunter

apt-get install rkhunter
Continue reading

Prevent brute force attacks using fail2ban

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans addresses that keep failing by inserting firewall rules. By default fail2ban ships jails for ssh, apache and vsftpd, and its configuration is easily extended to any other text log. Add your own management addresses to ignoreip before enabling a jail, or a mistyped password will lock you out along with the attackers.

1. Install fail2ban

apt-get install fail2ban
Continue reading
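To see what fail2ban actually does with auth.log, here is an added example (mine, not from fail2ban or the post): a `jail.local` for the ssh jail with the `ignoreip` line you must not forget, and the ban rule itself (`maxretry` failures from one address within any `findtime`-second window) re-implemented in awk and run over a few constructed auth.log lines. The awk version only counts "Failed password" lines and does not apply `ignoreip`; host names, user names and addresses in the sample log are made up.

```shell
#!/bin/sh
# Added example, not part of the original post or of fail2ban itself.

# jail.local overrides jail.conf; the section is [ssh] on squeeze/wheezy
# ([sshd] in later releases). 198.51.100.0/24 stands in for your admin network.
JAIL_LOCAL='[DEFAULT]
ignoreip = 127.0.0.1/8 198.51.100.0/24
bantime  = 3600
findtime = 600
maxretry = 5

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log'

# Constructed auth.log extract: one noisy attacker, one legitimate typo, and
# a slow attacker that stays under the rate (all on the same day).
SAMPLE_AUTH_LOG='Oct 12 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 12 10:00:03 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 12 10:00:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 12 10:00:09 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Oct 12 10:00:12 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Oct 12 10:00:40 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Oct 12 10:00:58 web1 sshd[2210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Oct 12 10:05:00 web1 sshd[2301]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2
Oct 12 10:13:00 web1 sshd[2302]: Failed password for invalid user pi from 192.0.2.9 port 33002 ssh2
Oct 12 10:21:00 web1 sshd[2303]: Failed password for invalid user pi from 192.0.2.9 port 33003 ssh2
Oct 12 10:29:00 web1 sshd[2304]: Failed password for invalid user pi from 192.0.2.9 port 33004 ssh2
Oct 12 10:37:00 web1 sshd[2305]: Failed password for invalid user pi from 192.0.2.9 port 33005 ssh2'

# find_brute_forcers LOG MAXRETRY FINDTIME
# Prints each source address the moment it has MAXRETRY "Failed password"
# lines within any FINDTIME-second window (sliding window over that address's
# own failures), once per address. Timestamps are taken as seconds within the
# day, so a log that crosses midnight would need a date-aware version.
find_brute_forcers() {
    awk -v maxretry="$2" -v findtime="$3" '
        function tosec(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if (ip == "") next
            n[ip]++
            ts[ip, n[ip]] = tosec($3)
            if (n[ip] >= maxretry && !(ip in banned) &&
                ts[ip, n[ip]] - ts[ip, n[ip] - maxretry + 1] <= findtime) {
                banned[ip] = 1
                print ip
            }
        }' "$1"
}

# Stand-alone run with the jail defaults above (maxretry 5, findtime 600).
SCRATCH=$(mktemp -d)
printf '%s\n' "$JAIL_LOCAL" > "$SCRATCH/jail.local"     # copy to /etc/fail2ban/jail.local
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$SCRATCH/auth.log"
echo "would ban:"; find_brute_forcers "$SCRATCH/auth.log" 5 600
rm -rf "$SCRATCH"
```

The slow attacker at 192.0.2.9 never trips the rule because no five of its failures fall inside 600 seconds; raising `findtime` (or lowering `maxretry`) catches it at the price of more false positives on legitimate typos. fail2ban's real sshd filter also matches "Invalid user" and "authentication failure" lines, and the right way to test a filter change is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`.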