Short Notes on Security

From PaskvilWiki
Revision as of 10:40, 16 January 2012 by Admin (Talk | contribs)

Jump to: navigation, search


Note - serving of local files

Note: Often the initial installation of Apache has <Directory /> directive (directive for the root of the filesystem) set to "Allow from All", in [Apache config dir]/sites-available/default! This means that server can server any file from the file system, not just the files in the htdocs document folder, which you typically want!

To avoid this, simply change this to "Deny from All".

Self-Signed SSL Certificate

They might not pass as customer-friendly - in fact, if you need https/ssl for customer communication, you should always use signed certificates, as those do induce trust - but often you have private sections/domains/sites where self-signed is just fine... or you might just wanna test the ssl while waiting for the signed certificate.

Here are only listed steps to get to your certificate; for details and explanations, see e.g.

# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key
# openssl rsa -in -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# cp server.crt /etc/apache2/cert/ssl.crt
# cp server.key /etc/apache2/cert/ssl.key
# chmod 400 /etc/apache2/cert/ssl.crt /etc/apache2/cert/ssl.key

Enable SSL/HTTPS in Apache

HowTo: Use the following virtual host definition:

<VirtualHost *:443>
    ServerName ssl-name
    DocumentRoot /var/www/ssl/root
    SSLEngine on
    SSLCertificateFile /etc/apache2/server.crt
    SSLCertificateKeyFile /etc/apache2/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

where certificate file and the certificate key file are either authority-signed or self-signed certificate files (see above), and add

NameVirtualHost *:443
Listen 443

to /etc/apache2/ports.conf and restart Apache.

.htaccess and mod_rewrite Tricks

Mostly based on 17 Useful .htaccess Tricks and Tips


1. Set Timezone

2. SEO Friendly 301 Permanent Redirects

3. Skip the Download Dialogue

4. Skip or Force www.

5. Custom Error Pages

6. Compress Files

7. Cache Files

8. Disable Caching for Certain File Type

9. Redirect (Sections) to https://

10. Simple MVC using .htaccess

redirect all on handler script and act according to the request_uri

11. Provide Different Page Versions based on User Agent

redirect to light, full, ...


1. Hotlinking Protection with .htaccess

2. Prevent Hacks

3. Block Access to Your .htaccess File

4. Rename .htaccess Files

5. Disable Directory Browsing

6. Change Default Index Page

7. Block Unwanted Visitor based on Referring Domain

8. Blocking Request based on User-Agent Header

9. Secure Directories by Disabling Execution of Scripts


Password Generators

  • PHP - replace the '16' with length of the generated password (28 is most you can get):
$password = substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);

or, terminal version:

$ php -r "echo substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);"; echo
  • Bash - replace the '64' with length of the generated password (no real limit here), and change the characters class in tr -d as you please, to control what characters can be contained in the password; the characters class presented here are all characters that are treated as a part of the word in terminal (i.e. you can double-click the word and it gets selected as a whole):
$ cat /dev/urandom | tr -d -c "a-zA-Z0-9@#%&\-\_+=:,.?/" | head -c 64; echo

External Links