Tuesday, September 06, 2011

web server: a few notes on security hardening

server access hardening

1. don't allow root login over sshd, force protocol 2 and cap failed auth attempts
 in /etc/ssh/sshd_config, set
  Protocol 2
  PermitRootLogin no
  MaxAuthTries 3
 then run "sshd -t" to check that the file parses before reloading sshd. MaxAuthTries counts attempts per connection, so pair it with a rate limiter or fail2ban against many connections. Protocol 2 only matters on old OpenSSH; current releases no longer support protocol 1 and treat the keyword as a deprecated no-op.


2. restrict root logins to the console
 in /etc/securetty, remove all entries except "console"
 login(1) via pam_securetty only lets root in on the ttys listed here, so this covers the virtual consoles and serial lines. sshd does not normally consult securetty, which is why step 1 sets PermitRootLogin separately.

3. set an idle shell timeout
 in /etc/profile, add
  TMOUT=7200
 the value is seconds (7200 = 2 hours); bash and ksh exit an interactive shell that sits idle at the prompt that long. Export it and mark it read-only (readonly TMOUT) so users cannot unset it in their own rc files. It does not cover a shell that is busy running a command.

4. set a password policy
 in /etc/login.defs, set
  PASS_MAX_DAYS 30
  PASS_MIN_LEN 8
 these defaults apply to accounts created from now on; push the maximum age onto existing accounts with "chage -M 30 <user>". On PAM-based systems (most current distributions) length and complexity are enforced by pam_cracklib or pam_pwquality in /etc/pam.d, not by PASS_MIN_LEN, so set the minimum there as well.
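As an added example (not from the original post), the four steps above as one idempotent shell script. Every function takes the file it edits as an argument, so the demo at the bottom runs on constructed copies in a temp dir; pointed at /etc/ssh/sshd_config, /etc/securetty, /etc/profile and /etc/login.defs as root it applies the settings for real. The helper names and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent helpers for the
# four server-access steps. Each function takes the file it edits as an
# argument; the demo at the bottom works on constructed copies in a temp dir.

# set_option FILE KEY VALUE
# Rewrite an existing "KEY value" line (active or "#KEY"-commented) to
# "KEY VALUE", or append one if the key is absent. The result is written back
# through cat so the target keeps its owner, mode and inode. Caveat for
# sshd_config: an appended line lands at the end of the file, i.e. inside a
# trailing Match block if there is one; move it above the block in that case.
set_option() {
    local file key value tmp
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if grep -Eq "^[[:space:]]*#?$key([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?$key([[:space:]].*)?\$|$key $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        [ -s "$tmp" ] && [ "$(tail -c 1 "$tmp")" ] && echo >> "$tmp"   # missing final newline
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_option FILE KEY -> value of the active (uncommented) KEY line, if any
get_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# step 1: protocol 2, no root login, three authentication attempts per connection
harden_sshd() {
    set_option "$1" Protocol 2
    set_option "$1" PermitRootLogin no
    set_option "$1" MaxAuthTries 3
    # validate before reloading: "sshd -t" exits 0 only when the file parses
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" && echo "$1: parses, reload sshd to apply" \
                        || echo "$1: sshd -t reported a problem" >&2
    fi
}

# step 2: root may log in on the physical console only (old file kept as .bak)
harden_securetty() {
    cp -p "$1" "$1.bak"
    printf 'console\n' > "$1"
}

# step 3: idle shell timeout in seconds (default 7200 = 2 h), exported and
# made read-only so a user's own rc files cannot unset it
set_idle_timeout() {
    grep -q '^export TMOUT=' "$1" && return 0
    printf '\nexport TMOUT=%s\nreadonly TMOUT\n' "${2:-7200}" >> "$1"
}

# step 4: ageing and length defaults for accounts created from now on
harden_login_defs() {
    set_option "$1" PASS_MAX_DAYS 30
    set_option "$1" PASS_MIN_LEN 8
}

# login.defs does not touch existing accounts: apply the 30-day maximum to
# every human account (UID 1000-59999) with chage. Needs root; not run below.
age_existing_accounts() {
    awk -F: '$3 >= 1000 && $3 < 60000 { print $1 }' /etc/passwd |
        while read -r user; do chage -M 30 "$user"; done
}

# --- demo on constructed sample files; the system's own files are untouched ---
demo() {
    local d f
    d=$(mktemp -d) || return 1
    printf '#Protocol 2,1\nPermitRootLogin yes\n#MaxAuthTries 6\nX11Forwarding yes\n' > "$d/sshd_config"
    printf 'console\ntty1\ntty2\nttyS0\n' > "$d/securetty"
    printf '# /etc/profile sample\nexport PATH\n' > "$d/profile"
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\n' > "$d/login.defs"

    harden_sshd "$d/sshd_config"
    harden_securetty "$d/securetty"
    set_idle_timeout "$d/profile"
    harden_login_defs "$d/login.defs"

    for f in sshd_config securetty profile login.defs; do
        printf '== %s\n' "$f"; cat "$d/$f"
    done
    rm -rf "$d"
}
demo
```

Running the script as-is only prints the hardened copies; to apply, source it and call e.g. `harden_sshd /etc/ssh/sshd_config` followed by `age_existing_accounts` as root. Back up /etc first and keep a second SSH session open until `sshd -t` and a fresh login have succeeded.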


web access hardening

1. disable the HTTP TRACE method (TRACE echoes the request back, cookies and auth headers included, which is what cross-site tracing abuses)
 in /usr/local/apache2/conf/httpd.conf, set
  TraceEnable off
 this is a core directive (httpd 1.3.34, 2.0.55 and 2.2 onward) and makes the server answer TRACE with 405. Turning mod_rewrite off does nothing for TRACE; on older builds the fix was a mod_rewrite rule that matches REQUEST_METHOD against ^(TRACE|TRACK) and returns [F]. TRACK is an IIS method; Apache does not implement it and rejects it anyway.

2. serve a custom 413 error page (the stock 413 page of old Apache 2.x copied the request method into its text unescaped, a cross-site scripting vector)
 in /usr/local/apache2/conf/httpd.conf, uncomment
  ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
 the .html.var pages need the "Alias /error/" line and mod_negotiation from the same error-document stanza (in 2.2 it lives in conf/extra/httpd-multilang-errordoc.conf). Upgrading to an httpd that no longer reflects the method is the real fix; any custom page must not reflect request data either.

3. use SSL (HTTPS) at least for the pages that handle logon credentials, preferably for the entire site, so credentials and session cookies never cross the wire in clear; redirect http:// to https:// and set the Secure flag on the session cookie so browsers never send it over plain HTTP

4. implement input validation and output encoding in the application (the server-side fixes above do nothing for user input reflected by your own pages, the usual cross-site scripting case); see owasp.org for details

5. ignore any session id supplied by the client; generate a fresh session id after successful authentication and invalidate the old one, otherwise an attacker who planted a known id before login owns the authenticated session (session fixation); see owasp.org for details
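As an added example (not from the original post), the checks a tester would run against the hardened server for items 1, 2, 3 and 5 above. The parse functions take captured response text, so the demo at the bottom runs offline on constructed responses; probe_trace and probe_cookies wrap curl to fetch real ones. Host names, cookie names, function names and the sample responses are all this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: response checks for the
# web-hardening items. Sample responses below are constructed, not captured.

# status_code RESPONSE -> the three-digit code from the first status line
status_code() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# body RESPONSE -> everything after the blank line that ends the headers
body() {
    printf '%s\n' "$1" | awk 'body { print } /^\r?$/ { body = 1 }'
}

# item 1: trace_disabled RESPONSE succeeds if a TRACE request was refused.
# "TraceEnable off" answers 405, a mod_rewrite [F] rule answers 403, and
# Apache answers 501 to methods it does not implement (TRACK among them).
# A 200 with a message/http body means the server echoed the request back.
trace_disabled() {
    case "$(status_code "$1")" in
        403|405|501) return 0 ;;
        *)           return 1 ;;
    esac
}

# item 2: method_reflected METHOD RESPONSE succeeds (bad) if the request
# method appears verbatim in the body. Old Apache 2.x 413 pages copied the
# method into the text unescaped, so a method of "<script>..." came back as
# live markup; an HTML-escaped copy (&lt;script&gt;) does not match.
method_reflected() {
    body "$2" | grep -qF -- "$1"
}

# item 3: cookies_hardened HEADERS succeeds only if there is at least one
# Set-Cookie line and every one of them carries both Secure and HttpOnly.
cookies_hardened() {
    local lines
    lines=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Set-Cookie:') || return 1
    printf '%s\n' "$lines" | awk '
        tolower($0) !~ /; *secure/ || tolower($0) !~ /; *httponly/ { bad = 1 }
        END { exit bad }'
}

# cookie_value HEADERS NAME -> value NAME was set to (empty if not set)
cookie_value() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^[Ss]et-[Cc]ookie: *$2=\([^;]*\).*/\1/p" | head -n 1
}

# item 5: session_rotated BEFORE AFTER NAME succeeds if the NAME cookie issued
# before login differs from the one in the login response. A server that keeps
# the pre-login id is open to fixation: the attacker plants an id, the victim
# logs in with it, and the attacker's id is now authenticated.
session_rotated() {
    local old new
    old=$(cookie_value "$1" "$3"); new=$(cookie_value "$2" "$3")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# live probes (need network; not used by the demo)
probe_trace() {    # probe_trace https://host/
    local r
    r=$(curl -s -i -X TRACE --max-time 10 "$1") || return 2
    if trace_disabled "$r"; then echo "TRACE refused with $(status_code "$r")"
    else echo "TRACE ENABLED on $1"; return 1; fi
}
probe_cookies() {  # probe_cookies https://host/login
    local r
    r=$(curl -s -I --max-time 10 "$1") || return 2
    if cookies_hardened "$r"; then echo "cookies carry Secure and HttpOnly"
    else echo "cookie flags missing on $1"; return 1; fi
}

# --- constructed sample responses for the offline demo ---
TRACE_ON='HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: www.example.test'
TRACE_OFF='HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST'
R413_RAW='HTTP/1.1 413 Request Entity Too Large
Content-Type: text/html

<p>The requested resource does not allow request data with <script>alert(1)</script> requests.</p>'
R413_ESC='HTTP/1.1 413 Request Entity Too Large
Content-Type: text/html

<p>The requested resource does not allow request data with &lt;script&gt;alert(1)&lt;/script&gt; requests.</p>'
PRE_LOGIN='HTTP/1.1 200 OK
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly'
POST_LOGIN='HTTP/1.1 302 Found
Set-Cookie: SESSIONID=9f8e7d6c; Path=/; Secure; HttpOnly'
WEAK_COOKIE='HTTP/1.1 200 OK
Set-Cookie: SESSIONID=abc123; Path=/'

report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi; }
report trace_disabled "$TRACE_OFF"
report trace_disabled "$TRACE_ON"                                 # FAIL: TRACE still on
report cookies_hardened "$PRE_LOGIN"
report cookies_hardened "$WEAK_COOKIE"                            # FAIL: flags missing
report session_rotated "$PRE_LOGIN" "$POST_LOGIN" SESSIONID
method_reflected '<script>alert(1)</script>' "$R413_RAW" && echo "FAIL 413 page reflects the method unescaped"
method_reflected '<script>alert(1)</script>' "$R413_ESC" || echo "ok   413 page escapes the method"
```

Against a live server, `probe_trace https://www.example.test/` and `probe_cookies https://www.example.test/login` give the item 1 and item 3 verdicts; for item 5 capture the headers of the login page and of the login POST with `curl -i` and pass both to session_rotated with your session cookie's name.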
