Tag Archives: mod_security

Remove Apache 2.4 version signature @ Ubuntu 15.04

Forbidden

You don’t have permission to access /galleries/ on this server.

 

Ubuntu 15.04
Apache/2.4.10 (Ubuntu)

Remove Apache version signature
nano /etc/apache2/conf-enabled/security.conf

Uncomment the ServerTokens Prod line, or add it if it is missing.
Uncomment the ServerSignature Off line, or add it if it is missing.

Remove PHP version from headers

I guess that by default they are disabled, but in any case you can remove it by editing php.ini and setting expose_php to Off.

sudo nano /etc/php5/apache2/php.ini
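
To confirm the three settings took effect, the following added check (not part of the original post) reads an HTTP response, for example from curl -si http://localhost/, and flags the Server header, the X-Powered-By header and the error-page signature footer. The function name audit_response and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. audit_response is a hypothetical helper.
# Reads an HTTP response (headers, optionally followed by a body) on stdin.
# Prints one LEAK line per finding; returns 1 if anything leaks, 0 otherwise.
audit_response() {
    awk '
        BEGIN { hdr = 1 }
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        hdr && /^$/ { hdr = 0; next }       # blank line ends the header block
        hdr && tolower($0) ~ /^server:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v)
            # With ServerTokens Prod the value is only the product name
            if (v ~ /[0-9(]/) { print "LEAK Server header: " v; bad = 1 }
        }
        hdr && tolower($0) ~ /^x-powered-by:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v)
            # With expose_php = Off PHP does not send this header
            print "LEAK X-Powered-By header: " v; bad = 1
        }
        # With ServerSignature Off error pages carry no <address> footer
        !hdr && /<address>.*Server at / { print "LEAK signature footer: " $0; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample responses (not captured from a real host).
BEFORE='HTTP/1.1 403 Forbidden
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.6.4

<h1>Forbidden</h1>
<address>Apache/2.4.10 (Ubuntu) Server at example.test Port 80</address>'

AFTER='HTTP/1.1 403 Forbidden
Server: Apache

<h1>Forbidden</h1>'

printf '%s\n' "$BEFORE" | audit_response || echo "before: version details exposed"
printf '%s\n' "$AFTER" | audit_response && echo "after: no version details exposed"
```

Apache has to be reloaded after the edits before a live response reflects them.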

NAXSI: protecting websites with Nginx

NAXSI stands for Nginx Anti XSS & SQL Injection. Put simply, it is a web application firewall (WAF) for Nginx that protects against XSS, SQL injection, CSRF, and local and remote file inclusion. NAXSI is known for being fast and simple to configure. It is a good alternative to Apache's mod_security.

What would you need NAXSI for?

Obviously, the best protection against attacks is correctly written code, but in some situations a WAF, and NAXSI in particular, can help:

  • low-quality site code with no resources or opportunity to rewrite it;
  • closed-source code in which fixing mistakes is impossible;
  • code of unknown and unpredictable quality (e.g. shared hosting).

Read more at http://howtounix.info/howto/naxsi-nginx-firewall

Got it from my friend from hexcode.org