Tag Archives: security

Ubuntu 16.04 LTS tutorials

How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 16.04

https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-16-04

How to secure an Ubuntu 16.04 LTS server

https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics

The Perfect Server – Ubuntu 16.04 (Xenial Xerus) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1

https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

How To Protect WordPress with Fail2Ban on Ubuntu 14.04

https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-with-fail2ban-on-ubuntu-14-04

UFW Essentials: Common Firewall Rules and Commands

https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands

Other readings…

Potential ufw and fail2ban conflicts

http://askubuntu.com/questions/54771/potential-ufw-and-fail2ban-conflicts

Remove Apache 2.4 version signature @ Ubuntu 15.04

On Ubuntu 15.04 the stock error page gives away the exact Apache build in its footer:

Forbidden

You don’t have permission to access /galleries/ on this server.

Apache/2.4.10 (Ubuntu)

Remove Apache version signature

nano /etc/apache2/conf-enabled/security.conf

In that file, uncomment the ServerTokens Prod line (or add it), and uncomment the ServerSignature Off entry (or add it).

Remove PHP version from headers

I guess it is disabled by default, but in any case you can remove it by editing php.ini and setting expose_php to Off.

sudo nano /etc/php5/apache2/php.ini
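To verify the two edits above without trusting a visual scan of the files, here is an added check script (my own example, not code from the original post). It parses the two settings the way Apache and PHP resolve them (last active line wins, commented lines ignored) and also inspects a Server header value such as the one shown on the error page. The config texts embedded at the bottom are constructed samples, not the files Ubuntu ships.

```python
"""Added example (not code from the original post): audit the settings the
post edits by hand and check a captured Server header for a version string.
The config texts at the bottom are constructed samples, not the files
Ubuntu actually ships."""
import re


def apache_directive(conf_text, name):
    """Effective value of an Apache directive, lower-cased, or None if unset.
    Commented lines ('# ServerTokens Prod') are skipped, and the last active
    occurrence wins, which is how Apache resolves a repeated directive."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s+(\S+)", re.IGNORECASE)
    value = None
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            value = m.group(1).lower()
    return value


def php_ini_value(ini_text, key):
    """Effective value of a php.ini 'key = value' line, lower-cased, or None.
    Lines starting with ';' are php.ini comments and never match."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(\S*)", re.IGNORECASE)
    value = None
    for line in ini_text.splitlines():
        m = pattern.match(line)
        if m:
            value = m.group(1).lower()
    return value


def audit_apache(conf_text):
    """True only when ServerTokens is Prod and ServerSignature is Off."""
    return (apache_directive(conf_text, "ServerTokens") == "prod"
            and apache_directive(conf_text, "ServerSignature") == "off")


def audit_php(ini_text):
    """True when expose_php is disabled (PHP accepts Off or 0)."""
    return php_ini_value(ini_text, "expose_php") in ("off", "0")


def server_header_leaks_version(header_value):
    """True if a Server header still carries a version or OS token, e.g.
    'Apache/2.4.10 (Ubuntu)'; with ServerTokens Prod it is just 'Apache'."""
    return re.search(r"/\d|\(", header_value) is not None


# Constructed samples: a stock-looking configuration and a hardened one.
SECURITY_CONF_DEFAULT = """\
# ServerTokens Prod
ServerTokens OS
ServerSignature On
"""
SECURITY_CONF_HARDENED = """\
ServerTokens Prod
ServerSignature Off
"""
PHP_INI_DEFAULT = """\
; expose_php = Off
expose_php = On
"""
PHP_INI_HARDENED = "expose_php = Off\n"

if __name__ == "__main__":
    # On a real host read the live files instead of the samples, e.g.
    # open("/etc/apache2/conf-enabled/security.conf").read()
    for label, conf in (("default", SECURITY_CONF_DEFAULT), ("hardened", SECURITY_CONF_HARDENED)):
        print("security.conf (%s): %s" % (label, "ok" if audit_apache(conf) else "version still exposed"))
    for label, ini in (("default", PHP_INI_DEFAULT), ("hardened", PHP_INI_HARDENED)):
        print("php.ini (%s): %s" % (label, "ok" if audit_php(ini) else "expose_php still on"))
    print("Server header leaks version:", server_header_leaks_version("Apache/2.4.10 (Ubuntu)"))
```

The file check only tells you what the configuration says; after reloading Apache, confirm the running server with `curl -I http://your-host/` and look at the Server header (and at X-Powered-By, which PHP adds while expose_php is on) before calling the change done.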

A bunch of security tools for Ubuntu

Ubuntu CIS Benchmark

This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu 12.04 LTS Server. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].

https://benchmarks.cisecurity.org/tools2/ubuntu/CIS_Ubuntu_12.04_LTS_Server_Benchmark_v1.0.0.pdf

Apache CIS Benchmark

This document, CIS Apache 2.4 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions 2.4 running on Linux. This guide was tested against Apache Web Server 2.4.3 – 2.4.6 as built from source httpd-2.4.x.tar.gz from http://httpd.apache.org/ on Linux. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].

https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_HTTP_Server_2.4_Benchmark_v1.1.0.pdf

Got it from http://askubuntu.com/questions/447144/basic-security-tools-and-packages-that-should-be-installed-on-a-public-facing-we

nginx – allow only one IP to access the domain/subdomain

Restricting Access

Access can be allowed or denied by the IP address of a client or by using HTTP basic authentication. To allow or deny access from a certain set of addresses, or all addresses, use the allow and deny directives:

location / {
    # nginx stops at the first matching rule, so the single-host deny has to
    # come before the broader allow that would otherwise swallow it.
    deny  192.168.1.2;
    # 192.168.1.1/24 is the same network; written in canonical form so nginx
    # does not warn about meaningless low address bits.
    allow 192.168.1.0/24;
    allow 127.0.0.1;
    deny  all;
}

Copy & paste from http://nginx.com/resources/admin-guide/restricting-access/
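Rule order is the part people get wrong with allow/deny, so here is an added example (my own code, not part of nginx or of the original post) that models how the access module evaluates a rule list: rules are checked in sequence, the first match decides, and a client that matches nothing is allowed. It also flags rules that can never fire because an earlier, broader rule already covers them. Both rule lists are constructed; `RULES_SHADOWED` is the order the post originally showed.

```python
"""Added example, not nginx code: a model of allow/deny evaluation (first
matching rule wins, unmatched clients are allowed) used to show why rule
order matters.  The rule lists are constructed."""
import ipaddress

# Working order: the single-host deny precedes the /24 allow.
RULES_ORDERED = [
    ("deny", "192.168.1.2"),
    ("allow", "192.168.1.0/24"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]

# Same rules with the deny after the broader allow: the deny can never fire.
RULES_SHADOWED = [
    ("allow", "192.168.1.1/24"),
    ("allow", "127.0.0.1"),
    ("deny", "192.168.1.2"),
    ("deny", "all"),
]


def parse_rule(action, target):
    """'all' becomes None (matches everything); anything else is a network.
    A bare address is a /32 or /128, and host bits beyond the mask are
    dropped, so 192.168.1.1/24 means 192.168.1.0/24."""
    if target == "all":
        return action, None
    return action, ipaddress.ip_network(target, strict=False)


def is_allowed(client_ip, rules):
    """Walk the rules in order and return the decision of the first match.
    With no matching rule the request is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        action, net = parse_rule(action, target)
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule already
    covers every address they cover."""
    parsed = [parse_rule(a, t) for a, t in rules]
    dead = []
    for j, (_, net_j) in enumerate(parsed):
        for _, net_i in parsed[:j]:
            covered = net_i is None or (
                net_j is not None
                and net_j.version == net_i.version
                and net_j.subnet_of(net_i)
            )
            if covered:
                dead.append(j)
                break
    return dead


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.50", "127.0.0.1", "10.0.0.1"):
        print(ip, "ordered:", is_allowed(ip, RULES_ORDERED),
              "shadowed:", is_allowed(ip, RULES_SHADOWED))
    print("dead rules in shadowed list:", shadowed_rules(RULES_SHADOWED))
```

For the single-IP case in the post title the list collapses to `allow <your-ip>; deny all;`, and the same first-match logic applies: put the `deny all` last, and remember that a client arriving through a reverse proxy is seen with the proxy's address unless the real-IP module has been configured.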

InfiniteWP – self-hosted multiple WordPress management platform

I run several WP blogs/sites, for me and for my clients.
Three of my WP blogs get 1.5K users per day; they aren’t huge, but they might get some extra attention from hackers.
WordPress these days has had some huge security vulnerabilities, in WordPress itself and in well known plugins like JetPack!

One of my clients uses InfiniteWP.
I might try this out!

What is InfiniteWP?
InfiniteWP is a free, self-hosted multiple WordPress management platform that simplifies your WordPress management tasks into a simple click of a button.

TOP FEATURES
One Master Login: one-click access to all your WordPress dashboards. Forget your passwords once and for all.
One-click updates: click the Update All button like a boss and update everything – WP core, plugins and themes.
Instant Backup & Restore: create backups of all your WordPress sites simultaneously. Restore backups instantly.
Manage Plugins & Themes: activate, deactivate and delete plugins and themes in bulk. Bulk install favorite plugins with a single click.

On your WordPress you need to install the InfiniteWP plugin.
After installing and activating it, you will see a screen like this (screenshot):
Hit Copy details and, on the WP side, you are done.

On your InfiniteWP, at the bottom left you will see an Add Website button. Hit it!

Now, just paste the details copied from your WordPress blog. 🙂
Repeat this for all your blogs! 🙂

WordPress XML DOS

Major Security Vulnerability in WordPress, Drupal Could Take Down Websites

Nir Goldshlager, a security researcher from Salesforce.com’s product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

The vulnerability uses a well-known XML Quadratic Blowup Attack — and when executed, it can take down an entire website or server almost instantly.

WordPress and Drupal are used by millions of websites. The latest statistics from the World Wide Web Consortium (W3C) show WordPress alone powers nearly 23% of the web.

http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/
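The article names the attack class but not what a defender can do about it, so here is an added example (my own code, not from the article or from WordPress or Drupal) of a pre-parse check that bounds entity expansion. A quadratic blowup document defines one large internal entity and references it many times, so the expanded size is roughly entity length times reference count; the check computes that size from the DTD without ever building the expanded text and rejects the document before a real XML parser spends memory on it. The sample documents and the 1,000,000-byte limit are constructed assumptions for the example.

```python
"""Added example, not from the article: bound the expansion of internal DTD
entities before parsing, so a quadratic blowup document is rejected cheaply.
The sample documents and the limit below are constructed for the example."""
import re

MAX_EXPANSION = 1_000_000   # assumed ceiling on expanded entity bytes

ENTITY_DEF = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


def expanded_length(name, entities, seen=()):
    """Length an entity reference expands to, following nested references
    (so a chained expansion is measured too) without building the text.
    A reference cycle is an error in its own right and is reported as one."""
    if name in seen:
        raise ValueError("recursive entity: " + name)
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name not in entities:
        return len(name) + 2          # unknown reference: count it literally
    value = entities[name]
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - pos
        total += expanded_length(m.group(1), entities, seen + (name,))
        pos = m.end()
    return total + len(value) - pos


def entity_expansion_size(xml_text):
    """Total bytes every entity reference in the document body expands to."""
    entities = dict(ENTITY_DEF.findall(xml_text))
    # Everything after the internal subset's closing ']>' is the body.
    body = xml_text.split("]>", 1)[1] if "]>" in xml_text else xml_text
    return sum(expanded_length(m.group(1), entities)
               for m in ENTITY_REF.finditer(body))


def safe_to_parse(xml_text, limit=MAX_EXPANSION):
    """True when the document's entity expansion stays within the limit."""
    return entity_expansion_size(xml_text) <= limit


# Constructed documents: one short entity used once; one entity referenced
# repeatedly (the shape of a blowup, at toy size); one nested definition.
SAMPLE_BENIGN = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY co "Example Co">]>'
                 '<r>&co; &amp; partners</r>')
SAMPLE_REPEATED = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x "0123456789">]>'
                   '<r>&x;&x;&x;&x;&x;&x;</r>')
SAMPLE_NESTED = ('<!DOCTYPE r [<!ENTITY a "hi"><!ENTITY b "&a;&a;">]>'
                 '<r>&b;</r>')

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("repeated", SAMPLE_REPEATED),
                       ("nested", SAMPLE_NESTED)):
        size = entity_expansion_size(doc)
        # A tiny limit makes the repeated sample trip the check at toy size.
        print(label, "expands to", size, "bytes; within 50:", safe_to_parse(doc, limit=50))
```

In a real Python service the practical answer is the defusedxml package, which refuses documents with entity expansion rather than leaving it to a hand-written pre-check like this one; the example exists to make the size arithmetic behind the article's "almost instantly" visible.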

Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf