Tag: security

  • Securing Dokuwiki with nginx

    After migrating a server from Apache2.4 to nginx a Dokuwiki install was complaining about the following on the admin page:

    Dokuwiki security error with nginx
    Dokuwiki security error with nginx

     

    Previously .htaccess files were controlling access, which aren’t used by nginx. You can test your Dokuwiki install’s access by attempting to visit the following url:

     

    http://yourserver.com/data/pages/wiki/dokuwiki.txt

     

    If you can see any content there, you need to fix your permissions. We fixed this by adding the following to the site’s nginx config file (e.g. /etc/nginx/sites-available/sitename):

     

    location ~ ^/(data|conf|bin|inc) {
    deny all;
    }

     

    …in the same section as the other “location” stanzas, then restarted nginx (whether the latter is necessary or not I don’t know, force of habit).

  • How to protect your CentOS server from the Shellshock exploit

    Shellshock is quite a serious security hole found a couple of days ago in Bash; to check whether your CentOS server is vulnerable run the following in a terminal:

    env VAR='() { :;}; echo Shellshock vulnerable!' bash -c "echo Bash Testing"

    If your system is vulnerable, you will see:

    Shellshock vulnerable!

    Bash testing

    If it is not vulnerable, you will see:

    bash: warning: VAR: ignoring function definition attempt
    bash: error importing function definition for `VAR’
    Bash testing

    If you are vulnerable, you can update bash by running the following:

    sudo yum update bash

    Once the update has finished, run the code to check your vulnerability again and it should be sorted.

    
    
    
    
  • How to protect Debian from the Shellshock exploit

    Shellshock is quite a serious security hole found a couple of days ago in Bash; to check whether your Debian server is vulnerable run the following in a terminal:

    env VAR='() { :;}; echo Shellshock vulnerable!‘ bash -c “echo Bash Testing”

    If your system is vulnerable, you will see:

    Shellshock vulnerable!

    Bash testing

    If it is not vulnerable, you will see:

    bash: warning: VAR: ignoring function definition attempt
    bash: error importing function definition for `VAR’
    Bash testing

    If you are vulnerable, you can update bash by running the following:

    sudo apt-get update && sudo apt-get install --only-upgrade bash

    Once the update has finished, run the code to check your vulnerability again and it should be sorted.

    
    
    
    
  • How to protect Ubuntu against the Shellshock exploit

    Shellshock is quite a serious security hole found a couple of days ago in Bash; to check whether your Ubuntu server is vulnerable run the following in a terminal:

     

    env VAR='() { :;}; echo Shellshock vulnerable!‘ bash -c “echo Bash Testing”

     

    If your system is vulnerable, you will see:

     

    Shellshock vulnerable!

    Bash testing

     

    If it is not vulnerable, you will see:

     

    bash: warning: VAR: ignoring function definition attempt
    bash: error importing function definition for `VAR’
    Bash testing

     

    If you are vulnerable, you can update bash by running the following:

    sudo apt-get update && sudo apt-get install --only-upgrade bash

     

    Once the update has finished, run the code to check your vulnerability again and it should be sorted. NOTE! Only the currently-supported versions of Ubuntu will get the bash update – if you are running anything older (e.g. 13.04, 13.10 or anything older that isn’t a still-supported LTS release) you will need to update your Ubuntu install to have the above work.

  • Ubuntu: Securing your remote SSH logins with Denyhosts

    Being able to log in to your server remotely via SSH is an incredibly powerful way of remotely managing your system. With so many devices now able to support consoles (just about any current smartphone or current OS, really) you can check on things, update or make changes from just about anywhere.

     

    One of the less positive consequences of opening up your SSH port to the wider world is that you’re also exposing your server to everyone else in the world, not just yourself. There are many computers and virus-born botnets out there who scan IP addresses for open ports and try to brute-force their way in to steal data, generally cause destruction or create another bot. One good way of protecting yourself is installing a program which monitors the attempted logins via SSH and blocks any IP addresses which match an undesired pattern: Denyhosts.

     

    You can install denyhosts by entering the following:

     

    sudo apt-get install denyhosts

     

    This installs denyhosts on your system, which starts automatically once installed and also on boot. You can edit the settings with the following file:

     

    /etc/denyhosts.conf

     

    Blocked IPs are listed in:

     

    /etc/hosts.deny

     

    It’s not unusual to have hundreds of entries after a couple of months. The default settings are reasonably good; you do have the freedom to make them as lenient or paranoid as you care to which is handy for tailoring it to your specific needs (e.g. strict rules re: logging in as accounts that don’t exist or the root account). Be aware that if you mistype your own password enough times you may ban your ou cown IP address, which might be inconvenient if you don’t have physical access to the server or another IP to fix!

     

    Denyhosts is a quick, easy and powerful way to begin securing your SSH-accessible servers – as far as we’re concerned it or an equivalent program are a must if you’re opening up a SSH port to the outside world.