Adding nginx to the LAMP stack for performance

The Apache HTTP Server is a very flexible server that can be used with almost all open source projects with little to no customisation due to Apache’s ubiquity within the community, however being a jack of all trades unfortunately means it isn’t necessarily a master of everything. One of the more commonly cited issues with Apache HTTP, is that its resource usage is more considerable compared to other options available, which can lead to issues when under heavy load.

In order to obtain the benefits of lower resource usage, there are plenty of other options available such as the choice for this article of nginx as well as others such as Apache Traffic Server or lighttpd, however making use of these options as your server software of choice may lead to compatibility issues with your applications. To avoid any of these issues, this article outlines how to add nginx into the mix, without losing Apache.

Continue reading “Adding nginx to the LAMP stack for performance”

Example iptables configuration for Web Servers

Setting up a host based firewall on your server to protect it from the nasties of the internet is a very simple step, that can easily backfire when you lock yourself out of SSH….

Below is a very simple script to setup basic firewall restrictions for a web server such as Apache or Nginx, allowing the below:

  • Allow all traffic from the server to its local loopback interface – this is needed for lots of system and application level functions
  • Allow ports 80 and 443 inbound access from all sources for your HTTP and HTTPS websites
  • Allow all connections outbound from your server to the internet and allow the reply traffic from those connection – this is needed to connect to repositories, APIs, send email etc.
  • Allow SSH inbound connections from the internet, but at the same time, blocking anyone trying to connect more than 4 times a minute in order to prevent easy SSH Brute Forcing

Continue reading “Example iptables configuration for Web Servers”

SSL Certificate discovery script

Heartbleed…. well….if you were vulnerable you need to replace (and importantly re-key) all your certificates that may have had their private keys revealed. Remember that although it is only OpenSSL that was vulnerable, if you use a certificate on multiple platforms, you will need to re-certificate everything, not just the devices running the now patched OpenSSL.

Not only is the task of identifying all your vulnerable devices a task in itself, finding where all your certificates are to begin the process of re-installation can be a pretty impressive feat on its own.

Scripting a discovery scan

The below bash script can be used to complete a scan against a list of IP addresses or DNS entries and will report back on the Common Name of the certificate installed.

Continue reading “SSL Certificate discovery script”

Best practice Apache SSL configuration – Ciphers

Upon installation, the default Apache SSL configuration for SSL standards are not optimal and will achieve low scores when run through SSL implementation testing services such as Qualys’ SSL Labs.

The below configuration lines can be added to your Apache configuration to achieve a higher grade and improve the security of your SSL/HTTPS implementation using Apache and OpenSSL. As of February 2014 this configuration achieves an “A-” on the Qualys results when using RedHat/CentOS operating system and standard repo installations of Apache and OpenSSL. The main reason that the result is not better is due to the fact that RedHat currently has concerns over “possible patent issues”.

Continue reading “Best practice Apache SSL configuration – Ciphers”

Obscuring PHP and Apache versions for security best practice

Allowing the malicious users of the world more information than is absolutely necessary doesn’t make sense and is simply inviting them to run automated scanning tools to discover old and outdated versions of PHP and Apache before attempting to breach the system using known vulnerabilities with that version. Although it will not completely hide the fact you are using either system, you can easily remove the HTTP headers that are sent as part of every response by PHP and Apache, advertising their version number.

To reduce the security risk of your server, you should implement this, but remember that it will not hide the fact that you are using either software, it will simply not advertise the fact.

Continue reading “Obscuring PHP and Apache versions for security best practice”