Sync time in Ubuntu

To synchronize the time on your Ubuntu machine with your domain controller or another time server, perform the following steps:

1) Install the NTP server.

sudo apt-get install ntp

2) Modify the list of NTP servers to use for synchronization.

vim /etc/ntp.conf
server 0.europe.pool.ntp.org iburst


Apache Digest Authentication

Create the user/password file:

htdigest -c C:/Apache/conf/.passfile RESTRICTED user1

Configure httpd.conf to require authentication, except for clients in the 192.168.1.0/24 subnet:

<Directory "C:/Apache/htdocs">
    AuthName "RESTRICTED"
    AuthType Digest
    AuthUserFile "C:\apache\conf\.passfile"
    Require valid-user
    Order allow,deny
    Allow from 192.168.1.0/24
    Satisfy Any
</Directory>

Apache HTTPS Configuration

  • Navigate to the folder containing the openssl.cnf file (Apache2.4/conf) and execute the commands:
openssl req -config openssl.cnf -new -out certificate.csr -keyout certificate.pem
openssl rsa -in certificate.pem -out certificate.key
openssl x509 -in certificate.csr -out certificate.crt -req -signkey certificate.key -days 3650
The first command creates a passphrase-protected private key (certificate.pem) and a signing request; the second writes an unencrypted copy of the key so Apache can start without a passphrase prompt; the third self-signs the request for 3650 days.
  • Enable mod_ssl in httpd.conf or by executing a2enmod ssl.
  • Configure httpd.conf:
Listen 443
<VirtualHost *:443>
    ServerName test.com
    ServerAlias www.test.com
    SSLEngine On
    SSLCertificateFile "Path To certificate.crt"
    SSLCertificateKeyFile "Path To certificate.key"
    DocumentRoot "Path to Document root"
</VirtualHost>

Apache Reverse Proxy Configuration

# Catch-all host: requests that match no named VirtualHost get a 503
<VirtualHost *:80>
    ServerName default
    Redirect 503 /
</VirtualHost>

<VirtualHost *:80>
    ServerName site1.com
    ServerAlias www.site1.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /site2 http://192.168.0.14:8080/site1/
    ProxyPassReverse /site2 http://192.168.0.14:8080/site1/
    ProxyPass / http://192.168.0.14:8080/
    ProxyPassReverse / http://192.168.0.14:8080/
    # Canonicalize www.site1.com to site1.com with a permanent redirect
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.site1\.com$ [NC]
    RewriteRule ^(.*)$ http://site1.com$1 [L,R=301]
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.com
    ServerAlias www.site2.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://192.168.0.15:8080/
    ProxyPassReverse / http://192.168.0.15:8080/
    # Only the internal subnet may reach the proxied site2 backend
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.0.0/24
    </Proxy>
</VirtualHost>

Top 10 Apache Security Configurations

Document root directory: /var/www/html or /var/www
Apache configuration file: /etc/apache/apache2.conf or /etc/httpd/conf/httpd.conf
Apache access log: /var/log/httpd/access_log
Apache error log: /var/log/httpd/error_log

1. Make sure you have the latest Apache updates

2. Disable unused modules

3. Change Apache user account

Create a dedicated Linux user and group for Apache:

# groupadd webuser
# useradd -d /var/www/ -g webuser -s /bin/nologin webuser

After creating the user, tell Apache to run as this user by setting the following directives in the configuration file:

User webuser
Group webuser

4. Remove version from Custom Error Pages

ServerSignature Off
ServerTokens Prod
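A small checker for the settings in items 3 and 4, added here as an example; it is not code from the original post or from the Apache project. It also covers the ProxyRequests Off setting from the reverse proxy section above, and runs over a constructed httpd.conf fragment embedded in the code (a real file can be passed in as one string):

```python
# Constructed sample httpd.conf fragment (not taken from any real server);
# it mixes the directives shown above with deliberately weak settings.
SAMPLE_CONF = """\
# global settings
ServerTokens Full
ServerSignature On
User root
Group root
ProxyRequests On
<VirtualHost *:443>
    SSLEngine On
</VirtualHost>
"""

def parse_directives(conf):
    """Return {name: last value} for the directives in a config text.
    Directive names are case-insensitive in Apache, so keys are lower-cased;
    comments, blank lines and <Section> tags are skipped, and a later
    occurrence overrides an earlier one, as Apache does within one scope."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return found

def audit(conf):
    """Return findings against items 3 and 4 above plus the open-proxy check
    implied by the ProxyRequests Off lines in the reverse proxy section.
    An empty list means every check passed."""
    d = parse_directives(conf)
    findings = []
    if d.get("servertokens", "full").lower() != "prod":
        findings.append("ServerTokens should be Prod (default Full discloses version and OS)")
    if d.get("serversignature", "off").lower() != "off":
        findings.append("ServerSignature should be Off (else error pages carry the version)")
    for who in ("user", "group"):
        if d.get(who, "root") == "root":
            findings.append(who.capitalize() + " is missing or root; use a dedicated non-root account")
    if d.get("proxyrequests", "off").lower() == "on":
        findings.append("ProxyRequests On makes the server an open forward proxy")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```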


Secure your Web Server (Cipher Suites)

To have a secure website it’s not enough to install a certificate; you also need to configure the server to use the right cryptographic and hashing algorithms.

1. For IIS web servers, the following tool helps you configure the correct cipher suites:

IIS CRYPTO

2. For other Web Servers (Apache, Nginx) use the following link to configure the server:

https://wiki.mozilla.org/Security/Server_Side_TLS

3. Also make sure to enable HTTP Strict Transport Security.

You can also verify the security of your website here: https://www.ssllabs.com/ssltest/

Postfix outgoing server authentication (SASL)

Postfix, by default, only allows IPs from “mynetworks” to relay messages through the server. If you want your users to send email from any location with a mail client such as Thunderbird or Outlook, you need to enable outgoing server authentication (SASL).

1. Edit /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

2. Edit /etc/dovecot/dovecot.conf

auth default {
    mechanisms = plain login
    passdb pam {
    }
    userdb passwd {
    }
    user = root
    socket listen {
      client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
      }
    }
}

3. Restart dovecot and postfix.