Showing posts with label Vulnerability Fixes.

Apache Hardening : Limit Request Size


By default Apache places no limit on the size of an HTTP request body (LimitRequestBody 0 means unlimited; releases from 2.4.54 onward default to 1 GiB). A server that accepts arbitrarily large requests lets a handful of clients tie up disk, memory and worker processes, which is a straightforward denial of service. The LimitRequestBody directive caps the body size and can be scoped with a Directory, Location or Files section, so the cap can be tight on upload paths without affecting the rest of the site.

This matters most for websites/blogs that accept uploads over HTTP: without a cap, an attacker can push huge bodies at the upload handler and exhaust the server's resources. Note that LimitRequestBody bounds what one request may carry; it does not by itself stop a flood of many small requests from many sources (see the mod_evasive post below for that).

The value is in bytes, from 0 (unlimited) upward; older releases capped the directive at 2147483647 (2 GB). Set it to the largest upload your site legitimately needs, not higher.


In this example, my_uploads is the directory that receives files uploaded by users. We cap request bodies there at 500 KB (512000 bytes) in the Apache configuration file (httpd.conf):

<Directory "/var/www/mywebsite/my_uploads">
LimitRequestBody 512000
</Directory>

Check the syntax with apachectl configtest and restart Apache. A request whose body exceeds the cap is now refused with 413 Request Entity Too Large, which is also how you verify that the change took effect.

Read more ...

How to fix : OpenSSL Sweet32 Birthday attack Vulnerability






Sweet32 (CVE-2016-2183) is a birthday attack on 64-bit block ciphers, which in TLS means the triple-DES suites: once roughly 2^32 blocks (about 32 GB) have been sent under one key, colliding ciphertext blocks start to leak plaintext. OpenSSL rated the triple-DES issue low severity, moved the 3DES suites out of the HIGH cipher group, and stated that "triple-DES should now be considered as 'bad' as RC4."

The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.


Fix :

First verify which ciphers are in play.

The openssl ciphers command lists the suites the local OpenSSL build enables for a given cipher string; -v also shows the key exchange, encryption and MAC of each suite. 3DES and DES are OpenSSL's aliases for the triple-DES and single-DES suites, so this shows exactly what the fix below removes:

openssl ciphers -v '3DES:DES'

To check whether a server still negotiates these suites, offer it only DES/3DES with s_client, one protocol version at a time. A completed handshake (a "Cipher" line naming a DES-CBC3 or DES-CBC suite) means the server accepts them; "handshake failure" means it refuses them. SSLv2 support was removed in OpenSSL 1.1.0 and SSLv3 is usually compiled out, so -ssl2 is omitted here and the -ssl3 line may fail with "unknown option" before connecting:

 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -ssl3 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_1 
 openssl s_client -connect yourserverIP:443 -cipher 'DES:3DES' -tls1_2



The cipher list is set by mod_ssl's SSLCipherSuite directive, not in openssl.cnf. Find it in Apache's SSL configuration (typically /etc/httpd/conf.d/ssl.conf on RHEL/CentOS, /etc/apache2/mods-enabled/ssl.conf or the site's virtual-host file on Debian/Ubuntu).

You will usually find a long colon-separated list of cipher names and aliases after SSLCipherSuite.

Append !3DES:!DES to that list, keeping the existing entries, where

 ! -- permanently removes the cipher or alias that follows, even if a later entry would add it back
 : -- separates the entries of the list
With a typical base list it should look like below:

SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES 

Do not replace the list with a bare !3DES:!DES: a string that only removes ciphers matches nothing, OpenSSL reports "no cipher match" and Apache refuses to start. Also make sure SSLHonorCipherOrder on is set, so the server's preference wins over the client's.

Save and close the SSL config file, check it with apachectl configtest, and restart Apache to apply the change.

On Ubuntu/Debian

systemctl restart apache2

On RHEL/CentOS

systemctl restart httpd
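The cipher-string rules above (':' separates entries, '!' removes permanently, a bare exclusion matches nothing) can be checked locally before editing Apache. This is an added example, not part of the original post: it uses Python's ssl module, which hands the string to the same OpenSSL cipher-string parser that mod_ssl passes SSLCipherSuite to. The candidate strings in it (ALL:!aNULL and the bare !3DES:!DES) are assumptions chosen for illustration, and the resolved suite list reflects the local OpenSSL build, so a server's real offer should still be tested with the s_client commands above.

```python
"""Check an SSLCipherSuite value for Sweet32-affected suites before deploying it.

Added example, not part of the original post. Python's ssl module hands the
string to the same OpenSSL cipher-string parser that mod_ssl uses, so the
result is what Apache would get (for the local OpenSSL build). The candidate
strings below are assumptions chosen for illustration.
"""
import ssl
from typing import List


def resolve_cipher_string(cipher_string: str) -> List[str]:
    """Return the suite names OpenSSL enables for `cipher_string`.

    Raises ssl.SSLError ("No cipher can be selected.") when the string matches
    nothing, which is the same failure that stops Apache from starting.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists the TLS 1.3 suites; none of those are DES-based.
    return [c["name"] for c in ctx.get_ciphers()]


def sweet32_suites(cipher_string: str) -> List[str]:
    """Suites still enabled that use a 64-bit block cipher (single or triple DES)."""
    return [n for n in resolve_cipher_string(cipher_string) if "DES" in n]


def is_usable(cipher_string: str) -> bool:
    """False when the string enables no suite at all, e.g. a bare '!3DES:!DES'."""
    try:
        resolve_cipher_string(cipher_string)
    except ssl.SSLError:
        return False
    return True


def without_des(existing: str) -> str:
    """Append the exclusions to an existing SSLCipherSuite value and sanity-check it.

    '!' removes an alias permanently, so it does not matter whether an earlier
    entry such as ALL or MEDIUM had pulled the DES suites in.
    """
    hardened = f"{existing}:!3DES:!DES"
    if not is_usable(hardened):
        raise ValueError(f"{hardened!r} enables no ciphers; fix the base list first")
    return hardened


if __name__ == "__main__":
    # The post's bare exclusion, a typical base list, and the base list hardened.
    for candidate in ("!3DES:!DES", "ALL:!aNULL", without_des("ALL:!aNULL")):
        if not is_usable(candidate):
            print(f"{candidate!r}: no cipher match (Apache would refuse to start)")
        else:
            print(f"{candidate!r}: {len(resolve_cipher_string(candidate))} suites,"
                  f" DES-based: {sweet32_suites(candidate) or 'none'}")
```

Run it with the value you intend to put after SSLCipherSuite: an empty DES-based list and a usable result is what you want to see before apachectl configtest.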
Read more ...

Protect your website from DDOS attacks using apache modules ( mod_evasive )



The Apache module below is well known in hardening guides:


mod_evasive


mod_evasive keeps an in-memory hash table of recent requests per client IP and URI and answers 403 Forbidden to clients that exceed the configured rates, which blunts HTTP brute force and request floods coming from a limited number of sources. It cannot stop a volumetric DDoS that saturates the link before Apache ever sees the requests; that needs filtering upstream. The module blocks a client on three conditions:
  1. The same IP requests the same page more than DOSPageCount times within DOSPageInterval seconds.
  2. The same IP makes more than DOSSiteCount requests to the site (any object) within DOSSiteInterval seconds; the counters live in each Apache child process, so they are per child.
  3. An IP that is already temporarily blacklisted makes any further request; each such request extends the DOSBlockingPeriod.
Find and uncomment the following line in your httpd.conf (or the module's own mod_evasive.conf) so that it reads:
LoadModule evasive20_module modules/mod_evasive24.so
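The three conditions above decide which clients get a 403, and the thresholds (DOSPageCount, DOSPageInterval, DOSSiteCount, DOSSiteInterval, DOSBlockingPeriod) are what you tune before enabling the module. The following is an added example written for this page, not the module's own C code: a simplified model of the documented behaviour that replays an Apache access log through the counters, so you can see what a given tuning would have blocked in real traffic. The log lines are constructed (combined log format, one-second timestamps like the real log) and the class and field names are mine.

```python
"""Replay an Apache access log through a model of mod_evasive's counters.

Added example, not part of the original post and not the module's source: a
simplified model of the behaviour mod_evasive documents, for tuning the
DOS* thresholds against real traffic. The sample log below is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Combined log format: client IP, timestamp, method and URI are all we need.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


@dataclass
class EvasiveConfig:
    """Field names mirror the mod_evasive directives; values are its defaults."""
    page_count: int = 2          # DOSPageCount: hits on one URI allowed per page_interval
    page_interval: int = 1       # DOSPageInterval (seconds)
    site_count: int = 50         # DOSSiteCount: hits on any URI allowed per site_interval
    site_interval: int = 1       # DOSSiteInterval (seconds)
    blocking_period: int = 10    # DOSBlockingPeriod: seconds of 403 once listed


class EvasiveModel:
    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.blocked: Dict[str, float] = {}                  # ip -> time of last refused request
        self.page_hits: Dict[Tuple[str, str], Tuple[float, int]] = {}  # (ip, uri) -> (window start, count)
        self.site_hits: Dict[str, Tuple[float, int]] = {}    # ip -> (window start, count)

    @staticmethod
    def _exceeded(table, key, now, interval, limit) -> bool:
        start, count = table.get(key, (now, 0))
        if now - start >= interval:        # window expired: start a fresh one
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count > limit

    def handle(self, ip: str, uri: str, now: float) -> int:
        """Return the status mod_evasive would impose: 403 if refused, else 200."""
        cfg = self.cfg
        last = self.blocked.get(ip)
        if last is not None and now - last < cfg.blocking_period:
            self.blocked[ip] = now         # condition 3: a request while listed extends the block
            return 403
        page = self._exceeded(self.page_hits, (ip, uri), now, cfg.page_interval, cfg.page_count)  # condition 1
        site = self._exceeded(self.site_hits, ip, now, cfg.site_interval, cfg.site_count)          # condition 2
        if page or site:
            self.blocked[ip] = now
            return 403
        return 200


def replay(log_text: str, cfg: EvasiveConfig) -> List[Tuple[str, str, int]]:
    """Run each log line through the model; returns (ip, uri, status) per line."""
    model = EvasiveModel(cfg)
    out = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                       # skip malformed lines rather than guess
        ip, stamp, _method, uri = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        out.append((ip, uri, model.handle(ip, uri, now)))
    return out


# Constructed sample: 203.0.113.5 hammers /login, 198.51.100.7 browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:58 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for ip, uri, status in replay(SAMPLE_LOG, EvasiveConfig()):
        print(f"{ip:14} {uri:12} {status}")
```

With the defaults, the third hit on /login in the same second is refused, the request to /about three seconds later is refused because the IP is still listed, and the request 19 seconds after that is served again because no request arrived during the blocking period. Raising page_count to 5 serves every line, which is the kind of check to run on a day of real logs before enabling the module on a site whose pages load many assets at once.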

Read more ...

Vulnerabilities : HTTP TRACE Method Enabled Fix.

If you are here, I believe your vulnerability scanner has forced you to look into this too :)



Apache leaves TRACE enabled by default (TraceEnable on). To test whether your server answers it, telnet to the port the web server listens on and send "TRACE / HTTP/1.0" followed by a blank line; a 200 reply that echoes your request means TRACE is enabled. The output of a server with TRACE enabled looks like:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 20 Oct 2015 20:39:36 GMT

followed by Content-Type: message/http and a copy of the request line and headers you sent. The risk is cross-site tracing (XST): a script that can make a browser send TRACE gets those headers, cookies included, reflected back to it. A server with TRACE disabled answers 405 Method Not Allowed instead.


Disable HTTP TRACE Method for Apache.



Method - 1 (mod_rewrite)

Add these lines to your httpd.conf (or to each virtual host; rewrite rules in the main server config are not inherited by a virtual host unless it sets RewriteOptions Inherit):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

This needs mod_rewrite loaded and answers 403 Forbidden to TRACE requests.

Method - 2 (preferred)
Applies: Apache 1.3.34 / 2.0.55 and later, including all 2.2 and 2.4 releases. TraceEnable is a core directive, so no extra module is required.

Add the line below to your httpd.conf (server-wide or inside a virtual host):

TraceEnable off

Apache then answers TRACE with 405 Method Not Allowed. Restart Apache after either change and repeat the telnet test to confirm.








Read more ...

Vulnerability Fix : Browsable Web Directories



How to Disable Directory Listings in Apache


Make sure that browsable directories do not leak confidential information or give access to sensitive resources (backups, configuration files, upload folders). Additionally, use access restrictions or disable directory indexing for any that do.


  • Locate the apache/httpd configuration file (httpd.conf, or the site's virtual-host file) and open it in a text editor such as vi (vi httpd.conf).
  • Search for the Directory section that covers your website's document root, and the Options keyword beneath it. It should look something like:
    <Directory /home/mywebuser/public_html>
     Options Indexes 
    </Directory>
    
  • Change the 'Indexes' option so the line reads instead:
    Options -Indexes
    Keep the Indexes option itself; the only change is the "-" sign in front of it, which removes that one option without touching any others (if other options share the line, they all need a sign, e.g. Options +FollowSymLinks -Indexes). The same line can go in a .htaccess file if AllowOverride Options is permitted for that directory.
  • After making the above changes, save the file and restart httpd/apache. Requesting a directory that has no index file now returns 403 Forbidden instead of the listing.





Read more ...
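The three fixes on this page (LimitRequestBody on the upload directory, TraceEnable off, Options -Indexes) can all be verified from a client with one script. The following is an added example written for this page, not code from the original posts: the probe functions speak plain HTTP to whatever host you give them, and MockApache is a constructed stand-in that answers the way Apache does for each setting (413 above the limit, 200 with an echo or 405 for TRACE, an "Index of" page or 403 for a directory) so the script runs offline. The upload path /my_uploads/, the 512000-byte limit and the X-Probe header are assumptions.

```python
"""Client-side probe for LimitRequestBody, TraceEnable and Options -Indexes.

Added example for this page, not code from the original posts. MockApache is a
constructed stand-in that mimics Apache's responses so the probes run offline;
the path /my_uploads/, the 512000-byte limit and the X-Probe header are assumed.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional


def _request(host, port, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def trace_enabled(host: str, port: int, path: str = "/") -> bool:
    """TraceEnable on: 200 with our own header echoed back. TraceEnable off: 405."""
    status, body = _request(host, port, "TRACE", path, headers={"X-Probe": "xst-check"})
    return status == 200 and b"X-Probe" in body


def directory_listable(host: str, port: int, path: str) -> bool:
    """Options Indexes: 200 'Index of ...' page for a directory without an index
    file. Options -Indexes: 403 Forbidden."""
    status, body = _request(host, port, "GET", path)
    return status == 200 and b"Index of" in body


def post_status(host: str, port: int, path: str, size: int) -> Optional[int]:
    """Status for a POST of `size` bytes: 413 once LimitRequestBody is exceeded.
    A real Apache may instead drop the connection mid-upload; reported as None."""
    try:
        status, _ = _request(host, port, "POST", path, body=b"A" * size,
                             headers={"Content-Type": "application/octet-stream"})
        return status
    except ConnectionError:
        return None


def audit(host: str, port: int, upload_path: str = "/my_uploads/", limit: int = 512000) -> dict:
    """Run all three probes; hardened result is False, False, 200, 413 (or None)."""
    return {
        "trace_enabled": trace_enabled(host, port),
        "directory_listable": directory_listable(host, port, upload_path),
        "post_at_limit": post_status(host, port, upload_path, limit),
        "post_over_limit": post_status(host, port, upload_path, limit + 1),
    }


class MockApache(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache; class attributes mirror the three directives."""
    trace_enable = True            # TraceEnable on|off
    indexes = True                 # Options Indexes | Options -Indexes
    limit_request_body = 512000    # LimitRequestBody (0 = unlimited)

    def _reply(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        if not self.trace_enable:
            self.send_error(405)
            return
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self._reply(200, echo, "message/http")

    def do_GET(self):
        if self.path.endswith("/") and self.indexes:
            self._reply(200, f"<title>Index of {self.path}</title>".encode(), "text/html")
        else:
            self._reply(403, b"Forbidden")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)    # drain the body so the client never sees a reset
        if self.limit_request_body and length > self.limit_request_body:
            self._reply(413, b"Request Entity Too Large")
        else:
            self._reply(200, b"stored")

    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def start_mock(trace_enable=True, indexes=True, limit=512000) -> ThreadingHTTPServer:
    """Start a MockApache on a free loopback port; the caller shuts it down."""
    settings = {"trace_enable": trace_enable, "indexes": indexes, "limit_request_body": limit}
    server = ThreadingHTTPServer(("127.0.0.1", 0), type("Mock", (MockApache,), settings))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for label, kwargs in (("default", {}), ("hardened", {"trace_enable": False, "indexes": False})):
        srv = start_mock(**kwargs)
        print(label, audit(*srv.server_address))
        srv.shutdown()
        srv.server_close()
```

Against a real server call audit("yourserverIP", 80) with the real upload path and limit. The hardened result is trace_enabled False, directory_listable False, post_at_limit 200 and post_over_limit 413 (or None when Apache closes the connection rather than waiting for the whole body); anything else means the corresponding directive did not take effect, usually because it landed in a section that does not cover the path or the server was not restarted.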