Category: Security

Apache Strong SSL config

So only enabling SSL on Apache is not good enough; there are some settings to add to Apache to make it stronger. These are the settings I use in my Apache SSL configs.

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    Header add Strict-Transport-Security "max-age=15768000"
    SSLCompression off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4…

Read more →

No more spam (Centos and postfix)

So I HATE spam, and to get rid of as much of it as possible I go for 3 steps. 1. Postfix: Get Postfix to restrict who is allowed to send email to me. No strange names, and use spam block lists. Also restrict how many connections can be made in a given time. 2. Greylisting: So the first time some… Read more →

Fail2Ban on Centos

Fail2Ban is a small service to block unwanted traffic to your server. I use it to block SSH and Postfix logins on my virtual hosts. Fail2Ban scans the service log files, and if it finds any strange traffic, like an SSH brute force, that IP will be blocked for some time. All settings are done in the /etc/fail2ban/ folder. Install Have the EPEL repo activated… Read more →

Install Diaspora on Centos 6.4 with Apache

So I'm going to test Diaspora on one of my virtual servers, which runs CentOS 6.4. Setup Centos Setup Repos wget wget rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm Install packages yum install tar make automake gcc gcc-c++ git net-tools libcurl-devel libxml2-devel libffi-devel libxslt-devel tcl redis ImageMagick npm mysql-server mysql-devel httpd mod_ssl libyaml libyaml-devel patch readline-devel libtool bison Start services chkconfig… Read more →

Private GIT server on centos 6

So I need to have a private Git server. The plan is to fill the Git server with my backups so I can see changes done to my Git server. Set up the local GIT server Users adduser git passwd git Become the git user and go to the home folder su git cd ~ Create the repo mkdir myrepo.git… Read more →

Securing Apache – TRACE TRACK XSS

So I will try to post updates with some tips on securing Apache as I stumble over them. This will be the first one of not so many, I hope (Apache will be secure). I always scan my servers every month with OpenVAS as one of my PCI-DSS tasks. And this week I am locking down my Apache servers. Add this… Read more →

Set up Openvpn client on Centos 6.4

I often use OpenVPN to connect my servers together across several cloud server providers. This is my small how-to for setting up the OpenVPN client. Install the openvpn server yum install wget wget rpm -Uvh epel-release-6-8.noarch.rpm yum install openvpn Set up the VPN client In /etc/openvpn extract your VPN config Save your OpenVPN config file as client.conf… Read more →

Openvpn on Raspberry Pi

So summer is coming and I am planning to be away as much as possible. But I need a door into my server at home for some work. When I'm off I will only have a 3G/4G connection, so it's much nicer to work against my server at home on a stable 100 line. So to make this possible I install… Read more →

Installing PfSense on Clavister

After we changed our server location and installed some new servers and firewalls (firewall now on CentOS with iptables), we had one Clavister left over. We needed a new firewall in our office but did not want to use the Clavister firewall software, so we decided to see if we could get PfSense running on the hardware. We opened the Clavister up… Read more →

Extracting HP-Switch running config

Every so often I have to extract the running-config from my HP switches and put it under OSSEC file monitoring, and verify that no changes have been made to the original running-config. So here is a small script for extracting my running-config and md5-checking that it is the same as my standard config. Make your own… Read more →
