Skip to main content

Posts

How to Strengthening Nginx Security and Website Security Headers with SSL?

Using a SSL certificate that doesn't mean you are secure, but there is a lot more to Strengthening Web Site Security. Whilst most people are happy with just having their site running under SSL after successfully figuring out how certbot and Let’s Encrypt works. Strengthening Web Site Security is very easy as it only requires you to set up what is called a Content Security Policy (CSP). What a Content Security Policy does is tell a browser what external resources can be loaded within your site without being regarded and Non-Secure Origins. It’s an essential part of good security especially when it comes to SSL. But Strengthening Web Site Security does not stop there as there are additional server headers that need to be implemented to prevent cross browser sniffing, people loading parts of your site with a frame in their site and what is called an XSS header which prevents cross scripting attacks from browsers and then also a strict transport security header call
Recent posts

How To Install and Secure Memcached on Ubuntu 16/18.04 ?

Memcached is an open-source memory caching system that you can use to speed up web applications and dynamic websites. Memcached works by storing frequently accessed data in RAM hence reducing the time an application reads data from databases, files or API interfaces. If your website, web application or API server has high read calls and infrequent writes, Memcached can be a great tool for you.  Install Memcached and Client Library  # sudo apt install memcached libmemcached-tools # sudo systemctl status memcached Securing Memcached Configuration Settings # vi /etc/memcached.conf -d -vv -m 256 -p 11211 -u memcache -l 127.0.0.1 add the following option to the bottom of this file: -U 0 Restart your Memcached service to apply your changes: # sudo systemctl restart memcached Verify that Memcached is currently bound to the local interface and listening only for TCP connections by typing: # sudo netstat -plunt To check that Memcached is up and running, type the following: # memcstat --servers

How to Install Redis on Ubuntu 16/18/20 LTS ?

With the new transactional file locking in place, we felt it was time to get rid of APCu and replace our cache with Redis instead. APCu is kind of old, and from our understanding, it doesn’t work well with the new Laravel locking system. Redis cache is the preferred way to go. Update APT and Install Development Tools First:   # apt update && apt upgrade # sudo apt install build-essential -y # apt-get install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev Install and Enable Redis Server # sudo apt install redis-server # sudo systemctl enable redis-server Change Redis configuration in file /etc/redis/redis.conf # vi /etc/redis/redis.conf bind 127.0.0.1 ::1 maxmemory 500mb maxmemory-policy volatile-lru port 6379 and after change the system configuration: (for redis use) # echo 1 > /proc/sys/vm/overcommit_memory add at file /etc/sysctl.conf (for redis use) vm.overcommit_memory = 1 [at end of the line] and update the system configuration: # sysctl -p Restart Red

How to remove exim mail server from VestaCP on Ubuntu ?

Of all MTAs we’re reviewing, Postfix has the strongest emphasis on security. The likely reason is that it was created by Wietse Zweitze Venema , a prolific freeware security specialist. Sendmail cannot be considered a secure MTA. Moreover, Postfix was originally designed to mitigate the vulnerabilities associated with Sendmail. Exim is quite secure for most cases but loses to Postfix. A proper configuration of your Postfix MTA provides improved defenses against spam, abuse, and leakage of sensitive data. So i don't want to use EXIM as a MTA with VestaCP on Ubuntu. I want to remove exim  completely from my VestaCP control panel. I want to use Postfix/Dovecot RSPAMD as a AntiSPAM solutions . I will publish details in next tutorials  Check Exim Status # systemctl status exim # systemctl status exim4 Remove Frozen mail # exim -bp # exim -bpc # exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash Remove Completely  # sudo apt remove --auto-remove exim4 #

How to Install Maldet Malware Detect and clean malware with clamav on Debian / Ubuntu ?

Linux Malware Detect (LMD), popularly known as Maldet is an open-source malware scanner for Linux released under the GNU GPLv2 license. It is designed around the threats faced in shared hosted environments. Install, configure and run this free software to detect and clean malware on your system.  Install Maldet # cd /usr/local/src/ # curl -O http://www.rfxn.com/downloads/maldetect-current.tar.gz # tar -zxvf maldetect-current.tar.gz # cd maldetect-1.6.2/ # bash install.sh ( best for Ubuntu 16.04 ) # sudo ./install.sh ( for Ubuntu 20.04 ) Configuration:  For configuring maldet, the configuration file at /usr/local/maldetect/conf.maldet has to be edited. # vi /usr/local/maldetect/conf.maldet Line no 16 # Enable Email Alerting email_alert="1" Line no 21 # Email Address in which you want to receive scan reports email_addr="you@domain.com" Line no 141 # Use with ClamAV scan_clamscan="1" Line no 173 # Enable scanning for root-owned files. Set 1 to disable.

How to use Malware Patrol along with ClamAv in Ubuntu 16.04/20.04 LTS?

Malware Patrol provides signatures that are compatible with Clam AV software. You can follow these simple steps to configure your Clam AV instance and protect your internal network, computers and users from getting infected by malware.  1) Make sure your Clam AV instance is installed and working properly. There are a few resources on the internet that can help you configure Clam AV in your platform.  If you are experiencing trouble installing and configuring Clam AV, start at the following URL:  How to install ClamAv antivirus with rspamd on Ubuntu 16.04/20.04 LTS? If you followed the above instructions, skip to step 14. 2. Install curl. For example: apt-get install curl 3. Install rsync. For example: apt-get install rsync 4. Install unzip. For example: apt-get install unzip 5. cd /tmp 6. wget -O clamav-unofficial-sigs.zip ‘https://github.com/extremeshok/clamav-unofficial-sigs/archive/master.zip’ 7. unzip /tmp/clamav-unofficial-sigs.zip 8. cp /tmp/clamav-unofficial-sigs-master/clama

How to install ClamAv antivirus with rspamd on Ubuntu 16.04/20.04 LTS?

As usual I prefer to use open-source components. So the obvious choice is the famous ClamAV virus scanner. But its detection rate is ridiculously low with its default signatures. I heard of a study telling that in their tests ClamAV showed a 100% detection rate.  I myself have been scanning multiple infected emails with it (that have been found by another software) and it did not even find one infection.  So I started researching the alternatives – like a free-beer virus scanner from Sophos that worked well with the amavis-milter in the past. Its detection rate is pretty good. But no matter what I tried – I couldn’t get the two to work together. And to be honest… the documentation of rspamd’s antivirus module is incomplete to put say the least.  Then suddenly a friendly nerd pointed me to the SaneSecurity project that adds anti-virus signatures to ClamAV to make it actually useful. And this finally became the recommended solution for me. In a commercial setup where your customers

How to Install Memcached Server (Caching) on CentOS 7(CWP7)

It is important to secure your Memcached servers, Because systems like Memcached can contribute to denial of service attacks if improperly configured. We will explain how to install and secure your Memcached server on CentOS 7 Linux distribution. These given instructions also work on RHEL and Fedora Linux. First, update the system: # yum update -y Next, install the official Memcached package memcached; as well as libmemcached, which provides several utilities to work with Memcached: # yum install memcached libmemcached Note: libmemcached – a client library that offers a couple of tools to manage your Memcached server. Securing Memcached Configuration Settings for Local Access Only:   To make assure that installed Memcached service is listening on the 127.0.0.1 local interface, We will also disable the UDP listener. Both of these actions will protect our server from denial of service To do this, we will add the -U 0 parameter to our OPTIONS variable. The file in full should look l