Posts filed under “Internet Security”
Password Hashing Class v1.3
I’m pleased to present version 1.3 of my password hashing class. I’ve added support for PBKDF2 and cleaned up a few things in the code. I’m using base64 to encode the hash rather than hex now, so this also drops the size of the derived hash from 144 characters down to 104, which makes it that much leaner for the database.
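As an added example of what the post describes (this is not the class's own code, and the post does not show the class's string layout, salt size or iteration count, so all of those are assumptions here), the Python below derives a PBKDF2-HMAC-SHA256 key with a random salt, packs it with base64 for storage, verifies it in constant time, and shows why base64 is leaner than hex: two characters per byte versus four per three bytes.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example; the post does not state the class's.
ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32


def b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a PBKDF2-HMAC-SHA256 key and pack iteration count, salt and key
    into one '$'-separated, base64-encoded string (layout assumed)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "{}${}${}".format(iterations, b64(salt), b64(key))


def verify_password(password, stored):
    """Re-derive the key with the stored salt and iteration count, then compare
    in constant time so the comparison does not leak how many bytes matched."""
    iterations, salt_b64, key_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              int(iterations), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def encoded_lengths(n_bytes):
    """Characters needed to store n_bytes as hex versus as base64."""
    blob = bytes(n_bytes)
    return len(blob.hex()), len(b64(blob))


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored, len(stored))
    print(verify_password("correct horse battery staple", stored))
    # A 72-byte salt+key blob takes 144 hex characters but 96 in base64.
    print(encoded_lengths(72))
```

Storing the iteration count alongside the hash lets you raise it later without breaking existing rows: old entries keep verifying with their recorded count and can be rehashed on the next successful login.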
11 tips to secure your nginx/php web server
1. Use a default server configuration
Create a default server to catch all other requests that are not going specifically to your website(s).
server {
    listen 80 default;   # "default" is the older spelling of default_server and is still accepted
    server_name _;       # a placeholder name that matches no real host; "default" on listen is what makes this the catch-all
    deny all;            # every request that matched no other server gets 403 Forbidden
}
2. Drop your FTP server, use SFTP
Don’t run an FTP server; use SFTP instead. You already need SSH to log into your server, and SFTP is a subsystem of SSH, so there is no need to add another daemon, another port and another set of credentials as a second point of entry. SFTP runs on port 22, the same port as SSH, and unlike plain FTP it never sends your password or your files in clear text.
3. Use an iptables firewall
Create an iptables firewall. The easiest way to do this is with APF (Advanced Policy Firewall), which builds the iptables rules from a config file. The important sections to pay attention to are the incoming and outgoing ports: limit these to only what you actually need. For example, for a very secure, simple system, allow only incoming port 80 in your config file. See below for how to keep SSH/SFTP access to that server.
nginx: Password protect a directory
Password protecting a directory with nginx can be done easily with the following steps…
In your nginx configuration you can change the location to anything you want; it can even be a single password-protected file rather than a directory. The .htpasswd file can be named anything you want and there is no restriction on where it can be placed. I prefer to give it the name that is customary in Apache and to keep it in the same directory that I am trying to protect. Just make sure that wherever you put the file, it is not readable from the web:
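As an added example (not the post's own configuration, whose steps are cut off in this excerpt), here is how the protected location and the credential file fit together. The directory, realm name and file path are assumptions for the example:

```nginx
# Protect a directory; a single file works the same way (location = /report.pdf { ... })
location /admin/ {
    auth_basic           "Restricted";                           # realm shown in the browser prompt (assumed)
    auth_basic_user_file /var/www/example.com/admin/.htpasswd;   # assumed path, inside the protected directory
}

# The credential file lives under the web root, so refuse to serve it (and any
# other .ht* file) no matter which directory it sits in. A regex location wins
# over the prefix match above, so /admin/.htpasswd ends up here.
location ~ /\.ht {
    deny all;
}
```

The password file holds one user:hash line per user; `htpasswd -c /var/www/example.com/admin/.htpasswd alice` (from the Apache utilities) or `printf 'alice:%s\n' "$(openssl passwd -apr1)" >> .htpasswd` both produce a hash nginx accepts. Check the deny rule by requesting the file through the web server and expecting 403, never the file's contents. Basic auth only base64-encodes the password on the wire, so put the protected location behind HTTPS for the same reason the SSL post on this page gives.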
Facebook offers protection against Firesheep
Facebook is now offering secure browsing when logged into your account. In a previous post, SSL, please use it! I talked about how a new program that is available on the internet can allow anyone to easily hack into your facebook (or any other unsecured) account. The solution to this problem is simple, use SSL. Facebook [...]
IP Range Consolidator
I have a firewall on my server that blocks IP addresses when it notices bad activity from a particular IP. As this list grows larger and larger, I’ve been looking for ways to shrink it. My thought was to consolidate the list so the firewall doesn’t have to scan through a large number of individual IP addresses. If I noticed a lot of IP addresses in the 189.0.0.0/8 range, I could simply put that single range in the firewall rules rather than 20 individual IP addresses. But that blocks millions of innocent IP addresses at the same time. I figured there should be a happy medium where I can create IP ranges that consolidate the list while blocking as few innocent IP addresses as possible.
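As an added example of that happy medium (not the post's own tool, whose rules are not shown here), the Python below collapses a block list into CIDR ranges, but only accepts a range when it holds enough bad addresses and covers a bounded number of addresses per bad one. The block list is constructed for the example, and the thresholds are assumptions you would tune to your own tolerance for collateral blocking:

```python
import ipaddress
from collections import defaultdict

# Constructed sample block list (not real data from the post); one duplicate on purpose.
BLOCKED = [
    "189.45.12.1", "189.45.12.2", "189.45.12.3", "189.45.12.3",
    "189.45.12.4", "189.45.12.5", "189.45.12.6", "189.45.12.7",
    "189.45.12.8", "189.45.12.9", "189.45.12.10",
    "189.45.13.7", "189.45.13.200",
    "203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.9",
    "198.51.100.77",
]


def consolidate(addresses, min_hits=3, max_cover_per_hit=24, coarsest_prefix=16):
    """Collapse banned IPv4 addresses into CIDR blocks.

    A block is accepted only if it contains at least min_hits banned addresses
    and covers no more than max_cover_per_hit addresses per banned address, so
    each rule saved costs a bounded number of innocent addresses. Prefixes are
    tried from coarsest to finest, so the largest block within the limit wins;
    addresses no block absorbs come back as /32 entries.
    """
    remaining = {ipaddress.IPv4Address(a) for a in addresses}  # the set also dedups
    blocks = []
    for prefix in range(coarsest_prefix, 32):
        groups = defaultdict(list)
        for addr in remaining:
            net = ipaddress.ip_network((int(addr), prefix), strict=False)
            groups[net].append(addr)
        for net, members in groups.items():
            if len(members) >= min_hits and net.num_addresses / len(members) <= max_cover_per_hit:
                blocks.append(net)
                remaining.difference_update(members)
    blocks.extend(ipaddress.ip_network(str(a)) for a in remaining)
    return sorted(blocks)


def summarize(addresses, blocks):
    """Return (rules before, rules after, innocent addresses now covered)."""
    unique = {ipaddress.IPv4Address(a) for a in addresses}
    covered = sum(b.num_addresses for b in blocks)
    return len(unique), len(blocks), covered - len(unique)


def is_blocked(blocks, address):
    """True if address falls inside any consolidated block."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in b for b in blocks)


if __name__ == "__main__":
    blocks = consolidate(BLOCKED)
    for b in blocks:
        print(b)
    print("rules before/after, innocent addresses now blocked:", summarize(BLOCKED, blocks))
```

With the sample list, the ten hits in 189.45.12.x become one /25 and the four in 203.0.113.x one /26, while the two stray 189.45.13.x addresses stay as individual entries because a /23 covering all of them would cost more than 24 innocent addresses per hit. Lowering max_cover_per_hit makes the output more conservative; raising min_hits stops two coincidental neighbours from pulling a whole block in.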
nginx default server
For a little extra security when configuring nginx, it’s best to define your web sites exactly how you need them and then create a catchall, default server that gives all other traffic a 403 Forbidden error. This can easily be done with the following code. Anything that you haven’t specifically configured goes here and that [...]
The 256M VPS
There are a few cloud web hosting services offering 256Mb servers. But there is a lot of talk about whether 256Mb of memory is enough to run a web server. Well, of course, that entirely depends on what you are trying to do with it and how much traffic your website gets. However, if you prefer to have control over your server and only have a few small websites that don’t see much traffic, I believe that you can do fairly well with a 256Mb server.
SSL, please use it!
If you log into a website on a public network (Starbucks, McDonalds, etc.) and that website does not have HTTPS in the URL, your account can be hijacked, meaning someone can log in as you and do whatever they want to your account. It is as simple as that. The biggest culprit here is Facebook. This vulnerability has been well known for years, but until recently it was difficult to exploit, so most people didn’t worry about it. Now there exists a program called Firesheep, a plugin for Firefox, that lets anybody hijack someone’s account with a single click of the mouse. It’s really that easy: the attacker just waits for you to log in, your session pops up in their list, they click on it, and they are logged in as you.
Password Security
I recently got an email from Gawker. Apparently their site was compromised and they are asking everyone who has an account on there to change their passwords. They say their passwords are encrypted but they are still vulnerable and that we should change our passwords on all other sites where we used the same password.
Facebook vulnerable to session hijacking
Don’t log into Facebook on a public Wi-Fi (like Starbucks) or any network that you don’t know who else is on it. There exists a new tool that makes it easy for anyone to log in as someone else that is on the same network.
Facebook does not encrypt your session. Once you have logged in, every ordinary HTTP request your browser makes carries the session cookie that identifies you, in clear text, across the network. Anyone else on the network can capture that cookie and present it to Facebook to be treated as you, without ever learning your password.
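As an added example for this post and for "SSL, please use it!" above (not Firesheep's code and not anything from Facebook), the Python below shows the two halves of the problem: what a passive sniffer on the same network can read out of one cleartext request, and the Set-Cookie attribute that stops the browser from ever putting the cookie on the wire unencrypted. The captured request, host name and cookie values are constructed for the example.

```python
# Constructed cleartext HTTP request of the kind a sniffer on open Wi-Fi sees
# after the user has logged in; host and cookie values are made up.
CAPTURED_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: locale=en_US; sessionid=3f9a1c7e-session-token; theme=dark\r\n"
    "\r\n"
)

# Two ways the site could have set that cookie at login: without and with the
# attributes that keep it off cleartext connections and away from scripts.
WEAK_SET_COOKIE = "sessionid=3f9a1c7e-session-token; Path=/"
HARDENED_SET_COOKIE = "sessionid=3f9a1c7e-session-token; Path=/; Secure; HttpOnly"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    jar = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            jar[name] = val
    return jar


def sniff_session(raw, session_names=("sessionid",)):
    """What the sniffer gets from one cleartext request: the host plus every
    cookie whose name marks it as a session identifier. Presenting that cookie
    to the site is all a hijack needs; the password never comes into it."""
    _method, _path, headers = parse_request(raw)
    jar = parse_cookie_header(headers.get("cookie", ""))
    found = {name: jar[name] for name in session_names if name in jar}
    return headers.get("host", ""), found


def cookie_flags(set_cookie):
    """Return (name, secure, httponly) for a Set-Cookie header value.
    Secure keeps the browser from sending the cookie over plain HTTP, which is
    what closes this hole once the whole site is served over HTTPS."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    return name, "secure" in attrs, "httponly" in attrs


if __name__ == "__main__":
    print(sniff_session(CAPTURED_REQUEST))
    print(cookie_flags(WEAK_SET_COOKIE))
    print(cookie_flags(HARDENED_SET_COOKIE))
```

Serving only the login page over HTTPS is not enough: the weak cookie above is sent on every later HTTP request, so the session leaks the moment the user follows a plain http:// link. The fix is HTTPS for every page plus the Secure attribute, so the cookie is never sent over a cleartext connection in the first place.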