If you are terminating SSL on Amazon’s Elastic Load Balancer and need PCI Compliance, these are the protocols and ciphers I used that passed PCI Compliance
Adding RC4-MD5 & RC4-SHA and a few others will not fail a PCI scan, but they come up as low vulnerabilities with CVSS scores averaging 2.6. I was aiming for an all-zeros scan result.
Not enabling these had no knock-on effects.
You can also run a Qualys SSL Labs test (https://www.ssllabs.com/ssltest/) to check your protocols and ciphers before running a full PCI scan.
Using the SSL Labs test and Nessus I was able to achieve an all-zeros PCI scan and an A rating on the SSL Labs certificate test.
I’ve bumped into this message a few times on different servers. The message offers no insight into why you can’t connect to the remote server over SSH.
It usually means that the ~/.ssh/authorized_keys file on the server is corrupt: a single incorrect or truncated line is enough. I’d recommend stepping through the file line by line to find the offending line.
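Stepping through a long authorized_keys file by hand is tedious, so here is an added example (not from the original post) that does the line-by-line check mechanically and without needing ssh-keygen on the box. It relies on a property every OpenSSH public key has: the base64 blob decodes to a sequence of 4-byte big-endian length-prefixed fields, the first of which repeats the key type written before it. A line is only accepted if the blob is valid base64, parses cleanly as that sequence and names the same type. The sample keys at the bottom are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: structural check of
# ~/.ssh/authorized_keys that points at the corrupt line.

# check_blob TYPE: reads the decoded blob on stdin; prints "OK" and returns 0,
# or prints what is wrong with it and returns 1.
check_blob() {
    od -An -v -tu1 | awk -v type="$1" '
    { for (i = 1; i <= NF; i++) b[n++] = $i + 0 }
    END {
        pos = 0; field = 0
        while (pos < n) {
            if (pos + 4 > n) { print "truncated length field at byte " pos; exit 1 }
            len = b[pos] * 16777216 + b[pos+1] * 65536 + b[pos+2] * 256 + b[pos+3]
            pos += 4
            if (pos + len > n) {
                print "field " field " claims " len " bytes, only " (n - pos) " left"; exit 1
            }
            if (field == 0) {          # first field must repeat the key type
                s = ""
                for (j = 0; j < len; j++) s = s sprintf("%c", b[pos + j])
                if (s != type) { print "blob is \"" s "\" but line says \"" type "\""; exit 1 }
            }
            pos += len; field++
        }
        if (field < 2) { print "blob has no key material"; exit 1 }
        print "OK"
    }'
}

# check_key_line LINE: returns 0 for a blank line, a comment or a well-formed
# key; otherwise prints why the line is bad and returns 1.
check_key_line() {
    case "$1" in ''|'#'*) return 0 ;; esac
    # Locate the "<type> <base64>" pair: anything before it is the options
    # field (from=, command=, ...), anything after it is the comment.
    pair=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh|ecdsa|sk)-[A-Za-z0-9.@-]+$/ && $(i+1) ~ "^[A-Za-z0-9+/]+=*$") {
                print $i, $(i+1); exit
            }
    }')
    if [ -z "$pair" ]; then echo "no <type> <base64> pair found"; return 1; fi
    ktype=${pair%% *}; blob=${pair#* }
    if ! printf '%s' "$blob" | base64 -d >/dev/null 2>&1; then
        echo "base64 blob does not decode (truncated or damaged line?)"; return 1
    fi
    reason=$(printf '%s' "$blob" | base64 -d | check_blob "$ktype") || { echo "$reason"; return 1; }
}

# check_authorized_keys FILE: prints "FILE:N: reason" for every bad line and
# returns the number of bad lines, so 0 means the file is clean.
check_authorized_keys() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! msg=$(check_key_line "$line"); then
            echo "$1:$n: $msg"; bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}

# Constructed sample (not a real key): [len=11]"ssh-ed25519"[len=32] followed
# by 32 bytes of 'K' standing in for the public key.
sample_blob() {
    printf '\000\000\000\013ssh-ed25519\000\000\000\040'
    printf '%32s' '' | tr ' ' 'K'
}
GOOD_KEY="ssh-ed25519 $(sample_blob | base64 | tr -d '\n') alice@constructed"
# Four base64 characters cut out of the middle: still valid base64, but the key
# field now claims 32 bytes and only 29 are left, which the walk catches.
CUT_KEY="ssh-ed25519 $(sample_blob | base64 | tr -d '\n' | cut -c1-40,45-) alice@constructed"

# Usage: sh check_keys.sh ~/.ssh/authorized_keys
if [ $# -gt 0 ]; then check_authorized_keys "$1"; fi
```

Run it against the file on the server that refuses the connection; the line numbers it prints are the ones to inspect or delete. It deliberately checks structure only, so a line that is well-formed but simply belongs to the wrong key still passes; for that, compare fingerprints with ssh-keygen -lf.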
Tired of typing passwords for SSH keys? Me too, you can use ssh-agent to cache these keys.
eval "$(ssh-agent -s)" && ssh-add
Bind has been insecure since before I started using the Internet. It has got better over the years, but not much.
It is quite common to hide Apache/nginx/PHP versions for security reasons and for PCI compliance, so why do we overlook BIND when securing our systems? You can see exactly what yours discloses with a CHAOS-class query for version.bind: dig @your.nameserver version.bind chaos txt
Continue reading “Hide Your Bind Version”
Disabling SSL 2.0 in IIS is a critical requirement to pass PCI certification. I have no idea why IIS 7 ships with it still enabled, perhaps for very old browsers? We should only use the stronger SSL 3.0 or TLS 1.0. Since this was written, SSL 3.0 has been broken (POODLE) and formally deprecated in RFC 7568, and PCI DSS has not accepted SSL or early TLS as strong cryptography since v3.1, so today the same treatment should be applied to SSL 3.0 and TLS 1.0 as well, leaving TLS 1.2 or later.
Here’s how to disable it in IIS 7 and IIS 7.5 Continue reading “How to Disable SSL 2.0 in IIS 7 (and 7.5)”
Since moving to Virgin’s 120Mb Broadband my SSH connections would drop after 30 seconds of inactivity. This made some grey hairs appear on the side of my head.
This happens due to the way Virgin handle the Internet traffic on their DOCSIS 3 network, as opposed to lower broadband speeds that use the DOCSIS 1 network.
I’ve managed to solve this by altering the client timeout parameters in the sshd config on each server. Continue reading “SSH Timeouts on DOCSIS 3 (Virgin Media 50Mb, 100Mb, 120Mb)”
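The parameters in question are ClientAliveInterval (how often sshd sends a keepalive to an idle client) and ClientAliveCountMax (how many may go unanswered before the session is dropped). Below is an added example, not the post’s own script, of setting them safely in an existing sshd_config: it replaces a commented-out or existing global line in place and otherwise inserts the directive before the first Match block, because a directive appended after a Match block would only apply inside that block and sshd uses the first value it sees. The sample config in the test is constructed; the file path and the 120-second interval are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently set a directive in
# the global section of an sshd_config file.

# set_sshd_option FILE KEY VALUE: replace the first global KEY line (commented
# or not) with "KEY VALUE"; if there is none, insert it before the first Match
# block, or append it when the file has no Match block at all.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        BEGIN { lk = tolower(key) }                 # sshd keywords are case-insensitive
        !done && tolower($1) == "match" { print key, value; done = 1 }
        !done {
            k = $1; sub(/^#+/, "", k)               # "#ClientAliveInterval 0" counts too
            if (tolower(k) == lk) { print key, value; done = 1; next }
        }
        { print }
        END { if (!done) print key, value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_sshd_option FILE KEY: print the effective global value of KEY (the first
# uncommented occurrence before any Match block), or nothing if unset.
get_sshd_option() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == lk { print $2; exit }
    ' "$1"
}

# Keep an idle session alive through a NAT/ISP that times out at ~30 s:
# a probe every 120 s that may go unanswered 3 times means a genuinely dead
# client is still cleaned up after 6 minutes. (Values are assumptions.)
configure_keepalive() {
    set_sshd_option "$1" ClientAliveInterval 120
    set_sshd_option "$1" ClientAliveCountMax 3
}

# Usage: configure_keepalive /etc/ssh/sshd_config && sshd -t && systemctl reload sshd
if [ $# -gt 0 ]; then configure_keepalive "$1"; fi
```

Always run sshd -t before reloading: a typo in sshd_config that prevents the daemon from restarting locks you out of the very server you are fixing. If you cannot change the server, the client-side equivalent is ServerAliveInterval in ~/.ssh/config.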
SolusVM users really should protect their Admin Panel (/admincp/). Although you can add IPs under Configuration -> Admin CP Access, it didn’t make me feel too safe.
Here’s how I did it in lighttpd.
Continue reading “Secure access to your SolusVM Admin Panel”
PHP is an incredibly versatile language and, if used in the wrong way, either maliciously or by accident, it has the potential to mess up an entire webserver. This can be a major problem if you are offering a shared hosting environment.
There is an often overlooked php.ini setting, disable_functions, that helps here. Continue reading “Disabling Dangerous PHP Functions in a Shared Environment”
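disable_functions takes a comma-separated list of internal function names and is PHP_INI_SYSTEM, so it can only be set in php.ini (or a per-pool/per-vhost admin value), never relaxed from a script or .htaccess; that is exactly what makes it useful on shared hosting. The catch when adding to it is clobbering whatever the file already disables. The following is an added example, not from the original post, that merges a list of the usual shell-spawning functions into an existing php.ini; the function list and the sample ini content are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: merge functions into php.ini's
# disable_functions without losing entries that are already there.

# Functions that hand a tenant a shell or a process handle, plus dl, which
# could otherwise load an extension that brings the same capability back.
DANGEROUS_FUNCTIONS='exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl'

# get_disabled_functions FILE: print the effective list. Later entries override
# earlier ones in php.ini, so the last uncommented line wins; ';' lines are
# comments and are ignored.
get_disabled_functions() {
    awk -F= '
        tolower($1) ~ /^[[:space:]]*disable_functions[[:space:]]*$/ { v = $2 }
        END { gsub(/[[:space:]]/, "", v); print v }
    ' "$1"
}

# merge_function_lists A B: union of two comma lists, trimmed, sorted, deduped.
merge_function_lists() {
    printf '%s,%s\n' "$1" "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' \
        | LC_ALL=C sort -u | paste -s -d ',' -
}

# set_disabled_functions FILE LIST: rewrite FILE so that a single
# disable_functions line holds the union of LIST and the current value.
set_disabled_functions() {
    merged=$(merge_function_lists "$(get_disabled_functions "$1")" "$2")
    awk -v merged="$merged" '
        tolower($0) ~ /^[[:space:]]*disable_functions[[:space:]]*=/ {
            if (!done) { print "disable_functions = " merged; done = 1 }
            next                                      # drop any duplicates
        }
        { print }
        END { if (!done) print "disable_functions = " merged }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: sh disable_functions.sh /etc/php.ini   (then reload Apache/php-fpm)
if [ $# -gt 0 ]; then set_disabled_functions "$1" "$DANGEROUS_FUNCTIONS"; fi
```

Two caveats a practitioner should keep in mind: the directive only blocks internal functions by name, so it is a mitigation for the shared-hosting case rather than a sandbox, and php -i | grep disable_functions after the reload is the quickest way to confirm the running interpreter actually picked up the new value.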
tcptrack is a sniffer that displays information about the TCP connections it sees on a network interface. It passively watches for connections, keeps track of their state and displays a list of them in a manner similar to the Unix top command, showing source and destination addresses and ports, connection state, idle time and, most usefully, bandwidth usage.
A must-have for any server admin.
Continue reading “tcptrack”
One of the first things I do is run /scripts/easyapache and rebuild my PHP / Apache configuration.
I usually select Apache 2.2 and PHP 5.2.9. At the time of writing I stay away from the 5.3 versions, as they aren’t yet well enough supported by programs and programmers.
Although this guide was originally inspired by a cPanel install, it’s Apache-specific and doesn’t require cPanel.
Continue reading “cPanel Apache Tuning”