Skip to content
Sudonix

Securing your webserver against common attacks

Blog
  • phenomlabundefined

    1622031373927-headers-min.webp

    It surprises me (well, actually, dismays me in most cases) that new websites appear online all the time who have clearly spent an inordinate amount of time on cosmetics / appearance, and decent hosting, yet failed to address the elephant in the room when it comes to actually securing the site itself. Almost all the time, when I perform a quick security audit using something simple like the below

    https://securityheaders.io

    I often see something like this

    Not a pretty sight. Not only does this expose your site to unprecedented risk, but also looks bad when others decide to perform a simple (and very public) check. Worse still is the sheer number of so called “security experts” who claim to solve all of your security issues with their “silver bullet” solution (sarcasm intended), yet have neglected to get their own house in order. So that can you do to resolve this issue ? It’s actually much easier than it seems. Dependant on the web server you are running, you can include these headers.

    Apache

    <IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
header set X-XSS-Protection "1; mode=block"
Header set X-Download-Options "noopen"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy 'no-referrer' add
Header set Feature-Policy "geolocation 'self' https://yourdomain.com"
Header set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
Header set X-Powered-By "Whatever text you want to appear here"
Header set Access-Control-Allow-Origin "https://yourdomain.com"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>

    NGINX

    add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Download-Options "noopen" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;
add_header Referrer-Policy 'no-referrer' always;
add_header Feature-Policy "geolocation 'self' https://yourdomain.com" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=();";
add_header X-Powered-By "Whatever text you want to appear here" always;
add_header Access-Control-Allow-Origin "https://yourdomain.com" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;

    Note, that https://yourdomain.com should be changed to reflect your actual domain. This is just a placeholder to demonstrate how the headers need to be structured.

    Restart Apache or NGINX, and then perform the test again.


    That’s better !

    More detail around these headers can be found here

    https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    1

Related Topics
  • phenomlabundefined

    Secure SSH connectivty

    Security
    7
    6 Votes
    7 Posts
    579 Views
    DownPWundefined

    @phenomlab

    yep but I use it since several month and I haven’t see any bugs or crash
    In any case, I only use him anymore 🙂

    Tabby offers tabs and a panel system, but also themes, plugins and color palettes to allow you to push the experience to the limit. It can support different shells in the same window, offers completion, has an encrypted container for your passwords, SSH keys and other secrets, and can handle different connection profiles.

    Each tab is persistent (you can restore them if you close one by mistake) and has a notification system, which will let you know if, for example, a process is finished while you are tapping in another tab.

    It’s really a great terminal that will easily replace cmd.exe for Windowsians or your usual terminal. And it can even work in a portable version for those who like to carry their tools on a USB key.

    –> To test it, you can download it, but there is also a web version. Handy for getting an idea.

    https://app.tabby.sh

  • DownPWundefined

    Crowdsec: a replacement for Fail2ban

    Security
    3
    4 Votes
    3 Posts
    1k Views
    DownPWundefined

    @phenomlab

    No they have a free and pro console instance.
    We can see alert with IP, Source AS, scenario attack etc…

    Installation on the NODEBB server without problems. Very good tools

    cf7e5a89-84f4-435b-82eb-434c0bfc895e-image.png
    cc82a10e-a1f1-4fd8-a433-7c9b2d31f254-image.png

    1b7147b0-37c6-4d87-b4f1-a0fe92e74afd-image.png

    7c21fc10-1825-48e1-a993-92b84455f074-image.png


    We can also do research on IPs via the crowdsec analyzer

    I believe it’s 500 per month in the Free version

    43bc8265-a57c-4439-829c-0bb8602d99b4-image.png

  • phenomlabundefined

    Hardening WordPress - Reducing the attack vector

    Blog
    13
    +0
    1 Votes
    13 Posts
    1k Views
    JACundefined

    @phenomlab said in Hardening WordPress - Reducing the attack vector:

    @jac Microsoft’s and Google’s Authenticator both support TOTP - essentially, a time based system that changes every 30 seconds. The main principle here is that the device itself carrying the One Time Passcode only needs to be in sync with the source server in terms of time, and can be completely offline with no internet access.

    Provided the time matches on both devices, the One Time Passcode will be accepted. Applications such as Microsoft Authenticator and Authy also support push notification meaning you just choose either yes or no on your device when prompted, and then that response is sent back to the origin which then determines if access is granted or not.

    One of the best looking password less authentication models was CLEF - sadly, this product died out due to a lack of funding (if I recall correctly) although some open source implementations of this have appeared quite recently.

    Essentially, both products will achieve the same goal. TOTP is an industry standard, and widely accepted across the board. Not all services offer push confirmation.

    Many thanks for the detailed reply mate.

    There’s some great advice in there that will help me secure my accounts.

  • phenomlabundefined

    The Multi-Billion Pound Catfishing Industry

    Blog
    1
    0 Votes
    1 Posts
    320 Views
    No one has replied
  • phenomlabundefined

    Hackers aren't evil - separating fact and FUD

    Blog
    1
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • phenomlabundefined

    Security, Or Just Obscurity?

    Blog
    1
    +0
    0 Votes
    1 Posts
    331 Views
    No one has replied
  • phenomlabundefined

    Surface Web, Deep Web, And Dark Web Explained

    Blog
    3
    0 Votes
    3 Posts
    500 Views
    phenomlabundefined

    @justoverclock yes, completely understand that. It’s a haven for criminal gangs and literally everything is on the table. Drugs, weapons, money laundering, cyber attacks for rent, and even murder for hire.

    Nothing it seems is off limits. The dark web is truly a place where the only limitation is the amount you are prepared to spend.

  • phenomlabundefined

    Browsing without a VPN? Think Twice...

    Moved Security
    12
    2 Votes
    12 Posts
    1k Views
    phenomlabundefined

    And if you ever needed another reason to use a VPN, here it is.

    https://news.sky.com/story/google-blinks-first-in-11-month-privacy-showdown-with-uk-regulator-12479198