Pradeep Sharma from OSSCube presents on Securing your web server at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
This document provides an overview and introduction to the LAMP stack, including its components (Linux, Apache, MySQL, PHP) and how they interact. It discusses installing and configuring LAMP on OES Linux, optimizing performance, and available applications. Common LAMP applications and potential migration issues are also briefly mentioned.
The PHP & Performance document discusses various techniques to improve PHP and web server performance. Some key points:
- Compilation of PHP scripts can consume significant time; opcode caches like APC reduce this.
- Profiling tools like APD and XDebug help identify bottlenecks in PHP code. Optimizations like output buffering, reducing output, content compression and database tuning can improve performance.
- Server configuration, such as Apache optimizations for file I/O, syscalls and KeepAlive headers, also affects performance. PHP settings like disabling register_globals and using opcode caches help.
- Application techniques like avoiding unnecessary functions, using class constants, and reducing regex usage in PHP code provide performance benefits.
This document summarizes an instructor-led discussion on advanced Apache topics including virtual hosting, setting up name-based and IP-based virtual hosts, enabling server-side includes, and enabling CGI (Common Gateway Interface) scripts. Key points covered include configuring Apache for virtual hosting using the VirtualHost directive, enabling CGI scripts through ScriptAlias, Options ExecCGI, and AddHandler directives, and examples of simple CGI scripts.
The document discusses various techniques for optimizing Apache web server performance, including:
1) Monitoring tools like vmstat and top to observe server performance and detect issues.
2) Analyzing web server logs using tools like Webalizer to understand traffic patterns.
3) Configuring Apache settings like threads and processes based on the platform.
4) Caching static content and pre-rendering dynamic pages to reduce load on the server.
This document describes the Perforce configuration management system used at MathWorks. It discusses MathWorks' Perforce infrastructure which includes a master server, replicas for load balancing and high availability, and proxies. It also describes how configuration files are used to define and manage the infrastructure, including services, failover processes, and cron jobs. Specific examples are provided around automating workspace updates across multiple global locations.
I will be giving a brief overview of the history of NGINX along with an overview of the features and functionality in the project as it stands today. I will give some real use-case examples of how NGINX can be used to solve problems and eliminate complexity within infrastructure. I will then dive into the future of the modern web and how NGINX is monitoring and leveraging industry changes to enhance the product for individuals and companies in the industry.
The document provides an overview of configuring and using Hibernate, an object-relational mapping tool for Java. It discusses downloading and setting up required libraries, configuring Hibernate properties and mappings, and examples of mapping Java objects to database tables for single entities, primary keys, one-to-many and many-to-many relationships, and reference data. Code samples and explanations are provided for saving, updating, and querying objects using Hibernate.
This document provides a guide to configuring the Apache web server. It begins with basic setup instructions, covering verifying the installation, editing configuration files, creating HTML documents, starting the server, and accessing the website locally and externally. It then covers more advanced topics like using directory, files, and location tags; redirecting URLs; setting up virtual hosts; loading modules; using .htaccess files; and securing the server with encrypted sessions and SSL/TLS certificates. The document is intended to help new Linux and Windows users become proficient with Apache.
The document provides an overview of how to configure and run the Apache HTTP Server on FreeBSD. It discusses installing Apache from ports, editing the main configuration file httpd.conf to configure server settings like the server name, admin email, and document root. It also explains how to start, stop, and restart the server, set up virtual hosts, install additional modules, and use Apache to run dynamic websites built with frameworks like Django, Ruby on Rails, and applications like PHP.
This document provides instructions for installing and configuring Apache HTTP Server on Linux. It describes downloading and extracting the Apache files, editing the configuration files such as httpd.conf to configure settings like the server name, ports, document root, error logs, and supplemental configuration files. It also explains how to set up virtual hosting by editing httpd.conf to include a vhosts.conf file, then creating that file and adding directives to allow multiple websites on different domains to run on the same IP address.
Apache web server installation/configuration, Virtual Hosting (webhostingguy)
The document describes the history and development of the Apache web server. Some key points:
- Apache was originally developed by the Apache group in 1995 as an open source alternative to NCSA httpd. It was called "A PAtCHy server" as it was initially developed through people contributing patch files to NCSA httpd.
- The first official public release was version 0.6.2 in April 1995. Key early features included adaptive pre-fork child processes and a modular/extensible structure and API.
- Apache quickly gained popularity and overtook NCSA httpd as the most widely used web server on the Internet after releasing version 1.0 in December 1995.
The document provides information about the Apache HTTP Server software. It discusses that Apache is notable for playing a key role in the growth of the World Wide Web. It is the most popular web server software, serving over half of all websites. The document then covers Apache's features, uses, performance capabilities, and how to install and configure it in Linux.
This document summarizes an instructor-led meeting about advanced Apache topics including virtual hosting, setting up name-based and IP-based virtual hosts, enabling server-side includes, and enabling CGI scripts. Key points covered include configuring Apache for virtual hosting using VirtualHost blocks, setting up name-based virtual hosting with NameVirtualHost, and enabling CGI scripts through ScriptAlias directives or directory options.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
This document discusses tuning Apache web server performance. It explains that there is no single solution and each site has unique requirements. It recommends monitoring the server to understand usage patterns and identify areas for tuning. Suggested tuning techniques include optimizing Apache and OS configuration, adding caching, and pre-rendering dynamic content. The document stresses acting based on monitoring results and not overloading the system.
SysAdmins love Apache. It allows one to run websites on the Internet with minimal configuration and administration.
However, this flexibility and simplicity is what typically leads Apache to become a memory hog. Utilizing these easy-to-understand tips, you can significantly boost Apache's performance.
The objective of this article is to describe what to monitor in and around Alfresco in order to have a good understanding of how the applications are performing and to be aware of potential issues.
Web server installation_configuration_apache (Shaojie Yang)
The document discusses installing and configuring the Apache web server on a CentOS Linux system. It describes downloading and installing Apache using Yum, installing PHP and MySQL, configuring the databases and virtual hosts, and ensuring file permissions and firewall settings are configured properly. Finally, it verifies the WordPress site is functioning correctly when browsing to the site URL.
Linux Webserver Installation Command and GUI.ppt (webhostingguy)
The document provides instructions for installing and configuring an Apache web server on Linux. It discusses downloading and unpacking the Apache files, running configuration commands like make and make install, editing the httpd.conf file to configure server settings and start the Apache service, and testing the installation by accessing the server locally. It also covers additional configuration topics like setting up virtual hosts and file permissions.
https://zeronights.ru/en/reports-en/weird-proxies-2-and-a-bit-of-magic/
Reverse proxies and their variations are used everywhere in modern web applications for routing, caching, and access differentiation. This talk is dedicated to new research results about different reverse proxies and new possibilities brought by HTTP/2. It is a collection of tricks for exploiting various misconfigurations.
Results - https://github.com/GrrrDog/weird_proxies
Apache Traffic Server (ATS) is a fast, scalable HTTP caching proxy server. It allows plugins to be written using Lua, a lightweight scripting language. This provides advantages over writing plugins in C/C++, including easier development, testing, and ability to leverage Lua features. The presentation discusses using Lua with ATS, including exposing ATS APIs as Lua functions, implementing plugins, testing plugins, and security considerations like input validation and sandboxing. Future work may include exposing more ATS APIs and providing input validation libraries.
This document provides instructions for installing and configuring the Apache web server on UNIX systems. It discusses downloading and unpacking the Apache source code, running the configure script, compiling the code, and installing the Apache files. It also explains how to configure Apache by editing the httpd.conf file to set parameters like the listening port, document root, and virtual directories. The document outlines how to start, stop and restart Apache using the apachectl script for easy management.
The document provides information about installing and using HBase in pseudo-distributed mode. It describes how to configure Hadoop Distributed File System (HDFS) and HBase to run on a single machine, start HBase, and verify it is running properly. It also demonstrates how to use the HBase shell to define schema, insert and retrieve data, and manage tables.
This document describes the installation and configuration of a network intrusion detection system using Snort and ACID. It outlines the software components used including Snort, ACID, MySQL, PHP, IIS and WinPcap. It then details the process of setting up the test network, installing each component, configuring Snort and ACID settings, and testing the system by generating traffic and viewing alerts.
This document provides instructions for installing and configuring Snort 2.9.6 and DAQ 2.0 on CentOS 6.3/6.4 running in a VirtualBox virtual machine. It describes compiling and installing necessary libraries like libpcap and libdnet. It then provides commands for extracting, configuring, compiling and installing DAQ and Snort. Finally, it discusses configuring the Snort configuration files, adding the Snort user, and providing a script to start and stop Snort.
NGINX is used by more than 130 million websites as a lightweight way to serve web content. Use it to decrease costs, improve performance and open up bottlenecks in web and application server environments without a major architectural overhaul. In this talk, we'll cover the three most basic use cases of static content delivery, application load balancing, and web proxying with caching; and touch on the NGINX maintained Docker container.
This document provides guidance on hardening a Linux server for security. It recommends following the CIS and NSA security benchmarks. It suggests choosing a server-oriented Linux distribution, keeping partitions and filesystems separate, encrypting partitions and the running server, securing the boot process, using iptables and TCP wrappers for firewalls, restricting root access and using sudo, enforcing password policies, removing unnecessary packages and services, securing remote administration like SSH, disabling unnecessary Linux modules, and implementing auditing and integrity checks.
The document discusses securing an Apache web server. Key points include:
- Hardening the operating system and only running Apache on the server
- Restricting Apache modules and features to only those necessary
- Running Apache in a chroot jail to limit its access to the file system
- Configuring Apache, related modules like PHP/Perl, and prerequisites securely
Vorontsov, Golovko: SSRF attacks and sockets. Smorgasbord of vulnerabilities (DefconRussia)
This document summarizes vulnerabilities related to server-side request forgery (SSRF) attacks and how they can be exploited. It discusses how external network access and internal network access can be obtained through SSRF. It provides examples of vulnerabilities in various protocols like HTTP, FTP, TFTP, and protocols used by services like Memcached, databases, and file uploads. It also describes how file descriptors can be used to write to open sockets or files to forge server responses or inject malicious content. Overall, the document is an overview of real-world SSRF attacks and exploitation techniques.
Here are some ways to optimize the code:
1. Use strtr() instead of preg_replace() since it avoids the overhead of regular expressions.
2. Define the replacement array outside the loop to avoid redefining it on each iteration.
3. Use direct string concatenation instead of sprintf() for better performance.
4. Avoid function calls inside the loop like sizeof(). Define the length before the loop for better performance.
5. Consider using string replacement/manipulation functions like str_replace() instead of redefining/reconcatenating strings on each loop iteration.
So in summary, the optimized code would be:
$rep = ['-' => '*', '.' => '*
The document discusses securing the Apache web server. It provides an overview of Apache's history and versions. It outlines common system attacks like directory traversals and overflows. It then discusses ways to secure Apache such as running it with limited privileges, chrooting it, trimming the configuration, and using security modules like Mod_Security. The document emphasizes securely configuring the operating system, auditing settings, patching, and monitoring logs.
PHP is a server-side scripting language that is used for web development. It allows developers to manage dynamic content, databases, sessions, and build entire web applications. PHP code can be embedded within HTML or used on its own. When a web request is made, the PHP code is executed on the server and the output is sent to the browser. PHP supports features like variables, control structures, functions and object-oriented programming. It also allows access to databases and the generation of dynamic page content.
One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like puppet for server management, OSSEC for log management, different command line tools, and nagios/monit for system monitoring.
Deployment of WebObjects applications on CentOS Linux (WO Community)
With the rise of cloud computing and the death of the Xserve, learn how you can deploy your WebObjects applications on a CentOS server. You will also get tips about how to secure your server so that you don't get hacked.
Logstash is a tool for managing logs that allows for input, filter, and output plugins to collect, parse, and deliver logs and log data. It works by treating logs as events that are passed through the input, filter, and output phases, with popular plugins including file, redis, grok, elasticsearch and more. The document also provides guidance on using Logstash in a clustered configuration with an agent and server model to optimize log collection, processing, and storage.
The Apache HTTP Server is an open-source web server software developed by the Apache Software Foundation. It is cross-platform, secure, fast, and reliable. Key features include virtual hosting, SSL encryption, custom error responses, and extensibility through modules. Apache relies on simple text configuration files and runs as a standalone process to efficiently handle HTTP requests from client browsers.
This document provides an overview of server-side web programming. It discusses how web servers deliver static and dynamic web pages using technologies like HTML, CSS, JavaScript, Java, PHP, and databases. It then covers common web servers like Apache and IIS. The main server-side technologies - CGI, servlets, and PHP - are explained. Servlets are Java classes that extend server capabilities, while PHP is a scripting language designed for web development. Examples are given to demonstrate basic servlets and PHP scripts. The document also mentions modifying configuration files, handling GET/POST requests, and returning JSON/XML data.
Zend Core on IBM i - Security Considerations, by ZendCon
The document discusses security considerations for Zend Core for IBM i. It provides two options for securing the system: 1) guarantee system security by unplugging and locking the system in a vault or 2) take a security journey to protect valuable information assets from outsiders like hackers and insiders like corporate criminals. The document then discusses steps to understand and protect various components of Zend Core like directories, files, programs, user profiles, and configurations. It provides recommendations to make the Apache and PHP configurations more secure through access controls, encryption, and logging.
This document provides an overview of various Linux basics including the VIM text editor, networking commands, SSH secure shell, SSH keys, package management, package dependencies, services, Apache web server configuration, MySQL database server, caching, and configuration management tools like Puppet, CFEngine, and Chef. It discusses installing and using the popular Wordpress content management system on a Linux server.
Apache Solr on Hadoop is enabling organizations to collect, process and search larger, more varied data. Apache Spark is making a large impact across the industry, changing the way we think about batch processing and replacing MapReduce in many cases. But how can production users easily migrate ingestion of HDFS data into Solr from MapReduce to Spark? How can they update and delete existing documents in Solr at scale? And how can they easily build flexible data ingestion pipelines? Cloudera Search Software Engineer Wolfgang Hoschek will present an architecture and solution to this problem. How were Apache Solr, Spark, Crunch, and Morphlines integrated to allow for scalable and flexible ingestion of HDFS data into Solr? What are the solved problems and what's still to come? Join us for an exciting discussion on this new technology.
Your Inner Sysadmin - Tutorial (SunshinePHP 2015), by Chris Tankersley
One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like puppet for server management, OSSEC for log management, different command line tools, and nagios/monit for system monitoring.
Configuration Management in the Cloud - Cloud Phoenix Meetup Feb 2014, by Miguel Zuniga
This document discusses configuration management tools Puppet and Chef in the cloud. It provides an overview of what configuration management is and why it is more painful in cloud environments where resources are dynamic. It then covers using infrastructure as code and discusses Puppet and Chef architectures, code examples, and how to use them in a masterless configuration in the cloud. Key aspects covered include using repositories to manage code, rebuilding on failure, and dynamically updating config files using knife to search inventory in Chef.
High Availability Using MySQL Group Replication, by OSSCube
MySQL Group Replication is a recent MySQL plugin that brings together group communication techniques and database replication, providing both a high availability and a multi-master update everywhere replication solution.
The PPT provides a broad overview of the MySQL Group Replication plugin, what it can achieve and how it helps keep your MySQL databases highly available and your business up and running, without fail.
Accelerate Your Digital Transformation Journey with Pimcore, by OSSCube
A key priority for businesses today is to successfully transform their enterprise into a digital business. Digital transformation offers enormous opportunities to enterprises to refine their business models and to win in this digital era. How is your organization placed in this digital world?
In the video, we have discussed, how Pimcore delivered the promise, consolidating PIM, CMS, DAM & Commerce within one framework platform with faster time-to-market.
We will also go through some recent digital transformation experiences driven through Pimcore that helped clients achieve market differentiation and customer value.
Key Points:
* Understanding Digital Transformation need and strategies
* Transformation of digital strategies through Pimcore
* Helps gain insights into Pimcore and its features
* Identification/Co-relation of end customer needs based on our digital transformation experiences
Migrating Legacy Applications to AWS Cloud: Strategies and Challenges, by OSSCube
To reduce the TCO of application infrastructure and to make them more scalable and resilient it is advisable to migrate on-premise legacy applications to AWS cloud. In this webinar, you will learn the benefits, key challenges and strategies to mitigate them. It will also talk about leveraging the cloud infrastructure to further modernize the application.
Key Take Away:
Opportunities and challenges while migrating on-premise applications to the cloud.
Identifying the applications
Assessing cloud architecture and costs
Data migrations strategies and options
Strategies for migrating applications
Leveraging the cloud and optimization
Using MySQL Fabric for High Availability and Scaling Out, by OSSCube
MySQL Fabric is an extensible framework for managing farms of MySQL Servers. In this webinar, you will learn what MySQL Fabric is, what it can achieve and how it is used by database administrators and developers. Plus, you will learn how MySQL Fabric can help for sharding and high-availability. See more @ http://www.osscube.com/
Webinar: Five Ways a Technology Refresh Strategy Can Help Make Your Digital T..., by OSSCube
You’ve realized that in order to create new revenue streams, increase efficiency and improve customer engagement your organization may need a digital transformation. But what exactly is a digital transformation, how do you start one, and how does technology play a role? Join experts Dietmar Rietsch, co-founder and CEO of Pimcore, and John Bernard, EVP of North America at OSSCube, as they discuss how Pimcore is disrupting the digital transformation market.
We’ll cover:
- What digital transformation is and why it’s important for your organization
- The role technology plays in the digital transformation process
- How choosing the right technology gives you a competitive advantage
- Outcomes of a successful digital transformation project
The pace of change in business is faster than we could have ever imagined, and in this day and age you must either disrupt, or be disrupted.
This presentation aims to explain the changes we are seeing in the business technology world, the struggles many organizations are facing to keep up, and present the audience with solutions to these difficulties.
The presentation was originally presented by OSSCube CEO Lavanya Rastogi.
Legacy to industry leader: a modernization case study, by OSSCube
This live webinar goes through the steps of how MakeMyTrip.com engaged OSSCube to completely modernize their website and help them become one of the top online travel companies in the world. Zend Server and Zend Studio were used to expedite the entire project for what has now become arguably the largest Drupal implementation to date.
This live webinar demonstrates how using an integrated customer acquisition solution can help to close the loop between marketing and sales. We show you examples of how this process has worked for other companies, giving them a better understanding as to where their leads are coming from and how to best spend their marketing dollars for the highest return. - See more at: https://www.osscube.com/webinar/sales-and-marketing-together-at-last#sthash.ZT2dsELD.dpuf
Using PIM to maximize revenue and improve customer satisfaction, by OSSCube
This live webinar shows how Pimcore, an open source PIM (Product Information Management) solution, can be used to quickly update and append your product catalog across all channels, effectively reducing data management costs.
This webinar explores the process of how OSSCube developed a Talend solution--for a global provider of digital marketing and client reporting tools--that aggregates and converts information from a variety of resources into well-defined data formats.
Watch on YouTube: https://www.youtube.com/watch?v=gyZiiG7mjx8
OSSCube EVP John Bernard and Talend Alliances and Channels Manager Rich Searle provide an in-depth explanation of the benefits of Talend as well as the usefulness of data organization in today's business world.
Key Discussion Points:
- Talend ETL tools capabilities
- Implementing Talend in your organization
For more information please visit OSSCube.com
For more webinars please visit OSSCube.com/upcoming-webinars
Follow us on Twitter @OSSCube
Follow us on LinkedIn http://linkedin.com/company/osscube
This webinar goes through how the commerce industry today has changed, causing customers to interact differently, expect more from retailers and demand unique shopping experiences. Rakesh Kumar and John Bernard dive into what makes Magento the world’s leading eCommerce platform and how it puts the retailer back in control.
Non functional requirements: do we really care…? by OSSCube
Non-functional requirements are an essential part of a project's success, yet they sometimes become a less-focused area as everyone tries to make the project successful in terms of functionality. This recorded webinar uncovers what can happen if non-functional requirements are not addressed properly and what the after-effects are. You will also learn the importance of non-functional requirements and their identification, implementation and verification.
Learning from experience: Collaborative Journey towards CMMI, by OSSCube
The document summarizes OSSCube's journey towards achieving CMMI Level 3 accreditation. It discusses the different phases of implementation including initiation, planning, execution, appraisal planning, and final appraisal. Key aspects covered include establishing internal commitment, conducting a gap analysis, forming an implementation team, creating an implementation roadmap and schedule, building a quality management system, rolling out processes, conducting trainings, setting up an audit function, selecting appraisers, planning for the appraisal, and completing the final appraisal. The presentation emphasizes the importance of internal commitment, using tools, collaborative process writing, trainings, and planning well in advance for the final appraisal.
JXL is the library of the JExcel API, an open source Java API that dynamically reads, writes, and modifies Excel spreadsheets.
We can use its powerful features to build an automated testing framework using Selenium WebDriver. JXL works as a data provider where multiple sets of data are required as input. Moreover, users can read and write information using external Excel files. JXL also helps create custom reports, where users have full authority to design reports as per their needs.
Listen to this webinar to explore JXL with examples.
OSSCube provides consulting, development, integration and support services for open source technologies. They have expertise in areas such as PHP, CRM, marketing automation, content management, e-commerce, BI and big data. This presentation introduces AWS and discusses why organizations use AWS, common use cases, and how to get started. It describes key AWS services for application and web hosting including EC2, ELB, RDS, ElastiCache, EBS and CloudWatch and how they provide scalability, reliability, flexibility and security for applications deployed in the AWS cloud.
MariaDB Galera Cluster for High Availability, by OSSCube
Want to understand how to set high availability solutions for MySQL using MariaDB Galera Cluster? Join this webinar, and learn from experts. During this webinar, you will also get guidance on how to implement MariaDB Galera Cluster.
Talend Open Studio Introduction - OSSCamp 2014, by OSSCube
Talend Open Studio is the most open, innovative and powerful data integration solution on the market today. Talend Open Studio for Data Integration allows you to create ETL (extract, transform, load) jobs.
Performance testing is a type of non-functional testing used to identify a system's response time, throughput, reliability, and scalability under given load conditions. It helps understand how a system will behave under extreme loads, identifies constraints, and which parts may misbehave in real-time. There are different types including baseline, benchmark, load, stress, endurance, and volume testing. JMeter is an open source tool commonly used for performance testing as it can simulate heavy loads and provide instant visual feedback. Key challenges include accurately simulating high user loads, implementing real-life usage scenarios, accounting for network latency, testing certain systems like chat servers, and reducing the time needed for metrics collection and report analysis.
JobQueue is one of the features of Zend Platform, where you can schedule and manage the execution of PHP scripts (jobs). The Job Queue can be used to execute PHP scripts asynchronously and so provides, for instance, scalability for a server.
Dandelion Hashtable: beyond billion requests per second on a commodity server, by Antonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design (1) offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Monitoring and Managing Anomaly Detection on OpenShift.pdf, by Tosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Generating privacy-protected synthetic data using Secludy and Milvus, by Zilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application..., by Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Introduction of Cybersecurity with OSS at Code Europe 2024, by Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
HCL Notes and Domino license cost reduction in the world of DLAU, by panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that and want to help you!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expenses, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future as well.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices for immediate implementation
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Skybuffer SAM4U tool for SAP license adoption, by Tatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Driving Business Innovation: Latest Generative AI Advancements & Success Story, by Safe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Programming Foundation Models with DSPy - Meetup Slides, by Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Main news related to the CCS TSI 2023 (2023/1695), by Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
1. Securing Your Web Server (Apache)
OSScamp, Impetus Noida, Sept, ’07
Pradeep Kr. Sharma
Account Management Executive, OSSCube
2. Web server (Apache)
• A web server like Apache, in its simplest function, is software that displays and serves HTML pages hosted on a server to a client browser that understands the HTML code.
3. Functionality
• The Web server will be accessible from the Internet, and only static HTML pages will be served
• The server will support a name-based virtual hosting mechanism
• Specified Web pages can be accessible only from selected IP addresses or users (basic authentication)
• The server will log all the Web requests (including information about Web browsers)
Or
• The web server must handle the PHP/Perl scripting language
• The PHP/Perl component must be able to read and write users' data in a locally installed MySQL database.
4. Security Assumptions
• The operating system must be hardened as much as possible, both against local and remote attacks;
• The server must not offer any network services except HTTP (80/TCP);
• Remote access to the server must be controlled by a firewall, which should block all outbound connections, and allow inbound connections only to the 80/TCP port of the Web server;
• The Apache Web server must be the only service available on the system;
5. • Only absolutely necessary Apache modules should be enabled;
• Any diagnostic Web pages and the automatic directory indexing service must be turned off;
• The server should disclose the least amount of information about itself (security by obscurity);
• The Apache server must run under a unique UID/GID, not used by any other system process;
• Apache's processes must have limited access to the file systems (chrooting); and,
• No shell programs can be present in Apache's chrooted environment (/bin/sh, /bin/csh etc.).
Or
• The PHP configuration should take advantage of built-in security mechanisms
• PHP scripts must be executed in a chrooted environment
6. • The Apache server must reject all requests (GET and POST), which contain
HTML tags (possible Cross-Site-Scripting attack) or apostrophe/quotation
marks (possible SQL Injection attack)
• No PHP warning or error messages should be shown to the web
application's regular users
• It should be possible to store incoming GET and POST requests into a text
file which will make it possible to use additional, host-based intruder
detection system (HIDS), e.g. swatch.
7. Operating system
• A UNIX or UNIX-like system, i.e. Linux, FreeBSD, etc., is best for Apache. MS Windows provides very limited capabilities for securing Apache, so it is not recommended.
8. Prerequisites
• OpenSSL should be already installed on your system if you want Apache
and SSL encryption support.
• PostgreSQL should be already installed on your system if you want Apache and PostgreSQL database connectivity support.
Or
• MySQL should be already installed on your system if you want Apache and
MySQL database connectivity support.
9. • MM should be already installed on your system if you want Apache and MM
high-performance RAM-based session cache support.
• OpenLDAP should be already installed on your system if you want Apache
and LDAP directory connectivity support.
• IMAP & POP should be already installed on your system if you want Apache
and IMAP & POP capability.
10. Software Preparation
These installation instructions assume
• Commands are Unix-compatible.
• The source path is /var/tmp
• Installations were tested on Red Hat Linux
• All steps in the installation will happen in super-user account root.
• Apache version number is 1.3.27+ (Why?)
• Mod_SSL
• Mod_Perl (Optional)
• Mod_PHP
15. PHP4
This tells PHP4 to set itself up for this particular hardware setup with:
• Compile without debugging symbols.
• Enable safe mode by default.
• Include IMAP & POP support.
• Include LDAP directory support.
• Include PostgreSQL / MySQL database support.
• Include mm support to improve performance of Memory Library.
• Enable inline-optimization for better performance.
• Compile with memory limit support.
• Assume the C compiler uses GNU ld.
• 3. [root@deep ]/php-4.0# make && make install
16. Mod_PERL
• [root@localhost] cd ../mod_perl-version.version/
• [root@localhost] perl Makefile.PL EVERYTHING=1 APACHE_SRC=../apache_1.3.37/src USE_APACI=1 PREP_HTTPD=1 DO_HTTPD=1
• 3. [root@localhost]/mod_perl-version.version# make && make install
19. Step – 2: Chroot Jail
• Chroot
• Chrooting is the process by which you change the apparent root of the file system to a different location, so that the actual root file system stays safe from intruders.
21. Benefit
• Apache by default runs as a non-root user, which will limit any damage to what can be
done as a normal user with a local shell.
• The main benefit of a chroot jail is that the jail will limit the portion of the file system
the daemon can see to the root directory of the jail.
• The jail only needs to support Apache; the programs available in the jail can be
extremely limited.
• There is no need for setuid-root programs, which can be used to gain root access and
break out of the jail.
22. Pros
• If Apache is ever compromised, the attacker will not have access to the entire file system.
• Poorly written CGI scripts that may allow someone to access your server will not
work.
Cons
• There are extra libraries you'll need to have in the chroot jail for Apache to work.
• If you use any Perl/CGI features with Apache, you will need to copy the needed
binaries, Perl libraries and files to the appropriate spot within the chroot space. The
same applies for SSL, PHP, LDAP, PostgreSQL and other third-party programs.
25. Copy all found dependencies into the created directory, along with their file access permissions (not writable by others)
• [root@localhost ]/# cp -r /etc/ssl /chroot/httpd/etc/ (required only if you use the mod_ssl feature)
• [root@localhost ]/# chmod 600 /chroot/httpd/etc/ssl/certs/ca.crt (required only if you use the mod_ssl feature)
• [root@localhost ]/# chmod 600 /chroot/httpd/etc/ssl/certs/server.crt (required only if you use the mod_ssl feature)
• [root@localhost ]/# chmod 600 /chroot/httpd/etc/ssl/private/ca.key (required only if you use the mod_ssl feature)
• [root@localhost ]/# chmod 600 /chroot/httpd/etc/ssl/private/server.key (required only if you use the mod_ssl feature)
26. User authentication with the .dbmpasswd password file
• To change the permissions on the dbmmanage program, use the following
command:
• [root@localhost ]/# chmod 750 /usr/bin/dbmmanage
• To create a username and password, use the following command:
• [root@deep ]/# /usr/bin/dbmmanage /etc/httpd/.dbmpasswd adduser username
• New password:
• Re-type new password:
• User username added with password encrypted to l4jrdAL9MH0K.
27. Now copy the passwd and group files into the /chroot/httpd/etc chrooted directory and remove all entries except for the user Apache runs as from both the passwd and group files.
• [root@localhost ]/# cp /etc/passwd /chroot/httpd/etc/
• [root@localhost ]/# cp /etc/group /chroot/httpd/etc/
Edit the passwd file (vi /chroot/httpd/etc/passwd) and delete all entries except for the user Apache runs as; in our configuration it's www:
• www:x:80:80::/home/www:/bin/bash
Edit the group file (vi /chroot/httpd/etc/group) and delete all entries except for the group Apache runs as; in our configuration it's www:
• www:x:80:
You will also need the /etc/resolv.conf, /etc/nsswitch.conf and /etc/hosts files in your chroot jail, in the same directory structure, so that host names can be resolved.
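Slides 19 to 27 build the jail by hand; the script below, added here and not part of the original deck, automates the "copy all found dependencies" step for any binary: it resolves shared libraries with ldd, copies them into the jail under their original paths, and clears write permission for group and others. The jail directory and the binary are parameters (the deck's own placeholders are /chroot/httpd and Apache's httpd); the demo uses ls only to exercise the functions.

```shell
#!/bin/sh
# Added example, not from the slides: populate a chroot jail with a binary and
# the shared libraries it depends on (the "copy all found dependencies" step).
# Assumptions: GNU/Linux with ldd; the jail path is a parameter (the deck uses
# /chroot/httpd) and the binary would normally be Apache's httpd.

# copy_into_jail JAIL FILE - copy FILE into JAIL under the same absolute path,
# then drop write permission for group and others (slide 25: no other writable).
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
    chmod go-w "$jail$src"
}

# copy_deps JAIL BINARY - copy BINARY plus every shared object ldd reports.
copy_deps() {
    jail=$1; bin=$2
    copy_into_jail "$jail" "$bin"
    # Statically linked binary or no ldd available: nothing more to copy.
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libfoo.so => /lib/libfoo.so (0x...)
        $1 ~ /^\//               { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | while read -r lib; do
        if [ -f "$lib" ]; then copy_into_jail "$jail" "$lib"; fi
    done
}

# count_jail_files JAIL - number of regular files inside the jail (for checks).
count_jail_files() { find "$1" -type f | wc -l | tr -d ' '; }

# Demo on a throwaway jail. It uses ls only to exercise the functions; the
# deck forbids shells and other programs in the real Apache jail.
if [ "${1:-}" = "demo" ]; then
    JAIL=$(mktemp -d)
    copy_deps "$JAIL" "$(command -v ls)"
    echo "copied $(count_jail_files "$JAIL") files into $JAIL:"
    find "$JAIL" -type f
    rm -rf "$JAIL"
fi
```

Run it as `sh jail.sh demo` to see which files a single binary drags into the jail; for the real server, call copy_deps with /chroot/httpd and the httpd binary instead.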
28. Step – 3: Securing CGI Applications
• Configuring PHP
• add the following lines to httpd.conf
• AddModule mod_php4.c
• AddType application/x-httpd-php .php
• AddType application/x-httpd-php .inc
• AddType application/x-httpd-php .class
• A few changes must also be made in the PHP configuration file
(/chroot/httpd/usr/local/lib/php.ini).
• Parameter Description
• safe_mode = On
• safe_mode_gid = Off
• open_basedir = directory[:...] (only these directories are accessible to scripts)
• safe_mode_exec_dir = directory[:...] (only executables in these directories may be run)
• expose_php = Off (do not advertise PHP in the HTTP headers)
• register_globals = Off
• display_errors = Off
• log_errors = On
• error_log = filename
29. Changing the file extension
• In order to change the extensions, all the *.php files should be renamed to *.dhtml (for
example), and the following line should be changed in
/chroot/httpd/usr/local/apache/conf/httpd.conf:
• AddType application/x-httpd-php .php
• to the new one:
• AddType application/x-httpd-php .dhtml
• Web users will not see the *.php extension in the URL, which is what immediately suggests that PHP is being used on the server side.
30. The last step - Defending against CSS (Cross-Site Scripting) and SQL Injection attacks
• In order to perform that, we will use the mod_security module, which we enable by adding the
following line into httpd.conf:
• AddModule mod_security.c
To enable logging of the GET and POST requests, it suffices to add the following section to
httpd.conf:
• <IfModule mod_security.c>
• AddHandler application/x-httpd-php .php
• SecAuditEngine On
• SecAuditLog logs/audit_log
• SecFilterScanPOST On
• SecFilterEngine On
• </IfModule>
31. • The above directives enable the Audit Engine, which is responsible for logging requests, and the POST filtering engine, which makes it possible to log POST requests. In order to protect the web application against CSS attacks, the following lines should also be inserted before "</IfModule>":
• SecFilterDefaultAction "deny,log,status:500"
• SecFilter "<(.|\n)+>"
• The first line causes the server to return the "Internal Server Error" message when the request contains the search phrase of any SecFilter rule.
• The second line sets up the filter to search for HTML tags in the GET and POST
requests.
32. • One of the typical signatures of an SQL Injection attack is the appearance of an apostrophe (') or quotation mark (") in the GET or POST request. By rejecting all requests containing those characters, we can make the use of the SQL Injection technique very difficult:
• SecFilter "'"
• SecFilter "\""
• Note that although filtering the <, >, ', " characters lets us defend against CSS and SQL Injection attacks, it can lead to improper functioning of the PHP application, because regular users can no longer use those characters in HTML forms. To solve that problem, JavaScript can be used on the client side to replace the prohibited characters with their HTML entities, e.g. &lt; &gt; &quot; etc.
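As an added illustration that is not part of the deck, the shell functions below emulate the three SecFilter rules above together with the client-side entity substitution slide 32 recommends, so the trade-off can be seen on constructed input: the tag rule catches <b>hi</b>, but the quote rules also reject a legitimate surname such as O'Reilly until it is entity-encoded. It assumes grep -E and sed; the patterns are per-line stand-ins for mod_security's PCRE regexes.

```shell
#!/bin/sh
# Added example, not from the slides: a shell emulation of the three SecFilter
# rules of slides 31-32, to show what they block and the side effect the deck
# warns about (legitimate input containing quotes is rejected too).
# Assumption: grep -E works per line, so the slide's "<(.|\n)+>" becomes "<.+>".

# check_request STRING - print the status the server would return: 500 when a
# filter matches (SecFilterDefaultAction "deny,log,status:500"), else 200.
check_request() {
    req=$1
    # SecFilter "<(.|\n)+>" : anything that looks like an HTML tag
    if printf '%s\n' "$req" | grep -Eq '<.+>'; then
        echo 500; return 0
    fi
    # SecFilter "'" and SecFilter "\"" : quote characters typical of SQL injection
    case $req in
        *"'"* | *'"'*) echo 500; return 0 ;;
    esac
    echo 200
}

# html_escape STRING - the client-side substitution slide 32 suggests: replace
# the prohibited characters with HTML entities before the form is submitted.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e "s/'/\&#39;/g" -e 's/"/\&quot;/g'
}

# Constructed sample requests (not captured traffic).
demo() {
    for q in 'name=alice' 'comment=<b>hi</b>' "name=O'Reilly" 'q="x"'; do
        printf '%-28s -> %s\n' "$q" "$(check_request "$q")"
    done
    # The surname that was wrongly rejected passes once escaped client-side.
    esc="name=$(html_escape "O'Reilly")"
    printf '%-28s -> %s\n' "$esc" "$(check_request "$esc")"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```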
33. Summary
Achieving a high level of web server security using server-side technologies (PHP, ASP, JSP etc.) is a very difficult task in practice.
Reasons:
• The server itself does not defend against poor programming techniques.
• Vulnerabilities in the server-side technology (ASP, PHP, JSP etc.) also make the web server prone to attack.
• Applying security patches and removing unused files is necessary to make your web server more defensible.
• We cannot forget that the security of the whole environment depends not only on Apache's or PHP's configuration, but also and foremost on the web application itself.
• Programmers need to analyze their code or application before deploying it to a production server.
• Regular monitoring of logs and CGI behavior is necessary to keep a web server running for a long time without being attacked.
• Building a dedicated web server involves cost and may be an overhead, so compromising on it needs analysis.