Securing your Apache – Part 1 (Hiding the server banner)

The first thing an attacker will do when going after your web application is gather information about your web server. Using the netcat tool is easy enough even for script kiddies. For example, the following simple command returns the web server brand, version and operating system:

nc xxx.xxx.xxx.xxx 80
HEAD / HTTP/1.0

Here is the result:

HTTP/1.1 200 OK
Date: Fri, 20 Jan 2012 14:24:08 GMT
Server: Apache/2.2.16 (Debian)
Last-Modified: Tue, 15 Nov 2011 09:24:49 GMT
ETag: "180d5-b1-4b1c28f12fa40"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

As you can see, some dangerous information about the web server is exposed.
Also, if you request a non-existing page, the server responds with full details about itself and the host OS:

Not Found 
The requested URL /hack-test was not found on this server.

Apache/2.2.20 (Unix) DAV/2 PHP/5.3.6 with Suhosin-Patch Server at localhost Port 80

Fortunately, mitigating such leakage in Apache is simple:

  1. To hide the server details shown when you request a non-existing page, add the following line to httpd.conf (or whatever your Apache configuration file is called):
    ServerSignature Off

    This removes the server details from the error page.

  2. To hide the server details in the response header, you need to install the mod_security module for Apache (on Debian servers the task is easy enough):
    apt-get install libapache2-mod-security2

    then add the following lines to httpd.conf (or whatever your Apache configuration file is called):

    ServerTokens Full
    SecServerSignature "Web Server"

    This shows the words “Web Server” instead of your full server details. (ServerTokens Full is deliberate: mod_security overwrites the banner that Apache generates, and it needs the full-length banner in place to replace it.)

Sure, there are other ways to determine the server banner using fingerprinting, but that will be for another post.
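To verify the two settings above actually took effect, here is an added check (my example, not part of the original post) that parses a raw HTTP response like the one netcat prints and reports any version tokens or the ServerSignature footer. The sample responses are constructed; the raw_response helper and its host argument are assumptions for running it against a server you administer.

```ruby
require 'socket'

# Constructed sample responses (not captured from a real host), in the shape
# the nc/HEAD probe above produces: one leaky, one hardened, one leaky 404 page.
LEAKY_HEAD = "HTTP/1.1 200 OK\r\nDate: Fri, 20 Jan 2012 14:24:08 GMT\r\n" \
             "Server: Apache/2.2.16 (Debian)\r\nContent-Type: text/html\r\n\r\n"
HARDENED_HEAD = "HTTP/1.1 200 OK\r\nServer: Web Server\r\nContent-Type: text/html\r\n\r\n"
LEAKY_404 = "HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.20 (Unix)\r\n\r\n" \
            "<h1>Not Found</h1><p>The requested URL /hack-test was not found on this server.</p>" \
            "<address>Apache/2.2.20 (Unix) DAV/2 PHP/5.3.6 with Suhosin-Patch Server at localhost Port 80</address>"

# Product/version tokens Apache emits with ServerTokens Full, and the ServerSignature footer.
VERSION_RE   = %r{\b(Apache|PHP|DAV|OpenSSL|mod_\w+)/\d}i
SIGNATURE_RE = /Server at \S+ Port \d+/i

# Splits a raw HTTP/1.0 response into status line, lower-cased header hash and body.
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status, *header_lines = head.split("\r\n")
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [status, headers, body.to_s]
end

# Returns a list of leak descriptions; an empty list means the banner is hidden.
def banner_findings(raw)
  _status, headers, body = parse_response(raw)
  findings = []
  server = headers.fetch("server", "")
  findings << "Server header reveals version: #{server}" if server =~ VERSION_RE
  findings << "error page carries the ServerSignature footer" if body =~ SIGNATURE_RE
  findings << "error page body lists module versions" if body =~ VERSION_RE
  findings
end

# Replays the post's probe against a server you administer (hypothetical helper);
# use GET with a path that does not exist to fetch the 404 page as well.
def raw_response(host, port = 80, path = "/", method = "HEAD")
  sock = TCPSocket.new(host, port)
  sock.write("#{method} #{path} HTTP/1.0\r\nHost: #{host}\r\n\r\n")
  sock.read
ensure
  sock&.close
end
```

Run banner_findings on the output of raw_response after restarting Apache; anything other than an empty list means one of the two settings is not in effect.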


    Seeding rails application with data

    During development I like to have some sample data for testing and demo purposes. Instead of filling it in through the application interface, the Rails console or database operations, Rails has a slick way of seeding your database.

    When you create a new Rails application you will find a file called seeds.rb in the db directory. This file can contain all your seed data, as follows:

    projects = Project.create([{:title => 'xxxxx', :description => 'yyyyyyyy'}, {:title => 'rrrrrrrrr', :description => 'zzzzzzzzzzzzz'}])

    To execute this file and fill your database with the seed data, run:

    rake db:seed

    Note that if you run it more than once your data will be inserted twice; to reset your database, run:

    rake db:reset

    Having your seed data in a Ruby file gives you some advantages: you can use loops to fill data series, or use other tools such as Faker. To use Faker with your seed data:

    1- Add gem 'faker' to your Gemfile

    2- Add require 'faker' at the top of seeds.rb

    3- Use Faker in your seed data:

    projects = Project.create([{:title => 'xxxxx', :description => Faker::Lorem.paragraph(10)}])

      Changing port number for Central Administration site

      I posted this trick on an older blog, but recently I was in a situation where I was in desperate need of it, so here is the old post.

      I always like to have a standard port number for Central Administration across all my WSS/MOSS installations. I always use the following command to change it to my standard 1000:

      stsadm -o setadminport -port 1000

      It might be unsafe to change the port number, as it might break something, but so far nothing has broken for me.


        Install rmagick gem on windows 7

        My MacBook Pro broke a few days ago and I had to deal with the pain of Rails programming on Windows 7 :(

        One of the biggest pains I stumbled upon was getting the rmagick gem to work on the Windows machine. It took me about 8 hours to figure out how it is done.

        1. Install the Ruby DevKit: http://github.com/downloads/oneclick/rubyinstaller/DevKit-tdm-32-4.5.2-20110712-1620-sfx.exe
        2. Install ImageMagick 6.6.x with the Windows installer, including headers: http://www.imagemagick.org/download/binaries/ImageMagick-6.7.3-3-Q16-windows-dll.exe (You should change the installation folder to c:\ImageMagic, otherwise it won’t work)
        3. Set the following environment variables (no spaces around the = sign, or cmd.exe creates a variable with a trailing space in its name):
          set PATH=c:\ImageMagic;%PATH%
          set CPATH=c:\ImageMagic;%CPATH%
          set LIBRARY_PATH=c:\ImageMagic\lib;%LIBRARY_PATH%
        4. gem install rmagick
          This installs the latest rmagick (in this case 2.13.1)

          New Year Resolutions 2012

          Every year before it starts I make a list of things I need to achieve by the end of the year (commitments, goals, …). Rarely do I check all of them off by the end of the year (if I manage to check anything off at all :) ).
          This year I decided to publish my list online for two reasons:

          1. This approach should help me keep my promises, to avoid public humiliation
          2. It should force me to create a realistic list, to avoid keeping me stressed all year long.

          Here is my list for this year:

          • Getting married: should be easy as I’m already engaged and the wedding date is set (yes, I’m cheating in my list :) )
          • Finish my CSSLP certification
          • Finish my secret new project (shhhhh)
          • Lose 12 kg
          • Go cycling at least twice a week
          • Go to the gym at least 3 times a week
          • Eat healthy
          • Write more Rails code
          • Every line of code should have a unit test
          • Publish more technical blog posts (at least once a week)
          • Learn French

          Happy New Year


            Happy singleton

            I love Ruby (well…, only the programming language; I actually hate the stone)

            I don’t know what makes this programming language special to me, but I would like to share a small “ahh” moment I had while reading about Ruby.

            We are all familiar with the standard GoF implementation of a singleton:

            class Logger
              def initialize
                @log = File.open("log.txt", "a")
              end
             
              @@instance = Logger.new
             
              def self.instance
                return @@instance
              end
             
              def log(msg)
                @log.puts(msg)
              end
             
              private_class_method :new
            end

            That is the plain old singleton, but with some Ruby magic it can be like this:

            class Logger
              def initialize
                @log = File.open("log.txt", "a")
              end
             
              @@instance = Logger.new
             
              def self.instance
                return @@instance
              end
             
              def log(msg)
                @log.puts(msg)
              end
             
              private_class_method :new
            end
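For comparison, here is what the Singleton mixin from Ruby's standard library makes of the same Logger; this is an added example, not the post's own listing, and it logs to a StringIO instead of log.txt purely so it can run without touching the filesystem.

```ruby
require 'singleton'
require 'stringio'

# The same Logger, but the Singleton mixin from Ruby's standard library supplies
# Logger.instance and makes Logger.new private, so none of that boilerplate is ours.
# The log goes to a StringIO rather than log.txt so the example runs without
# touching the filesystem (an assumption of this example, not of the post).
class Logger
  include Singleton

  def initialize
    @log = StringIO.new
  end

  def log(msg)
    @log.puts(msg)
  end

  # Inspection helper added for this example.
  def contents
    @log.string
  end
end

# Checks the two properties a singleton must have: one shared instance,
# and direct construction refused.
def singleton_contract_holds?
  shared = Logger.instance.equal?(Logger.instance)
  refused = begin
    Logger.new
    false
  rescue NoMethodError
    true
  end
  shared && refused
end
```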

            It is small things like these that bring me closer to Ruby every day.


              Pragmatic approach to learn Ruby on Rails

              Three years ago, out of boredom and frustration with the .NET framework, while cruising the web I stumbled upon Ruby on Rails, and from the first moment it clicked. I started to learn the framework and fell in love with it. I have been working on and off with it for the last 3 years, mostly due to the lack of Rails projects (most people are still attached to other famous technologies).

              Here I want to share the learning approach that will get you up to speed with RoR with minimal frustration.

              To be able to explain my approach I will have to explain briefly what RoR is: Ruby on Rails is a web development framework built using the Ruby language.
              The first step is to learn the language.

              Learning Ruby

              1. Set up your system: RoR works best on Linux/Unix/Mac OS (but it also works fine on the Windows platform). If you want the best experience without investing much money, you can install Linux as a virtual machine on your system, or clear 20 GB on your hard drive and install it directly on your computer (my favourite approach). My recommended Linux distribution is Ubuntu.
              2. If you installed Linux and need to become familiar with it, you can use this pdf to introduce you to the mysterious world of Linux.
              3. If you installed Linux you can google the installation approach (I will introduce it in a later post), and if you will use your Windows system you need to install it using RubyInstaller; at this time the recommended version is 1.9.2 p290. Mac machines come with a Ruby interpreter already installed.
              4. After setting up the environment, the following resources have proved really helpful:
                why’s (poignant) Guide to Ruby
                Learning Ruby (O’Reilly)

              Learning Rails

              1. The first step is to write a very basic Rails application and see how it works; the following link is my first choice to see RoR in action:
                http://guides.rubyonrails.org/getting_started.html
              2. I would recommend building a simple application (such as a blog, task management, …) without worrying too much about writing tests, just to get yourself familiar with the Rails environment.
              3. Authentication is a must in almost all projects; you can use the instructions in the following screencast to add authentication to your application:
                http://railscasts.com/episodes/209-introducing-devise or in text format
                http://www.asciicasts.com/episodes/209-introducing-devise
              4. Now you have an overview of how RoR works and have created a simple demo application. Make sure you go through most of the material in the Rails Guides and familiarize yourself with the Testing Rails Applications guide.
              5. Pick a real project, fire up your command line and start programming.
              6. Start using RSpec & Cucumber in your projects to create better tests; the best resource I found on this topic is The RSpec Book from Pragmatic Programmers.

              Tools

              You can use only the command line and a text editor to build awesome Rails apps (in fact I found it is the best way).

              • For Windows you can use e-texteditor
              • For Mac, TextMate is your best friend
              • VI is my editor of choice, but if you are new to Linux, Redcar can provide a good graphical editor

              If you are the IDE type of person, Aptana is a great IDE with wonderful support for Rails.

              Additional Resources

              Happy Coding
