How to security harden your Linux or Windows web server

Is your web server secure?

I’ve recently begun working on a project of my own and have been exploring options for colocation of servers (web servers, application servers, database servers, etc.). I know that there are cloud services out there such as Amazon Web Services/AWS, Microsoft Windows Azure, Heroku and many others that simplify much of this process by virtualizing it all for you and allowing your services to scale easily with traffic. This is all fantastic; however, it doesn’t fit the need for everything, and it also takes some of the fun out of learning how to set up these services for those that are interested.

One of the key items that we need to be aware of in this age of information is security. Countless times I’ve read articles about data theft including passwords, email accounts, credit card data, etc. along with spam and phishing attacks coming from servers that don’t know they’ve been compromised. I ran a few simple searches on Google and came up with some webpages that iterated through the basics, but many of them fell short of a fully hardened system and/or didn’t describe *why* each security recommendation is done, how to test if it’s complete, and possible ways to resolve the potential security hole.

After some more in-depth searches I found references to a STIG. STIG stands for “Security Technical Implementation Guide”.

“A Security Technical Implementation Guide or STIG is a methodology for standardized secure installation and maintenance of computer software and hardware.”

The DoD (Department of Defense) website has many STIGs for various common server and desktop operating systems, including what we might use for our web/application/database servers.

There are categories for Operating Systems, Network/Wireless, Application Security, etc. For the sake of this article, we’re interested in STIGs for Operating Systems.

For example, if you have a RedHat or CentOS server, you’ll want the Red Hat STIG.
If you have a Windows Server 2012, you’ll want the Windows Server 2012 STIG.

There is a large list of STIGs for various flavors of Linux as well as Windows and other OSs. You’ll be getting your hands dirty as you’ll be reading all about partitioning, secure password storage/algorithms, daemons/services, access rights/ACLs/permissions of directories, files and processes as well as a ton of other security recommendations.

In summary, follow the STIGs on the DoD website for your web server operating system of choice to improve the security of your server.

Test HTML Rendering against older IE versions (IE6, IE7, IE8, IE9)

Internet Explorer VMs for Browser Testing

As developers, it’s quite common to want to stay on the bleeding edge of technology. Downloading the latest version of our browser of choice, coding in the latest, fashionable language[s], etc. is all the rage.

Unfortunately, for web development there are quite a few monkey wrenches that get thrown into the works if we always code to the latest technology and ignore the old. There are still a lot of users out there on IE6, IE7, FF 2.x, etc. These platforms don’t, and won’t, support the latest in web technology (e.g. HTML5, CSS3, etc.).

To fully support these older platforms it’s great to be able to install and test on them; however, some don’t allow side-by-side installation. Microsoft Internet Explorer, for example, doesn’t allow side-by-side installation.

That said, Microsoft does provide VM installations for all of their Internet Explorer versions from IE6 on up. You can download them from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=21eabb90-958f-4b64-b5f1-73d0a413c8ef&DisplayLang=en. It’s also good to know which browsers are the most common, so I’d recommend looking at Browser Statistics.

Have fun playing with the new stuff, but don’t forget the old!

Finger PIP Joint Injuries

Finger Joints

Well, a few weeks back I again injured myself during a grappling session. The pinky finger of my left hand (my dominant hand) was bent at an awkward angle. Even though it didn’t start to hurt for at least 3-4 hours after the incident, the next day I could barely move the finger as it was puffed up like a plump, juicy sausage. It’s now been about 5 weeks since I’ve done serious training and I’m finally able to use it again with some help from its neighbor. I’ve been buddy taping it up with my ring finger, which seems to work quite well. There’s definitely an incorrect way to buddy tape which just causes the tape to fall off. Check out this reference for some good options for buddy taping your fingers when training martial arts, especially grappling/jiu jitsu.

Opengraph enable your WordPress site

open graph

I found a great article describing how to support opengraph on your WordPress site. Simplified, opengraph can be used to describe a web page (document) to the outside world. For example, you might want a title or image associated with your page. Users will commonly post a link to a web page on their Facebook feed, which is where opengraph comes in. Facebook will use the opengraph information associated with the link to display an image, title, description, etc. If you have a WordPress site I’d highly recommend looking into adding opengraph support. Here is a simplified overview of the changes that need to be made:

  1. Get your Facebook admin ID. You can do this by going to your Facebook Insights page and clicking on insights for your domain.
  2. Locate and open the header.php file associated with your current theme.
  3. Edit header.php with the following code (the fragment replaces the opening html tag and the start of the head element; replace your_admin_id with the ID from step 1):
        <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/" <?php language_attributes(); ?>>
        <head>
        <meta property="og:site_name" content="<?php bloginfo('name'); ?>" />
        <meta property="og:description" content="<?php bloginfo('description'); ?>" />
        <meta property="og:type" content="website" />
        <meta property="fb:admins" content="your_admin_id" />
        <meta property="og:url" content="<?php the_permalink(); ?>" />


For a more in-depth description, definitely check out this article.
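A quick way to verify what a link-preview crawler will actually see once the header.php change is live, as an added example (Python, not code from the original post or from WordPress): it parses the og:/fb: meta tags out of a page, reports the Open Graph properties the protocol marks as required that the snippet above does not yet emit, flags a relative og:url, and catches an unreplaced admin-ID placeholder. The sample HTML is constructed; the set of required properties (og:title, og:type, og:image, og:url) comes from the Open Graph protocol.

```python
"""Extract and sanity-check the Open Graph tags a page exposes.  Added
example, not from the original post; the sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The four properties the Open Graph protocol lists as required.
REQUIRED = ("og:title", "og:type", "og:image", "og:url")

class OGParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> (and fb:) pairs."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop.startswith(("og:", "fb:")) and a.get("content") is not None:
            self.tags.setdefault(prop, a["content"])  # keep first value if repeated

def check_open_graph(html):
    """Return (tags, problems): the og:/fb: tags found and a list of findings."""
    parser = OGParser()
    parser.feed(html)
    tags = parser.tags
    problems = [f"missing {name}" for name in REQUIRED if name not in tags]
    # og:url and og:image must be absolute URLs, or the preview will not resolve them.
    for key in ("og:url", "og:image"):
        if key in tags:
            u = urlparse(tags[key])
            if u.scheme not in ("http", "https") or not u.netloc:
                problems.append(f"{key} is not an absolute http(s) URL: {tags[key]!r}")
    if tags.get("fb:admins") == "your_admin_id":
        problems.append("fb:admins still contains the placeholder value")
    return tags, problems

# Constructed sample: roughly what the header.php snippet above renders before
# og:title/og:image are added and the admin ID placeholder is replaced.
SAMPLE = """<html><head>
<meta property="og:site_name" content="My Blog" />
<meta property="og:description" content="Notes on servers and jiu-jitsu" />
<meta property="og:type" content="website" />
<meta property="fb:admins" content="your_admin_id" />
<meta property="og:url" content="/2011/opengraph-wordpress/" />
</head><body></body></html>"""
```

Run `check_open_graph` over the HTML your site serves (fetched with any HTTP client) and fix every entry in the returned problems list before sharing links; an empty list means all required tags are present and resolvable.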

Thoughts on Jiu-Jitsu knee injuries

Closed Guard - Brazilian Jiu Jitsu

I’ve been finding that there are very specific and common positions in Jiu-Jitsu that can put excessive pressure on the knee joints. Last Wednesday I was training with an individual who happened to be in my closed guard and was going for a simple pass, putting pressure on my inner thigh with his elbow and prying. I thought nothing of it at the time and kept my feet locked up, just dealt with the pressure until I adjusted my position to be more comfortable and thus relieved the pressure.

I finished up class and went home; however, a few hours after training I found that I could barely walk, as there was some serious pain in my left knee. After my injury I spent some time investigating what I might have injured and what might have caused it. I ended up self-diagnosing a minor medial meniscus injury. The most common description of how the medial meniscus is injured is having the lower leg, near the foot or ankle, held in a static position while the upper leg is twisted or bent. Initially I thought I may have injured my ACL; however, there was no ‘popping’ sound, I could still bear weight on my leg, and the pain didn’t occur until about 3-4 hours after my training had stopped.

I’m hoping this injury will heal on its own similar to my rotator cuff injury a couple of years back, however I’ve been thinking quite a bit about how I can prevent this from happening in the future. I’ve decided that I’m going to try to play open guard a bit more and if I do use a closed guard it should either be high up on the back, or there needs to be significant inward pressure to the body to keep the knees tight, not allowing room for an elbow to slip in and start prying.

Has anyone else sustained knee injuries during training/competition? How did you injure your knee and what did you do to rehab it?

Flamenco in Madrid

Towards the end of our trip to Spain in early October 2010 we were in Madrid for a few nights. We found some amazing night clubs at the top of buildings looking down on the crowds below as well as some great music. There wasn’t as much flamenco in Madrid as I had expected, but apparently Madrid is a bit farther north than where flamenco is generally performed (in Algeciras).

Casapatas Flamenco

My dad ended up getting in touch with his friend Susan who invited us to Casapatas, a flamenco bar, on one of our last nights and we decided to bring the flip video for some super secret video action. We ended up recording a few songs before the hostess finally came over and told us to stop recording (which we didn’t of course). Mission accomplished.