
In the long journey of security, moving from HTTP to HTTPS is one of the many steps you will need to take. So, the first question is: why not just close port 80/tcp? The answer is more an SEO matter than a security one; if you close port 80/tcp, Google and any other indexing engine will time out when they try to contact you. In Google's eyes, this means an off-line server, and an off-line server is a candidate for removal from the index.

Doing a proper redirection, for example from http://inside-out.xyz/path/script.php?parameters to https://inside-out.xyz/path/script.php?parameters, is the correct way. Google will understand the HTTP status code 301 and it will reindex you with the correct URL.

Here is the .htaccess file I use:

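    RewriteEngine On
    # Only act on requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off
    # Skip requests addressed to a loopback host (dots escaped, optional port)
    RewriteCond %{HTTP_HOST} !^127\.0\.0\.[0-9]+(:[0-9]+)?$
    # Skip requests coming from a loopback client
    RewriteCond %{REMOTE_HOST} !^127\.0\.0\.[0-9]+$
    # Permanent redirect to the same host and path over HTTPS
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]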

This redirects every HTTP request to HTTPS except those addressed to, or coming from, IP 127.0.0.x. You can adjust the regular expressions to add other exceptions.
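Exemption patterns are easy to get subtly wrong, so it helps to replay them offline before deploying. The Python model below is an added example, not part of the original article or of Apache: it evaluates the three conditions over constructed requests and compares an unescaped pattern of the form `^127.0.0` with an escaped, anchored one. The function names, the single shared pattern and the sample hosts are assumptions made for the illustration.

```python
import re

# LOOSE leaves the dots unescaped and the end unanchored; STRICT escapes the
# dots and anchors the whole value (optional :port for the Host header).
LOOSE = r"^127.0.0"
STRICT = r"^127\.0\.0\.[0-9]+(:[0-9]+)?$"

def decide(req, exempt):
    """Model of the RewriteCond lines and the RewriteRule.

    Returns (301, location) when the redirect fires, None otherwise.
    For brevity one pattern is applied to both HTTP_HOST and REMOTE_HOST.
    """
    if req["HTTPS"] != "off":                     # RewriteCond %{HTTPS} off
        return None
    if re.search(exempt, req["HTTP_HOST"]):       # RewriteCond %{HTTP_HOST} !...
        return None
    if re.search(exempt, req["REMOTE_HOST"]):     # RewriteCond %{REMOTE_HOST} !...
        return None
    # RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # mod_rewrite re-appends the original query string by default.
    location = "https://" + req["HTTP_HOST"] + req["REQUEST_URI"]
    if req["QUERY_STRING"]:
        location += "?" + req["QUERY_STRING"]
    return (301, location)

def audit(requests, exempt):
    """Names of plain-HTTP requests that the rule set leaves unredirected."""
    return [name for name, req in requests.items()
            if req["HTTPS"] == "off" and decide(req, exempt) is None]

def _req(https, host, remote, uri, query=""):
    return {"HTTPS": https, "HTTP_HOST": host, "REMOTE_HOST": remote,
            "REQUEST_URI": uri, "QUERY_STRING": query}

# Constructed sample requests (not taken from real logs).
SAMPLES = {
    "public": _req("off", "inside-out.xyz", "203.0.113.7",
                   "/path/script.php", "parameters"),
    "loopback": _req("off", "127.0.0.1:8080", "127.0.0.1", "/status"),
    # Host header that only resembles a loopback address.
    "lookalike_host": _req("off", "127x0y0.example.test", "203.0.113.7", "/"),
    # Reverse-DNS client name, as seen when HostnameLookups is enabled.
    "rdns_name": _req("off", "inside-out.xyz", "127-0-0-9.dyn.example.test", "/"),
    "already_https": _req("on", "inside-out.xyz", "203.0.113.7", "/"),
}

if __name__ == "__main__":
    print("unredirected with LOOSE: ", audit(SAMPLES, LOOSE))
    print("unredirected with STRICT:", audit(SAMPLES, STRICT))
```

Any request name that appears in the first list but not in the second is one the unescaped pattern leaves on plain HTTP unintentionally.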

Remember to modify Apache's configuration in the <Directory> block to allow everything to be overridden (AllowOverride All); otherwise the .htaccess file is ignored.

Enjoy!


If you are managing a farm of clusters with a common mission, for example a VoIP cluster or a web hosting farm, one of the hardest things is the repetitive management work. In a 100-server cluster environment, when an attacker hits one node, eventually that attacker will get to another node and continue the attack. One of the biggest exposures here is that usually (not always) a cluster's nodes share a common database. Once a working vulnerability is found on one node, it is just a matter of time before the other peers are hit.

With all this said, I will explain my approach to fixing this situation. By the end of this reading, you will understand how to have a proactively secured environment.


As I have already written, fail2ban is an excellent tool to fill the gap between layer 7 exposures and layer 3 controls. One of the most common configurations you will need to do is protecting SSH against brute-force attacks. Some security experts recommend moving SSH off port 22/tcp, but in my opinion, that is not a good idea. You are just filling one hole by digging a new one. Anyone can do a port scan with Nmap and find the new port.

Because of this, I will give a recipe here. Note that I have tested it without using the firewalld daemon.