Questions tagged [configuration]

  1. In computers and computer networks, a configuration often refers to the specific hardware and software details in terms of devices attached, capacity or capability, and exactly what the system is made up of.
  2. In networks, a configuration often means the network topology.
  3. In installing hardware and software, configuration is sometimes the methodical process of defining options that are provided.
157 questions
105 votes, 11 answers

Best practices for Apache Server hardening?

What are some best practices, recommendations, required reading for securing an Apache Server?
Eric Warriner
  • 3,251
  • 3
  • 24
  • 20
89 votes, 9 answers

Hardening Linux Server

We have already had questions on here about Hardening Apache, Hardening PHP and Securing SSH. To continue this trend I am interested in what steps people take to harden Linux servers. As in what steps do people always take when setting up a new…
Mark Davidson
  • 9,367
  • 6
  • 43
  • 61
53 votes, 2 answers

What are the main advantages of using LibreSSL versus OpenSSL

What are the main advantages of using LibreSSL vs OpenSSL? As I understood LibreSSL is a fork of OpenSSL: LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and…
Wilt
  • 833
  • 1
  • 9
  • 13
47 votes, 3 answers

Security implications of stolen .git/objects/ files

As a security in-charge, I just noticed that one of our production web apps was attacked by some hackers. The attacker accessed the .git/objects/ files. I already modified .htaccess to make .git and its content inaccessible. The attacker may get…
30 votes, 5 answers

What do I need to configure, to make sure my software uses /dev/urandom?

When setting up a server, what configuration changes do I need to make sure that all of the software uses /dev/urandom instead of /dev/random? Some servers don't have much entropy in the entropy pool (e.g., VPSs). If a software component uses…
D.W.
  • 98,420
  • 30
  • 267
  • 572
28 votes, 3 answers

Secure Configuration of Ciphers/MACs/Kex available in SSH

Following on the heels of the previously posted question here, Taxonomy of Ciphers/MACs/Kex available in SSH?, I need some help to obtain the following design goals: Disable any 96-bit HMAC Algorithms. Disable any MD5-based HMAC Algorithms. Disable…
John
  • 1,009
  • 3
  • 11
  • 16
28 votes, 2 answers

MySQL Server Hardening

Following the hardening theme.... What are some best practices, recommendations, required reading for securing MySQL.
Scott Pack
  • 15,167
  • 5
  • 61
  • 91
27 votes, 2 answers

Guidance for implementors of HTTPS-only sites (Server side)

The recent trend in HTTPS attacks is to attack the HTTP protocol. What should I do to increase my site's security if the only protocol I want is HTTPS? Some easy to implement ideas are Implement HTTPS Strict Transport Security Issue the…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
25 votes, 4 answers

Difference between hardening guides (CIS, NSA, DISA)

I'm researching OS hardening and it seems there are a variety of recommended configuration guides. I realize the different configuration providers supply different offerings per Operating System, but let's assume (for convenience) we're talking…
blong
  • 359
  • 1
  • 3
  • 9
20 votes, 5 answers

Where can I find a solid BURP tutorial?

I'm looking for a good resource for learning/configuring BURP. I understand the concepts behind using the framework, and have read the docs on the site, but if anyone has a solid tutorial link I would love to see it. I would've made this a wiki…
mrnap
  • 1,308
  • 9
  • 15
19 votes, 1 answer

Strict Transport Security -- max_age value

I've been wondering what max-age should the HTTP Strict Transport Security header have. Both paypal and lastpass sites leave it very low: 500 (seconds = bit over 8 minutes) market.android.com has it set much higher: 2592000 (seconds = 30 days). Do I…
Hubert Kario
  • 3,708
  • 3
  • 27
  • 34
19 votes, 6 answers

Is there a security risk running web apps in debug=“true”?

This is a copy of the original question on Stack Overflow which didn't get much love and is probably more relevant here: There are plenty of performance reasons why apps shouldn't be run in debug="true" mode (good rundown from Scott Gu), but are…
Troy Hunt
  • 3,930
  • 4
  • 19
  • 21
18 votes, 2 answers

Security Concerns with TCP Forwarding

Until now I've been setting TCP Forwarding in ssh always blindly to no but searching on the net, I have trouble finding out what the actual security threat is, when allowing it. The one thing I did find though was that the manpage states, it only…
user857990
  • 903
  • 1
  • 9
  • 21
14 votes, 1 answer

How to safely allow users to run arbitrary JVM code on a server?

I'm planning a service that will require allowing users to run arbitrary JVM code on a server. I'm planning to sandbox the code, but I know that the JVM has traditionally had security holes, which is why I want to explore other avenues. There are…
Ryan Kennedy
  • 461
  • 3
  • 9
14 votes, 2 answers

What is the best way to verify the SSL configuration of my web server?

How do I ensure I have my SSL configuration setup securely?
Tate Hansen
  • 13,714
  • 3
  • 40
  • 83