[ZendTo] Re: Hardening Zendto

Jules Jules at Zend.To
Wed May 25 12:55:16 BST 2011



On 24/05/2011 21:52, patrick.gaikowski at kaufland.com wrote:
>
> Hi,
>
> I'm preparing ZendTo for a penetration test and used some scanners like 
> Paros, Nikto ...
>
> 1.) deactivate X-Powered-By (the server sends the exact PHP version to the client)
>
> in php.ini --> expose_php = Off
>
> 2.) deactivate HTTP TRACE (used by security scanners for XSS)
>
> http://www.ducea.com/2007/10/22/apache-tips-disable-the-http-trace-method/
>
Thanks for those two. I will try to make sure they get into the 4.02 (or 
is it 4.03?) release of the ZendTo VM images.
>
>
> 3.) use mod_security as a module for Apache
>
Do I need this? It adds another level of complexity to things, unless 
there are yum and apt packages of it that I can just include. Do you 
know if there are?

Many thanks,
Jules.

>
> Mod_Security is an open source web application firewall with a lot of 
> preconfigured rulesets. Mod_Security prevents injections, XSS, 
> commands ... I played with mod_security and added a sample (not complete)
>
> # Response-body rules only work in phase 4 and need response body buffering
> SecResponseBodyAccess On
>
> # Prevents path disclosure for PHP fatal errors. PHP prints "Fatal error:" in
> # lower case (and wraps it in <b></b> when html_errors is on), so match the two
> # words case-insensitively; setting display_errors = Off in php.ini is the real fix.
> SecRule RESPONSE_BODY "(?i)fatal error" \
>     "phase:4,deny,status:500,log,auditlog,msg:'PHP Fatal Error blocked'"
> ErrorDocument 500 /security-error.php
>
> # Prevent security scanners from scanning the web application
> # (ModSecurity 2.x variable is REQUEST_HEADERS:User-Agent, not HTTP_User-Agent;
> # note that the "mozilla/4.0 (compatible)" and "internet explorer" alternatives
> # also match real Internet Explorer user agents)
> SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|Paro)s|internet explorer|webinspect|\.nasl)" \
>     "phase:2,deny,status:500,log,msg:'Request Indicates a Security Scanner Scanned the Site'"
>
> # Default action, inherited only by the rules that follow it. The redirect action
> # needs a 3xx status; 509 is not one and would be ignored in favour of 302.
> SecDefaultAction "phase:2,redirect:/security-error.php,status:302,log,auditlog"
>
> # Hides the web server signature (IIS, Apache ...); Apache must run with
> # ServerTokens Full so that ModSecurity sees the whole header to rewrite
> SecServerSignature "Hotzenplotz"
>
> # Root path
> SecRule REQUEST_URI "^/$" "phase:2,log,allow"
>
> # Needed for reCAPTCHA (as posted; REQUEST_URI holds the path of the request
> # that reaches this server, so this only matches requests carrying the full URL)
> SecRule REQUEST_URI "https://www.google.com/recaptcha/api/image$" "phase:2,log,allow"
>
> # PHP pages (dots escaped so "." does not match any character)
> SecRule REQUEST_FILENAME "^/security-error\.php$" "phase:2,log,allow"
> SecRule REQUEST_FILENAME "^/about\.php$" "phase:2,log,allow"
> SecRule REQUEST_FILENAME "^/verify\.php$" "phase:2,log,allow"
> ....
>
> The sample is not complete ...
>
> Best regards
>
> Patrick Gaikowski
> Tel:     +49 7132 94 3568
> Fax:    +49 7132 94 73568
> E-Mail: patrick.gaikowski at kaufland.com
> KI 967800 IT International / Infrastructure
> Office:
> Lindichstrasse 11
> D-74189 Weinsberg
>
>
> http://www.kaufland.de
> We are No. 1:
> Kaufland is "Best Grocery Store 2011"!
>
> Kaufland Informationssysteme GmbH & Co. KG
> P.O. Box 12 53 - 74149 Neckarsulm
> Limited partnership
> Registered office: Neckarsulm
> Register court: Amtsgericht Stuttgart HRA 104163
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
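The three disclosure checks discussed in this thread (X-Powered-By from expose_php, a versioned Server banner, and HTTP TRACE), verified from the scanner's side before the real penetration test. This is an added Python example, not code from the thread or from the ZendTo project. The raw HTTP responses, the host name zendto.example, and the live-mode command line are constructed for the example; the banner "Hotzenplotz" is the one from the posted SecServerSignature line.

```python
"""
Pre-pentest disclosure audit for a PHP-on-Apache host such as a ZendTo VM.

Added example; not part of ZendTo or the mailing-list post. It checks, from
the client side, the three points raised in the thread:
  1. X-Powered-By header (expose_php = Off removes it)
  2. a versioned Server banner (ServerTokens Prod / SecServerSignature hide it)
  3. HTTP TRACE (TraceEnable Off makes Apache answer 405 instead of echoing)
The raw responses below are constructed samples, not captures from a real host.
"""
import http.client
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: a default-looking, unhardened response to HEAD /
WEAK_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.15 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.3.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)
# Constructed sample: the same host after expose_php = Off and SecServerSignature
HARDENED_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Hotzenplotz\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)
# Constructed sample: TRACE enabled, Apache echoes the request as message/http
WEAK_TRACE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: zendto.example\r\n\r\n"
)
# Constructed sample: TraceEnable Off, Apache refuses the method
HARDENED_TRACE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>\r\n"
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def header_findings(headers: Dict[str, str]) -> List[str]:
    """Points 1 and 2 of the thread: version disclosure in response headers."""
    findings = []
    powered = headers.get("x-powered-by")
    if powered:
        findings.append(f"X-Powered-By discloses {powered!r}; set expose_php = Off in php.ini")
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):  # any dotted version number in the banner
        findings.append(f"Server banner discloses {server!r}; set ServerTokens Prod or SecServerSignature")
    return findings


def trace_enabled(status: int, headers: Dict[str, str], body: bytes) -> bool:
    """Point 3: TRACE is on when Apache answers 200 and echoes the request back."""
    echoed = body.lstrip().upper().startswith(b"TRACE ")
    return status == 200 and (headers.get("content-type", "").startswith("message/http") or echoed)


def audit(head_raw: bytes, trace_raw: bytes) -> List[str]:
    """Run every check on two raw responses: one to HEAD /, one to TRACE /."""
    _, head_headers, _ = parse_response(head_raw)
    findings = header_findings(head_headers)
    status, trace_headers, body = parse_response(trace_raw)
    if trace_enabled(status, trace_headers, body):
        findings.append("HTTP TRACE is enabled; set TraceEnable Off in the Apache config")
    return findings


def fetch_raw(host: str, port: int, method: str) -> bytes:
    """Issue one request and rebuild the raw response so the same parser is used live."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request(method, "/")
    resp = conn.getresponse()
    status_line = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode()
    header_block = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()).encode("iso-8859-1")
    return status_line + header_block + b"\r\n" + resp.read()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: python audit.py zendto.example [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        results = audit(fetch_raw(host, port, "HEAD"), fetch_raw(host, port, "TRACE"))
    else:  # offline demo on the constructed samples above
        results = audit(WEAK_HEAD, WEAK_TRACE)
    for line in results or ["no disclosure found"]:
        print(line)
```

Run it with no arguments to see the three findings on the constructed weak samples, or with a host name to test a real VM; an empty result on the hardened samples is what the Apache and php.ini changes from the thread should produce.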


