Default configurations of systems, including operating systems and Web servers, are mostly created to demonstrate and highlight their basic or most relevant features, not to be secure or protect them from attacks.
Some common default configurations that may compromise the security are the default administrator accounts created when the database, web server, or CMS was installed, and the default administration pages, default error messages with stack traces, among many others.
In this recipe, we will cover the fifth most critical vulnerability in the OWASP top 10, Security Misconfiguration.
httpd.conf
file (or the corresponding site configuration file):<Directory /var/www/phpmyadmin> Order Deny,Allow Deny from all Allow from 127.0.0.1 ::1 Allow from localhost Allow from 192.168 Satisfy Any </Directory>
This will first deny access from all addresses to the phpmyadmin
directory; second, it will allow any request from the localhost and addresses beginning with "192.168", which are local network addresses.
Talking about security and configuration issues, we are correct if we say "The devil is in the detail." The configuration of a web server, a database server, a CMS, or an application should find the point of equilibrium between being completely usable and useful and being secure for both users and owners.
One of the most common misconfigurations in a Web application is that there is some kind of a Web administration site accessible to all of the Internet; this may not seem such a big issue, but we should know that an admin login page is much more attractive to crooks that any web-mail as the former gives access to a much higher privilege level and there are lists of known, common, and default passwords for almost every CMS, database, or site administration tool we can think of. So, our first recommendations are in the sense of not exposing these administrative sites to the world and removing them if possible.
Also, the use of a strong password and changing those that are installed by default (even if they are "strong") is mandatory when publishing an application to the internal company network and much more so to the Internet. Nowadays, when we expose a server to the world, the first traffic it receives is port scans, login page requests, and login attempts; even before the first user knows the application is active.
The use of custom error pages helps the security stance because default error messages in Web servers and Web applications show too much information (from an attacker's point of view) about the error, the programming languages used, the stack trace, the database used, operating systems, and so on. This information should not be exposed because it helps us understand how the application is made and gives names and versions of the software used. With that information an attacker can search for known vulnerabilities and craft a more efficient attack process.
Once we have a server with its resident applications and all services correctly configured, we can make a security baseline and apply it to all new servers to be configured or updated and to the ones that are currently productive with the proper planning and change management process.
This configuration baseline needs to be continually tested in order to keep it improving and protected from newly discovered vulnerabilities consistently.
18.188.115.155