Search Results

Search found 15350 results on 614 pages for 'integrated security'.

Page 101/614 | < Previous Page | 97 98 99 100 101 102 103 104 105 106 107 108 | Next Page >

.htaccess redirect - Is it secure?

- by thecrandallster

This works; I'm not having trouble, but I want to be certain that this is bulletproof. I came up with a neat little .htaccess redirect, but I am not sure if it is secure; do you know? <IfModule mod_rewrite.c RewriteEngine On RewriteRule ^goto/([a-z]+)/?$ /$1/ [R] </IfModule I think as long as the server is configured correctly and the files handle authentication autonomously, then it shouldn't be a security issue. Also, being that the rewrite rule only works with characters a-z and one slash I doubt they could jump around directories by injecting stuff into the URL I think...

Read the article
How to make sure Windows PC is reasonably secure?

- by Coder

I'm not much of a network and network security expert, but I need to add an existing Windows PC to a network with always on connection. The problem is, I have no idea if the PC is really clean, and, actually, no knowledge to check it. I scanned the PC with Process Explorer to verify if all running processes are signed, ran an AVG scan, but this is where my knowledge ends. IIRC, there can be bad code attached to svchost or something, bad drivers, and so on, but I have no idea how to check all those things. Reformatting the PC is unfeasible as of now. Are there any suggestions on what I could do?

Read the article
Securing RDP access to Windows Server 2008 R2: is Network Level Authentication enough?

- by jamesfm

I am a dev with little admin expertise, administering a single dedicated web server remotely. A recent independent security audit of our site recommended that "RDP is not exposed to the Internet and that a robust management solution such as a VPN is considered for remote access. When used, RDP should be configured for Server Authentication to ensure that clients cannot be subjected to man-in-the-middle attacks." Having read around a bit, it seems like Network Level Authentication is a Good Thing so I have enabled the "Allow connections only from Remote Desktop with NLA" option on the server today. Is this acion enough to mitigate the risk of a Man-in-the-Middle attack? Or are there other essential steps I should be taking? If VPN is essential, how do I go about it?

Read the article
Why does mod_security require an ACCEPT HTTP header field?

- by ripper234

After some debugging, I found that the core ruleset of mod_security blocks requests that don't have the (optional!) ACCEPT header field. This is what I find in the logs: ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "example.com"] [uri "/"] [unique_id "T4F5@H8AAQEAAFU6aPEAAAAL"] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "example.com"] [uri "/"] [unique_id "T4F5@H8AAQEAAFU6aPEAAAAL"] Why is this header required? I understand that "most" clients send these, but why is their absence considered a security threat?

Read the article
McAfee VirusScan Enterprise or avast! Free?

- by Pieter

I currently have McAfee VirusScan Enterprise on my computer. This was preinstalled on my PC. (My university did a bulk laptop purchase so I got a sweet deal on my laptop. McAfee was one of the extras that were included.) Apparently, it's getting bad ratings from sites such as Virus Bulletin and AV-Test. Am I better off with avast's free antivirus? Is it worth considering avast! Internet Security? I currently have a three-year license for VirusScan Enterprise. I keep my software up to date using Secunia PSI and I don't click on any suspicious links.

Read the article
Hacking prevention, forensics, auditing and counter measures.

- by tmow

Recently (but it is also a recurrent question) we saw 3 interesting threads about hacking and security: My server's been hacked EMERGENCY. Finding how a hacked server was hacked File permissions question The last one isn't directly related, but it highlights how easy it is to mess up with a web server administration. As there are several things, that can be done, before something bad happens, I'd like to have your suggestions in terms of good practices to limit backside effects of an attack and how to react in the sad case will happen. It's not just a matter of securing the server and the code but also of auditing, logging and counter measures. Do you have any good practices list or do you prefer to rely on software or on experts that continuously analyze your web server(s) (or nothing at all)? If yes, can you share your list and your ideas/opinions?

Read the article
Enable file download via redirect in IE7

- by Christian W

Our application enables our customers to download files to their computer. The way I have implemented it is using asp.net with a dropdown. When the user clicks the dropdown they get the choice of "PDF","Powerpoint", and a couple of other choices depending on circumstances. Then, in postback depending on the choice the user made, it will return a file (changing the content-header and such and then bitbanging a file to the user). This works perfectly in all browsers, but IE7 complains that this is a security risk and blocks the download. Is there any way for the users to authorize downloads from our webapplication?

Read the article
Wordpress Automatic Updating/Installing Plugins Permissions

- by karmic

I am using the latest Wordpress and I have always had issues with the automatic updater. For the files in the wordpress directory, i set them to permission 770, and add the webserver user 'www-data' as the group owner. I use lighttpd. However, the automatic updating plugins or installing plugins does not work. It works if I chmod 777 the files or if I set the actual owner to the web server as well. What are the best permission settings for security while still allowing the updating feature to work properly in wordress? Also, by 'not work' i mean, it will go to the screen that asks me for FTP credentials when I try to update.

Read the article
Finding how a hacked server was hacked

- by sixtyfootersdude

I was just browsing through the site and found this question: My server's been hacked EMERGENCY. Basically the question says: My server has been hacked. What should I do? The best answer is excellent but it raised some questions in my mind. One of the steps suggested is to: Examine the 'attacked' systems to understand how the attacks succeeded in compromising your security. Make every effort to find out where the attacks "came from", so that you understand what problems you have and need to address to make your system safe in the future. I have done no system admin work so I have no idea how I would start doing this. What would be the first step? I know that you could look in the server log files but as an attacker the first thing that I would do would be errasing the log files. How would you "understand" how the attacks succeeded?

Read the article
I just got a linode VPS a week ago and I've been flagged for SSH scanning...

- by meder

I got a 32-bit Debian VPS from http://linode.com and I really haven't done any sort of advanced configuration for securing it ( port 22; password enabled ). It seems somehow there is ssh scanning going on from my IP, I'm being flagged as this is against the TOS. I've been SSHing only from my home Comcast ISP which I run Linux on. Is this a common thing when getting a new vps? Are there any standard security configuration tips? I'm quite confused as to how my machine has been accused of this ssh scanning.

Read the article
How can I set up VLANs in a way that won't put me at risk for VLAN hopping?

- by hobodave

We're planning to migrate our production network from a VLAN-less configuration to a tagged VLAN (802.1q) configuration. This diagram summarizes the planned configuration: One significant detail is that a large portion of these hosts will actually be VMs on a single bare-metal machine. In fact, the only physical machines will be DB01, DB02, the firewalls and the switches. All other machines will be virtualized on a single host. One concern that has been is that this approach is complicated (overcomplicated implied), and that the VLANs are only providing an illusion of security, because "VLAN hopping is easy". Is this a valid concern, given that multiple VLANs will be used for a single physical switch port due to virtualization? How would I setup my VLANs appropriately to prevent this risk? Also, I've heard that VMWare ESX has something called "virtual switches". Is this unique to the VMWare hypervisor? If not, is it available with KVM (my planned hypervisor of choice)?. How does that come into play?

Read the article
How can I flush my ssh keys on power management activity?

- by Sam Halicke

Hi all, Using ssh-agent and private keys per the usual. Everything's working as normal. My question regards best practices on flushing keys from ssh-add on activity like sleep, suspend, hibernate, etc. I thought about writing a simple wrapper around those commands, but then wondered if are they even called? Or does the kernel initiate this activity directly? Are the PM utilities strictly userland? I would like this additional layer of security beyond locking my screen, etc. and was wondering if anyone else had solved this elegantly or has best practices to recommend. Thanks.

Read the article
Microsoft Ergonomic Keyboards With Card Readers?

- by Steve

When I started working at my current job I developed tendinitis in my wrists. Luckily that cleared up when I started using a Microsoft ergonomic keyboard. The problem is that where I work is moving to more security. We will need to stick a card into a slot to log into our PCs. They bought a bunch of new keyboards with these slots built in. All regular keyboards. Is there something like the Microsoft Ergonomic keyboard that comes with such a card slot? Thanks.

Read the article
How can I use fetchmail (or another email grabber) with OSX keychain for authentication?

- by bias

Every fetchmail tutorial I've read says putting your email account password clear-text in a config file is safe. However, I prefer security through layers (since, if my terminal is up and someone suspecting such email foolery slides over and simply types "grep -i pass ~/.*" then, oops, all my base are belong to them!). Now, with msmtp (as opposed to sendmail) I can authenticate using the OSX keychain. Is there an email 'grabber' that lets me use Keychains (specifically the OSX keychain) or at least, that lets me MD5 the password? This is a duplicate of my unanswered question on serverfault. I've put it on superuser because I'm doing this on a personal computer (viz. with OSX) so it's more of a superuser question.

Read the article
Configuring SQL Server Management Studio to use Windows Integrated Authentication … from non-

- by Enrique Lima

Did you know you can pass your Windows credentials to SQL Server even when working from a workstation that is not joined to a domain? Here is how … From Start, then click All Programs, find Microsoft SQL Server (version 2005 or 2008). Once there, do a right-click on SQL Server Management Studio, then click on Properties Now, follow below to modify the entry for Target: Now the real task (we will be using the runas command) … Modify the shortcut’s target as follows, and remember to replace <domain\user> with the values that correspond to your environment : x64 SQL Server 2008 C:\Windows\System32\runas.exe /user:<domain\user> /netonly "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\binn\VSShell\Common7\IDE\Ssms.exe -nosplash" SQL Server 2005 C:\Windows\System32\runas.exe /user:<domain\user> /netonly "C:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\VSShell\Common7\IDE\SqlWb.exe -nosplash" x86 SQL Server 2008 C:\Windows\System32\runas.exe /user:<domain\user> /netonly "C:\Program Files\Microsoft SQL Server\100\Tools\binn\VSShell\Common7\IDE\Ssms.exe -nosplash" SQL Server 2005 C:\Windows\System32\runas.exe /user:<domain\user> /netonly "C:\Program Files\Microsoft SQL Server\90\Tools\binn\VSShell\Common7\IDE\SqlWb.exe -nosplash" Since we modified the shortcut, we will need to fix the icon for SSMS. We will fix it by pressing the Change Icon… button and pointing to the original “icon” providers. It is the executables for SSMS that hold the icon information, so we need to point to … x64 SQL Server 2008 %ProgramFiles% (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe SQL Server 2005 C:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\VSShell\Common7\IDE\SqlWb.exe x86 SQL Server 2008 %ProgramFiles%\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe SQL Server 2005 C:\Program Files\Microsoft SQL Server\90\Tools\binn\VSShell\Common7\IDE\SqlWb.exe When you start SSMS from a modified shortcut, you’ll be prompted for your domain password: SSMS will show up stating a different account in the username box, but the parameters from the configuration you are doing above do work and will pass on correctly.

Read the article
"This file came from another computer..." - how can I unblock all the files in a folder without having to unblock them individually?

- by Schnapple

Windows XP SP2 and Windows Vista have this deal where zone information is preserved in downloaded files to NTFS partitions, such that it blocks certain files in certain applications until you "unblock" the files. So for example if you download a zip file of source code to try something out, every file will display this in the security settings of the file properties "This file came from another computer and might be blocked to help protect this computer" Along with an "Unblock" button. Some programs don't care, but Visual Studio will refuse to load projects in solutions until they've been unblocked. While it's not terribly difficult to go to every project file and unblock it individually, it's a pain. And it does not appear you can unblock multiple selected files simultaneously. Is there any way to unblock all files in a directory without having to go to them all individually? I know you can turn this off globally for all new files but let's say I don't want to do that

Read the article
How to analyse logs after the site was hacked

- by Vasiliy Toporov

One of our web-projects was hacked. Malefactor changed some template files in project and 1 core file of the web-framework (it's one of the famous php-frameworks). We found all corrupted files by git and reverted them. So now I need to find the weak point. With high probability we can say, that it's not the ftp or ssh password abduction. The support specialist of hosting provider (after logs analysis) said that it was the security hole in our code. My questions: 1) What tools should I use, to review access and error logs of Apache? (Our server distro is Debian). 2) Can you write tips of suspicious lines detection in logs? Maybe tutorials or primers of some useful regexps or techniques? 3) How to separate "normal user behavior" from suspicious in logs. 4) Is there any way to preventing attacks in Apache? Thanks for your help.

Read the article
Jenkins projects not visible even though user has all privleges

- by Frank Rosario

We want to lock down Jenkins and specific jobs to certain personnel. I have my account with all global privileges granted with project based matrix security. A coworker has a similar account and has been granted all the same privileges. When I log in with my account, I can see all of the projects we have setup. When my coworker whom has the exact same privileges logs in, none of the projects are visible. I've double and triple checked the permissions matrix to make sure we have the same global privileges; we do. Some of the projects have project specific privileges setup as well, but again; I've confirmed that both of us have the same access to these projects as well. So why can I see all the projects and my coworker is unable to see any of the projects?

Read the article
how to separate a network for traffic

- by Student_CVO

At the moment our all computers in one big LAN, it is the intention to separate the admin and edu (it's in a school) especially for traffic and less for security. How do this best? I have a drawing, but can't post it (a can send it in a mail) Firewall?, VLAN?, IPCop (no two green zones)?, pfsense? ... Should there be two scopes on the dhcp server (WIN 2008 R2), one for admin and one for edu or is one scope enough? I would like your advice, I am a student in training with this task as a project. Thanks

Read the article
Integrated ads in phone apps - how to avoid wasting battery?

- by Jarede

Considering the PCWorld review that came out in March: Free Android Apps Packed with Ads are Major Battery Drains ...Researchers from Purdue University in collaboration with Microsoft claim that third-party advertising in free smartphone apps can be responsible for as much as 65 percent to 75 percent of an app's energy consumption... Is there a best practice for integrating advert support into mobile applications, so as to not drain user battery too much? ...When you fire up Angry Birds on your Android phone, the researchers found that the core gaming component only consumes about 18 percent of total app energy. The biggest battery suck comes from the software powering third-party ads and analytics accounting for 45 percent of total app energy, according to the study... Has anyone invoked better ways of keeping away from the "3G Tail", as the report puts it? Is it better/possible to download a large set of adverts that are cached for a few hours, and using them to populate your ad space, to avoid constant use of the Wi-Fi/3G radios? Are there any best practices for the inclusion of adverts in mobile apps?

Read the article
Concerns about a Dedicated (Windows Server 2008) + DDoS

- by TheKillerDev

I am have today a dedicated server with these specs: Intel Core i5 750, 2x120GB (ssd + raid), Windows Server 2008 Web, 200Mbps Network, 24 Gb DD3 And I would like to know what are the best thing I can do to prevent a DDoS Attack, since I know this will be a real threat by the importance of the files that will be archived in it. Today I have apache listening port 80 and RDC listening port 3389. But the security is beeing made only by Windows Firewall. So, any thoughts on what would be good to prevent from DDoS attacks?

Read the article
How can I create an Online compiler/Interpreter editor or is there any third party app that can be integrated? [on hold]

- by atjoshi

I am looking out for some solution where I can start developing an Online compiler/Interpreter editor. For Eg: http://code.hackerearth.com/5c4db5N Are there any third Party Pulgin Available or any way to do from scratch I am a PHP Dev. ? Looking for some possible hints how I can start with. Any link to good blog or tutorial. May be its not right place to ask this question but at least I can get best solutions here from experienced professionals. Thanks in advance

Read the article
Inexpensive degaussers or HDD shredders?

- by Nicholas Knight

I do a lot of work for a small cash-strapped business that has a lot of active hard drives, most are consumer-grade SATA of about five years of age, and predictably they are dying at an increasing rate, and a lot of the time they can't even be detected, let alone complete a zero-out cycle. Right now those drives are just being stored, but that can't continue forever. We've got a couple bad LTO tapes it'd be nice to deal with, too. There are very real security and legal issues that make dropping them off with someone who claims they'll be properly destroyed a gamble. I've looked around at degaussers and HDD shredders, and the ones that don't look like they come from some guy in his basement all seem to be $3000+, which is hard to swallow right now. Is there anything out there in the $500-1500 range that you would recommend? (Speed isn't a big issue, if it takes several minutes or even hours per drive, that's completely OK, we've only got 10 or so thus far.)

Read the article
Securing a persistent reverse SSH connection for management

- by bVector

I am deploying demo Ubuntu 10.04 LTS servers in environments I do not control and would like to have an easy and secure way to administer these machines without having to have the destination firewall forward port 22 for SSH access. I've found a few guides to do this with reverse port (e.g. howtoforge reverse ssh tunneling guide) but I'm concerned with security of the stored ssh credentials required for the tunnel to be opened automatically. If the machine is compromised (primary concern is physical access to the machine is out of my control) how can I stop someone from using the stored credentials to poke around in the reverse ssh tunnel target machine? Is it possible to secure this setup, or would you suggest an alternate method?

Read the article
Any problems with using a 301 redirect to force https traffic in IIS?

- by Jess

Is there any problem with using a 301 redirect to force all traffic to go to a secure-only site? We originally had redirect rules, but enforcing SSL-only seemed more secure. Here is how we set it up: Site 1: https://example.com/ Require SSL set Bound to 443 only Site 2: http://example.com Bound to 80 only Empty folder - no actual html or other data 301 Redirects to https://example.com This seems to work beautifully, but are there any issues with doing this? Would any browsers not recognize the 301 redirect, or could there be security warnings during the redirect?

Read the article

< Previous Page | 97 98 99 100 101 102 103 104 105 106 107 108 | Next Page >