What is the most up-to-date secure method for storing .ENV variables?

I am improving the security on my php website. I am not using any frameworks or cms. The credentials are currently stored in plain text in the relevant php files. While researching, I came across this question Why use .ENV? What’s wrong wi…

Which config files in a Linux install contain passwords or other secrets?

I’m trying to build a list of configuration files that store secrets in Linux. By secrets I mean files that contain passwords, database string connection, hashes etc. The most notable example is, of course, /etc/shadow. /etc/pki/* is also…

Continue Clean-up of Compromised SolarWinds Software

Last week, the United States Cybersecurity & Infrastructure Security Agency (CISA) advised on initial steps to take in response to the SolarWinds software that was compromised by advanced persistent threat actors. While federal agencies were under …

Why do router manufacturers tend to encrypt the router config even though it would be helpful if customers could view and modify it on the go? [closed]

If they are doing that to stop threat actors then they only halted the normal users … and if they are doing that to hide secrets and hard-coded passwords then they are only obstructing the pentesters and security researchers.
I can’t fi…

pfSense Firewall Configuration Audit with pfAudit

pfSense is a very popular free and open source firewall solution. It not only provides classic firewall services but also has plenty of features, such as a VPN server, and can offer DNS, DHCP, proxy services… and many more. pfSense is also offered by some companies as a commercial service with support.

The post pfSense Firewall Configuration Audit with pfAudit appeared first on /dev/random.


Shared Responsibility and Configuration Management in the Cloud: SecTor 2020

A number of high-profile data breaches have resulted directly from misconfigured permissions or unpatched vulnerabilities. For instance, the 2017 Equifax breach was the result of exploiting an unpatched flaw in Apache Struts allowing remote code execut…