Tag Archives: security

rpaf for apache

Today I scanned it.randomthemes.com with Acunetix,
and suddenly found that
/server-status is enabled with public access… WTF

/etc/apache2/mods-enabled # cat ./status.conf

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>

And part of nginx config

  proxy_set_header   Host             $host;
  proxy_set_header   X-Real-IP        $remote_addr;
  proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

Headers look OK…

DAMN! I JUST FORGOT TO INSTALL RPAF FOR APACHE :(

About Apache rpaf
It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. First, the remote client is actually a proxy that is defined in httpd.conf. Second, there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies; it then takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure. It also takes the incoming X-Host header and updates the virtualhost settings accordingly. For Apache2 mod_proxy it takes the X-Forwarded-Host header and updates the virtualhosts.
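
Why the status.conf rule above did not help: with nginx in front, every request reaches Apache from 127.0.0.1, so "Allow from 127.0.0.1" matches everyone until rpaf restores the real client address. The following Python model is an added example, not code from this post or from mod_rpaf; the trusted-proxy list, the client address 203.0.113.5 and the nginx_forward helper are constructed assumptions that mirror the configs shown here.

```python
import ipaddress

# Constructed sample values modelling the nginx -> Apache hop on this page.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}   # proxies rpaf is told to trust (the local nginx)
STATUS_ALLOW = {"127.0.0.1", "::1"}      # "Allow from 127.0.0.1 ::1" in status.conf
PROXY_ADDR = "127.0.0.1"                 # address nginx connects to Apache from


def nginx_forward(client_ip, client_headers):
    """Headers Apache receives after nginx applies the proxy_set_header lines.
    $proxy_add_x_forwarded_for appends $remote_addr to any incoming
    X-Forwarded-For, so the LAST entry is always the address nginx itself saw."""
    fwd = dict(client_headers)
    xff = client_headers.get("X-Forwarded-For")
    fwd["X-Real-IP"] = client_ip
    fwd["X-Forwarded-For"] = f"{xff}, {client_ip}" if xff else client_ip
    return fwd


def rpaf_client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Address other Apache modules see, following rpaf's two conditions:
    the TCP peer must be a known proxy AND it must send X-Forwarded-For;
    only then does the last entry of that header replace the peer address."""
    if remote_addr not in trusted:
        return remote_addr
    entries = [e.strip() for e in headers.get("X-Forwarded-For", "").split(",") if e.strip()]
    if not entries:
        return remote_addr
    try:
        return str(ipaddress.ip_address(entries[-1]))
    except ValueError:  # malformed entry: keep the real peer address rather than trust junk
        return remote_addr


def server_status_allowed(client_ip, client_headers, rpaf_enabled):
    """Evaluate 'Deny from all / Allow from 127.0.0.1 ::1' for a request that
    arrived through nginx, with or without mod_rpaf loaded."""
    headers = nginx_forward(client_ip, client_headers)
    seen = rpaf_client_ip(PROXY_ADDR, headers) if rpaf_enabled else PROXY_ADDR
    return seen in STATUS_ALLOW


if __name__ == "__main__":
    remote = "203.0.113.5"  # constructed external client address
    print("without rpaf:", server_status_allowed(remote, {}, False))  # True: /server-status is public
    print("with rpaf   :", server_status_allowed(remote, {}, True))   # False: rule now sees the client
    # A client cannot pre-populate X-Forwarded-For to pass the check: nginx appends the
    # address it actually observed, and that last entry is the one rpaf uses.
    print("with rpaf, pre-populated header:",
          server_status_allowed(remote, {"X-Forwarded-For": "127.0.0.1"}, True))  # False
```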

How to secure wipe file system

Before you cancel a rented dedicated server, it's good practice to securely wipe the disk drives. Reboot into the recovery console, and:
Use shred, Luke!

shred -n 0 -f -v -z /dev/sda