1 00:00:04,660 --> 00:00:10,580 In this lesson we'll discuss a few simple configuration tweaks to further secure your nginx server,
2 00:00:11,030 --> 00:00:17,150 and, with the focus of this course being on web-specific servers, we'll also cover some common configuration
3 00:00:17,150 --> 00:00:20,040 parameters to further secure your site.
4 00:00:20,210 --> 00:00:24,460 Before we begin I'll remove a few lines from the previous lessons:
5 00:00:24,540 --> 00:00:30,180 this limit zone and, a bit further down, the basic auth implementation.
6 00:00:31,210 --> 00:00:37,430 Save this and, over to the command line, reload the configuration, and with that done
7 00:00:37,440 --> 00:00:43,080 let's start adding those final few configurations to harden our nginx server.
8 00:00:43,120 --> 00:00:49,840 An obvious but often overlooked or neglected action is that of keeping all nginx's supporting software
9 00:00:49,870 --> 00:00:57,010 up to date. Vulnerabilities are discovered every day, and with nginx's use of many third-party libraries
10 00:00:57,070 --> 00:01:01,570 such as OpenSSL or even the GD image library,
11 00:01:01,570 --> 00:01:04,650 it's essential to keep these packages up to date.
12 00:01:04,750 --> 00:01:13,300 So with that said we can run apt-get update to first update all of apt's repos and sources.
13 00:01:13,420 --> 00:01:20,680 Then, with those all fetched, upgrade all existing packages with apt-get upgrade,
14 00:01:22,250 --> 00:01:24,890 for which you might get a few of these prompts.
15 00:01:24,890 --> 00:01:27,710 I'll just keep locally modified versions.
16 00:01:28,870 --> 00:01:30,930 And done, an easy task.
17 00:01:30,940 --> 00:01:34,700 Then, also, when working with a custom build of nginx,
18 00:01:34,720 --> 00:01:40,720 another worthwhile step here would be checking your version of nginx and seeing, from the nginx
19 00:01:40,750 --> 00:01:42,110 changelog,
20 00:01:42,280 --> 00:01:48,550 if there's any critical update worth recompiling nginx for, which we've covered a few times throughout
21 00:01:48,550 --> 00:01:49,670 the course.
22 00:01:49,720 --> 00:01:55,970 Now, when the nginx changelog reflects an important security fix or something of that nature,
23 00:01:56,020 --> 00:02:02,170 this will of course only affect prior versions, meaning that malicious users could target your server
24 00:02:02,440 --> 00:02:08,710 based on its version number. To get nginx's version number remotely, then, is as simple as doing a
25 00:02:08,710 --> 00:02:16,540 curl request for the headers, like so. Enter, and there we have it: version 1.13.10,
26 00:02:16,870 --> 00:02:19,380 as per this version on the command line.
27 00:02:19,420 --> 00:02:25,240 So hiding this is definitely good, as it certainly doesn't benefit us having the version in the response
28 00:02:25,240 --> 00:02:33,190 headers. Over to the configuration and, right at the top here in the http context, set server_tokens
29 00:02:33,220 --> 00:02:39,040 off. Easy as that. Save and reload.
30 00:02:40,290 --> 00:02:42,750 Perform the same curl request again,
31 00:02:42,860 --> 00:02:46,550 and now we only get "nginx" without that version.
32 00:02:46,700 --> 00:02:52,550 The next addition is one of the less nginx-specific configurations but nonetheless important for
33 00:02:52,550 --> 00:02:55,810 web content: X-Frame-Options.
34 00:02:55,820 --> 00:03:00,640 In short, this will prevent malicious users embedding your site into their own,
35 00:03:00,770 --> 00:03:03,590 in what is typically known as clickjacking.
36 00:03:03,590 --> 00:03:06,520 To demonstrate, I'll create a new file on my computer,
37 00:03:06,530 --> 00:03:08,630 so not on the server.
38 00:03:08,720 --> 00:03:15,490 I'll set this to be recognised as HTML in my editor and add a basic HTML structure.
39 00:03:15,560 --> 00:03:21,840 Call this page "origin test", with this HTML page now acting as the malicious site
40 00:03:21,860 --> 00:03:30,920 trying to clickjack my server. Then, in the body, add an iframe linking to my server's IP, so the demo
41 00:03:30,920 --> 00:03:31,910 site.
42 00:03:32,240 --> 00:03:34,390 Give this some dimensions.
43 00:03:34,610 --> 00:03:35,690 Save.
44 00:03:37,720 --> 00:03:40,240 And I'll open this file in my browser.
45 00:03:42,340 --> 00:03:47,730 There, the iframe loads index.html from my server without any issue.
46 00:03:47,870 --> 00:03:53,170 Now, whilst you might very well want third-party websites to be able to embed your content via an
47 00:03:53,170 --> 00:04:00,940 iframe, it's certainly never a good idea when your site contains any user-specific pages such as logged-in
48 00:04:00,940 --> 00:04:03,370 pages, profiles, etc.
49 00:04:03,670 --> 00:04:10,720 So to tell the browser to not allow this, then, we can add a simple header to our server responses in
50 00:04:10,720 --> 00:04:11,970 the server context.
51 00:04:12,100 --> 00:04:22,570 So, applying to all requests, add_header X-Frame-Options SAMEORIGIN, meaning only if the domain
52 00:04:22,600 --> 00:04:26,060 embedding the content matches that of the content itself
53 00:04:26,050 --> 00:04:28,220 allow this. Save.
54 00:04:28,980 --> 00:04:30,560 Reload nginx.
55 00:04:31,860 --> 00:04:34,120 And now when I reload this page...
56 00:04:34,170 --> 00:04:34,760 Nothing.
57 00:04:34,800 --> 00:04:43,380 We get this blank iframe. Open the developer tools console, reload again, and there we have it, an error:
58 00:04:43,830 --> 00:04:45,090 load denied.
59 00:04:45,090 --> 00:04:49,450 Our server does not permit cross-origin framing or embedding.
60 00:04:51,010 --> 00:04:59,260 Along with that header we can also add X-XSS-Protection, or cross-site scripting protection, setting
61 00:04:59,310 --> 00:05:07,150 it to 1, which is on, and the mode to block, telling the browser that if it detects cross-site scripting
62 00:05:07,360 --> 00:05:09,340 to disable loading the page.
63 00:05:09,490 --> 00:05:14,600 So just a couple of additions to help secure your content once it's left the server.
64 00:05:15,430 --> 00:05:19,600 The next and final improvement is removing unused or dangerous
65 00:05:19,600 --> 00:05:26,980 nginx modules. By default nginx gets compiled with a few built-in modules, of which some we might
66 00:05:27,010 --> 00:05:31,530 never use and others even posing potential security risks.
67 00:05:31,720 --> 00:05:38,530 So, as with adding modules to a build, we can also remove default modules, with the added benefit of reducing
68 00:05:38,530 --> 00:05:44,380 the installation size and requiring nginx to load less code. In my home directory here
69 00:05:44,380 --> 00:05:50,500 I still have the original source code, so change into that. Running, as before,
70 00:05:50,530 --> 00:05:57,070 in the current directory, configure with the --help flag to see a list of configuration parameters and
71 00:05:57,070 --> 00:05:59,670 modules that are available to compile.
72 00:05:59,710 --> 00:06:06,640 But notice that some of these flags state "without" rather than "with", as we've seen when adding modules,
73 00:06:07,180 --> 00:06:13,560 these all being modules that will be added by default, and to not have them pulled into nginx
74 00:06:13,600 --> 00:06:15,270 we can use these flags.
75 00:06:15,460 --> 00:06:23,650 I'll filter to only those: the same configure command again, using grep to only see "without". There are quite a
76 00:06:23,650 --> 00:06:24,330 few.
77 00:06:24,490 --> 00:06:30,970 You definitely want to be careful here not to remove any modules, but for example a prime candidate for
78 00:06:30,970 --> 00:06:35,330 removal would be this http_autoindex_module.
79 00:06:35,410 --> 00:06:41,650 This allows nginx to respond to a directory request with the contents of that directory, not something
80 00:06:41,650 --> 00:06:44,190 we ever want for a public-facing website.
81 00:06:44,410 --> 00:06:48,930 So to rebuild nginx without this module, then, copy that flag.
82 00:06:49,270 --> 00:06:53,600 Get the current configuration with nginx's capital -V flag.
83 00:06:54,460 --> 00:07:02,800 Run configure in the source directory again, paste the --without-http_autoindex_module flag we copied, and
84 00:07:02,830 --> 00:07:09,640 add the existing configuration to that, like so. This now allows us to reconfigure our source code
85 00:07:09,910 --> 00:07:15,890 to exclude the autoindex module and follow the usual make and make install steps.
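The directives spoken in the lesson, collected into one configuration fragment as an added example (this is not the course's own file, and the server_name, root path and listen port are placeholders). It also adds a Content-Security-Policy frame-ancestors directive, which is not in the lesson: current browsers ignore X-XSS-Protection, and frame-ancestors is the modern equivalent of X-Frame-Options, so both are set side by side. The `always` parameter makes nginx send the headers on error responses as well, not only on 2xx/3xx.

```nginx
# Added example, not from the lesson. Values marked placeholder are assumptions.
http {
    # Removes the version from the Server header and from nginx error pages,
    # so `curl -I` shows "Server: nginx" only.
    server_tokens off;

    server {
        listen 80;                 # placeholder
        server_name example.com;   # placeholder
        root /var/www/html;        # placeholder

        # Clickjacking defence: only pages from the same origin may frame this site.
        add_header X-Frame-Options SAMEORIGIN always;

        # Modern equivalent of X-Frame-Options (not in the lesson); 'self' == same origin.
        add_header Content-Security-Policy "frame-ancestors 'self'" always;

        # Legacy XSS filter as the lesson sets it; 1 = on, mode=block stops page rendering.
        # Modern browsers ignore this header, so it is kept only for older clients.
        add_header X-XSS-Protection "1; mode=block" always;

        location / {
            index index.html;
        }
    }
}
```

After `nginx -t` and a reload, `curl -sI http://127.0.0.1/` should print `Server: nginx` with no version and list the three added headers. Note that `add_header` directives are not inherited by a `location` block that declares its own `add_header`; if a location sets any header, repeat all three there. The rebuild step in the lesson (`./configure <arguments from nginx -V> --without-http_autoindex_module`, then `make` and `make install`) is independent of this file and removes directory listings at compile time.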