Locking down Apache Web Server

Written by  on July 23, 2009

I was just looking through a security audit of some sites, and half of the complaints include “the ability for people to know your underlying technology”. For those who are using Apache 1.3 or above (and using a distro that has configuration files in /etc/httpd/conf.d), you will find this solution helpful. Simply create a file called /etc/httpd/conf.d/0-security.conf with the below content:

ServerSignature Off
ServerTokens Prod
TraceEnable Off
<Directory />
    <LimitExcept POST GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

Save it, restart httpd and you are “more” protected… a few notes:

  1. This assumes that your application will only use GET, POST or HEAD. If your application is fancy (or you don’t know your app), then you might want to get rid of the LimitExcept directive.
  2. If your application (or application container such as PHP, Python or Java) generates additional HTTP headers that identify its technology, then you might want to use mod_headers to strip them.
  3. Anyone with an ounce of network knowledge would know that you can figure out the underlying technology by probing at the TCP layer (nmap with the OS fingerprinting option is very handy). So don’t let auditors fool you – you can’t hide unless you have a security device in front of your servers that removes traces of OS “uniqueness” at layer 3.
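A quick way to confirm the configuration above actually took effect is to audit the response headers the server sends back. The script below is an added example, not part of the original post: it parses a raw HTTP response head, flags the headers that commonly reveal the stack (a Server header carrying a version or OS string, X-Powered-By and friends) and checks whether a TRACE request still gets a 200 instead of the 405 that TraceEnable Off produces. The sample responses embedded in it are constructed for illustration; in practice you would paste in the output of `curl -sI http://host/` and `curl -sI -X TRACE http://host/`.

```python
import re

# Response headers that commonly reveal the server stack. Constructed list
# for this example; extend it for your own platform.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A version number, a "/" (product/version) or a "(" (OS or module list) in
# the Server header means ServerTokens is not at Prod.
VERSION_RE = re.compile(r"\d+\.\d+|[/(]")


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers):
    """Return (header, value) pairs that disclose the technology stack."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        # A bare product name such as "Apache" is what ServerTokens Prod emits;
        # only flag Server when it carries version or OS details.
        if name == "server" and not VERSION_RE.search(value):
            continue
        findings.append((name, value))
    return findings


def trace_enabled(trace_status):
    """TraceEnable Off makes Apache answer TRACE with 405; a 200 means TRACE still works."""
    return trace_status == 200


def audit(get_response, trace_response):
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    _, headers = parse_response(get_response)
    trace_status, _ = parse_response(trace_response)
    findings = ["%s header discloses: %s" % (n, v) for n, v in audit_headers(headers)]
    if trace_enabled(trace_status):
        findings.append("TRACE method accepted (status 200); set TraceEnable Off")
    return findings


# Constructed sample responses: a default install versus one using the
# 0-security.conf settings from the post.
BEFORE_GET = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n\r\n"
)
BEFORE_TRACE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6\r\n"
    "Content-Type: message/http\r\n\r\n"
)
AFTER_GET = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)
AFTER_TRACE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, get, trace in (("before", BEFORE_GET, BEFORE_TRACE),
                              ("after", AFTER_GET, AFTER_TRACE)):
        print("%s hardening:" % label)
        for finding in audit(get, trace) or ["no disclosure found"]:
            print("  -", finding)
```

Where the audit flags X-Powered-By after the Apache side is clean, the leak comes from the application container rather than httpd; that is the case for mod_headers (`Header unset X-Powered-By`) or for turning the header off in the container itself.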

Nokia N97 – you are finally here…

Written by  on July 5, 2009

One of the great joys of being a gadget guy is to shamelessly spend money on shiny new gadgets… so on a whim (and impulse), I searched high and low to find my beloved Nokia N97 and sourced it from a store in Mississauga. Here are my first impressions:

  • The box: simple, elegant, relatively compact, and “mostly” environmentally friendly (bonus points here – the box is black and without the plastic shine, and still looks sleek… remember, the person just paid over $700 for an expensive electronic toy)
  • Phone: surprisingly light and solid. The keyboard slide movement is smooth and without any creaking noise – it feels like closing the car door of an expensive luxury automobile rather than a Chrysler K-Car! However, the battery door is purely plastic and prying it open to put in the battery is not a fun experience. If you use too much force, you’ll break every plastic tab from the cover, rendering your phone backless.
  • The power-on: it’s Series60 – what more can I say. You have to embrace the fact that you are booting up a computer rather than a phone. If you expect the phone to power up and be able to dial a number in 10 seconds – give up on owning a smartphone right now! (On a side note: if you think you have powered off your BlackBerry by clicking on the icon on your home screen – you are sorely mistaken. That power off is merely a suspend to save power – it doesn’t shut down the phone. You are better off pulling the battery out.)
  • Guided setup and first impressions: Finally Nokia paid attention to the finer details of the whole-phone experience. I must say it rivals the G1 in terms of ease-of-use. I plugged my SIM card into the phone, powered on, and within a minute I had a working phone. They even loaded all the useful software (such as Nokia Maps with all the maps, Facebook, Reuters, and a Guitar Hero imitation) into it so I don’t have to hunt it down on the Ovi Store – which I’ll get to in my gripes in a second.
  • Overall: if you are a Nokia fanboy like myself, then this is the ultimate phone! It’s the most speedy Nokia phone yet, and it does everything an iPhone, Palm Pre, and G1 will do – and then some.

My gripes about the N97

  • Ovi – Who is running the Nokia marketing department? Good concept, terrible name, and badly executed. The Ovi Store is often down (or not accessible if you are not using your 3G connectivity), the prices are in Euro (I know, this is a European company with their user base in Europe), and the browsing app is not snappy at all. They should take a page from Apple iTunes App Store or BlackBerry App World and build a usable app. What got me more upset is that I have to download and install Ovi Store app initially – another 500KB of over the air download.
  • Web browser – great, you now show me a full-screen experience, but some very important features take too many screen taps to access. For example – to go to the previous web page, you have to click on the “show menu” icon at the bottom right, click the “back” button, and then click on the “select” button. I just want to go back to the last page – is it so difficult to ask for? Also, you’ll notice that your browser will mysteriously quit (probably due to running out of memory or a browser crash) – it happens to the iPhone Safari browser too, but the frequency is a bit too high (about once every 40 pages or about 10-15 minutes of web browsing).
  • E-mail – when will Nokia give us a native HTML viewer for e-mails? (It’s nice that you can click on the HTML attachment to see the message, but it’s not right.)

I still love this phone – and it will take a lot for me to switch to the next good phone. Though my HTC Dream is being shipped this week, as part of my renegotiation efforts with Rogers (and lowering my bill by $50/month). Anyone want a brand new HTC Dream?