Setting Up Apache Web Server With Secure HTTP

Incorporating the use of Secure Socket Layer (SSL) library is straight forward with Apache web server.  This is the library I always use for all of my Apache web servers installations.  From one robust open source software to another, they’re a perfect fit.  They make deployment quick and easy.  Here’s are the steps for Apache HTTP and OpenSSL:

Compilation

Assuming the OpenSSL installation in /usr/local/ssl, the Apache web server source code compilation will require the configure option:

–enable-ssl –with-ssl=/usr/local/ssl

I use the following:

./configure –prefix=/usr/local/apache2 -enable-ssl –with-ssl=/usr/local/ssl

Then just run:

make install

On Unix platforms like Solaris and Linux, the configure and compilation should work without a hitch.

Configuration

Go to the configuration directory and edit the httpd.conf file (in my example /usr/local/apache2/conf) and uncomment this line:

include conf/extra/httpd-ssl.conf

Then proceed to the /usr/local/apache2/conf/extra directory and edit the httpd-ssl.conf:

  1. Specify the machine’s IP address to “listen” on port 443.  Specifying an IP address is useful if the machine has multi-homed (multiple IPs configured).
  2. Ensure the Signed SSL Certificate is on this machine.  Store it in /usr/local/apache2/conf/www.website.com.cert pathname.  It can be anywhere that’s accessible from the web server level.
  3. The SSL key for the host needs to be available also, and stored in the same /usr/local/apache2/conf directory.
  4. For the <VirtualHost> tags, edit the _default_ with the IP address, and may look something like this:

<VirtualHost IPAddressNum:443>

ServerName www.website.com

SSLEngine On

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile “/usr/local/apache2/conf/www.website.com.cert”
SSLCertificateKeyFile “/usr/local/apache2/conf/www.website.com.key”

<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>

<Directory “/usr/local/apache2/cgi-bin”>
SSLOptions +StdEnvVars
</Directory>

BrowserMatch “.*MSIE.*” \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog “/usr/local/apache2/logs/ssl_request_log” “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”

</VirtualHost>

References

Further options and settings for SSL are available from the Apache.org site:

Got Hacked?

Green Lock (via Flickr)The talk around Twitter right now is the phishing scam via Direct Message, as reported by many including Read Write Web, Mashable, and Chris Pirillo.  The victims include Twitter accounts for Barack Obama, Fox News, Britney Spears, and Rick Sanchez of CNN.   Getting their Twitter account hacked is a potential public relations nightmare.  The bait was a simple message to direct recipients to a fake Twitter login page, and enters their Twitter passwords.  Unsuspecting users went ahead and entered their information.  A similar trick was done in e-mail for the longest time using pages that looked like E-Bay, PayPal, or a banking site.

I get similar complaints with the websites that I maintain.  What can server administrators do to figure out who’s behind these attacks?   Here are the steps I take:

  1. Ask the business or customer when the suspecting hack happened.  Find out the exact date and time, if possible.
  2. Comb through the web server logs to find the IP addresses of the hackers using the date and time range reported by user.  For example, in Apache HTTPD, the file is normally called “access_log”.
  3. Most hackers try multiple times, in quick successions.   In this case, running through web logs through an analyzer like Webalizer or Awstats will reveal the IP address with the most hits, within a specified time range.
  4. Find out who the IP belongs to using tools like dig or nslookup.
  5. Report the offending IP address to the Internet Service Provider (ISP) as indicated by the lookup tool.  It can be done via email to postmaster@<isp.name> or abuse@<isp.name>.
  6. Depending on the severity, a fax or a phone call to the ISP may be required.  This is usually done when the hacking continues and there’s no indication of the ISP intervention to stop it.
  7. Start using the web server IP filtering features to blacklist the offending IPs.  For example, in Apache it can be done via Deny directive for doc-root in httpd.conf or .htaccess file.
  8. For known hackers’ IP addresses, make it permanent by blacklisting them in the firewall or router level.

Users do get complacent with their username/password.  They type (or even share!) passwords to others without thinking twice.  With more and more sites requiring a login, it’s easy to forget about checking the legitimacy of the page presented on the web browser.  Proactively, the web applications need to be modified to prevent login hacking such as:

  • Using Secure Socket Layer (SSL)   With SSL, most phishing sites will not bother with it because of the cost involved.  If logins are not done securely, users need to be extra careful.
  • Using OpenID, the open standards user login.  A site needs to be registered with OpenID to be able to use this service.  This removes the guesswork if the site is legitimate or not.

Hopefully the word is out for both users and web developers, to do whatever is required to secure login passwords.

Image Credit: Ashenzil

Business Use for Twitter

I’ve been using Twitter for a while now, and I’ve used it mainly to connect with friends, bloggers, and geeks alike. Although it’s not ubiquitous, it is slowly becoming more and more popular among celebrities, scholars, politicians, and journalists. As more people are starting to spotlight Twitter, it’s inevitable the marketplace is also starting taking advantage of it. Businesses are starting to pay attention to it. There are successful companies on Twitter, such as Zappos, South West Airlines, and Comcast. However, since Twitter is such a new medium, most companies don’t know where or how to start.

I maintained marketing web sites for more than 11 years. I learned the process a company must do to succeed in marketing their product on the Internet. Twitter’s approach to product marketing is fundamentally similar to a web site promotion, with a few unique differences:

Preparation

  1. Have management, or executive level approval. It will serve as an insurance, or a due dilligence, if you will, in case something goes wrong and the finger-pointing starts.
  2. Form a social media committee. Choose the right people to handle Twitter updates. If possible, choose folks who understand Internet Social Media.
  3. Set an engagement policy. Everyone’s must be clear on what information (and when) to share with the public.
  4. Have direct lifeline to the support teams, both technical and business, to escalate difficult questions. These questions need not be handled on Twitter, but can be taken offline via phone, or e-mail.

Execution

  1. Create a professional looking Twitter profile. Update the Twitter profile’s background picture to include company logos, or brand images.
  2. Twitter updates (or tweets) must contain only useful information. Tweets must have value. A good example is OC Register’s @ocreggie. They hand picked the articles posted on Twitter. The human attention to detail is important.
  3. Start slow, and not rush into getting thousands of followers right away. Followers will come when they see the company’s updates are important to them.

The above are steps in the right direction for a business to adopt Twitter as its new communication and customer service tool. There are other suggestions on how companies can succeed with Twitter. There are also questions to ask if Twitter is right for corporations.  Either way, when business takes Twitter seriously, it will reap the benefits, and work out the disadvantages. As long as it focuses on providing creative and valuable information, using Twitter is going to feel natural and easy.