greenace92

Members, 250 posts
Everything posted by greenace92

  1. I redownloaded the site2 certificate; I still get that error message. The error does say "server could not prove ... site2 ... certificate is from site1". I'm not sure why that is? I downloaded the file again; maybe it is the key file? Can I place/specify a certificate outside of the directory /etc/ssl/certs? Site1 uses /etc/ssl/certs but site2 uses /etc/ssl/certs/site2. Maybe it doesn't go to the secondary folder? I'll try to place it all in the same folder, as well as checking the key file. Well, the keys are different and I moved the files to /etc/ssl; I will now check if the certificates are the same. I'll be danged, the chain files are the same, how did that happen? So I was just told that since they are "PositiveSSLs" they both have the same chain file...? At the moment I'm still getting the same problem.
  2. I don't understand what you mean by "accessible online"? I specified different directories for each SSL certificate/chain/key file; will check again.
  3. Wow, this is great guys, thanks a lot. So much to learn and implement for a secure web experience. I appreciate the new information; I will look into this more and will more than likely be back with more questions. I am concerned in this case about session hijacking, as jacques1 mentioned. So I really have to know what the purpose of the web application is and cover all bases regarding potential attacks. I am hesitant to use any open source XSS filters; nothing against them, nor am I skeptical, I guess it goes back to being stubborn. I want to do it myself, which doesn't make sense given my lack of knowledge and experience. Concurrent connections sounds bad, although I do it a lot, for example opening ssh/FileZilla on multiple computers. Not comparing these to the risk of browser logins, but I was really oblivious to this thought up till now, as I would allow my websites to log in more than once using the same account.
  4. I get the standard "This connection is not trusted" in Firefox; Chrome says something regarding trust and https is in red and crossed out. I have this under technical details, which doesn't make sense? site2.com uses an invalid security certificate. The certificate is only valid for the following names: www.site.us, site.us. Maybe I used the wrong chain file? I'm not sure why one version works and not the other; perhaps I did put the wrong file in the certificate directory. However, the working version with www shows the right domain name when clicking on the green lock. When I perform a curl test over ssh using curl -v -v -v https://site2.com (not sure why three -v's) I get "SSL: no alternative certificate subject name matches site2.com"; the https://www.site2.com version works and returns the index page. I'm not sure why the SSLs would be different, but if they are, based on what I have indicated, then I will ask the provider why they are different. The SSLs I'm using are the $9.00 ones from Namecheap. How do I show the certificates to you?
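A check for the symptom in the post above, added here as an example (not the poster's code and not from the thread): it connects to each hostname with SNI, captures the certificate the server actually presents, and reports whether that hostname is covered by the certificate's CN or subjectAltName, which is the same information curl -v prints about the server certificate. site2.com and www.site2.com are the thread's placeholder names; the port, timeout and the one-label wildcard rule are assumptions.

```php
<?php
// Added example, not the poster's code. Fetch the certificate a server presents for a given
// hostname (with SNI) and check whether that hostname is one of the names the certificate carries.

function fetch_server_certificate(string $host, int $port = 443, bool $sni = true): array
{
    // verify_peer is off on purpose: the point is to inspect whatever the server sends,
    // including a certificate issued for a different name.
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'SNI_enabled'       => $sni,
        'peer_name'         => $host,
    ]]);
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect to $host:$port failed: $errstr ($errno)");
    }
    $params = stream_context_get_params($fp);
    fclose($fp);
    return openssl_x509_parse($params['options']['ssl']['peer_certificate']);
}

// Names the certificate is valid for: the subject CN plus every DNS entry of subjectAltName,
// which openssl_x509_parse() returns as a string like "DNS:www.site.us, DNS:site.us".
function certificate_names(array $parsed): array
{
    $names = [];
    if (isset($parsed['subject']['CN'])) {
        $names[] = $parsed['subject']['CN'];
    }
    if (isset($parsed['extensions']['subjectAltName'])) {
        foreach (explode(',', $parsed['extensions']['subjectAltName']) as $san) {
            $san = trim($san);
            if (stripos($san, 'DNS:') === 0) {
                $names[] = substr($san, 4);
            }
        }
    }
    return array_values(array_unique($names));
}

// Exact match, or a one-label wildcard: *.site2.com covers www.site2.com but not site2.com.
function name_matches(string $host, string $pattern): bool
{
    $host    = strtolower($host);
    $pattern = strtolower($pattern);
    if ($host === $pattern) {
        return true;
    }
    if (strpos($pattern, '*.') === 0) {
        $suffix = substr($pattern, 1);                       // ".site2.com"
        $rest   = substr($host, 0, -strlen($suffix));        // label(s) before the suffix
        return substr($host, -strlen($suffix)) === $suffix
            && $rest !== '' && $rest !== false && strpos($rest, '.') === false;
    }
    return false;
}

function certificate_covers(string $host, array $names): bool
{
    foreach ($names as $name) {
        if (name_matches($host, $name)) {
            return true;
        }
    }
    return false;
}

foreach (['site2.com', 'www.site2.com'] as $host) {
    $names = certificate_names(fetch_server_certificate($host));
    printf("%-16s cert is for: %-40s %s\n", $host, implode(', ', $names),
        certificate_covers($host, $names) ? 'OK' : 'MISMATCH');
}
```

If the non-www name reports MISMATCH while the www name reports OK, the server is answering the two requests from different virtual hosts, and the names printed are exactly those the browser's "only valid for the following names" message lists. Calling fetch_server_certificate($host, 443, false) shows what a client that sends no SNI gets, which on Apache is the certificate of the first *:443 virtual host.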
  5. but the first one that works for both domain variants has the same ssl type as the second one which doesn't work? How do you explain that?
  6. I actually think I got it to work, I just wasn't sure. There was a weird problem of one domain version working and not the other. This is my virtual host setup at the moment, and the two port 443 blocks are identical, yet the first one works while the second one has problems. Specifically, the form https://site2.com throws an SSL error in the browser but the https://www.site2.com version is fine. My SSL certificates cover both forms of the domain, www and non-www.

         # ServerName and ServerAlias are matched against the Host / SNI name, so they take
         # bare hostnames. "ServerAlias https://site2.com" can never match a request for
         # site2.com, and an unmatched name is served by the first *:443 vhost (and its
         # certificate). The ca-bundle is the intermediate chain, which is what
         # SSLCertificateChainFile is for; SSLCACertificateFile is for verifying client certs.
         <VirtualHost *:443>
             ServerName www.site1.us
             ServerAlias site1.us
             DocumentRoot /var/www/html
             # CustomLog
             # ErrorLog
             <IfModule mod_ssl.c>
                 SSLEngine on
                 # SSLStrictSNIVHostCheck on
                 # (this is to redirect from second site not working to first site)
                 SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
                 SSLCertificateFile      /etc/ssl/certs/www_site1_us.crt
                 SSLCertificateKeyFile   /etc/ssl/certs/www_site1_us.key
                 SSLCertificateChainFile /etc/ssl/certs/www_site1_us.ca-bundle
             </IfModule>
         </VirtualHost>

         <VirtualHost *:443>
             ServerName www.site2.com
             ServerAlias site2.com
             DocumentRoot /var/www/html/site2
             # CustomLog
             # ErrorLog
             <IfModule mod_ssl.c>
                 SSLEngine on
                 SSLCertificateFile      /etc/ssl/certs/site2/site2_com.crt
                 SSLCertificateKeyFile   /etc/ssl/certs/site2/site2_com.key
                 SSLCertificateChainFile /etc/ssl/certs/site2/site2_com.ca-bundle
                 SSLProtocol All -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
             </IfModule>
         </VirtualHost>
  7. Caught red handed haha. I get that. Know what you are doing.
  8. I'm researching XSS at the moment. I read about stolen sessions. I don't understand how you would implement a stolen session; isn't this generally hard-coded in PHP? How do you submit that to the website as if the website created that itself, or would it be used, say, in an injection attempt where the user is valid? In this case, should I not use account names/usernames for session IDs, because these are seen in public, say from posts, and then they could be attempted as valid session IDs? I guess in this case I would have to generate session IDs that expire at a certain time and renew.
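The mechanics the post asks about, added as an example (not the poster's code and not from the thread). A PHP session ID is an opaque random token that PHP generates and the browser returns in a cookie; the username and login state live in $_SESSION on the server, keyed by that token, so the ID is never derived from the account name. Stealing a session means obtaining that cookie value (for example via script injected into a page reading document.cookie) and presenting it from another browser, so the code below keeps the cookie away from scripts, rejects IDs the server did not issue, changes the ID at login and expires idle sessions. The users table (id, username, password_hash), the 30-minute idle limit and the function names are assumptions.

```php
<?php
// Added example, not the poster's code. Server-side session handling in plain PHP:
// the cookie carries only a random ID; identity lives in $_SESSION on the server.

function start_secure_session(): void
{
    // Cookie attributes: HttpOnly keeps document.cookie (an XSS payload) from reading the ID,
    // Secure keeps it off plain HTTP, SameSite=Lax keeps most cross-site requests from sending it.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_start();

    // Idle timeout (assumed policy: 30 minutes). An old stolen cookie stops working by itself.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > 1800) {
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = $now;
}

// Assumed schema: users(id, username, password_hash) with password_hash from password_hash().
function log_in(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Privilege level changes here, so issue a fresh ID: whoever planted or learned the
    // pre-login ID cannot ride it into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $username;
    return true;
}

// Who the server believes is logged in; this is never read from the cookie or from a form.
function current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Usage is start_secure_session() at the top of every page, then log_in($pdo, $_POST['user'], $_POST['pass']) on the login form and current_user() wherever a page needs to know who is asking. Nothing in the URL or the page body ever contains the session ID, so nothing a visitor can see in a post or a profile can be replayed as one.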
  9. It seems that adding this at the bottom of the execute line makes the insertion process take at least 10 seconds or more. Not sure why that is.

         $stmt->closeCursor();
         $stmt = null;
         $pdo = null;
         sleep(60);   // pauses the script for 60 seconds before it ends

     Currently this is what I have, but it is not inserting any data, despite the submission going through without errors.

         <?php
         /*
         if (extension_loaded('pdo')) {
             echo "The PDO extension is loaded.";
         } else {
             echo "The PDO extension is not loaded.";
         }
         if (extension_loaded('pdo_mysql')) {
             echo "The PDO extension for mysql is loaded.";
         } else {
             echo "The PDO extension for mysql is not loaded.";
         }
         */
         // mysqli_report() only affects mysqli, not PDO, so it is left out.
         error_reporting(E_ALL);
         ini_set('display_errors', '1');

         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             $errors = [];
             // error check
             if (empty($_POST['entry'])) {
                 $errors['entry'] = "You haven't written anything.";
             }

             if (empty($errors)) {
                 $entry    = $_POST['entry'];
                 $date     = (new DateTime())->format('m-d-y h:i');   // raw date
                 $views    = 0;
                 $relate   = 0;
                 $comments = 0;

                 // connection info
                 $dbusername = ' ';
                 $dbpassword = ' ';
                 // PDO's default error mode is silent, so a failed INSERT reports nothing;
                 // ERRMODE_EXCEPTION makes every database error visible.
                 $link = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', $dbusername, $dbpassword, [
                     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                 ]);

                 // id is left out so the AUTO_INCREMENT column assigns it;
                 // binding '' as PDO::PARAM_INT is not a valid integer value.
                 $stmt = $link->prepare(
                     'INSERT INTO entries (entry, date, views, relate, comments)
                      VALUES (:entry, :date, :views, :relate, :comments)'
                 );
                 $stmt->bindParam(':entry',    $entry,    PDO::PARAM_STR);
                 $stmt->bindParam(':date',     $date,     PDO::PARAM_STR);
                 $stmt->bindParam(':views',    $views,    PDO::PARAM_INT);
                 $stmt->bindParam(':relate',   $relate,   PDO::PARAM_INT);
                 $stmt->bindParam(':comments', $comments, PDO::PARAM_INT);
                 $stmt->execute();
             }
         }
         ?>

     missed entry in entries(id...
  10. I'm not sure if I am missing something here; I've looked over a lot of threads regarding PDO and SQL-injection prevention. Do I need to use bindParam or does PDO do this? This is an example from an entry:

          <?php
          // execute() belongs to the statement returned by prepare(), not to the PDO object
          $stmt = $db->prepare('SELECT * FROM table WHERE foo = ?');
          $stmt->execute(['content']);
          ?>

      But there is no bindParam line? In my particular purpose, I am simply trying to insert data. These are my insert attempts at the moment, most recent at the top. Right now it is not working, but this is the thought that I have, to use bindParam... I'm new to PDO so I'm trying to be certain that I get it right.

          <?php
          // the DSN had "$dbname=$dbname" and the password variable was misspelled
          $link = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbusername, $dbpassword);
          // column list, placeholder count and bound values must all agree (six each)
          $statement = $link->prepare(
              'INSERT INTO entries (id, entry, date, views, relate, comments) VALUES (?, ?, ?, ?, ?, ?)'
          );
          $statement->execute([$id, $entry, $date, $views, $relate, $comments]);
          ?>

          <?php
          $dbh = new PDO('mysql:host=localhost;dbname= ', ' ', ' ');
          $sth = $dbh->prepare('INSERT INTO table VALUES (?, ?, ?, ?, ?, ?)');
          // bind_param('issiii', ...) is mysqli; PDO binds one placeholder at a time, 1-based
          $sth->bindValue(1, $id,       PDO::PARAM_INT);
          $sth->bindValue(2, $entry,    PDO::PARAM_STR);
          $sth->bindValue(3, $date,     PDO::PARAM_STR);
          $sth->bindValue(4, $views,    PDO::PARAM_INT);
          $sth->bindValue(5, $relate,   PDO::PARAM_INT);
          $sth->bindValue(6, $comments, PDO::PARAM_INT);
          $sth->execute();
          $sth->closeCursor();
          $sth = null;
          $dbh = null;   // the connection variable is $dbh; $pdo was never defined
          sleep(60);
          ?>

      I also ran across a problem about closing the mysql/php process, but I also read that after the script completes the connection is closed right away. So I'm wondering about that as well regarding the null and sleep lines. Thanks for any help.
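An added example (not the poster's code and not from the thread) of what a prepared statement does with placeholders: the SQL text and the values travel to the driver separately, so execute() with an array is enough, and bindParam/bindValue is only for choosing a type or binding a variable by reference. It uses an in-memory SQLite database so it runs without a MySQL server; the entries table mirrors the thread's columns, the hostile inputs are constructed, and the function names are assumptions.

```php
<?php
// Added example, not the poster's code. Placeholders versus string-built SQL, side by side,
// on an in-memory SQLite copy of the thread's `entries` table (needs the pdo_sqlite extension).

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on every error instead of failing silently (PDO's default mode).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // For MySQL also pass PDO::ATTR_EMULATE_PREPARES => false so the server, not the client,
    // separates SQL from values; SQLite never emulates.
    $pdo->exec('CREATE TABLE entries (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        entry    TEXT    NOT NULL,
        date     TEXT    NOT NULL,
        views    INTEGER NOT NULL DEFAULT 0,
        relate   INTEGER NOT NULL DEFAULT 0,
        comments INTEGER NOT NULL DEFAULT 0
    )');
    return $pdo;
}

// Safe: the values are never part of the SQL text, so no quoting or escaping is needed here.
function insert_entry(PDO $pdo, string $entry): int
{
    $stmt = $pdo->prepare('INSERT INTO entries (entry, date) VALUES (:entry, :date)');
    $stmt->execute([':entry' => $entry, ':date' => date('Y-m-d H:i:s')]);
    return (int) $pdo->lastInsertId();
}

// Safe: positional placeholder, bound by execute(); the int is sent as a value, not spliced in.
function find_entry(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT entry FROM entries WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['entry'];
}

// Unsafe counterpart, kept only to show the difference: the input becomes SQL.
function find_entry_unsafe(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT id, entry FROM entries WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
$hostile  = "'); DROP TABLE entries; --";            // constructed hostile input
$firstId  = insert_entry($pdo, 'first post');
$secondId = insert_entry($pdo, $hostile);

// With placeholders the hostile text is stored as data: the table still exists and the
// text comes back byte-for-byte.
var_dump(find_entry($pdo, $secondId) === $hostile);

// With string-built SQL the same kind of input changes the query: a lookup of one id
// becomes a dump of every row.
var_dump(count(find_entry_unsafe($pdo, (string) $firstId)));
var_dump(count(find_entry_unsafe($pdo, "$firstId OR 1=1")));
```

The only things placeholders cannot carry are identifiers and keywords (table names, column names, ORDER BY direction); those have to be chosen from a fixed whitelist in code, never taken from the request.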
  11. I haven't gotten this to work. One thing that I'm not sure about: the openssl.conf file has its own SSLProtocol directive and I'm supposed to declare directives within the virtual hosts, so should I remove/uncomment the directive in the openssl.conf file? I think I'm supposed to have two openssl.conf files with two websites protected by separate SSL certificates. So far one website works, the other gives me a warning. Can anyone shed some light on this? Thanks
  12. Man, late again, alright oh man... account and password combination hhhhhh haha. I guess at the very least these accounts/passwords are for forums, not really sensitive material.
  13. I figured it out; I had recently made apache2.conf immutable via chattr +i, so I did chattr -i. Now I'm having problems with Apache starting, whooo. I purged it and re-installed.
  14. I just wanted to add to this, relevant, I think: I locked apache2.conf, as I can't seem to save any changes. I think I may have used chmod go-rwx. I am root and I can't modify apache2.conf; what does that imply? Could it be the user/group which I changed to www-data?
  15. I ran across this website where you enter your email/account and it tells you whether or not you have been "pwned". Apparently my username has been "pwned", e.g. was exploited or is vulnerable somehow. One of the places that came up was PHP Freaks. I'm wondering if PHP Freaks was hacked at all to get user account information? See the attached image where I checked my email at the site. The site is not shown in the image. I guess if this is true, PHP Freaks was hacked in October 2015.
  16. I've been messing around with security both through apache2.conf and an .htaccess. Right now if I try to visit my domain I am greeted with a Forbidden 403 message. I thought this was because of the Options -Indexes set in .htaccess, but I commented it out, saved .htaccess and restarted the server. I set the initial <Directory> options to the default settings and I'm still getting the 403 Forbidden message. Any idea what I'm missing / what to check?
  17. I have to go over your response in more depth. Not sure if I follow "up top" when you say that.
  18. I'm going to use the ones defined by the distro; not sure why go with the latest as you mentioned. Thanks for your reply.
  19. I was informed that iptables-persistent was replaced by netfilter-persistent Thank you for the response.
  20. Well, I'll give that a shot; hopefully "it" chooses the latest version. I'm wondering if this will also install openssl as a "prerequisite". Yeah, it installed, wow, this was so much easier; I don't know what prompted me to think that this was not the case. Thanks. Latest is 2.4.17, default installed 2.4.10; wonder if that has to do with stability, or should I have specified which version to install? Tried to install the latest by doing apt-get install Apache2=2.4.17-deb8u3. Says "Version '2.4.17-deb8ue' for 'apache2' not found." Maybe 2.4.10 is the best I can get at this point; not sure how detrimental that .17 is.
  21. Can you accomplish both by paginating separately and then using one viewing page? So the indexing/SEO is not affected by the viewer, as they are separate; the viewer just pulls files to be viewed.
  22. I'm working on securing my Debian 8 server and I have the option of setting up iptables or the firewall as implemented by my server provider. I intend to do both, but I am wondering if it is redundant to do both. At any rate, I was following along this blog here: bencane.com/2012/09/iptables-linux-firewall-rules-for-a-basic-web-server/ for iptables rules. At first I update my server, then I install iptables-persistent, although I later realized I should install it after having modified iptables, which I have determined comes as a loadable kernel module, mentioned in this thread's answer number 2: http://superuser.com/questions/813323/iptables-module-ip-tables-not-found-for-root

      Anyway, I can't do this command to save: # /etc/init.d/iptables-persistent save. For one, the iptables-persistent folder is located in /usr/share/doc/; I don't think that it is supposed to be a folder, rather a script file. Inside the /usr/share/doc/iptables-persistent folder is changelog.gz. I'm not sure what is going on. I save the rules by doing dpkg-reconfigure iptables-persistent. Verifying by cat /etc/iptables/rules.v4, I see that the rules are there; I have just rebooted to see if the changes are actually saved/implemented at boot. If someone can shed some light on this subject.

      Regarding the ports, I think that there are a lot, right? I mean I saw one port with a beginning number of 3000. If someone could just do a brief rundown on ports / which ones are of concern. So far I have 20, 21 as FTP, 22 SSH, 80 and 443 web server, then there was talk of the port mysql uses, 3036? Then there was mention of anything above 1024 being not for root users... I'm not sure, kind of overwhelmed about which ports to use and which ones to block. Thanks for any help.
  23. Apache isn't included in my vps. The old version 2.2 used to be included in Debian 7 but even that no longer has Apache installed by default, I'm using Debian 8.