This is how you turn off directory list for yr Tomcat server.

1. Edit the default servlet in the {$CATALINA_HOME}/conf/web.xml file.

2. Look for the <init-param> section within the <servlet section>

<servlet>
<servlet-name>default</servlet-name>
<servlet-class>
org.apache.catalina.servlets.DefaultServlet
</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>

3. Change the <param-value> to false for the <param-name>listing</param-name> section.

<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>

Its sometimes necessary to limit who has access to a server via SSH. Most Linux security hardening checklist today require this to be enforced.

Fortunately this can be easily done with openSSH. Just edit the /etc/ssh/sshd_config file and add the desired directives shown below. You don’t need them all, just use what suits you needs.

openSSH provides 4 directives, AllowUsers, AllowGroups, DenyUsers and DenyGroups

AllowUsers buddy john doe
Only users buddy, john and doe will be able to log in via ssh.

AllowGroups sysadmin bkpadmin
Only users within groups sysadmin and bkpadmin will be able to log in via ssh.

DenyUsers rambo tina
This is the opposite of AllowUsers. All users except for rambo and tina will be able to log in via ssh.

DenyGroups hr payroll
This is the opposite of AllowGroups. All groups except for hr and payroll will be able to log in via ssh.

Firefox 2.0.0.13 has just been released. It fixes a few security issues.

XUL popup spoofing variant (cross-tab popups)
Java socket connection to any local port via LiveConnect 2008-17
Privacy issue with SSL Client Authentication
HTTP Referrer spoofing with malformed URLs
Crashes with evidence of memory corruption (rv:1.8.1.13)
JavaScript privilege escalation and arbitrary code execution

If the auto update does not work for you, download the latest Firefox.

Source: Mozilla | Mozilla Security Advisories

Beware, I received a phishing attempt today claiming that HSBC is carrying out it’s regular maintenance work and needs me to update my profile.

Always remember, banks never send us emails with action items.

Continue Reading ->

My DC operation guys access Linux servers on a daily basis but somehow they never remember to log out. This is a security risk as anyone could gain access to the open console and create caos.

Today, yet again I’m forced to play the bad guy by dummy proofing my Linux servers by implementing default timeout for user sessions.

Bash and Korn both support the TMOUT variable which I will use to set the default timeout.

The etc/.bashrc file will apply the timeout system wide but if you need it to be user specific then modify the ~/.bashrc file instead.

Here’s how it’s done.

echo "TMOUT=300 >> /etc/bashrc

echo "readonly TMOUT" >> /etc/bashrc

echo "export TMOUT" >> /etc/bashrc

Log off, start a new session and wait for 5 minutes. Your session should terminate