Linux servers can now be infected - Or can they ?

Linux gurus have always vouched on the safety and security of Linux - especially Linux running as servers. However, now after a developer named Denis Sinegubko has published his findings, they may just have to ponder over their words.

According to Denis, the Linux servers can be infected to be used in a botnet used to distribute malware.  The modus operandi of attack is as follows :

1. The bots target a domain name and inject a hidden <iframe> code in one of the web pages on the website pointing to the domain. 
2. The hidden iframe will contain link(s) pointing to web sites that host malicious content. 
3. These bots also infiltrated Linux web servers (mostly running nginx) and set up sites by using 100s of domain names registered on free dynamic DNS hosting providers such as dynDNS.com and no-IP.com.
4. When they set up sites, they invariably used the less checked 8080 port instead of the default port 80. 

Read the details of Denis Sinegubko's finding here.

Update your Linux Kernel in real time without rebooting your machine

When ever Ubuntu updates the Linux kernel to a more recent version, I have to go through the rigmarole of rebooting my machine for the changes to take effect. While for a home user, it may not be such a big thing, while running Linux in critical situations, it may not always be feasible to reboot the server each time the kernel gets updated because running applications have to be stopped, and daemons have to be terminated for the reboot to take place - which inevitably leads to loss of time and inconvenience to others.

Enter a new technology called Ksplice.

The Ksplice service called Uptrack will update the Linux kernel in your system while it is running without disrupting your operations or requiring a reboot.

Christopher Smart has written an in depth article on Ksplice where he dwells on the advantages of running the Uptrack service on your machine. Currently, the Ksplice Uptrack service is available for Ubuntu 9.04 aka Jaunty Jackalope.

Domain name theft - how it is done and steps to prevent it

Let's say you have a sudden insight on a name which is apt for your website and you wish to register this name as a domain name. You fire up your web browser and visit any one of the innumerable sites which help in checking if this particular domain name is available or not and to your absolute delight, nobody has yet registered your domain name.

So you decide to register it as soon as you can take time ... perhaps tomorrow because today you have an official deadline to meet. And the next day when you try to register the same domain name, you find to your dismay that it has already been snapped up by somebody else. How did this happen ? Was this a case of bad luck ? Maybe not. You may be the victim of a rogue company which has picked up your name after they intercepted your search the previous day. In effect the person or entity which has registered your domain name has stolen your domain research. The act of typing the domain name in the wrong place may allow these squatters to register the domain before you.

Jay Westerdal of domaintools.com has written an insightful piece on various precautions you can take while searching for your domain name prior to registering it. These steps help to a certain extent in mitigating domain name theft even before you have laid your hands on it.

Review : EnGarde Secure Linux

There are hundreds of Linux distributions targeting a diverse sets of users. While quite a number of these Linux distributions - especially the main stream ones - position themselves as a universal solution to all your Linux expectations, there are some of them which take a specialist role of one form or other, catering to a specific set of Linux users.

One such specialized Linux distribution which is targeted specifically at servers is the EnGarde Secure Linux. As the name indicates, this Linux distribution lays stress on the security aspect because servers should by default be secure out of the box. And EnGarde Secure Linux goes the extra length and pulls all stops to make sure the server is indeed secure. More on that later.

EnGarde Secure Linux is released by its parent company Guardian Digital in two forms - one is the Community edition which is available for free download and the other is the commercial Professional edition. The community edition of EnGarde is full featured, secure and is built entirely from open source and it contain many of the capabilities of the Professional edition. Guardian Digital claims they have over 500 corporate clients across USA, Canada and the rest of the world who use EnGarde Secure Linux.

I decided to install the Community edition of EnGarde Secure Linux on my machine and take it for a spin.

One of the unique aspects of EnGrade Secure Linux is that it ships with only those packages that are absolutely necessary to function as a server. So you won't find software such as a X Windows server or other desktop utilities which is expected in any normal Linux distribution. But EnGarde ships with the necessary databases, web server, mail server and DNS server and you can configure EnGarde to function as any of those or all of them.

Installation of EnGarde Secure Linux

Installation of EnGarde Secure Linux is as such, a trouble free affair and is achieved via its text based installer. On the other hand if you are just interested in trying it out, that is also possible because the ISO also functions as a LiveCD and you can try out all the features that EnGarde has to offer without installing it on your hard disk.

Basically, These are the steps I had to go through in installing EnGarde on my machine.

Fig: Booting from the CD-ROM Check out all of them

Fig: Decide on the partitioning scheme.Check out all of them

• Change root and webTool password - this is applicable only if you are using EnGarde as a LiveCD.
• Decide on whether you want DHCP or static networking
• Choose between running EnGarde in installation or LiveCD mode - Here I chose Installation mode as I wanted to install it on my machine.
• Choose the language - English is default.
• Decide on the partitioning of your hard disk. Here there are two choices. One is the automatic one where the installer will create the necessary partitions (usually /,/var and /home). And the other option is manual where you can decide to partition your hard disk as per your requirement. But either way, it is not possible to dual boot between OSes if you are installing EnGarde on your machine as it wipes out your whole disk. So backup your data before you proceed with your installation - you have been warned. I chose automatic partition option here.
• Decide on the type of hard disk - whether IDE or SCSI.
• Choose the packages - The packages are broadly classified into 6 sections namely Databases, DNS, Firewall, Mail services, Network Intrusion Detection and Web services. I selected all the packages and pressed OK and the installer started copying all the files to the hard disk.
• Next I had to configure the network card and provide information such as the IP address, netmask, the default gateway and the network address.
• Then it prompted me to provide a fully qualified domain name for my machine.
• Lastly I had to enter the IP address of the primary and secondary name server.
  

That was it. EnGarde secure Linux was now fully installed on my machine.

By default around 220 packages are bundled with EnGarde and using the versatile webTool you can also install an additional 300 or so packages all of them cherry picked for use at the server end. EnGarde is available for i686 and x86 64 bit architectures and uses RPM packages managed by apt-get.

Security aspect of EnGarde secure Linux
Engarde implements security by following a number of rules.

1. It locks down the box at the Host level by implementing a number of features such as TCP wrappers, implementing restricted user rights globally and running SELinux policies in enforcing mode.
2. At the network level, EnGarde ships with a plethora of network tools which allow a system administrator to analyse the security level of his machine and take preventive measures. EnGarde ships with a unique webTool through which you can do any and all system administration tasks from a remote location including rebooting or shutting down the server. This means that after installation, you can safely place the server in a locked room and not worry about its physical security.
3. Up to date security patches of software are released on a regular basis (more like every month) enabling system administrators to plug any security holes in the server software they run. This is automated to a certain level via the Guardian Digital Secure Network (GSDN). And you are prompted to register and create a GSDN account (for free) - it is not an option.
   

Webtool in Engarde Secure Linux

At the end of installation, you are notified that the most preferred way of administering the Linux box is via a web browser using the address https://<engarde-linux-ip-address>:1023/.

I initially typed the address but missed the 's' in 'https' and was flummoxed but later figured out my mistake and correctly typed the address. That is right, the web tool is accessed via secure http (using SSL).

You log in to the webTool using two different passwords depending on whether you are using EnGarde as a LiveCD or if you have installed it on a machine.

For LiveCD :
The login name is 'admin' and the password is the root password you set while booting the EnGarde Linux CD.

When Installed :

The login name is 'admin' and the password is "lock&%box". And the first time you log into the admin section, you are confronted with an initial configuration screen.

Here the first thing you are prompted to do is register for a GSDN account which is free. EnGarde Secure Linux makes use of the GSDN account to provide up to date automated security fixes to your server. Then specify (or rather change) the root and webTool password, specify the NTP servers as well as your geographic location and lastly fine tune the services you would require to run on your remote server.

Fig: WebTool main page
More screenshots of webtool interface

The web interface can be viewed in three languages at present namely English, Spanish and Italian with work going on to support more languages.

WebTool is the pivot with which you can effectively administer the system remotely from within a web browser.

I was really amazed at the things you can achieve from within the web tool. For instance, you can manage users, manage database servers, manage the web server (Apache), implement DNS, view all the security logs updated in real time, manage mail servers, enable and disable system level services, enable and configure firewall, even run most of the security tools such as Snort bundled with EnGarde and view their output in the web browser. In short the web tool is a one stop shop for troubleshooting and managing your server from a remote location. A very powerful interface indeed.

I can already see the possibilities where choosing EnGarde Secure Linux at the server end could circumvent some hardware limitations. Here is a scenario - Say you are interested in hosting a website on a VPS (Virtual Private Server) account. Now a days, it is possible to get a VPS account for as low as $7/month. While the price is equivalent to any shared hosting price, there is a catch which is that, at that low price, the memory (RAM) allocated to your virtual machine is not more than 64MB and the % of CPU cycles allocated is also limited. You can't possibly run CPanel or Plex in this account as they require at least 256 MB memory be allocated to your server to function efficiently. Since the webTool is integrated with EnGarde Secure Linux and does not utilize much memory, EnGarde turns out to be a viable alternative solution to an automated server not to speak of the importance it gives to security and performance.

To sum up, I found EnGarde Secure Linux to be a unique blend of a robust Linux server topped up with loads of security features coupled with a very powerful webTool which aids in administering the server remotely, all from within a web browser.

Cracking a 13 digit alphanumeric password in 160 seconds

The story might seem right out of science fiction. But it is true, with the rapid steep increase in computing power, it is now possible to crack a password from its encrypted state much more quickly with the aid of right kind of tools.

Jeff Attwood writes to indicate that he was able to crack a 13 digit alphanumeric password - the password in question is "Fgpyyih804423" - in just 160 seconds. For the cracking, he made use of an open source tool called Ophcrack - which is a Windows password cracker based on Rainbow tables.

A Rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plain text password from a password hash generated by a hash function. For example in Linux you can store your password encrypted using MD5 or the more powerful SHA1 and SHA256. I may add that while installing Debian, Mandriva or Open SuSE, the installer asks whether you want to encrypt your password in MD5 or the more powerful SHA encryption. Choose SHA because MD5 can be easily broken....

To see your passwords in hash form in Linux, just log in as 'root' and view the /etc/shadow file.

So what this open source tool called Ophcrack does is it uses the rainbow tables to crack the passwords (thankfully only Windows passwords) in real time. They have released a LiveCD based on SlaX Linux distribution which can be used to automate the process to a large extent. The ophcrack developers claim the liveCD cracks passwords automatically, no installation necessary, no admin password necessary (as long as you can boot from CD)- so there.

While Jeff does make it sound scary, with the right precautions, Rainbow password cracking can be made useless. Thomas Ptacek a security expert explains some of the secure password schemes and the precautions you can take to secure your machine from a remote attack based on Rainbow tables.

Is it possible to hack into a gmail address ? - Really scary

Who doesn't have a gmail id now a days ? In my honest opinion, I am yet to discover a more user friendly web mail host. Gmail is non-intrusive, provides all the advanced and usable features such as POP3, mail search and much more.

But recently at a Black Hat security convention, Robert Graham, the CEO of errata security, surprised attendees by hijacking a Gmail session on camera and reading the victim’s email. He went even further by demonstrating the attack by taking over another journalist’s Gmail account and then sending emails from that account. Really scary.

So how do you protect yourself from somebody sniffing your email while it is in transit and then hacking into your gmail account ? There is one way to make it much harder for sniffing your mails. That is by sending and receiving mails using Gmail's SSL feature. SSL stands for Secure Sockets Layer and is used to provide secure data transfer across the web, for instance ecommerce sites use SSL to transmit your credit card details. Google provides the SSL feature for gmail and all it takes to enable SSL in Gmail is by typing the address https://mail.google.com instead of http://mail.google.com. Make note of the 's' in 'https'. What this does is instead of encrypting only the username and password, Gmail encrypts the whole mail session and this makes it possible to transfer your mails in a secure manner.

So the next time you decide to log on to your gmail account, use https instead of http and you will be fairly safe from getting your mail sniffed in transit.

Howto: Build an selinux policy the Red Hat enterprise way

Red Hat / Fedora has now got GUI tools to help edit and create SElinux policy files. And it is much more simpler to create a custom selinux policy in Red Hat Enterprise Linux.

In this detailed article, Dan Walsh gently walks you through the policy module creation process.

A lot of people think that building a new SELinux policy is magic, but magic tricks never seem quite as difficult once you know how they’re done. This article explains how to build a policy module and gives you the step-by-step process for using the tools to build your own.

Read more on a step by step guide to creating an selinux policy module explained by Dan Walsh.

Update: Also check out this PDF presentation on Managing Red Hat Enterprise Linux 5 which also contain information on SELinux.

SSH tutorial for Linux

SSH stands for Secure SHell. This is similar to telnet but with the difference that while telnet sends all your data including your password as plain text across the network, SSH sends everything in encrypted format. This means that it is well impossible to snoop at your data or passwords while it is in transit across the Internet or network.

Over a period of time, I have written a couple of articles on this blog related to SSH. Today I came across a very well written tutorial on using SSH by Mark Krenz. He explains the concept of SSH, generating public private encryption keys, forwarding an X11 session on top of SSH, TCP forwarding, SOCKS5 proxying and so on. A very good article worth spending ones time to read.

Related articles:

• How to setup SSH keys and why ?
• SSH - Secure SHell explained
• Integrating SSH in GNU/Linux

How to find out if your Linux machine has been hacked ?

It is very rare that your Linux PC which you use as a Desktop will get compromised especially if you do not run any services like a web server, mail server and so on. More over many modern Linux distributions like for example Ubuntu, targeted at the end user ship with all the ports closed by default. And others like PCLinuxOS bundles with it a robust firewall. So it makes the job of an intruder all the more harder to crack into your machine.

But suppose after all the precautions you take, some resourceful cracker succeeds in finding a loophole and hacks into your machine, how do you detect that your machine has been compromised in the first place?

Lars has written a step-by-step process by which he ascertains that a Linux server run by his friend has been compromised by an intruder. His findings throw light on what you can expect and the steps to take when you are suspicious of getting your machine rooted.

The server was running a fairly updated Ubuntu 6.06 LTS. He goes on to conclude that the compromise could have been caused by :

1. An exploit unknown to the public.
2. A user accessing this server from an already compromised host. The attacker could then sniff the the password.
   

Read this very interesting article which throws some light on the actions of a hacker.

ClamAV gets acquired by Sourcefire

Remember ClamAV the free anti-virus solution released under a GPL licence ? A long time back, I had written an article on how to install and use ClamAV anti-virus software in Linux which you might find interesting.

Well, ClamAV just got acquired by Sourcefire. Sourcefire claim themselves to be world leaders in intrusion prevention and their flagship product is Snort which is an open source tool which is used by many thousands for detection of intruders on ones servers or rather keeping them at bay.

• The bottom line of the acquisition is that all the members of the core developer team of ClamAV will now be working as the employees of Sourcefire.
• The ClamAV engine and CVD will remain under GPL.
• Sourcefire now owns the ClamAV project and related trademarks, as well as the source code copyrights held by the five principal members of the ClamAV team. Sourcefire will also assume control of the ClamAV project including: the ClamAV.org domain, web site and web site content; and the ClamAV Sourceforge project page.
• As far as end users are concerned, the company claims nothing much has changed.
  

Read the official announcement here.

TrueCrypt Tutorial: Truly Portable Data Encryption

TrueCrypt is one of the many disk encryption tools available in Linux and other Unices. Some of the features of truecrypt are as follows (and I quote):

• Creates a virtual encrypted disk within a file and mounts it as a real disk.
• Encrypts an entire hard disk partition or a storage device such as USB flash drive.
• Encryption is automatic, real-time (on-the-fly) and transparent.
• Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
  
  1. Hidden volume (steganography).
  2. No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
• Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: LRW.
  

Lipiec at Polishlinux.org has written a very good tutorial which explains how to setup and use truecrypt in Linux. He explains right from the start which is - download the code, compile, and install it to creating encryption volumes. Just so you know, truecrypt has been made available in deb and rpm formats as well. So if you are using one of the major Linux distributions such as Debian, Ubuntu or Fedora, you can skip the compilation from source step.

Truecrypt is available for Linux and Windows but the developers have provided a easy to use GUI only for Windows platform. Linux users are still made to depend on the command line to setup and manage encrypted volumes using truecrypt.

(IN)Secure Magazine - a free security magazine in PDF format

One thing which any operating system worth its name should take seriously is the concept of security. In this internet age when more and more people are getting access to always-on broadband, security is all the more important.

I read in one article in a mainstream media that credit card fraud is becoming rampant and is on the rise. The fraudsters hack into vulnerable machines and access confidential data. While some operating systems struggle to contain the security threats, many others fare better in this department. Linux is inherently considered to be more secure. But the most secure operating system is by far OpenBSD which has seen only two vulnerabilities in its code in 10 years.

(IN)Secure is a magazine which is dedicated to discussing security related aspects of Operating systems. It is a monthly magazine which is freely made available for download in a PDF format. Mirko Zorz is its Chief Editor. The magazine carries security articles related to all operating systems. In the latest (11th edition) of the magazine, you may read an article on iptables titled - "IPtables : An introduction to a robust firewall". I may add that the article was contributed by me and so if you do read the article and find any faults, you may let me know about it rather than troubling Mirko ;-). You can download the 11th issue of the (IN)Secure magazine here (PDF file).

EnGarde Secure Linux 3.0.14

EnGarde Secure Linux is a Linux distribution developed by Guardian Digital - an open source Internet security company, and is designed with security in mind. Built from grounds-up, this product has been in development since 1999. EnGarde Secure Linux highlights its "Secure by default" tag as the one reason that it should be favored to be used as a Linux server. The developers have considerably reduced its size to include server-only applications and the whole administration of the server from the rebooting to its shutting down as well as configuring and maintaining web servers, database servers and so on can be done remotely from the confines of a web interface.

Guardian Digital has split EnGarde Secure Linux into three branches. Them being

1. The Unstable branch which contain bleeding edge packages and is open only to developers.
2. The community branch which is provided for free and is supported by the open source community. And lastly...
3. The professional branch which is officially supported by Guardian Digital. And which needs to be bought.
   

The main difference between the community branch and the professional branch apart from the fact that one is free and the other is paid version is that Professional branch is much better tested and documented and can avail of the official support of Guardian Digital. Compared to that, the community branch will have to rely on the mailing list for support.

Features of EnGarde Secure Linux are many and are as follows (as quoted from their website) :

• Linux 2.6 kernel for the latest hardware compatibility
• SELinux Mandatory Access Control provides high security by strictly enforcing service separation at the kernel level
• Guardian Digital Secure Network features free access to all system and security updates and allows for quick and easy updating of the entire server
• Broad support for server hardware, including 64-bit AMD architecture and hardware RAID
• Web-based management of all functions, including the ability to build a complete web presence with FTP, DNS, HTTP, SMTP and more
• Secure up-to-date LAMP stack serves virtual websites with Apache v2.0, MySQL 5.0, and PHP 4.4 (PHP 5.0 available as an optional package)
• Latest BIND 9.3 provides secure DNS services
• Completely new WebTool, featuring easier navigation and greater ability to manage the complete system via a secure web browser connection
• RSS feed provides ability to display current news and immediate access to system and security updates
• Integrated firewall with ability to manage individual firewall rules, control port forwarding, and creation of IP blacklists
• Commercial grade Network Intrusion Detection System displays and graphs incoming attacks in real time
• Built-in Host IDS monitors system files for unauthorized changes to ensure system integrity
• Built-in UPS configuration provides ability to manage an entire network of battery-backup devices
• Real-time access to system and service log information
  

Ryan Berens who is an open source advocate at Guardian Digital tells me that EnGarde Secure Linux is a fully functional platform distribution that focuses on integrated security and ease of management. EnGarde Secure Linux has also been released by Guardian Digital as a Live CD so that it can be taken for a test drive without installing on ones machine.

Free Security Apps for Linux - a comprehensive list

When you hear the words "security apps", as an end user, one always tend to think of virus scanners, rootkit detectors, firewalls, network tools and so on. And Linux does not have a dearth of these tools which make it one of the most secure if not the most secure OS. Of course, how secure you can make your Linux machine will ultimately depend on your choice of Linux distribution and in what way you configure your machine. You can make your Linux box as open or as closed as you want.

ITSecurity - a website related to security has assembled a list of 103 free security apps. A large number of them are for Windows and Mac users but still, a significant percentage of them for Linux have also made it to the list. The applications have been categorized into 13 categories them being, Spyware, antivirus, rootkit, firewall, email, web utility, network, Intrusion detection system, Virtual private network, temporary files, wireless, encryption and a miscellaneous section.

You won't find Linux applications in all the categories. For example, the spyware category contain only Windows apps ;-). But this is a comprehensive list which lists many applications for Linux that I am aware of for the first time. I thought that ClamAV antivirus was the only antivirus solution for Linux but I was wrong, there are many more. Do check out the full list which will throw light on many applications and then some more which may be of use to all Linux enthusiasts.

Care to break the law using GNU/Linux ? Then here are a couple of ways of getting free internet access.

The dawn of the internet era has seen more and more people jump on to the internet bandwagon and spend a significant part of their free as well as work time online. Each day we find different ways in which we can make use of the Internet and slowly but surely, the world wide web is getting more and more ingrained in our daily lives. And as with any popular medium, we find energy being dissipated in various quarters in getting free access to it by taking advantage of the loopholes found in the technology being used.

Doug has an interesting article where he describes how to use ICMP tunneling to get access to your neighbours internet connection.

ICMP stands for Internet Control Message Protocol which is used to carry the information about the status of the network. It has a wide variety of uses such as reporting on the availability of remote hosts, the errors in the underlying network and detecting network congestion. 'ping' - one of the most common programs which is used to test the network connectivity of up to three layers of OSI model uses ICMP to do its task.

And on a different note, Karl Bitz explains how to crack WEP using a machine running Ubuntu. The usual assumptions in both cases being that you as well as the neighbour in question rely on wireless technology to connect to the internet.

On a personal note, I do not support illegal ways of gaining things. In fact one very strong motivating factor for me to embrace GNU/Linux was the freedom from being dependent on (often pirated) proprietary software. But from a theoretical point of view, both the articles are interesting because they throw a wee bit more light on the technologies underlying the wireless internet access.

20 ways to secure your Apache configuration

In an earlier post I had explained how to host websites on ones personal machine using apache webserver as well as password protecting the website using .htaccess and .htpasswd files.

But there is much more to apache than these configuration features I described. For instance, there is the mod_rewrite module which is heavily used by most content management systems to provide a easy to remember permanent link to individual web pages and an indepth introduction to mod_rewrite will take up larger part of a big chapter.

Pete Freitag has written a very good article which lists the steps one can take to secure running Apache webserver on ones machine. What I like most about his article is the simple manner in which he explains the various configuration parameters aided with bits of code. A very informative read indeed.

How to securely erase the hard disk before selling ones computer

There are times when the news sites are abuzz with sensational news items. I am speaking of those news items which tempts one to pitch in and have his/her say come what may. And the news of someone who bought a laptop on ebay only to find it defective and how he took revenge on the seller by posting all the personal data on the hard disk on a website is by now a legend.

Now it is hard to decide who is in the right here - the person who published the private data on the website (for all you know, the laptop in question could have been damaged in transit) or the seller who is now the talk of the town, whose life is being dissected. There is no way to know. But that is besides the point. The truth is that it is scary to realize that it is next to impossible to delete all the data that one stores on ones storage media without completely destroying it. Because, with the right tools anybody can retrieve even deleted data.

So what can be done to alleviate the situation ? If you are using GNU/Linux or any other UNIX, then you have a tool called shred which can be used to wipe all the data from the hard disk. Here is how it works. Suppose I want to erase all the data on my hard disk, then I boot using a LiveCD like Knoppix and open a shell and type the following command:

# shred -vfz -n 100 /dev/hda 

Here /dev/hda is my whole hard disk. And I am asking shred to make (-n) 100 passes by overwriting the entire hard disk with (-z) zeros. And shred program (-f) forces the write by changing the permissions wherever necessary.

Another GPLed tool (though not specifically related to Linux) which is quite popular is Darik's Boot and Nuke (DBAN) which also does a swell job of wiping ones hard disk.

It is claimed that experts in the field of retrieving data can still get some data from a hard disk that has been wiped in the above manner. But atleast lesser mortals who buy second hand laptops and computers will find it beyond their means to lay their hands on the data.

.htaccess File Generator

Apache is one of the most flexible web server around. And one of the features that aids it in being flexible is a hidden file which goes by the name '.htaccess'. This file is used by web site administrators to make configuration changes on a per-directory basis especially when the administrator does not have access to the main configuration file of the apache web server.

You can use this file (.htaccess) to password protect files in a particular directory in your website, give mod-rewrite rules, force HTTP requests to use secure socket layer and so on. In fact, one can write just about any rule that he/she can configure in the main configuration file of the apache webserver.

But if you find writing code to be a hassle, then this webpage will aid in creating a .htaccess file from scratch with the parameters of your choice.