secure


  • These are my mod_evasive settings:
     
    LoadModule evasive20_module     /usr/lib/apache2/mod_evasive20.so
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      DOSEmailNotify [e-mail address hidden by the site's spam protection]
    </IfModule>

    And this is some short documentation I forgot to add in the previous article:

    • DOSHashTableSize: the size of the hash table of URL and IP combinations. The greater this setting, the more memory is required for the look-up table, but the faster look-ups are processed. This option is automatically rounded up to the nearest prime number.
    • DOSPageCount: the number of requests for the same page from the same IP during an interval that will cause that IP to be added to the block list.
    • DOSSiteCount: the number of pages of a site requested by the same IP during an interval that will cause the IP to be added to the block list.
    • DOSPageInterval: the interval, in seconds, for the DOSPageCount threshold.
    • DOSSiteInterval: the interval, in seconds, for the DOSSiteCount threshold.
    • DOSBlockingPeriod: the time (in seconds) the IP stays blocked.
    • DOSEmailNotify: can be used to send a notification e-mail every time an IP is blocked.
    • DOSSystemCommand: the command executed when an IP is blocked. It can be used to block the IP on a firewall or router.
    • DOSWhiteList: can be used to whitelist IPs such as 127.0.0.1
    So if anybody requests the same page on my homepage 5 times in less than 2 seconds, they get blacklisted.
    If anybody tries to make more than 100 requests to my homepage in less than 2 seconds, they get blacklisted.
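    To see how the thresholds above interact, here is a small added simulation (my own constructed example, not mod_evasive's code) that replays a handful of constructed access-log lines through a simplified model of the module's decision logic: per-IP counters for the same URI and for the whole site, a window that resets after the interval, and a hold period that is extended while a blocked IP keeps sending requests.

```python
DOS_PAGE_COUNT = 5          # from the mod_evasive settings above: same-URI hits per IP
DOS_SITE_COUNT = 100        # any-URI hits per IP
DOS_PAGE_INTERVAL = 2       # seconds
DOS_SITE_INTERVAL = 2       # seconds
DOS_BLOCKING_PERIOD = 600   # seconds an IP stays blocked after tripping a threshold

class EvasiveModel:
    """Simplified model of mod_evasive's decision logic (constructed example, not the module's code)."""

    def __init__(self):
        self.hits = {}      # (ip, key) -> (count, time of last hit)
        self.blocked = {}   # ip -> time of last denied request

    def _over_limit(self, ip, key, now, interval, limit):
        count, last = self.hits.get((ip, key), (0, now))
        if now - last >= interval:    # window expired: start counting again
            count = 0
        count += 1
        self.hits[(ip, key)] = (count, now)
        return count >= limit

    def request(self, ip, uri, now):
        """Return 'ALLOW' or 'DENY' for one request and update the tracking state."""
        if ip in self.blocked and now - self.blocked[ip] < DOS_BLOCKING_PERIOD:
            self.blocked[ip] = now    # a blocked IP that keeps hammering stays blocked longer
            return "DENY"
        page = self._over_limit(ip, uri, now, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT)
        site = self._over_limit(ip, "_SITE", now, DOS_SITE_INTERVAL, DOS_SITE_COUNT)
        if page or site:
            self.blocked[ip] = now
            return "DENY"
        return "ALLOW"

def replay(log_lines):
    """Replay constructed log lines 'seconds ip uri'; return (ip, uri, verdict) tuples."""
    model = EvasiveModel()
    return [(ip, uri, model.request(ip, uri, float(ts)))
            for ts, ip, uri in (line.split() for line in log_lines)]

# Constructed sample traffic: one bot hammering index.php, one ordinary visitor.
SAMPLE_LOG = [
    "0.0 10.0.0.5 /index.php",
    "0.3 10.0.0.5 /index.php",
    "0.6 10.0.0.5 /index.php",
    "0.9 10.0.0.5 /index.php",
    "1.2 10.0.0.5 /index.php",    # 5th hit on the same page within 2 s: blocked
    "1.5 10.0.0.5 /about.html",   # different page, but the IP is already on hold
    "2.0 192.0.2.9 /index.php",
    "5.0 192.0.2.9 /index.php",   # slow visitor: the 2 s window has expired
]
```

    The real module counts slightly differently around the threshold, so treat the verdicts as illustrative of the settings, not as a byte-exact reproduction.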
        
    In less than a week, the following bots got blacklisted.

  • site.down.hacked

    If you are running any of the following Joomla versions it might just be a matter of time before you too are hacked!

    • Joomla! 1.5.0
    • Joomla! 1.5.1
    • Joomla! 1.5.2
    • Joomla! 1.5.3
    • Joomla! 1.5.4
    • Joomla! 1.5.5
    • Joomla! 1.5.6
    • Joomla! 1.5.7
    • Joomla! 1.5.8
    • Joomla! 1.5.9
    • And maybe to a lesser extent Joomla! 1.5.10
    The latest and most secure Joomla version is Joomla! 1.5.11, released last week! Back up your site and database and just unpack the right Joomla! distribution now.
  • nginx (pronounced “engine-x”) is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. It is licensed under a BSD-like license and it runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX and Microsoft Windows [WikiPedia]

    These are my reusable settings for any Joomla hosting; to the best of my knowledge they are the most secure and fastest settings.

    Configuration files are provided using Gist and are CONSTANTLY updated for added security and speed. Gist is a simple way to share snippets and pastes with others. All gists are git repositories, so they are automatically versioned, forkable and usable as a git repository. I recommend you star them to stay up to date.

    Joomla.conf for nginx

    Create a new directory nginx/conf to be able to place reusable nginx settings:

    mkdir -p /etc/nginx/conf

    vi /etc/nginx/conf/joomla.conf

    Edit or create joomla.conf; you can find the latest documented version of joomla.conf in one of my Gists at https://gist.github.com/1620307

    Adding a new Joomla Site to nginx

    Create the required directories anywhere on your disk; here is an example with the domain www.example.com

    mkdir -p /var/www/vhosts/example.com/httpdocs
    mkdir -p /var/www/vhosts/example.com/logs

    Set the right permissions for the user and group you have defined in nginx.conf

    chown -fR www-data:www-data /var/www/vhosts/example.com/httpdocs

    Copy the nginx template and adapt to your liking

    cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example
    vi /etc/nginx/sites-available/example

    Edit or create the example file; you can find the latest documented version of the example file in one of my Gists at https://gist.github.com/1620307

    This file includes joomla.conf to avoid duplicating nginx settings.

    Activate the new domain

    ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example
    service nginx restart
  • Recorded by me at the Tech Tuesday Meetup group on 4 Oct. 2016

    "Blockchain, cryptography, and consensus" By Christian Cachin (Cryptographer, IBM Research - Zurich)

    Christian Cachin is a senior researcher at IBM Research Zurich. His research focuses on information security and distributed systems, with emphasis on secure protocols for distributed systems. Two of his current research topics are blockchain and consensus protocols in general. He received his PhD in cryptography from ETH Zurich in 1997.

  • My mind map, which you can use as a checklist to secure your Linux server and Joomla, has a new home; it is now located at:

    http://joomla-security.waltercedric.com

    I will update it regularly with new tips and how-tos. Your feedback is as always welcome; you can use the comment thread below.

  • chkrootkit is a tool to locally check for signs of a rootkit. chkrootkit is a common Unix-based program intended to help system administrators check their system for known rootkits. It works by using several mechanisms, including comparison of file signatures to known rootkits and checking for suspicious activity (processes listed in the proc filesystem but not in the output of the 'ps' command).
    Log in to the server with ssh as the root user

    Download chkrootkit.
    # wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

    Unpack the chkrootkit you just downloaded.
    # tar xvzf chkrootkit.tar.gz

    Go to that directory
    # cd chkrootkit

    Compile
    # make sense

    Run
    # chkrootkit

     
    • Receive an e-mail every day with the chkrootkit result
    For Root user
    # crontab -e
    For any user
    # crontab -e -u username

    and add

    • 0 3 * * * (/usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c [cc address 1],[cc address 2] [recipient address])

    * The correct path can be found with: which chkrootkit
    This will run chkrootkit at 3:00 am every day and e-mail the output to the recipient address, with copies to the two cc addresses (the real addresses are hidden by the site's spam protection; put your own in).

    False alarms:
    "Checking `bindshell'... INFECTED (PORTS: 465)" This is normal and NOT really a rootkit.

    Note
    If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server once the rootkit has been revealed).

  • Create a new RSA key

    # openssl genrsa -des3 -out server.key 1024
    Give a very long passphrase, and save it somewhere in a PGP file or TrueCrypt volume

    Create a non encrypted version for Apache

    # openssl rsa -in server.key -out server.key.unsecure

    Prepare the certificate signing request

    # openssl req -new -key server.key -out server.csr
    Attention: enter the hostname on which the certificate will be used, since browsers match the certificate's contents against the host in the URL.

    Sign the certificate

    # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    Add the SSL certificate to Apache

    Attention: the paths to server.key and server.crt may differ!

    (on SuSE 9.3 keys are stored in /etc/apache2/ssl.key/)
    # cp server.key.unsecure /etc/httpd/ssl.key/server.key
    # cp server.crt /etc/httpd/ssl.crt/server.crt
    # chmod 400 /etc/httpd/ssl.key/server.key
    # chmod 400 /etc/httpd/ssl.crt/server.crt

    Restart Apache

    Brutal:
    # /etc/init.d/apache restart

    Graceful:
    # apache2ctl graceful
     
  • I am encountering heavy spamming attempts on my Wiki as well, which is why I decided to lock write changes to my Wiki. This is how you can do it too.

    Open LocalSettings.php and set a new key $wgReadOnlyFile like this 

    $wgReadOnlyFile="./.lock.txt";

    The value must be the name of a file; then put the reason for the lock inside the file using the wiki notation

    '''I've blocked my Wiki because of spammers! It will reopen as soon as I find a solution; if it annoys you, you can still contact me at http://www.waltercedric.com'''

    The contents of the file will be displayed to anyone trying to edit the wiki.

    Note that readonlyfile is not guaranteed to be absolutely safe; if you need to guarantee that MediaWiki will never write to the data, you need to do this on the database itself (e.g. revoke UPDATE,INSERT,DELETE from the wiki user, or put MySQL into read-only mode).

  • port.knocking.ssh.linux

    Port Knocking is a technique to secure services behind a firewall until a specific knock sequence is given. Once that sequence is given, the IP address that initiated the knock may be allowed to access the service for a short period of time. A knocking server listens to all traffic on an Ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server.

    This is a bit paranoid, but it adds another layer of security: an attacker will have either to try all port combinations or to know the secret combination (knock) to be able to connect to your SSH daemon, for example.

    First, make sure you have a port knocking client, or you will be locked out of your own server forever!
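    The server side of the mechanism described above, as an added example of my own (not code from any port-knocking daemon): it tracks, per source IP, how far through the secret sequence the knocks have got, resets on a wrong port or a too-slow knock, and opens the protected port for a short time once the sequence completes. The knock sequence, timeouts and sample packets are constructed for the example; capturing packets and changing firewall rules is left out.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed secret knock for the example
KNOCK_TIMEOUT = 5.0      # max seconds between two consecutive knocks
OPEN_DURATION = 30.0     # seconds the protected port stays open after a complete knock
PROTECTED_PORT = 22      # the SSH daemon mentioned above

class KnockServer:
    """Decision logic of a port-knocking daemon (constructed example; packet capture and
    firewall changes are left out)."""

    def __init__(self, sequence=KNOCK_SEQUENCE):
        self.sequence = sequence
        self.progress = {}   # src_ip -> (index of next expected knock, time of last knock)
        self.opened = {}     # src_ip -> time until which the protected port is open

    def knock(self, src_ip, dst_port, now):
        """Feed one observed packet to a closed port; return True when the sequence completes."""
        idx, last = self.progress.get(src_ip, (0, now))
        if now - last > KNOCK_TIMEOUT:
            idx = 0                   # too slow between knocks: start over
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            idx = 0                   # a wrong port resets progress, so a plain sweep never gets through
        if idx == len(self.sequence):
            self.opened[src_ip] = now + OPEN_DURATION
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, now)
        return False

    def is_allowed(self, src_ip, dst_port, now):
        """Would the firewall accept this connection to the protected port right now?"""
        return dst_port == PROTECTED_PORT and now < self.opened.get(src_ip, 0.0)

def replay(packets):
    """Replay constructed (seconds, src_ip, dst_port) tuples; return the set of IPs that opened SSH."""
    server = KnockServer()
    return {ip for t, ip, port in packets if server.knock(ip, port, t)}

# Constructed traffic: a legitimate client knocks correctly, a scanner sweeps ports in order.
SAMPLE_PACKETS = [
    (0.0, "198.51.100.4", 7000), (1.0, "198.51.100.4", 8000), (1.5, "198.51.100.4", 9000),
    (0.0, "203.0.113.9", 7000), (0.1, "203.0.113.9", 7001), (0.2, "203.0.113.9", 8000),
]
```

    The open window expiring on its own is what keeps the daemon safe to run unattended: forgetting to close the port again would leave the "short period of time" from the description open indefinitely.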

  • The official version of nginx for Ubuntu Precise is 1.1.19, but the latest available stable version is 1.2.2 (Changes). In this post I will show you how to update to the latest available version.

    vi /etc/apt/sources.list

    and add, depending on your Ubuntu version, either

    For Ubuntu 10.04 Lucid:

    deb http://nginx.org/packages/ubuntu/ lucid nginx
    deb-src http://nginx.org/packages/ubuntu/ lucid nginx

    For Ubuntu 12.04 Precise:

    deb http://nginx.org/packages/ubuntu/ precise nginx
    deb-src http://nginx.org/packages/ubuntu/ precise nginx

    Now you can run

    apt-get update

    When using the public nginx repository for Ubuntu, you’ll get this error

    W: GPG error: http://nginx.org lucid Release: The following signatures 
    couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62

    First of all, this is only a warning and you can ignore it if you know what you are doing. If you prefer to add the public key used for signing the packages and the repository, just run:

    gpg -a --export 7BD9BF62 |  sudo apt-key add -

    or

    wget http://nginx.org/packages/keys/nginx_signing.key
    cat nginx_signing.key | sudo apt-key add -

    apt-get update should now run fine, however after running an

    apt-get install nginx

    you may still get this kind of error:

    dpkg: error processing /var/cache/apt/archives/nginx_1.2.2-1~precise_amd64.deb (--unpack):
     trying to overwrite '/etc/logrotate.d/nginx', which is also in package nginx-common 1.1.19-1
    dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
    Errors were encountered while processing:
     /var/cache/apt/archives/nginx_1.2.2-1~precise_amd64.deb

    just remove nginx-common and retry

    apt-get remove nginx-common

    More at http://wiki.nginx.org/Install