security

Security is the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization. [read more at http://en.wikipedia.org/wiki/Security]

  • http://www.securitypatterns.org/index.html
  • A new site opened in recent months; its purpose is to unite the individuals interested in Linux and biometrics. LinuxBiometrics.com's purpose is to fill the biometrics void in the Open Source community.

    I hope that someone will write a driver for the Digital Persona or Microsoft fingerprint reader (which is the same device, one more true innovation from Microsoft Digital Persona)... Sometimes I hate being a Java specialist (and not a C++ developer) :-(


  • checklist

    An exploited or hacked server is one that is no longer fully under your control: someone else is now partially using your server for their own purposes.

    You'll find in this mind map what the bad guys can do and the remedies.

    Why a mind map?

    A mind map is a diagram used to visually outline information. Mind maps help you take notes, brainstorm complex problems, and think creatively.

    • Information is summarized efficiently to be usable and accessible,
    • Inter-relationships between the different concepts are clear,
    • It is the most flexible way of organizing associative, divergent and convergent thinking (convergent thinking involves aiming for a single, correct solution to a problem, whereas divergent thinking involves the creative generation of multiple answers to a set problem).

    You can find the latest version at

    http://linux-compromised-server-checks.waltercedric.com/

  • I created this mind map a while ago, and found it while going through my Dropbox folders. Linux server Monitoring “You can't correct something you can't measure” is at version v1.0.0

    You'll find in this mind map what to monitor, how, and the most useful commands to detect what is happening on your Linux server.

    Why a mind map?

    A mind map is a diagram used to visually outline information. Mind maps help you take notes, brainstorm complex problems, and think creatively.

    • Information is summarized efficiently to be usable and accessible,
    • Inter-relationships between the different concepts are clear,
    • It is the most flexible way of organizing associative, divergent and convergent thinking (convergent thinking involves aiming for a single, correct solution to a problem, whereas divergent thinking involves the creative generation of multiple answers to a set problem).



    Latest version at

    You may also like my now 4-year-old Joomla “Secure, Safe, Fast Linux Hosting” mind map at http://joomla-security.waltercedric.com/

    All mind maps were created with http://freemind.sourceforge.net

  • I used to make mind maps to organize my ideas, or to organize huge amounts of data in a tree manner. Maintaining your own root server is time consuming, to say the least, but it will also force you to put your energy into areas where there are a lot of new things to learn. Here I present a mind map that contains most of the tools and ideas of what you should monitor on a Linux server.

    This mind map is an ongoing work, which is why it also has a version number in it (v1.0.0). As soon as I learn new tricks, the mind map will be updated. Your feedback is always welcome!


    By clicking read more, you'll be able to go through the checklist as text, or download the mind map as a PDF (600kB)

    • Why
      • it's critical to know what is going on
      • take preventive action
      • perform maintenance upfront
    • What to monitor
      • CPU utilization
      • Server RAM
      • Bandwidth usage
      • Disk space usage
      • Physical temperature
      • Logs files
    • Useful Bash Commands
      • top
        • Top will show you memory usage, number of users logged in, load averages, CPU consumption, total uptime, virtual memory, and how long each process has been running.

          htop - htop is an enhanced version of top, the interactive process viewer, which can display the list of processes in a tree form.

      • ps aux
        • list of every process running, the user running it, and even what action it is taking
      • vmstat
        • vmstat - System Activity, Hardware and System Information
        • vmstat 3
          • return information about processes, memory, paging, block IO, traps, and cpu activity.
        • vmstat -m
          • Display Memory Utilization
      • w
        • who is logged in and what they are doing
      • uptime
        • return how long the system has been running
      • ps
        • Display all processes running
        • ps axjf
        • ps -p pid  -o comm=
          • display the name of the process whose pid is pid
        • ps -auxf | sort -nr -k 4 | head -10
          • return the 10 processes consuming the most memory
        • ps -auxf | sort -nr -k 3 | head -10
          • return the 10 processes consuming the most CPU
      • free
        • displays the total amount of free and used physical and swap memory
      • iostat
        • display Central Processing Unit (CPU) statistics and input/output statistics for devices, partitions and network filesystems (NFS)

      • mpstat
        • Displays activities for each available processor, processor 0 being the first one
        • mpstat -P ALL
      • proc
        • cat /proc/cpuinfo

          cat /proc/meminfo

          cat /proc/zoneinfo

          cat /proc/mounts

      • lsof
        • list open files, network connections and much more
    • Bandwidth usage
      • Webalizer
    • Tools
      • Nagios
        • Nagios is a popular open source computer system and network monitoring application software. You can easily monitor all your hosts, network equipment and services.

      • delayed
        • Munin
          • Easy monitoring of your Linux server from a web browser. Munin creates graphs for just about everything going on in your system and runs every 5 minutes.

        • online services
    • Login
      • check for empty user passwords
        • awk -F: '($2 == "") {print}' /etc/shadow
      • lock an account
        • passwd -l accountName
      • only root should have uid 0; check for other accounts that may act like root
        • awk -F: '($3 == "0") {print}' /etc/passwd
    • Services
      • List all services that are autostarted at boot time
        • apt-get install chkconfig
        • chkconfig --list | grep '3:on'
      • Stop unwanted services
        • service serviceName stop
    • Network
      • list all open ports and associated programs
        • netstat -tulpn
        • nmap -sT -O localhost
    • Files system
      • Find world-writable directories without the sticky bit
        • find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
      • find files with no owner
        • find / -xdev \( -nouser -o -nogroup \) -print
    • Log Files
      • Login attempts
        • /var/log/auth.log: failed or successful logins
        • If there are too many failed attempts in the log file, someone may be brute forcing logins
          • block the source with iptables, or automatically with fail2ban (apt-get install fail2ban)

      • Interesting log files
          • /var/log/kern.log: Kernel logs
          • /var/log/messages: General messages
          • /var/log/auth.log: Authentication logs
          • /var/log/mysqld.log: MySQL database server log file
          • /var/log/cron.log: Cronjob logs
          • /var/log/qmail/ : Qmail log directory
          • /var/log/maillog: Mail server logs
          • /var/log/httpd/ or  /var/log/apache2/:   Apache
          • /var/log/boot.log : System boot log
          • /var/log/secure: Authentication log
  • First let's refresh some definitions...
    set user ID (SUID)

    The SUID permission causes a program to run as the user who owns the file, rather than the user who started it. It is normally considered extremely bad practice to run a program in this way, as it can pose many security problems.

    set group ID (SGID)

    The SGID permission causes a program to run with its group set to the group of the file, rather than the group of the user who started it. It is normally considered extremely bad practice to run a program in this way, as it can pose many security problems.

    Recent versions of the Linux kernel will not even honour the SGID/SUID bits on shell scripts.

    Use of the SUID bit on binaries (to run with root privileges, aka the "setuid bit") MUST be limited to those shown in
    the following list:

    /bin/ping
    /bin/su
    /usr/bin/at
    /usr/bin/chage
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/crontab
    /usr/bin/gpasswd
    /usr/bin/newgrp
    /usr/bin/passwd


    The other binaries that were installed with the SUID bit set MUST have this bit removed. Administrators can still run
    these binaries normally, but they are not available to ordinary users. There are also a number of SGID files on the system that are needed; which ones may depend on the tools installed and on your distribution. Use Google and query the web for the right list ;-)

    Similarly, the SGID bit MUST NOT be used to give group "root" privileges to any binary.
    To generate a list of all SUID/SGID programs on the system, simply run the following command:

    # find / -not -fstype ext3 -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print


    Then, for each file in this list that is not one of the permitted SUID or SGID programs, run the command
    # chmod -s FILE

    to remove the SUID and SGID bits. When done, re-run the find command to verify that the list matches the
    permitted programs.

    I also recommend installing FAF (File Anomaly Finder) on your server to check periodically for files with too many rights or privileges
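The account and permission checks from the server checklist above (empty passwords, extra uid 0 accounts, world-writable directories) and the SUID/SGID allow list from this post, carried out by one script. This is an added example, not the mind map's commands nor FAF: the passwd/shadow samples and the file tree it builds are constructed test data, and the allow list is the one printed above.

```python
"""Account and permission checks from the server checklist, as a Python audit
(added example; not the page's mind map or FAF). The passwd/shadow samples and the
demo file tree are constructed test data."""
import os
import stat
import tempfile

# SUID binaries the page permits; everything else with the bit set gets reported.
PERMITTED_SUID = {
    "/bin/ping", "/bin/su", "/usr/bin/at", "/usr/bin/chage", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/crontab", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd",
}

# Constructed sample files (not from a real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
walter:x:1000:1000::/home/walter:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$fakesalt$fakehash:15000:0:99999:7:::
guest::15000:0:99999:7:::
walter:$6$fakesalt$fakehash:15000:0:99999:7:::
"""


def empty_password_accounts(shadow_text):
    """Same test as awk -F: '($2 == "") {print}' /etc/shadow."""
    return [f[0] for f in (line.split(":") for line in shadow_text.splitlines())
            if len(f) >= 2 and f[1] == ""]


def uid_zero_accounts(passwd_text):
    """Same test as awk -F: '($3 == "0") {print}' /etc/passwd."""
    return [f[0] for f in (line.split(":") for line in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0"]


def setid_files(root, permitted=PERMITTED_SUID):
    """Regular files under root with SUID or SGID set that are not on the allow list
    (the find -perm -4000 -o -perm -2000 step, minus the permitted programs)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID) \
                    and path not in permitted:
                found.append(path)
    return sorted(found)


def world_writable_dirs_without_sticky(root):
    """The find -type d -perm -0002 ! -perm -1000 check: anyone can create or delete
    entries in these directories, and the sticky bit is not there to limit deletion."""
    found = []
    for dirpath, dirs, _files in os.walk(root):
        for name in dirs:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH \
                    and not st.st_mode & stat.S_ISVTX:
                found.append(path)
    return sorted(found)


def build_demo_tree():
    """Constructed file tree so the checks can run without touching a real system."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    paths = {
        "suid": os.path.join(root, "custom_helper"),
        "plain": os.path.join(root, "plain_tool"),
        "open_dir": os.path.join(root, "dropbox"),
        "sticky_dir": os.path.join(root, "tmp_like"),
    }
    for key in ("suid", "plain"):
        with open(paths[key], "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
    os.chmod(paths["suid"], 0o4755)   # setuid bit set, and not on the allow list
    os.chmod(paths["plain"], 0o755)
    os.mkdir(paths["open_dir"])
    os.chmod(paths["open_dir"], 0o777)    # world-writable, no sticky bit: reported
    os.mkdir(paths["sticky_dir"])
    os.chmod(paths["sticky_dir"], 0o1777)  # like /tmp: sticky bit set, not reported
    return root, paths


if __name__ == "__main__":
    print("empty passwords:", empty_password_accounts(SAMPLE_SHADOW))
    print("uid 0 accounts:", uid_zero_accounts(SAMPLE_PASSWD))
    demo_root, _ = build_demo_tree()
    print("unexpected SUID/SGID:", setid_files(demo_root))
    print("world-writable dirs without sticky bit:", world_writable_dirs_without_sticky(demo_root))
```

On a real host you would feed `setid_files("/")` the page's allow list and read the real `/etc/passwd` and `/etc/shadow` (the latter as root); the functions take text and a root path precisely so the same checks can be run over a copy or a mounted image during an investigation.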

  • I started reading this book 2 days ago (135 pages read of 412 pages). It is quite interesting, especially the chapters about pseudo-random generator quality and bias, zero-knowledge protocols, polymorphic virus bodies using a relatively small algorithm (TEA)... It also proposes some solutions, but I have not reached that chapter yet...

    Hackers have uncovered the dark side of cryptography—that device developed to defeat Trojan horses, viruses, password theft, and other cyber-crime. It’s called cryptovirology, the art of turning the very methods designed to protect your data into a means of subverting it.

    Malicious Cryptography: Exposing Cryptovirology
    Adam Young, Moti Yung
    ISBN: 0-7645-4975-8

    • Understand the mechanics of computationally secure information stealing
    • Learn how non-zero sum Game Theory is used to develop survivable malware
    • Discover how hackers use public key cryptography to mount extortion attacks
    • Recognize and combat the danger of kleptographic attacks on smart-card devices
    • Build a strong arsenal against a cryptovirology attack

    Preface by security expert Bruce Schneier (Practical Cryptography, a reference)


  • Comments are welcome!
    Here we go....
    I've patched the Ako comment component by Arthur Konze with a hashcash technology....:
    A new hidden form field:
    • with a random name (Hname),
    • with a random MD5 value (Hvalue),
    is now sent to the user.

    If the user wants to submit a comment, the browser has to:
    • locate the random hidden field name (Hname) with JavaScript (function replace()),
    • rehash the hidden field value (Hvalue) with a JavaScript MD5 (and this is time consuming for spammers :-) )
    and send everything to the server.

    If the spammer does not follow the challenge, the comment won't be accepted!

    required: com_log4php and the com_hashcash library
    The zip file in the download section contains the component and the mambot! Decompress it first before installing both.
    All credit to Arthur Konze for his wonderful component.



  • I know I am publishing too much news against M$ these past weeks but... this one is one more time... ahem, interesting:

    Full text of a letter from Microsoft, in response to coverage of companies moving from IE to Firefox and other alternative browsers, here at InformationWeek.

    Visiting this page http://windowsmarketplace.com/content.aspx?ctId=63 with Opera 7.54 under Linux crashes my browser every 2 link clicks. But it runs fine on Firefox 1.0

  • mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

    Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
    • Requesting the same page more than a few times per second
    • Making more than 50 concurrent requests on the same child per second
    • Making any requests while temporarily blacklisted (on a blocking list)

    This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it's a good idea to integrate this with your firewalls and routers for maximum protection.

    This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use. from  http://www.zdziarski.com/projects/mod_evasive/

    Click read more for my HowTo.

    Download the current version of mod_evasive:
    # wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

    Unpack it into /usr/local/src (the archive extracts to a mod_evasive directory):
    # tar xvzf mod_evasive_1.10.1.tar.gz -C /usr/local/src

    Move to that directory:
    # cd /usr/local/src/mod_evasive

    Edit the file mod_evasive20.c; we have to change line 45 to:
    #define MAILER "/bin/mail -t %s"

    Compile the module, with apxs2 for Apache2 or apxs2-prefork for Apache2-Prefork:
    # /usr/sbin/apxs2 -cia mod_evasive20.c
    # /usr/sbin/apxs2-prefork -cia mod_evasive20.c

    Now we have to create a config file for mod_evasive:
    # touch /etc/apache2/conf.d/mod_evasive.conf
    and edit it:
    # vi /etc/apache2/conf.d/mod_evasive.conf
    Content of the file (replace the DOSEmailNotify address with your own):

    Apache2:
    LoadModule evasive20_module     /usr/lib/apache2/mod_evasive20.so
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      DOSEmailNotify you@example.com
    </IfModule>

    Apache2-Prefork:
    LoadModule evasive20_module     /usr/lib/apache2-prefork/mod_evasive20.so
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      DOSEmailNotify you@example.com
    </IfModule>


    Restart Apache2 either with:
    # rcapache2 stop
    # rcapache2 start
    or
    # /etc/init.d/apache2 restart

    mod_evasive also delivers a small Perl script to try a DoS attack on your own web server:
    # cd /usr/local/src/mod_evasive
    # perl test.pl

    You should see HTTP OK at first, but after some seconds you will only get HTTP error 403, showing that mod_evasive is running correctly!
  • What is mod_evasive?

    mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

    Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

    • Requesting the same page more than a few times per second
    • Making more than 50 concurrent requests on the same child per second
    • Making any requests while temporarily blacklisted (on a blocking list)

    Installation

    apt-get install libapache2-mod-evasive
    mkdir /var/log/apache2/mod_evasive
    chown www-data:www-data /var/log/apache2/mod_evasive

    Configuration

    Create a new file

    vi /etc/apache2/conf.d/01_modevasive.conf

    with this content

    <ifmodule mod_evasive20.c>
     DOSHashTableSize 3097
     DOSPageCount 2
     DOSSiteCount 50
     DOSPageInterval 1
     DOSSiteInterval 1
     DOSBlockingPeriod 10
     DOSLogDir /var/log/apache2/mod_evasive
     DOSEmailNotify root@localhost
     DOSWhitelist 127.0.0.1
    </ifmodule>

    Restart Apache to activate the new module

    /etc/init.d/apache2 restart

    Documentation

    • DOSHashTableSize: Size of the hash table used to store the IPs.
    • DOSPageCount: Number of pages allowed per DOSPageInterval.
    • DOSPageInterval: Time in seconds used by DOSPageCount.
    • DOSSiteCount: Number of objects allowed per DOSSiteInterval.
    • DOSSiteInterval: Time in seconds used by DOSSiteCount.
    • DOSBlockingPeriod: Time in seconds that IPs will be banned. If an IP tries to access the server within this period, the count will be restarted.
    • DOSLogDir: Optional. Directory to store the logs. If not specified, /tmp will be used.
    • DOSEmailNotify: Optional. Mail where notifications will be sent.

    • DOSSystemCommand: Optional. Command to execute if an IP is blocked. For example, using iptables:
      DOSSystemCommand "/sbin/iptables -I INPUT -p tcp --dport 80 -s %s -j DROP"
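To see how the directives above interact, here is a replay of mod_evasive's counting rules over a constructed request log. This is an added example and a simplified model of the module, not its source code: it keeps the same per-IP and per-(IP, URI) counters, the "limit hits allowed per interval, next one denied" rule, the whitelist, and the blocking period that restarts on every hit, with the thresholds taken from the second configuration on this page (DOSPageCount 2, DOSSiteCount 50, DOSPageInterval 1, DOSSiteInterval 1, DOSBlockingPeriod 10, DOSWhitelist 127.0.0.1). The request timings and client addresses are constructed.

```python
"""Replay of mod_evasive's rate-limiting rules over a constructed request log
(added example; a simplified model of the module, not its source)."""
from dataclasses import dataclass, field


@dataclass
class EvasiveConfig:
    page_count: int = 2          # DOSPageCount: same URI from one IP per page_interval
    site_count: int = 50         # DOSSiteCount: any URI from one IP per site_interval
    page_interval: float = 1     # DOSPageInterval (seconds)
    site_interval: float = 1     # DOSSiteInterval (seconds)
    blocking_period: float = 10  # DOSBlockingPeriod (seconds)
    whitelist: set = field(default_factory=lambda: {"127.0.0.1"})  # DOSWhitelist


class EvasiveTable:
    """The per-child hash table: (ip, uri) and ip keys with a last-seen time and a count."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.page_hits = {}   # (ip, uri) -> [last_seen, count]
        self.site_hits = {}   # ip -> [last_seen, count]
        self.blocked = {}     # ip -> time the block was last (re)started

    @staticmethod
    def _over_limit(table, key, now, interval, limit):
        entry = table.get(key)
        if entry is None or now - entry[0] >= interval:
            table[key] = [now, 1]       # window expired: start counting again
            return False
        entry[0], entry[1] = now, entry[1] + 1
        return entry[1] > limit         # `limit` hits allowed, the next one is denied

    def check(self, ip, uri, now):
        """Return the HTTP status the module would give: 200 allowed, 403 denied."""
        cfg = self.cfg
        if ip in cfg.whitelist:
            return 200
        if ip in self.blocked:
            if now - self.blocked[ip] < cfg.blocking_period:
                self.blocked[ip] = now  # any hit while blocked restarts the period
                return 403
            del self.blocked[ip]
        page_over = self._over_limit(self.page_hits, (ip, uri), now,
                                     cfg.page_interval, cfg.page_count)
        site_over = self._over_limit(self.site_hits, ip, now,
                                     cfg.site_interval, cfg.site_count)
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200


# Constructed requests: (time in seconds, client ip, uri). 10.0.0.5 behaves like test.pl.
SAMPLE_REQUESTS = [
    (0.00, "192.0.2.10", "/index.php"),
    (0.10, "10.0.0.5", "/index.php"),
    (0.20, "10.0.0.5", "/index.php"),
    (0.30, "10.0.0.5", "/index.php"),   # third hit on the same page within 1 s: denied
    (0.40, "10.0.0.5", "/about.html"),  # the block is site-wide, not just that URI
    (0.50, "192.0.2.10", "/about.html"),
    (9.00, "10.0.0.5", "/index.php"),   # still inside the (restarted) blocking period
    (25.0, "10.0.0.5", "/index.php"),   # block expired, counters start over
    (25.1, "127.0.0.1", "/index.php"),
    (25.2, "127.0.0.1", "/index.php"),
    (25.3, "127.0.0.1", "/index.php"),  # whitelisted: never limited
]


def replay(requests, cfg=None):
    """Run the requests through one table in time order and return the status list."""
    table = EvasiveTable(cfg or EvasiveConfig())
    return [table.check(ip, uri, t) for t, ip, uri in sorted(requests)]


if __name__ == "__main__":
    for (t, ip, uri), status in zip(sorted(SAMPLE_REQUESTS), replay(SAMPLE_REQUESTS)):
        print(f"{t:5.2f}s {ip:<12} {uri:<12} -> {status}")
```

The replay makes two operational points visible: with DOSPageCount 2 and DOSPageInterval 1 a legitimate double click is still served, and because every request during the block restarts DOSBlockingPeriod, a client that keeps retrying stays blocked for as long as it retries.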
  • smallbox_securityimages: some people have reported issues in the forum

    I've found the error in my code in some views but not all:
        img src="/<?php echo JURI :: root() ?>/index.php?
    As a result, there is a double / in the image URL, which causes issues on some web hosts (no image displayed)

    I now provide new patched versions for Joomla! 1.5.8 and 1.5.9 that can be downloaded:

    • Joomla! 1.5 patches 1.5.9 (stable / 2009-01-19)  Download
    • Joomla! 1.5 patches 1.5.8 (stable / 2009-01-19) Download

    These patches are ONLY for SecurityImages 5.1.0 or later; note the version of the zip:

    Joomla_1.5.8-Stable-Full_PackageForSecurityImages5.1.0_v01.01.00.zip
    Joomla_1.5.9-Stable-Full_PackageForSecurityImages5.1.0_v01.01.00.zip

    instead of v01.00.00


  • In OpenComment, the next commenting system for Joomla based on akocomment, the following functions are NOW running with AJAX:
    • Rating comments up and down,
    • Deleting comments,
    and soon, filtering operations and even publishing new comments.

    But working in computer science does not mean: ready for production.... because AJAX without taking precautions can be disastrous.... This code is facing some strong security issues I will have to solve:


    • AJAX code is not running in the Joomla session! So I have to re-implement some low-level operations like accessing the database (while already done in Joomla)
    • Who protects comments against replayed rating-up attacks? I will introduce a public key per article which has to be submitted to the server, and a private key stored in the session, which will be destroyed after the first operation.
    • How to make sure that the asynchronous operation on a comment originated from a page served by my server?
      -> I will introduce server challenge keys: a cryptographic field which depends heavily on the following: server name, URL, time, and a random part. This ticket will also have a time stamp in it; if you wait more than, let's say, 20 minutes, you won't be able to rate or operate on comments. This is similar to com_hashcash, so nothing really new to me.
    • Avoid that a rating-up operation for comment A gets hijacked by injecting new parameters for comment B?
      -> Comments will be identified by their UUID (and not a simple ID like in akocomment)
      -> Users would have to know it to make an attack on multiple Joomla sites at the same time.
    If you see something else or know a similar code or algorithm in the open source world, contact me or post your remarks below.
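The com_hashcash challenge described earlier (random hidden field name Hname, random MD5 value Hvalue, browser rehashes before posting) and the time-stamped server ticket sketched in this post are close relatives, so here is one added example covering both. It is not the component's code: the server derives Hname and Hvalue from a nonce, signs a ticket bound to server name, URL and issue time, the client iterates MD5 over Hvalue, and the server checks signature, page, age, single use and the work. The HMAC-SHA256 signature, the round count and the 20-minute lifetime are assumptions made here.

```python
"""Hashcash-style comment challenge with a signed, time-limited ticket
(added example, not com_hashcash or OpenComment code)."""
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)   # assumption: a per-server secret kept in configuration
WORK_ROUNDS = 20000              # assumption: MD5 rounds the client must compute
TICKET_TTL = 20 * 60             # seconds; the post above suggests about 20 minutes
_used_nonces = set()             # tickets already spent ("destroyed after the first operation")


def _challenge_fields(nonce, issued):
    """Derive Hname and Hvalue from the ticket so the server need not store them."""
    name = "h" + hashlib.md5(("name:" + nonce).encode()).hexdigest()[:12]
    value = hashlib.md5(("value:" + nonce + ":" + str(issued)).encode()).hexdigest()
    return name, value


def _sign(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(server_name, url, now=None):
    """Server side: what gets embedded in the comment form."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    name, value = _challenge_fields(nonce, issued)
    body = f"{server_name}|{url}|{issued}|{nonce}"
    return {"name": name, "value": value, "ticket": body + "|" + _sign(body)}


def client_solve(value, rounds=WORK_ROUNDS):
    """Browser side: what the page's JavaScript MD5 loop does with Hvalue."""
    digest = value
    for _ in range(rounds):
        digest = hashlib.md5(digest.encode()).hexdigest()
    return digest


def verify_submission(form, server_name, url, now=None, rounds=WORK_ROUNDS):
    """Server side: accept the comment only if every check passes. Returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    parts = form.get("ticket", "").split("|")
    if len(parts) != 5:
        return False, "malformed ticket"
    srv, u, issued, nonce, sig = parts
    if not hmac.compare_digest(_sign(f"{srv}|{u}|{issued}|{nonce}"), sig):
        return False, "bad signature"            # anything tampered with fails here
    if srv != server_name or u != url:
        return False, "ticket issued for another server or page"
    if now - int(issued) > TICKET_TTL:
        return False, "ticket expired"
    if nonce in _used_nonces:
        return False, "ticket already used (replay)"
    name, value = _challenge_fields(nonce, issued)
    answer = form.get(name)
    if answer is None:
        return False, "challenge field missing (client did not locate Hname)"
    if not hmac.compare_digest(answer, client_solve(value, rounds)):
        return False, "challenge not solved"
    _used_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge("example.org", "/article/42")
    form = {"ticket": ch["ticket"], ch["name"]: client_solve(ch["value"])}
    print(verify_submission(form, "example.org", "/article/42"))
    print(verify_submission(form, "example.org", "/article/42"))  # same ticket posted twice
```

Because Hname and Hvalue are recomputed from the signed nonce, the server stores nothing per form except the set of spent nonces, which in a real deployment would live in the session or the database and be pruned once older than TICKET_TTL.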
  • If you consider using PHP on a new server, use nothing other than PHP 5.2.3; it may be a pain to rewrite or patch foreign code, but PHP 5.2 is more secure and 100% faster than PHP 4, and moreover PHP 4 is soon dead!

    PHP 4 end of life announcement
    "Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued.
    The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5. For documentation on migration for PHP 4 to PHP 5, we would like to point you to our migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well. from http://www.php.net/

    If you are not able to use the latest version, consider applying the PHP hardening patches from http://www.hardened-php.net/hphp/how_to_install_or_upgrade.html and compiling PHP yourself (these patches are no longer needed in PHP 5.2 since they are part of the main source tree). A lot of people already do that, even if it is not easy.

    PHP applications should not execute OS code... Disable certain PHP functions (system, exec, shell_exec, phpinfo).
    Malicious commands can be executed through PHP shell functions. If some programs still require these functions, consider:
    • looking for another application that works without these functions,
    • patching the code,
    • asking the authors to remove them, or to find a workaround.
    A lot of people do not configure PHP correctly...

    In fact not so many people configure their PHP runtime correctly, as shown in this study of 11 000 hosts based on phpinfo(). How can a hacker find this kind of vital information? Quite easily, thanks to any search engine.
    For example, in Google (the engine I know best), by typing allinurl: phpinfo.php I get 39200 hosts that are revealing these vital settings

    Conclusions from PHP configuration statistics
    [..]
    Configuration values hold surprises, or not. After reading those values, we may even wonder if some functionalities did require a directive or not...
    As usual, default values from the distribution are the most commonly used values: it shows how much trust PHP programmers have in the PHP group. Or, it may also show that too few people read the php.ini file, and understand it.
    [..]
    Rules:
    1. Always use the latest patch level version.
    2. Open and set up ALL php.ini files on disk (find / -name php.ini); this is especially true if you run more than one PHP version (php4/php5 as module or FastCGI)
    3. It is recommended to run PHP as FastCGI
    4. Recommended settings for a secure PHP are:
      register_globals = 0
      safe_mode = 1
      ; a well written PHP application should not rely on these functions to operate
      disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
      allow_url_fopen = 0
      magic_quotes_gpc = 1
      open_basedir = /www/httprootdir
    more to come here soon
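Rule 2 says to find and check every php.ini on disk; here is an added example (not a PHP or distribution tool) that reads a php.ini and reports where it departs from the settings in rule 4. It normalises booleans the way PHP does (On/Off, Yes/No, True/False, 1/0), compares disable_functions as a set, and only requires open_basedir to be set to something, since the directory is site-specific. The two ini texts are constructed samples.

```python
"""Check a php.ini against the settings recommended above
(added example, not a PHP tool). Sample ini texts are constructed."""

# Recommended values from rule 4; open_basedir only needs to be set to something.
RECOMMENDED = {
    "register_globals": "0",
    "safe_mode": "1",
    "allow_url_fopen": "0",
    "magic_quotes_gpc": "1",
}
MUST_DISABLE = {"show_source", "system", "shell_exec", "passthru", "exec",
                "phpinfo", "popen", "proc_open"}
_BOOL = {"on": "1", "off": "0", "yes": "1", "no": "0", "true": "1", "false": "0",
         "1": "1", "0": "0", "": "0", "none": "0"}


def parse_php_ini(text):
    """Minimal php.ini reader: ';' starts a comment, [sections] are skipped, key = value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings; an empty list means the file matches the recommendations."""
    s = parse_php_ini(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = s.get(key)
        if have is None:
            findings.append(f"{key} is not set (recommended {want})")
        elif _BOOL.get(have.lower(), have) != want:
            findings.append(f"{key} = {have} (recommended {want})")
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set (scripts may read the whole filesystem)")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    return findings


# Constructed samples: distribution-style defaults, and the hardened file from the rules above.
WEAK_INI = """; constructed php.ini with PHP 4 style defaults
[PHP]
register_globals = On
safe_mode = Off
allow_url_fopen = On  ; lets include() fetch remote files
magic_quotes_gpc = Off
disable_functions =
"""
HARDENED_INI = """[PHP]
register_globals = 0
safe_mode = 1
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 1
open_basedir = /www/httprootdir
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_php_ini(text) or ["no findings"])
```

Run it over the output of `find / -name php.ini` so that a second PHP install (the FastCGI copy, or a php4 beside php5) does not keep a forgotten php.ini with the old defaults.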
  • This article is extracted from:
    Joomla! Web Security

    Secure your Joomla! website from common security threats with this easy-to-use guide

  • Learn how to secure your Joomla! websites
  • Real-world tools to protect against hacks on your site
  • Implement disaster recovery features
  • Set up SSL on your site
  • Covers Joomla! 1.0 as well as 1.5
  • For more information, please visit:
    http://www.PacktPub.com/joomla-web-security-guide/book

    Joomla!, a very popular content management system (CMS), is as you may know easy to deploy and use. This ease of use has lent itself to rapid growth of both the CMS and extensions for it. You can install it on almost any host, running Linux or Windows. This highly versatile software has found itself in such lofty places as large corporate web portals, and humble places such as the simple blog.

    Joomla! itself is inherently safe, but misconfigurations of the CMS, vulnerable components, hosts that are poorly configured, and weak passwords can all contribute to the downfall of your site. Hence, it's always better to ensure the security of your site.

    In this article by Tom Canavan, we will take a look at how SQL injection attacks can occur to your Joomla website, how we can test for SQL injection attacks, and how to stop SQL injection.

    Introduction

    Mark Twain once said, "There are only two certainties in life-death and taxes." Even in web security there are two certainties: It's not "if you are attacked", but "when and how" your site will be taken advantage of.

    There are several types of attacks that your Joomla! site may be vulnerable to such as CSRF, Buffer Overflows, Blind SQL Injection, Denial of Service, and others that are yet to be found.

    The top issues in PHP-based websites are:

    • Incorrect or invalid (intentional or unintentional) input
    • Access control vulnerabilities
    • Session hijacks and attempts on session IDs
    • SQL Injection and Blind SQL Injection
    • Incorrect or ignored PHP configuration settings
    • Divulging too much in error messages and poor error handling
    • Cross Site Scripting (XSS)
    • Cross Site Request Forgery, that is CSRF (one-click attack)

    SQL Injections

    SQL databases are the heart of Joomla! CMS. The database holds the content, the users' IDs, the settings, and more. To gain access to this valuable resource is the ultimate prize of the hacker. Accessing this can gain him/her an administrative access that can gather private information such as usernames and passwords, and can allow any number of bad things to happen. When you make a request of a page on Joomla!, it forms a "query" or a question for the database. The database is unsuspecting that you may be asking a malformed question and will attempt to process whatever the query is. Often, the developers do not construct their code to watch for this type of an attack. In fact, in the month of February 2008, twenty-one new SQL Injection vulnerabilities were discovered in the Joomla! land. The following are some examples presented for your edification. Using any of these for any purpose is solely your responsibility and not mine:

    Example 1

    index.php?option=com_****&Itemid=name&cmd=section&section=-
    000/**/union+select/**/000,111,222,
          concat(username,0x3a,password),0,
        concat(username,0x3a,password)/**/from/**/jos_users/*

    Example 2

    index.php?option=com_****&task=****&Itemid=name&catid=97&aid=-
    9988/**/union/**/select/**/
    concat(username,0x3a,password),0x3a,password,
    0x3a,username,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0/**/
    from/**/jos_users/*

    Both of these will reveal, under the right set of circumstances, the usernames and passwords in your system. There is a measure of protection in Joomla! 1.0.13, with an encryption scheme that will render the passwords useless. However, it does not make sense to allow extensions that are vulnerable to remain. Yielding ANY kind of information like this is unacceptable.

    The following screenshot displays the results of the second example running on a test system with the vulnerable extension. The two pieces of information are the username that is listed as Author, and the Hex string (partially blurred) that is the hashed password:

    You can see that not all MD5 hashes can be broken easily. Though it won't be shown here, there is a website available where you enter your hash and it attempts to crack it. It supports several popular hashes.

    When I entered this hash (of a password) into the tool, I found the password to be Anthony.


    It's worth noting that this hash and its password are a result of a website getting broken into, prompting the user to search for the "hash" left behind, thus yielding the password.

    The important news, however, is that if you are using Joomla! 1.0.13 or greater, the password's hash is now calculated with a "salt", making it nearly impossible to break.
    However, the standard MD5 could still be broken with enough effort in many cases. For more information about salting and MD5 see: http://www.php.net/md5.

    For an interesting read on salting, you may wish to read this link: www.governmentsecurity.org/forum/lofiversion/index.php/t19179.htm

    SQL Injection is a query put to an SQL database where data input was expected AND the application does not correctly filter the input. It allows hijacking of database information such as usernames and passwords, as we saw in the earlier example.

    Most of these attacks are based on two things. First, the developers have coding errors in their code, or they potentially reused the code from another application, thus spreading the error. The other issue is the inadequate validation of input. In essence, it means trusting the users to put in the RIGHT stuff, and not put in queries meant to harm the system.
    User input is rarely to be trusted for this reason. It should always be checked for proper format, length, and range.

    There are many ways to test for vulnerability to an SQL Injection, but one of the most common ones is as follows:


    In some cases, this may be enough to trigger a database to divulge details. This very simplistic example would not work in the login box that is shown. However, if it were presented to a vulnerable extension in a manner such as the following it might work:



    This "posting" method (presented as a very generic exploit and not meant to work per se in Joomla!) will attempt to break into the database by putting forward queries that would not necessarily be noticed.

    But why 1=1- - ? According to PHP.NET, "It is a common technique to force the SQL parser to ignore the rest of the query written by the developer with --, which is the comment sign in SQL."

    You might be thinking, "So what if my passwords are hashed? They can get them but they cannot break them!"

    This is true, but if they wanted it badly, nothing keeps them from doing something such as this:

    INSERT INTO jos_mydb_users
    ('email','password','login_id','full_name')
    VALUES ('jdoe@example.com','default','Jdoe','John Doe');--';

    This code has a potential if inserted into a query such as this:

    http://www.yourdomain/vulnerable_extension//index.php?option=com_vulext
    INSERT INTO jos_mydb_users
    ('email','password','login_id','full_name')
    VALUES ('jdoe@example.com','default','Jdoe','John Doe');--';

    Again, this is a completely bogus example and is not likely to work. But if you can get an SQL DB to divulge its information, you can get it to "accept" (insert) information it should not as well.

    


    This article is extracted from:
    Joomla! Web Security

    Secure your Joomla! website from common security threats with this easy-to-use guide

  • Learn how to secure your Joomla! websites
  • Real-world tools to protect against hacks on your site
  • Implement disaster recovery features
  • Set up SSL on your site
  • Covers Joomla! 1.0 as well as 1.5
  • For more information, please visit:
    http://www.PacktPub.com/joomla-web-security-guide/book


    Testing for SQL Injections

    The following examples are known good tests to detect some SQL Injection vulnerabilities.

    Check for input vulnerabilities using "Single Quotes", as used in the following login form:

    howdy' OR 1=1- -

    This popular method is sometimes used in the form of a URL and you may see it appended to the INDEX.PHP in your log as follows:

    /index.php?id=howdy' OR 1=1 - -

    You may also wish to try inputting one of these popular methods:

    ' OR 1=1 - -

    " OR 1=1 - -

    'OR 'x'='x

    There are several more methods and this only scratches the surface of SQL Injections. They attempt to pass unchecked INPUT to the database, which will try to divulge an answer, rather than providing no answer.

    Note that you may see the use of the keyword UNION in your logs (see earlier examples). This is usually an early indicator that an attempt is being made on your site.
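    As an added example (not part of the original article), here is a small Python scanner that applies these log indicators (a quote followed by an OR tautology, an SQL comment opener, the UNION keyword) to constructed Apache access-log lines; the IP addresses, timestamps and paths are made up, and the signature patterns are my own assumptions, not the author's.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines; hosts, timestamps and
# paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:03:14:07 +0100] "GET /index.php?option=com_content&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2008:03:14:09 +0100] "GET /index.php?id=howdy%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 9981 "-" "curl/7.18.0"
203.0.113.9 - - [12/Mar/2008:03:14:11 +0100] "GET /index.php?option=com_vulext&id=1%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 500 301 "-" "curl/7.18.0"
198.51.100.4 - - [12/Mar/2008:03:15:00 +0100] "GET /index.php?option=com_search&searchword=cats+or+dogs HTTP/1.1" 200 7730 "-" "Mozilla/5.0"
"""

# Parse only the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed signatures for the indicators the article lists, tuned for low noise
# rather than completeness: a quote followed by an OR tautology, an SQL comment
# opener, and UNION ... SELECT.
SIGNATURES = [
    ("quote-tautology", re.compile(r"""['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
]


def classify_query(query):
    """Return the names of all signatures that match a decoded query string."""
    return [name for name, rx in SIGNATURES if rx.search(query)]


def find_sqli_attempts(log_text):
    """Scan access-log text; return (ip, decoded query, reasons) per flagged request.
    The query string is percent-decoded first so encoded quotes and spaces
    (%27, %20) are seen the way the application would see them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        query = unquote_plus(m.group("path").split("?", 1)[1])
        reasons = classify_query(query)
        if reasons:
            hits.append((m.group("ip"), query, reasons))
    return hits


if __name__ == "__main__":
    # Prints the two requests from 203.0.113.9; the benign search is not flagged.
    for ip, query, reasons in find_sqli_attempts(SAMPLE_LOG):
        print(f"{ip}  {', '.join(reasons)}  {query}")
```

    A benign "cats or dogs" search is not flagged because no quote precedes the OR; the patterns are a starting point for log review, not a replacement for fixing the vulnerable extension.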

    To learn more about SQL Injections from a developer's point of view, please refer to the following:

    http://us3.php.net/manual/en/security.database.sql-injection.php

    A Few Methods to Prevent SQL Injections

    This is somewhat beyond the scope of this article, but the following are some things to touch upon:

    Developers should ALWAYS validate the user input, that is, test for type, length, format, and range, and always consider what malicious input may be thrown at the queries.

    DO NOT assume anything about the user input. For example, you shouldn't assume that an upload box for images won't be used for some other purpose. You should restrict the uploads to file types that you want to accept.

    How will your application behave if a malicious user enters a 100-megabyte JPG where your application expects a username?

    What will happen to your site if a DROP TABLE statement is embedded in a text field? What about a database command such as INSERT?

    The answer is: Always enforce the size. If the maximum input is 2 Meg, then enforce it. Don't allow bigger inputs just because your users might otherwise be unhappy. If the maximum character length should be eight, do not allow inputs beyond it. This will prevent a buffer overflow, and other madness.

    Test the content of the string variables and accept only the expected values. Reject entries that contain binary data, escape sequences, and comment characters. This is a common technique.

    DO NOT ALLOW SQL statements directly from the user input. Provide a solid user interface that validates the users' input and then uses it.

    String concatenation is the primary point of entry for a script injection. So NEVER concatenate user input that has not been validated and checked to ensure that it carries no nasty payloads.

    ALWAYS assign user rights within your SITE (including you) with the LEAST privileges needed. This keeps down the possibility of using the unnecessary privileges to take over the site.

    NEVER connect to the database as an admin, superadmin, or the database owner. Always keep these particular users for administrative use only.

    And according to PHP.NET:

    "Check if the given input has the expected data type. PHP has a wide range of input validating functions, from the simplest ones found in Variable Functions and in Character Type Functions (for example, is_numeric(), and ctype_digit() respectively), and onwards to the Perl compatible Regular Expressions support.

    If the application waits for numerical input, consider verifying data with is_numeric(), or silently change its type using settype(), or use its numeric representation by sprintf()."
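    To make the concatenation-versus-parameters advice concrete, here is an added Python example (not code from the article or from Joomla) using an in-memory SQLite table modelled on the article's jos_mydb_users example; the table contents, the eight-character login_id rule and the helper names are assumptions for this example.

```python
import re
import sqlite3

# Assumed validation rule, following the article's advice to enforce type,
# length (max eight characters here) and format on a login id.
LOGIN_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,8}$")


def make_db():
    """Constructed in-memory table; column names follow the article's example,
    the row is made up (a real site stores a password hash, not 'hashed-secret')."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jos_mydb_users "
        "(email TEXT, password TEXT, login_id TEXT, full_name TEXT)"
    )
    conn.execute(
        "INSERT INTO jos_mydb_users VALUES "
        "('jdoe@example.com', 'hashed-secret', 'Jdoe', 'John Doe')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login_id, password):
    """The 'before': user input is concatenated straight into the SQL text,
    so a quote and a '--' comment in login_id rewrite the developer's query."""
    sql = (
        "SELECT login_id FROM jos_mydb_users WHERE login_id = '" + login_id
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, login_id, password):
    """The 'after': placeholders; the driver sends the values separately from
    the SQL text, so they can never be parsed as SQL."""
    sql = "SELECT login_id FROM jos_mydb_users WHERE login_id = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login_id, password))]


def validate_login_id(value):
    """Type, length and format check: reject anything that is not a short
    alphanumeric token (quotes, spaces and comment characters all fail)."""
    return isinstance(value, str) and LOGIN_ID_RE.match(value) is not None


def validate_numeric_id(value):
    """The PHP.NET advice (is_numeric()/settype()) for an id=... parameter:
    return the integer, or None when the input is not purely digits."""
    if not isinstance(value, str) or not value.isdigit():
        return None
    return int(value)


def login_hardened(conn, login_id, password):
    """Validate first, then query with parameters (never concatenate)."""
    if not validate_login_id(login_id):
        return []
    if not isinstance(password, str) or not 1 <= len(password) <= 64:
        return []
    return login_parameterized(conn, login_id, password)


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 -- "  # trailing space: MySQL needs whitespace after '--'
    print("vulnerable   :", login_vulnerable(db, bypass, "wrong"))     # ['Jdoe']
    print("parameterized:", login_parameterized(db, bypass, "wrong"))  # []
    print("hardened     :", login_hardened(db, bypass, "wrong"))       # []
    print("numeric id   :", validate_numeric_id("42' OR 1=1"))         # None
```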

    There are commercially available tools such as Acunetix that can test for SQL Injections, and several sites that list recent and past extension vulnerabilities.

    In essence, test your system using some of the methods mentioned, provide it an input that is totally off the wall, or find some of the exploits and try them on your test server.

    Lastly, keeping your system patched is probably one of the best methods to prevent SQL Injections.

    About the Author

    A twenty-three year veteran of the computer business, and a Data Center Technology Consultant to Fortune-1000 companies, Tom Canavan is a Certified Ethical Hacker and has a degree in Robotics and Numerical Control. He is author of the book Dodging the Bullets - A Disaster Preparation Guide for Joomla! Based Websites.

  •  .htaccess files are very versatile and can easily protect some areas of your homepage. In the case of Mambo, I am here giving you a way to secure it in less than 5 minutes. 

    All you have to do is to drop a file named .htaccess in your /administrator directory.

    Here is a template of .htaccess you can use:
    # Do not allow any user to access this file - to copy in all .htaccess
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    Force the admin area to require an .htaccess password:
    AuthType Basic
    AuthUserFile /pathto/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Walter Cedric Administrator Area"
    # Note: <Limit GET POST> protects only those two methods; a bare
    # "require valid-user" without the <Limit> wrapper covers every HTTP method.
    <Limit GET POST>
    require valid-user
    </Limit>

    • pathto should normally be outside your public webserver directory!
      In Plesk, that means outside the httpdocs directory!
    • .htpasswd is a text file which contains a mapping login:password.

    Example of .htpasswd
    admin:XXXXXXX

    XXXXXXX must be replaced by its crypt() version; use this URL to create a new
    crypted value:

    http://de.selfhtml.org/cgi-bin/cryptform.pl?password=aSI45I56B4KgR34542

    In this example, I want to have aSI45I56B4KgR34542 as password (my real password is even more complex!); the page then displays

    cziW29BR6Y3fM

    Be careful, it changes at each reload of the page since the system adds "salt" to the password in order to make brute force attacks with a dictionary harder.

    So I create a file .htpasswd which contains:

    Example of .htpasswd
    admin:cziW29BR6Y3fM

    So in order to get into my Mambo administrator panel, I will have to type

     

    user name: admin
    password: cziW29BR6Y3fM

    .htaccess supports many more keywords and ways to protect data or directories.
    I recommend you google a little bit to find some exhaustive articles like this one in German:
    http://de.selfhtml.org/servercgi/server/htaccess.htm#optionen

    If you're using my component hashcash or any statistics log tool on your server, you may know the IPs of the bad guys who try to break into your site. There is a way to block these attacking zombies at the server level. Just extend the Limit section of the .htaccess file:

    <Limit GET POST>
    order allow,deny
    allow from all
    deny from XXX.XXX.XXX.XXX
    deny from .microsoft.com
    </Limit>

    where XXX.XXX.XXX.XXX is the IP or part of the IP (XXX or XXX.XXX or XXX.XXX.XXX), but it can also be a DNS name. You can add as many lines as you want.

  • joomla_cms

    Following the security guidelines of the Joomla mailing list:

    • Edit globals.php to turn Joomla! register_globals emulation off. Although Joomla! emulation is safer than the PHP register_globals directive, it's best not to allow register_globals at all. Beginning with PHP 6, this will not even be an option, and it's about time. Here's the correct setting for turning Joomla!'s register_globals emulation off:
      define( 'RG_EMULATION', 0 );
      Note that some extensions will not work correctly with register_globals emulation off:
      http://forum.joomla.org/index.php/topic,86525.0.html

    A lot of people have turned RG_EMULATION off and it has caused a lot of problems in some Joomla components, including mine. My site is also not working properly... I should have found it alone, 3 days without emails and comments is not usual ;-). Anyway the forum is working :-)

    So here are my Joomla components:

    • AkoBookPlus 2.0.4 (NEW; credits to Beat, Q&T Workgroup Sr. Member): Download at Joomla Forge
    • AkoCommentPlus 1.1.7 (NEW; credits to Beat, Q&T Workgroup Sr. Member): Download at Joomla Forge
    • SecurityImages 3.0.8 (NEW; the release 4.0.0 with a lot of changes will follow this week): Download at Joomla Forge
    • JoomlaCloud 1.0.3 (NEW, coming soon; the release 1.1.0 with a lot of changes will follow this week): Download at Joomla Forge
    • OpenComment beta1 (NEW, coming soon): Download at Joomla Forge
    • com_log4php (NEW, coming soon): Download at Joomla Forge
    • com_hashcash 1.2.4 (NEW, coming soon): Download at Joomla Forge


    Please report any non-working versions to me so I can make changes if necessary.
  • joomla_cms

    The demo site demo.waltercedric.com is automatically deleted (database and file system) and restored every 60 minutes to wipe the system clean for other new users.

    The login to the Administrator panel is

    login admin
    password admin

    How I've done it...
    (the placeholder values have to be replaced)

    1. Create all needed directories
    Ex for plesk
    # mkdir /var/www/vhosts/waltercedric.com/private/db-demo-initial
    # mkdir /var/www/vhosts/waltercedric.com/private/file-demo-initial

    2. First make an INITIAL backup of the database
    in the state you want it to be for your demo site, with mysqldump:
    # mysqldump -u [DatabaseUsername] -p[DatabasePassword] [DatabaseName] > /path/to/filename

    Ex for plesk
    Files are stored in the private directory so only I can access them.
    # mysqldump -uDatabaseUser -pDatabasePassword DatabaseName > /var/www/vhosts/waltercedric.com/private/db-demo-initial/DatabaseName.sql

    3. Then make an INITIAL backup of the file structure
    # cp -pr srcDirectory destinationDirectory

    Ex for plesk
    # cp -prf /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs/* /var/www/vhosts/waltercedric.com/private/file-demo-initial

    4. Then put everything in a CRONTAB

    The purpose of this task is to restore the files and the database periodically. You can use mysqlimport (but it didn't work for me), so I use the mysql command line.
    If you want, let's say, to restore the database every hour at ten past the hour, your crontab entry would look like this:

    10 */1 * * * mysql -u[username] -p[password] [databasename] < [/path/to/filename]

    If you want, let's say, to restore the files every hour at twenty past the hour, your crontab entry would look like this:
    20 */1 * * * cp -prf srcDirectory destinationDirectory

    Ex
    5 */1 * * * cp -prf /var/www/vhosts/waltercedric.com/private/file-demo-initial/*  /var/www/vhosts/waltercedric.com/subdomains/demo/httpdocs
    6 */1 * * * mysql -uXXXX -pYYYYY demo < /var/www/vhosts/waltercedric.com/private/db-demo-initial/demo.sql


  • Rootkit Hunter is a scanning tool that ensures with about 99.9%* certainty that you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
    • MD5 hash compare
    • Look for default files used by rootkits
    • Wrong file permissions for binaries
    • Look for suspected strings in LKM and KLD modules
    • Look for hidden files
    • Optional scan within plaintext and binary files
    Rootkit Hunter is released as a GPL licensed project and is free for everyone to use.
    # wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
    # tar -xzvf rkhunter-1.1.4.tar.gz
    # cd rkhunter
    # ./installer.sh


    Receive an e-mail every day with the Rootkit Hunter result
    For the root user
    # crontab -e
    For any user
    # crontab -e -u username

    and add

    0 3 * * * (/usr/local/bin/rkhunter --checkall 2>&1 | mail -s "rkhunter output" -c [cc-address-1],[cc-address-2] [to-address])

    * the correct path can be found with: which rkhunter
    This will run Rootkit Hunter at 3:00 am every day, and e-mail the output to [to-address] with copies to [cc-address-1] and [cc-address-2] (replace the bracketed placeholders with your own addresses).

    Nota
    If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advise you to reinstall the server from scratch and restore a previous backup (that means saving nothing from the server as soon as the rootkit is revealed...).

    Links

    http://www.rootkit.nl/projects/rootkit_hunter.html
  • A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system. Rootkits have their origin in benign applications, but in recent years have been used increasingly by malware to help intruders maintain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules. [WikiPedia]

    Rootkit Hunter is a scanning tool which scans for rootkits, backdoors and local exploits by running tests like:
    • MD5 hash compare
    • Look for default files used by rootkits
    • Wrong file permissions for binaries
    • Look for suspected strings in LKM and KLD modules
    • Look for hidden files
    • Optional scan within plaintext and binary files
    Rootkit Hunter is released as a GPL licensed project and is free for everyone to use. You can download it at
    http://www.rootkit.nl/projects/rootkit_hunter.html

    This tool is just a tarball with a set of files inside. It is highly recommended to run it from read-only media to avoid tampering attempts by a hacker. Run
    # ./installer.sh
    then
    # rkhunter

    h790663:/var/www/vhosts/waltercedric.com/private # rkhunter

    Rootkit Hunter 1.2.9, Copyright 2003-2006, Michael Boelen

    Under active development by the Rootkit Hunter project team. For reporting
    bugs, updates, patches, comments and questions see: rkhunter.sourceforge.net

    Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
    and you are welcome to redistribute it under the terms of the GNU General
    Public License. See LICENSE for details.


    Valid parameters:
    --checkall (-c)           : Check system
    --createlogfile <file>*   : Create logfile (file is optional, defaults to
                              : /var/log/rkhunter.log)
    --cronjob                 : Run as cronjob (removes colored layout)
    --display-logfile         : Show logfile at end of the output
    --help (-h)               : Show this help
    --nocolors*               : Don't use colors for output
    --report-mode*            : Don't show uninteresting information for reports
    --report-warnings-only*   : Show only warnings (lesser output than --report-mode,
                              : more than --quiet)
    --skip-application-check* : Don't run application version checks
    --skip-keypress (-sk)*    : Don't wait after every test (non-interactive)
    --quick*                  : Perform quick scan (instead of full scan)
    --quiet*                  : Be quiet (only show warnings)
    --update                  : Run update tool and check for database updates
    --version                 : Show version and quit
    --versioncheck            : Check for latest version

    --bindir <bindir>*        : Use <bindir> instead of using default binaries
    --configfile <file>*      : Use different configuration file
    --dbdir <dir>*            : Use <dbdir> as database directory
    --rootdir <rootdir>*      : Use <rootdir> instead of / (slash at end)
    --tmpdir <tempdir>*       : Use <tempdir> as temporary directory

    Explicit scan options:
    --allow-ssh-root-user*    : Allow usage of SSH root user login
    --disable-md5-check*      : Disable MD5 checks
    --disable-passwd-check*   : Disable passwd/group checks
    --scan-knownbad-files*    : Perform besides 'known good' check a 'known bad' check
    --check-deleted           : Perform 'deleted files' check
    --check-listen            : Perform 'listening applications' check

    Multiple parameters are allowed
    *) Parameter can only be used with other parameters



    False alarms:

    * Filesystem checks
       Checking /dev for suspicious files...                      [ OK ]
       Scanning for hidden files...                               [ Warning! ]
    ---------------
    /etc/.pwd.lock /dev/.udevdb
    ---------------
    Please inspect:  /dev/.udevdb (directory)


    /dev normally contains only device names and hence udev stores its private configuration information in a hidden directory. Rkhunter
    complains because rootkits are known to create such directories.
     
  • After "Microsoft Warns of New Security Threat" (system monitoring programs, called rootkits, may pose a serious danger to your PC), it is time to see what offerings are available to protect our PCs...

    A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows. [WikiPedia]

    The Windows rootkit threat has never been as high as today ("Rootkit creators turn professional").
    All major antivirus vendors are now starting to provide solutions, with more or less success:
    • Symantec: Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security.
    • Sysinternals is a company better known for its hacking and developer tools, but they have been the first to give away a free rootkit revealer and detection program.
    • F-Secure Corp has added rootkit-detection features to its product suite: F-Secure BlackLight
    • Microsoft: Strider GhostBuster is a future tool from the giant.


    The only problem is that the only real solution is to restore your system using a "non corrupted" OS version (the problem is having enough backups)...

    Also do not forget to visit the biggest community (33 000 users) at www.rootkit.com


  • apache_maven

    Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.

    Acunetix can detect a range of security vulnerabilities (click here for a list).

    As of now, Acunetix WVS does not support automated scanning via APIs. However, Acunetix WVS supports the command line, which can provide similar functionality and is an easy way to integrate Acunetix WVS with other third party applications.

    The example I am providing uses Maven and starts Acunetix against your web application in the phase “integration-test”. Note that running Acunetix is a costly operation: it costs CPU, takes a lot of time and stresses your network, so I recommend running it at night (3 or 4 AM) so developers can receive feedback the day after. I have also defined a Maven profile “WebappSecurityTesting” so I can trigger the check in a new build in JetBrains TeamCity/Atlassian Bamboo/Hudson with -PWebappSecurityTesting in the Maven goals list.

    Trivial but worth mentioning:

    • You need, in the Maven phase “pre-integration-test”, to deploy your web application to a running container (Tomcat, JBoss, WebLogic, IIS...) before running Acunetix against it
    • You need to adapt the environment-specific values below (the Acunetix install directory, the target URL, the report path and format) to your runtime environment
    • The Ant task is run only if your OS matches the string “Windows XP”, so remove this or use the right OS name as determined by the Java Virtual Machine and set in the "os.name" system property.
    <profiles>
        <profile>
            <id>WebappSecurityTesting</id>
            <activation>
                <activeByDefault>false</activeByDefault>
                <!-- automatic activation
                    <file>
                    <exists>C:\acunetix\wvs_console.exe</exists>
                    </file>
                -->
            </activation>
            <build>
                <plugins>
                    <plugin>
                        <artifactId>maven-antrun-plugin</artifactId>
                        <executions>
                            <execution>
                                <phase>integration-test</phase>
                                <configuration>
                                    <tasks name="Run acunetix webscanner">
                                        <exec dir="C:\acunetix" executable="wvs_console.exe"
                                            os="Windows XP"
                                            output="${basedir}/target/acunetix/result.txt">
                                            <arg value="/Scan"/>
                                            <arg value="http://testphp.acunetix.com"/>
                                            <arg value="/Profile"/>
                                            <arg value="default"/>
                                            <arg value="/SaveToDatabase"/>
                                            <arg value="/GenerateReport"/>
                                            <arg value="${basedir}/target/acunetix"/>
                                            <arg value="/ReportFormat"/>
                                            <arg value="PDF"/>
                                            <arg value="/ReportExtraParams"/>
                                            <arg value="/r WVSComplianceReport.rep /k PCI12.xml"/>
                                            <arg value="--ScanningMode=Heuristic"/>
                                            <arg value="--UseAcuSensor=TRUE"/>
                                            <arg value="--EnablePortScanning=TRUE"/>
                                        </exec>
                                    </tasks>
                                </configuration>
                                <goals>
                                    <goal>run</goal>
                                </goals>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>

    Explanation

    The Acunetix WVS console application is run by executing 'wvs_console.exe' from the Acunetix WVS installation directory. An example of a typical Acunetix WVS scan command, with an explanation of each parameter, can be found below:

    /Scan http://testphp.acunetix.com: Instruct the scanner to launch a single site scan against http://testphp.acunetix.com.

    /Profile default: Use default profile for scanning.

    /SaveToDatabase: This parameter instructs the scanner to save scan results to reporting database.  If this parameter is not enabled, reports cannot be generated.

    /GenerateReport "c:\reports\": Generate scan report in the path 'c:\reports'.

    /ReportFormat PDF: Generate the report in PDF format.

    /ReportExtraParams "/r WVSComplianceReport.rep /k PCI12.xml": Generate a PCI version1.2 compliance report (PCI12.xml) using the Compliance reporting template (WVSComplianceReport.rep).

    --ScanningMode=Heuristic: This option is to instruct the scanner to use heuristic scanning mode against specified target.

    --UseAcuSensor=TRUE: Use AcuSensor Technology during scan. The AcuSensor client files must be installed and configured on the target for AcuSensor Technology to function.

    --EnablePortScanning=TRUE: Instruct the scanner to port scan the target as well, and run network security tests (Network Alerts) against the target.

    References

  • I know that Secure, Safe, Fast Linux Hosting sounds silly, as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted at people running an open source stack made of Apache, MySQL, PHP and Linux.

    This list is an ongoing work, that is why it also has a version number (v1.0). As soon as I learn new tricks, the list will be updated.

    By clicking read more, You'll be able to go through the checklist, or maybe you'll prefer the mindmap version HERE

     

  • This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas have been added.

    Secure, Safe, Fast Linux Hosting sounds silly, as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted at people running an open source stack made of Apache, MySQL, PHP and Linux.

    By clicking read more, You'll be able to go through the checklist, or maybe you'll prefer the mindmap version HERE

    The next mind map will be a how to forensic a hacked Linux server...

  • This list is an ongoing work and since the version 1.0 (01 March 2008), a lot of nodes/ideas and now links have been added. The tree is also now a  lot more structured...

    Secure, Safe, Fast Linux Hosting sounds silly, as nothing can be fast and secure at the same time, but I've compiled a list of things that are worth doing if you are maintaining your own server. This list is clearly targeted at people running an open source stack made of Apache, MySQL, PHP and Linux.

    By clicking read more, You'll be able to go through the checklist as HTML, or maybe you'll prefer the mindmap version HERE

     


    powered by Freemind, free mind mapping