security

Security is the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization. [read more at http://en.wikipedia.org/wiki/Security]

  • Here is the latest version of my growing mind map that will help you to secure your Linux box. While some nodes are clearly targeted toward Joomla!, you can still safely apply a lot of my recommendations to any LAMP (Linux, Apache, MySQL, PHP) server.

     

    This mind map is an ongoing work, which is why it also carries a version number (v1.6). As soon as I learn new tricks, the mind map will be updated.


    Added Crash – Kernel Panic / Password / Intrusion Detection / Joomla! links / PHP settings / mod security

    New mind maps are currently in development:

    • Linux Compromised Server Checklist
    • Linux Server What to monitor

    By clicking read more, you'll be able to go through the checklist as text, or download the mind map as a PDF (2MB).

     

  • An interesting white paper (PDF version here) by The Apache Software Foundation explaining how to secure your Apache Axis web services and defining the SOAP classes of attack.
  • The National Security Agency (NSA)

    NSA/Central Security Service (NSA/CSS) is a United States government agency responsible for both the collection and analysis of message communications, and for the security of government communications against similar agencies elsewhere. It is a part of the Department of Defense. [WikiPedia]

    has developed and distributed configuration guidance for Microsoft Windows NT and Windows 2000 in the form of configuration guides. These guides are currently being used throughout the government and by numerous entities as a security baseline for their Windows systems.
    To assist our Windows XP user community, NSA has developed security configuration guidance for Windows XP, with the cooperation of other government agencies....
    Microsoft Windows XP Guides

    Unfortunately, there is no guide for Linux (only one for Solaris).

  • If you are on the paranoid side (and you had better be, if you use e-banking on an internet-connected PC):

    Secunia is a well-known internet site. Secunia is a Danish computer security service provider best known for tracking vulnerabilities in more than 12,400 pieces of software and operating systems. Numbers of "unpatched" vulnerabilities in popular applications are frequently quoted in software comparisons. Secunia also tracks currently active computer viruses. Secunia has gained publicity and a notable reputation with the discovery of major zero-day vulnerabilities in Internet Explorer and other widely used programs.

    What is really new and interesting is that they are providing a free tool, Secunia PSI, which scans your PC and lets you download the latest secure version of all your installed software. Something Microsoft should have done before Secunia.

    "The Secunia PSI detects installed software and categorises your software as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors." [...]

     

    Highlights of the Secunia PSI:

    • The Secunia PSI will be available free of charge
    • Calculates your unique Secunia System Score
    • Automatically scans your computer
    • Enables you to update Insecure/End-of-Life software
    • Provides Direct Download Links to security updates & patches
    • Detects and advises on more than 4,700 applications
    • Direct correlation between thousands of Secunia Advisories and your specific system and software
    • Secure SSL encrypted connection to Secunia


     

  • Joomla 2.5 is right around the corner, it is due on January 24th, 2012! Still not decided whether or not to upgrade to Joomla 2.5 from 1.5 or 1.0?


  • SIM is a system and services monitor for ‘SysVinit’ systems. It is designed to be intuitive and modular in nature, and to provide a clean and informative status system.
    It does this by consistently verifying that services are online, load averages are in check, and log files are at reasonable sizes. Many other SIM modules sport different and in-depth features to bring a well rounded tool to your disposal to stop otherwise common issues daunting internet hosts.

    Features:
    - Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
    - Event tracking and alert system
    - Auto restart ability for downed services
    - Checks against network sockets & process list to ensure services are online
    - Advanced HTTP service monitoring, to prevent commonly encountered issues
    - System load monitor with customizable warnings & actions
    - Ability to auto restart system with definable critical load level
    - Priority change configurable for services, at warning or critical load level
    - Informative command line status display
    - Easily customizable configuration file
    - Auto configuration script
    - Auto cronjob setup feature
    - Simple & Informative installation script
    - Integrated auto-update feature
    - And more...

    From http://www.r-fx.org/sim.php

    Installation is once again straightforward:

    # wget http://www.r-fx.ca/downloads/sim-current.tar.gz
    # tar xvf sim-current.tar.gz
    # cd sim-*

    The installation of SIM is easily accomplished: a simple shell script named 'setup' is included with SIM. Running this script will tend to all the install tasks for SIM.

    # ./setup -i
    -i     Install
    -q     Quick install
    -u     Uninstall
    -c     Install/Uninstall cronjob

    Press "SPACE" to go to the next page when you read the licence.

    Press "RETURN" to quit

    The readme is then displayed, press "SPACE", then "RETURN"

    Ideally once SIM is configured it is best to run from a cronjob. The 'setup'
    SIM 2.5-4 <email address hidden>
    Creating installation paths:            [##########]
    Installing SIM 2.5-4 to /usr/local/sim:         [##########]

    SIM 2.5-4 installation completed, related notes:
    Executable:             /usr/local/sim/sim
    Executable symlink:     /usr/local/sbin/sim
    Config file:            /usr/local/sim/conf.sim
    Autoconf script:        /usr/local/sim/autoconf
    Autoconf symlink:       /usr/local/sbin/sim-autoconf
    Cronjob setup:          /usr/local/sim/sim -j

    SIM 2.5-4 must now be configured for use on this system, Press
    return to run the autoconf script (/usr/local/sim/autoconf).

    SIM 2.5-4 Auto-Config Script

    All questions default to value in brackets if no answer is given. If you
    make a typo during the autoconf process, hit CTRL+C (^C) to abort and
    rerun the autoconf script (/usr/local/sim/autoconf).

    The below are general configuration options for SIM:
    press return to continue...

    Where is SIM installed ?
    [/usr/local/sim]:
    "RETURN"

    Where should the sim.log file be created ?
    [/usr/local/sim/sim.log]:
    "RETURN"

    Max size of sim.log before rotated ? (value in KB)
    [128]:
    "RETURN"

    What is the location of your kernel log ?
    Found kernel log at /var/log/messages
    "RETURN"

    Where should alerts be emailed to ? (e.g: root, user@domain)
    [root]: <email address hidden>
    "RETURN" (enter an external email address, not one from the mail server's domain!)

    Disable alert emails after how many events, to avoid email flood ?
    (Note: events stats are cleared daily)
    [8]:
    "RETURN"

    The below are configuration options for Service modules:
    press return to continue...

    Auto-restart services found to be offline ? (true=enable, false=disable)
    [true]:
    "RETURN"

    Enforce laxed service checking ? (true=enable, false=disable)
    [true]:
    "RETURN"

    Disable auto-restart after how many downed service events ?
    (Note: events stats are cleared daily)
    [10]:
    "RETURN"

    Enable FTP service monitoring ? (true=enable, false=disable)
    [false]:
    "RETURN"

    Name of the FTP service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    Found service name as proftpd

    TCP/IP port that FTP operates on ?
    [21]:
    "RETURN"

    Path to FTP service init script ?
    [/etc/init.d/proftpd]:
    "RETURN"

    Enable HTTP service monitoring ? (true=enable, false=disable)
    [false]:true
    "RETURN"

    Name of the HTTP service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    Found service name as httpd

    TCP/IP port that HTTP operates on ?
    [80]:
    "RETURN"

    Path to HTTP service init script ?
    [/etc/init.d/httpd]:
    "RETURN"

    Enable DNS service monitoring ? (true=enable, false=disable)
    [false]:true
    "RETURN"

    Name of the DNS service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    Found service name as named


    TCP/IP port that DNS operates on ?
    Found service port as 53

    Path to DNS service init script ?
    Found service init script at /etc/init.d/named

    Enable SSH service monitoring ? (true=enable, false=disable)
    [false]:true
    "RETURN"

    Name of the SSH service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    Found service name as sshd

    TCP/IP port that SSH operates on ?
    Found service port as 22
    "RETURN"

    Path to SSH service init script ?
    Found service init script at /etc/init.d/sshd

    Enable MYSQL service monitoring ? (true=enable, false=disable)
    [false]:true
    "RETURN"

    Name of the MYSQL service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    Found service name as mysqld

    TCP/IP port that MYSQL operates on ?
    Found service port as 3306

    Path to MYSQL service init script ?
    Found service init script at /etc/init.d/mysql

    Enable SMTP service monitoring ? (true=enable, false=disable)
    [false]:   
    "RETURN"

    Enable XINET service monitoring ? (true=enable, false=disable)
    [false]:true

    Name of the XINET service as appears in 'ps' ?
    Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    Found service name as xinetd

    TCP/IP port that any XINET service operates on (e.g: pop3, 110) ?
    [110]:
    "RETURN"

    In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source daemon which runs on many Unix systems and manages Internet-based connectivity. It offers a more secure extension to or version of inetd, the Internet daemon.

    xinetd features access control mechanisms such as TCP Wrapper ACLs, extensive logging capabilities, and the ability to make services available based on time. It can place limits on the number of servers that the system can start, and has deployable defence mechanisms to protect against port scanners, among other things. [WikiPedia]

    Path to XINET service init script ?   (see www.xinetd.org/faq.html)
    Found service init script at /etc/init.d/xinetd

    Enable ENSIM service monitoring ? (true=enable, false=disable)
    [false]:
    "RETURN"

    Enable PGSQL service monitoring ? (true=enable, false=disable)
    [false]:
    "RETURN"

    The below are configuration options for Service Specific features:
    press return to continue...
    After an unclean HTTP shutdown, semaphore array's may remain allocated
    and cause the service to fall into a looping restart cycle. Using this
    feature clears semaphore arrays on HTTP restart.
    Enable semaphore cleanup ?
    [false]:
    "RETURN"

    This is an implamented feature in the http module, its purpose is to
    determine if/when the apache server locks up or otherwise stops
    responding.
    Enable URL aware monitoring ?
    [false]:
    "RETURN"

    HTTP log files can grow large and cause the service to crash
    (segfault), this feature will keep the main HTTP logs incheck.
    Enable HTTP log monitor ?
    [false]:true
    "RETURN"

    What is the location of your HTTP servers, log files ?
    (should point to a directory, not file)
    [/var/log/httpd]:/var/log/apache2

    Max size of HTTP log files, before cleared ? (value in MB)
    [300]:
    "RETURN"

    MySQL uses a /tmp symlink of its mysql.sock socket file. This
    feature verifies that the symlink exists from the main mysql.sock
    file, and if not it is recreated.
    Enable MySQL Socket correction ?
    [false]:
    "RETURN"

    The below are configuration options for System modules:
    press return to continue...

    Enable NETWORK monitoring ? (true=enable, false=disable)
    [false]:true
    "RETURN"

    interface to monitor ?
    [eth0]:
    "RETURN"

    Path to NETWORK init script ?
    Found service init script at /etc/init.d/network

    Enable LOAD monitor ? (true=enable, false=disable)
    [false]:
    "RETURN"

    Configuration completed, saving conf.sim...
    Done, conf.sim saved to /usr/local/sim.

    Now that SIM (System Integrity Monitor) has been configured, add it as a cronjob:

    # ./setup -c
    SIM 2.5-4 <email address hidden>
    Removed SIM cronjob.
    # ./setup -c
    SIM 2.5-4 <email address hidden>
    Installed SIM cronjob.


    If everything goes well, you can check the installation by typing:

    # /etc/init.d/mysqld stop

    This will stop the MySQL daemon! You will receive an email shortly afterwards, showing that MySQL was detected as stopped and has been restarted:

    System integrity monitor on xxxxx has taken action in responce to an event. Recent event logs are enclosed below for your inspection. There has been 1 events today, if an average of 8 events is reached, e-mail alerts will be terminated for the duration of the day.

    - Events Summary:
    Total event count:   1
    Average event count: 0

    - Service Summary:
    FTP       [online - 0 events]
    HTTP      [online - 0 events]
    DNS       [online - 0 events]
    SSH       [online - 0 events]
    MYSQL     [restart success - 1 events]
    XINET     [online - 0 events]

    - System Summary:
    NETWORK   [eth0 - online - 0 events]

    - SIM Log:
    [07/21/07 12:10:01]: touched log file.
    [07/21/07 12:10:01]: sim.dat not found, created.
    [07/21/07 12:10:01]: no .chk modules enabled.
    [07/21/07 12:15:03]: no .chk modules enabled.
    [07/21/07 12:20:01]: no .chk modules enabled.
    [07/21/07 12:25:01]: NETWORK is online.
    [07/21/07 12:25:01]: FTP service is offline.
    [07/21/07 12:25:01]: FTP service is offline.
    [07/21/07 12:25:01]: FTP restart failed, could not find /etc/init.d/proftpd.
    [07/21/07 12:25:01]: FTP restart failed, could not find /etc/init.d/proftpd.
    [07/21/07 12:25:01]: HTTP service is online.
    [07/21/07 12:25:01]: DNS service is online.
    [07/21/07 12:25:01]: SSH service is online.
    [07/21/07 12:25:01]: MYSQL service is online.
    [07/21/07 12:25:01]: XINET service is online.

  • I now have way too many sub-domains and websites not to try to make the registration or login process easier.

    Each of the above domains/sub-domains has its own registration and login process. I would like, as soon as possible, to make people register only once and give them easy access to all these services.

    SSO

    Single Sign-On?

    Basically, one likely solution would be to use OpenID.

    OpenID is an open, decentralized standard for user authentication and access control, allowing users to log onto many services with the same digital identity. As such, it replaces the common login process that uses a login-name and a password, by allowing a user to log in once and gain access to the resources of multiple software systems. [WikiPedia]

    Advantages

    • Joomla, Bamboo, JIRA are able to use OpenID
    • More than 200 million users worldwide
    • Free implementations and sometimes even some ready-to-use plugins

    But

    1200 users are registered, and how do I migrate them all??? Not all are active, but I can just delete their accounts…

  • This small plugin automatically adds to any article a set of social icons that let your readers increase your social ranking. It supports

  • Some useful Bash/Linux aliases taken from my user profile. If you have a long command that you type frequently, consider putting it in as an alias.

    In computing, alias is a command in various command line interpreters (shells) such as Unix shells, 4DOS/4NT and Windows PowerShell, which enables a replacement of a word with another string. It is mainly used for abbreviating a system command, or for adding default arguments to a regularly used command. [WikiPedia]

    Description and alias:

    • Find all directories and chmod them to rwxr-xr-x (755)
      alias fixpermD='find . -type d -exec chmod 755 {} \;'
    • Find all files and chmod them to rw-r--r-- (644)
      alias fixpermF='find . -type f -exec chmod 644 {} \;'
    • Both of the above, and set the user and group recursively, in one shot
      alias fixUserAPerms='fixpermF; fixpermD; chown -R userA .; chgrp -R usergrp .'
    • Make a directory and all its files recursively read-only: secure, but a pain to maintain (see next)
      alias ro='find . -type f -exec chmod 444 {} \; ; find . -type d -exec chmod 555 {} \;'
    • Make a directory and all its files recursively read-write, just for the time it takes to update your site
      alias rw='find . -type f -exec chmod 644 {} \; ; find . -type d -exec chmod 755 {} \;'
    • Lower-case all file names in the current directory
      alias lowercaseallfiles='for f in *; do mv "$f" "$(echo "$f" | tr "[:upper:]" "[:lower:]")"; done'
    • List all open connections to your server
      alias listOpenConnections='lsof -i'
    • List all listening internet services
      alias listinternetconnection='netstat -lptu'
    • Find the 10 biggest directories by size
      alias dirsizes='du -cks * | sort -n | tail -10'
    • Show open ports
      alias openports='netstat -nape --inet'
  • Disabling root login will force any would-be hacker to crack two passwords instead of only one, making it more difficult to break into your server.

    You must already have another user on the box which is NOT root.

    vi /etc/ssh/sshd_config

    Search for line

    PermitRootLogin yes


    and change it to

    PermitRootLogin no


    restart sshd by typing
    /etc/init.d/sshd restart
  • I was contacted 2 days ago by a thief. This technique is quite old (at least 3 years) but is always worth mentioning.

    Your bank will credit the amount in a few days, but... the certified check is a stolen one that will take 3 to 4 weeks to be rejected by your bank. Enough time for the robber to get the item and some money from you (they will pick up the item and ask for the shipping fees back in cash :-)). In the end you lose your item and some cash, and can get in trouble with your bank if you ever used the credited money.

     

    Here is what they sent to me:

     

    Dear Sir/Madam,
    I am interested in purchasing this Bike it suits my requirements perfectly,I have two garages one in England and the other in the Netherlands i shuffle most of my time between the two.
    THESE ARE MY TERMS OF TRANSACTION:
    1) DO KINDLY GET IN TOUCH WITH THE LEAST PRICE.
    2) I WILL BE PAYING WITH A CERTIFIED EURO BANK CHECK WHICH I WILL ALLOW TO CLEAR BEFORE THE PICKUP/SHIPMENT OF THE BIKE.
    3) I WILL INCLUDE FEES FOR SHIPMENT IN PAYMENT, THIS MY SHIPPING AGENCY WILL USE FOR PICK-UP.
    The excess funds will go towards covering costs for shipping,shippers fees,insurance,tax and any other expenses that might be incurred getting it down to the new owner.
    I will want you to get in touch with the following details if my terms are okay:
    FULL NAME.............................
    ADDRESS.......................
    TELEPHONE NUMBERS....................(Mobile and Land)
    As soon as i have your details i can have payment effected immediately all things being equal we should have this wrapped up by the end of this week.
    Please note that you'll have to send on the balance on the funds that you'll get to my shipper so he can come attend to the pick up as soon as you make the Bike ready.
    I believe that most transaction are based on trust.
    So I will look forward to a successful transaction with you.
    Best Regards
    Graham Colemanson

  • A lot of Mambo/Joomla sites have been hacked last week. Since I have already helped someone harden an installation (Mambo 4.5.2.3), I have decided to write a tutorial for the benefit of the open source community...

    Some steps are common sense while others are not.

    But:

    • Do not think that doing all the steps below will protect you! Nothing is secure in the computer world, or not for very long...
    • Do not think that after doing all the steps below, Joomla will be as user friendly for you as before! We are restricting rights and changing some behaviours of the web server; it will be more difficult to publish content, but on the other side, articles and content will be safer.
    • Security always comes with a pain!

    Consider this page as a work in progress; feedback is, as usual, welcome. Click read more for the article.

    Choose a (better) FTP password for accessing your homepage, one which is not trivial, using the rules in annex A

    Requirements: having a valid login and password to your plesk account

    How: http://yoursite.com:8443/

    Go to the main page. If your hosting company allows you to create many subdomains, click on the right one, here on www.waltercedric.com

     
    On the Plesk main page, click on the domain (here waltercedric.com); on the next page, click on Setup.

    Then enter the new FTP password, and save.
    Choose a DIFFERENT Joomla/Mambo administration password using the rules in annex A

    Requirements: having a valid login and password to your Joomla administrator account

    How:

    Go to your administrator panel
    For example http://yourhost/administrator/
    Click on your login name, here on admin

    Enter a new password
    Choose a DIFFERENT Plesk password for the administration of your site using the rules in annex A

    Requirements: having a valid login and password to your Plesk administrator panel

    Go to: http://yoursite.com:8443/, which is the default URL for Plesk. Attention: it may vary depending on your hosting company.

    On the main page, click on Edit and enter the new password
    Choose a DIFFERENT MySQL password for the Joomla/Mambo tables using the rules in annex A

    How
    Use the Plesk administration panel

    On the Plesk main page, click on the domain (here waltercedric.com); on the next page, click on Databases.
    Then click on your Joomla database (here memos), then on the right user (here mosuser). Note that I have
    a special user for backup purposes with only SELECT rights! Then change the password.
      
    Open the file /configuration.php and change the key mosConfig_password 
    Adapt user rights of the mySQL Joomla user

    A MySQL user may have the following privileges:

    This user, for example joomlaUser, should ONLY have INSERT (new comments, guestbook), DELETE and UPDATE rights on the Joomla/Mambo database

    SHOW GRANTS FOR 'mosdev'@'%';
    GRANT ALTER,CREATE,CREATE TEMPORARY TABLES,CREATE VIEW,DROP,EXECUTE,LOCK TABLES,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'mosdev'@'%' WITH GRANT OPTION;
    FLUSH PRIVILEGES;

    Do not allow DROP or CREATE TABLE; normal operation of Joomla does not require it! Of course, as soon as you want to install a new component, you will have to temporarily allow joomlaUser to create new tables (if the component requires it).

    Adapt files right on your server

    A heritage of UNIX: file rights are organized in 3 groups: user, group, all. Each group may be able to read (r), write (w) or execute (x) a file individually. The combination rwx is read in octal as rwx = 7 for each group, so 777 is the worst setting: anybody may be able to delete or change your files on the server...

    This is how my file structure looks:

    Recommended                      Set to       CHMOD equivalent
    file rights                      r--r--r--    444
    directory rights                 r-xr-xr-x    555
    Exception for /cache directory   rwxrwxrwx    777

    How: use an FTP tool like CuteFTP; on the selected resources, use the right-click menu and check the bits:

    Example in CuteFTP; note that the command is not recursive!

    Side effects

    • You won't be able to use the upload function of HTMLArea: it is impossible to upload images or files using the administrator article editor.
    • Each time you want to publish a new article with pictures inside, you'll have to copy them with FTP before editing, in order to be able to insert them into the text.
    • In order to write a file into the directory C in the path A/B/C, you will have to temporarily set directories A, B and C to rwxr-xr-x rights (CHMOD 755)!
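    The 444/555 scheme above, and the ro/rw aliases from the Bash alias post higher up, done as shell functions: this is an added example of my own, not the article's commands. It locks a tree, unlocks it for the time of an update, and audits it for world-writable entries. The function names are mine, and the cache directory is assumed to live at `<tree>/cache` (the article's one 777 exception); the demo tree at the bottom is constructed.

```shell
# Added example (my own, not the article's aliases): lock a web tree to the
# recommended 444/555 rights, unlock it again for an update, and audit it for
# world-writable entries. The one exception is the cache directory the article
# keeps at 777, assumed here to be "<tree>/cache".
# Needs a find/chmod pair that understands "-exec ... {} +" (GNU and BSD both do).

# Files 444, directories 555: nothing is writable, even by the owner, so a
# compromised PHP process running as that user cannot modify the site.
lock_tree() {
    tree=${1%/}
    find "$tree" -path "$tree/cache" -prune -o -type f -exec chmod 444 {} +
    find "$tree" -path "$tree/cache" -prune -o -type d -exec chmod 555 {} +
}

# Files 644, directories 755: the owner can edit again; run it only for the
# time it takes to update the site, then lock_tree again.
unlock_tree() {
    tree=${1%/}
    find "$tree" -path "$tree/cache" -prune -o -type f -exec chmod 644 {} +
    find "$tree" -path "$tree/cache" -prune -o -type d -exec chmod 755 {} +
}

# Audit: list every entry (outside cache) that carries the "other write" bit,
# i.e. anything 666/777-like that lets any local user tamper with the site.
world_writable() {
    tree=${1%/}
    find "$tree" -path "$tree/cache" -prune -o -perm -002 -print
}

# Same audit as a number, handy for a cronjob that mails when it is not 0.
world_writable_count() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Demo on a constructed throw-away tree (drop this part on a real server).
demo=$(mktemp -d)
mkdir -p "$demo/images" "$demo/cache"
printf 'x' > "$demo/index.php"
chmod 666 "$demo/index.php"; chmod 777 "$demo/cache"
echo "world-writable before lock: $(world_writable_count "$demo")"
lock_tree "$demo"
echo "world-writable after lock:  $(world_writable_count "$demo")"
unlock_tree "$demo"
rm -rf "$demo"
```

    Unlike the aliases, `-exec ... {} +` runs one chmod per batch of paths instead of one process per file, which matters on a Joomla tree with thousands of PHP files.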
    Protect some parts of Joomla using an additional password, like .htaccess

    Requirements: Your provider must support .HTACCESS per directory

    How:

    Read my tutorial HERE

    Side effects

    • Some components or code trying to read files from the admin area (if protected by a .htaccess file) may bring up a login popup window to your users, but it is possible to find these problems and solve them quickly. My plugin securityimages in its first version also had this error (coding).
    Run a part of your site in HTTPS mode

    For added security, you can force users to access your pages using an SSL (Secure Socket Layer) connection. This means transmitted data is encrypted, so passwords and webpages cannot be read in cleartext over the internet.

    Ideally only the administration part (all URLs beginning with http://yoursite/administrator/), or your whole site.

    Why: if your site runs in HTTP mode, all passwords and fields submitted to the server are sent in cleartext (they can be read). An attacker may be able to intercept or impersonate a user by rerouting the HTTP request. In HTTPS mode, data travels encrypted on the network and a session key avoids replay attacks. Moreover, it is not realistic to run a commercial business on the internet without HTTPS.

    Requirements: Your provider/hosting company should allow it

    How

    Run FULL site in https
    • In Plesk, just copy your Joomla/Mambo file structure from /httpdocs to the directory /httpsdocs with an FTP tool
    • Eventually put a file index.html in /httpdocs which redirects users to the protected https area, to show users that your site still exists (it will not bring an error 404: page not found)

    Run PART of site in https
    This is certainly not as easy as running your full site with https,


    Side effects

    • If You install a new site, no problem
    • If you have an existing homepage and are heavily indexed by Google and Co. and/or many users have bookmarked you, users will be disturbed to say the least, and Google may think you are using some spammer techniques (moving and creating/dissimulating new content)
    Review OpenSEF/SEF 404 logs

    If a SEO/SEF component is installed, you may be able to look at unusual or incorrect URLs. This can typically reveal SQL or parameter injection attempts against existing code.

    SEF will in fact reject some URLs and redirect the user to your home root index.php, instead of displaying an error message or revealing information about the file structure, which is a positive side-effect.

    ex:

    .../banner.php?id=120&client="select 1 from dual": someone is trying to test for SQL injection in the Banner component

    Review access logs

    Search the log file for unusual behaviour: is someone accessing /index2.php (the admin part of your site) too often in a small interval? This may be a brute force attack!

    Requirements: have Plesk access

    How:

    On the Plesk main page, click on the domain (here waltercedric.com); on the next page, click on Log Manager
    • The server access log records all requests processed by the server. Access log for http:// and access ssl log for https://
    • The server error log, whose name and location is set by the error log directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.
    • The xferlog file contains logging information from the FTP server daemon, ftpd
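    The two log reviews above (the SEF/404 check for injection attempts and the access-log check for bursts against index2.php) as a small script, added here as an example of my own and not part of the article. It reads an Apache access log in combined format from standard input; the function names, the burst threshold and the log lines in `sample_log` are all constructed for this demo.

```shell
# Added example, not part of the original article: two quick checks over an
# Apache access log of the kind Plesk's Log Manager exposes. Both read the log
# on stdin, so "admin_bursts 10 < access_log" or a pipe from zcat works.

# Constructed sample in Apache "combined" format: a burst of POSTs to the
# admin entry point from 10.0.0.5, normal traffic, and two injection probes.
sample_log() {
    for s in 01 02 03 04 05 06; do
        printf '10.0.0.5 - - [21/Jul/2007:12:25:%s +0200] "POST /administrator/index2.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' "$s"
    done
    printf '10.0.0.9 - - [21/Jul/2007:12:25:30 +0200] "POST /administrator/index2.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    printf '10.0.0.9 - - [21/Jul/2007:12:26:10 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    printf '10.0.0.7 - - [21/Jul/2007:12:27:00 +0200] "GET /index.php?option=com_banners&id=120&client=%%22select%%201%%20from%%20dual%%22 HTTP/1.1" 200 300 "-" "curl/7.16"\n'
    printf '10.0.0.7 - - [21/Jul/2007:12:27:05 +0200] "GET /index.php?id=1+union+select+1,2,3 HTTP/1.1" 200 300 "-" "curl/7.16"\n'
    printf '10.0.0.8 - - [21/Jul/2007:12:28:00 +0200] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"\n'
}

# Brute-force check: hits per client IP per minute on index2.php (the admin
# entry point). $1 = how many hits in one minute count as a burst.
# Prints "ip dd/Mon/yyyy:hh:mm count" for each offender.
admin_bursts() {
    awk -v limit="$1" '
        $7 ~ /^\/(administrator\/)?index2\.php/ {
            key = $1 " " substr($4, 2, 17)   # $4 looks like "[21/Jul/2007:12:25:01"
            n[key]++
        }
        END { for (k in n) if (n[k] >= limit) print k, n[k] }
    ' | sort
}

# Injection check: undo the common URL escapes, then flag requests carrying
# SQL keywords (the banner.php example above would match on "from dual").
suspicious_urls() {
    awk '{ print $1, $7 }' \
      | sed 's/%20/ /g; s/+/ /g; s/%22/"/g; s/%27/'"'"'/g' \
      | grep -iE '(^|[^a-z])(select|union|insert|update|delete|drop)([^a-z]|$)|from dual'
}

# Demo on the constructed log; on a real host feed it the access log instead,
# e.g. "admin_bursts 10 < /var/log/httpd/access_log".
sample_log | admin_bursts 5
sample_log | suspicious_urls
```

    The burst threshold is deliberately a parameter: a busy multi-editor site legitimately produces several admin POSTs per minute, so tune it against a quiet week of your own logs before wiring the script into a cronjob that mails its output.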
      
    Make backups!

    Joke: "Real men don't do backup but they often cry"

    mySQL :
    4 ways to automate MAMBO database backup..

    FTP:
    use any FTP tool to sync, or the Plesk backup function

      
    Keep your Joomla/Mambo installation up to date.

    Always use the latest version of Joomla: www.joomla.org, or the latest version of Mambo: www.mamboserver.com

    As soon as a new version of Joomla/Mambo is available, install it the same day!

    • Hackers will look at the patch and search for unpatched servers! It has never been so easy to search for sites running a certain CMS version, thanks to search engines. To give you an example, a hacker may search in Google (but any search engine will work) for all sites running Joomla/Mambo with allinurl: administrator/index2.php, so install patches very fast!
    • Make a backup (just in case), and install the new patch; you can also install the patch on your local running instance of Joomla
    For the paranoid, or how to push security even higher

    All actions below require some knowledge or time...

    Change ALL the passwords above regularly!

    Just in case someone gets your password or part of it. Ideally you must change your password before a brute force attack can find it, or as soon as the logs reveal a possible attack, just in case the hacker has not yet started doing something bad with your account.

    With decreasing frequency:

    • Joomla Admin password
    • mySQL user password
    • Plesk admin password
    • FTP user password
    Attack surface reduction (ASR)

    Definition:
    M$ has a good article here (the idea is not coming from them, but they are trying to evangelize a lot of developers with good articles)

    So bugs/security issues cannot exist in code if the code does not exist on the server.... :-)

    Quite easy to understand but really difficult to achieve; here is a way to do it....

    1. Define your requirements: list all components/modules/mambots that you need to run.
    2. Unpublish all components/modules/mambots.
    3. Test your site.
    4. If everything runs correctly, remove one component/module/mambot at a time, and test your site.
    5. Take care when installing the next CMS patch that you do not copy unneeded files to your server. It may be surprising, but even if a component is not published, if its code is physically present on the server disk it may cause security vulnerabilities.

    You now have a customized version of Joomla/Mambo with a lot less code running and possibly a lot fewer unknown vulnerabilities! It will be a pain to maintain.

    Logs always tell the truth! (sometimes)

    You may want to install or write a tool which automatically parses the Apache, Tomcat, PHP and MySQL logs for monitoring.

    Just for FUN....

    Just to give you an overview of some crazy things that can be done....

    • I read some time ago about a person who customized a Linux version. In order to be sure that if someone ever got access to the disk, they would not be able to execute any command, he renamed all files and commands on disk... This is also possible for Joomla: write a Java/C#/other parser which renames all files/directories and changes all include, include_once, require and require_once statements to UUIDs. It is possible, but surely (a pain to) maintain.
    • If you have a whole web server for yourself, you can create a special user which will start PHP and Apache and will not be able to write or erase files.
    • The last crazy thing I can imagine (but with time I can be more creative ;-) ) would be to create a release of my homepage, burn it on a DVD (read-only) and publish it on the web server.
    Of course this last example does not allow you to use the CMS normally; you have a bloody read-only site, but nobody will be able to tamper with the data...

     

     

    Normally Your provider is already doing a lot behind the scenes, and may have done some stuff for You. It can be useful to contact them to ask what they are already monitoring or doing to prevent Your site from being hacked.

    Congratulations, You now have a much more secure Joomla/Mambo homepage!

    Comments are as usual welcomed, use the contact section of this site!

    Annexes

      
    A. Choosing a good password
    • NEVER use any word that can be found in a dictionary! Common brute force programs can try millions of passwords in seconds
    • Do not use your name, birthday, or part of your domain name
    • A good password is at least 10 or more characters long! (brute forcing entropy gets too high after 7 characters)
    • Use all the characters of the keyboard! @_! and use different case and numbers

    Ex: dR2_z57zzU!sP is not a bad password

    B. How to store all passwords
    Create a text file, and encrypt it with www.truecrypt.com or www.pgp.com (pgpdisk)
    C. Class of attacks
    I've written a small article listing all web vulnerabilities (HTML partial) and (PDF complete)
    D. Some tools
    • Beyond Compare from www.scootersoftware.com: to deal with the huge number of PHP files contained in Joomla/Mambo, and to install patches or synchronize folders more easily, I strongly recommend You try or buy a Beyond Compare licence. This tool is able to compare directories, preview changes, and even compare a local directory with a remote FTP server.

     

    E. https rewriting for admin panel
    Create a file .htaccess and copy it in /administrator; if a file already exists (it should!), add the lines which are missing to it

    # Do not allow any user to access this file - to copy in all .htaccess
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    #/administrator/.htaccess
    RewriteEngine on
    # per-directory rules see the path relative to this directory, so the directory
    # request itself arrives as an empty path: match with or without the leading slash
    RewriteRule ^/?$ /administrator/index.php
    RewriteCond %{SERVER_PORT} !443$
    RewriteRule ^(.*) https://www.waltercedric.com/administrator/$1 [R=301,L]

  •  

    rev 1.5


    "Security come from education not obscurity! when everybody will know how to attack applications, systems will be more secure (but on the other side, new class of attack will be created, so It will be and has to be an endless war)". Cédric Walter

    It may sometimes be good to understand all the technical terms that try to explain vulnerabilities in software.... I've done a "small" compilation for You, and have tried to give You meaningful descriptions, examples, and solutions.
    If something is not accurate or you want to provide a better example, please contact me...
    This page should be considered as a start; I currently have no plan to transform my homepage into a security portal, as it is full-time work for a specialized company or group of individuals. After looking at this page, You may be frightened by the number of issues in today's software...


    Attack Categories:
    from the thread "Attack Categories" on the mailing list "Web Application Security Mailing List Archiv" at
    http://lists.virus.org/

    • Client side trust issues
      • Input Validation
        • Cross Site Scripting (XSS)
        • Client-Side Manipulation
        • Path Traversal
        • URL Encoded Attacks
        • Buffer Attacks
        • SQL injection
        • OS command injection
        • Unicode Attacks
        • Format String Attacks
      • Parameter Tampering
        • Cookie Attacks
        • URL Attacks
        • Hidden Form Fields
        • Serialized objects
      • Authentication
        • Cookie Attacks
        • Brute Force
        • Session Hijacking
      • Browser Residue
        • Comment
        • Auto-Completes
        • Cache
        • History
    • Transport issues
      • Session Hi-Jacking
      • Traffic Sniffing
      • Replay attacks
      • Man in the middle attacks
      • DNS spoofing
    • Server side issues
      • Information Gathering
      • Mis-configuration
        • Debug Options
        • Samples hacking
        • Directory Browsing
      • Infrastructure Fingerprinting
      • Technology Fingerprinting
      • Spidering
      • Errors
    • Application Trojans
      • Cloneable Java classes
    • Backdoors
    • Buffer Overflows
    • Unicode Attacks

    Bad design Attacks

    • Insecure design:
      • Examples:
        • An application has no authentication mechanism (a way to determine who You are) and no authorization (what a user is allowed to do)
        • Confidential or client-related data are stored on a medium (could be a database or a file on disk) with no confidentiality (encryption) and no integrity (checking that nothing has been altered by a third person)
        • Non-repudiation, session auditing and availability are not considered
        • Caching of permissions: be cautious with caching mechanisms, as they may compromise the whole system if they are inherently insecure.
      • Solution:
        •  
      • Links:
    • Back doors and debug options: back doors are paths in the application not documented or not intended to be used directly by the user; debug options are switches placed by the developer to understand or correct the application if it does not behave correctly.
      • Back doors can be data ports or interfaces between component layers, or a port in the application which does not test the authorisation level and user authentication
      • Solution:
        • Have your code and design reviewed by an external company or another team; most of the time You need a fresh view.
        • Remove debug options in production; use a precompiler mechanism to parse your code/bytecode before shipping.
        • Verify credentials in each layer, even if it is time consuming; having a secure and a fast application may be antinomic. You can always use a profiler tool to
        • Reduce surface of attack technique: remove ALL code or functionality not needed (e.g. from 3rd-party vendors or open source frameworks); if during the testing phase You discover functionality that was not intended (a positive/bad side effect, but with security concerns), try to remove it. Alternatively You can also remove the webserver admin panel in production, and force the maintainer to use ssh to activate it before effectively using it, so an attacker has to steal an ssh key pair first.
        • Principle of least privilege: Your program/individual layer/thread should run with the least possible privilege needed to operate correctly without compromising the system. In Java You may use the security policy framework as a start.
      • Links:
    • Broken ACLs/Weak passwords: wrong file authorisation or inconsistent Access Control List permissions on files, resources, devices; easy-to-find or trivial passwords
      • Password "admin" for an admin panel, or the default password of a well known webserver like Tomcat, Weblogic.
      • Too many rights on a file which is exposed to the internet; for example no write or execute for the rest of the world, read is enough (rwxr--r--)
      • Solutions:
        • Review ACLs,
        • Automatic scripts to scan directories and verify permissions, in order to avoid developer or deployment mistakes
        • Audits
      • Links:
    • Weak session management: the web application does not manage user sessions correctly (a part of the memory allocated to the user in the webserver)
      • The unique session key generator is weak; a hacker can compute/guess keys and try to steal user session data which may exist in the system at a given time.
      • Stealing cookies may occur as a result.
      • Solution: redo the design! Use a proven session framework
      • Links:
    • CGI-BIN manipulation
      •  
      • Solution:
      • Links:
    • Insecure use of cryptography: these attacks are the hardest to perform and require a good skill in advanced math, knowledge of existing crypto algorithms and attacks, analytical skills and an ability to think of things other people cannot think of.
      • Why You MUST use open source algorithms and always publish information on the cipher used: security through obscurity is BAD
      • Solutions:
        • Open source algorithms,
        • Proven cryptographic implementations.
      • Links:

     

    Bad coding Attacks

    • Insecure/bad coding habits: insecure ways of implementing which create security concerns.
      • Examples
        • Common coding errors: inadequate primitive types (using an int instead of a long, or using too much precision: a long for a person's age)
        • Lazy exception handling
        • Stack and heap overflows
        • Format string vulnerabilities
        • Race conditions in heavily parallel code: a singleton which is not a singleton
      • Solution:
        • Training: it may be time to send your developers to a training....
        • Use metrics technology: metrics are a way to determine rapidly if some code has a bad smell. A lot of books and theory can be easily found on Google.
        • Structural analysis: see links
      • Links:
    • Memory leaks - a memory leak is a part of memory that has been allocated but never freed after its use. The more often this occurs, the more memory will be wasted and taken away from other processes. In the worst case your application's memory usage will exceed the physical memory size and finally crash the system when the limit of virtual memory is reached, after a period of heavy hard disk activity.
      • Possible in all development languages, easier in C++, possible in Java.
      • Solutions:
        • Memory leak detectors,
        • Testing your application and monitoring memory,
        • Frameworks for memory management
      • Links:

    Fooling the user

    • Cross-site scripting occurs when a web application gathers malicious data from a user, and is a way to steal cookies
      • "Attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks."
        more at http://www.cgisecurity.com/articles/xss-faq.shtml
      • Solution:
        • Only follow links from the main website you wish to view
        • Observe what the link looks like before clicking on it!
      • Links:

    Fooling the application

     

    • Form/hidden field manipulation: a common (weak) design to store persistent data for a user is to use an HTML hidden field: it is a text variable stored in the page that the application may use for its own business logic.
      • Hackers will modify them and post the page to the server until they get the expected result
      • Solution:
        • Avoid hidden fields or reduce them to the least number.
      • Links:
    • Parameter tampering is a simple attack targeting the application business logic by modifying some parameters
      • In a select box, examining hidden values and trying to send other or modified values.
      • Solution: blocking attackers via input validation
      • Links:
    • Errors triggering sensitive information leaks: pushing the application to its limits (searching for a way to crash it), in order to see if the application will give away some important information.
      • Examples:
        • Your application displays an error page containing the servlet name, the underlying crash reasons (logins with the remote host IP in the case of webservices), and even worse: part of the code, like the SQL statement which crashed.
      • Solution:
        • Blinding attackers via output sanitation/filtering...
      • Links:
    • Stealth commanding is when your HTML page contains server-side page scripting that will be executed on the server.
      • A hacker has only to replace your command with a new one to execute malicious code on the server.
      • Solution:
        • Validation, or avoid this technology
      • Links:
    • SQL injection: a hacker may try to enter valid or invalid SQL statements instead of a business parameter (a user name in a search field page) in the hope that the developer did no validation and that his code will reach the backend database.
      • Hackers fill input fields with valid/invalid statements to see if the application crashes or returns incorrect data or more information than allowed.
      • There are even open source tools like Absinthe, a GUI-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to blind SQL injection.
      • Solutions: use prepared statements (prepareStatement) or a Data Access Object (DAO) framework.
      • Links:
    • Hidden Manipulation
      •  
      • Solutions:
      • Links:
    • Command injection / Insufficient URL validation

    Cookies Attacks

    During web application logons, user credentials are authenticated against the web server using standard HTTP protocols, and cookies are used to maintain connection persistence, since HTTP alone was not intended to be persistent. Cookies are small text files that track your browsing habits or store some passwords or internal login parameters.

  • Cookie poisoning: injecting new data or modifying some data inside a cookie in order to steal a user identity / fake the login mechanism of a server.
    • If the cookie is persistent (the cookie does not "die" when You close the browser and most of the time contains an expiration date), hackers may use a cookie editor or any text editor (Notepad) to change data in it.
    • If it is a session cookie, a hacker may need to modify the code of an open source browser, which is more difficult but not impossible.
    • Solutions:
      • Encrypt the content of the cookie
    • Links: Hacking Web Applications Using Cookie Poisoning (pdf)
  • Cookie snooping: attacking unencrypted cookies which are not digitally signed or only protected by a timestamp
    • Most of the time, cookies are only encoded in BASE64 (which is not encryption)
    • Solution: encrypt, sign and time-stamp your cookies! Avoid also -> Parameter Tampering
  • Cookie brute force attack: inspecting the content of a cookie and guessing, via a brute force attack, a parameter entering into the system.
  • Cookie manipulations:

     

    Sessions Attacks

    • Session Hijacking - involves an attacker using captured, brute forced, or reverse-engineered authentication tokens to seize control of a legitimate user's web application session while that user is logged into the application. This usually results in the legitimate user losing access or functionality to the current web session, while the attacker is able to perform all normal application functions with the same privileges of the legitimate user. This class of attacks usually relies on a combination of other simpler Session Management attacks (Brute Force, Session Replay). From http://www.owasp.org/projects/asac/sm-sessionhijacking.shtml
    • Session Replay - A web application is vulnerable to a replay attack if a user's authentication tokens are captured or intercepted by an attacker. A replay attack involving a web application means that an attacker directly uses these authentication tokens (e.g., session ID in URL, cookie, etc.) to obtain or create service to the user's account while bypassing normal user authentication (logging in with the appropriate username or password). From http://www.owasp.org/projects/asac/sm-sessionreplay.shtml
    • Session Brute Force - Brute-Forcing involves performing an exhaustive key search of a web application authentication token's key space in order to find a legitimate token that can be used to gain access. This usually takes the form of grinding through a list of usernames and passwords, looking for a particular response that indicates a valid session was found. From http://www.owasp.org/projects/asac/sm-bruteforce.shtml

    Url Attacks

  • I have some major issues trying to complete this document: http://waltercedric.com/Mambo/Java/Security/Typical-issues-with-webapplications-v1.5-4.html
    Mambo does not let me add new text to the content of this article. That is why I now propose it as a PDF download (this PDF contains many more examples of web application security issues than the HTML version). Enjoy.

    Download Typical issues with webapplications v1.5 .pdf

  • The official version of nginx for Ubuntu Precise is 1.1.19, but the latest available stable version is 1.2.2 (Changes). In this post I will present how to update to the latest available version.

    vi /etc/apt/sources.list

    and add, depending on your Ubuntu version, either

    For Ubuntu 10.04 Lucid:

    deb http://nginx.org/packages/ubuntu/ lucid nginx
    deb-src http://nginx.org/packages/ubuntu/ lucid nginx

    For Ubuntu 12.04 Precise:

    deb http://nginx.org/packages/ubuntu/ precise nginx
    deb-src http://nginx.org/packages/ubuntu/ precise nginx

    Now you can run

    apt-get update

    When using the public nginx repository for Ubuntu, you'll get this error

    W: GPG error: http://nginx.org lucid Release: The following signatures 
    couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62

    First of all, this is only a warning and you can ignore it if you know what you are doing; in case you prefer to add the public key used for signing the packages and the repository, just run:

    gpg -a --export 7BD9BF62 |  sudo apt-key add -

    or

    wget http://nginx.org/packages/keys/nginx_signing.key
    cat nginx_signing.key | sudo apt-key add -

    apt-get update should now run fine, however after running an

    apt-get install nginx

    you may still get this kind of error:

    dpkg: error processing /var/cache/apt/archives/nginx_1.2.2-1~precise_amd64.deb (--unpack):
     trying to overwrite '/etc/logrotate.d/nginx', which is also in package nginx-common 1.1.19-1
    dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
    Errors were encountered while processing:
     /var/cache/apt/archives/nginx_1.2.2-1~precise_amd64.deb

    just remove nginx-common and retry

    apt-get remove nginx-common

    More at http://wiki.nginx.org/Install

  • To stay secure and stable, stay up to date!

    The Joomla Project has announced the availability of Joomla 1.5.8.

    This release contains a number of bug fixes and two moderate-level security fixes and you would be well advised to upgrade to this version if you are running any other Joomla 1.5.x version. (Users of Joomla 1.0.x are urged to ensure they are running Joomla 1.0.15, but do not need to migrate to Joomla 1.5.8 immediately.)

    Joomla patches for SecurityImages 5 will follow in a few hours... (before 22:00 GMT+1)


  • Forcing the spammer to pay the price (computing power) before submitting rubbish to Your homepage (in comments or guestbook sections for example). The user will have to create a new cryptographic value of a hidden field (Javascript code provided) and that may take 1 to 2 seconds, but may be more with RSA 1024....
    This also does not allow robots to easily submit code without parsing Your HTML page first...

    User/developer guide of the cryptographic component framework for Mambo: com_hashcash

    A version 1.0 will be released soon.... GNU/GPL

    Developer Documentation


    @component: com_hashcash
    @copyright (C) 2005 Walter Cedric for Mambo Integration
    @license http://www.gnu.org/copyleft/gpl.html GNU/GPL

    Free Software

    3rd party Javascript

    3rd party PHP

    • MD5/RSA/SHA1: part of the PHP language.

    Based on:

    Kudos to all the developers above! Thanks to the GPL I do not have to reinvent the wheel...

    Links:

    Requirements

    • Component: com_hashcash - cryptographic facility for Mambo
    • Components already using com_hashcash: com_akobook 3.42 and hashcash 1.0, and com_akocomment 2.0 and hashcash 1.0
    • Required prior to installation: com_log4php

    Principle:

    Forcing the spammer to pay the price (computing power) before submitting rubbish to Your homepage. The user will have to create a new cryptographic value of a hidden field (Javascript code provided) and that may take 1 to 2 seconds, but may be more with RSA 1024....
    This also does not allow robots to easily submit code without parsing Your HTML page first...

    How It works in details

    This code adds a supplementary hidden field to all HTML forms sent to the user.

    - The hidden field has a random name (Hname), different at each load of the page
    - The hidden field value is a cryptographic hash (MD5, MD4 or RSA) value (Hvalue),

    Hvalue = Crypt(UserSessionID + mosConfig_absolute_path + UserBrowserAgent + TodayDate(F j, Y, g a))

    Crypt is the cryptographic PHP function: MD5, MD4 or RSA

    If the user wants to submit a comment, the browser, with the help of a small javascript, will have to
    - locate the hidden field name (Hname) with javascript (function replace())
    - rehash the hidden field value (Hvalue) with MD5 (it is time consuming)
    and send everything back to the server.

    If the spammer does not follow the challenge, the comment won't be accepted....
    You can switch this feature ON/OFF in the Admin control panel under the tab Posting of the components akocomment and akobook

    Configuring HashCash

    Open the file /com_hashcash/settings.php with Your favorite text editor:

    key in file | values | notes
    $hashcash_use = 'md5' | 'md4', 'md5' or 'sha1' | md4, md5 or sha1
    $hashcash_debug | true/false | Will write all information in the page on form submit
    $hashcash_log_active | true/false | Spam submissions will be written to the logs
    $hashcash_log_all | true/false | Log accepted and refused posts -> be careful with the size of the logs!
    $hashcash_log_file | $GLOBALS['mosConfig_absolute_path'] . "/components/com_hashcash/hashcash.log" | Location of the log file
    $hashcash_Notify_Admin | true/false | Notify an administrator by email?
    $hashcash_log_size | integer | every 64kb a mail will be sent to the admin with the content of the logs
    $hashcash_AdminEmail | valid email | admin email

    Note: An Administrator frontend will be shipped with release 1.0

    Protecting Your Mambo Forms against Spammers and Robots

    PHP code sent to the client (in the code where You create the form)
    # include and instantiate the object in the portion of code where Hashcash is needed; note that I have here a strong reference to the algorithm... (here MD5)
    # This will soon be a factory
    include($mosConfig_absolute_path.'/components/com_hashcash/plugins/md5/php/CodeInliner.php');
    $MD5CodeInliner =& new MD5CodeInliner(true);

    ...

    Insert this JS (js1); the browser will use this js during submit to locate the random hidden field name and encrypt its value
    echo $MD5CodeInliner->insertHashCashJavascript(false);

    ...

    Insert this code in your submit or validation JS method; this will call js1
    echo $MD5CodeInliner->insertSubmitJavascript();

    ...

    Add the hashcash input field to Your form
    echo $MD5CodeInliner->insertHiddenField($contentid);

    Verifying on the server, in Your code, that the user submission can be accepted

    In the code where You validate and do something interesting with the submission:
    include($mosConfig_absolute_path.'/components/com_hashcash/HashcashChecker.php');
    $HashcashChecker =& new HashcashChecker();

    // as used below: check() returns an empty string when the challenge was not answered
    $submission = $HashcashChecker->check($submission, $contentid);

    $commentIsAccepted = strlen($submission) != 0;

    if ($commentIsAccepted)
    {
        ... // store the comment
    }
    else
    {
        ... // refuse the submission
    }

     

    Changelog:

    Real object model, abstract class and factory still missing...

     

  • I've installed the great component from Soeren (virtuemart.net) which allows displaying and listing all versions of the software I distribute on joomla forge.

    This component also allows me to add to all my components a link "check latest version" which will automatically tell You:

    • If You have the latest version
    • Where to download the component
    • Where to see the release notes

    You can find it on my homepage HERE; please give me time to fill the database, and release new versions with the link "Check latest" (securityimage and joomlacloud already have it)

  •  


    You'll need a lot of patience... since there is no VMware Converter for Linux...

    My objective is to virtualize my Internet server running SUSE in VMware, to ease the migration to a more powerful and up to date server.

     

    I am using rsync since:

    • I have no access to the machine, so I can't stop the server and make a binary image of the disk, as the server is in a STRATO data center in Germany (Berlin)
    • I don't like operational down time.

    I HAVE TO virtualize my server because:

    • The operating system SuSE is too old and there are no more security patches available.
    • I want to have a local reference in VMware of my Internet server.

    This tutorial can be seen as an add-on to this one: http://www.linuxjournal.com/article/9942 (very good by the way); I just complete the missing steps or document some issues I've encountered..

    On your server, run

    # fdisk -l

    Disk /dev/sda: 164.6 GB, 164696555520 bytes
    255 heads, 63 sectors/track, 20023 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1           7       56196   fd  Linux raid autodetect
    /dev/sda2               8         138     1052257+  82  Linux swap / Solaris
    /dev/sda3             139       20023   159726262+  fd  Linux raid autodetect

    Disk /dev/sdb: 164.6 GB, 164696555520 bytes
    255 heads, 63 sectors/track, 20023 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1   *           1           7       56196   fd  Linux raid autodetect
    /dev/sdb2               8         138     1052257+  82  Linux swap / Solaris
    /dev/sdb3             139       20023   159726262+  fd  Linux raid autodetect

    Disk /dev/md0: 57 MB, 57475072 bytes
    2 heads, 4 sectors/track, 14032 cylinders
    Units = cylinders of 8 * 512 = 4096 bytes

    Disk /dev/md0 doesn't contain a valid partition table

    Disk /dev/md1: 163.5 GB, 163559571456 bytes
    2 heads, 4 sectors/track, 39931536 cylinders
    Units = cylinders of 8 * 512 = 4096 bytes

    Disk /dev/md1 doesn't contain a valid partition table

    This is how the partitions look: sda1 is the root partition, sda2 is a swap partition and sda3 is my home. The server uses RAID0 with 2 * 160GB disks.

    You'll have to recreate them in the virtual machine. Nothing forces me to also have RAID0 in my VMware. I will only create a normal disk layout (sda1, sda2, sda3). Save this output in a text file for further reference. By reading the fstab, I will be able to look at the mount point names later. On your server, run:

    # cat /etc/fstab
    /dev/md1        /       ext3    acl,user_xattr,usrquota 1       1
    /dev/md0            /boot                ext2       acl,user_xattr        1 2
    /dev/sda2            swap                 swap       pri=42                0 0
    /dev/sdb2            swap                 swap       pri=42                0 0

    devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
    proc                 /proc                proc       defaults              0 0
    sysfs                /sys                 sysfs      noauto                0 0

    Download VMware Server; you'll have to register and will receive a time-limited version.

    Create a new virtual machine matching as closely as possible the distribution you are using on your production server. Boot the virtual machine with a Knoppix CD; type knoppix 2 at boot time to jump into the console mode of Knoppix. Use cfdisk to create the same partition layout; this tool is very easy to use (use the bottom menu). Use the same file system; partitions can be set bigger or smaller depending on your intentions for the virtual machine (backup or replacement of a production machine). My old server was using GRUB (and not GRUB2), and GRUB does not accept installing a boot loader on a partition with 256-byte inodes. Unfortunately this is exactly what cfdisk creates by default!

    The quickest and easiest option (when you have control of file system creation) is to format any new Ext3 file systems with 128-byte inodes. This command tells you your e2fsprogs version:

    # mke2fs -V
    mke2fs 1.40.8 (13-Mar-2008)
    Using EXT2FS Library version 1.40.8

    This is the usual command for creating new Ext3 file systems with e2fsprogs:

    # mkfs.ext3 /dev/sda1

    The newer versions that default to 256-byte inodes will emit this warning, and create your new file system anyway:

    Warning: 256-byte inodes not usable on older systems

    To force the creation of 128-byte inodes partitions:

    # mkfs.ext3 -I 128 /dev/sda1

    You can check your work with tune2fs; if you read 128 it is OK to continue

    # tune2fs -l /dev/sda1 | grep -i 'inode size'
    Inode size: 128

    Create new file system

    According to the # cat /etc/fstab

    # sudo mkfs -t ext3 /dev/sda1
    # sudo mkswap /dev/sda2
    # sudo mkfs -t ext2 /dev/sda3

    (screenshot: creating filesystems)

    RSYNC your data

    The example in the article was not using an SSH connection with secure keys. If you use a public/private key pair (recommended), just copy your public and private key into the Knoppix root home

    # su
    # cd ~/.ssh

    I have my RSA key on a USB stick; Knoppix mounts it automatically thanks to UDEV

    # cp /mnt/usbstick/id_rsa* .

    Try to connect to your host

    # ssh -l root yourHostOrIP

    You'll be prompted for your pass phrase; enter it. If everything works... it's time to sync the first partition /mnt/sda1

    # rsync -avx --numeric-ids --progress yourHostOrIP:/ /mnt/sda1/

    You'll be prompted for your pass phrase; enter it. If everything works, just wait; when finished, do the same for the second partition /mnt/sda3

    # rsync -avx --numeric-ids --progress yourHostOrIP:/home/ /mnt/sda3/

    That was easy... the most difficult part is to make this virtual machine boot, and that means playing with GRUB...

    TO BE CONTINUED... next part this week

  • Found on slashdot.org a poster has state:

    "I once built a very secure linux version. Here is the sorts of things it I did.
    1) It had no shells of any sort, nor any user interface of any sort.
    2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.
    3) It only about 4 open ports, and 2 for getting data and 2 it used to sending the data out.
    4) It was stripped having almost no software except the bare mimimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.
    5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).
    6) Data on the drives were encrypted.
    Sound like a fun distribution to work on? On the other hand, under computer-generated network attacks (like, say, 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system. That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability."

    It is extreme :-)

  • Microsoft is still saying that proprietary code is far more secure than open source... a crazy point of view.
    1. If we follow M$'s assumption, exposed code is vulnerable...
    2. On the other hand, Linux code has always been exposed...
    3. Windows code has always been safely locked away (true for any end user or developer not affiliated with M$).
      The only conclusion from the points above would be that Linux contains more bugs/security problems than Windows.

    But in the real world, this conclusion is not realistic, since all web servers and critical applications are running under a UNIX system (Google "Linux" and look at the crazy uptimes of the top 50 servers in the world on Netcraft: the average uptime of the first site is 1567 days, that's over four years!!!, and all are Linux based).

    For me it has to do with the quality of the code.

    Linux has been open for a long time (it started in 1991, and is based on Unix concepts that are a lot older), and so it has been hardened. M$'s code is the opposite, since its only model for security so far has been security by obscurity (disastrous results, as stated by Kerckhoffs' principle from the late 1880s) and influencing lawmakers to produce draconian laws to try to prevent anyone from even considering trying to bypass the security. This has resulted in a laxness in M$'s security that a few hyped media campaigns and a couple of code patches are not going to solve. Moreover, since M$ cannot beat Linux on code quality (at least not in the next 2-3 years), the concept of patents has popped up in Europe and outside America. These big companies are not only trying to kill a utopia; it is like trying to shut the mouths of all individual computer hobbyists all over the world. Imagine yourself in a world where an idea can be patented: what a disaster for innovation, since every technological improvement is based more or less on what has been done before....

    Some facts, easy to verify yourself:

    1. Yes: it is possible TODAY to apply system/application/desktop patches to your machine without rebooting: Linux does it (except for kernel changes).
    2. Yes: it is possible TODAY to remove all unneeded/unwanted software from your machine (less code, fewer flaws, fewer security problems: see reducing the attack surface): Linux does it. A server can be configured with a graphical user interface, but does not need it to run. As an example, Windows 2003 Server still contains, and runs in kernel space, some dangerous programs: Media Player and Internet Explorer, just to name a few.
    3. Yes: it is possible TODAY to totally uninstall a piece of software: Linux does it.
    4. Yes: it is possible TODAY to try Linux without hurting your computer: Knoppix and 130 other live Linux distributions are here to convince you.

    So do you need to switch now from Windows to Linux? NO, switch only for some good reasons, as there are still some open issues, mainly because a lot of companies do not support Linux when they release drivers for their peripherals.
    Remember, as in real life, it is not always the best companies, persons, or applications which win; it is not because 90% of people use IE or M$ that it is the only browser choice. It is crazy, but 400 years ago all people were convinced that the earth was flat....

    Links:
    If you are concerned about security, these sites are worth a visit:
    Secunia - Security and Virus Information
    Linux security
    Linux Exposed Security Solutions

  • Debunking myths and facts:
    http://www.theregister.co.uk/2004/10/22/linux_v_windows_security/

    From The Register:
    http://www.theregister.co.uk/security/security_report_windows_vs_linux/

    "Much ado has been made about whether or not Linux is truly more secure than Windows. We compared Windows vs. Linux by examining the following metrics in the 40 most recent patches/vulnerabilities listed for Microsoft Windows Server 2003 vs. Red Hat Enterprise Linux AS v.3:
    ...
    The results were not unexpected. Even by Microsoft's subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat's patches and alerts address flaws of Critical severity."
    Also in PDF format here.

  • Microsoft has proved one more time that even if you have a lot of money and a lot of talented programmers, it is impossible to improve security in an existing huge codebase like Windows....

    Trustworthy Computing
    This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust the unofficial patch for the Windows Metafile Vulnerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one.

    read more at http://isc.sans.org

    Someone has posted this (see below) on Slashdot; it explains clearly how you can get hacked...

    It's probably a hard problem to patch. From what I've gathered, this is a feature of WMFs, not a bug. They were designed before people even knew what the Internet was. WMFs, apparently, have the ability to specify code to be run on a failure to render. So the bad guys give you a bad WMF file, cleverly renamed as JPG, and stick it in an ad banner. You browse a site (with any browser), Windows fails to render the WMF (which it will recognize even if the filename says JPG), runs the specified failure code, and you're hacked. That fast.

    Changing code that's this deeply buried in Windows is risky. The interpreter for WMF is one of the remnants of code left over from single-user computers, and they'll have to test changes very thoroughly. They're GOING to break things with this patch, because they're removing a designed-in feature. They're probably working feverishly to figure out how to minimize the damage, but some damage is inevitable. And the problem could be far worse than it appears; that DLL could be riddled with problems. It may not have been audited in many years.

    This is yet another example of how you can't retrofit security; the first Windows versions were designed when security wasn't even an issue, when the Internet was barely a twinkle in Al Gore's eye. There's a mountain of code that was written just to work, not to worry about being handed malicious data. If a user passed bad values to a system call and it crashed, oh well. It was their fault for doing it. It's not like they had anything to gain from it, after all. They owned the computer. Why on earth would the computer need to protect itself from its owner?

    With the advent of the Net, Microsoft decided to both stay backward-compatible and extend what they had onto the Internet. And their focus for many years was on new features, not security. Essentially every security person at the time warned them -- stridently -- against the choices they were making. It was obviously going to be a trainwreck. This is just the latest in that ongoing collision between a single-user operating system and exposure to every computer in the world.

    Even worse, it is sooo bad that some people open-source tools to increase the invisibility of this issue...
    (News Here)
    We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.

    The original marketing information on Trustworthy Computing can be found here.

    PS: SuSE 10.0 is not affected. I know, I know, it is easy to hit someone lying on the ground ;-)


  • Introducing the TASER XREP – the eXtended Range Electronic Projectile. XREP is a self-contained, wireless projectile that fires from a standard 12-gauge shotgun. It delivers the same Neuro-Muscular Incapacitation (NMI) bio-effect as our handheld TASER X26, but can be delivered to a distance of up to 100 feet, combining blunt impact with field proven TASER NMI.
    from www.taser.com