Tag Archives: security

Sysadmin: Brute force detection – custom rule for SMTP and SSH

I wrote before about excellent tool BFD that allows to block brute force password guessing attempts on different network services.
I prefer it to Fail2ban because of portability (bash script) system resource consumption (bash script!) and extendаbility (true “unix way” modularity).
I also wrote before a brief instruction on how to extend BFD with your own rule to fight with apache/Wordpress DOS attack.
In this post I will show you how to write custom rules to block SMTP password guessing brute force attempts and SSSHD

Read more »

Share Button

Windows: Set lightweight web browser as MS windows default web browser application.

qtwebI was thinking the other day – it’s not really safe to have MS windows default browser set to MS Internet Explorer, so any URL you accidentally click will be open with it. For the work related activity I user portable browsers. But what about everything else – this is not really safe no matter how many MS security updates are published every week.
So, I decided to find something really small and “feature-poor” to assign it to the default browser.
Read more »

Share Button

Sysadmin: How to see the name of PHP script that sent that e-mail

phplogo SPAM e-mail is the common problem these days and in most cases the cause of this problem is the lack of security on the hosted web sites. Various badly designed PHP scripts expose the hosting server MTA to be used as SPAM e-mails source. First and foremost step in resolving this problem would be to determine the originating PHP script that was used to send e-mails.
Read more »

Share Button

How to use BFD tool to block WordPress brute force attacks

I have written about the excellent and lightweight (unlike fail2ban which is more popular but too resource consuming and 3rd party tools dependent) tool BFD earlier. This tool is actually the set of bash scripts that looks for known pattern in the logs and executes actions against offending IPs based on the configuration. Little is known that it’s also modular and allows to extend it’s behavior by writing custom rules to assist with more uncommon situations.

I’ve also written about widespread WordPress brute force attacks that targets wp-logon.php script. The solution I’ve offered there takes care of single WordPress site. It’s getting more difficult to mitigate the attack in case you have multiple servers with multiple WordPress sites. So I decided to come up with more general approach.

Read more »

Share Button

Rant: Why I would never have facebook account

no-fb First of all – this is my opinion, it’s emotional, biased, personal and has nothing to do with you. If you are offended by my opinion – you are not required to read, agree with it or argue with me.
Read more »

Share Button

Sysadmin: block these pesky recursive DNS queries with iptables rate limiting rules

dns-reflectIf you are managing Linux server you have probably heard about recent DNS amplification attacks that were using misconfigured DNS servers.
Read more »

Share Button

Sysadmin: correcting file permissions recursively from the shell

In a way of troubleshooting web application there is the step when all known reasons why it doesn’t work exhausted so they just change permissions on everything to 0777 and hope that this drastic step would fix the problem. Most likely it does not but leaves the permissions broken and and the whole site wide open.
Usually nobody cares until first break-in, then everybody start looking for the responsible parties, and host is first and most likely last to blame.
In order to avoid this problem permissions (and possibly ownership) of the web content should be corrected.
Read more »

Share Button

Apache, PHP, SuEXEC: added security and control

suhosin
As we know from original article using Apache, PHP in CGI mode along with suExec gives us 2 important security advantages:
– suExec allows to run PHP process with (only) the file owner user privileges, enforcing proper permissions on PHP scripts and thus allowing to avoid cross-site exploits on the server that is running multiple dynamic web sites;
– per site php.ini.
That gives some unique opportunities for securing separate web sites on the server.
Read more »

Share Button

Using lsof to find trojan processes on Linux.

In my previous post I was telling about checking for programs using network on Linux using lsof tool.
Here I have “live” example of such backdoor found on one of our servers.
Read more »

Share Button

Looking for the backdoors or performance bottlenecks with lsof

When server is compromised via some PHP script security hole intruders are getting relatively low level of access to the server. Although its enough to install PHP shell script or start some backdoor network daemon or proxy server or network scanner.

Lets see if we can find them
Read more »

Share Button
Page 1 of 212