LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-06-2011, 03:42 AM   #61
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54


Quote:
Originally Posted by sneakyimp View Post
The email above appears to be the result of this cron job in /etc/cron.d/tiger
Tiger, when driven by cron like this, runs as "tigercron" taking crontab values from "cronrc" (locate and read "tigercron", from there find location of "cronrc"). To avoid the subject as it is now you have to 0) silence the cronjob output, write a script to find the report file and see if it isn't empty and then email it with the appropriate 'mail' command or 1) write your own crontab to handle different Tiger runs.


Quote:
Originally Posted by sneakyimp View Post
The error code in the email, con010c, is nowhere to be found in any of the explanation docs in /var/log/tiger nor in any logs there.
Sure it is:
Code:
 tiger]$ gfind doc/ con010c
doc/
doc/config.html:<A NAME="con010c"><P><B>Code [con010c]</B><P>
doc/explain.idx:con010c config.txt 54 68
doc/config.txt:%con010c

tiger]$ grep ^%con010c doc/config.txt -A 15
%con010c
The filesystem is not recognised by Tiger as a valid filesystem 
for this operating system and will not be analysed. If this is a local
filesystem then the configuration script for this operating system 
needs to be modified. You should report this as a bug in the software. 

You can use the following tigerrc variables to adjust this message
or adapt it to your system locally:

 - Tiger_FSScan_Local: if set, filesystems defined in it will be considered
   local and will always be analysed.
 - Tiger_FSScan_NonLocal: if set, filesystems defined in it will be considered
   non-local and will not be analysed.
 - Tiger_FSScan_WarnUnknown : If set to 'N' this message will not be presented
   (this prevents it from being emailed when some of the Tiger scripts are run
    through cron)
Don't you have /usr/share/doc/samhain.*/manual.html/?


Quote:
Originally Posted by sneakyimp View Post
I've tried looking in the script /usr/sbin/tigercron, but I can't locate any place to put an -e or -E flag in there.
Put it in /etc/cron.d/tiger after the "-q ".


Quote:
Originally Posted by sneakyimp View Post
some people are treating it as a bug.
It is. Comment https://bugs.launchpad.net/ubuntu/+s...837/comments/3 seems the right fix to me as you will want it checked.


Quote:
Originally Posted by sneakyimp View Post
Maybe I could notify a developer or package maintainer somewhere? File a bug report?
As for /etc/services I wouldn't unless I were Sancho Panza (too much legacy to overcome) and the Tiger one was filed already.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
There is a file mentioned in the Ubuntu docs, /etc/environment, which does in fact contain a PATH variable. I'm wondering if the tiger complaint is applicable on an ubuntu system?
/etc/environment isn't mentioned in https://bugs.launchpad.net/ubuntu/+source/tiger or https://savannah.nongnu.org/bugs/?fu...ch&group=tiger so you could file a bug report if you can.


Quote:
Originally Posted by sneakyimp View Post
I want to understand the goal for these tiger complaints:
Code:
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
--WARN-- [misc026w] There is no default umask settings for user login shells in /etc/login.defs
It's to ensure a umask of 022 for services and one of 027 for human users?
Both: /etc/init.d/rcS starts services and /etc/login.defs gets or should get consulted when users run a shell.


Quote:
Originally Posted by sneakyimp View Post
in the hope that the fail2ban (..) configure itself
Has got nothing to do with "hope" and hoping for things to automagically "configure themselves" to me isn't the wisest of approaches. Regardless of that it's just a case of adjusting the main config (excluding management IP ranges, setting amount of failed logins, log files to watch) and enabling services.


Quote:
Originally Posted by sneakyimp View Post
sftp - we'll need a file transfer program to maintain the website assets. I'm accustomed to installing proftpd or vsftpd but am hoping to make sure that all FTP connections are encrypted. Is that sftp? or ftp-over-ssl ?
That is something you could have googled yourself. FTPS is FTP over SSL and SFTP is the Secure File Transfer Program that comes with OpenSSH.


Quote:
Originally Posted by sneakyimp View Post
chkrootkit - this was apparently installed with tiger but you instructed me to run it separately. Any additional configuration detail for this would be most helpful.
Chkrootkit doesn't require additional configuration and saying it isn't as well-maintained as Rootkit Hunter or OSSEC HIDS would be an understatement. I do patch CRT, as I've done the last gazillion releases, though:
Code:
--- chkrootkit  2009-08-01 23:04:17.000000000 +0000
+++ chkrootkit  2009-08-01 23:04:18.000000000 +0000
@@ -29,7 +29,7 @@
 tcpdump top telnetd timed traceroute vdir w write"
 
 # Tools
-TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG"
+TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG promisctest"
 
 # Return Codes
 INFECTED=0
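Review bot: TOOLS already carries "sniffer", chkrootkit's existing promiscuous-interface check (it runs the bundled ifpromisc helper), so appending "promisctest" runs two tests for the same condition on every invocation; the patch should say what promisctest catches that sniffer does not (it parses the flags printed by `ip link show` instead of querying the interface directly), or replace sniffer rather than run alongside it.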
@@ -267,6 +267,9 @@
 }
 bindshell () {
 PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
+if [ -f "/etc/chkrootkit.portwhitelist" ]; then
+       source /etc/chkrootkit.portwhitelist || echo "${FUNCNAME}: failed to source /etc/chkrootkit.portwhitelist, using defaults."
+fi
    OPT="-an"
    PI=""
    if [ "${ROOTDIR}" != "/" ]; then
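Review bot: the new `source /etc/chkrootkit.portwhitelist` executes whatever that file contains as root on every cron run, and the only guard is `[ -f ... ]`; nothing checks that the file is owned by root and not writable by anyone else, so a user who can create or edit it gets root code execution the next time chkrootkit runs. Check owner and mode first (for example `[ "$(stat -c %U:%a /etc/chkrootkit.portwhitelist)" = "root:644" ]`), or better, read the single PORT= line out of the file as data instead of executing it. Two smaller points: `source` and `${FUNCNAME}` are bash-only while chkrootkit runs under /bin/sh (use `.` and the literal name `bindshell`), and since the file simply redefines PORT it replaces the default list rather than adding exclusions to it, so a short "whitelist" silently drops every port that is not repeated in it.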
@@ -306,7 +309,7 @@
       fi
 
       if [ "${EXPERT}" = "t" ]; then
-         [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
+         [ -r /proc/kallsyms ] &&  ${egrep} -i "adore|sebek" < /proc/kallsyms 2>/dev/null
          [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
          PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
          [ "$PV" = "" ] &&  PV=2
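Review bot: this and the two hunks below replace every /proc/ksyms reference with /proc/kallsyms, which removes the check entirely on 2.4 kernels (where only /proc/ksyms exists) instead of supporting both; set the path once near the top of the script, e.g. `KSYMS=/proc/kallsyms; [ -r $KSYMS ] || KSYMS=/proc/ksyms`, and use `${KSYMS}` in all three places so the three hunks collapse into one and older kernels keep coverage. Note also that /proc/kallsyms lists the symbols of every loaded module, so a legitimate module whose symbol names happen to contain "adore" or "sebek" trips the warning, and the case-insensitive grep widens that further.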
@@ -316,14 +319,14 @@
       fi
 
       ### adore LKM
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i adore < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Adore LKM installed"
       fi
 
       ### sebek LKM (Adore based)
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i sebek < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i sebek < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Sebek LKM installed"
       fi
 
@@ -2519,6 +2522,42 @@
     fi
 }
 
+promisctest () { 
+ip="/sbin/ip"
+       if [ ! "$SYSTEM" = "Linux" ]; then
+               printf "%snot tested: non-Linux system.\n"
+               return ${NOT_TESTED}
+       elif [ ! "${VERSION:2:1}" -ge "4" ]; then
+               printf "%snot tested: unsupported kernel version.\n"
+               return ${NOT_TESTED}
+       elif [ ! -x ${ip} ]; then
+               printf "%snot tested: could not exec ${ip}.\n"
+               return ${NOT_TESTED}
+       fi
+       printf "%s\n"
+       ${ip} link show | ${egrep} "^[0-9]" | while read DEVF; do
+       DEVF=( ${DEVF} ); let DEVFLEN="${#DEVF[0]}+${#DEVF[1]}+${#DEVF[2]}"
+       if [ "${#DEVF[2]}" -le "4" -o "${DEVFLEN}" -le "9" ]; then
+               printf "%snot tested: device ${DEVF[1]} has only device flags: ${DEVF[2]}.\n"
+       else    
+               printf "%s${DEVF[@]}" | ${egrep} -qe "PROMISC"
+               case "$?" in
+               1)      if [ "${EXPERT}" = "t" ]; then
+                               printf "%s${DEVF[1]} has device flags: ${DEVF[2]}\n"
+                       else
+                               printf "%s${DEVF[1]}\tis not promisc\n"
+                       fi;;
+               0)
+                       if [ "${EXPERT}" = "t" ]; then
+                               printf "%s${DEVF[1]} has device flags: ${DEVF[2]}\n"
+                       else
+                               printf "%s${DEVF[1]}\tIS PROMISC\n"
+                       fi;;
+               esac
+       fi
+       done
+ }
+ 
 # main
 #
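Review bot: the kernel-version gate `[ ! "${VERSION:2:1}" -ge "4" ]` tests the third character of the version string, which works for 2.4.x and 2.6.x but makes every 3.x kernel (3.0 shipped in July 2011) report "unsupported kernel version" and skip the test; compare the major.minor pair instead (e.g. `case "$VERSION" in 2.[0-3].*) ... esac`). The function also never returns a status when an interface is promiscuous: it prints "IS PROMISC" and then falls through to the exit status of the `done` loop, so chkrootkit's return code and anything keyed on INFECTED/NOT_INFECTED never reflect the finding; the `while read` runs in a pipeline subshell, so count the hits outside it (for example by piping the loop output through `grep -c 'IS PROMISC'`) and `return ${INFECTED}` when the count is non-zero. Smaller points: `${VERSION:2:1}` and the `DEVF=( ... )` array are bash-only while chkrootkit is a /bin/sh script; the `printf "%snot tested: ..."` calls supply a `%s` with no argument (harmless, but it reads like a leftover); and the length heuristic on `${DEVF[2]}` (flags field of four characters or fewer, or three fields totalling nine or fewer) is a fragile way to say "no flags in angle brackets", where `case "${DEVF[2]}" in \<*\>) ... esac` states the intent.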
- details for promisctest you can find in my web log,
- /etc/chkrootkit.portwhitelist looks like this:
Code:
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
(in which you basically add any legitimate open server ports to exclude from the check), and
- /proc/ksyms vs /proc/kallsyms you can google for.
If your CRT installation runs fine feel free to not patch it :-]
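The wrapper described at the top of this post, as an added example that is not part of the thread or of the Tiger package: run from cron in place of the packaged tigercron entry, it mails only when the newest report carries findings, so an empty run produces no mail at all. The --WARN-- prefix is Tiger's, as seen in the warnings quoted in this thread, and --FAIL--/--ALERT-- are its other finding levels; the report directory, the security.report.* file naming, the recipient and the cron line in the comment are assumptions to adjust to your install.

```shell
#!/bin/sh
# Added example: mail a Tiger report only when it contains findings.
# Assumptions (not from the thread): reports live under /var/log/tiger as
# security.report.* and mail(1) is available. Override with TIGER_LOG / MAILTO.
TIGER_LOG=${TIGER_LOG:-/var/log/tiger}
MAILTO=${MAILTO:-root}

# tiger_findings FILE: print the FAIL/WARN/ALERT lines of a report.
# Exit status is grep's: 0 when at least one finding exists, 1 when none.
tiger_findings() {
    grep -E '^--(FAIL|WARN|ALERT)-- ' "$1"
}

# latest_report DIR: path of the newest security.report.* file, empty if none.
latest_report() {
    ls -t "$1"/security.report.* 2>/dev/null | head -n 1
}

# mail_if_findings FILE: send the findings to $MAILTO.
# Returns 0 after mailing, 1 when the report has nothing to report.
mail_if_findings() {
    findings=$(tiger_findings "$1") || return 1
    printf '%s\n' "$findings" | mail -s "Tiger findings on $(hostname) ($1)" "$MAILTO"
}

# Assumed cron entry, replacing the packaged one:
#   0 3 * * * root tiger -q >/dev/null 2>&1; /usr/local/sbin/tiger-mail run
# Without the "run" argument the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
    report=$(latest_report "$TIGER_LOG")
    [ -n "$report" ] || exit 0
    mail_if_findings "$report"
fi
```

Because `tiger_findings` filters on the message prefix rather than on file size, a report that only carries --INFO-- lines stays silent, which is the difference between "the file is not empty" and "there is something to act on".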
 
Old 08-06-2011, 09:32 PM   #62
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
I think I'll remove the tiger cron.


Quote:
Originally Posted by unSpawn
Sure it is:
Code:
 tiger]$ gfind doc/ con010c
(...)
Don't you have /usr/share/doc/samhain.*/manual.html/?
Although there are plenty of files in /usr/share/doc/tiger, this command on my machine returns nothing:
Code:
sudo grep -irl con010c /usr/share/doc/tiger


Quote:
Originally Posted by unSpawn
/etc/environment isn't mentioned in https://bugs.launchpad.net/ubuntu/+source/tiger or https://savannah.nongnu.org/bugs/?fu...ch&group=tiger so you could file a bug report if you can.
I would very much like to contribute to the community by helping with this, but it's going to have to wait until I get my server configured. This is taking so long and the learning curve is quite steep.

Quote:
Originally Posted by unSpawn
Both: /etc/init.d/rcS starts services and /etc/login.defs gets or should get consulted when users run a shell.
Ok that's very helpful thank you.

Quote:
Originally Posted by unSpawn
Has got nothing to do with "hope" and hoping for things to automagically "configure themselves" to me isn't the wisest of approaches. Regardless of that it's just a case of adjusting the main config (excluding management IP ranges, setting amount of failed logins, log files to watch) and enabling services.
I know this probably sounds feeble, but I have more faith in the package maintainers than myself. Samhainrc seems pretty manageable -- except for my inability to get the database stuff working (see the other thread).

Quote:
Originally Posted by unSpawn
That is something you could have googled yourself. FTPS is FTP over SSL and SFTP is the Secure File Transfer Program that comes with OpenSSH.
Apologies, I'll be looking into it. It would certainly have been helpful for an answer though. I'm doing all kinds of research just to try and keep up here.

Thanks for the chkrootkit patch. I will look into rootkithunter.
 
Old 08-07-2011, 06:24 PM   #63
unSpawn
Moderator
 
Quote:
Originally Posted by sneakyimp View Post
Although there are plenty of files in /usr/share/doc/tiger, this command on my machine returns nothing:
Code:
sudo grep -irl con010c /usr/share/doc/tiger
Either it's not in that location or the maintainer stripped it. Best check the Samhain tarball.
 
Old 08-09-2011, 12:09 PM   #64
sneakyimp
Member
 
Progress. I went back to an earlier snapshot prior to the samhain anomaly (missing /var/run/samhain folder) and started applying the various configuration changes we've covered.

Samhain is now compiled from source and writing the db. Samhainrc configured to scan logs I have whereas ones I don't are commented out. Samhain notifications are minimal. Fail2ban is installed and it bans me when I fail login too many times. And of course the IP tables and amazon security groups have all the ports locked down. There are still some tiger tasks I'd like to sort out (umask) but they are going to have to wait as I'm getting some unbearable heat to get the server moved. Incoming mail is handled by Google Apps. Outgoing mail handled by Amazon SES. DNS handled by Amazon Route 53. MySQL handled by Amazon RDS. That leaves Apache and PHP.

I'm going to take a snapshot of the machine in its current state and then commence with Apache and PHP install. Any advice is welcome.
 
Old 08-09-2011, 12:18 PM   #65
sneakyimp
Member
 
I just listed my cron jobs and am wondering if any of these (e.g., "popularity-contest" or "john") might be removed or look suspicious. Also, you said that chkrootkit doesn't require additional configuration on install, but my version of chkrootkit was installed by tiger and disabled it in the tiger configuration. Still, chkrootkit appears to have its own cron job.

Code:
root@ip-WWW-XXX-YYY-ZZZ:/home/jason# ls -rl /etc/cron*
-rw-r--r-- 1 root root  724 2010-04-15 06:51 /etc/crontab
-rw-r--r-- 1 root root   16 2011-08-09 00:55 /etc/cron.allow

/etc/cron.weekly:
total 4
-rwxr-xr-x 1 root root 887 2010-10-05 13:24 man-db

/etc/cron.monthly:
total 4
-rwxr-xr-x 1 root root 129 2010-04-15 06:51 standard

/etc/cron.hourly:
total 0

/etc/cron.daily:
total 56
-rwxr-xr-x 1 root root  3349 2010-04-15 06:51 standard
-rwxr-xr-x 1 root root  2149 2009-06-16 13:12 popularity-contest
-rwxr-xr-x 1 root root   606 2010-03-24 12:35 mlocate
-rwxr-xr-x 1 root root  1327 2010-10-05 13:24 man-db
-rwxr-xr-x 1 root root    89 2010-03-07 03:30 logrotate
-rwxr-xr-x 1 root root   256 2010-04-15 17:24 dpkg
-rwxr-xr-x 1 root root  2022 2009-11-05 06:21 chkrootkit
-rwxr-xr-x 1 root root   502 2009-11-10 18:35 bsdmainutils
-rwxr-xr-x 1 root root   314 2010-04-09 14:41 aptitude
-rwxr-xr-x 1 root root 15914 2011-05-30 05:43 apt
-rwxr-xr-x 1 root root   189 2010-04-19 08:56 apport

/etc/cron.d:
total 8
-rw-r--r-- 1 root root 607 2009-12-21 22:28 john
-rw-r--r-- 1 root root 145 2011-08-08 23:56 cloudinit-updates
 
Old 08-11-2011, 05:09 PM   #66
unSpawn
Moderator
 
Quote:
Originally Posted by sneakyimp View Post
I'm going to take a snapshot of the machine in its current state and then commence with Apache and PHP install. Any advice is welcome.
Thanks for the report. It's nice to see that after the shaky start things are coming together. As far as Apache and PHP are concerned I'd say "just do it". We'll tackle hardening that part of your web stack once you've (re-!)read the relevant parts of the Ubuntu documentation and the Securing Debian manual. That would be a good start and it increases self-reliance.


Quote:
Originally Posted by sneakyimp View Post
I just listed my cron jobs and am wondering if any of these (e.g., "popularity-contest" or "john") might be removed or look suspicious.
None look suspicious: if in doubt just retrace jobs to their package. IIRC "popularity-contest" is specifically Debian: list the package description to find out what it's about then remove if unnecessary for day to day server ops.


Quote:
Originally Posted by sneakyimp View Post
Also, you said that chkrootkit doesn't require additional configuration on install, but my version of chkrootkit was installed by tiger and disabled it in the tiger configuration. Still, chkrootkit appears to have its own cron job.
What I meant is it doesn't require tweaking a configuration file to run.


Quote:
Originally Posted by sneakyimp View Post
Code:
-rw-r--r-- 1 root root   16 2011-08-09 00:55 /etc/cron.allow
Contents of this file?


Quote:
Originally Posted by sneakyimp View Post
Code:
-rw-r--r-- 1 root root 607 2009-12-21 22:28 john
Is this john as in "John The Ripper" (JTR)? Else contents of this job?

Last edited by unSpawn; 08-11-2011 at 05:22 PM.
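Retracing a cron job to its package, as the reply above suggests, is `dpkg -S /etc/cron.daily/chkrootkit`; going one step further and checking that the job is still the file the package shipped is what the following added example does (mine, not from the thread or from dpkg). Files under /etc are dpkg conffiles, and their install-time md5 is recorded in the Conffiles: section of /var/lib/dpkg/status rather than in the package's .md5sums list, so the script parses that section; the status file, package name and root directory are parameters so it can be run against a copied tree, and the "check" mode walks the live cron directories.

```shell
#!/bin/sh
# Added example: verify cron jobs under /etc against the checksums dpkg recorded.
# /etc files are dpkg "conffiles"; their install-time md5 is stored in the
# "Conffiles:" section of /var/lib/dpkg/status as lines " /path md5[ obsolete]".

# conffiles STATUS PKG: print "path md5" for every conffile recorded for PKG
conffiles() {
    awk -v pkg="$2" '
        /^Package: /           { inpkg = ($2 == pkg); inlist = 0; next }
        inpkg && /^Conffiles:/ { inlist = 1; next }
        inlist && /^ /         { print $1, $2; next }   # " /etc/x md5" (+ optional "obsolete")
        inlist                 { inlist = 0 }           # any other header ends the list
    ' "$1"
}

# changed_conffiles STATUS PKG [ROOT]: one "CHANGED path" or "MISSING path" line per
# conffile whose current content no longer matches; prints nothing when all match.
changed_conffiles() {
    status=$1; pkg=$2; root=${3:-}
    conffiles "$status" "$pkg" | while read -r path want; do
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
        else
            have=$(md5sum < "$file" | cut -d' ' -f1)   # hash stdin so no file name is printed
            [ "$have" = "$want" ] || echo "CHANGED $path"
        fi
    done
}

# verify_conffiles STATUS PKG [ROOT]: print the differences, exit 0 only when there are none
verify_conffiles() {
    out=$(changed_conffiles "$@")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# "check" walks the live cron directories: unowned jobs are flagged ORPHAN,
# owned ones are compared against every conffile of the owning package.
if [ "${1:-}" = "check" ]; then
    for f in /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -f "$f" ] || continue
        pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1)   # "chkrootkit: /etc/cron.daily/chkrootkit"
        if [ -z "$pkg" ]; then
            echo "ORPHAN  $f (no package owns it)"
        else
            verify_conffiles /var/lib/dpkg/status "$pkg" | sed "s|^|$pkg: |"
        fi
    done
fi
```

An ORPHAN is not automatically hostile (a locally written job lands there too), but on a box that was compromised before, anything in /etc/cron* that neither dpkg nor you can account for deserves a look before the snapshot is declared clean.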
 
Old 08-12-2011, 01:36 PM   #67
sneakyimp
Member
 
Quote:
Originally Posted by unSpawn View Post
Thanks for the report. It's nice to see that after the shaky start things are coming together. As far as Apache and PHP are concerned I'd say "just do it". We'll tackle hardening that part of your web stack once you've (re-!)read the relevant parts of the Ubuntu documentation and the Securing Debian manual. That would be a good start and it increases self-reliance.
Almost forgot about the securing debian manual (so many things to keep track of). I should probably run tiger again too now that I've got apache and PHP set up. Although I wonder from a security perspective what it might mean, I think I like this cloud thing. I've offloaded outgoing mail to SES. It seems pretty good as far as I can tell. I've offloaded incoming mail to Google Apps. I've offloaded DNS to Amazon Route 53. I'm running my databases on Amazon RDS. It was a bit painful to set some of this up, but less painful than setting up and maintaining bind, imap, postfixadmin, squirrelmail, etc.


Quote:
Originally Posted by unSpawn View Post
Contents of this file?
Code:
$ cat /etc/cron.allow
root
sneakyimp
sneakyimps_boss

Quote:
Originally Posted by unSpawn View Post
Is this john as in "John The Ripper" (JTR)? Else contents of this job?
I don't know. man john says "john - a tool to find weak passwords of your users"
Here's the contents of the cronjob:
Code:
# cat /etc/cron.d/john
#
# Start john everyday at the same to try to crack the passwords. The
# second line will then later stop the process so that it doesn't
# consume system resources that are needed otherwise. You are
# encouraged to change the times.
#
# Also notice that John is 'nice'd, if you don't like this (you 
# believe that your system can run fine with john doing its work)
# just remove the 'nice' call
#
# JOHN_OPTIONS = foo bar (man 5 crontab)
#
#00 1	* * *	root	[ -x /usr/share/john/cronjob ] && nice /usr/share/john/cronjob start
#00 7	* * *	root	[ -x /usr/share/john/cronjob ] && /usr/share/john/cronjob stop

I spent a good deal of time pruning my old PHP code to get rid of deprecated files, scanning for viruses, doing grep searches for any network or file access I could think of. Couldn't find any nastiness, but then again there are 846 PHP files alone. Any tips here would be welcome.

I'm also thinking I'd like to set up samhain to keep an eye on my PHP source directory. I see that it might be easy enough to add it to the samhainrc. Is there some way to exclude a sub-folder of my public_html directory that receives uploaded images? Or to exclude individual files? I don't know if sequence matters for the samhainrc settings or what.
 
Old 08-18-2011, 05:01 PM   #68
sneakyimp
Member
 
OK so I did spend some time following the advice of the Securing Debian manual, but I was not able to chroot everything, etc. as I just could not justify more effort on this to my partner/client. I took one last snapshot of my server configuration and took it live (which has been quite a chore) and it is serving pages. The site is using a new SSL certificate and a new transaction key for the payment gateway. Samhain notifies me if I change a file. Fail2ban has been banning some IP addresses and letting me know about it. I feel much safer now but want to make sure I'm doing everything I can reasonably do to keep the system safe.

Should the system get compromised again, I can restore from the snapshot created prior to launch. I have a handful of questions that I hope you can answer.

Q1: Why does Samhain send me so many notifications?
Samhain notifies me when I change one of the files it is monitoring which is quite pleasing. However, I get hit with a barrage of notifications when I reboot the server (this happens every time I take a snapshot). I noticed that samhain_file (the samhain database, I believe) still has a date of August 9. Am I to understand that the samhain database is only ever altered when you initialize it and is otherwise never updated by samhain? If so, I'm guessing I should make a new samhain DB that reflects the state of my server after various configuration changes.

Q2: Is it possible to exclude the yahoo bot from fail2ban's apache-noscript jail?
I've enabled the apache-noscript jail in fail2ban and I'm happy that it has banned a few visitors, but one of the banned IPs appears to be the yahoo web crawler and I definitely don't want to ban that lest I jeopardize our search engine rankings. I see that the filter file has an ability to ignore certain entries but am not familiar with the pattern matching syntax in use -- I also wonder if simply allowing lines that contain the word 'yahoo' is a good idea. Is there some way to use a CIDR block to let yahoo bot do its thing?

Q3: Are there other exercises I can do to harden the web stack?
Aside from tiger/samhain/Securing Debian, do you have any additional directions to harden this machine? Keep in mind it's just running Apache 2.2 and PHP 5.3.2. The DNS, mail, and MySQL stuff is all served elsewhere.
 
Old 08-18-2011, 07:28 PM   #69
unSpawn
Moderator
 
Quote:
Originally Posted by sneakyimp View Post
I was not able to chroot everything, etc.
As I said before only you decide what measures to implement and besides security does not involve chrooting everything without giving it thought anyway.


Quote:
Originally Posted by sneakyimp View Post
it is serving pages.
Congratulations.


Quote:
Originally Posted by sneakyimp View Post
The site is using a new SSL certificate and a new transaction key for the payment gateway.
...which files you secured by using strict file permissions and put under Samhain's watchful eye.


Quote:
Originally Posted by sneakyimp View Post
Should the system get compromised again, I can restore from the snapshot created prior to launch.
Indeed, but that doesn't absolve you from finding out the point of entry before doing so (or risk exposing the same hole again and again until you do).


Quote:
Originally Posted by sneakyimp View Post
I get hit with a barrage of notifications when I reboot the server
...which is a Good Thing as it shows Samhain works OK, shouldn't be any other way. As you've posted no example alert messages I'd say there's two choices: live with it or temporarily disable email reporting pending reboot. Since you're not supposed to reboot production servers that often anyway I'd suggest you live with it and only seek to change behaviour if the nuisance becomes a problem.


Quote:
Originally Posted by sneakyimp View Post
Am I to understand that the samhain database is only ever altered when you initialize it and is otherwise never updated by samhain?
(As long as you keep an off-site backup) you can update the database ('man samhain': "-t update").


Quote:
Originally Posted by sneakyimp View Post
Is it possible to exclude the yahoo bot from fail2ban's apache-noscript jail?
Is Yahoo listed in /etc/fail2ban/filter.d/apache-badbots.conf perchance?


Quote:
Originally Posted by sneakyimp View Post
Are there other exercises I can do to harden the web stack?
Aside from tiger/samhain/Securing Debian, do you have any additional directions to harden this machine?
So far you've been securing the operating system itself and we haven't talked about any network hardening (except basic firewall rules and fail2ban usage) or about whatever your web stack comprises, except that you should run tests against it. There will now be a short interlude during which you have time to look at the 2011 CWE/SANS Top 25 Most Dangerous Software Errors...
 
Old 08-23-2011, 11:20 AM   #70
sneakyimp
Member
 
OK I've seen the top 25 list before but it was nice to pay a refreshing visit to it again. I've always been extremely careful about preventing SQL injection and a great deal of effort has gone into validating user input for this particular site. As for OS command injection, I can't speak for the various components of the stack, but this site doesn't make use of any OS commands via PHP. I need to get a better understanding of XSS. I'll be studying that.

I think I will also update my samhain database after I've checked the hashes of my installed packages. I'm starting to feel some real love for samhain. My faithful watchdog. I've got it watching my entire www directory.

As for fail2ban banning the bots, it's because of the apache-noscript jail I enabled and not because of the badbots jail. These bots are getting banned by fail2ban because they repeatedly request nonexistent scripts. I may have to disable this jail, but would prefer to exclude the yahoo and msnbots from the fail2ban checks, ideally by specifying their CIDR blocks. Is this possible with fail2ban?
 
Old 08-25-2011, 05:22 PM   #71
unSpawn
Moderator
 
Thanks for posting feedback, much appreciated.

Quote:
Originally Posted by sneakyimp View Post
I may have to disable this jail, but would prefer to exclude the yahoo and msnbots from the fail2ban checks, ideally by specifying their CIDR blocks. Is this possible with fail2ban?
As far as I can see the "apache-noscript jail" utilizes Shorewall. Shorewall does come with a load of manual pages and if you start at 'man shorewall-exclusion' I'm sure you'll find the shorewall way to exclude nets.
 
Tags
hardening, lamp, ubuntu