Securing Memcached

Memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Memcached is a great piece of software that was designed with performance in mind. Still, memcached has few (or should I say no?) security features built in. If we run memcached on a public IP and unprotected, anyone will be able to reach it and make memcached connections. This guide is intended to show some simple steps that can be used to secure your memcached setup.

You might say that you are not saving any private information in memcached and just cache parts of your public pages. Well, even in this case you will want your memcached daemon protected and not open to DoS attacks. Basically, regardless of the data you will cache (even if this is public or backend SQL private data), you will probably want to control who can access it, and since memcached doesn’t have any built-in authentication and doesn’t require any user or password, we will have to use external protection methods like iptables or other firewall rules for protection.

EnGarde Secure Community 3.0.18 Released

Guardian Digital released yesterday, December 4, 2007, the latest version of their security targeted distribution: EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). ISOs for i686 and x86_64 are available for direct download and also as torrent images. The download size is very small (~570 MB) but it includes all the necessary tools to run a secure standalone or application server.

Changes in 3.0.18 include among others:

  • New Guardian Digital Health Center for proactive hardware monitoring
  • FwkNop and PSAD tools for new levels of security (featured in the new Linux Firewalls book by Michael Rash)
  • New stress-kernel package with a new stress testing suite
  • Several new packages such as drbd (8.2.1), dsniff (2.3), psad (2.1), quota (3.15), sdparm (1.02), stress-kernel (3.0).
  • The latest stable versions of MySQL (5.0.45), asterisk (1.4.14), kernel (2.6.23), openswan (2.4.10), samba (3.0.27a), syslog-ng (2.0.5), webtool (3.18), etc.
  • Numerous fixes and feature enhancements

Apache Tips: Disable the HTTP TRACE method

Applies: apache 1.3.x / apache 2.0.x
Required apache module: -
Scope: global server configuration
Type: security

Description: How to disable the HTTP TRACE method on recent apache versions.

Most vulnerability scanners (like the popular Nessus, but commercial ones also) will complain (normally at a low threat or warning level) about the TRACE method being enabled on the web server tested.

Filter out Scam and Phishing emails using SaneSecurity Clamav signatures

Clamav is probably the most popular open source antivirus software for Linux. At this time it contains 153727 signatures that will detect most viruses, and the signatures are updated regularly, allowing many mail servers to filter out the viruses before they even reach the users' mailboxes.

This post will show how easy it is to install and use SaneSecurity 3rd party Clamav signatures to extend the antivirus protection built into clamav with Scam and Phishing filtering. This can be very useful as these types of emails can be hard to detect by common antispam rules (spamassassin for example) - like the latest pdf spams, or phishing mails that are not always easy to detect. These will be filtered out directly by Clamav, which is normally running prior to antispam measures.

phpAdsNew 2.0.8-pr1 CRITICAL BUGFIX RELEASE

Here we go again… phpAdsNew is a great piece of software, but anyone using it will know that we need to be very careful to patch it quickly to avoid having our system exploited through the many bugs that are constantly discovered (this is not only true for phpAdsNew; most of the popular php scripts have this problem…). Anyway, yesterday (20061024) a new bugfix version was released, 2.0.8-pr1, and anyone logging in to the phpAdsNew admin interface was warned to perform the upgrade as soon as possible.

Allowing FTP access to files outside the home directory chroot

When we set up an FTP server (regardless of whether this is proftpd, vsftpd, etc.) we might face a dilemma: we want to restrict the access that ftp users will have (normally limited access to files in their own home directory) but we also want to allow them access to another folder that is normally in a different location (like development files for whatever work they are doing).

How to restore a hacked Linux server

Every sysadmin will try his best to secure the system(s) he is managing. Hopefully you never had to restore your own system from a compromise and you will not have to do this in the future. Working on several projects to restore a compromised Linux system for various clients, I have developed a set of rules that others might find useful in similar situations. The types of hacks encountered can vary greatly and you might see very different ones than the one I will present, or have seen live, but even so, these rules can be used as a starting point to develop your own recovery plan.

How to safely connect from anywhere to your closed Linux firewall

In general all the great ideas are the simple ones. Many times we see a great idea in practice and we wonder why we didn’t think of that before? It is just so simple… The first time I saw the knockd project I liked it instantly. The idea is so simple, and yet so effective. Knockd is a port-knocking application that silently runs on a server, passively listening to network traffic. Once it sees a port sequence that has an action configured for it, it runs that action. We can see this as a remote control for our server: once we hit the right button it will take the appropriate action!

How does a port knocker work?

  • we install the port knocker daemon on our server (knockd)
  • we configure some port sequences (tcp, udp, or both), and the appropriate action for each sequence.
  • the knockd daemon runs in the background, passively at low level on the network interface. It is completely stealthy and it will not open any ports on the server.
  • once it sees a port sequence it runs the configured action for that sequence.
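
The mechanism the list above describes, as an added example that is not part of the original post and not knockd's own code: a small passive detector that tracks, per source address, progress through a configured knock sequence and records the action that would fire when the sequence completes within a timeout. The sequence, the timeout and the traffic fed to it are constructed for the example; a real deployment would read packets from the interface and run a firewall command instead of recording a string.

```python
# Constructed knock configuration (assumed; it mirrors the kind of rule knockd
# takes): the (protocol, port) pairs must arrive in this order, with the whole
# sequence completing within SEQ_TIMEOUT seconds of the first knock.
KNOCK_SEQUENCE = [("tcp", 7000), ("udp", 8000), ("tcp", 9000)]
SEQ_TIMEOUT = 10.0


class KnockDetector:
    """Passive sequence tracker: it is fed observed packets and never opens a
    listening socket itself, which is the point of a port knocker."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        # src_ip -> (index of next expected knock, timestamp of first knock)
        self.progress = {}
        # Actions are recorded rather than executed so the example runs offline.
        self.actions = []

    def observe(self, ts, src_ip, proto, dst_port):
        """Feed one packet (timestamp in seconds, source IP, protocol, port).
        Returns the action string when the sequence completes, else None."""
        state = self.progress.get(src_ip)
        # A partial sequence older than the timeout is discarded (knockd's seq_timeout).
        if state is not None and ts - state[1] > self.timeout:
            state = None
        expected, started = state if state is not None else (0, ts)

        if (proto, dst_port) == self.sequence[expected]:
            expected += 1
            if expected == len(self.sequence):
                self.progress.pop(src_ip, None)
                # Hypothetical action: what a "command" line in knockd.conf might do.
                action = f"allow {src_ip} to tcp/22 for 30 seconds"
                self.actions.append(action)
                return action
            self.progress[src_ip] = (expected, started)
            return None

        # A wrong or out-of-order knock resets this source; hitting the first
        # port of the sequence again counts as a fresh start.
        self.progress.pop(src_ip, None)
        if (proto, dst_port) == self.sequence[0]:
            self.progress[src_ip] = (1, ts)
        return None


# Constructed packet log: (timestamp, src_ip, proto, dst_port). Addresses are
# documentation ranges, not real hosts.
CONSTRUCTED_TRAFFIC = [
    (100.0, "203.0.113.5", "tcp", 7000),
    (100.5, "203.0.113.5", "udp", 8000),
    (101.0, "203.0.113.5", "tcp", 9000),   # correct sequence in 1 s -> action
    (100.0, "198.51.100.9", "tcp", 7000),
    (100.2, "198.51.100.9", "tcp", 9000),  # out of order -> progress reset
    (100.4, "198.51.100.9", "udp", 8000),  # not the first port -> nothing
    (200.0, "192.0.2.77", "tcp", 7000),
    (215.0, "192.0.2.77", "udp", 8000),    # 15 s after first knock -> timed out
    (216.0, "192.0.2.77", "tcp", 9000),
]


def replay(events, detector=None):
    """Run a list of packet tuples through a detector and return the actions fired."""
    det = detector if detector is not None else KnockDetector()
    for event in events:
        det.observe(*event)
    return det.actions


if __name__ == "__main__":
    for fired in replay(CONSTRUCTED_TRAFFIC):
        print(fired)
```

Only the first host completes the sequence; the second host knocks out of order and the third is too slow, so neither triggers the action. That is the behaviour the list above describes: nothing listens, nothing answers, and only the exact sequence within the window does anything.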

Using fail2ban to Block Brute Force Attacks

From the category of log based tools I have chosen to present fail2ban because I consider it to be the best available log based brute force blocker. Basically, like any other log based brute force blocker, fail2ban will monitor the system log files and when certain configured events occur they will trigger fail2ban to block the offending host.

Here are the main features of fail2ban:

  • runs as a daemon (no delay in taking action as in cron based tools).
  • can use various methods to block the attack:
    • iptables (this is the default, and will most certainly be the best choice for most users)
    • TCP Wrappers (/etc/hosts.deny): this might be particularly useful if you are running a VPS that has no access to iptables rules.
    • any other method you might need to implement in your firewall setup (you will have to define the rules yourself in this case).
  • can handle more than one service: sshd (default), apache, vsftpd/proftpd, etc.
  • can send e-mail notifications.
  • can ban IPs for a limited amount of time and since 0.6.1 can also permanently ban hosts.
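
To show what "monitor the log files and block the offending host when configured events occur" means in practice, here is an added example that is not fail2ban's own code: it parses sshd failed-login lines from a constructed auth.log sample, counts failures per source address inside a sliding window, and records a temporary ban once the count reaches a threshold. The parameter names maxretry, findtime and bantime follow fail2ban's configuration vocabulary, but the values and the log lines are chosen for the example; the iptables rule string is only built, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd lines as they appear in auth.log (not real traffic;
# addresses are documentation ranges). The year is not in syslog timestamps,
# so parse_failed_login takes it as a parameter.
SAMPLE_LOG = """\
Dec  4 10:15:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec  4 10:15:03 web1 sshd[2303]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Dec  4 10:15:04 web1 sshd[2305]: Accepted publickey for deploy from 198.51.100.9 port 51000 ssh2
Dec  4 10:15:06 web1 sshd[2307]: Failed password for root from 203.0.113.5 port 40124 ssh2
Dec  4 10:15:09 web1 sshd[2309]: Failed password for root from 203.0.113.5 port 40125 ssh2
Dec  4 10:15:10 web1 sshd[2311]: Failed password for root from 203.0.113.5 port 40126 ssh2
Dec  4 10:20:00 web1 sshd[2320]: Failed password for root from 192.0.2.77 port 33001 ssh2
Dec  4 10:40:00 web1 sshd[2330]: Failed password for root from 192.0.2.77 port 33002 ssh2
Dec  4 10:41:00 web1 sshd[2331]: Failed password for root from 192.0.2.77 port 33003 ssh2
Dec  4 10:42:00 web1 sshd[2332]: Failed password for root from 192.0.2.77 port 33004 ssh2
Dec  4 10:43:00 web1 sshd[2333]: Failed password for root from 192.0.2.77 port 33005 ssh2
"""

# Matches the two common OpenSSH failure forms: with and without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failed_login(line, year=2007):
    """Return (timestamp, source_ip) for a failed-login line, or None otherwise."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


class BruteForceBanner:
    """Sliding-window failure counter with temporary bans, in the style of a
    log based blocker. Values here are chosen for the example."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry          # failures that trigger a ban
        self.findtime = findtime          # window in seconds in which they must occur
        self.bantime = bantime            # ban duration in seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                    # ip -> datetime when the ban expires

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.bans and ts < self.bans[ip]:
            return None  # already banned, nothing more to do
        window = self.failures[ip]
        window.append(ts)
        # Drop failures older than findtime so only a burst counts.
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None

    def run(self, log_text):
        """Feed every line of a log and return the IPs banned, in order."""
        return [ip for ip in (self.feed(l) for l in log_text.splitlines()) if ip]


def ban_command(ip):
    """The iptables action a blocker would run for a banned host (string only)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    banner = BruteForceBanner()
    for banned in banner.run(SAMPLE_LOG):
        print(ban_command(banned), "until", banner.bans[banned])
```

With the sample, 203.0.113.5 reaches five failures in nine seconds and is banned; 192.0.2.77 also has five failures but the first one is twenty minutes before the rest, so it never has five inside the ten-minute findtime window and is left alone. That window is what keeps a log based blocker from banning a user who mistypes a password now and then.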

How to find out if a daemon was built with TCP Wrappers support (hosts.allow/hosts.deny)

Most of the time we will protect our servers with firewall rules, but in some situations this might not be applicable (like in a VPS environment where we don’t have access to iptables). TCP wrappers (Wietse Venema’s TCP wrappers library) can be used in such cases to allow or deny access based on the rules configured in /etc/hosts.allow and /etc/hosts.deny. Most of the daemons that we might consider protecting this way will probably have built-in support for TCP Wrappers (ssh, ftp, xinetd, etc.), but how can we be sure? We might be writing the correct lines in hosts.allow/deny but not see any results. In this little post I will show how we can verify if any daemon has been built with TCP Wrappers support.
