The geoip iptables extension allows you to filter, nat or mangle packets based on the source or destination country. This does exactly what the geoip apache module or the regular geoip binary does, but at the iptables level. I will not go into the details of why you would want to use that, but there are many ‘positive’ ways it can be useful… For example, I use it in a project where we want to serve customized content for different countries. Since this is a high traffic site running on many web servers behind a loadbalanced setup, we prefer to split this at the loadbalancer level and not at the apache level, to simplify our setup. We serve customized content to US based visitors, while for the other countries we serve another international site.
Now this has been working fine for a long time, using the original geoip module and the patch-o-matic-ng method of installation (similar to what is very well described here). Still, this is unmaintained, and starting with kernel 2.6.22 it no longer works. There is a patch that will make it work with a newer kernel, but if you run iptables 1.4.x this will again fail, and even if there are some manual workarounds this is still not the best solution.
The solution is called Xtables-addons. Xtables-addons is the successor to patch-o-matic-ng. Likewise, it contains extensions that were not, or are not yet, accepted in the main kernel/iptables packages. Xtables-addons differs from patch-o-matic in that you do not have to patch or recompile the kernel, and sometimes recompiling iptables is not needed either.
The latest version 1.12 supports: iptables >= 1.4.1 and kernel-source >= 2.6.17.
Tags: geoip, iptables, kernel_modules, lenny
Awstats will consider any entry from the log it processes as a page hit. By default some file extensions (the regular image types and css/js) are excluded from what awstats will consider a page:
NotPageList="css js class gif jpg jpeg png bmp ico" (this is the default). All other file types will be counted as pages. Now, if we want to completely ignore some files, or even all the content of one folder, from the awstats processing we can use the SkipFiles parameter. We might want to do this to ignore some frames, hidden pages, ajax calls, etc.
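As an added illustration that is not part of the original post, here is a constructed awstats.conf fragment that keeps the default NotPageList and uses SkipFiles to drop a hidden page, an ajax endpoint and a whole folder from processing; the paths are made up for the example:

```ini
# Constructed awstats.conf fragment (added example, paths are invented).
# Extensions listed here are still counted as hits (and bandwidth),
# they are just not counted as pages.
NotPageList="css js class gif jpg jpeg png bmp ico"

# SkipFiles removes matching log entries from processing entirely:
# no hit, no page, no bandwidth. Entries are space separated. A plain
# entry must match the URL exactly (case sensitive); a REGEX[...] entry
# is a Perl regular expression matched against the URL.
#   /hidden/stats.html   -> one hidden page
#   REGEX[^\/ajax\/]     -> everything under the /ajax/ folder
#   REGEX[^\/frames\/]   -> everything under the /frames/ folder
SkipFiles="/hidden/stats.html REGEX[^\/ajax\/] REGEX[^\/frames\/]"
```

SkipFiles only affects log lines processed after the change; already processed data stays in the awstats history files.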
Tags: awstats
Description: This will show how to hide the lighttpd version to remote requests.
Useful: there is really no need to disclose this information to everyone. As shown in “Discover the web server software and version of a remote server”, anyone can find valuable information in our web server banner. Hiding it will not protect in any way from real vulnerabilities if they exist, but it will at least make their life harder. This will also not stop more complex fingerprinting programs from detecting some information about the web server, but at least we should not make their life easier.
Tags: lighttpd, lighty-tips-and-tricks
You can quickly test with dig if a DNS resolver is using random source ports for queries:
dig +short @<IP_DNS_SERVER> porttest.dns-oarc.net txt
For more details check out my post about this: “How to check if your DNS server implements source port randomization”
Tags: bind, dns, named, Security
Today Amazon announced the public beta of Amazon CloudFront, their AWS service for content delivery. This is the service that many users of Amazon S3 (Simple Storage Service) have been waiting for for a long time. Even if S3 was never a ‘real’ CDN (content delivery network), it was used by many sites to serve static content. The main limitation of this approach was that it had no geographical awareness, as content delivery networks usually have; the fact that S3 is highly scalable and well priced made this solution acceptable.
CloudFront is the answer to all users’ requests about using S3 as a CDN, delivering the content using a global network of 14 edge locations. CloudFront uses S3 to store the original file, and caches copies of the content close to end user locations, lowering latency when they download the objects.
Tags: amazon, aws, cdn, Cloud Computing, CloudFront, s3
PPTP is known to be less secure than other VPN software, but if you need a quick solution for a VPN server that Windows workstations will connect to out of the box, PPTP is the obvious choice. This post will show how easy it is to set up a PPTP VPN server on Debian Etch.
A while ago setting up a pptp server was not so simple. It involved patching the kernel and the ppp daemon. These days in Debian Etch everything comes out of the box and we just have to install the pptpd server and configure it based on our needs. First let’s install pptpd:
aptitude install pptpd
(this will also install some dependencies: bcrelay and ppp). The default pptpd configuration file is installed under /etc/pptpd.conf; you can change any of the available options (samples are included in the configuration file as comments), but really the only things that need to be configured are the IP of the local server, used by pptpd as the local gateway for the remote hosts, and the IPs assigned to the remote users:
Tags: pptp, vpn
I have been working with various Cisco devices for many years now. Even though I hold a valid CCNP, I didn’t have the chance to work with Cisco devices during the past months as much as I did when I was actively working in the ISP field. Still, from time to time I take on small Cisco related consulting projects. This post will show how to overcome the frustration of the top line Cisco ASA firewalls not supporting interface ip aliases.
Cisco PIX firewalls have been around for many years and I was aware of the stupid limitation they had about not being able to add ip aliases on their interfaces. Again, this was many years ago… Today when I had to configure a small Cisco ASA 5505 device, I didn’t even think that the fanciest line of Cisco firewalls still has this limitation. You could say that the 5505 is the cheapest model and this is the reason for the limitation. Well, it costs much more than any other similar hardware firewall and honestly every other box I have seen supports this (I can’t even call it a feature)… I can’t be certain as I don’t have such a device to test out, but from what I can tell, all the ASA product line has the same issue, including the higher level 5550 and 5580.
Tags: asa, cisco, pix
Memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Memcached is a great piece of software that was designed with performance in mind. Still, memcached has little (or should I say no?) security features built-in. If we run memcached on a public ip and unprotected, anyone will be able to reach it and make memcached connections. This guide is intended to show some simple steps that can be used to secure your memcached setup.
You might say that you are not saving any private information in memcached and just cache parts of your public pages. Well, even in this case you will want your memcached daemon protected and not open to DOS attacks. Basically, regardless of the data you will cache (whether this is public or private backend sql data), you will probably want to control who can access it, and since memcached doesn’t have any built-in authentication and doesn’t require any user or password, we will have to use external protection methods like iptables or other firewall rules for protection.
Tags: memcached
Guardian Digital released yesterday, December 4, 2007, the latest version of their security targeted distribution: EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). ISOs for i686 and x86_64 are available for direct download and also as torrent images. The download size is very small, ~570 MB, but it includes all the necessary tools to run a secure standalone or application server.
Changes in 3.0.18 include among others:
- New Guardian Digital Health Center for proactive hardware monitoring
- FwkNop and PSAD Tools for new levels of Security (featured in the new Linux Firewalls book by Michael Rash)
- New stress-kernel package with a new stress testing suite
- Several new packages such as drbd (8.2.1), dsniff (2.3), psad (2.1), quota (3.15), sdparm (1.02), stress-kernel (3.0).
- The latest stable versions of MySQL (5.0.45), asterisk (1.4.14), kernel (2.6.23), openswan (2.4.10), samba (3.0.27a), syslog-ng (2.0.5), webtool (3.18), etc.
- Numerous fixes and feature enhancements
Tags: distributions, engarde, releases
Applies: apache 1.3.x / apache 2.0.x
Required apache module: -
Scope: global server configuration
Type: security
Description: How to disable the HTTP TRACE method on recent apache versions.
Most vulnerability scanners (like the popular nessus, but commercial ones also) will complain (normally at a low threat or warning level) about the TRACE method being enabled on the web server tested.