Set Up a Secure SSH Tunnel Proxy and Surf in Private

Textile

2009-09-23T19:29:43+02:00

192

1366

en 0 5 set_up_a_secure_ssh_tunnel_proxy_and_surf_in_private

2009-09-24T05:15:16+02:00

published

Do you want to bypass a firewall that has too many restrictions? Well, all you have to do is set up a secure SSH Tunnel. It's easy and once you do it, you can surf the web privately in addition to not being at the mercy of a network administrator who's decided to block your favorite sites. In this HowTo, you'll learn how to create an SSH Tunnel Proxy and then set up your web browser to use it in Linux, Windows, and even Mac.

Set Up a Secure SSH Tunnel Proxy and Surf in Private

2009-09-26T02:31:41+02:00

110

http://www.netdip.com/ssh-tunnel-proxy-how-to-set-it-up-with-linux-windows-or-mac/

#<Comment:0x2b188422f4f8> <h3>Removing .NET ClickOnce Support from Firefox</h3> <table> <tr> <th>Microsoft .NET Framework 3.5 Service Pack 1, released earlier this year, installs a Firefox extension which could not be uninstalled easily (registry hacking was needed). To make matters worse, this extension came with a pretty big security hole (at least, that’s what everyone says). A newer version of this extension has been pushed out in May, which can be uninstalled the proper way. As it turns out, Firefox apparently has a limitation in that extensions installed at the machine level (instead of the user level) cannot be uninstalled from within the extensions <span class="caps">GUI</span>.</th> </tr> </table> <p><a href="http://www.osnews.com/story/21591">story</a></p> <h3>Stop-gap Solution To uninstall the ClickOnce support for Firefox from your machine</h3> <p><a href="http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx">Uninstalling the Clickonce Support for Firefox</a></p>

Textile

h3. Removing .NET ClickOnce Support from Firefox |_. Microsoft .NET Framework 3.5 Service Pack 1, released earlier this year, installs a Firefox extension which could not be uninstalled easily (registry hacking was needed). To make matters worse, this extension came with a pretty big security hole (at least, that's what everyone says). A newer version of this extension has been pushed out in May, which can be uninstalled the proper way. As it turns out, Firefox apparently has a limitation in that extensions installed at the machine level (instead of the user level) cannot be uninstalled from within the extensions GUI.| "story":http://www.osnews.com/story/21591 h3. Stop-gap Solution To uninstall the ClickOnce support for Firefox from your machine "Uninstalling the Clickonce Support for Firefox":http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx

2009-06-13T10:49:33+02:00

899

en 0 6 uninstalling_the_clickonce_support_for_firefox

2009-06-15T04:09:31+02:00

published

Microsoft is really making it hard not to distrust them, aren't they?

Uninstalling the Clickonce Support for Firefox

2009-06-20T12:06:16+02:00

110

http://blogs.msdn.com/brada/archive/2009/02/27/uninstalling-the-clickonce-support-for-firefox.aspx

Textile

2009-06-04T00:55:11+02:00

857

en 0 3 install_and_configure_ipplan_ip_manager_in_opensuse

2009-06-05T19:11:07+02:00

published

IPplan is a free opensource IP Address management application. IPPlan is a web based IP address management software and tracking tool simplifying the administration of your IP address space. IPplan goes beyond IP address management including DNS administration, configuration file management, circuit management and storing of hardware information.

Install & Configure IPplan IP Manager in openSUSE

2009-06-05T21:11:09+02:00

110

http://www.susegeek.com/networking/install-configure-ipplan-ip-manager-in-opensuse/

Textile

2009-05-28T00:29:48+02:00

819

en 0 1 highlight_domain_and_subdomain_for_ssl_websites_in_firefox

queued

When you visit a Secure website in Firefox chances are that the FavIcon for the website is replaced with a Green bar with the details of the company. This is because of the default properties in Firefox to display detailed information of the website from the Extended Validation Certificate on the website. However, if the website doesn’t host a Extended Validation certificate then the website URL (link) in the address bar is not highlighted or in otherwords shows as a normal website URL.

Highlight Domain & Subdomain for SSL websites in Firefox

2009-05-28T00:29:48+02:00

http://www.susegeek.com/internet-browser/highlight-domain-subdomain-for-ssl-websites-in-firefox/

HTML

2008-08-24T00:12:09+02:00

396

en 0 2 nessus_vulnerability_scanner_in_opensuse

queued

The Nessus vulnerability scanner, is the world-leader in active scanners, featuring high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks. Nessus can also be used for ad-hoc scanning, daily scans, and quick-response audits.

Nessus Vulnerability Scanner in openSUSE

2008-08-29T11:32:06+02:00

http://www.susegeek.com/security/nessus-vulnerability-scanner-in-opensuse/

#<Comment:0x2b18841f2080>

HTML

2008-08-23T01:33:26+02:00

395

en 0 3 acetoneiso2_a_full_feature_rich_image_iso_tool_for_opensuse

2008-08-29T09:32:19+02:00

published

AcetoneISO2, is a feature-rich and complete software application to manage CD/DVD images. Thanks to powerful open source tools such as fuseiso, AcetoneISO2 will let You mount typical proprietary images formats of the Windows world such as ISO BIN NRG MDF IMG and is more than a simple ISO mount software.

Acetoneiso2 - A full feature rich Image/ISO tool for openSUSE

2008-08-29T11:32:21+02:00

http://www.susegeek.com/multimedia/acetoneiso2-a-full-feature-rich-imageiso-tool-for-opensuse/

Textile

2008-08-18T04:20:06+02:00

390

en 0 2 how_to_know_if_your_dns_server_y_vulnerable

queued

It is just so easy, you can doit in linux with one line.

How to know if your dns server is vulnerable!

2009-02-27T10:04:15+01:00

http://dclavijo.blogspot.com/2008/08/como-saber-si-nuestro-servidor-dns-es.html

DELETED

HTML

2008-08-08T00:26:40+02:00

372

en 0 1 truecrypt_free_opensource_on_the_fly_disk_encryption

suspended

TrueCrypt is a free opensource software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

TrueCrypt - Free opensource on the fly Disk Encryption

2008-08-10T13:07:04+02:00

#<Comment:0x2b18841cc380>

HTML

2008-08-08T00:26:38+02:00

371

en 0 1 truecrypt_free_opensource_on_the_fly_disk_encryption_tool

queued

TrueCrypt - Free opensource on the fly Disk Encryption tool

2008-08-08T00:26:38+02:00

http://www.susegeek.com/security/truecrypt-free-opensource-on-the-fly-disk-encryption-tool/

Textile

2008-07-28T18:35:00+02:00

355

en 0 5 how_to_patch_bind9_against_dns_cache_poisoning_on_debian_etch

2008-08-04T17:40:38+02:00

published

This article explains how you can fix a BIND9 nameserver on a Debian Etch system so that it is not vulnerable anymore to DNS cache poisoning.

How To Patch BIND9 Against DNS Cache Poisoning On Debian Etch

2008-08-12T23:35:57+02:00

http://www.howtoforge.com/how-to-patch-bind-to-avoid-cache-poisoning-debian-etch

Textile

2008-07-28T18:34:03+02:00

354

en 0 3 patch_bind_to_avoid_cache_poisoning_fedora_centos

2008-08-04T17:40:34+02:00

published

Dan Kaminsky earlier this month announced a massive, multi-vendor issue with DNS that could allow attackers to compromise any name server. Here you'll learn how to patch bind on Fedora/CentOS.

Patch BIND To Avoid Cache Poisoning (Fedora/CentOS)

2008-08-04T19:40:35+02:00

http://www.howtoforge.com/how-to-patch-bind-to-avoid-cache-poisoning-fedora-centos

Textile

2008-07-17T14:36:01+02:00

331

en 0 2 dns_resolution_with_tor_and_dnsmasq_in_spanish

queued

This explains hoe to setup the experimental version of tor and dnsmasq as a dns-cache pointing to it it will require a tap interface.

DNS resolution with Tor and Dnsmasq (in spanish)

2008-07-17T22:12:46+02:00

http://dclavijo.blogspot.com/2008/07/resolucion-de-dns-con-tor-y-dnsmasq.html

#<Comment:0x2b18841953a8> <h2>Check the <span class="caps">DNS</span> Server</h2> <p>Click on the right side of <a href="http://www.doxpara.com/">http://www.doxpara.com/</a> on “Check My <span class="caps">DNS</span>”.</p> <p>After a few seconds you see a dialog like</p> <pre><code> Your name server, at 125.123.2.11, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 51491 </code></pre> <h2>What shall I do if it is vulnerable</h2> <p>If it is your own <span class="caps">DNS</span> Server please apply the latest security fixes otherwise contact you <span class="caps">ISP</span> Provider.</p>

Textile

h2. Check the DNS Server p. Click on the right side of "http://www.doxpara.com/":http://www.doxpara.com/ on "Check My DNS". p. After a few seconds you see a dialog like <pre><code> Your name server, at 125.123.2.11, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 51491 </code></pre> h2. What shall I do if it is vulnerable p. If it is your own DNS Server please apply the latest security fixes otherwise contact you ISP Provider.

2008-07-09T13:39:38+02:00

319

en 0 5 check_if_your_dns_server_is_vulnerable_against_dns_cache_poisoning

2008-07-09T12:51:48+02:00

published

Check if your DNS Server is vulnerable against DNS Cache Poisoning

Check if your DNS Server is vulnerable against DNS Cache Poisoni

2008-07-10T05:25:15+02:00

http://www.doxpara.com/

Textile

2008-07-03T17:06:08+02:00

309

en 0 3 an_introduction_to_the_kismet_packet_sniffer

2008-07-05T10:12:59+02:00

published

Kismet is a wireless "detector, sniffer, and intrusion detection system," and one of the growing list of essential open source tools for computer network security professionals. Kismet runs on any POSIX-compliant platform, including Windows, Mac OS X, and BSD, but Linux is the preferred platform because it has more unencumbered RFMON-capable drivers than any of the others.

An introduction to the Kismet packet sniffer

2008-07-05T12:13:02+02:00

http://www.linux.com/feature/139754

Textile

2008-06-23T13:19:36+02:00

287

en 0 6 gentoo_booting_encrypted_system_from_usb_stick

2008-06-23T13:16:44+02:00

published

A tutorial that shows you how to encrypt the entire hard drive with LUKS, partition it with LVM, and boot it from USB stick. All done manually, but it follows the KISS principle (tries to keep things as simple as possible). If you want a no-frills, do it yourself guide on how to encrypt your entire hard disk and boot it from an USB stick, this article may be of use to you.

Gentoo: Booting encrypted system from USB stick

2008-09-25T19:54:38+02:00

111

http://www.gentoo-wiki.com/Booting_encrypted_system_from_USB_stick

Textile

2008-06-22T18:45:55+02:00

281

en 0 3 intrusion_detection_for_php_applications_with_phpids

2008-06-22T20:54:51+02:00

published

This tutorial explains how to set up PHPIDS on a web server with Apache2 and PHP5. PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. It recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

Intrusion Detection For PHP Applications With PHPIDS

2008-06-22T22:54:51+02:00

http://www.howtoforge.com/intrusion-detection-for-php-applications-with-phpids

#<Comment:0x2b1884166328> <h2>Install</h2> <p>Gentoo users do</p> <pre><code>emerge -av vlock</code></pre> Debian (and *buntu) users have to type <pre><code>aptitude install vlock</code></pre> <h2>Usage</h2> Lock the current screen (useful if you only want to lock a root shell) <pre><code>vlock -c</code></pre> Lock all ttys with <pre><code>vlock -a</code></pre> for more information and options study <pre><code>man vlock</code></pre> or <pre><code>vlock --help</code></pre> <p>Have a nice and secure day.</p>

Textile

h2. Install Gentoo users do <pre><code>emerge -av vlock</code></pre> Debian (and *buntu) users have to type <pre><code>aptitude install vlock</code></pre> h2. Usage Lock the current screen (useful if you only want to lock a root shell) <pre><code>vlock -c</code></pre> Lock all ttys with <pre><code>vlock -a</code></pre> for more information and options study <pre><code>man vlock</code></pre> or <pre><code>vlock --help</code></pre> Have a nice and secure day.

2008-06-15T20:09:06+02:00

256

en 0 4 vlock_lock_your_screen_while_you_are_away_from_your_desk

2008-06-15T23:05:33+02:00

published

Simple tool to lock your ttys to prevent others to access your computer.

vlock: Lock your screen while you are away from your desk

2008-06-16T01:46:18+02:00

<h2>How it works</h2> <p>They keyword is stored on the server, so it is never revealed to the client. Processing is performed on the server-side via an <span class="caps">AJAX</span> request and the decrypted redirect is returned to the client, opening a mail composer window… just like normal mailto link.</p> <h2>Usage</h2> <p><a href="http://howflow.com/trick/file/220/cipher_mail.zip">Download the plugin from the file area</a> of this trick (the original svn is gone) and install it in <strong>vendor/plugins</strong>.</p> <pre> <code> <%= ciphermail_to "John Smith", "someone@somedomain.com" %> </code> </pre> <h2>Copyright</h2> <p>Copyright © 2007 Michael Behan aka “JabberWock” (jabberwock /AT tenebrous /DOT com) Released under the <span class="caps">BSD</span> license</p>

Textile

h2. How it works p. They keyword is stored on the server, so it is never revealed to the client. Processing is performed on the server-side via an AJAX request and the decrypted redirect is returned to the client, opening a mail composer window… just like normal mailto link. h2. Usage p. "Download the plugin from the file area":http://howflow.com/trick/file/220/cipher_mail.zip of this trick (the original svn is gone) and install it in *vendor/plugins*. <pre> <code> <%= ciphermail_to "John Smith", "someone@somedomain.com" %> </code> </pre> h2. Copyright p. Copyright © 2007 Michael Behan aka "JabberWock" (jabberwock /AT tenebrous /DOT com) Released under the BSD license

2008-06-02T11:00:53+02:00

/var/rails/howflow/public/trick/file/220/cipher_mail.zip 220

en 0 1 rails_plugin_ciphermail_backup_archive_from_svn

queued

CipherMail provides a safe alternative to the mail_to helper by hiding mailto links from e-mail harvesting bots. The generated output is completely obfuscated by a 1024 bit random key.

Rails Plugin CipherMail (Backup Archive from svn)

2008-06-02T11:02:17+02:00

Textile

2008-06-02T09:41:29+02:00

219

en 0 1 deploying_a_content_filtering_proxy_server_with_safesquid

queued

A content filtering proxy server, helps distribute Internet access while providing control to the administrators over the content delivered. It is usually used in organizations or schools to ensure that Internet usage conforms to the local acceptable use policy.

Deploying A Content Filtering Proxy Server With SafeSquid

2008-06-02T09:42:10+02:00

http://www.howtoforge.com/content-filtering-proxy-safesquid

#<Comment:0x2b188413bd08>

Textile

2008-05-26T07:44:07+02:00

199

en 1 5 how_to_gain_system_level_access_to_windows_vista

queued

This video shows how to gain system-level access to Windows Vista. No login required. This comes in handy if you've lost your password. All you need is a Linux live CD called BackTrack.

How to Gain System-Level Access To Windows Vista

2008-05-27T17:33:24+02:00

http://www.offensive-security.com/movies/vistahack/vistahack.html

317cc4d2ea452a77cdc8ffd1e13ed40581633ec8

Textile

2008-05-22T17:59:48+02:00

192

en 0 4 intrusion_detection_system_with_ossec_hids_and_ubuntu_hardy

2008-05-23T20:20:54+02:00

published

OSSEC-HIDS is a host based intrusion detection system. It offers rootkit detection, file system integrity checks, log file analysis, time based alerting and active responses. This howto will walk you through the very simple installation of the OSSEC-HIDS application.

Intrusion detection system with OSSEC-HIDS and Ubuntu Hardy

2008-05-23T23:20:21+02:00

http://boilinglinux.blogspot.com/2008/05/intrusion-detection-system-with-ossec.html

#<Comment:0x2b1884124810> <span class="caps">NOTE</span>: since fail2ban >=0.8.1 there is allready a the action file ’/etc/fail2ban/action.d/iptables-allports.conf’. <br> if you use a version >=0.8.1 you can skip point 1 and 2 and continue with 3. <br> <br> <p>You must create two new files in /etc/fail2ban.</p> <p>1. create /etc/fail2ban/action.d/iptables-allports.conf</p> <p>2. insert the text below</p> <pre> <code> # Fail2Ban configuration file # # Author: Cyril Jaquier # Modified: Yaroslav O. Halchenko <debian@onerussian.com> # made active on all ports from original iptables.conf # # $Revision: 658 $ # [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I INPUT -p <protocol> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP [Init] # Defaut name of the chain # name = default # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = all </code> </pre> <p>3. create /etc/fail2ban/filter.d/apache-w00tw00t.conf</p> <p>4. insert the text below (NOTE: maybe you must change the regex if you have a other logformat! you can test your regex with fail2ban-regex <FILE> <REGEX>)</p> <pre> <code> #<HOST> - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326 [Definition] # Option: failregex # Notes.: regex to match the w00tw00t scan messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching. # Values: TEXT failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT ignoreregex = </code> </pre> <p>5. edit your /etc/fail2ban/jail.conf and insert the text below to the end of file or wherever you want.</p> <pre> <code> [apache-w00tw00t] enabled = true filter = apache-w00tw00t action = iptables-allports[name=w00tw00t] mail-whois[name=w00tw00t, dest=<YOURMAIL>] logpath = /var/log/apache2/access_log maxretry = 1 bantime = 86400 </code> </pre> <p>6. restart your fail2ban and wait for new mail :D</p>

you must create two new files in /etc/fail2ban. 1. create /etc/fail2ban/action.d/iptables-complete.conf 2. insert the text below [code] [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN iptables -I INPUT -j fail2ban- # Option: actionend # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = iptables -D INPUT -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = iptables -n -L INPUT | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: IP address # number of failures # unix timestamp of the ban time # Values: CMD # actionban = iptables -I fail2ban- 1 -s -j DROP # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: IP address # number of failures # unix timestamp of the ban time # Values: CMD # actionunban = iptables -D fail2ban- -s -j DROP [Init] # Defaut name of the chain # name = default # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: # port = ssh # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = all [/code] 3. create /etc/fail2ban/filter.d/apache-w00tw00t.conf 4. insert the text below (NOTE: maybe you must change the regex if you have a other logformat!) [code] # - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326 [Definition] # Option: failregex # Notes.: regex to match the w00tw00t scan messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching. # Values: TEXT failregex = ^ -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT ignoreregex = [/code] 5. edit your /etc/fail2ban/jail.conf and insert the text below to the end of file or wherever you want. [code] [apache-w00tw00t] enabled = true filter = apache-w00tw00t action = iptables-complete[name=w00tw00t] mail-whois[name=w00tw00t, dest=<YOURMAIL>] logpath = /var/log/apache2/access_log maxretry = 1 bantime = 86400 [/code] 6. restart your fail2ban and wait for new mail :D

Textile

NOTE: since fail2ban >=0.8.1 there is allready a the action file '/etc/fail2ban/action.d/iptables-allports.conf'. <br> if you use a version >=0.8.1 you can skip point 1 and 2 and continue with 3. <br> <br> p. You must create two new files in /etc/fail2ban. p. 1. create /etc/fail2ban/action.d/iptables-allports.conf p. 2. insert the text below <pre> <code> # Fail2Ban configuration file # # Author: Cyril Jaquier # Modified: Yaroslav O. Halchenko <debian@onerussian.com> # made active on all ports from original iptables.conf # # $Revision: 658 $ # [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I INPUT -p <protocol> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP [Init] # Defaut name of the chain # name = default # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = all </code> </pre> p. 3. create /etc/fail2ban/filter.d/apache-w00tw00t.conf p. 4. insert the text below (NOTE: maybe you must change the regex if you have a other logformat! you can test your regex with fail2ban-regex <FILE> <REGEX>) <pre> <code> #<HOST> - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326 [Definition] # Option: failregex # Notes.: regex to match the w00tw00t scan messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching. # Values: TEXT failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT ignoreregex = </code> </pre> p. 5. edit your /etc/fail2ban/jail.conf and insert the text below to the end of file or wherever you want. <pre> <code> [apache-w00tw00t] enabled = true filter = apache-w00tw00t action = iptables-allports[name=w00tw00t] mail-whois[name=w00tw00t, dest=<YOURMAIL>] logpath = /var/log/apache2/access_log maxretry = 1 bantime = 86400 </code> </pre> p. 6. restart your fail2ban and wait for new mail :D

2008-05-01T23:09:24+02:00

/var/rails/howflow/public/trick/file/124/apache-w00tw00t.conf.txt 124

en 0 4 block_w00tw00t_scan_hosts_with_fail2ban

2008-05-01T21:14:45+02:00

published

here i explain my solution to ban a host that scans my system with dfind/w00tw00t. this solution requires a preinstalled fail2ban.

block w00tw00t scan-hosts with fail2ban

2008-06-22T21:01:21+02:00

#<Comment:0x2b1884113d80> <p><strong>Please <span class="caps">DO NOT</span> do this on a hard drive with valuable data on it</strong></p> <p>Boot your favorite Linux live CD and (given that your hard disk is called /dev/hda) enter</p> <code> <pre> hdparm -I /dev/hda </pre> </code> <p>Have a look at the very last line. If you can see something like this, your drive has the necessary feature:</p> <code> <pre> 66min for SECURITY ERASE UNIT. or 66min for SECURITY ERASE UNIT. 66min for ENHANCED SECURITY ERASE UNIT. </pre> </code> <p>Now you can erase your data with one of the following commands:</p> <code> <pre> hdparm --security-erase /dev/hda or hdparm --security-erase-enhanced /dev/hda </pre> </code> <p>The advantage of this procedure is that it even overwrites bad blocks. “Enhanced” means, that it overwrites the data with a random pattern.</p> <p><strong>Please <span class="caps">DO NOT</span> do this on a hard drive with valuable data on it</strong> You have been warned!</p>

Textile

p. *Please DO NOT do this on a hard drive with valuable data on it* p. Boot your favorite Linux live CD and (given that your hard disk is called /dev/hda) enter <code> <pre> hdparm -I /dev/hda </pre> </code> p. Have a look at the very last line. If you can see something like this, your drive has the necessary feature: <code> <pre> 66min for SECURITY ERASE UNIT. or 66min for SECURITY ERASE UNIT. 66min for ENHANCED SECURITY ERASE UNIT. </pre> </code> p. Now you can erase your data with one of the following commands: <code> <pre> hdparm --security-erase /dev/hda or hdparm --security-erase-enhanced /dev/hda </pre> </code> p. The advantage of this procedure is that it even overwrites bad blocks. "Enhanced" means, that it overwrites the data with a random pattern. p. *Please DO NOT do this on a hard drive with valuable data on it* You have been warned!

2008-04-26T13:12:47+02:00

en 0 5 secure_erase_how_to_erase_a_hard_drive

2008-04-26T14:58:00+02:00

published

If you want to erase all your data from a hard drive, hdparm is the right tool for this job.

Secure Erase: How to erase a hard drive

2008-11-24T10:45:18+01:00

#<Comment:0x2b1884102300> <pre> <code> #!/bin/sh for ip in `cat /var/log/apache2/error_log | grep w00tw00t | awk '{print $8}' | sed 's/]//g' | sort -ug`; do countoff=$[$countoff+1] countwoot=$[$countwoot+1] iptables -I INPUT -s $ip -j DROP iptables -I OUTPUT -s $ip -j DROP done </code> </pre>

Textile

<pre> <code> #!/bin/sh for ip in `cat /var/log/apache2/error_log | grep w00tw00t | awk '{print $8}' | sed 's/]//g' | sort -ug`; do countoff=$[$countoff+1] countwoot=$[$countwoot+1] iptables -I INPUT -s $ip -j DROP iptables -I OUTPUT -s $ip -j DROP done </code> </pre>

2008-04-25T23:45:42+02:00

en 0 3 blocking_dfind_scans_w00tw00t_with_iptables

2008-04-26T00:34:23+02:00

published

If you find a lot of "w00tw00t" entries in your web server log files, this little script might be useful for you.

Blocking DFind scans (w00tw00t) with iptables

2008-05-01T19:00:10+02:00

2008-04-20T21:20:24+02:00

en 0 3 harden_the_ubuntu_linux_kernel_with_sysctl

queued

I ran across a nice sysctl.conf file that will help secure your computer and prevent many different attacks on your computer like Man In the Middle Attacks, Syn attacks, source routing scans/attacks, spoofing protection/logging, and many others.

Harden the Ubuntu Linux Kernel with sysctl

2008-05-03T13:37:43+02:00

http://www.ubuntu-unleashed.com/2008/04/howto-harden-ubuntu-linux-kernel-with.html

#<Comment:0x2b18840e7a28> tr -cd "[:graph:]" < /dev/urandom | head -c 7

tr -cd "[:graph:]" < /dev/urandom | head -c 7

BBCode

2008-04-13T16:28:59+02:00

en 0 5 generate_a_random_secure_password

2008-04-14T12:20:10+02:00

published

tr -cd "[:graph:]" < /dev/urandom | head -c 7

Generate a random secure Password

2008-05-12T22:39:47+02:00