mypapit gnu/linux

August 2, 2011August 1, 2011

How to secure server from SYN-flood attack using iptables

SYN-flood attack is commonly utilized as a mean to disrupt network communication and it is a form of (Distributed Denial-of-Service) DDOS attack. RFC4987 details common mitigation to deal with SYN-flood attack.

However in this post, I’m going to share you the method that I use to reduce the risk of SYN-flood attack from my department computers, with iptables
[bash]
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit –limit 100/second –limit-burst 100 -j RETURN
/sbin/iptables -A syn-flood -j LOG –log-prefix "SYN-flood attempt: "
/sbin/iptables -A syn-flood -j DROP
[/bash]

RFC4987 suggests the use of SYN-cookie for added protection. You can enable SYN-cookie protection in Linux by running this command (as root):
[bash]
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
[/bash]

hope that helps…

Note: I’m not a full-time sysadmin as I’ve a different dayjob, but I was put incharged in securing part of my school’s computer network, so there.

August 1, 2011July 31, 2011

Please update/patch and secure Litespeed web server

Due to the widespread of Litespeed 0-day attack which has affected local websites, it’s imperative for all sysadmin and website operator to patch/update and upgrade the security of the Litespeed web server.

This attack is dangerous particularly because the attacker can gain shell access with the same privileges of the web server or the user that runs the web server. Usually this allow the attacker to peek into database content and downloads it.

Patch now!, the security and privacy of your users are at the stake!

July 31, 2011

How to Enable Outgoing Keyserver port with iptables firewall

Keyserver is used for storing and distributing OpenGPG keys. The Ubuntu project also maintains its own keyserver ( http://keyserver.ubuntu.com ) for distributing public-key to users.

keyserver uses HKP Keyserver protocol which listens on port 11371

Here’s how to enable the keyserver port on iptables:
[bash]
iptables -A OUTPUT -p tcp -d <key server ip> –dport 11371 -j ACCEPT
[/bash]

July 30, 2011

Rant: About Starting up an E-commerce Site….

A bit of advice when starting up an e-commerce (especially storefront) site, please use proper e-commerce software for the job. Do not ‘force’ a general-purpose (CMS) to be an e-commerce site via plugins (or *cough* *cough* ‘component’), it’s gonna be a pain-in-the-ass to secure ’em.

So do yourself (and the sysadmin guys) a favor, use a proper e-commerce software platform or just turn to blogger.com for selling your stuffs…

July 30, 2011August 15, 2015

How to convert AVI video files to Animated GIF using ffmpeg (in Linux)

Here is the command-line you can use to conver AVI video to Animated GIF, which then can be embedded in forum or profile signature.


ffmpeg -i video_original.avi gif_animation.gif

Note that ffmpeg must support the video encoding of the AVI file, (usually DiVX or XviD).

July 29, 2011July 25, 2011

How to Hide Apache2 and PHP version without using mod_security in Ubuntu Linux

Although security by obscurity is not the best policy to protect your IS assets, but it is still useful to thwarts simple network scanner or newbie crackers.

Note: This tip is written for Ubuntu Linux, the steps is similar to other GNU/Linux distro, albeit with a slight variant.

Hiding Apache2 version
Edit /etc/apache2/apache2.conf

Add these lines at the end of the file:
ServerSignature Off
ServerTokens Prod

Restart Apache2
[bash]
sudo /etc/init.d/apache2 restart
[/bash]

Hiding PHP version
Edit /etc/php5/apache2/php.ini file

Find these lines, and switch it off:
expose_php = Off
display_errors = Off

Additionally you may disable certain ‘risky’ functions in php by editing the disable_functions line:
disable_functions = phpinfo, system,show_source,

Finally, you may restart Apache2 web server.
[bash]
sudo /etc/init.d/apache2 restart
[/bash]