Mypapit GNU/Linux blog is now served with CloudFlare!

After long and careful consideration, I decided to enable CloudFlare for my blog.

CloudFlare is a content delivery network which aims to enhance website security and performance. The CloudFlare CDN offers protection against many forms of malicious activity, including spammers, email harvesters, SQL injection, XSS, denial-of-service attacks and suspicious web requests, which saves valuable bandwidth on the web hosting machine.

My Personal Experience with CloudFlare
After a while using CloudFlare, I’ve noticed that:

  • My site uses less bandwidth
  • php-fcgi uses less (valuable) RAM
  • Less comment spam is received on the blog
  • The site loads faster and is not prone to being bogged down during peak hours

So far, so good, I love using CloudFlare…

Securing Ajax and Web Services

It is undeniable that Web services and AJAX-ified interfaces are the trend now. Applications that use the internet to retrieve data (such as mobile applications or other thin clients) rely on web services together with their data formats. AJAX-ified interfaces and websites give a modern and edgy look that can make websites more attractive and create a great impression on users.

However, the issue of web application security remains the same, if not more challenging, since there are so many ways to exploit vulnerabilities in websites that use Web Services and AJAX transfers in the background.

Therefore, it is imperative to use the right technique in order to evaluate the security of these services before deploying them out in the open.

For that matter, I’m currently reading Ajax Security (Hoffman, B. & Sullivan, B.) and Securing Ajax Applications (Wells, C.), which in my opinion are a pretty good start for somebody like me to understand common methods for securing web services and websites that use AJAX heavily.

Hopefully the situation will improve, as there are a lot of campaigns around to raise awareness of web application security.

Bitcoin spending and transactions can be traced

It seems that Bitcoin is only designed to eliminate the need for a centralized issuer and central authority, not to provide anonymity, which is a common misconception among internet users. According to one of its developers (Jeff Garzik), every transaction is recorded in a public log, and although the identities of the parties involved can’t be directly identified, transactions can be easily traced and linked to other accounts through data mining and statistical analysis.

So it is harder to stay anonymous in transactions that involve large currency values.

Bitcoin is not anonymous

  • The Battle Is On – Silk Road vs Government, and Bitcoin Anonymity

How to secure server from SYN-flood attack using iptables

A SYN-flood attack is commonly used as a means to disrupt network communication and is a form of (Distributed) Denial-of-Service (DDoS) attack. RFC 4987 details common mitigations for SYN-flood attacks.

However, in this post I’m going to share with you the method that I use to reduce the risk of SYN-flood attacks against my department’s computers, with iptables:
[bash]
# dedicated chain for rate-limiting incoming SYN packets
/sbin/iptables -N syn-flood
# up to 100 SYN/s (burst 100) pass straight back to the calling chain
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 100 -j RETURN
# anything above the limit is logged, then dropped
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN-flood attempt: "
/sbin/iptables -A syn-flood -j DROP
# the chain only takes effect once INPUT hands SYN packets to it (hook added here; not in the original listing)
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
[/bash]

RFC 4987 suggests the use of SYN cookies for added protection. You can enable SYN-cookie protection in Linux by running this command (as root):
[bash]
# takes effect immediately but does not survive a reboot; persist it in sysctl.conf as well
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
[/bash]
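Once the LOG rule above is in place, the kernel log is where you find out who is tripping the limit. The following shell helper, added here as an example and not part of the original post, summarises those log lines per source address and destination port; the sample log lines are constructed, and the SRC=/DPT= fields follow the standard iptables LOG output format.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the kernel log lines
# that the "SYN-flood attempt: " LOG rule writes, per source address.
# The sample log below is constructed; field names (SRC=, DPT=) follow the
# standard iptables LOG output format.

SAMPLE_LOG='Mar  3 10:01:02 gw kernel: SYN-flood attempt: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41234 DPT=80 SYN
Mar  3 10:01:02 gw kernel: SYN-flood attempt: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41235 DPT=80 SYN
Mar  3 10:01:03 gw kernel: SYN-flood attempt: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=5555 DPT=443 SYN
Mar  3 10:01:03 gw kernel: eth0: link is up
Mar  3 10:01:04 gw kernel: SYN-flood attempt: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41236 DPT=80 SYN'

# syn_flood_sources <logfile> [prefix]
# Prints "<hits> <source-ip> <dest-port>" per source/port pair, busiest first.
syn_flood_sources() {
    prefix="${2:-SYN-flood attempt: }"
    grep -F -- "$prefix" "$1" \
    | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") hits[src " " dpt]++
      }
      END { for (k in hits) print hits[k], k }' \
    | sort -rn
}

# syn_flood_top <logfile>: the single source with the most logged SYNs, i.e.
# the first candidate to review (and to confirm is not a legitimate NAT
# gateway or proxy) before deciding to block it.
syn_flood_top() {
    syn_flood_sources "$1" | head -n 1 | awk '{ print $2 }'
}

# syncookies_enabled: succeeds (exit 0) when the tcp_syncookies sysctl is on.
syncookies_enabled() {
    [ "$(cat /proc/sys/net/ipv4/tcp_syncookies 2>/dev/null)" = "1" ]
}

# Demo on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
syn_flood_sources "$tmp"
syncookies_enabled && echo "SYN cookies: on" || echo "SYN cookies: off/unknown"
rm -f "$tmp"
```

On a real host, point the function at the file your syslog writes kernel messages to (commonly /var/log/kern.log or /var/log/messages) instead of the constructed sample.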

Hope that helps…

Note: I’m not a full-time sysadmin as I have a different day job, but I was put in charge of securing part of my school’s computer network, so there.

Please update/patch and secure Litespeed web server

Due to the widespread Litespeed 0-day attack which has affected local websites, it’s imperative for all sysadmins and website operators to patch/update and upgrade the security of their Litespeed web servers.

This attack is dangerous particularly because the attacker can gain shell access with the same privileges as the web server or the user that runs the web server. Usually this allows the attacker to peek into database content and download it.

Patch now! The security and privacy of your users are at stake!