Monday, July 20, 2009

Defense strategy against spyware

• Keep operating system and browser patched.
• Use hardware or software firewall.
• Use and regularly update quality anti-virus and anti-spyware programs.
• Read all end user license agreements and privacy policies carefully. If in doubt, don’t install the software.
• Beware of “free” software, often offered in exchange for accepting adware.
• Don’t normally run as administrator. Set up a regular user account for day-to-day work and log on as administrator only to install patches, etc.
• Think about what software you actually need.
• Never click on links in email unless you know/can verify who sent it.
• Beware of pornography, online gaming, get-rich-quick and other high-risk web sites.

Monday, July 13, 2009

Spam control

Spam control is big business in organizations. Employees having to deal with unsolicited commercial/bulk mail not only reduces productivity but also eats into the company's bottom line.

Another thing that eats into the company's bottom line is the lost productivity and disruption caused by Microsoft Windows due to its various vulnerabilities, viruses, worms, trap doors and other malware, not to mention crashes, of course.


Spam control invariably falls under one of the following categories:
• Bayesian filtering and contextual analysis
• Heuristic filtering based on known keywords/bad words
• CRM114 Markovian-chain-based filtering
• Vipul's Razor approach of DCC (Distributed checksum computation) with manual interference – Gmail uses this heavily
• Greylisting to stop spam right at the MTA level
• IP address blacklisting and e-mail address whitelisting
• TMDA – cure worse than the disease (only approved senders can send mail)
• RBL lists, Spamhaus (politically sensitive spam control techniques)
• Sender Policy Framework (SPF): not a bad idea per se, but does not work well
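The first category above, Bayesian filtering, is the one most worth seeing in code. The following is an added example written for this post, not code from the original or from any of the products named; it trains a multinomial naive Bayes classifier with Laplace smoothing on a small constructed corpus and scores new messages. The training messages, the token regex and the 0.5 decision threshold are all assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed training corpus for this example: (message text, is_spam).
TRAINING = [
    ("cheap viagra buy now limited offer", True),
    ("win money now click here free prize", True),
    ("free offer buy cheap pills now", True),
    ("meeting moved to tuesday please confirm", False),
    ("attached is the quarterly report for review", False),
    ("lunch tomorrow at noon works for me", False),
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    """Lower-case word tokens; real filters also use header and HTML features."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha              # Laplace smoothing so unseen words never zero out a class
        self.spam_counts = Counter()    # word -> occurrences in spam
        self.ham_counts = Counter()     # word -> occurrences in ham
        self.spam_docs = 0
        self.ham_docs = 0
        self.vocab = set()

    def train(self, text, is_spam):
        tokens = tokenize(text)
        self.vocab.update(tokens)
        if is_spam:
            self.spam_counts.update(tokens)
            self.spam_docs += 1
        else:
            self.ham_counts.update(tokens)
            self.ham_docs += 1

    def _log_likelihood(self, tokens, counts):
        # log P(tokens | class) with additive smoothing over the whole vocabulary
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        return sum(math.log((counts[t] + self.alpha) / denom) for t in tokens)

    def spam_probability(self, text):
        if self.spam_docs == 0 or self.ham_docs == 0:
            raise ValueError("need training examples of both classes")
        tokens = tokenize(text)
        docs = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / docs) + self._log_likelihood(tokens, self.spam_counts)
        log_ham = math.log(self.ham_docs / docs) + self._log_likelihood(tokens, self.ham_counts)
        # Normalise in log space to avoid underflow on long messages
        m = max(log_spam, log_ham)
        p_spam, p_ham = math.exp(log_spam - m), math.exp(log_ham - m)
        return p_spam / (p_spam + p_ham)

    def classify(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


def build_filter():
    """Train the filter on the constructed corpus and return it."""
    f = NaiveBayesFilter()
    for text, is_spam in TRAINING:
        f.train(text, is_spam)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("buy cheap pills now free offer", "please confirm the meeting tomorrow"):
        print(f"{f.spam_probability(msg):.3f}  {'SPAM' if f.classify(msg) else 'ham '}  {msg}")
```

The smoothing term is what makes the filter robust to words it has never seen: without it a single unknown token would drive one class's probability to zero. Production filters train on thousands of messages and retrain continuously from user feedback, which is the "contextual" part of the category.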

Friday, July 10, 2009

New IDS/IPS technology

Recently while perusing the intertubes I ran across a new IDS/IPS technology, PHPIDS (http://www.php-ids.org). This is an interesting and simple concept that can add an additional layer of security to your web application(s).

Tuesday, July 7, 2009

Benefits of Firewalls

A firewall provides a leveraged choke point for network security. It allows the corporation to focus on a critically vulnerable point: where the corporation’s information system connects to the Internet. The firewall can control and prevent attacks from insecure network services. A firewall can effectively monitor all traffic passing through the system. In this manner, the firewall serves as an auditor for the system and can alert the corporation to anomalies in the system. The firewall can also log access and compile statistics that can be used to create a profile of the system.


Some firewalls, on the other hand, permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections and block services that are known to be problems.


Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside but permit users on the inside to communicate freely with the outside.


Firewalls are also important since they can provide a single choke point where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective phone tap and tracing tool. Firewalls provide an important logging and auditing function. Often, they provide summaries to the administrator about what kinds and amounts of traffic passed through, how many attempts there were to break in, etc.

The following are the primary benefits of using a firewall:
• Protection from vulnerable services
• Controlled access to site systems
• Concentrated security
• Enhanced privacy
• Logging and statistics on network use and misuse
• Policy enforcement
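To make the policy described above concrete (block outside-to-inside by default, let the inside talk out freely, expose only a chosen service such as email, and log and summarise what was refused), here is an added example in the form of a small stateful packet-filter simulation. It is not code from the original post and not a real firewall; the sample packets, addresses and the single exposed SMTP service are constructed for the example.

```python
from collections import Counter

# Constructed sample traffic for this example (not from the original post).
# Each packet: (arrival side, src_ip, src_port, dst_ip, dst_port, proto).
# "outside" = arrived on the Internet-facing interface, "inside" = on the LAN side.
SAMPLE_PACKETS = [
    ("inside",  "10.0.0.5",      51000, "93.184.216.34", 443,   "tcp"),  # LAN user opens HTTPS
    ("outside", "93.184.216.34", 443,   "10.0.0.5",      51000, "tcp"),  # reply to that session
    ("outside", "198.51.100.7",  40001, "10.0.0.5",      22,    "tcp"),  # unsolicited SSH attempt
    ("outside", "198.51.100.7",  40002, "10.0.0.5",      23,    "tcp"),  # unsolicited telnet attempt
    ("outside", "203.0.113.9",   33000, "10.0.0.25",     25,    "tcp"),  # SMTP to the exposed mail relay
    ("outside", "198.51.100.7",  40003, "10.0.0.9",      25,    "tcp"),  # SMTP to a host that is not the relay
]


class StatefulFirewall:
    """One choke point: default-deny inbound, free outbound, replies admitted by state."""

    def __init__(self, inbound_allow):
        # Services deliberately exposed to the outside, as (dst_ip, proto, dst_port).
        self.inbound_allow = set(inbound_allow)
        self.sessions = set()   # flows seen, keyed (src, sport, dst, dport, proto)
        self.dropped = []       # audit log of every packet the policy refused

    def process(self, pkt):
        side, src, sport, dst, dport, proto = pkt
        key = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        if side == "inside":
            self.sessions.add(key)          # remember the flow so its replies pass
            return "ACCEPT"
        if reverse in self.sessions:
            return "ACCEPT"                 # reply to a session the inside opened
        if (dst, proto, dport) in self.inbound_allow:
            self.sessions.add(key)          # new connection to an exposed service
            return "ACCEPT"
        self.dropped.append(pkt)            # everything else is logged and dropped
        return "DROP"

    def run(self, packets):
        return [self.process(p) for p in packets]

    def summary(self):
        """The kind of report the post says a firewall hands the administrator."""
        return {
            "dropped": len(self.dropped),
            "by_source": Counter(p[1] for p in self.dropped),
            "by_port": Counter(f"{p[5]}/{p[4]}" for p in self.dropped),
        }


def run_sample():
    fw = StatefulFirewall(inbound_allow={("10.0.0.25", "tcp", 25)})
    verdicts = fw.run(SAMPLE_PACKETS)
    return verdicts, fw.summary()


if __name__ == "__main__":
    verdicts, report = run_sample()
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{verdict:6} {pkt}")
    print(report)
```

The `by_source` counter is the "tracing tool" part of the post: three refused connections from one address in a short window is exactly the anomaly an administrator wants surfaced. The simulation mirrors the post's model of letting the inside talk out freely; in practice most sites also restrict egress, since an infected internal host is itself a source of unwanted traffic.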

Sunday, July 5, 2009

Wireshark 1.2 tutorial: Open source network analyzer's new features

Wireshark is a staple of any network administrator's toolkit, and it can be equally useful for any network solution providers or consultants who troubleshoot business networks. Most of the readers of this tutorial have probably used Gerald Combs' open source protocol analyzer for years. In this edition of Traffic Talk, I'd like to discuss a few new features of Wireshark as present in the 1.2 version released on June 15, 2009. I use Windows XP SP3 as my test platform.

To try Wireshark 1.2, I uninstalled Wireshark 1.0.8. I had no trouble replacing 1.0.8 with 1.2, and I allowed the installer to replace my old version of WinPcap with the newer WinPcap 4.1beta5 bundled with Wireshark 1.2.

I decided to try running Wireshark as a user with no administrative privileges. I relied on manually starting the WinPcap driver called "NPF" in order to give Wireshark the privileges required to sniff traffic on my laptop's wireless NIC. To start NPF manually, I ran the following:

C:\>runas /u:administrator "net start npf"
Enter the password for administrator:
Attempting to start net start npf as user "NEELY\administrator" ...

C:\>sc query npf

SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

The "net start npf" command is sufficient to launch Wireshark with sniffing capabilities. I ran the "sc query npf" to show details on the NPF driver.

Now I was ready to start Wireshark, which I did using the desktop icon added during installation. I was surprised to see the following screen.

Wednesday, July 1, 2009

DenyHosts Installation and Configuration

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you've ever looked at your ssh log (/var/log/secure on Red Hat, /var/log/messages on openSUSE, etc.) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?

DenyHosts attempts to address the above... and more by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.

Features include:
* Parses the authentication log to find all login attempts and separates failed from successful attempts
* Synchronization mode allows DenyHosts daemons the ability to share data via a centralized server to proactively thwart attacks
* Can be run from the command line, from cron or as a daemon
* Records all failed login attempts for the user and offending host
* For each host that exceeds a threshold count, records the evil host
* Keeps track of each non-existent user when a login attempt failed
* Keeps track of each existing user (e.g. root) when a login attempt failed
* Keeps track of each offending host
* Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
* Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
* When the log file is rotated, the script will detect it and parse from the beginning
* Appends /etc/hosts.deny and adds the newly banned hosts
* Optionally sends an email of newly banned hosts and suspicious logins
* Keeps a history of all user, host, user/host combo and suspicious logins encountered, which includes the date and number of corresponding failed login attempts
* Maintains failed valid and invalid user login attempts in separate files, so that it is easy to see which valid user is under attack (which gives you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin)
* Upon each run, the script will load the previously saved data and re-use it to append new failures
* Resolves IP addresses to hostnames, if available
* /etc/hosts.deny entries can be expired (purged) after a user-specified time
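The feature list above (parse the auth log, count failures per host, separate valid from invalid users, flag a success from a host that had failures, remember the file offset and restart after rotation, emit hosts.deny lines) is small enough to reproduce end to end. The following is an added example written for this post, not DenyHosts' own code; it runs over a constructed /var/log/secure excerpt and works on OpenSSH's standard "Failed password for ..." and "Accepted ... for ..." messages. The threshold of 3, the allowed-hosts entry and the sample addresses are assumptions of the example; the "sshd: IP" output format matches what DenyHosts appends to /etc/hosts.deny by default.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt for this example (not from any real host).
SAMPLE_LOG = """\
Jul  1 10:00:01 gw sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul  1 10:00:03 gw sshd[2002]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Jul  1 10:00:05 gw sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul  1 10:00:09 gw sshd[2004]: Accepted password for root from 198.51.100.7 port 40004 ssh2
Jul  1 10:01:00 gw sshd[2005]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jul  1 10:01:30 gw sshd[2006]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
"""

# OpenSSH says "invalid user" only when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\d+(?:\.\d+){3})")
ACCEPTED_RE = re.compile(
    r"Accepted \w+ for (?P<user>\S+) from (?P<host>\d+(?:\.\d+){3})")


class DenyTracker:
    def __init__(self, threshold=3, allowed_hosts=()):
        self.threshold = threshold          # failures before a host is banned
        self.allowed = set(allowed_hosts)   # never ban these (the allowed-hosts file)
        self.failures = Counter()           # failed attempts per host
        self.valid_users = Counter()        # failures against existing accounts
        self.invalid_users = Counter()      # failures against non-existent accounts
        self.banned = []                    # hosts over threshold, in order found
        self.suspicious = []                # (user, host) successes after failures
        self.offset = 0                     # how far into the log we have parsed

    def parse(self, log_text):
        """Parse only what was appended since the last run; restart on rotation."""
        if self.offset > len(log_text):     # file shrank: it was rotated
            self.offset = 0
        for line in log_text[self.offset:].splitlines():
            self._handle(line)
        self.offset = len(log_text)

    def _handle(self, line):
        m = FAILED_RE.search(line)
        if m:
            host, user = m["host"], m["user"]
            (self.invalid_users if m["invalid"] else self.valid_users)[user] += 1
            self.failures[host] += 1
            if (self.failures[host] >= self.threshold
                    and host not in self.allowed and host not in self.banned):
                self.banned.append(host)
            return
        m = ACCEPTED_RE.search(line)
        # A success from a host that already failed is what DenyHosts calls suspicious.
        if m and self.failures[m["host"]] > 0:
            self.suspicious.append((m["user"], m["host"]))

    def hosts_deny_entries(self, service="sshd"):
        """Lines in the form DenyHosts appends to /etc/hosts.deny."""
        return [f"{service}: {host}" for host in self.banned]


def run_sample():
    """Run the tracker over the constructed log with the admin's own host allowed."""
    tracker = DenyTracker(threshold=3, allowed_hosts={"192.0.2.10"})
    tracker.parse(SAMPLE_LOG)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print("hosts.deny:", t.hosts_deny_entries())
    print("valid users attacked:", dict(t.valid_users))
    print("invalid users tried:", dict(t.invalid_users))
    print("suspicious logins:", t.suspicious)
```

Two details are worth noticing. The "Accepted password for root" line from a host that had just failed three times is exactly the case the post's "how would you know?" question points at, and it is reported even though the ban had already been written. And the saved offset means a second `parse()` call over the grown file counts only the new lines, so a host is never double-counted across runs.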

Installation: Use "1-click" installer to install DenyHosts
OpenSuSe 11.1 - Install DenyHosts
OpenSuSe 11.0 - Install DenyHosts

Configuration of Denyhosts:
The main configuration file is /etc/denyhosts.conf. Most of the default settings are fine for normal operation of DenyHosts, but you can tweak them further to suit your needs; see the comments in this file for details on each option.

A few other important settings:
# vi /var/lib/denyhosts/allowed-hosts
# vi /etc/hosts.allow

You'll want to add to these two files the IP(s) you will use to connect to the system running DenyHosts, so that you aren't inadvertently denied access to your own system(s).

Starting the service and marking it to run on each system reboot:
# service denyhosts start; chkconfig --level 2345 denyhosts on