Category: Information Technology

Adding “client denied by server configuration” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is another useful filter for fail2ban. Once this plugin is installed it will prevent malicious visitors from trying to brute-force folder and file discovery. After 5 attempts to visit a non existing file/folder the visitor is banned…

like always… BASH IN! :D

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-clientd]
enabled = true
port = http,https
filter = apache-client-denied
logpath = /var/log/apache*/*error.log
maxretry = 5

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-client-denied.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] client denied by server configuration:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

 

 

 

 

Adding “File Does Not Exist” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is a quick post to a common question… adding a filter to fail2ban for bot/scanners searching for files, folders or simply doing recon which can result in exploit discovery, this filter will automatically block a visitor/bot after 4 attempts to scan for a file that does not exist on your domain/server.

like always… BASH IN! (lol…)

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-nofile]
enabled = true
port = http,https
filter = apache-nofile
logpath = /var/log/apache*/*error.log
maxretry = 4

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-nofile.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] File does not exist:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

 

 

 

 

The Future Of Decentralized Computing And It’s Impact On Social Justice On The World Wide Web

 

Get ready people we are living once again in exciting times for the internet, it’s evolving! We are living in times where information can no longer be suppressed which will have a major impact in overall society. People all around the world are becoming involved in the preservation of privacy and social justice. Here are some ideas of how I think decentralized computing will change the world.

 

1) Open Source Decentralized Political Registry

Everyone who is a political or public official should be registered on this site, their entire public record could be open sourced and controlled by a community, decentralized platform would eliminate illegal confiscation of infrastructure or prevent censorship. rendering covert corruption difficult.

2) Open Source Decentralized Criminal Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

3) Open Source Decentralized News Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

4) Open Source Decentralized Education Registry

Every Person in the world would now have access to any knowledge without propaganda, lies, manipulation, managed by a global community on a credit system so popular vote always wins.

 

The overall idea is to create an infrastructure that anyone can post any information without censorship, but the information must remain check able, other “wallets” with “coins” or credits should have the ability to change or revise any post, as the post is modified the amount of credits required to modify the post increases, groups of wallets/users could donate amounts to a pool key to also use their limited credits to help causes they might believe in, this will discourage the act of one person acquiring many credits and overwhelming a specific record or trying to hijack its content, a group of wallets/users would always be able to override a single user modifications.

Banking 2.0 is Coming, Central Banks Across The World Begin To Scramble, The Threat Of Crypto Currencies Is Real

Weather you like it not crypto-currencies are here to stay, governments continue to play off their numbered days as to in some way discredit the notion or idea of monetary policy outside of their control. The reality is simple banking 2.0/3.0 is coming and the banks know this, they maybe able to kill of the 1st Generation Bitcoin protocol but like any “idea” once its grasped by the public the sky is the limit.

Since the conception and public release of Bitcoin by Satoshi Nakamoto ( probably a fake name to hide the real creators identity, to protect him from banks and any hostile institutions trying to get their hands on “specific” code ) I have seen numerous crypto currencies appear on the market some offering much higher levels of security others portability. Like everything with time it will be perfected and centralized banking will lose all control and governments will have to adapt, imagine that a system that cannot be influenced by greedy self-righteous entitled douchebags.

Any government who decides to adopt/integrate digital currencies early into its economy will flourish, as people learn more about crypto currencies, more will make the jump from fiat to digital. Already countries around the world are looking for alternate commodities to hedge against the collapsing US Dollar. So Why not buy a Bitcoin right? It looks like China, Russia, Germany and many more EU countries are following, they all need to dump their dollars and what better way to do it then investing into the future.

So when you hear government officials come out with their PR stunts to try and discredit Bitcoin, show the TV the middle finger, it’s being a hypocritical lier.

Don’t believe me? Watch the flow of bitcoin around the world in real time.
http://www.fiatleak.com

Installing OwnCloud On Ubuntu Server 12.04 With SSL Support

Tired of paying for dropbox services? Why not use owncloud to setup your own personal and secure dropbox for free :)

 

Follow the steps below as root:

 

  1. Bash in to get root access… ( sudo bash ).
  2. Install server dependances ( apt-get install apache2 php5 php5-gd php-xml-parser php5-intl vim-nox ).
  3. Install more server dependances ( apt-get install php5-sqlite php5-mysql php5-pgsql smbclient curl libcurl3 php5-curl ).
  4. Download owncloud source files from http://owncloud.org/sync-clients/#linux
  5. Upload extracted files to your apache root ( default is located at /var/www ), you can install vsftpd server( apt-get install vsftpd )or any other type of ftp server service.
  6. Inside your owncloud root directory create a new folder called “data” ( mkdir data )
  7. For owncloud to configure & work correctly apache needs to be given ownership of certain folders so their is no problem for apache to read and write data inside your website.Run the following commands.
    ( chown -R www-data:www-data /var/www/apps )
    chown -R www-data:www-data /var/www/config )
    chown -R www-data:www-data /var/www/data )Note: Keep in mind that /var/www is just the default root folder of apache yours might be different, just make sure you make the appropriate changes so they point to your apache/web install.

     

  8. Your going to want to enable mod_rewrite ( a2enmod rewrite ).
  9. Restart your apache service ( service apache2 restart )
  10. Create a new database in mysql and call it owncloud, create a new user and password with specific access to the owncloud database. These credentials will be used later in the process.

 

Now lets install our SSL and get it configured correctly:

 

  1. Enable SSL Module ( a2enmod ssl )
  2. Now your going to want to create a directory to store your SSL certs ( mkdir /etc/apache2/ssl )
  3. now lets generate a general cert with the following command ( openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt )

    Note: Your going to be asked a couple of questions after you run this command, answer them as accurate as possible as this will be displayed on your cert when people try to access your site.
  4. Edit default-ssl in sites-available folder in your apache install ( vim /etc/apache2/sites-available/default-ssl ) and comment out lines add the following lines 51 & 52 (use a #).
    Then add the following lines right under
    (

    SSLCertificateFile /etc/apache2/ssl/apache.crt

    SSLCertificateKeyFile /etc/apache2/ssl/apache.key 

    )

     

  5. Finally run ( a2ensite default-ssl )
  6. Restart your apache service ( service apache2 restart )

 

At this point your should be able to visit your box’s url ( https://localhost or https://127.0.0.1 or https://www.yourdomain.com ) and finish installing owncloud with the native install wizard.
Once your install is complete you will be able to download ownclouds own filesync client or you can use a WebDAV client to navigate through your files. You can do the same for your mobile device or tablet.

Securing Apache In Ubuntu Server 12.04

Securing Apache can be different if you have custom modules running,  for this quick note/tutorial I am going to assume that it is a fresh install of Apache or a lamp stack (sudo apt-get install lamp-server^)…

 

bash in… (sudo bash)

as root:

  • Change default apache web root, vim /etc/apache2/sites-available
  • Change default ServerSignature Settings to “Off”, vim /etc/apache2/conf.d/security
  • Change default ServerTokens Settings to “Prod”, vim /etc/apache2/conf.d/security

 

I am sure you can do a lot more to “secure” your apache installation, but this is a good start, it will hide your server information from port scanners and scripts trying to detect what your server version is. This makes it much harder to exploit your box, it’s hard to exploit something you have no idea what its running.
You can also make your default directory your home directory if you wish to encrypt your files. If you want more security I would consider tools to encrypt the entire partition/drive, you can find out more about full disk encryption for uOS Server 12.04 here.

Google Glass Security & The Surveillance State, Privacy Beware

url

Like usual all the Google Fanboys, marketing buffs are in full effect as Google and their millions of dollars begin to influence the masses with what they call revolutionary… Google Glass.
As usual all the sheeple are blinded by the fad and how their social status will be after wearing these glasses. What people are failing to see are the numerous privacy issues that these type of devices bring to the table, if you think hacked cellphones are a problem lets dive into some of the possibilities with Google Glass…

  • Camera Hacking/Hi-jacking
  • Microphone Hacking/Hi-Jacking
  • Video Interception/Hi-Jacking
  • GPS Tracking

Camera Hi-Jacking
This Could be used on a compromised device to take snapshots of meetings, projects, monitors/screens and so on. Now days cameras on smart devices tend to embed GPS information into pictures, which can result as another tracking vector.

Microphone Hacking/Hijacking
This Could be used to snoop in on private meetings, talks, calls and things along these lines.

Video Interception
One of my favorites,  If pulled off correctly this could allow a potential attacker/agency the ability to record/view multiple locations at a single time. This could also be used in conjunction with facial recognition, it would allow multiple glasses to work as spy cams, which are a lot closer to people (when worn) ultimately creating a more effective facial recognition system/surveillance grid. This could also be used to spy on peoples workplace, their meetings, life or anything that could be exploited/copied/stolen by eavesdropping.

GPS Tacking We all know how that works, but what most people don’t know is that this has actually been secretly done for YEARS using cell phones as part of another NSA program. This would just be another vector used.

Does every still believe that Google is just out for your best interest? I mean it’s no coincidence that an ex-NSA director just happened to get hired by Google. If you know anything about computer science or information technology, you know that NOTHING IS UN HACK-ABLE and that no corporation is out for your best interest…

Installing And Securing phpmyadmin In Ubuntu Server 12.04/12.04.2

This post is important because phpmyadmin no longer just works after apt-get install, it requires additional steps to get working.
Aside from these changes, due to recent reports on phpmyadmin being exploited it’s important to secure it, you can do this in a couple of ways but I am going to assume you want access to it via web.

2 Parts

  1. Installation of phpmyadmin
  2. Securing the installation via htaccess
  3. Discussing more secure methods of accessing phpmyadmin

 

Lets begin the install muahahaha…

 

Enter root mode:

sudo bash

 

Install:

apt-get install phpmyadmin

 

Open Apache Config File

vim /etc/apache2/apache2.conf

 

Insert the following line at the very bottom of apache2.conf

Include /etc/phpmyadmin/apache.conf

 

Restart Apache server:

service apache2 restart

 

Securing phpmyadmin from public access to web panel…

 

Edit phpmyadmin’s apache configuration file:

vim /etc/phpmyadmin/apache.conf

 

Under the directory section (<Directory /usr/share/phpmyadmin>), add the line “AllowOverride All” under “Directory Index”:

        <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

 

create .htaccess file in phpmyadmin’s root directory:

vim /usr/share/phpmyadmin/.htaccess

Copy the following into the newly created .htaccess file:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/.htpasswd (make sure you set this path to a secure place outside your web root)
Require valid-user

 

Generate the password file where passwords will be stored for authentication/access to phpmyadmin root

htpasswd -c  /var/.htpasswd username (username should be your username, you will be asked for your password once you execute the command)

 

Restart Apache so updates can take effect:

service apache2 restart

 

If you want this to be more secure then I would suggest rethinking your server/network architecture…

  1. seperate your apache and mysql services into their own box
  2. only have apache server open on port 80 (public) and have it talk to your mysql server locally.
  3. if you need to change something in your database or need to access phpmyadmin I would vpn into your local network and access the mysql/phpmyadmin box.

If you have any questions or comments use the section below :)

NIC Bonding In Ubuntu 12.04/12.04.2 WORKING!

 

 

A REAL setup guide for NIC bonding in Ubuntu Server 12.04/12.04.2 because everyone online sucks at actually posting the correct information, probably due to the current explosion of online “experts” plagiarizing other “experts” online…

This was tested on a HP DL380 with Dual Broadcom NICS.

enter root mode:

sudo bash

 

then install the bonding drivers:

apt-get install ifenslave-2.6

 

edit /etc/network/interfaces

vim /etc/network/interfaces

 

You can pretty much copy the following into interfaces after line 5 # The loopback network interface

################################################

 

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
 bond-master bond0

auto eth1
iface eth1 inet dhcp
 bond-master bond0

auto bond0
iface bond0 inet static
 address 192.168.1.xxx  <----------( Enter Your Actual Server IP )
 netmask 255.255.255.0  <----------( Enter Your Actual Subnet )
 gateway 192.168.1.1     <----------( Enter Your Actual router/gateway IP )
 bond-slaves none
 bond-miimon 100
 bond-mode balance-rr ( Driver Mode )

 

################################################

edit /etc/modules

vim /etc/modules

 

and add bonding under rtc value

loop
lp
rtc
bonding

 

reboot your box or restart network services, Thats pretty much it… questions or comments? Use the comment functionality :)