Securing Apache In Ubuntu Server 12.04

Securing Apache can be different if you have custom modules running; for this quick note/tutorial I am going to assume that it is a fresh install of Apache or a LAMP stack (sudo apt-get install lamp-server^)…

 

bash in… (sudo bash)

as root:

  • Change default apache web root, vim /etc/apache2/sites-available
  • Change default ServerSignature Settings to “Off”, vim /etc/apache2/conf.d/security
  • Change default ServerTokens Settings to “Prod”, vim /etc/apache2/conf.d/security
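To confirm the two directive changes took effect, here is an added example (not part of the original post) that reports the ServerTokens and ServerSignature values in a config file. The function names and the sample files are hypothetical and constructed for the demo.

```shell
#!/bin/sh
# Added example: report the ServerTokens / ServerSignature settings in a config file.

# effective_directive FILE NAME -> last uncommented value of NAME (empty if unset).
# If the directive appears more than once in the file, the last one is reported.
effective_directive() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == tolower(name) { value = $2 }  # directive names are case-insensitive
        END { print value }
    ' "$1"
}

# audit_banner FILE -> one finding per line; returns 0 only if both settings are hardened.
audit_banner() {
    rc=0
    tokens=$(effective_directive "$1" ServerTokens)
    signature=$(effective_directive "$1" ServerSignature)
    case $(printf '%s' "$tokens" | tr '[:upper:]' '[:lower:]') in
        prod|productonly) echo "OK   ServerTokens $tokens" ;;
        '') echo "WEAK ServerTokens unset (Apache default is Full)"; rc=1 ;;
        *)  echo "WEAK ServerTokens $tokens (Server header reveals more than the product name)"; rc=1 ;;
    esac
    case $(printf '%s' "$signature" | tr '[:upper:]' '[:lower:]') in
        off|'') echo "OK   ServerSignature ${signature:-unset (Apache default is Off)}" ;;
        *)      echo "WEAK ServerSignature $signature (footer on error pages and listings)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files for the demo (not copied from a real server).
demo_dir=$(mktemp -d)
printf '%s\n' '#ServerTokens Minimal' 'ServerTokens OS' 'ServerSignature On' > "$demo_dir/before.conf"
printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' > "$demo_dir/after.conf"

echo "== before =="; audit_banner "$demo_dir/before.conf" || true
echo "== after ==";  audit_banner "$demo_dir/after.conf"
```

On the server itself, run audit_banner against /etc/apache2/conf.d/security after editing it.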

 

I am sure you can do a lot more to “secure” your Apache installation, but this is a good start: it will hide your server information from port scanners and scripts trying to detect what your server version is. This makes it much harder to exploit your box; it’s hard to exploit something when you have no idea what it’s running.
You can also make your default directory your home directory if you wish to encrypt your files. If you want more security I would consider tools to encrypt the entire partition/drive, you can find out more about full disk encryption for uOS Server 12.04 here.

Google Glass Security & The Surveillance State, Privacy Beware


Like usual all the Google Fanboys, marketing buffs are in full effect as Google and their millions of dollars begin to influence the masses with what they call revolutionary… Google Glass.
As usual all the sheeple are blinded by the fad and how their social status will be after wearing these glasses. What people are failing to see are the numerous privacy issues that these types of devices bring to the table. If you think hacked cellphones are a problem, let’s dive into some of the possibilities with Google Glass…

  • Camera Hacking/Hi-jacking
  • Microphone Hacking/Hi-Jacking
  • Video Interception/Hi-Jacking
  • GPS Tracking

Camera Hi-Jacking
This could be used on a compromised device to take snapshots of meetings, projects, monitors/screens and so on. Nowadays cameras on smart devices tend to embed GPS information into pictures, which can result in another tracking vector.

Microphone Hacking/Hijacking
This could be used to snoop in on private meetings, talks, calls and things along these lines.

Video Interception
One of my favorites. If pulled off correctly this could allow a potential attacker/agency the ability to record/view multiple locations at a single time. This could also be used in conjunction with facial recognition; it would allow multiple glasses to work as spy cams, which are a lot closer to people (when worn), ultimately creating a more effective facial recognition system/surveillance grid. This could also be used to spy on people’s workplaces, their meetings, life or anything that could be exploited/copied/stolen by eavesdropping.

GPS Tracking
We all know how that works, but what most people don’t know is that this has actually been secretly done for YEARS using cell phones as part of another NSA program. This would just be another vector used.

Does everyone still believe that Google is just out for your best interest? I mean it’s no coincidence that an ex-NSA director just happened to get hired by Google. If you know anything about computer science or information technology, you know that NOTHING IS UN HACK-ABLE and that no corporation is out for your best interest…

Installing And Securing phpmyadmin In Ubuntu Server 12.04/12.04.2

This post is important because phpmyadmin no longer just works after apt-get install; it requires additional steps to get working.
Aside from these changes, due to recent reports on phpmyadmin being exploited it’s important to secure it. You can do this in a couple of ways, but I am going to assume you want access to it via web.

2 Parts

  1. Installation of phpmyadmin
  2. Securing the installation via htaccess
  3. Discussing more secure methods of accessing phpmyadmin

 

Lets begin the install muahahaha…

 

Enter root mode:

sudo bash

 

Install:

apt-get install phpmyadmin

 

Open Apache Config File

vim /etc/apache2/apache2.conf

 

Insert the following line at the very bottom of apache2.conf

Include /etc/phpmyadmin/apache.conf

 

Restart Apache server:

service apache2 restart

 

Securing phpmyadmin from public access to web panel…

 

Edit phpmyadmin’s apache configuration file:

vim /etc/phpmyadmin/apache.conf

 

Under the directory section (<Directory /usr/share/phpmyadmin>), add the line “AllowOverride All” under “DirectoryIndex”:

        <Directory /usr/share/phpmyadmin>
        Options FollowSymLinks
        DirectoryIndex index.php
        AllowOverride All

 

create .htaccess file in phpmyadmin’s root directory:

vim /usr/share/phpmyadmin/.htaccess

Copy the following into the newly created .htaccess file:

AuthType Basic
AuthName "Restricted Files"
# Make sure you set this path to a secure place outside your web root
AuthUserFile /var/.htpasswd
Require valid-user

 

Generate the password file where passwords will be stored for authentication/access to phpmyadmin root:

htpasswd -c /var/.htpasswd username

(username should be your username; you will be asked for your password once you execute the command)

 

Restart Apache so updates can take effect:

service apache2 restart
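The steps above only protect phpmyadmin if AllowOverride lets Apache honour the auth directives and the password file sits outside every directory Apache serves. The following added example (not part of the original post) checks both; the function names and sample files are hypothetical and constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check the .htaccess protection described above.

# allowoverride_for CONF DIR -> AllowOverride value inside <Directory DIR> (empty if none)
allowoverride_for() {
    awk -v dir="$2" '
        tolower($1) == "<directory"   { d = $2; gsub(/[">]/, "", d); inside = (d == dir) }
        tolower($1) == "</directory>" { inside = 0 }
        inside && tolower($1) == "allowoverride" { val = $2 }
        END { print val }
    ' "$1"
}

# htaccess_value FILE NAME -> last value of directive NAME (unquoted paths only)
htaccess_value() {
    awk -v name="$2" 'tolower($1) == tolower(name) { v = $2 }
        END { print v }' "$1"
}

# check_phpmyadmin_auth CONF HTACCESS SERVED_DIR... -> findings; returns 0 if all pass
check_phpmyadmin_auth() {
    conf=$1 htaccess=$2; shift 2
    rc=0
    case $(allowoverride_for "$conf" /usr/share/phpmyadmin | tr '[:upper:]' '[:lower:]') in
        all|authconfig) echo "OK   AllowOverride permits auth directives in .htaccess" ;;
        *) echo "FAIL AllowOverride does not permit auth directives in .htaccess"; rc=1 ;;
    esac
    [ "$(htaccess_value "$htaccess" Require)" = "valid-user" ] ||
        { echo "FAIL no 'Require valid-user' line"; rc=1; }
    pwfile=$(htaccess_value "$htaccess" AuthUserFile)
    [ -n "$pwfile" ] || { echo "FAIL AuthUserFile not set"; rc=1; }
    for served in "$@"; do
        case "$pwfile" in
            "${served%/}"/*) echo "FAIL $pwfile is inside served directory $served"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "OK   $pwfile is outside the served directories"; fi
    return "$rc"
}

# Constructed sample files for the demo.
d=$(mktemp -d)
printf '%s\n' '<Directory /usr/share/phpmyadmin>' ' Options FollowSymLinks' \
    ' DirectoryIndex index.php' ' AllowOverride All' '</Directory>' > "$d/apache.conf"
printf '%s\n' 'AuthType Basic' 'AuthName "Restricted Files"' \
    'AuthUserFile /var/.htpasswd' 'Require valid-user' > "$d/good.htaccess"
sed 's#/var/.htpasswd#/usr/share/phpmyadmin/.htpasswd#' "$d/good.htaccess" > "$d/bad.htaccess"

check_phpmyadmin_auth "$d/apache.conf" "$d/good.htaccess" /var/www /usr/share/phpmyadmin
check_phpmyadmin_auth "$d/apache.conf" "$d/bad.htaccess"  /var/www /usr/share/phpmyadmin || true
```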

 

If you want this to be more secure then I would suggest rethinking your server/network architecture…

  1. Separate your apache and mysql services into their own boxes.
  2. Only have the apache server open on port 80 (public) and have it talk to your mysql server locally.
  3. If you need to change something in your database or need to access phpmyadmin, I would vpn into your local network and access the mysql/phpmyadmin box.

If you have any questions or comments use the section below :)

NIC Bonding In Ubuntu 12.04/12.04.2 WORKING!

 

 

A REAL setup guide for NIC bonding in Ubuntu Server 12.04/12.04.2 because everyone online sucks at actually posting the correct information, probably due to the current explosion of online “experts” plagiarizing other “experts” online…

This was tested on a HP DL380 with Dual Broadcom NICS.

enter root mode:

sudo bash

 

then install the bonding drivers:

apt-get install ifenslave-2.6

 

edit /etc/network/interfaces

vim /etc/network/interfaces

 

You can pretty much copy the following into interfaces after line 5 # The loopback network interface

################################################

 

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
 bond-master bond0

auto eth1
iface eth1 inet dhcp
 bond-master bond0

auto bond0
iface bond0 inet static
# Enter your actual server IP
 address 192.168.1.xxx
# Enter your actual subnet
 netmask 255.255.255.0
# Enter your actual router/gateway IP
 gateway 192.168.1.1
 bond-slaves none
 bond-miimon 100
# Driver mode
 bond-mode balance-rr

 

################################################

edit /etc/modules

vim /etc/modules

 

and add bonding under rtc value

loop
lp
rtc
bonding

 

Reboot your box or restart network services. That’s pretty much it… questions or comments? Use the comment functionality :)

Setting up a FUNCTIONING LAMP Stack on Ubuntu Server 10.4

This is a quick tutorial *notes* for me as I constantly have to look for these simple things every time I have to install a lamp server on a nix box.
If you do this kind of stuff too, this list might come in handy.

  1. install Ubuntu 10.4 LTS
  2. install ssh server [ sudo apt-get install openssh-server ]
  3. install text editor [ sudo apt-get install vim ]
  4. install lamp stack [ sudo apt-get install lamp-server^ ]
  5. install ftp server [ sudo apt-get install vsftpd ]
  6. install phpmyadmin [ sudo apt-get install phpmyadmin ]
  7. install mail server [ sudo aptitude install postfix ]

This should pretty much set you up with a complete/working dev nix box.
You might also need this in some cases…

  1. cURL PHP module [ sudo apt-get install php5-curl ]
  2. IMAP PHP module [ sudo apt-get install php5-imap ]

If you experience any problems hit me up.

Bonding Network Cards & Load Balancing in Ubuntu Server 10.4 LTS

After a couple of hours wasted looking online for the answers I ended up coming up with my own. I use vim as my text editor sooooo… if you use nano or whatever just use that.

The following configuration is ideal for load balancing scenarios; you can find out more about different bond modes at the bottom of the post.

 

Lets install the correct software to support the bonding…
sudo apt-get install ifenslave 

 

open up a shell/terminal window and edit…
sudo vim /etc/network/interfaces

 

Copy this info, replacing the ip’s provided with your own…

#The Loopback Network Interface

auto lo
iface lo inet loopback

#The Primary Network Interface

iface eth0 inet manual
iface eth1 inet manual
auto bond0

iface bond0 inet static
bond_miimon 100
bond_mode balance-rr
# Use your own local IP (assign it one)
address 192.168.1.x
# Use your own local subnet
netmask 255.255.255.0
# Use your own local gateway IP
gateway 192.168.1.1
up ifenslave bond0 eth0 eth1
down ifenslave -d bond0 eth0 eth1


Save and exit

 

now open aliases.conf…
sudo vim /etc/modprobe.d/aliases.conf

 

copy this…

alias bond0 bonding
options bonding mode=0 miimon=100 downdelay=200 updelay=200

 

Save, Exit and Reboot your computer…
sudo reboot

 

This is tested and working in a live environment with dual GB nics. If you have any problems or would like to bond more than 2 nics, leave a comment, as the topic is beyond this quick post.

 

MODE INDEX

mode=0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

mode=1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

mode=2 (balance-xor) XOR policy: Transmit based on [(source MAC address XOR’d with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

mode=3 (broadcast) Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

mode=4 (802.3ad) IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.

  • Pre-requisites:
  • Ethtool support in the base drivers for retrieving the speed and duplex of each slave.
  • A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.

mode=5 (balance-tlb) Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

* Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave.

mode=6 (balance-alb) Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.


Lost connection to MySQL server at ‘reading initial communication packet’, system error: 111 – ERROR FIXED!

 

So I finally decided to document this little issue I seem to have every time I need to set up a lamp server. The error Lost connection to MySQL server at ‘reading initial communication packet’, system error: 111 can be a pain in the butt if you’re unfamiliar with Linux lamp servers.
To quickly elaborate on the problem, 99.9% of the time it is caused by one of the following:

  1. You forgot to open/forward your mysql port (default 3306)
  2. You forgot to edit your my.cnf and update your bound address (default 127.0.0.1/localhost)
  3. Your hosts.allow is not setup to allow in any incoming connections to the server. ( mysqld: ALL: ALLOW )
  4. Correct user privileges have not been set to the remote user account in MYSQL.

This problem typically happens when you have 2 servers trying to communicate across the net and both servers are behind firewalls. The MySQL server by default comes bound to the localhost address (127.0.0.1), which becomes a problem when your local network is trying to forward SQL packets to your server. Since your MySQL server is bound to 127.0.0.1 it will ignore any packet requests outside of its bound address.

To fix this issue simply check your LAN ip using your console/terminal.

Once you have your LAN ip you will want to go to your my.cnf (mysql config file) and edit the bound ip to your local LAN address (in some cases 192.168.1.x or 10.10.1.x etc…)

Run a second terminal window and sudo reboot your box.
Once rebooted, make sure you have created a mysql user with the correct remote access/permissions and log in.
At this point you should not be getting the error anymore. If you are, check and make sure your scripts are using the correct credentials and selecting the correct database.
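To see what a given my.cnf actually exposes before and after the bound-address change, here is an added example (not part of the original post) that reads the [mysqld] section and classifies the setting. The function names, file names and the 192.168.1.50 address are hypothetical and constructed for the demo.

```shell
#!/bin/sh
# Added example: classify what the MySQL bind-address setting exposes.

# mysqld_option FILE NAME -> value of NAME in the [mysqld] section ("set" for a bare flag).
# MySQL accepts dashes and underscores interchangeably in option names.
mysqld_option() {
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }                                      # comments
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }  # section header
        insec {
            n = split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key); gsub(/_/, "-", key)
            if (key == name) { val = (n > 1) ? kv[2] : "set"; gsub(/[ \t]/, "", val) }
        }
        END { print val }
    ' "$1"
}

# bind_exposure FILE -> none | loopback | lan | all-interfaces | public
bind_exposure() {
    if [ -n "$(mysqld_option "$1" skip-networking)" ]; then echo none; return 0; fi
    case $(mysqld_option "$1" bind-address) in
        127.*|localhost|::1) echo loopback ;;        # remote clients are refused (error 111)
        ''|0.0.0.0|'*'|::)   echo all-interfaces ;;  # unset or wildcard: every address on the host
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo lan ;;
        *) echo public ;;
    esac
}

# Constructed my.cnf fragments (addresses are placeholders).
cnf_dir=$(mktemp -d)
printf '%s\n' '[client]' 'port = 3306' '[mysqld]' 'bind-address = 127.0.0.1' > "$cnf_dir/default.cnf"
printf '%s\n' '[mysqld]' '#bind-address = 127.0.0.1' 'bind_address = 192.168.1.50' > "$cnf_dir/lan.cnf"
printf '%s\n' '[mysqld]' 'bind-address = 0.0.0.0' > "$cnf_dir/open.cnf"

for f in default lan open; do
    echo "$f.cnf -> $(bind_exposure "$cnf_dir/$f.cnf")"
done
```

A result of lan matches the fix described above; all-interfaces or public means the firewall and the MySQL user's host restrictions are the only things limiting who can reach the port.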

If you have any questions or require further assistance comment below.

“Remember Remember The 5th Of November… We Are Legion, Expect Us!” – Anonymous

It’s been a couple of months now since Anonymous made their plans public, to destroy Facebook on the 5th of November.
I for one can’t wait to see what happens; as a network engineer I can say it’s totally possible.
How is it possible, you might ask? There are actually many ways; what will be particularly interesting to me is which one they use. Some methods will only disrupt service, some can actually destroy it.
For the most part I agree with their actions: government is out of control, mechanizing every aspect of life and becoming extremely intrusive under the guise of “security”. What does Facebook actually have to do with government, right? EVERYTHING…

 

Let’s look back to January 2011, when Goldman Sachs announced their investment into Facebook, 450 Million to be exact ( One of Many Sources ). Why would Goldman Sachs invest into Facebook? Because of Facebook advertising revenues?
One thing is for sure: I don’t trust Goldman Sachs. They don’t seem to have a good history, especially in the past couple of years. Maybe it’s because they wanted control of, or access to, information they could monetize ( One of Many Sources ).
Clandestine agencies could use this data to generate massive databases with physiological profiles of every person in the world. In fact this surely already began years ago ( Project In-Q-Tel ). How, you might ask? Easy, by creating logical algorithmic bots that make/process decisions based on calculation, for example:

 

  1. A Bot (or in some ways AI Software) setup on a computer can go to any Facebook profile/fan page.
  2. The bot begins to scrape all the page data and categorizes by relation/type and stores it.
  3. After storing, the bot begins to go through all the followers/likes/subscribers/friends, meticulously categorizing them by predetermined psychological/physiological values. Everyone in some way is connected or exploited into giving up their personal information.
  4. After accessing all your relationships it begins creating physiological profiles about you: what you typically do, how you act and why you do the things you do. Where you live and what you visit the most, what time of the year you might typically be gone… you get the picture.
  5. Now we have all these advertisements in our faces about things you might have been subliminally thinking about getting, all suggested by a mathematical calculation of your personal data. This already happens; Gmail is a great example of this. When you log in for the first time into your Gmail account you get some random ad, but as you continue to use it, receiving and sending emails, the ads become more personal. This is done by reading your email then analyzing it for any suggestions of wants or needs, popular topics etc…

 

Weaponization of Social Networks has already been done, by using social networks to sway/steer public opinion or create Fan pages used to capture potential political activists, an already known fact ( one of many sources )

Imagine the power any Clandestine agency would have with this kind of knowledge. What if Facebook has been selling it to them to capitalize on an until recently – actual business model. If you recall until Facebook started their marketing platform they really didn’t generate any money. Sustaining a 200-500 Million Network isn’t cheap, being innovative isn’t either. Whatever happens I hope its for the good but if it’s one day discovered that Facebook was purposely selling private information, it will destroy them.

 

What do you think? Is it right or wrong? do you agree or disagree?

Removing Facebook ‘like’ feature to protect anonymity.

I decided to remove the Facebook ‘like’ feature from my blog and company blog. I didn’t want any government tracking being done based on any similar opinions someone might have. Although I do believe in security I still believe people should have the right to be anonymous and still share their opinion. Also Facebook is getting old and as a professional the look and feel of Facebook does not fit business. Aside from privacy issues, any person can go through the process of socially engineering a victim into accepting a stalker’s invite (a living nightmare). Imagine what you could learn about someone right away by simply looking into their profile and relationships; after all, you are who you hang out with. This is already being done: redundant databases are being generated about any living person based on a physiological profile. Guess who is helping with this large task? Facebook fits the perfect model for any intelligence agency: Facebook generates databases based on self-inputted user data, and some of your most private facts can be found in one way or another on Facebook. Let’s not mention all your relationships and their psychological profiles, all this information used to create a calculated profile about you. Now imagine a very dangerous person after you and he knows everything about you and who you hang out with. All this only because you decided to share your opinion.
At this point in time I would rather give any visitor the choice of privacy.
For business I will remain using Facebook but only as a marketing node used to direct traffic.

Visual Fox Pro x64 ODBC Drivers NOT GONNA HAPPEN… Instead try this :)

OK so the story goes a little like this… At our company we use a client record management system called American Contractor (Maxwell). We have employees who needed to access the AC database in order to generate reports through Crystal Reports. The problem was that we could not find x64 drivers because, according to the multitude of MSDN forums, good old Microsoft decided it would abandon any support for the dinosaur database type (visual fox pro… duh? :P). So I began to look and look for any possible 3rd party drivers but got no luck… then after about an hour of digging I was able to find some information…
If you have a Windows Vista, 7 or any type of x64 workstation you need to:

1) First understand that there is no x64 version of the VFP driver; that being said, you can definitely run an x86 driver in an x64 OS.

2) Download the x86 Visual Fox Pro ODBC Driver here http://msdn.microsoft.com/en-us/vfoxpro/bb190233 (or Google “Visual Fox Pro ODBC Driver”)

3) In any x64 OS you cannot access the x86 ODBC Control Panel by navigating to the native START>CONTROL PANEL>ADMINISTRATIVE TOOLS>DATA SOURCES (ODBC). You must access the x86 Data Source Panel.

4) To access your 32bit Data Sources Panel, navigate to C:\WINDOWS\SysWOW64\odbcad32.exe and run it.

5) Run and install what you need. If you still don’t see the VFP drivers, make sure you’ve already installed them :) (doi! :P)

6) Go tell your boss you’re a genius… muahahahah

I hope this helps anyone who experienced this problem.