After years of running my own webservers and Mail-servers, I got annoyed by the amount of spam I had to handle and the almost daily task for it. But still I have to stop spam and after some googling I bumped into started using MX …
Some of you might have read the posting about the infection issues on Mac OS X I just looked into it and guess it’s easy to detect if you’re ‘infected’: $ sudo -u root cat /etc/sudoers | grep NOPASSWD | grep -v ^# | wc …
Again a nice movie by Deloitte where you have as an company a program on awareness on Cyber Security.
A nice movie on IT Security by Deloitte.
I’ve ordered via http://www.cheapssls.com/ a simple SSL-certificate signed by Comodo for use with apache… although a lot of browsers (Firefox on Mac OS X, all browsers in Linux) didn’t accepted it (CA was not know…)
After some discussion with …
If you have your own MTA running… you are probably known with the spam-problems… Once you’ve tuned the filters, you have to do it again… because a new spam-run comes in. I also blocked whole /8 subnets in different countries (India/China/…)… but that is not a “real” solution… aka I want to block the whole country…
The “DNSBL” countries.nerd.dk allows you to do so… the map ip-adresses to countries based on whois-information… so on my MTAs I added the following lines to the mc sendmail file:
FEATURE(dnsbl,`br.countries.nerd.dk', `554 - Rejected - SPAM from Brazil:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`in.countries.nerd.dk', `554 - Rejected - SPAM from India:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`kr.countries.nerd.dk', `554 - Rejected - SPAM from Korea:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`cn.countries.nerd.dk', `554 - Rejected - SPAM from China:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`ro.countries.nerd.dk', `554 - Rejected - SPAM from Romenia:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`co.countries.nerd.dk', `554 - Rejected - SPAM from Colombia:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`mk.countries.nerd.dk', `554 - Rejected - SPAM from Macedonia:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`vn.countries.nerd.dk', `554 - Rejected - SPAM from Vietnam:$&{client_addr} rejected')dnl
FEATURE(dnsbl,`ru.countries.nerd.dk', `554 - Rejected - SPAM from Russia:$&{client_addr} rejected')dnl
And within a few hours the first are already blocked… I hope this will reduce the amount of incomming spam at the “front door”. Because simply… I don’t know people in these countries…
Today I noticed a very nice article about enabling Google’s two-factor authentication for Linux SSH.
After reading it… I found some time to play with it… so I enabled it within 10 minutes on my CentOS 5 64bit play-ground server… but there are some small ‘caveats’.
hg – Command
To checkout the code, you must make install the mercurial RPM… this one is available via the EPEL repositories.
So after having the EPEL repositories enabled, run as root:
yum -y install mercurial
Compiling the PAM module
When you checked out the code.
hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/
You cannot compile directly the module… therefor you must apply a small change to the Makefile.
Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)
$ make
$ sudo make install
Now you’ve to update the /etc/pam.d/sshd so it contains:
#%PAM-1.0
auth required pam_google_authenticator.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Configure SSH
You also have to make sure that in /etc/ssh/sshd_config the following settings are set on yes:
ChallengeResponseAuthentication yes
UsePAM yes
And restart the SSH-daemon
Set up your smartphone/credentials on the system
$ google-authenticator
https://www.google.com/chart?chs=200×200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
67868696
26247332
54815527
54336661
71083816
Do you want me to update your “~/.google_authenticator” file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
And you’re done 
Give it a try to SSH to that box…
TIP: Make sure you’ve an SSH session still open… or you might lock yourself out of the system…
A lot of discussion is about one of the last kernel exploits… the one that you can become root using 32bit code on a 64bit machine. So I wanted to know if I’m vulnerable as well… just wanted to know how it works
So I simply did (as normal us…
Normally I used to have a backup-retention-script in place that will create a TAR-ball of the backup data (using Herakles). But this way I was not able to have a retention of longer then 3 days 
So I had to look into another solution, I could add a new harddrive in the server… but there should be something else possible. So I ended up by using LVM snapshots. So I created a Volume group of about 100GB. In that volume group I created a logical volume of about 30GB, which is enough (and if not, we can ‘grow’ the Filesystem thanks to LVM 
)
After having all that done, I’ve created a script located in /root/scripts/lvm-snapshot. This script runs every midnight and creates a snapshot.
#!/bin/bash
#
# Create LVM Snapshots
#
#
#—————————————————————————————————————
CURRENT_SNAPNAME=”snap-“$(date “+%Y%m%d%H%M%S”)
VOLUME2SNAPSHOT=”/dev/vol_backup/lvm0″
LVMSNAPSHOTCMD=”/usr/sbin/lvcreate -L 2G -s -n $CURRENT_SNAPNAME $VOLUME2SNAPSHOT”
LINE=”———————————————————————————————————————“
echo $LINE
df -h /mnt/data
echo $LINE
$LVMSNAPSHOTCMD 2> /dev/null
#—————————————————————————————————————
SNAPSHOT_RETENTION=15
CURRENT_SNAPSHOT_COUNT=$(lvdisplay | grep “^ LV Name /dev/vol_backup/snap” | sort | awk ‘{ print $3 }’ | wc -l)
OVERFLOW=$(echo $CURRENT_SNAPSHOT_COUNT – $SNAPSHOT_RETENTION | bc)
if [ $OVERFLOW -gt 0 ];
then
echo $LINE
for files in $(lvdisplay | grep “^ LV Name /dev/vol_backup/snap” | sort | awk ‘{ print $3 }’ | head -n$OVERFLOW);
do
/usr/sbin/lvremove -f $files 2> /dev/null
done
fi
#—————————————————————————————————————
echo $LINE
/usr/sbin/vgdisplay vol_backup
echo $LINE
/usr/sbin/lvdisplay $VOLUME2SNAPSHOT
And the crontab entry is:
# crontab -l
0 0 * /root/scripts/lvm-snapshot
On a kind of “intranet” website, which is secured with username/password combinations and HTTPS I’ve implemented the next feature:
– Authorized users can read everything on the website
– Files with in their filename “classified” requires a valid SSL-Client certificate…
Here is the output of my apache config:
<Directory /usr/sites/ssl-site/intranet/htdocs>
Options Indexes MultiViews
AllowOverride Authconfig
Order allow,deny
Allow from all
AuthName “intranet”
AuthType “Basic”
AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
require valid-user
</Directory>
<LocationMatch .*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+>
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +OptRenegotiate
</LocationMatch>
I still have to sort out some issues, like directories having a directory with the name “classified” in them.
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible and enable advertising to provide you free content. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.