bizante (http://bizante.com), Mon, 07 Dec 2015 21:16:05 +0000

Stop SSH Brute Force Attacks
http://bizante.com/stop-ssh-brute-force-attacks/
Sun, 22 Nov 2015 10:01:56 +0000

Using IPtables to Stop SSH Brute Force Attacks

I like to think of this approach as similar to flow rates in pipes. Bigger pipes allow more water to flow. Smaller pipes can handle less water.

Control ssh access with iptables

To block an SSH brute force attack, we just need to slow down the flow of requests. We can do this by rate-limiting new requests to SSH with iptables.

Essentially, we create a smaller pipe for new SSH sessions. This slows brute force attacks to a point where they become ineffective.

The iptables rules are relatively simple.

/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

These rules will block an IP if it attempts more than 3 connections per minute to SSH. Notice that the state is set to NEW. This means only new connections, not established ones, are affected. Established connections are the result of a successful SSH authentication, so users who authenticate properly will not be blocked.
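To see how the two rules behave over time, here is an added Python model of the iptables recent match (not code from the post); the source addresses and timings fed to it are constructed. Because each -I inserts at the top of INPUT, the second command leaves the --update rule above the --set rule, so the model takes the rule order as a parameter and lets you compare it with the order that -A would produce.

```python
# Added model of the iptables "recent" match behind the two rules above; not the
# post's code. Source addresses and timings used with it are constructed data.
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4  # values from the page's --update rule


class RecentList:
    """Per-source timestamps as xt_recent keeps them (the kernel caps each list
    at ip_pkt_list_tot, default 20; that cap is not modelled here)."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: record a timestamp for the source (the rule always matches).
        self.stamps[src].append(now)

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        # --update --seconds S --hitcount N matches when the source already has
        # at least N timestamps no older than S seconds. Only on a match is a
        # new timestamp added, so a source that keeps hammering stays blocked.
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_new_connections(events, set_first=True):
    """events: (seconds, source_ip) pairs, one per NEW connection to port 22.

    set_first=True  models the rules appended with -A (--set above --update):
    the 4th new connection inside 60 s is dropped.
    set_first=False models the page's two -I commands, which each insert at the
    top of INPUT and so leave --update above --set: the 5th is the first dropped.
    Returns one verdict per event, "ACCEPT" or "DROP".
    """
    recent = RecentList()
    verdicts = []
    for now, src in events:
        if set_first:
            recent.set(src, now)
            dropped = recent.update(src, now)
        else:
            dropped = recent.update(src, now)
            if not dropped:  # DROP ends the chain, so --set is not reached
                recent.set(src, now)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts
```

Feeding it `[(t, "203.0.113.5") for t in range(0, 30, 5)]` (a constructed burst of one new connection every five seconds) shows the burst turning into drops, while a second source that tries three times and then waits over a minute is never blocked.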

If you need to see what’s being done, you may want to log these drops. You can do so by setting up a log rule and then using these rules instead.

/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP

Notice that I’ve changed the rule from DROP to LOGDROP. This way your drops will get logged and you can see the results in your logs:

Effectively Stopping SSH Brute Force Attacks

I always try to get a sense of the effectiveness of any tool or configuration we deploy. I find many “security” tools that are popular among the web hosting crowd provide little to no value. In many cases, appropriate configuration of your server or web application could achieve similar results without the hassle of maintaining a third-party product.

Are the IPtables rules effective? In short, yes.

During a recent attack on a server, the SSH service remained fully accessible with no service interruption.

Previously, such an aggressive attack would have caused service interruptions. So on the service side, this approach works. When I dug into the logs, I found three failed user attempts against SSH before the rate limiting kicked in. The attack then sent 67 more attempts before it gave up.

Benefits of Using IPtables to Block SSH Attacks

The benefit of this approach is that you don’t need any added software. IPtables is likely sitting on your server already, so you can easily and quickly deploy this solution.

Also, there are no “ban lists” to maintain. People forget passwords or incorrectly set up their SSH/SFTP programs. As a result, they trigger a block and get locked out. You then have to manually edit some ban list to remove them or whitelist IPs. Over time or with multiple servers, this is a time-consuming server management task. By using iptables, there’s no list to maintain — leaving you time to work on more important things.

One of the drawbacks is that this approach does not lock accounts. A slow, distributed attack could slip under the radar. If it was a directed attack against a specific user account, the attacker could churn away for days or weeks without detection. For that, you would need something that can lock user accounts after failures. PAM includes a module called pam_tally that does just this. If you fail too many times, the account is locked.

Best VPN Protocol?
http://bizante.com/best-vpn-protocol/
Fri, 20 Nov 2015 09:07:55 +0000

PPTP vs OpenVPN vs L2TP over IPsec vs SSTP

Want to use a VPN? If you’re looking for a VPN provider or setting up your own VPN, you’ll need to choose a protocol. Some VPN providers may even provide you with a choice of protocols.

This isn’t the final word on any of these VPN standards or encryption schemes. We’ve tried to boil everything down so you can grasp the standards, how they’re related to each other — and which you should use.

PPTP

Don’t use PPTP. Point-to-point tunneling protocol is a common protocol because it’s been implemented in Windows in various forms since Windows 95. PPTP has many known security issues, and it’s likely the NSA (and probably other intelligence agencies) are decrypting these supposedly “secure” connections. That means attackers and more repressive governments would have an easier way to compromise these connections.

Yes, PPTP is common and easy to set up. PPTP clients are built into many platforms, including Windows. That’s the only advantage, and it’s not worth it. It’s time to move on.

In Summary: PPTP is old and vulnerable, although integrated into common operating systems and easy to set up. Stay away.

OpenVPN
OpenVPN uses open-source technologies like the OpenSSL encryption library and the SSL v3/TLS v1 protocols. It can be configured to run on any port, so you could configure a server to work over TCP port 443. The OpenVPN traffic would then be practically indistinguishable from the standard HTTPS traffic that occurs when you connect to a secure website. This makes it difficult to block completely.

It’s very configurable, and will be most secure if it’s set to use AES encryption instead of the weaker Blowfish encryption. OpenVPN has become a popular standard. We’ve seen no serious concerns that anyone (including the NSA) has compromised OpenVPN connections.

OpenVPN support isn’t integrated into popular desktop or mobile operating systems. Connecting to an OpenVPN network requires a third-party application — either a desktop application or a mobile app. Yes, you can even use mobile apps to connect to OpenVPN networks on Apple’s iOS.

In Summary: OpenVPN is new and secure, although you will need to install a third-party application. This is the one you should probably use.

L2TP/IPsec
Layer 2 Tunneling Protocol is a VPN protocol that doesn’t offer any encryption. That’s why it’s usually implemented along with IPsec encryption. As it’s built into modern desktop operating systems and mobile devices, it’s fairly easy to implement. But it uses UDP port 500 — that means it can’t be disguised on another port, like OpenVPN can. It’s thus much easier to block and harder to get around firewalls with.

IPsec encryption should be secure, theoretically. There are some concerns that the NSA could have weakened the standard, but no one knows for sure. Either way, this is a slower solution than OpenVPN. The traffic must be converted into L2TP form, and then encryption added on top with IPsec. It’s a two-step process.

In Summary: L2TP/IPsec is theoretically secure, but there are some concerns. It’s easy to set up, but has trouble getting around firewalls and isn’t as efficient as OpenVPN. Stick with OpenVPN if possible, but definitely use this over PPTP.

SSTP
Secure Socket Tunneling Protocol was introduced in Windows Vista Service Pack 1. It’s a proprietary Microsoft protocol, and is best supported on Windows. It may be more stable on Windows because it’s integrated into the operating system whereas OpenVPN isn’t — that’s the biggest potential advantage. Some support for it is available on other operating systems, but it’s nowhere near as widespread.

It can be configured to use very secure AES encryption, which is good. For Windows users, it’s certainly better than PPTP — but, as it’s a proprietary protocol, it isn’t subject to the independent audits OpenVPN is subject to. Because it uses SSL v3 like OpenVPN, it has similar abilities to bypass firewalls and should work better for this than L2TP/IPsec or PPTP.

In Summary: It’s like OpenVPN, but mostly just for Windows and can’t be audited as fully. Still, this is better to use than PPTP. And, because it can be configured to use AES encryption, is arguably more trustworthy than L2TP/IPsec.

OpenVPN seems to be the best option. If you have to use another protocol on Windows, SSTP is the ideal one to choose. If only L2TP/IPsec or PPTP are available, use L2TP/IPsec. Avoid PPTP if possible — unless you absolutely have to connect to a VPN server that only allows that ancient protocol.

WordPress XMLRPC Vulnerability
http://bizante.com/wordpress-xmlrpc-vulnerability/
Tue, 13 Oct 2015 08:11:39 +0000

Disable Pingbacks And Trackbacks

In WordPress, under Settings | Discussion, clear the checkbox “Allow link notifications from other blogs (pingbacks and trackbacks)”.

Parallels Plesk Panel, “502 Bad Gateway”
http://bizante.com/parallels-plesk-panel-502-bad-gateway/
Sun, 20 Sep 2015 18:26:06 +0000

APPLIES TO:

  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux
  • Plesk Automation 11.1
  • Plesk Automation 11.5

/var/log/sw-cp-server/error_log contains the following error message:

recv() failed (104: Connection reset by peer) while reading response header from upstream,
client: 123.123.123.123, server: , request: "POST  <some url>

Resolution

As a possible workaround, increase the buffer size inside the file /etc/sw-cp-server/config as follows.

Before:

root@hostname:~# grep buffer /etc/sw-cp-server/config
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;

After:

root@hostname:~# grep buffer /etc/sw-cp-server/config
    fastcgi_buffers 32 32k;
    fastcgi_buffer_size 64k;

After editing the file, restart the services below:

root@hostname:~# /etc/init.d/sw-cp-server restart
root@hostname:~# /etc/init.d/sw-engine restart
Codes for SAMSUNG Galaxy TabPRO 10.1 WiFi
http://bizante.com/codes-for-samsung-galaxy-tabpro-10-1-wifi/
Tue, 01 Sep 2015 09:57:36 +0000

*#*#4636#*#* – full information about tablet
*#*#7780#*#* – factory reset data default
*2767*3855# – tablet format
*#*#34971539#*#* – phone camera update
*#*#273283*255*663282*#*#* – copy files (the backup created)
*#*#197328640#*#* – service mode

WLAN, GPS and Bluetooth Test Codes
*#*#232339#*#* OR *#*#526#*#* OR *#*#528#*#* – WLAN test; *#*#232338#*#* – Shows Wi-Fi MAC address;
*#*#1472365#*#* – GPS test; *#*#232331#*#* – Bluetooth test;
*#*#232337#*#* – Shows Bluetooth device address.

Firmware version information
*#*#44336#*#* – PDA, Phone, CSC, Build Time, Change list number;
*#*#2222#*#* – FTA HW Version;
*#*#1111#*#* – FTA SW Version, *#*#1234#*#* – PDA and Phone*;
*#*#4986*2650468#*#* – PDA, Phone, H/W, RFCallDate.

Factory Tests
*#*#3264#*#* – RAM version, *#*#0*#*#* – LCD test, *#*#0842#*#* – Device test (Vibration test and Backlight test), *#*#2663#*#* – Touch screen version, *#*#2664#*#* – Touch screen test;
*#*#0588#*#* – Proximity sensor test.

Secure internet on Macbook
http://bizante.com/secure-internet-on-macbook/
Mon, 31 Aug 2015 09:30:58 +0000

Show hidden files on OS X except .DS_Store
http://bizante.com/show-hidden-files-on-os-x-except-ds_store/
Sun, 23 Aug 2015 15:58:36 +0000

defaults write com.apple.finder AppleShowAllFiles -bool YES

http://bizante.com/965/
Sat, 22 Aug 2015 08:32:47 +0000

APPLIES TO:

  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux

Symptoms

  1. The domain domain.tld is hosted on the Parallels Plesk Panel (Plesk) server.
  2. Mail for domain.tld is hosted on an external mail server.
  3. An attempt to send a message through the Plesk server to a mailbox on domain.tld fails.

Cause

Plesk configured the mail server to treat domain.tld as a local domain.

Resolution

Disable the mail service on the subscription using the command-line utility mail:

/usr/local/psa/bin/mail --off domain.tld

To disable the mail service for every subscription on the server, use the following command:

mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -Nse"select name from domains where parentDomainId=0"|while read i; do /usr/local/psa/bin/mail --off $i && echo "Mail service for $i subscription has been disabled" ;done
Self development for the technical.
http://bizante.com/self-development-for-the-technical/
Thu, 13 Aug 2015 14:45:45 +0000

So here is a short list of websites I use to keep the cogs oiled.

https://www.howtoforge.com

Linux tutorials.

https://www.coursera.org

Free online classes from 120+ top universities and educational organisations

http://www.lynda.com

Offers technology, creative and business skills courses

How to disable mail service for only one domain on the subscription?
http://bizante.com/how-to-disable-mail-service-for-only-one-domain-on-the-subscription/
Mon, 15 Jun 2015 13:55:17 +0000

APPLIES TO:
Plesk 11.0 for Linux
Plesk 11.5 for Linux
Plesk Automation 11.1
Plesk Automation 11.5

Log into the server as root and run:

# /usr/local/psa/bin/domain -u domain.tld -mail_service false

where domain.tld is the name of the domain in question.
