Archive for category Security

Easy Linux Firewalling using IPTables

Posted by on Sunday, 21 March, 2010

A lot of our customers have asked for firewalls, and since this is a common theme, i decided that I would help them out. Of course it can be a mission to learn how to make your own and what to do or not do, and some of the pre-made ones can be confusing.

So i decided to simplify it a little for you all by writing a firewall script. I originally took a script made by somebody else, then totally modified it to suit myself, then modified it again to suit any machine. You *should* be able to literally drop this in place on any server and have it *just work*.

All you need to do is edit the top couple of lines to set what ports you want open or closed. edit the other options (ie ssh port etc). Full instructions as follows

wget http://b.ri.mu/files/firewall
nano firewall # ctrl+x to exit when finished editing
chmod +x firewall
./firewall

If you are still able to connect to your VPS in all the usual ways then you can add that into your init scripts. To check what ports you have open and want the outside world to connect to you can use

netstat -pant |grep LISTEN

If you are unable to login then you may need to log into the console of your VPS at https://rimuhosting.com/cp/vps/console.jsp

Adding it into the init scripts

cp firewall /etc/init.d/firewall

Debian Based (debian.ubuntu etc)

update-rc.d firewall defaults

Centos/RPM based

chkconfig --add firewall

Apache modules to help your server

Posted by on Friday, 27 November, 2009

libapache2-mod-bw – bandwidth limiting module

This module allows you to limit bandwidth usage on every virtual host or directory or to restrict the number of simultaneous connections.

The bandwidth control, for example, can be configured according to the criteria: origin of the connection, file extension, file size or user agent of the client.
Example:

LoadModule bw_module /usr/lib/apache2/modules/mod_bw.so
BandWidthModule On
BandWidth all 40000
MinBandWidth all 10000
ForceBandWidthModule On

libapache2-mod-defensible – module for Apache2 which provides DNSBL usage

mod_defensible implements usage of DNSBL servers to block access to a Web site or to specific locations.

Example:

DnsblUse On
DnsblServers httpbl.abuse.ch sbl-xbl.spamhaus.org
DnsblNameserver 145.253.2.75

libapache2-mod-evasive – evasive module to minimize HTTP DoS or brute force attacks

mod_evasive is an evasive maneuvers module for Apache to provide some protection in the event of an HTTP DoS or DDoS attack or brute force attack.

It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera.

Example:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
</IfModule>

Comes with a perl script to test it also.

vps:/etc/apache2/mods-available# perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

libapache2-mod-line-edit – search-and-replace line editor module for apache 2

mod_line_edit is a general-purpose apache 2 filter for text documents. It operates as a simple on-the-fly line editor, applying search-and-replace rules defined in a configuration or .htaccess file. Both simple text and regular expression search and replace are supported.

Example:

SetOutputFilter line-editor
SetEnv LineEdit “text/plain;text/css;text/html”
LELineEnd ANY
LERewriteRule https?://(www\.)?example\.com http://example-development.yoursite.co.nz Ri

Throw something like that into your or somewhere and you instantly fixed all those problem URLS on your development system, without touching the source files at all.
This is ideal to stop/prevent people exploiting various holes in web applications and inserting javascript redirects etc.

Please note: the name of all these modules is debian/ubuntu related. Centos or RedHat based distros may have another name for the same modules. If you need any of these installed just drop an email into the support box and let us know.


WordPress Update Script – 2.8.6 and WordPress MU 2.8.5.2

Posted by on Monday, 16 November, 2009

New WordPress came out last Friday, Sorry about the delay updating the script.

This script will update all instances of wordpress that are not the most current. Run it as root, it will make backups in /root/wp_upgrades of both databases and files in case things go wrong.

It will determine if its a WordPress or WordPress Multi User and apply the correct fix.

wget http://b.ri.mu/files/wordpress-upgrade-2.8.6.sh
sh wordpress-upgrade-2.8.6.sh

You may need to change the ownership of the wordpress files after install, I will fix this bug and write it into the script in the next couple of versions.

If you have any bugs or problems with it, please let me know.