Blog: Michaels Corner
Created by Michael Shinn on Tue 31 of Aug., 2004 14:27 EDT
Last modified Tue 22 of Mar., 2005 23:56 EST

Description: Security and Technology Tips.

By Michael Shinn on Sat 29 of Jan., 2005 21:56 EST

RBLs, "Realtime Blackhole Lists", or just plain "blacklists", are used by mail servers to protect against spam. In recent years these Realtime Blackhole Lists have expanded to include not just open relays and known sources of spam, but also lists of systems that have been broken into, are infected with viruses or worms, or are running open proxies.

Web servers can benefit from using RBLs/blacklists that include lists of machines which have been broken into and are being used by attackers as a midpoint to hide their tracks. This helps you cut down on the attacks against your systems. Setting up Apache to block these hosts is a fairly simple process that involves replacing the mod_access module on your system with a patched version that understands how to do this. With Apache 1.x, this is accomplished by replacing mod_access with mod_access_rbl. mod_access_rbl, at present, only works with Apache 1.3, so to get it to work with Apache 2.x you need to patch mod_access using a small and easy to install patch.

How to use RBLs to protect Apache 2.x

1. Make a copy of your current mod_access.so file. If you don't know where it is, try running this command on your system:

locate mod_access.so

cp /location/of/mod_access.so /some/safe/place

2. Download the patch for mod_access.

3. Locate your copy of the Apache source tree for your OS or distribution, or get a copy of the Apache source for your system. Make sure you get the right version for your OS or distribution, and that you install any OS/distribution specific patches. You don't want to miss anything important in your mod_access module, since we're going to replace your old one completely. Also, if you are using Apache 1.3, do not use this patch. It's for Apache 2.x.

4. Once you have found or installed the apache source for your system, you need to patch one file: mod_access.c. It is generally found in this directory:

httpd-2.x.x/modules/aaa

Once you have found mod_access.c, you will want to run this command to patch it:

cat /path/to/mod_access_rbl.diff | patch -p1

5. Once it is patched, you can compile and install the patched mod_access.

cd httpd-2.x.x/modules/aaa
apxs -i -a -c mod_access.c

6. That command should also install the new mod_access and enable it in your Apache configuration. At this point, you will want to restart Apache and make sure the new module works as the old one did, so carry out some testing to confirm all the old functionality is still working properly.

/etc/init.d/httpd restart

Or whatever command you need to use to restart Apache.

7. If all the old functionality is still working properly, you can then add in the new functionality afforded by the patch. To start blocking blackholed sites, you can take one of two approaches.

To protect all the sites on your server add this to your httpd.conf file. Remember, this will apply the blocking to every web directory and website on your server:

 <Limit GET POST OPTIONS PROPFIND>
 order allow,deny
 allow from all
 deny via xbl.spamhaus.org
 </Limit>

If you add this to your httpd.conf, you will need to restart Apache again.

The other way is to limit the blocking to specific virtual servers and/or web directories. This also lets you define different RBLs for each resource, file, web directory and/or virtual server you want to protect. To take this granular approach, you simply use .htaccess files. Just add or modify a .htaccess file in the web directory you wish to protect, and then put this at the top of the file:

 <Limit GET POST OPTIONS PROPFIND>
 order allow,deny
 allow from all
 deny via xbl.spamhaus.org
 </Limit>

In both of these examples "xbl.spamhaus.org" is the RBL we are using, but you can choose to use any RBL you like in the "deny via" directive. Keep in mind that this will only deny connections for those methods (GET, POST, OPTIONS and PROPFIND) defined in the <Limit> directive. If you want to block other methods, then you will need to add them. Since those other methods are largely used by things like DAV, if you don't use DAV you can just deny all other methods except for GET, POST, OPTIONS and PROPFIND by adding this to either your httpd.conf or your .htaccess file:

 <LimitExcept GET POST OPTIONS PROPFIND>
 Order deny,allow
 Deny from all
 </LimitExcept>

mod_access, when configured in this manner, will look up every incoming connection against the RBL you have defined (again, in this example we used spamhaus.org's Exploit Block List). Keep in mind that this process will introduce a small delay on all incoming connections and that mod_access will not cache these lookups. You can minimize the cost of this non-caching behavior by running a local DNS server to cache the lookups on the server you intend to implement this on. Make sure you also configure the system Apache is running on to use the local DNS running on that same machine. You might get a little boost by pointing to a DNS server on another machine on the same LAN, but you'll get the best performance if your DNS server is running on localhost (127.0.0.1).
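To make the lookup and caching behaviour concrete, here is an added example (not code from the post or from mod_access_rbl) that models a "deny via" check in Python. It assumes the standard DNSBL convention of reversing the client's IPv4 octets and querying an A record under the list zone; the zone answers are constructed, and the CachingChecker class shows why a local caching resolver cuts repeated upstream queries.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Constructed zone data standing in for a live DNSBL; a real check would send
# an A query for the name. 192.0.2.44 (documentation range) is "listed" here.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "44.2.0.192.xbl.spamhaus.org": "127.0.0.2",  # constructed answer
}

def constructed_resolver(name: str) -> Optional[str]:
    """Stand-in resolver: returns the A record, or None for NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name)

def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Standard DNSBL convention: IPv4 octets reversed, then the list zone.
    Assumed to be what 'deny via <zone>' does for each client address."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def is_listed(client_ip: str, zone: str,
              resolve: Callable[[str], Optional[str]] = constructed_resolver) -> bool:
    """True if the client should be denied: any A answer means 'listed'."""
    return resolve(dnsbl_query_name(client_ip, zone)) is not None

class CachingChecker:
    """Models what a local caching resolver buys you: mod_access itself does
    not cache, so without one every hit is a fresh upstream query. TTLs are
    ignored here for brevity; a real cache must expire entries."""
    def __init__(self, zone: str,
                 resolve: Callable[[str], Optional[str]] = constructed_resolver):
        self.zone, self.resolve = zone, resolve
        self.cache: Dict[str, Optional[str]] = {}
        self.upstream_queries = 0

    def check(self, client_ip: str) -> bool:
        name = dnsbl_query_name(client_ip, self.zone)
        if name not in self.cache:
            self.upstream_queries += 1
            self.cache[name] = self.resolve(name)
        return self.cache[name] is not None

if __name__ == "__main__":
    checker = CachingChecker("xbl.spamhaus.org")
    for ip in ("192.0.2.44", "192.0.2.44", "198.51.100.7"):
        print(ip, "deny" if checker.check(ip) else "allow")
    print("upstream queries:", checker.upstream_queries)  # 2, not 3
```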

By Michael Shinn on Sat 01 of Jan., 2005 20:35 EST

Here's a quick list of some useful privacy enhancing tools for Windows and UNIX. We'll add these to the Wiki as well shortly.

Privoxy

(Works with Windows, Linux, BSD, MacOS and other OSes)

Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page content, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes. Privoxy has application for both stand-alone systems and multi-user networks.

Privoxy is based on Internet Junkbuster (tm).

http://www.privoxy.com

Bugnosis

(Only works with Windows)

"Bugnosis is a Web bug detector. As you surf the Web, it analyzes every page you visit and alerts you when it finds any Web bugs. With Bugnosis, you don’t have to be a code expert to tell when your browsing habits are being observed."

http://www.bugnosis.org/ (Works only with Internet Explorer)

TOR

(Works with Windows, Linux, BSD, MacOS and other OSes)

"Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and more. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

"Your traffic is safer when you use Tor, because communications are bounced around a distributed network of servers, called onion routers. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several servers that cover your tracks so no observer at any single point can tell where the data came from or where it's going. This makes it hard for recipients, observers, and even the onion routers themselves to figure out who and where you are. Tor's technology aims to provide Internet users with protection against "traffic analysis," a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security."

http://tor.eff.org/

Adblock

(All platforms that can run Mozilla or Firefox)

"Adblock is a content filtering plug-in for the Mozilla and Firebird browsers. It is both more robust and more precise than the built-in image blocker. Adblock allows the user to specify filters, which remove unwanted content based on the source-address. If this sounds complicated, don't worry: it's not. Just add a few filters. Every time a webpage loads, Adblock will intercept and disable the elements matching your filters. See?- nothing to it."

http://adblock.mozdev.org/

By Michael Shinn on Fri 01 of Oct., 2004 13:22 EDT

Nearly 30% of all the support calls top IT support companies receive are from users whose computers have been infected with spyware. Read on for the top nine ways to stop spyware from infecting your computer.


1. Dump Internet Explorer and start using Mozilla or Firefox

Yes, I know, some of the websites you visit may not work. Truth be told, IE is the #1 way spyware gets on computers. Nothing else comes close, well, aside from just plain installing it (see tip #8). If you want to avoid spyware, ditch IE.

As for websites that other browsers may not work with, there is no easy solution to this, but the good news is that both Mozilla and Firefox work with nearly every website we have tested them with. It is thankfully rare that a website won't work with them, so swallow the pill and start using either of these browsers. If you find a site that does not work with Mozilla or Firefox, and you can prove to yourself that it really won't work, then and only then should you use IE with that website.

A word of caution though: some spyware developers know that users will do this, and deliberately break some websites so that they will only work with IE. Or, they will install code to make sure you are running IE, and if not they will report that the website does not work without IE. If this happens to you, try using one of the plug-ins for Mozilla or Firefox that trick these programs into thinking you are using IE.

These work by allowing you to change the "User Agent" field of your browser. Here is an extension that works with both Mozilla and Firefox which will give you the ability to do this:

http://extensionroom.mozdev.org/more-info/useragentswitcher

If all else fails, and you must use IE with a website, make absolutely sure that you trust that website.

You can download Mozilla and Firefox from the Mozilla website:

http://www.mozilla.org

2. Install anti-spyware tools

There are plenty of free ones, so if cost is an issue, start with these:

Spybot

http://www.safer-networking.org

AdAware personal

http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

If you have the money to spend, then try some of the commercial products out there.

3. Install and run anti-virus

Along with anti-spyware tools, you should be running anti-virus software as well.

And in case cost is an issue, yes Virginia, there are free anti-virus tools too. One that I am familiar with is ClamWin. Keep in mind that ClamWin does not do "on the fly" scanning of executables when you load them, as some commercial anti-virus products do. ClamWin is an anti-virus scanner in the classic sense only: you have to tell it to scan your hard drive. You can download it from here:

http://www.clamwin.com/

My advice would be to run a commercial anti-virus product though. ClamWin is nice, and if you are on a budget you can get by, but the lack of an "on the fly" scanner is a real weakness in its ability to protect you.

4. Keep your system patched!

I can't say this one enough. If you aren't keeping your system patched, you're asking for trouble.

5. If your browser asks you a question, take the time to read it, don't just click "Yes".

And after you read that warning or notice, if you can't prove that you need to allow your browser to do whatever it claims it needs to do, don't let it. When in doubt, don't let it do it.

6. Don't install "search helpbar" tools, except from trusted sources

And even then, don't install them. Odds are that you really don't need it. Yeah, it looks cool, but it's probably not something you need. Stick with the golden rule: if you can't prove that you need it, then you can live without it.

7. Configure Mozilla or Firefox to block pop-ups

Yes my IE using friends, Mozilla and Firefox will block pop-ups for you, and these two venerable browsers have been able to do this for a very long time.

8. If you install software, only use products that do not include spyware

This one seems simple enough, but I'm always reminded of a phrase coined by Robert Heinlein, TANSTAAFL (There Ain't No Such Thing As A Free Lunch). Sometimes the really cool free game that you just have to install on your computer comes with a little extra surprise: spyware. Recently we ran into a user who had to have their computer rebuilt 6 times in 3 months. It was always infected with the newest trojans and spyware; sometimes even the best anti-spyware products couldn't remove it. Where did it all come from? The user installed it. This poor victim had a penchant for goofy games, the more the merrier. We know he didn't mean to wreck his computer, he was just a little too trusting. When installing software it pays to be a little paranoid. Sometimes, if you're not careful, you can do the spyware makers' job for them. As a good friend pointed out, "Even if your client is clean, that doesn't make much of a difference if you're downloading stuff that isn't."

On that subject, it's time to discuss P2P clients. Too many P2P products include spyware these days. What's worse is that you probably do not need to use a lot of these products. Ask yourself this: do you really need to run that P2P client, on that computer?

Also, keep in mind that you have no idea what you're really downloading from someone else when using some of these clients. If the source isn't trusted, really trusted, then you might just be downloading spyware, trojans, or viruses. And as you probably already know, all that bad stuff is on the P2P networks just as it is everywhere else.

So, if you really must use P2P software, then be sure to pick a client that, itself, doesn't install bad things on your computer when you install it, and be cautious about what you download from someone you don't know.

Thankfully, there are many P2P clients to choose from that do not include spyware. When in doubt, if the vendor won't say that their product does not include spyware, assume that it does. Yes, this might unfairly cause you to rule out some nifty P2P product that doesn't include spyware, but again, if you can't tell whether they include spyware, it's better to stay away from that piece of software.

Here's a quick list:

eMule

http://www.emule-project.net/

Shareaza

http://www.shareaza.com/

LimeWire

http://www.limewire.com

Gift

http://gift.sourceforge.net

9. Don't log into or use an administrator account

Set your login account to be a "limited privileges" account. By default, when you install Windows it will set up user accounts for you, and those accounts will have full Administrator privileges. This is a sure path to ruin. Administrator accounts have totally unrestricted access to every corner of your system, which is something you do not really need to work with your computer. It's dangerous to run all your programs this way, which is exactly what happens when you are logged in as an administrator: every program you run has the power to destroy your system.

So, unless you have a specific administrative task to carry out, don't log into an account with Administrator privileges. Do all your real work under an account with very limited privileges, otherwise you make it easy for the spyware makers to take over your system completely. With limited privileges, the programs you are running, which might include a virus, trojan or new piece of spyware, may not be able to successfully attack your system without those administrator privileges.

Sometimes you may need administrator privileges, for instance if you need to install a new driver or a piece of software. In that case, just log in as administrator, install what you need, and log back out. Don't stay logged in with those administrator privileges. Otherwise, you'll make it trivially easy for all that spyware to take your computer over.
