Hello,
What are the list's preferred techniques for preventing spidering of a
web application (in this case Mediawiki) by misguided web robots?
robots.txt already in place, but they ignore that of course.
Ideally Apache-based.
I don't particularly care if they are still able to download the
content or not, I just don't want them taking up every single
process slot thus impacting non-abusive 'real' web clients. So a
rate-limiting solution would be acceptable.
Cheers,
Andy
Hi,
On 15th December a customer asked for help in diagnosing high system
load and unusual Apache logs which contained login credentials for
MySQL.
Upon further investigation it appeared that around 30th November one
of the site's legitimate Wordpress admins had logged in from an
unexpected place (a Tor exit node) and had uploaded a PHP file which
appeared to enable full filesystem traversal, downloading of file
content, shell command execution as Apache user, etc.
This was also used to read the content of the Wordpress
configuration files thereby to gain access to the database as the
Wordpress user.
It appears that the Wordpress admin's own system was earlier
compromised and this opportunity was used to further compromise
sites they were known to have access to.
A copy of the hostile PHP upload can be found here:
https://gist.github.com/4299683
It is difficult to strongly critique the customer's setup since the
compromise was as a result of a legitimate user account with admin
privileges being used to further attack the system.
It is easy to advise that web applications should run under limited
permissions, with little access to the filesystem or other database
content. Security measures such as SELinux could be used in order to
even limit what the root user can achieve, though no proven root
compromise was noted in this case. These recommendations are easy to
make though I suspect much harder for people to put into practice on
their own personal hosting setup.
Still, perhaps this example can spur us all to think about what the
consequences could be if privileged users of our systems get
themselves compromised.
The customer's VPS has since been fully reinstalled.
Cheers,
Andy
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
--
http://bitfolk.com/ -- No-nonsense VPS hosting
I'm having some odd issues with one of my clients not being able to send
emails to the domain kohinoorfoods.co.uk via my server.
From Exim's logs:
2012-12-31 12:01:09 1Tpe3E-0001wT-Fy kohinoorfoods.co.uk [50.57.203.17] Connection refused
2012-12-31 12:01:09 1Tpe3E-0001wT-Fy == xxx@kohinoorfoods.co.uk R=dnslookup T=remote_smtp defer (111): Connection refused
2012-12-31 12:01:09 1Tpe3E-0001wT-Fy == yyy@kohinoorfoods.co.uk R=dnslookup T=remote_smtp defer (111): Connection refused
2012-12-31 12:01:09 1Tpe3E-0001wT-Fy == zzz@kohinoorfoods.co.uk R=dnslookup T=remote_smtp defer (111): Connection refused
Oddly they can send mail to them from their Blackberry, but to me their
DNS looks wrong - no MX records for a start (ip is of their web server).
I checked the following two websites to verify that it wasn't just me:
http://centralops.net/co/DomainDossier.aspx?addr=kohinoorfoods.co.uk&dom_…
http://dnscheck.iis.se/?time=1356957861&id=2916138&view=advanced&test=stand…
However their IT support advise: "Looking at their logs it appears that
when they are doing the DNS lookup to find the MX records for your
domain its unable to find any records, this to me indicates a problem
with their DNS server, the site they have used to check
http://centralops.net doesn't seem to find any MX records for your
domain, but if I google MX Lookup and run the same test from at least
the top 5 MX Lookup sites I can successfully see that the MX records are
a.mx.apm-internet.net and b.mx.apm-internet.net
As there is only one person who seems to be having this problem I would
suggest therefore that the problem is actually with the DNS servers that
they are using to route mail out, if multiple places were reporting the
same problem then it may be a problem with whoever hosts your domain."
Can anyone else verify that this isn't just a problem with my server?
Thanks
Gavin
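The diagnosis in the post above comes down to which resolver sees MX records for the recipient domain. As an added example (not from the original thread), this models the MX-then-A fallback an MTA such as Exim applies and flags the resolver whose view disagrees with the others; the resolver views are constructed, the a.mx/b.mx hosts the IT support quoted are assumed to be the recipient domain's MX, and their preference values are invented.

```python
"""Why an empty MX answer sends mail to the web server (added example, not the
poster's code). Models the RFC 5321 rule an MTA such as Exim follows: try MX
hosts in preference order; if the resolver returns no MX records at all, fall
back to the domain's A record. The resolver views below are constructed; the
MX hostnames are the ones the IT support quoted, assumed to belong to the
recipient domain, and their preference values are invented."""
from collections import Counter

def delivery_targets(mx_records, a_records):
    """mx_records: list of (preference, host); a_records: list of IP strings.
    Returns the ordered (target, reason) list an MTA would try on port 25."""
    if mx_records:
        ordered = sorted(mx_records, key=lambda rec: rec[0])
        return [(host, "MX preference %d" % pref) for pref, host in ordered]
    # RFC 5321 section 5.1: no MX records means an implicit MX pointing at
    # the A record, which in the thread is the recipient's web server.
    return [(ip, "implicit MX: no MX in answer, using A record") for ip in a_records]

def diagnose(views):
    """views: {resolver_name: {"mx": [...], "a": [...]}}.
    Returns the resolvers whose first delivery target disagrees with the
    majority, mapped to the target they would (wrongly) connect to."""
    firsts = {}
    for name, view in views.items():
        targets = delivery_targets(view["mx"], view["a"])
        firsts[name] = targets[0][0] if targets else None
    majority = Counter(firsts.values()).most_common(1)[0][0]
    return {name: first for name, first in firsts.items() if first != majority}

# Constructed resolver views for kohinoorfoods.co.uk: two resolvers that see
# the MX records, and the poster's server, whose resolver returns none.
COMMON_MX = [(20, "b.mx.apm-internet.net"), (10, "a.mx.apm-internet.net")]
VIEWS = {
    "public-mx-lookup-site": {"mx": COMMON_MX, "a": ["50.57.203.17"]},
    "blackberry-carrier": {"mx": COMMON_MX, "a": ["50.57.203.17"]},
    "poster-exim-server": {"mx": [], "a": ["50.57.203.17"]},
}
```

The "Connection refused" in the log is what this predicts: with no MX in the answer, Exim connects to port 25 on the A record, which is the web server.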
Hi all,
Has anyone here used ipset (specifically with iphash) on a Bitfolk VPS?
I'm currently running a '2.6.32-5-686-bigmem' kernel and wondered if
anyone had compiled in the required modules or a more recent kernel?
I compile kernels on my home kit, but haven't touched anything on my
VPS as of yet. If there are any hidden gotchas I would be grateful if
someone could point them out in advance.
Cheers,
Gerald
Hi,
The feature request to edit and view reverse DNS and reverse DNS
delegations in the Panel:
https://tools.bitfolk.com/redmine/issues/25
has now been implemented, so you can edit your IPv6 reverse DNS
delegations in the same way as you have been able to for IPv4.
I know it is rather clunky the way you do this, but it is at least
now possible, so no more support tickets for that.
There is still a feature request for making it prettier:
https://tools.bitfolk.com/redmine/issues/43
but that is much lower priority and kind of relies on me learning
how. :)
Looking at the list of feature requests:
https://tools.bitfolk.com/redmine/projects/bitfolk/issues?query_id=1
I'll probably be working on SMS alerting and disk snapshots next.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Following recent discussions, I thought I would admit to my own incompetence,
and thereby perhaps educate others!
Despite having ssh listening on a non-standard port number, I noticed logwatch
reported 103 attempts on sshd, which should not be possible if fail2ban was
doing its job properly.
I realised that my /etc/fail2ban/jail.local did not have the following line:
backend = polling
This line is non-standard, but without it fail2ban may not work, depending on
your distribution, package version etc. This is a known bug. Despite being
very well aware that this line is required, I somehow missed it on this
server.
To compound the problem, I failed to test that fail2ban was actually banning.
So a few suggestions:
Install logwatch and ensure the emails generated by it are getting through to
you. If it hadn't been for logwatch working correctly, I would have been
oblivious to the fact that fail2ban was not working.
Install fail2ban, but make sure you have "backend = polling" in your config.
Run sshd on a non-standard port, but don't forget to update the port in
fail2ban as well.
And don't forget to test that fail2ban is actually banning!
Let the mocking commence :)
--
Chris Roberts
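Two of the mistakes in the post above (no "backend = polling", and an sshd port that fail2ban was not told about) can be caught before relying on the daemon. As an added example (not the poster's code), this checks a jail.local against sshd_config; it assumes the SSH jail is named "ssh" (older Debian packages) or "sshd" (newer ones), and the sample configs are constructed.

```python
"""fail2ban jail.local vs sshd_config consistency check (added example, not the
poster's code). Assumes the SSH jail is named "ssh" (older Debian) or "sshd"
(newer); the sample configs at the bottom are constructed, not the poster's."""
import configparser
import re

def sshd_ports(sshd_config_text):
    """Ports sshd listens on according to sshd_config (22 if no Port line)."""
    ports = {int(m.group(1)) for m in
             re.finditer(r"^\s*Port\s+(\d+)", sshd_config_text, re.M | re.I)}
    return ports or {22}

def jail_ports(port_value):
    """Expand a fail2ban 'port' value ("ssh", "2222", "ssh,2222") to a set."""
    ports = set()
    for item in port_value.split(","):
        item = item.strip()
        ports.add(int(item) if item.isdigit() else (22 if item == "ssh" else item))
    return ports

def check_fail2ban(jail_local_text, sshd_config_text):
    """Return a list of findings; an empty list means the config is consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_local_text)
    findings = []
    # The line the post says is missing on some distributions/package versions.
    if cp.get("DEFAULT", "backend", fallback="").strip() != "polling":
        findings.append("backend = polling missing from [DEFAULT]")
    jail = next((j for j in ("sshd", "ssh") if cp.has_section(j)), None)
    if jail is None:
        findings.append("no [ssh] or [sshd] jail section")
        return findings
    if not cp.getboolean(jail, "enabled", fallback=False):
        findings.append("[%s] jail is not enabled" % jail)
    # A non-standard sshd port must also be the port fail2ban blocks.
    expected = sshd_ports(sshd_config_text)
    configured = jail_ports(cp.get(jail, "port", fallback="ssh"))
    if not expected <= configured:
        findings.append("[%s] port=%s does not cover sshd port(s) %s"
                        % (jail, sorted(map(str, configured)), sorted(expected)))
    return findings

# Constructed sample: sshd moved to 2222, jail left on the default, no backend set.
SAMPLE_SSHD_CONFIG = "Port 2222\nPermitRootLogin no\n"
SAMPLE_JAIL_LOCAL = "[DEFAULT]\nbantime = 600\n\n[ssh]\nenabled = true\nport = ssh\n"
FIXED_JAIL_LOCAL = "[DEFAULT]\nbackend = polling\n\n[ssh]\nenabled = true\nport = 2222\n"
```

Run check_fail2ban() on the contents of the real /etc/fail2ban/jail.local and /etc/ssh/sshd_config; it only checks the files, so the post's last suggestion (confirm a ban actually happens) still applies.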
Hello,
As is now customary, we should do some Christmas drinks in London in
December. If you'd be up for that please help pick a date:
http://doodle.com/exakuhgyagsmys6v
Everyone welcome, partners too.
I'll give it about a week and then will book a table somewhere.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Dear All
I very much appreciated meeting some folks of the bitfolk community. Andy,
thank you very much for the initiative!
Regards
Sam
--
Samuel Bächler
Obere Bläsistrasse 1
8049 Zürich
Web: boeser.ch
Tel: +41(0)43 817 46 28
Mob: +41(0)79 478 49 42
Hello,
From time to time BitFolk customer VPSes occasionally become subject
to various kinds of compromise. Frustratingly, the kinds of
compromise encountered are generally the result of run of the mill,
completely preventable and unremarkable root causes.
I would like to find a way to raise awareness of these very simple
security concerns amongst the customer base, in order to hopefully
cut down on how often they happen.
I was thinking that if customers saw how often these things happen
to people very much like themselves then it might help remove some
of the "yeah I've heard of that but it will never happen to me"
mindset that we all regrettably can fall into.
So I was contemplating posting an email thread to this ("users")
list every time we become aware of a customer compromise, and I was
wondering what you thought of that idea.
It might look something like this:
Today at around 04:30 we became aware of a customer VPS
initiating an abnormal amount of outbound SSH connections (~200
per second). The VPS's network access was suspended and customer
contacted.
It was later determined that a user account on the VPS had been
accessed starting 3 days ago, via an SSH dictionary attack. The
attacker installed another copy of the SSH dictionary attack
software and set it going. We do not believe that root access
was obtained.
The amount of detail would vary because we may only become aware of
a compromise when the customer's VPS itself starts perpetrating
abusive activity, and then we rely on the customer to investigate
why that is.
If the customer is unable/unwilling to do this then we may never
know why their VPS began misbehaving. We don't examine customer data
unless given permission to do so, and even then this is often too
time-consuming to undertake on an unpaid basis. I would consider the
above an example of the maximum amount of detail we would go into.
No identifying information regarding the affected customer would be
shared. We already share non-identifying information similar to the
above to peers within the industry to aid deterrence and detection
of future abuses.
Would this sort of posting be welcomed or would it be unwelcome
noise? If the consensus is that it would be unwelcome noise then I
may create a new list specifically for it, but I would rather not do
so as then that is just another list that we have to raise awareness
of.
Please also note that those with an extremely low tolerance for
email noise may wish to quit this list and instead join the
"announce" list, as it contains only announcements from BitFolk with
no customer discussion whatsoever:
https://lists.bitfolk.com/mailman/listinfo/announce
http://lists.bitfolk.com/lurker/list/announce.html
(just 19 threads this year)
Thoughts?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Earlier in the week we were notified that a customer VPS was hosting
a web site pretending to belong to a major high street bank.
Upon investigation it seems that the TinyPortal mod for Simple
Machines Forum (SMF) was exploited in order to upload several HTML
documents into the /tp-images/File/ area.
Cheers,
Andy
About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings
--
http://bitfolk.com/ -- No-nonsense VPS hosting