Apache HTTPD: How To Turn Off Index Listing in Directory & Sub-Directories; Protect WordPress wp-content
April 13th, 2008 by Angsuman Chakraborty
In the Apache HTTPD server, when a directory has no index or default page, a visitor may be served a full list of the files in that directory. This can pose a serious security risk. It also exposes your files to the world at large, allowing them to be indexed by search engines, which at the very least poses a privacy risk. There are well-known Google hacks that exploit this feature. To stop default directory listing, add this to the .htaccess file.
Tags: Computer Security, Headline News, How To, Pro Blogging, Web, Web 2.0, Web Services, WordPress
DansGuardian Configure Error Fix - configure: error: pcre-config not found!
April 5th, 2008 by Angsuman Chakraborty
On running ./configure in dansguardian (web content filter for Linux), I got the following error - configure: error: pcre-config not found! configure: WARNING: Cache variable ac_cv_prog_PCRE contains a newline.. The solution, as usual, is simple:
Tags: Computer Security, Fedora 7, Fedora Core 6, Firewall, Headline News, How To, Linux, Web
WordPress 2.5 Released: Will WordPress 2.5 Be The First Problem Free Major Version? … Maybe Not
March 29th, 2008 by Angsuman Chakraborty
Every major and minor version of WordPress (1.5, 2.0, 2.1…) comes with teething problems which are then fixed in patch releases. Will the WordPress 2.5 release finally break the curse? Maybe not…
Tags: Computer Security, Headline News, Open Source Software, Pro Blogging, Web, Web 2.0, WordPress
PHP Security through Suhosin or Hardening Patch
March 3rd, 2008 by Angsuman Chakraborty
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities; the second part is a powerful PHP extension that implements all the other protections.
Tags: Computer Security, Open Source Software, PHP, Programming, Web, Web Services
Understanding Intrusion Detection System - Samhain
January 10th, 2008 by Angsuman Chakraborty
You never worry about your site security until after your site has been hacked for the first time. It is always a moment of truth when you first realize how vulnerable you (your site and your data) truly are. You probably have dozens of scripts running on your server, ranging from weblog software and comment forms to a CMS like Mambo or Joomla, not to mention your home-grown scripts. Have you ever had them audited? Do you always update them whenever a new release is available? Do you run all your applications and scripts in a chroot jail? Do you regularly check for rootkits? The answer to most of the above is probably no. The truth is that any of them can lead to your site and data being compromised. In this context an intrusion detection system can provide you with an early warning when something goes wrong, so you can fight it. Let’s look at Samhain, a popular intrusion detection system.
Tags: Computer Security, Enterprise Software, Headline News, Linux, Open Source Software, Web, Web Services
Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking
December 25th, 2007 by Angsuman Chakraborty
This WordPress blog was hacked for a few hours on 24th December (nice Christmas present!) from Russia. The hacker exploited several WordPress vulnerabilities in administrative scripts to gain full access to the website (as permitted to the apache user), including the ability to upload and run scripts, delete any file owned by the apache user, view files and directories, etc. This is a full disclosure of how the site was hacked and how I detected and removed the hack, along with a few comments on the state of WordPress security. I added a WordPress plugin and made modifications to prevent any such hacking attempts through WordPress in the future. This is a must read for WordPress bloggers.
Tags: CMS Software, Computer Security, Enterprise Software, Headline News, How To, Linux, Open Source Software, PHP, Programming, Web, Web 2.0, WordPress, WordPress Plugin, WordPress Theme
How To Forward Local Host & Port via SSH Client To Remote SSH Server
December 21st, 2007 by Angsuman Chakraborty
SSH is aptly termed the poor man’s VPN. You can use it to forward a local host name and port to a remote server running an ssh daemon. You can also use it to forward a remote server’s port to a local host and port.
Tags: Computer Security, Enterprise Software, Firewall, Headline News, How To, Linux, Open Source Software, Tech Note, Web
How To Protect Linux Server From Stolen Zombie Netblocks & 100% Professional Spammer Controlled Netblocks
December 3rd, 2007 by Angsuman Chakraborty
DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list from Spamhaus, consisting of stolen ‘zombie’ netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny subset of the SBL advisory designed for use by firewalls and routing equipment. It can also be implemented in iptables rules as explained below.
Tags: Computer Security, Fedora 7, Fedora Core 6, Firewall, Headline News, How To, Linux, Linux Migration, Open Source Software, Web, Web Hosting
6 Simple & Safe Postfix Changes for Over 95% Spam Reduction
November 18th, 2007 by Angsuman Chakraborty
I used to receive around 5,000-7,000 spams daily at the angsuman [at] taragana [dot] com email address, which is publicly available on the internet. It was consuming too many productive hours daily to fight spam. I decided to fight back. To reduce the spam I first made changes to my postfix configuration with the aim of stopping most spam upfront. With 6 simple changes to my postfix configuration my spam dropped from 5,000-7,000 to a manageable 5-20 spams daily, often less. Let’s look at these 6 simple postfix changes in detail to drastically reduce your spam count too. I am consistently getting over 99% spam reduction after implementing these changes.
The changes proved to be safe and without false positives. In several weeks of manually browsing through the log file, I couldn’t spot a single false positive (a case where legitimate mail is rejected).
Note: These changes do not involve (nor do they conflict with) SpamAssassin or ClamAV, which I might add later.
Tags: Computer Security, Headline News, How To, Linux, Open Source Software, Postfix, Protocol, SMTP, Spam Watch, Web, Web Hosting
OpenSSL: How To Create Self-Signed Certificate
November 9th, 2007 by Angsuman Chakraborty
OpenSSL is a free, popular, robust, high-quality, open source (Apache License) toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. It is available on multiple platforms (Linux, BSD and Windows). In short, this means you can use OpenSSL to easily create a certificate signing request (.csr file) for your server in order to request a certificate from a certification authority such as Verisign or Thawte. You can also use OpenSSL to create a self-signed certificate for use on your Apache web server, Dovecot and other SSL-enabled services. Let’s look at how we can easily create a CSR using OpenSSL, and also how we can create a self-signed certificate using OpenSSL.
Tags: Computer Security, Headline News, How To, Linux, Linux Migration, Open Source Software, Tech Note, Web, Web Hosting, Web Services