≡ Menu

Security

How To PFSense Configure Network Interface As A Bridge / Network Switch

I have Soekris single board communication embedded computers which is optimized for low power and network usage. The server has four Ethernet ports. I’ve installed PFSense firewall on it and configure WAN + LAN ports. How do I setup IPv4 software bridge using PFSense so that the rest of ports act as a network switch?
[click to continue…]

Sysadmin because even developers need heroes!!!

Linux: Hide Processes From Other Users

I run a multi-user system. Most users access resources using ssh client. How can I stop leaking process information to all users on Linux operating systems? How do I prevent users from seeing processes that do not belong to them on a Debian/Ubuntu/RHEL/CentOS Linux server?
[click to continue…]

Linux: Log Suspicious Martian Packets / Un-routable Source Addresses

I run a web-server and I would like to log packets with un-routable source addresses on Linux operating system. How can I log spoofed packets on Debian / Ubuntu / CentOS / RHEL / Linux based server? How can I log a Martian packet (packet from Mars) on Linux operating systems?
[click to continue…]

Increase NFS Client Mount Point Security For a Web-Server noexec, nosuid, nodev Options

I am using NFS server version 4.x on a CentOS/RHEL based system. I’m mounting my shared /var/www/ directory on five Apache based nodes using the following syntax:

mount -t nfs4 -o rw,intr,hard,proto=tcp rocknas02:/httproot/www /var/www/

I noticed that due to bug in my app user can sometime upload executable or other device files to get out of chrooted Apache server. How can I prevent such security issues on a CentOS or RHEL based NFS client and sever setup?
[click to continue…]

Nginx: Allow All But Block Certain POST Request URLS For Selected Spammer IP Address/CIDR

I am a small business and ecom site owner. I also run a WordPress based blog to connect with my customers. However, I get too much spam from certain IPs and net-blocks. How do I block access to certain url(s) such as example.com/blog/wp-comments-post.php for selected IP address and CIDRs? How do I allow everyone including IP address 1.2.3.4 to access my blog but block IP address 1.2.3.4 accessing only example.com/blog/wp-comments-post.php? How do I block POST requests for selected IPs/CIDR on nginx?
[click to continue…]

Ubuntu Linux: Turn On Exec-Shield Buffer Overflow Protection

I am trying to set exec-shield protection on Linux as described here but getting the following error on Ubuntu Linux server version 12.04 LTS:

sysctl -w kernel.exec-shield=1
error: “kernel.exec-shield” is an unknown key

How do I fix this problem and make sure exec-shield buffer overflow protection security feature turned on Ubuntu Linux?
[click to continue…]

Debian / Ubuntu: Set Port Knocking With Knockd and Iptables

My iptables based firewall allows only port TCP 80 and 443. I also need tcp port # 22, but I do not have static IP at my home. How do I open and close TCP port #22 on demand under Debian or Ubuntu Linux based server systems? How do I install a port-knock server called knockd and configure it with iptables to open tcp port #22 or any other ports?

[click to continue…]

Nginx: Block URL Access (wp-admin/wp-login.php) To All Except One IP Address

I am the small business owner and runs my own web-site. I have noticed increased cracking activity against by blog. What’s the best way to block WordPress URLs such as example.com/blog/wp-login.php and example.com/blog/wp-admin/ in the nginx web-server?
[click to continue…]

Linux: Turn On TCP SYN Cookie Protection

I am under DoS attack. My cloud based server hosting company asked me to enable TCP SYN cookie protection to save my domain from SYN Attack. How do I turn on TCP Syn cookie protection under Ubuntu or CentOS Linux based server?
[click to continue…]

Linux Iptables Setup Firewall For a Web Server

I have setup an Apache web server on CentOS Linux. How do I configure firewall to allow or block access? How do I setup firewall for a web server under RHEL or CentOS Linux v6.x?
[click to continue…]