Lighttpd Traffic Shaping: Throttle Connections Per Single IP (Rate Limit)

Posted on in Categories Apache, CentOS, fedora linux, FreeBSD, Howto, Iptables, lighttpd, Linux, Networking, PF Firewall, RedHat/Fedora Linux, Security, Ubuntu Linux, UNIX last updated June 21, 2009

If you do not control or throttle end users, your server may run out of resources. Spammers, abuser and badly written bots can eat up all your bandwidth. A webserver must keep an eye on connections and limit connections per second. This is serving 101. The default is no limit. Lighttpd can limit the throughput for each single connection (per IP) or for all connections. You also need to a use firewall to limit connections per second. In this article I will cover firewall and lighttpd web server settings to throttle end users. The firewall settings can be applied to other web servers such as Apache / Nginx and IIS server behind PF / netfilter based firewall.

Slowloris DoS Tool: It Can Bring Down Apache 1.x/2.x

Posted on in Categories Apache, Networking, News, PF Firewall, RedHat/Fedora Linux, Security Alert, UNIX, Windows server last updated June 19, 2009

Apache Security Update – a flaw In Apache can be used to carry out DoS. Slowloris is a new Apache DoS tool which can use slow Internet links to bring down Apache servers, rather than flooding networks. Most D/DoS tool requires faster net connections but this tool works with minimal bandwidth. This tool can lead to a DoS attack on Apache 1.x, 2.x, dhttpd, GoAhead WebServer, and Squid, while MS IIS6.0, IIS7.0, and lighttpd are confirmed not vulnerable to this attack.

Linux x86_64: Detecting Hardware Errors

Posted on in Categories CentOS, Debian Linux, fedora linux, Gentoo Linux, Hardware, Howto, kernel, Linux, Linux distribution, Networking, package management, RedHat/Fedora Linux, Shell scripting, Sys admin, Tips, Troubleshooting, Ubuntu Linux last updated June 2, 2009

The Blue Screen of Death (BSoD) is used for the error screen displayed by Microsoft Windows, after encountering a critical system. Linux / UNIX like operating system may get a kernel panic. It is just like BSoD. The BSoD and a kernel panic generated using a Machine Check Exception (MCE). MCE is nothing but feature of AMD / Intel 64 bit systems which is used to detect an unrecoverable hardware problem.

Program such mcelog decodes machine check events (hardware errors) on x86-64 machines running a 64-bit Linux kernel. It should be run regularly as a cron job on any x86-64 Linux system. This is useful for predicting server hardware failure before actual server crash.

ss: Display Linux TCP / UDP Network and Socket Information

Posted on in Categories Debian Linux, Howto, Linux, Monitoring, Networking, RedHat/Fedora Linux, Sys admin, Tips, Troubleshooting, Ubuntu Linux last updated June 2, 2009

The ss command is used to show socket statistics. It can display stats for PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets, and more. It allows showing information similar to netstat command. It can display more TCP and state information than other tools. It is a new, incredibly useful and faster (as compare to netstat) tool for tracking TCP connections and sockets. SS can provide information about:

  • All TCP sockets.
  • All UDP sockets.
  • All established ssh / ftp / http / https connections.
  • All local processes connected to X server.
  • Filtering by state (such as connected, synchronized, SYN-RECV, SYN-SENT,TIME-WAIT), addresses and ports.
  • All the tcp sockets in state FIN-WAIT-1 and much more.

Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)

Posted on in Categories CentOS, Debian Linux, fedora linux, Gentoo Linux, GNU/Open source, Linux, Linux distribution, Networking, RedHat/Fedora Linux, Security, Slackware, Suse Linux, Ubuntu Linux last updated May 27, 2009

Linux kernel is the central component of Linux operating systems. It is responsible for managing the system’s resources, the communication between hardware and software and security. Kernel play a critical role in supporting security at higher levels. Unfortunately, stock kernel is not secured out of box. There are some important Linux kernel patches to secure your box. They differ significantly in how they are administered and how they integrate into the system. They also allow for easy control of access between processes and objects, processes and other processes, and objects and other objects. The following pros and cons list is based upon my personal experience.

Lighttpd Install mod_geoip For Country / City Level Geo Targeting

Posted on in Categories CentOS, Debian Linux, FreeBSD, Gentoo Linux, Howto, lighttpd, Linux, Networking, package management, RedHat/Fedora Linux, Suse Linux, Ubuntu Linux, UNIX last updated March 29, 2009

Geolocation software is used to get the geographic location of visitor using IP address. You can determine country, organization and guess visitors location. This is useful for:

a] Fraud detection.

b] Geo marketing and ad serving.

c] Target content.

d] Spam fighting.

e] And much more.

mod_geoip is a Lighttpd module for fast ip/location lookups. In this tutorial you will learn about mod_geoip installation and php server side examples to determine visitors country.

Security Through Obscurity: MAC Address Filtering ( Layer 2 Filtering )

Posted on in Categories data center, fedora linux, FreeBSD, Gentoo Linux, GNU/Open source, Hardware, Iptables, Linux, Networking, RedHat/Fedora Linux, Security, Ubuntu Linux, UNIX, Windows, windows vista, Wireless networking last updated February 17, 2009

MAC Filtering (layer 2 address filtering) refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. Iptables, pf, and IPFW can block a certain MAC address on a network, just like an IP. One can deny or allow from MAC address like 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure LAN or wireless network / devices. Is this technique effective?

FreeBSD 7.2RC Released

Posted on in Categories FreeBSD, Hardware, Howto, Networking, News last updated January 25, 2009

The second of two planned Release Candidates for the FreeBSD 7.2-RELEASE cycle is now available. ISO images for Tier-1 architectures are now available on most of the FreeBSD mirror sites.

The freebsd-update(8) utility supports binary upgrades of i386 and amd64
systems running earlier FreeBSD releases. Systems running 7.0-RELEASE,
7.1-RELEASE, 7.2-BETA1, or 7.2-RC1 can upgrade as follows:

# freebsd-update upgrade -r 7.2-RC2

During this process, FreeBSD Update may ask the user to help by merging
some configuration files or by confirming that the automatically performed
merging was done correctly.

# freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.
# shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new
userland components, and the system needs to be rebooted again:

# freebsd-update install
# shutdown -r now

Vsftpd FTP Server With Virtual Users ( Berkeley DB + PAM )

Posted on in Categories CentOS, FTP Server, Howto, Linux, Networking, package management, RedHat/Fedora Linux, Security last updated January 21, 2009

VSFTPD supports virtual users with PAM (pluggable authentication modules). A virtual user is a user login which does not exist as a real login on the system in /etc/passwd and /etc/shadow file. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server but cannot login to system to use other services such as ssh or smtp.

Vsftpd Set Download Only Anonymous Internet Server

Posted on in Categories CentOS, fedora linux, Howto, Iptables, Linux, Networking, PF Firewall, RedHat/Fedora Linux, Security last updated January 21, 2009

This example shows how you might set up a large internet facing FTP site for distributing file or software updates. The emphasis will be on security and performance. VSFTPD will make sure only world-readable files and directories are served to the world via anonymous / ftp account. You force to originates FTP port connections from a secure port – so users on the FTP server cannot try and fake file content. You will hide the FTP server user IDs and just display ftp in directory listings. This is also a performance boost. Set a 40000-60000 port range for passive connections. This will help firewall setup.