Webservers can benefit from using RBLs/blacklists that include lists of machines which have been broken into and are being used by attackers as a mid point to hide their tracks. This helps you to cut down on the attacks on your systems. Setting up apache to block these hosts is a fairly simple process, that involves replacing the mod_access module on your system with a patched version that understands how to do this. With Apache 1.x, this is accomplished by replacing mod_access with mod_access_rbl. mod_access_rbl, at present, only works with apache 1.3, so to get it to work with Apache 2.x you need to patch mod_accesss, using a small and easy to install patch.

How to use RBL's to protect Apache 2.x

1. Make a copy of your current mod_access.so file. If you don't know where it is, try running this command on your system:

locate mod_access.so

cp /location/of/mod_access.so /some/safe/place

2. Download the patch for mod_access.

3. Locate your copy of the Apache source tree for your OS or distribution , or get a copy of the apache source for your system. Make sure you get the right version for your OS or distribution, and that you install any OS/distribution specific patches. You don't want to miss anything important in your mod_access module. We're going to replace your old one completely. Also, if you are using Apache 1.3, do not use this patch. Its for Apache 2.x.

4. Once you have found or installed the apache source for your system, you need to patch one file: mod_access.c. It is generally found in this directory:

httpd-2.x.x/modules/aaa

Once you have found mod_access.c, you will want to run this command to patch it:

cat /patch/to/mod_access_rbl.diff | patch -p1

5. Once it is patched, you can compile and install the patched mod_access.

cd httpd-2.x.x/modules/aaa

apxs -i -a -c mod_access.c

6. That command should also install the new mod_access into your running apache process. At this point, you will want to restart apache to make sure the new module works as the old one did, so carry out some testing to make sure all the old functionality is still working properly.

/etc/init.d/httpd restart

Or whatever command you need to use to restart apache.

7. If all the old functionality is still working properly, you can then add in the new functionality afforded by the patch. To start blocking blackholed sites, you can take one of two approaches.

To protect all the sites on your server add this to your httpd.conf file. Remember, this will apply the blocking to every web directory and website on your server:

 \<Limit GET POST OPTIONS PROPFIND>
 order allow,deny
 allow from all
 deny via xbl.spamhaus.org
 \</Limit>

If you add this to your httpd.conf, you will need to restart apache again.

The other way is to limit the blocking to specific virtual servers and/or web directories. This also lets you define different RBLs for each resource, file, web directory and/or virtual server you want to protect. To take this granual approach, you simply use .htaccess files. Just add or modify a .htaccess file in the web directory you wish to protect, and then put this at the top of the file:

 <Limit GET POST OPTIONS PROPFIND>
 order allow,deny
 allow from all
 deny via xbl.spamhaus.org
 </Limit>

In both of these examples "xbl.spamhaus.org" is the RBL we are using, but you can choose to use any RBL you like in the "deny via" command. Keep in mind, this will only deny connections for those methods (GET, POST, OPTIONS and PROPFIND) defined in the <limit> directive. If you want to block other methods, then you will need to add them. Since those other methods are largely used by things like DAV, if you don't use DAV, then you can just deny all other methods except for GET, POST, OPTIONS and PROPFIND by adding this to either your httpd.conf or your .htaccess file:

 <LimitExcept GET POST OPTIONS PROPFIND>
 Order deny,allow
 Deny from all
</LimitExcept>

mod_access, when configured in this manner, will look up all incoming connections against the RBL you have defined (again, in this example, we used spamhaus.org's Exploit Block List (cache) ). Keep in mind, that this process will introduce a small delay on all incoming connections and that mod_access will not cache these lookups. You can minimize this non-caching behavior by running a local DNS server to cache the connections on the server you intend to implement this on. Make sure you also configure the system apache is running on to use the local DNS running on that same machine. You might get a little boost by pointing to a DNS running on another server on the same LAN, but you'll get the best performance if your DNS server is running on localhost (127.0.0.1).

Privoxy

(Works with Windows, Linux, BSD, MacOS and other OSes)

Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page content, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs and tastes. Privoxy has application for both stand-alone systems and multi-user networks.

Privoxy is based on Internet Junkbuster (tm).

http://www.privoxy.com

Bugnosis

(Only works with Windows)

"Bugnosis is a Web bug detector. As you surf the Web, it analyzes every page you visit and alerts you when it finds any Web bugs. With Bugnosis, you don’t have to be a code expert to tell when your browsing habits are being observed."

http://www.bugnosis.org/ (cache) (Works only with Internet Explorer)

TOR

(Works with Windows, Linux, BSD, MacOS and other OSes)

"Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and more. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

"Your traffic is safer when you use Tor, because communications are bounced around a distributed network of servers, called onion routers. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several servers that cover your tracks so no observer at any single point can tell where the data came from or where it's going. This makes it hard for recipients, observers, and even the onion routers themselves to figure out who and where you are. Tor's technology aims to provide Internet users with protection against "traffic analysis," a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security."

http://tor.eff.org/ (cache)

Adblock

(All platforms that can run Mozilla or Firefox)

"Adblock is a content filtering plug-in for the Mozilla and Firebird browsers. It is both more robust and more precise than the built-in image blocker. Adblock allows the user to specify filters, which remove unwanted content based on the source-address. If this sounds complicated, don't worry: it's not. Just add a few filters. Every time a webpage loads, Adblock will intercept and disable the elements matching your filters. See?- nothing to it."

http://adblock.mozdev.org/ (cache)

1) Create phishing emails, 2) Send them to all your network users, 3) Fire anyone who falls for them.

That's it. Period. If you have users who are dumb enough to post their bank login information, then there's no way you can secure your network with them on it. So get rid of them.

They said it couldnt be done. They said it was impossible.

They were wrong.

What they said was: It is (almost) impossible to successfully compile a working funge source.

Chris Pressey, the author of befunge93, wrote a program called bef2c, which would take a befunge source file and translate it into another C file to be compiled. The c source was a complete mapping of the 2d funge space, complete with goto links to every neighboring instruction, so the program would function just like a befunge93 application. To date this is the only attempt I've seen of a 'true' b93 compiler. Another user did similar, but the result was an interpreter, not a compiled b93 app. There were 3 very large limits to Chris Pressey's implementation though:

1) the stringmode operator ( " ) was not supported

2) the modify operator ( p ) was not supported

3) the result was very large. For every b93 instruction, 4 copies were made. Each had its own label and goto link, with code to execute the instruction, each for one direction.

example: the 0 opcode pushes a 0 into the b93 stack. The above compiler would generate:

_op_0_0_left:    push(0); goto _op_79_0_left;
_op_0_0_right:  push(0); goto _op_1_0_right;
_op_0_0_up:     push(0); goto _op_0_24_up;
_op_0_0_down: push(0); goto _op_0_1_down;

repeat for the other 1999 entries in a b93 app (its an 80x25 screen of code) The reason the same code is repeated 4 times is so when the IP (instruction pointer) changes direction, all that was needed to do was jump to the correct direction label for the next instruction and the app would follow that chain of code, going in the new direction. Now you probably have an idea how hard it would be to support stringmode/modify operations, it would be extremely difficult to modify all 4 instances of that code or inject logic to process stringmode.

I've written a compiler that does most of the above. But it supports string mode AND modify operations, and takes no where near as much room as the above compiled source does. And it is extremely fast. Somewhere in the range of over 20 million b93 instructions per second on a p3 1ghz. While not staggeriing, it is a large improvement over the classic loop with opcode switch statement for a b93 interpreter.

The trick to my version is with the following (break out your x86 assembler manuals):

opXY:            call [opXhandler]
opXYJumps:   dd leftop
                    dd rightop
                    dd upOp
                    dd downOp
                    dd opValue

There are 2000 of these structures, each initialized so the opXYJumps values are set set to the neighboring 4 cells around it. This includes wraparound on the borders of the 80x25 page, so ip movement tracking is elimiated.

opXhandler is the pointer to the handler for a b93 opcode. When the compiler starts, it initializes that address to a default opcode handler, which does nothing but advance to the next opcode. When the compiler loads a b93 source, it replaces the correct locations with the proper handlers for each b93 opcode loaded. When done, the compiler jumps into the compiled array. Whenever a stringmode (") op is encountered, the app switches to a loop that will trace thru the array, pushing opValue onto the b93 stack until the next (") is found, where it will resume normal execution. When a modify (p) instruction is found, it will replace the call address of opXhandler with the new opcode's instruction handler, and load the opValue into the correct cell, therefore maintaining the self-modying nature of b93.

The source will be available soon, as right now it is in pure x86 win32 assembler. Im working on a c equivalent that will dump a binary to run directly on the system, the current version compiles the b93 app in memory and executes it.

Click Permalink to read on for more.

1. Dump Internet Explorer and start using Mozilla or Firefox

2. Install anti-spyware tools

3. Install and run anti-virus

4. Keep your system patched!

5. If your browser asks you a question, take the time to read it, don't just click "Yes".

6. Don't install "search helpbar" tools, except from trusted sources

7. Configure Mozilla or Firefox to block pop-ups

8. If you install software, only use products that do not include spyware

9. Don't log into or use an administrator account

2. Patch your systems!

3. Pick strong passwords or use a two-factor system like SecurID

4. Remove all unused and default accounts

5. Turn off all the services you can not PROVE that you need

6. Install "personal" firewalls on all your desktops and servers, and only allow in services you can PROVE you need to allow in

7. On Windows computers, install anti-virus and anti-spyware

8. Ditch IE, use a browser that is not so closely integrated with your OS, such as Mozilla (cache), Firefox (cache), Opera and others.

9. Configure your e-mail client to not display images, ActiveX or javascript

...break...

Our tests included Windows XP, Windows 2000, Redhat 9 with 2.4 kernels, Redhat 9 with 2.6 kernels and FC 2. In all of the cases, except for a few laptops running Redhat 9 with 2.4 kernels, we experienced no problems with the cards or the service. On some of our test laptops, the USB subsystem in the 2.4 kernels would cause a kernel panic, in an annoyingly random manner, and crash the entire box. So, we upgraded the Redhat 9 machines to a 2.6 kernel, and all was well.

As an aside, setting these cards up on Windows is a breeze, just pop in the CD, click next, next, next and you're done. For Linux, its a little more work. The most important step is that to activate the card you will have to first pop it into a Windows box running the Verizon software, after that, you only need Windows occasionally to install new firmware updates to the card. As for configuring it under Linux, there is an excellent doc by Phil Karn at this URL that explains it all in easy to follow instructions:

http://www.ka9q.net/5220.html

As for the service, when you can get a good signal its proved to be suprisingly resiliant in the few areas we've tried out in: Washington DC and New York City. Unfortunately, the high speed broad band service is not available everywhere in the U.S., but Verizon is adding more cities every month, so check with them to see if your city is covered. Should you be in an area where the high speed service is not available, the card will simply fall back to the RTT network. Its better than nothing, if you can't find a hotspot, but the RTT service is painfully slow compared to its higher speed cousin, and woefully inadequate if you're used to WiFi?.

All in all, I can't say enough positive things about this service. The bandwidth is pretty good, considering that you don't need to find a hotspot, and it even works in most of the office buildings that we have tested it in. There are also third party add on antennas that reportedly extend the range of the transceiver and some contend that these antennas will also help you to realize faster speeds on the network, but I can't confirm that. We've just recently gotten our hands on a few of these antennas from a Verizon Rep and are still testing them. At the very least, these antennas do help tremendously with the signal, so if you have weak signal problems get one of the external antennas.

You can find the antennas here:

http://evdo-coverage.com/

So, if you're looking for the ultimate in mobile high speed connectivity, we recommend the Verizon High Speed Wireless Broadband service. At $79.99 a month, the price may be a little steep for some, but if you're a really mobile user like me, its a small price to pay for nearly guaranteed high speed connectivity.

• ) DHCP snooping: the switch sees a DHCP lease and then locks that leased IP to the port that requested it.
• ) The new Cisco Security Agent prevents dumb users and dumb software from doing dumb things.
• ) NAC code is being integrated into anti-virus software (Trend, Symantec, McAfee) so that the anti-virus software can validate your virus signatures and OS patches to the network before you're allowed to talk. If you fail, you get thrown into network quarantine (perhaps you can connect to the Internet to get patches, perhaps you can get nowhere, it's the admins choice).
• ) Security zones: ACLs on all the switches so that if you 802.1x into the "web designer" group, you can only access systems in the "web designer" ACL group. All automated, all 802.1x.
• ) If you plug into a port, and you're not 802.1x authenticated, you get nowhere, or maybe you get dropped onto a "guest" network.

All of this integrates with the wireless network, too. Combine 802.1x with WPA and SecurID, and you'll sleep much better at night, instead of having nightmares about your wireless infrastructure.

I've seen one language in particular called BeFunge that gives a user a fixed size 2d programming environment, where every instruction is a single character and the instruction pointer (like the pc register in Intel cpus) can move around freely left, right, up or down. 3d adds another dimension to that and now you have 6 directions: down, left, right, forward and back.

What I'm getting at is, would a beast such as this be worthwhile? Currently I have a VM (virtual machine, like a java interpreter) in the works that does exactly this, with the hopes that it could possibly provide a way to write extremely dense code in 3 dimensions, using less space than a typical compiled binary would yet be just as good if not better. The only drawback is there is no way at the moment to write source in the ways we are used to, using a text editor or other tool to generate "source code" for the vm. All I have at the moment is equivalent to writing x86 machine code by hand in a hex editor. Granted this gaurantees that what you write is what you intended, but hex editing a large 64x64x64 cube of hex code is a bit of a task, even for me. I have a visual tool in the works as well, sort of a 3d hex editor, based on opengl and its almost there, but for this to really be useful, there has to be some way to type in semi-english looking code in a file and produce the same hex output the vm expects. Any ideas, thoughts, flames are welcome. Just be gentle =)

Phrase: How much wood would a woodchuck chuck if a woodchuck could chuck wood?

Password: Hmwwawciawccw?

See, it's simple. Just take the first letter of each word in the phrase, including capitalization and special characters, and turn it into your password. That's all there is too it. The strength of passwords like that are just as good as a random password of the same length. And it's easier to remember. Two caveats, though: 1) Make sure the resulting password is long; short passwords, no matter the phrase, are subject to attack with Rainbow tables and are effectively useless, and 2) for goodness sake don't use a common phrase, or my example, or any other example. Make the phrase something only you would know, and not anything common. Any questions?!

Yep, you heard right, BASH scripts. What you got here is a 100% shell based portknocking server and client, with neither directly exposed to the traffic coming into the box its protecting. This is a really handy feature, not being a service and not parsing packets directly, because that means we don't have to directly worry about our client and server handling them. You can find out more in the forums as well:

www.gotroot.com/tiki-view_forum.php?forumId=26

The client being written as a script means that we can use it on almost any OS, provided that we have sha1sum on the client and it can parse bash scripts.

The server and client are posted in the forums as attachments.

Basically, it works like this:

A -> NAT_A -> inet -> NAT_B -> B

A sends packets to NAT_B on some UDP port, preferably a high port so B can setup a listener with no priviliges on that high port, but it doesn't have to be, the port could be anything. Lets say port 10000.

NAT_B will drop those packets, because its not listening for anything on that port. Just let A happily hammer away on that port. Meanwhile, have B send packets to NAT_A with a source port of 10000. NAT_A will accept those packets in and send them on A, because its already waiting for packets on that port, meanwhile, NAT_B, seeing UDP packets go out on its port 10000 will now allow in that steady stream from A. NAT_B will then send the packets on to B, and bingo! We have a bi-directional tunnel thru two NAT firewalls, from two NATed hosts.

So, what we have now is A and B talking directly to one another, with two firewalls doing all the heavy lifting and getting the packets to each other. Since we're using UDP, we can route an protocol we want over UDP, such as IP, or TCP. UDP is the protocol of choice for this sort of tunneling as it won't choke or stall trying to do all that nifty traffic management tricks that TCP would - and TCP is a terrible protocol to build tunnels over. You can do it, but things can go horribly wrong (we'll cover that in another article).

So, what can you do now? Anything you like. Which is why you don't want to let UDP out of your network. Tis a frightfully easy protocol to open your network up with.