Phish-safe Firefox

Phishing is serious business, so a while back I looked around for safeguards to assist me while browsing.

In computing, phishing is a criminal activity using social engineering techniques.[1] Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out using email or an instant message,[2] and often directs users to give details at a website, although phone contact has been used as well.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

And ta-da, I found McAfee SiteAdvisor. Their site states:

We test the Web to help keep you safe from spyware, spam, viruses and online scams.

I’ve been using the Firefox plugin for about a year and so far it works pretty well. When you search with Google, Yahoo! or MSN, SiteAdvisor’s safety ratings appear next to the search results. Also, as you browse the web, a small button on your browser toolbar changes color based on SiteAdvisor’s safety rating for the site you’re on.

Take it easy! ;0)

Yoggie, a miniature security firewall appliance solution

A friend and coworker of mine, Arthur Freyman, told me about a miniature device that provides all the security you’ll ever need out-of-the-box. It’s called Yoggie.

Reading through the specs and the services it provides, it looks pretty good so far – and, not surprisingly, it runs Linux under the covers.

Just think how cool it would be to take this device/gadget along with you when you’re on a road trip or working/surfing at a Starbucks…I think it’s an excellent idea and product from a bird’s eye view. Unfortunately, neither of us has tried it yet, but one of us will soon.

Here’s a screenshot of the architecture.

If you have one, let me know, and watch out for a future blog post on this in the not so distant future. =0)

Password-Protecting your pages with .htaccess

If you develop websites or administer them, you’ve probably been asked or required to password-protect parts of a website.

So, to help you out, here’s a quick how-to in Apache using .htaccess:

  1. Open a terminal window and navigate to the folder holding the page(s) you’d like to password-protect.
  2. Once there, type the following: htpasswd -c .htpasswd username.  BTW, you can give .htpasswd another name (something that is hard to guess is preferable).  Note that -c creates a new file, so leave it off when adding further users to an existing one.
  3. Enter the password you’d like to associate with the username (from above).  This creates the user entry with a hashed password.
  4. Next, create the .htaccess file by typing: vi .htaccess, and add the following to it:

To protect a folder

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Your Secret Folder"
Require valid-user

To protect a page

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "Your Secret Page"
<Files "yourpage.html">
  Require valid-user
</Files>

Note: You can use a different name for .htpasswd so it’s harder for an attacker to guess. (The quotes in the AuthName and Files lines must be plain ASCII quotes; curly quotes pasted from a word processor will break the config.)

  5. Type :wq! to save and exit.

  6. For better security, perform a chmod on .htaccess, like so: chmod 644 .htaccess.

As you can see, the steps above are pretty straightforward.  Also as an FYI, Apache’s default configuration blocks any request for a file whose name starts with “.ht”, which is why the browser can’t fetch .htpasswd or .htaccess directly.

That’s basically it, I hope this post helps you out.  =0)
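An added helper for the steps above (example code, not from the original post): it prints the .htaccess body with plain ASCII quotes and checks two things that commonly leave a "protected" page wide open. The paths and the function names are placeholders of mine.

```shell
#!/bin/sh
# Added example, not from the original post: generate the .htaccess shown
# above with plain ASCII quotes and check two things that commonly leave a
# "protected" page wide open. All paths used here are placeholders.

# Print an .htaccess body. With no page argument the whole folder is
# protected; with one, only that file is (the <Files> form above).
make_htaccess() {
    passwd_file="$1"   # absolute path of the htpasswd file
    realm="$2"         # text shown in the browser's login prompt
    page="$3"          # optional: protect only this file
    printf 'AuthUserFile %s\nAuthType Basic\nAuthName "%s"\n' "$passwd_file" "$realm"
    if [ -n "$page" ]; then
        printf '<Files "%s">\n  Require valid-user\n</Files>\n' "$page"
    else
        printf 'Require valid-user\n'
    fi
}

# Succeed only if the password file is NOT inside DocumentRoot.
# Apache's ".ht*" block does not cover a file you renamed (step 2), so the
# safe place for it is outside the web tree regardless of its name.
passwd_outside_docroot() {
    passwd_file="$1"; docroot="$2"
    case "$passwd_file" in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Succeed if the httpd.conf text on stdin enables AuthConfig (or All)
# overrides for the directory; with AllowOverride None, Apache never reads
# the .htaccess and serves the page unprotected. Commented-out lines do not
# count because of the ^ anchor.
# Usage: allow_override_ok < /etc/httpd/conf/httpd.conf
allow_override_ok() {
    grep -Eq '^[[:space:]]*AllowOverride[[:space:]]+.*(AuthConfig|All)([[:space:]]|$)'
}

# Typical use (placeholder paths):
#   make_htaccess /etc/httpd/private/users "Your Secret Page" yourpage.html > .htaccess
#   passwd_outside_docroot /etc/httpd/private/users /var/www/html && echo "ok"
```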

iptables script

I’ve been running Fedora Core 1 for about, hmm…5 years(?) on my little ‘ole work-horse server, but this reliable/stable OS has started showing its age.  Repository issues, keeping software and everything else up-to-date.  Ugh.  =0( 

I was initially sold on installing RHEL ES 4 (I had the disks already), but my server had problems with the “transferring image to install…” phase.  So, I took it as a sign to stick with Fedora, which I was happy about since I’m used to it.  More importantly, however, it was an opportunity to try out the new Fedora Core release.

So with tools in hand, I backed up all my scripts and website files and installed Fedora Core 6 last night.  It took about 4 hours to install and configure – in fact, I started a “how-to” on my wiki, just in case I have to do it all over again.

OK, so enough of the rambling.  This post is, after all, about iptables (hats off to the netfilter.org guys/gals and thanks to Dan Farino for helping out with this).  BTW, I had to disable Fedora’s own firewall setup to get full control over the rules.

Steps to take:

  1. Open up a terminal
  2. cd /usr/local/src
  3. mkdir iptables
  4. vi iptables
  5. Copy and paste the script below
  6. chmod 777 scriptname
  7. ./scriptname

Verify no errors occurred, then once done, type the following:

tail -f /var/log/messages

From this point, watch for some interesting stuff.  =0)

Simple enough, huh?  Hopefully, you can make use of this script to build your personal *nix firewall.  Take care.

Make sure /proc/sys/net/ipv4/ip_forward is ‘1’ and both the ip_conntrack_ftp and ip_nat_ftp modules are loaded (use modprobe modulename).

#!/bin/bash
#————————————————-#

# flush and delete chains
iptables -F
iptables -X
iptables -t nat -F

# default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT

# new user-defined chains
# (syn-flood and log-input-accept are created here but nothing below jumps
# to them, so they have no effect until you reference them from a rule)
iptables -N tcp-state-flags
iptables -N fragments
iptables -N spoof
iptables -N syn-flood

iptables -N log-tcp-state
iptables -N log-drop-spoof

iptables -N log-input-accept

iptables -N log-input-drop
iptables -N log-fwd-drop

#————————————————-#

# input rules
# eth0 = outside, eth1 = inside; "-i ! eth0" is the old-style negation the
# iptables shipped with FC6 accepts (newer releases want "! -i eth0")
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ! eth0 -j ACCEPT
iptables -A INPUT -p tcp -j tcp-state-flags
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -f -j fragments
iptables -A INPUT -m state --state NEW -j spoof
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -j log-input-drop

# forward rules
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j log-fwd-drop

# output rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP

#————————————————-#

# tcp-state-flags rules: flag combinations no legitimate stack sends
iptables -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state
iptables -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state

# fragments rules
iptables -A fragments -f -j LOG --log-level info --log-prefix "___ipt:fragment___: "
iptables -A fragments -f -j DROP

# spoof rules: private, reserved and multicast sources must not arrive from outside
iptables -A spoof -s 127.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 10.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 255.255.255.255 -j log-drop-spoof
iptables -A spoof -s 0.0.0.0/8 -j log-drop-spoof
iptables -A spoof -s 169.254.0.0/16 -j log-drop-spoof
iptables -A spoof -s 172.16.0.0/12 -j log-drop-spoof
iptables -A spoof -s 192.0.2.0/24 -j log-drop-spoof
iptables -A spoof -s 192.168.0.0/16 -j log-drop-spoof
iptables -A spoof -s 224.0.0.0/4 -j log-drop-spoof
iptables -A spoof -s 248.0.0.0/5 -j log-drop-spoof
iptables -A spoof -s 240.0.0.0/5 -j log-drop-spoof

# syn-flood rules
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-level info --log-prefix "___ipt-fw:syn-flood___: "
iptables -A syn-flood -j DROP

# log-tcp-state rules
iptables -A log-tcp-state -j LOG --log-level info --log-prefix "___ipt:invalid-tcp-flag___: "
iptables -A log-tcp-state -j DROP

# log-drop-spoof rules
iptables -A log-drop-spoof -j LOG --log-level info --log-prefix "___ipt:spoof,mcast___: "
iptables -A log-drop-spoof -j DROP

# log-input-accept rules
iptables -A log-input-accept -j LOG --log-level info --log-prefix "___ipt:input-accept___: "
iptables -A log-input-accept -j ACCEPT

# log-input-drop
iptables -A log-input-drop -j LOG --log-level info --log-prefix "___ipt:input-drop___: "
iptables -A log-input-drop -j DROP

# log-fwd-drop
iptables -A log-fwd-drop -j LOG --log-level info --log-prefix "___ipt:fwd-drop___: "
iptables -A log-fwd-drop -j DROP

#————————————————-#

# postrouting: masquerade the inside network behind eth0's address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#————————————————-#

# activate rules: print the ruleset, persist it, and reload the service
iptables-save
iptables-save > /etc/sysconfig/iptables
service iptables restart

#————————————————-#
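To make sense of the “interesting stuff” that the LOG rules above write to /var/log/messages, here is an added helper (example code, not from the original post) that groups those lines by log prefix, source address and destination port. The sample log lines are constructed to match the script’s prefixes; the addresses are from the documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise what the script's
# LOG rules wrote to /var/log/messages. SAMPLE_LOG is constructed test data
# in the kernel LOG format; the addresses are documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
Jan 10 03:14:07 server kernel: ___ipt:input-drop___: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=44321 DPT=22 SYN
Jan 10 03:14:09 server kernel: ___ipt:input-drop___: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=44322 DPT=22 SYN
Jan 10 03:14:12 server kernel: ___ipt:input-drop___: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=44323 DPT=22 SYN
Jan 10 03:15:00 server crond[2211]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 03:15:31 server kernel: ___ipt:input-drop___: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TTL=114 PROTO=TCP SPT=1092 DPT=3389 SYN
Jan 10 03:16:02 server kernel: ___ipt:invalid-tcp-flag___: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=40 TTL=49 PROTO=TCP SPT=61000 DPT=80 FIN
Jan 10 03:16:40 server kernel: ___ipt:spoof,mcast___: IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.2 LEN=60 TTL=60 PROTO=TCP SPT=5555 DPT=80 SYN
EOF
)

# Read log lines on stdin; print "count prefix src dpt", most frequent first.
# Lines without one of the script's ___ipt...___: prefixes are ignored.
summarize_ipt_log() {
    awk '
    /___ipt[^ ]*___:/ {
        prefix = "?"; src = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^___ipt/)    prefix = $i
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        count[prefix " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Number of lines on stdin carrying a given prefix, e.g. ___ipt:spoof,mcast___:
# (a sudden rise in spoof or invalid-flag hits is worth a closer look).
count_prefix() {
    awk -v p="$1" 'index($0, p) { n++ } END { print n + 0 }'
}

# Typical use on the live log:
#   summarize_ipt_log < /var/log/messages | head
#   count_prefix '___ipt:spoof,mcast___:' < /var/log/messages
```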