Security :: Modsecurity - Switching From Logging To Denying
Apr 17, 2011
Just had ModSecurity with CRS installed for me on my hosted website, which I'm hardening after a recent hack. My site is a php-based user community with MySQL back end, so people register as members via php.
First, I'd like to properly log malicious activity. Then I'd like to deny access where an attack looks likely. Thing is, I'm not sure which /etc/apache2/modsecurity_crs modsecurity config files to tweak. Then I can't even see my login page because I'm forbidden from the .php file it loads. I'm guessing I need to change rules individually but I have no idea how or which to change to stop attacks. The CRS documentation is just a bit too heavy to give me the basics.
Aug 30, 2010
I tried updating my modsecurity core ruleset to the latest version 2.0.8 and something seems broken. I didn't change any of my configs, I just downloaded the latest ruleset archive and extracted it just like I always do. If I go back to the previous version I was using, 2.0.4, everything works fine. Has anyone else had problems with 2.0.8?
Oct 23, 2009
We use PAM to control access to our RHEL4 servers. We would like PAM to give a message, of our choice, when users who are not allowed to login try to login. PAM's default is to let the user try 3 times without any explanation.
Mar 21, 2011
I have both xmonad and Gnome installed and tend to switch between them quite often. Normally, I need to log out and log back in, which is starting to become annoying because I need to open any running applications again. I have tried using "Switch User", but it doesn't work. I go to the switching screen when I am logged into Gnome and log in again after selecting Xmonad, but it brings me back to my Gnome session.
So is there any way to log in as the same user with two different desktop environments at the same time?
Feb 28, 2010
I have an external USB drive that is NTFS. It mounts fine under my account and my wife's, but only if I fully shut-down the computer between switching. While switching users or logging out then in with a different account it will not mount the drive. I am not sure what to do... but we both access data from the same drive.
Oct 19, 2010
As part of a server hardening process I would like to know the best way of system logging and auditing. The following points should be taken into consideration:
Logging of critical events
Logging access to critical accounts
Secure storage and availability of logs
Review of logs
Security of logs
Apr 26, 2010
Where I work we have a LAN, it is almost 100% Windows machines except for 2 CentOS machines to which some clients connect via VPN. (very small network, <50 IPs used)
I would like to know if there is a way to block access from those machines to others in the network. I'm already logging traffic (with IPTraf) to see if they're accessing other machines in the network other than the ones they should connect to.
Mar 11, 2010
I've enabled the root account on Ubuntu 9.10, however I want to stop it from being used to login via GDM. 9.10 seems to have a different GDM version; how can I carry this out under 9.10?
Oct 8, 2010
A friend of mine has a private forum set up so he and I can communicate back and forth so we don't have to send emails. The link is a "https://" so I'm assuming it's secure. I'm a newbie to Ubuntu and I have already switched 3 of my computers at home to Ubuntu.
I'm using Ubuntu 10.04 and google chrome as my browser. When I log into his forum it pops up with a screen saying "The site's security certificate is not trusted" and I always click proceed anyways. I'm not worried about this because I'm 110% sure that it's his website that I'm trying to access. My question/problem is it also pops up with a little box telling me to enter my Username and Password every time. When I was using WindowsXP, I had to enter this info once and then I wouldn't have to enter it again.
Jul 19, 2010
Sitting at the console, I log in with any user name and NO PASSWORD IS REQUESTED. I get logged in automatically without entering the user's password.
I did:
passwd joeuser
To change his password and still he goes right in without being asked for a password!
Possibly related: 10 days ago, my smtp server was breached as a spam relay. The username they cracked was deleted. I added fail2ban for postfix. The logs show no further intrusion.
Jun 21, 2010
Brief overview of my current setup:
Code:
The ip_blacklist chain is used to immediately drop any traffic from specified address ranges, while the tcp_, udp_, and icmp_packets chains contain rules for further processing of those protocols. The last rule in each of the latter three chains drops all packets that didn't match any rules above it; so tcp, udp, and icmp packets should NOT get caught by the default INPUT policy (DROP). The goal of the last rule on the INPUT chain is to then log any packets that are picked up by the default policy. However, it's not working.
I can tell that there are packets being picked off by the default policy because the counters are being incremented, but nothing is logged by that last rule. My conclusion is that it's only looking for tcp, udp, and icmp packets and ignoring everything else.
How to get iptables to log all the other protocols (or whatever is being caught by the default policy)?
Sep 30, 2010
I'm going to start monitoring our Linux servers with a log management/correlation tool to take a proactive approach to the security of our systems.
Right now I'm going to search for log events that include the following:
Any other commands or logs that would be good to correlate or be alerted on when a potential breach or suspicious activity is happening on the box? Logging cleared, permission changes on accounts or particular files or directories? What would you want to see while monitoring your servers?
Mar 28, 2011
I am wondering if it's possible to log the number of bytes a connection transferred when the connection is complete with iptables. I know I've seen this sort of information in Cisco FWSM logs, where the "Teardown" entry of the logs has the bytes transferred for that connection. Is it possible to have something similar to that with iptables? Where the initial connection attempt is logged (i.e. NEW, which I have logging fine) AND an entry for that connection that includes the bytes transferred?
Oct 18, 2010
I am trying to figure out what command to use to show the number of DROPPED and INVALID packets that the firewall is handling. I'm going to put these commands into a log analyzer script which will run every 15 minutes with cron. The firewall is running and operating the way I want it to. I'm running CentOS 5.4.
Sep 30, 2010
I need to login as root, or at least get root privileges, in a cron triggered backup run. The straight way to do this would be the backup server making an ssh connection to the server to be backed up (this way because I want to avoid many servers being backed up in parallel and the backup server itself would be managing this diversity), via the rsync command which would be performing the backup's synchronization step.
I'm looking for alternatives to this in some form. I'd like to disallow direct root login to my ssh port (not 22). One idea I have is to have the backup server initiate an ssh login as a non-root user, to either the actual source server, or to a server that can reach the source server ... and set up port forwarding. Over the forwarded port, then initiate the rsync that logs in as root via another port that allows direct root, but cannot be reached from the internet at all (because the border firewall doesn't include this port as allowed in). FYI, these logins will be using ssh keys, not passwords. I do need to keep ownership metadata for files being backed up, so this is why I am using root. Also, rsync is needed to get the incremental updates to keep bandwidth usage lower (otherwise I could just transfer a tarball each day). Anyone have any other ideas or comments, for security issues, based on experience doing things like this (backups, routine data replication, etc)?
Feb 22, 2010
I wanted to disable root logins in the console, so I searched for that. I found that if I change root's shell to "/sbin/nologin" in "/etc/passwd", the root user will not be able to log in. So I did that. But when I wanted to use the sudo command, it didn't show me a root shell, it only did the same thing as logging in as root in single user mode (shows a message that this account is disabled). So, how can I disable root logins, but keep the sudo command enabled for standard users?
Apr 19, 2011
I have a program that generates large amounts of apparmor log messages. I'm happy to enforce restrictions on the program but I really don't want it to fill my log with messages every time it attempts to read a file.
Is there a way to let it enforce restrictions but not log denials?
Mar 17, 2010
On April 10, 2010, I upgraded some packages on my Ubuntu 9.04 server. This included an upgrade to "ufw 0.27-0ubuntu2". I rebooted the server, and all appeared to be fine.
Now I've noticed that UFW is not logging blocked packets since that reboot. It used to do this. It is still logging the allowed packets that I've configured it to log.
Here's what a "ufw status verbose" says code...
Feb 23, 2011
I have just compiled Snort 2.9.0.4 under Ubuntu 10.10 x86_64 installed with the full LAMP package. The syntax I used to compile Snort is as follows below
[Code]...
Sep 1, 2009
I switched over to Fedora a couple of days ago. I'm using the built-in firewall shipped with it but I can't find out how to enable logging of dropped packets. Among others I'd like to use psad that needs firewall logging. Is there an easy way to do this? I'm not an iptables "expert".
Dec 18, 2010
I have tried to not allow root access and have created a wheel user.
Now I cannot log in as root.
That's okay, but when I am logging in as the wheel user and trying to access root, it says:
Code:
May 3, 2010
I use dual boot with Win 7 and Ubuntu 10.04. I installed Win7 first on one partition, and afterwards Ubuntu 10.04 on a second partition on the same drive. Now when I try to delete some files in Windows, like old games that were on another hard drive, it says "You require permission from S-1-5-21-293015479-4145159318-3171105019-500 to make changes to this folder". How do I resolve the problem that Ubuntu takes ownership over some folders/files?
May 1, 2010
I want to deny certain users, based on time, from logging in to my machine. I am using CentOS 5.0. Any suggestions?
Apr 19, 2011
My firestarter is denying connections on ports 80 and 443, despite the fact that I have set rules to allow both the services, and indeed any connection from my gateway (the source of the connections).
Can someone please advise why this might be? I can surf the 'net fine, unfortunately I cannot load facebook, gmail, or another couple of sites that require logins, and I assume this is due to HTTPS not communicating properly. (On the off chance anyone can answer these real quick, I'm also trying to solve my resolution resetting every time I restart, and one of the icons in my KDE panel turning into a widget from an icon every time I restart. Still working on these, but just if anyone knows already).
Apr 3, 2011
I have installed the graphic user interface for IPtables and enabled this firewall. However, I find it a bit strange. What is the difference between rejecting and denying the traffic? If I want to configure IPtables as two-way, how can I define which of my apps can connect to the internet and which can't? If this firewall is enabled, does it really run in the background, protecting the user, or does it run only when its GUI is opened?
Apr 28, 2011
My apologies if this is the wrong board for this thread, but seeing how the issue appears to be related to where I'm connecting from, I thought this would be the place to look. To start off, I've been running VSFTPD on the box for a good year or so now. Until recently, everything seemed to be working fine, but during the past few days I've run into issues with it and have been having trouble pin-pointing the problem. I've gone as far as reinstalling VSFTPD and rechecking every line in the conf file to no avail. The issue presents itself when I try to login to the FTP server remotely. The moment I put my user name in, I get disconnected without any error message, simply connection closed. That isn't the case when I'm connecting locally from the server. If I try to connect remotely using eth0 (internal network), it works fine again... but if I try eth1 (external network)... it fails. I'm thinking it might be related to PAM, but so far have been unable to figure out what I need to change in the configuration there. Additionally, the PAM log file doesn't show any activity if I'm connecting through eth1, but displays it if connecting through eth0.
Apr 12, 2010
I run ProFTPd with TLS authentication on my Debian Lenny server. My problem is that despite the fact that my users connect chrooted, one of my friends had root privileges after logging in from a Macintosh and could browse the root directory, too.
Jul 29, 2009
I want to use KDM, but I can't find where to change the default gdm to kdm.
Aug 2, 2010
I recently purchased a new laptop for school and installed Slackware64 13.1. I love Slackware, don't get me wrong, in ten years of using Linux, it is by far THE BEST distro I've ever used. However, after about a week's worth of use, I'm doubting the "advantages" of using a 64 bit version. Frequent incompatibilities, library headaches, almost no performance difference, the list goes on. In truth, I have no real need for 64 bit, and 32 bit would probably solve most, if not all, of these little headaches. My question is, what is the best way to switch to 32-bit? Should I just backup, format and re-install using the 32-bit version? Would a simple kernel recompile work? If I re-install using 32-bit, should I format first? I'm personally thinking that I should do a "bare metal install" and cut the Gordian knot instead of trying to untie it. The following are the technical specifications of the computer in question.
Acer Aspire 5538 Notebook
Cpu: AMD Athlon X2 Dual-Core @ 1.2 Ghz
RAM: 4GB DDR2
HDD: 320GB/298 GiB
ATI Radeon 3200HD Graphics
ATI RS780 Azalia Sound card
Atheros 928x 802.11 b/g wi-fi
I'm aware that some of this hardware is slightly exotic, but I've had no trouble getting any of it working on Slackware64 13.1 and I don't anticipate any problems with it when I switch to 32-bit, but I have been wrong before.
May 9, 2010
I am considering switching from Ubuntu to another distro.
Is it possible to crossgrade from Ubuntu to Debian rather than reinstalling? Has anyone ever done that before? Are there any instructions for this anywhere?