Archive for the ‘Work’ Category

New Article: Web Application Protection- Ways to Protect a Web Application from Hackers

Saturday, February 20th, 2010

I wrote a new article this weekend, titled Web Application Protection- Ways to Protect a Web Application from Hackers.  I wrote this article to help some of my clients, who have asked about the different methods available to prevent an attacker from successfully compromising a web application.  The methods recommended include setting up SSL to encrypt traffic, using mod_security, and using iptables to block netblocks or domains that would never use the web application (for instance .cn, .af, .lt, .ru, etc).  However, there are a few methods that I didn’t talk about:

Use .htaccess to further restrict requests to web directories

Using .htaccess files can be a great way to restrict access to a web application, or add a password authentication feature where such a feature does not exist (for instance, to protect a private wiki).  A nice benefit that .htaccess authentication gives us is the ability to authenticate against a MySQL or LDAP database.  Combined with SSLv3 encryption, .htaccess authentication can be very secure.

Snort-Inline

Although I did mention mod_security can be used to firewall the web application (if you are running Apache), another solution is to use Snort-Inline to secure your web application.  Although not for the faint of heart (it’s fairly easy to make a mistake when installing Snort-Inline, and lock yourself out of the server), Snort-Inline goes above and beyond what mod_security offers.  Acting as a Network Intrusion Prevention system, Snort-Inline doesn’t stop at just filtering web application attacks, but can also be extended to monitor practically every major server software solution.

Hopefully, these tips will have helped out both clients and readers alike- in today’s world of automated bot scans and worms, it is far too common that web applications are exploited.  Some of these measures will mean the difference between a successful compromise, and a harmless attempt.

Here is the article:
http://linuxconsultant.info/tutorials/web-application-protection-protect-a-web-application-from-hackers.html

The Importance of Linux Server Maintenance

Sunday, December 20th, 2009

We have all heard the saying, “an ounce of prevention is worth a pound of cure”. This is especially true when the topic of server maintenance comes up.

All too often, I have worked on Linux servers that were woefully out of date, or that didn’t have a backup plan in place. Sometimes a client’s initial problem could have been fixed easier and cheaper just by following some routine maintenance tasks. At a minimum, here is a list of things that should be done monthly to maintain a Linux server:

  • Installation of Operating System updates
  • Examine all available system and daemon logs for irregularities
  • Confirm backup integrity
  • Check available system resources (and make plans to upgrade resources, when necessary)

These simple maintenance tasks can help prevent ugly surprises (no one likes those), and increase server uptime. In addition, the installation of Operating System updates helps keep your server secure (the second most common compromise method is through insecure software). Most of us know the security impacts of not installing security updates on our workstations- why not carry over that mentality to your server?

Also, it wouldn’t hurt to occasionally check for updates on software which might not come from your Linux distributor (such as Wordpress, PhpBB, etc). Too often, my clients will think that their site is secure, only to be surprised when an old exploit is used against their blogging or forum software.

The best part about regular server maintenance is that it isn’t really expensive when compared to the cost of fixing an out of date server. My own Linux server maintenance services start at just $25. The nice thing about the way that I have organized this offering is that it gives my clients choices as to the level of maintenance that is performed on their server monthly. Some of my clients prefer little more than Operating System updates, while others sleep better at night knowing that their server’s security has not been compromised. In addition, I also email my clients monthly reports, which let my clients know exactly what is going on with their servers. I have example reports available for the Basic, Advanced, and Premium maintenance plans.

Which plan you decide is best for your server is entirely your choice- but I’m a big fan of the advanced maintenance plan. It combines the most common (and important) maintenance tasks together, in a package price that’s easy to afford. The important thing to remember is that no matter who works on your server, it is maintained in a sensible and responsible manner. Nothing is worse than a disaster that could have been avoided with routine maintenance!

When Not to Outsource

Tuesday, October 13th, 2009

This weekend, I spent all day Saturday posting articles to websites, and getting backlinks for a client. The client wanted a fairly easy goal- 100 backlinks. However, the client didn’t want to pay an arm and a leg for these backlinks (honestly, who would). I admit that I briefly thought about outsourcing the work, and saving myself the time and effort of getting backlinks for this client’s website. After all, who wants to spend their Saturday in front of a computer, posting content to a website?

When I came up with this SEO plan for this client, I realized that it would be less effort and stress NOT to outsource the work. Yes, I would essentially be working for less than what I normally charge (I didn’t even want to think about what this paid per hour). Yes, this work is less than glamorous (really, who enjoys building backlinks?). However, if I had outsourced this particular task, I would have spent many days going back and forth with the freelancer building backlinks (differences in time zones, and all of that). Plus, the client would have paid more money in the end (the amount that I quoted the client was the average outsourced price; I could have cut maybe 20% off of that by haggling, but then add in the costs for me to supervise and double-check the work of the freelancer).

Don’t get me wrong here, I’m not against outsourcing. Heck, a part of my business depends on it. When your budget isn’t too tight (here, the amount that I quoted the client was quite low), you can find freelancers that will be able to follow the specifications on work without much supervision. However, link building campaigns are horrible campaigns for finding talent (if you want it done cheap). As an example, I once had a freelancer who, upon “completion” of the SEO backlinking campaign, I discovered had linked his own blog instead of my client’s website (the freelancer was instructed to use three links per article, and the freelancer used 2 of those three links to promote the freelancer’s own blog). As another example, I had a freelancer work on a similar campaign a while back, and the freelancer did great work. Minimal supervision (always good) was required, and the individual understood the work to be done. The difference between these two outsourced projects was the price. The project that had a bad freelancer was a short and cheap project. Conversely, the project that had a higher budget and a longer deadline had the better freelancer.

The way that I see it, if I can get a particular task done in less than a day, sometimes it’s best not to outsource. I’m paying that price right now, where I’m waiting on a Perl programmer to email me a fix to his script (it’s been 5 days now). Outsourcing has its place- just not with the small and cheap projects.

For those who are wondering (this isn’t a service I advertise), I do often manage projects involving outside coders or freelancers. I’ve been involved with projects ranging from 30 line scripts, to large software deployments. My experience has told me that sometimes, it’s best not to outsource a particular project. Instead, roll up your sleeves, and get the job done yourself. It might not be fun, but neither is the hassle of outsourcing work!

Easy Alternatives to CAPTCHA

Tuesday, September 29th, 2009

If there’s one thing that I hate worse than spam, it’s CAPTCHA. We’ve all seen CAPTCHA images before; they look like a three year old scribbled some random letters on a piece of paper, and then spilled a can of paint in the middle of that paper. Somehow, we are supposed to be able to read these letters, and insert the correct characters in order to submit a form. Most of the time, the CAPTCHA level of noise, or amount of ink splotches and other material added to distort the letters, is so high that I can’t even tell if a character is a member of the same alphabet that I use.

Perhaps the most damaging part of CAPTCHA is the assumption that you are up to no good. A website is placing an undue amount of stress upon you, for what? To enter a comment on a blog? To register for an email address? To send someone a message? I wonder how many potential customers and clients alike have been turned away from a website or vendor because of their CAPTCHA implementation. Personally, I’m afraid of it as well, which is why I haven’t implemented it on my contact form yet.

However, alternatives to CAPTCHA are gaining ground. Acceptable alternatives, in my opinion, involve the least troublesome challenges to your website visitors or clients. Examples include:

  • Simple math questions (What is four plus three?)
  • Logic questions (when you freeze water, is it cold or hot?)
  • Requiring the user to select pictures of familiar animals (click on the kittens)

The problem that most opponents have with CAPTCHA alternatives is that they can be easily spoofed, if the script creator doesn’t add enough random challenges into the mix. Admittedly, if your form only contained the challenge, “Is ice cold or hot?”, you would be in some trouble shortly. However, you can always combine challenges, and with a set greater than 20 challenges, have a very formidable defense against spam bots. Especially, when you combine images with text. Consider the following challenge:

Is ice hot or cold? ________

Now, this challenge isn’t particularly difficult for most spam bots; the bot author just needs to rewrite some code. You could even let the bot guess, by submitting as the answer “is”, “ice”, “hot”, “or”, and “cold” in turn, until it finally got the right answer. However, let’s take it a step further. Let’s do this:

CAPTCHA Alternatives _______

Now, we’ve got the same question, just inserted into our site as an image. Assuming that the image is randomly named, this is an excellent way of combining different CAPTCHA workarounds. Now, in order to defeat our form script, a bot writer will have to implement OCR technology into his script, and also implement a routine that submits every word in the challenge sentence, in order to try and fool our form script.

Now, let’s make things interesting. In our form script, let’s have a set of, say, 20 questions. These 20 questions are selected from a database (to make it a bit easier to add or remove questions), and we randomly pick our question from that database. We can go further from our “Is ice hot or cold”, to include such questions as “What is the name of the planet that you live on?”. In this last example, the correct answer, earth, is not located anywhere in that question. Now, the person writing a bot to spam our form has to hand write each and every answer to every question.

We can stop this game at any time, but the bottom line is that with the proper amount of preparation, our form script can be harder to beat than CAPTCHA. Most importantly, it will not cost us ANY visitors, clients, or customers. The humans can still easily submit information to us using our form, and all of the spam bots won’t know what to do with our web form.
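As an added example (not code from the post), here is a Python sketch of the form script described above: a bank of questions with accepted answers, a random pick per form, a normalized answer check, and an audit that flags any question whose answer can be read off the question text (the “submit every word in the sentence” trick). The HMAC-signed token that ties the question to the submitted form is my assumption; the post does not say how the server remembers which question it asked.

```python
import hashlib, hmac, os, re, secrets, time

# Constructed question bank; a real site would load this from a database (as the post suggests).
# Each entry: question text, set of accepted answers (compared after normalizing).
QUESTIONS = {
    1: ("Is ice hot or cold?", {"cold"}),
    2: ("What is the name of the planet that you live on?", {"earth"}),
    3: ("What is four plus three?", {"7", "seven"}),
}
SECRET = os.urandom(32)  # signing key; assumption: one per deployment, kept out of the web root

def normalize(text):
    """Lower-case and strip everything but letters and digits ('Earth.' -> 'earth')."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def answer_leaks_into_question(question, answers):
    """True when an accepted answer is a word of the question itself: a bot that
    submits every word of the sentence in turn would pass such a challenge."""
    words = set(re.findall(r"[a-z0-9]+", question.lower()))
    return any(normalize(a) in words for a in answers)

def weak_questions():
    """Bank audit: ids of questions whose answer can be read off the question text."""
    return sorted(q for q, (text, ans) in QUESTIONS.items() if answer_leaks_into_question(text, ans))

def issue_challenge(now=None, qid=None):
    """Pick a random question; return (question text, signed token). The HMAC token lets
    the server recognise which question it asked without keeping session state."""
    qid = secrets.choice(sorted(QUESTIONS)) if qid is None else qid
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SECRET, f"{qid}:{ts}".encode(), hashlib.sha256).hexdigest()
    return QUESTIONS[qid][0], f"{qid}:{ts}:{mac}"

def verify(token, submitted, now=None, max_age=600):
    """Check the token's signature and age, then compare the normalized answer."""
    try:
        qid_s, ts_s, mac = token.split(":")
        qid, ts = int(qid_s), int(ts_s)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SECRET, f"{qid}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged or tampered token
    if (time.time() if now is None else now) - ts > max_age:
        return False  # stale challenge: replaying an old form fails here
    accepted = {normalize(a) for a in QUESTIONS.get(qid, ("", set()))[1]}
    return normalize(submitted) in accepted
```

Running `weak_questions()` on this bank flags only the ice question, which is exactly the one the post admits a word-guessing bot can beat; the planet and arithmetic questions pass the audit.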

Now, the tricky part is just getting everyone else to switch over from CAPTCHA to one of these alternatives. Perhaps over time, these alternatives to CAPTCHA will gain in popularity. Only then will I finally be able to create an account on a website without pulling my hair out at a mixture of something from Picasso’s works and the modern alphabet.

New Article: Yahoo Temporarily Defers Email with Message 421

Wednesday, September 9th, 2009

I wrote a new article this weekend that identifies the main reason that Yahoo temporarily defers mail messages with an error 421. With spam mail messages on the constant rise, we can hardly blame Yahoo for being more strict on blocking mail messages that aren’t guaranteed to be spam free. With this problem, Yahoo has a solution for businesses that have to send commercial or bulk email- DKIM. DKIM solves Yahoo’s spam problem by allowing them to authenticate emails sent from your server, and it solves a business’s problem of ensuring that important, solicited bulk email is delivered.

Many administrators and email marketers alike have been frustrated by the addition of SPF and DKIM authentication, and few know how to properly tackle this burden. As always, if you need help installing a DKIM filter, or adding SPF to your domain’s DNS records, be sure to contact me.

Here is the article:
http://linuxconsultant.info/tutorials/yahoo-temporarily-defers-email-with-error-message-421.html

First post!

Sunday, June 14th, 2009

Normally, I’m not a blog person.  Simply put, I am the type of person that would rather call someone, than post a blog.  However, there are times when I want to share stuff that I’ve found with server software that maybe your average Joe doesn’t know about.  Enter this blog.

Over the days, months, or however long I decide to keep this blog up and running, I’ll post the latest challenges in my life (technical, anyways!).  Maybe someone will find value in this (they’d better), or maybe not.

Anyways, here’s the first post.  Now I’m off to install the shiny plugins!