Turner also added that Microsoft is by no means declaring peace. “And we’re really getting the message out about the fraudulent perception of free in the marketplace as it relates to open source. IT pros and decision-makers are starting to get it, that it’s not free, that there’s a lot of TCO that goes along with that, and there’s also substantial security risks that go along with it. And so we’re really making some traction in this area, and we’re going to continue to hit the gas and go more and more aggressive as it relates to winning share,” he stated.

So, let’s try to figure this out.
Initial Cost of Ownership:

Linux is free. You don’t PAY anything for it, whatsoever, at least you SHOULDN’T. If you do, you’re foolish enough to buy into a system you can get for free. Even RHEL can be obtained as CentOS, for nothing at all.

Windows is NOT free, and must be purchased individually. If you have multiple pc’s, you can’t run the same version or copy of Windows. Pricing as follows:

XP : (good luck finding it any more): $89-180
Vista : $100-300
Server Edition: 500-3000

Already, Windows is losing this battle, and on server editions, it’s GROSSLY losing the battle. That’s ok, though, let’s continue the comparison.

Hardware:
Linux will run on virtually anything, as the Asus Eee has repeatedly proven. You can’t GET Windows to boot with 512 M Ram any more.

Windows, on the other hand has very specific requirements for the setup. With Vista, you’re looking at (minimum) 30 gig drive and 1 gig ram, and optimum 4 gig ram.

Once again, advantage Linux, for providing cheap(er) solutions.

Administration:
Linux doesn’t require a TON of experience, but you’re better off by hiring a Linux admin to look after your servers. This can run you (if you do it right) from $65-300/month per server. Not a lot, but not a small chunk of change either

Windows doesn’t require a TON of experience either, however windows admins start off a LOT more expensive than Linux, from 50+ / hr, and good luck getting one to work on a monthly rate as quoted above.

Software:

It’s my experience that Windows, every once in a while, needs a ‘refresh’, or an OS reload to keep things running smoothly. This should be done every few months to clear up registry issues, fix slow PC’s (and servers), etc. At an hour or two per reload, this can get costly, because those of us in any sort of ’service’ business know that time is money.

Linux? I’ve kept Linux servers running on the same old OS for years. Of course, that’s not recommended, as hardware needs change, things update, all that, but still. The idea is that less time is required to maintain the Linux side of things.

Day to Day maintainance:
Here, we’re almost tied. In most cases, this is going to be hardware related, not OS, and, it’s not that hard to compare the two, because they’re comparable.

So, someone, please, tell me what I’m missing here? In the end, Microsoft LOSES every point in this battle except the last, because THEY cost more. The F.U.D. they’re spreading about ‘we cost less’ is just that, it’s F.U.D. Overall, the Microsoft OS (Windows) costs MORE to run and operate on a day to day basis!

Hacking, in the true and pure form is simply modification. It’s not even always ‘unwanted’ modification, it’s just modification. For example, for many of my clients, I “hack” VBulletin to get what they want done. Now, is that a ‘bad’ thing? Not at all.

Usually, I’d turn to the dictionary for a reference on what ‘hacking’ is, but in this case it’d be worthless, because Websters, and online dictionaries don’t have a clue what it is (or if they do they’re hiding it;)) .

There are a few forms of hacking, many evidenced by some sort of ‘credit’ being given to the hacker.

1. Code Injection
   Code injection is simply inserting X code in X application, in order to get it to do something you don’t want it to do (or something it wasn’t designed to do). This is typically done by some sort of a ’script’. A great example of this is phpbb, which is known for it’s “code injection” hacks over the years. Typically these are run by teenagers who just want to get famous at someone else’s expense (if they’re even teenagers), hence the term ’script kiddies’ was adopted.

   The best way to avoid this kind of attack is to use your own code, or keep your code up to date. Developers frequently release updates, and no mattter HOW modified your code is, you should always get it updated, ALWAYS!

2. SQL Injection
   SQL injection involves the attacker gaining access to your web page, and ‘injecting’ certain code into the database itself. This is a very messy hack, and very complicated to remove in many cases. In many cases, the website is often restored to a much earlier backup state, or the website is started ‘from scratch’.

   How to avoid ’sql injection’? Two things come to mind here:
   Firstly, keep your website code up to date. This is a critical issue and without keeping your website up to date, you’re going to go through this quite constantly.
   Secondly, make sure that you are using proper code. SQL injections are focused on certain codebases because they’re easier to exploit. PHPBB and the nuke products (phpnuke, cpgnuke, etc) come to mind, as they’re easily manipulatable, and have very minimal security.

3. Website Manipulation
   Website manipulation relies on individuals being able to actually get things into the website. For example, let’s say your server is running a ‘file upload’  service, and that service doesn’t secure the directories properly. Well, of course, you’re going to run into issues with manipulation there, and of course, that’s going to be exploited.

   Ways to avoid “website manipulation”? Never, EVER give anyone write permission to your website’s subdirectories. There ARE secure alternatives to this (storing things OUTSIDE of the webroot is a perfect example of that) that don’t actually require full insecure permissions. The idea is to keep things random, and to keep things stored PROPERLY, not in a 777 (a+xrw) directory just inside of your webroot named downloads, attachments, or some other hysterical garbage!

4. System Manipulation
   This is the most complicated of them all, and usually by this point you’re screwed, quite literally.
   If a hacker has gotten into your system, you’re going to need to be reloaded, from the ground up. Forget anything you had on the system, it’s all lost, it’s all gone. Oh, sure, you MIGHT (note:might) be able to recover the system, but it will NEVER be trustworthy again!

Now, there are a lot of schools on ‘hacking’, and a lot of things that can come from it.  Some consider hacking ‘ethical’, some don’t . Personally, I say it’s all about choice. The only thing that all humans should live by is one very simple statement (and it applies here as well)

Do No Harm

An even MORE appropriate statement? Something we ALL should have been taught growing up

If it’s not yours, don’t touch it

I don’t care if you’re testing something on something, as long as it belongs to you and you’re fully aware of what CAN happen. The second you tread on someone else’s territory and website is the SECOND you violate that rule, and the SECOND you deserve any and all reprocussions you’re going to get, legal, and non.

Next week? The benefits of PROPER, ETHICAL hacking. Until then, keep checking back, as I might just post something sooner!

Tom

During the two week “cyber war” against Estonia, hackers shut down the websites of banks, governments and political parties using “denial-of-service” (DoS) attacks, which knock websites offline by swamping servers with page requests.

Seriously, folks, a ddos is NOT a ‘hack’ . This is just ridiculous nonsense put out by media that is clueless, absolutely clueless as to what a real hack is, or a real hacker DOES.

So, I thought I’d take a while, explain what ‘hacking’ is, what the different types of ‘hacking’ are, how to be safe from them (you can’t ever be completely safe, mind you), and the general ‘ethics’ of hacking. This is going to be something that will be discussed over what will probably take a good month or two, weekly articles as I find the time. I’ve been looking for something creative to write about, and this just seems to fit the bill.

For starters:
I have been the victim of true hacking in the past, and let me tell you it’s not fun, or funny. It is what started me down the path of administration and security actually, and it was something that the hacker and I laugh about every year when we see each other.

You see, in the pre-2000 Linux distribution era, security was a concern, but there just wasn’t as much of it. I ran howlin (Oh those were the days) and managed to piss off the wrong person (or group of people), so they took control of the server (which a friend was generous enough to provide, no root access mind you) through my shell (the coder had the password), gained root privs through a sudo (IIRC) exploit, and poof, he was root.

Of course, again, it should be pointed out that I had no root access to the server, this was a friend’s “network pc” that it was being hosted on, and, well, what could I have done, right? Lesson learned? Coders can be a pain in the ass to work with . I got a copy of my code back, but I was never allowed back on that server again, as the ‘admin’ was a bit paranoid about the person who’d hacked him in the first place.

I share that only to share a perfect example of what ‘being hacked’ is, or what a ‘hacker’ does. Now, I’m not saying a DDOS (or dos) is bad, but, kids, it’s NOT a hack! Seriously. The reporter from the BBC that quoted this as ‘hacking’ should literally be fired for incompetence. When you WRITE stuff, you’d damn well bettter know what it is.

Anyways, I digress. Next week, the topic of ‘hacking’, what is it? What really is involved in a true ‘hack’, what KINDS of hacking are there, and, what kinds of ethics are behind those who truly think they’re hacking ‘ethically’. Till then, keep coming back for more!

Tom

Sorry about the downtime, folks, in the process of moving things around to a more efficient database server, I ended up (accidentally) deleting the blog database. Thankfully, I follow my own advice and had backups a plenty ready, but, OOPS!

Yes, it took me a few days to realize, with all the craziness of life, and again, I apologize. I’ll try not to do it again, though I’m hardly perfect!

That’s not the topic of this one though . In this entry, I’ll cover a few tricks for getting rid of spam bots, comments, and the like. Please note that a LOT of this stuff is more advanced than the regular setup, and believe it or not, it takes a LOT of work to get off the ground and going right.

Trackbacks, comments, forum spam, etc, they’are all becoming more and more common, because people are learning that mail spam just isn’t always the best way to get attention. of course, there’s always going to be new methods, and fighting those new methods is always going to be a major, major pain in the tail end. On average, I deny about 1-500 spam connections across 3 servers through multiple forum points. Why? Because of various things

• Bots that don’t follow rules set forth by the web standards (ie: robots.txt)
• Individuals who have been previously marked (other resources) as spammers
• Individuals who are currently in RBLs

Because I run multiple points of (possible) intrusion, it’s not realistic for me to expect other sites to carry my burden, so I went about creating my own little rbl , which I use to pass data back and forth from. In doing so, I deny individuals the rights to enter various websites on my server if they are above a certain predetermined threshhold. Why? Because spam is evil! Because users should never have to deal with the amount of spam that is out there, and because web spam is just another way of attacking a server. Bad bad spammer.

So, how can you do this, and how can YOU help get something like this working on your website? Well, it’s not as easy as 1,2,3. In fact, there really are no ’straightforward’ answers to this, only tips, guides and tricks. Here’s a couple methods I use. Keep in mind that I’ve developed a ‘wrapper’ to load at the top and bottom of my pages, not only to scan for bad stuff, but also to trap spammers as it were, using blind links.

Step #1:
If you’re going to be using this on a massive basis (anything more than 100 queries a day), you’ll find it’s better to setup your own system , check your own system first, BEFORE passing all of this off to the potential visitor. A very simplistic query of (insert ip into database) , (check database for ip) is all that is needed, and it saves everybody time and money.

Step #2:
Project Honeypot provides a great starting place for individuals with integration and plugins for Wordpress and phpbb, as well as a couple of others. As well, there are a few php scripts out there that will query their database and do what you tell them to with the data. Google is your friend, search it out, I don’t have the links on me any more.

Step #3:
RBLs are your friend. Determine whether or not the visitor is in an RBL, and if they are, or if they are in multiple RBLs, deny the IP address connection, plain and simple. Again, there are multiple scripts out there that tell you how to determine this, google is your friend.

Step #4:
Proxies are bad, mmmkay. There is no reason whatsoever that a person should be accessing your ‘free’ services, or services in general behind a proxy. If they have to do this, there are problems from the beginning. Resolve THOSE and you’ll be fine. There are multiple scripts out there that will check for proxy usage, and while none can be 100% accurate, it’s entirely possible to be close.

Step #5:
Go about creating you own traps for individuals to fall into . Things like blind links, or links that don’t show to the average user work here. For example, soemthing like

<!– <a href=/contact.php>contact us</a> –!> won’t show up to the average user, but WILL show up to bots. Just make sure to tell bots to stay away from that page in robots.txt.
What good does the above step do? A LOT! A LOT of individuals will run something like site rippers which will attempt to grab ALL of the content on your page immediately! To do this, they ignore robots.txt, which is the industry standard ‘exclusion’ (ie: don’t go there) page. Of course you want to ban people like this immediately.

So, how do you go about integrating all of this? Well, there are a few ways, but the BEST way is to create two wrappers

Wrapper #1:
This wrapper goes into your head includes, before ANYTHING else. All this does is checks the database (and respective RBLs if necessary) to see if the ip address is listed. If itt’s listed, display a message, and kill the connection. No fuss, no muss, the person doesn’t need to see anything else, period. In my case, I’ve given the user a link to my own rbl, which is not protected by that wrapper (and it shouldn’t be) so that they can see the issue and resolve it.

Wrapper #2:
This wrapper goes in one of two places:

If you’ve got session data, or ‘login’ data, you need to call it AFTER that data is called, otherwise it’s going to cause issues with the sessions and headers.
If you DON’T have session or head data, call it immediately after Wrapper #1

The purpose of wrapper #2 is your own spam trap, as discussed before. This should be the first link on the page in order to trick bots into thinking they need to go THERE first. Of course, you should always tell friendly robots to stay out of there (via robots.txt)

Like I said, it’s complicated, and it’s a very tricky situation, but denying bot access is 100% possible to do!

Have a great weekend and a Merry Christmas. I’ll see you all in the new year with more tips and howtos!

Tom

Why? Well, this is a guaranteed way to get your mail through (well almost). Any reasonable company will have support@ addressed through mail, almost guaranteed, and of course, it’s a spammer’s dream! Guaranteed delivery of e-mail, WOOH!

There are three solutions to this problem, all 3 will be covered here:

• Don’t accept the mail
  This response , or solution, isn’t really a response, or solution after all. In this case, you don’t have the mail routed anywhere, you have it nulled completely, and customers can’t get ahold of you through the most common of email addresses. Like I said, not really a solution there, is it?
• Return the mail
  This response receives mail to X address, informs individuals that “this is an unmonitored mailbox, submit a ticket”, then bounces the mail.
  The problem with this solution is that it allows no “tracking” of incidents, and makes your clients do a bit more work. This is, of course, wrong.
  SOME security “experts” will say that this  is more “secure”, as people will email passwords, but that’s not the case. They’re going to put the password into the helpdesk ANYWAYS, which is insecure to begin with (it IS stored unencrypted in mysql, right?), so who cares about email?
• Require registration
  This is the most feasible and realistic of all 3 options. This allows your clients to mail your support desk , after a minor registration. If they’re NOT registered, they receive a mail back saying that their ticket wasn’t accepted and that they need to register @ your helpdesk. Otherwise, the ticket will go right on through. Of course, only a handful of email systems actually have THAT in place, but those that do have some pretty thankful customers

Now, out of those 3, the 3rd is the best used in my opinion.  Of course, yours may differ, but the fact is that spam is a problem. Allowing users to just blindly send spam mail to commonly known and abused email addresses leads to more time fighting and deleting spam than anything else. Why shouldn’t you want to combat spam?

To start off, you will need to remove spamassassin. Spamassassin is well known to cause load in your servers, and is a poor implementation of “spam protection” at best. Don’t worry, we will tell you how, but this needs to be done. To do this:

Go into WHM -> service manager and uncheck the “spamd” services, then click save
Now, go into WHM -> configuration, and UN check the following options

• SpamAssassin Spam Filter
• BoxTrapper Spam Trap

Now, go and license CPanel PRO on your server (at this time it is free). You will need this for a couple of the plugins you are going to install

Once you’ve licensed Cpanel PRO , you can install the clamd plugin. Go into WHM -> Manage Plugins and click on the clamav connector there, then submit.

After a few minutes, your clamd plugin will be installed. Then, you need to go out and pick up the ASSP Cpanel plugin. There are two approaches to this.

These guys offer a free script, which works, and integrates directly into your user’s control panel
This script works, is closed source, and is not free. Of course, this as well will integrate into your control panel. The only downfall is it is encoded, and it’s not free. It’s up to you to decide whether you would trust that script.

Both of the above scripts work (reportedly) reasonably well, though I can attest to the first one working, and installing ASSP + necessary files. I can’t as far as the second one, only because it’s not worth it for me to pay and install something like this that I can’t trust (it’s encoded) with root access.

Once you’ve got the script, follow the script’s instructions. For the first one, it’s as simple as downloading their tar file (in the shell), and installing it . To do this, extract the tar file

tar zxpf asspx.tar.gz
cd asspx
sh ./install.sh

When you get all done, you will need to go to WHM -> Sultan Server ASSPX for Cpanel and change a few things around. All of this can be done from inside of WHM -> Sultan Server ASSPX for Cpanel (at the bottom)

1. Remove all boxtrapper settings
2. Remove all Spamassassin Settings
3. Install ASSP
4. Set Password
5. Set SRS  Secret Key
6. Install cPanel interface
7. Install Exim configuration

Once you’ve done all of this, restart BOTH ASSP and Exim

service assp restart
service exim restart

This will ensure that  settings will take.

Now, managing your ASSP installation can be tricky. For beginners, I’d advise staying with the settings they give you. If you continue to get spam, or get continued complaints about settings just not being right, please, feel free to contact us, and we’ll set you up with a quote for setting things up . We’ve got a pretty good setup going here that has been running incredibly effectively (stats here) for a year or better.

Next time? RBLs, what to do, which to use, which to stay away from and how to tell if YOU are listed!

What is this distribution you may ask? Yeah, ok , maybe you don’t care, but I’ll answer anyways .The LTN Distribution of php is a bit more advanced, and quite a bit more secure than the “standard” distribution of php. How so?

Firstly, LTN :: php incorporates mail patches which have been updated, since the php5 (and 4) updates to mail headers. This means that you’re going to SEE who’s abusing what script, instead of actually wondering WTF is going on! Great idea, unfortunately, support by author is sporaddic, so I’ve added this to the list.

Secondly , suhosin support is added in. I’m not talking about a crappy “module”, I’m talking about patched into the core of php. Modules are great, but they suck when you recompile php and they can’t be activated. BOOOH!

Should LTN :: PHP be trusted? I’ll say this for it. I use it myself, and recommend that ALL individuals use it. Why? Because I said so, damnit. Ok, ok, so you need a better reason than that, I get it.

1. PHP is insecure. I’m not talking just globals, mail, etc, but the whole thing, it’s shot, and insecure. It’s good, but it doesn’t do jack for “security”.
2. PHP has bad mail handling capabilities. I mean, bad, bad, bad. They’ve improved on them, but it is still possible (with proper abilities) to send out mass spam to individuals. This should be stopped @ the core.
3. PHP has functions which are easily abused. Rather than DISABLE those functions, wouldn’t it seem more appropriate to patch the functions so that hey, they’re not so abusable? I mean, usability is key. If I can’t USE php functions, why, on god’s green earth am I bothering to use php as a core language, right?
4. PHP constantly releases premature, buggy releases. Rather than use something that’s premature, problematic and ick, why not use something that’s stable, utilized and tested? I’m not saying I’m not going to update php patches when necessary (cuz I will), but I’m not going to patch and update immediately. It’ll happen soon after the original release gets put out (within 2 weeks) to ensure that everything is dandy and copacetic.

The bottom line? Why NOT provide your clients with some sort of security? And hey, documentation, not a bad thing either! Took a couple hours to get 2.x gig across, but it’s there, and I will sync daily, so THAT part will be 100% updated and current. Support your local linux tech, use the UNofficial php documentation!

Peace out, enjoy your weekends.

P.S.:
I know I owe you a bit of an update on the RBL thing. I’ve been working on it. In the meantime, please, feel free to track the stats here. These are real time stats, updated whenever something happens . I’ve been a bit swamped lately with a rather large project, so bear with me. I promise, I’ll get it there, it’ll just take time!

cron/user: Permission denied

What caused this? Why is it here? How to resolve? Read more

This was caused because of a faulty CPanel setup, or a faulty server setup. Either way, permissions were not set appropriately for fixing this issue. Here’s how I got it fixed, and a brief explanation of HOW this happens, WHY it happens, and whatnot (ie: the tech crap)

This happens because the user did not have permission to write to the specific file that cron needs to change in the /var/spool/cron directory. There are two ways to change this:

1. Make the directory world writable. This is a security risk, because this would let anything write anything to this directory, without any sort of security. Bad idea, but if you want to do this, you can do this like so.
   

   chmod a+w /var/spool/cron

2. Fix the permissions on cron so that the user can execute it with suid priviledges. This will allow the binary to write to this specific file, but ONLY the binary.
   

   chmod 4775 /usr/bin/crontab

Obviously the second way is more secure, because it enforces strict rules as to what can be done, what can’t be done, and the like. This keeps things secured to a degree, while still allowing security measures to be in place. Of course, someone abusing the crontab binary is STILL possible, but that’s for another entry.

Secondly, don’t just use ONE option to filter for spam, use MULTIPLE! For example, check RBLs, check Helo’s (not Halos), RBLs, hostname, whitelists, RDNS, PTRs, etc. Don’t deny mail based on just ONE option, but build yourself a list, and go from there.  Also, don’t just ban based on ONE RBL (though, admittedly I do), but do multiple RBL failure checks.
Spam has gotten so bad that individuals have resorted to “comment spam”, the newest, and most heinous form of spam, as it is no longer “private”, and requires moderation on a day to day basis. Thankfully, there are those out there that are helping to fight this, and there are ways to develop “wrappers” around your application that will deny ip addresses based on spam entries alone.

Unfortunately, the oh-so-wonderful U.S. government has all but made spam legal with the Can-Spam act of 2003. For all they’re concerned, as long as the sender uses a legal email address, and jumps through a few hoops, well, they are legally able to spam you. This is what you get when you deal with people who are business minded, instead of consumer minded, and have minimal interest in the consumer part of things.

So, how to combat spam? It is a growing, online adventure, and here are just a few tips that I have managed to put together to combat spam, both on the email level , and on the comment / commercial level.

• Use RBLs to verify your entries
• Check RDNS Entries (in email)
• Deny illegitimate traffic
• Create wrappers to your online applications

Over the next few days, maybe the next couple of weeks, I will walk through doing this, what options are good, what ones are bad, and how to get the most out of your applications and traps. Check back for more!