Friday 31 December 2010

Backdoor ways to reboot a Windows server

When you need to reboot a Windows server, you’ll occasionally encounter obstacles to making that happen. For instance, if remote desktop services aren’t working, how can you reboot the server? Here is a list of tricks I’ve collected over the years for rebooting or shutting down a system when I can’t simply go to the Start Menu in Windows.

The shutdown.exe command: This gem will send a remote (or local) shutdown command to a system. Entering shutdown /r /m \\servername /f /t 10 will send a remote reboot to a system. Shutdown.exe is current on all modern Windows systems; in older versions, it was located on the Resource Kit. For more details, read this Microsoft KB article on the shutdown.exe command.

PowerShell Restart-Computer: The equivalent of the command above in PowerShell is:

Start-Sleep 10

Restart-Computer -Force -ComputerName SERVERNAME

Hardware management device: If a device such as an HP iLO or Dell DRAC is in use, there is a virtual power button and remote screen console tool to show the system’s state regardless of the state of the operating system. If these devices are not configured with new servers, it’s a good idea to have them configured in case the mechanisms within the operating system are not available.

Virtual machine power button: If the system in question is a virtual machine, all hypervisors have a virtual power button to reset the system. In VMware vSphere, be sure to select the option to Shut Down The Guest Operating System instead of the Power Off; this will make the call to VMware Tools to make it a clean shutdown. If that fails, the Power Off button will be the next logical step.

Console walkthrough: In the situation where the server administrator does not have physical access to the system, walking someone through the process may be effective. For security reasons, basically a single user (domain or locally) can be created with the sole permission of rebooting the server. That person could log on as this temporary user, and then it is immediately destroyed after the local shutdown command is issued. Further, that temporary user could be created with a profile to run the reboot script on their logon to not have any interaction by the person assisting the server administrator.

Configure a scheduled task through Group Policy: If you can’t access the system in any other mainstream way — perhaps the Windows Firewall is turned on and you can’t get in to turn it off — set a GPO to reconfigure the firewall state and slip in a reboot command in the form of the shutdown.exe command executing locally (removing the /m parameter from above). The hard part will be getting the GPO to deploy quickly.

Enterprise system management packages: Packages such as Symantec’s Altiris and Microsoft System Center agents communicate to the management server and can receive a command to reboot the server.

Pull the plug: This is definitely not an ideal approach, but it is effective. For physical servers, if a managed power strip with port control is available, a single system can have its power removed and restored.

What other backdoor ways have you used to reboot a Windows server? Share your comments in the discussion.

Ref: http://blogs.techrepublic.com.com/datacenter/?p=3562&tag=nl.e071

Thursday 9 December 2010

10 Sysinternals tools you shouldn't be without

Sysinternals has been around for quite some time and was acquired by Microsoft in 2006. These are great little tools for getting some heavy-hitting Windows things done and sometimes done better than when using the built-in tools for a task. The entire suite of products is available for download. While this is the easiest way to get the tools because they are bundled together, there are some tools that I find myself using far more than others. Here’s a look at my favorite tools in the Sysinternals collection (or the ones that I use the most).

Note: This article is also available as a TechRepublic photo gallery.

1: PsList and PsKill

I listed these together because I typically use them in this order. The goal here is to see processes on a machine — with PsList, I find the process ID, and then use PsKill to terminate the process.

There are quite a few ways to return information with PsList, and the best part is that it works on local and remote machines. PsKill works similarly to PsList except it is used to terminate processes by process ID.

2: Process Explorer

Process Explorer is a great tool for digging into open files or resources. Trying to open a file, but getting a notification that it’s already open? Process Explorer can help determine which application or process has the file open. It is a GUI-based utility and can be used as a Task Manager replacement. The utility has two panes of information. The top pane shows currently active processes on your system and includes information about the name, the account that owns the process, and the CPU usage of the process.

The bottom pane has two modes of operation, handle mode and DLL mode. When handle mode is enabled, selecting a process in the top portion of the window will show you the handles that the process has open. In DLL mode, the pane displays the DLLs and memory-mapped files loaded by the selected process.

3: ZoomIt

ZoomIt is a utility for the public speaker in all of us. When presenting information, sometimes it is helpful to show a certain area of the screen, magnified to call attention to a dialog box or other item. This is what ZoomIt does. When configured, it will integrate with PowerPoint to allow macro keys to trigger functions during a presentation.

4: PsLoggedOn

PsLoggedOn uses a registry scan to look through the HKEY_USERS key to see which profiles are loaded. Looking at the keys with a user ID SID, PsLoggedOn looks up the username of the SID and displays it. This shows you who is logged on in any session to a PC. When querying remote systems, your userid will be found as a connected user session as well. The remote and local users are returned separately to help distinguish logon types.

5: Autoruns

You know how malware likes to invade the startup folder and other locations on infected systems? Seems that these are the hardest things to find and get rid of when trying to clean up spyware/malware/ infections. Autoruns can help with that. It looks through all possible locations where applications can be listed to automatically launch when Windows starts. Then, it displays them in a tabbed, easy-to-follow GUI. You can hide Microsoft-signed entries to eliminate the good items from the list of things that start up on your system.

6: Contig

Some files have trouble with disk defragmenting applications and for one reason or another, can’t be corrected. This is where you might use Contig. It is a single file defrag utility, which can be helpful if you use a file often and suspect it might be suffering from performance issues due to fragmentation.

7: Disk2vhd

Disk2vhd creates a virtual hard disk file from a physical system for use with Hyper-V or even with Windows 7 or Server 2008 R2. Disk2vhd supports Windows XP SP2 and Windows Server 2003 SP1 and higher, including 64-bit versions of these systems.

A great use of this utility might be to create a snapshot of an entire disk for backup purposes. There are also options that allow Disk2vhd to be run at the command line. You can use these options to script vhd creation. Using the utility in this way would allow you to use Task Scheduler and Disk2vhd to create a snapshot of your PC at scheduled intervals with no user intervention. One caveat: When creating vhds, be sure not to attach them to the same system you created them from if you are going to boot from the vhd.

8: MoveFile

As we all know, there are times when files need to be moved or deleted to help get things cleaned off a PC (malware/bots/viruses). Sometimes, this can’t be done because files are in use, which prevents actions on the files until they are closed or the computer is rebooted. MoveFile provides an API that marks files for move/rename/delete at the next restart of the Windows system. Doing this allows the file to be acted on before it is referenced by the system.

9: PSFile

The PStools utilities are all popular and useful, but one that I recently discovered is PSFile. This utility shows files on a system that are open by remote systems by default but that can be passed parameters to return information about remote systems as well. This tool is a good way to check for open files on file servers when users might report read-only issues or have problems getting files to open properly.

10: Sync

This utility was created to mirror a UNIX utility that will allow you to flush cached file system data to disk. Doing this can help prevent problems with lost system information in the event of a system failure and helps to ensure live system information is getting written to disk.

The way I see this being useful depends on how stable your system is. If your computer tends to crash more than you would like (or if you are testing some scenarios), you might create a scheduled task to ensure that the system info is flushed back to disk once per hour or some other predefined timeframe. Another cool thing about this sync utility is that USB or ZIP drives or other removable drives can be flushed. You will need administrative privileges to use Sync.

Sunday 5 December 2010

Install Firesheep on Ubuntu 10.04 or 10.10

This morning I had a little bit of free time so I thought I’d (finally) check out the Firefox extension Firesheep. The main website mentions that it isn’t supported for Linux, but the source code is available and as it turns out very easy to compile. Below are instructions for downloading, compiling and installing the Firesheep security plugin for Firefox.

Get the Source

You’ll need to download the source code from github, which can be done using the following two commands:

git clone https://github.com/codebutler/firesheep.git
cd firesheep
git submodule update --init

These two commands will download the code required to compile Firesheep, putting the source into a new directory called “firesheep”.

Build Tools

To compile Firesheep on Ubuntu 10.04 or 10.10 you’ll need the following development packages installed. Simply copy-paste the following list of packages into your terminal:

sudo apt-get install autoconf libtool libpcap-dev libboost-all-dev libhal-dev xulrunner-1.9.2-dev

On my machine this installed quite a few packages, and while the main Firesheep website lists 10.10 specifically, I had no problems on my 10.04 installation.

Build Firesheep

You’re now ready to compile Firesheep. Run the following command and hopefully you’ll be able to build it without error:

./autogen.sh && make

Install the Plugin

If all is well you should find a new file called ‘firesheep.xpi’ in a subdirectory called build (ie; firesheep/build/). Simply drag-and-drop that file into your Addons dialog box, restart Firefox and you should be set.

I’ve been having some issues in actually capturing data on my Dell D630 with an Intel Pro/Wireless 3945ABG card. It looks like this tool is often hardware specific, so your mileage may vary. I’d be interested in anyone offering suggestions on getting it to capture properly on OS X 10.6 (macbook) or Ubuntu 10.04+.

Sunday 21 November 2010

Westerners Vs Asians

Blue -->

Westerners

Red -->

Asians

(1) Opinion

Westerners: Talk to the point

Asians: Talk around the circle, especially if opinions are different

(2) Way of Life

Westerners: individualism, think of himself or herself.

Asians: enjoy gathering with family and friends, solving their problems, and know each other's business.

(3) Punctuality

Westerners: on time.

Asians: in time.

(4) Contacts

Westerners: Contact to related person only

.

Asians: Contact everyone everywhere, business very successful.

(5) Anger

Westerners:

S

how that I am angry.

Asians: I am angry, but still smiling... (Beware!)

(6) Queue when Waiting

Westerners: Queuing in an orderly manner

.

Asians: Queuing?! What's that?

(7) Sundays on the Road

Westerners: Enjoy weekend relaxing peacefully.

Asians: Enjoy weekend in crowded places, like going to the mall.

(8) Party

Westerners: Only gather with their own group.

Asians: All focus on the one activity that is hosted by the CEO.

(9) In the restaurant

Westerners: Talk softly and gently in the restaurant.

Asians: Talk and laugh loudly like they own the restaurant.

(10) Travelling

Westerners: Love sightseeing and enjoy the scenery.

Asians: Taking picture is the most important; scenery is just for the background.

(11) Handling of Problems

Westerners: Take any steps to solve the problems.

Asians: Try to avoid conflicts, and if can, don't leave any trail.

(12) Three meals a day

Westerners: Good meal for once a day is sufficed.

Asians: At least 3 good meals a day.

(13) Transportation

Westerners: Before drove cars, now cycling for environmental protection.

Asians: Before no money and rode a bike, now got money and drive a car

(14) Elderly in day-to-day life

Westerners: When old, there is snoopy for companionship.

Asians: When old, guarantee will not be lonely, as long as willing to babysit grandkids.

(15) Moods and Weather

Westerners: The logic is

:

rain is pain.

Asians: More rain, more prosperity

(16) The Boss

Westerners: The boss is part of the team.

Asians: The boss is a fierce god.

(17) What's Trendy

Westerners: Eat healthy Asian cuisine.

Asians: Eat expensive Western cuisine.

(18) The Child

Westerners: The kid is going to be independent and make his/her own living.

Asians: Slog whole life for the kids, the centre of your life.

Thursday 4 November 2010

Any Video Converter 影片轉檔、切割、畫面翻轉編修工具

Free Video Converter是個操作簡單、速度也算快的影片檔轉檔軟體，主要功能就是讓我們將各種格式的影片檔轉成其他你要用的影片格式。在轉檔、輸出時，我們可以在輸出格式選單中依照影片檔、音樂檔、手機專用格式與光碟燒錄等分類，選擇你要用的格式。除了輸出成其他格式的影片之外，還可直接輸出成MP3、WAM、 agg等格式的音樂檔，或轉成一般手機用的MPEG-4檔案。可支援的影片格式有：

輸入格式：avi, asf, mov, rm, rmvb, flv, mkv, mpg, 3gp, m4v, vob, YouTube videos
輸出格式：avi, mp4, wmv, swf, flv, mkv, MPEG-1 and MPEG-2, mpg (PAL or NTSC), asf, m2ts, mp3, wma, ogg, aac, wave, m4a

除了提供包括繁體中文在內的多國語言介面之外，Free Video Converter可支援批次轉檔功能，只要先選取好檔案、調整好轉檔設定，按一下即可自動處理到好。除此之外還可支援從Google Video或Youtube下載影片、直接轉檔功能。

而Any Video Converter也提供了一個相當簡單實用的影片裁剪功能，可以讓我們把影片中不要的片段剪掉，也可支援影片合併輸出功能，將多個影片檔合併成一個。另外還有畫面切割、亮度/對比/飽和度調整等功能，還可將影片上下翻轉、鏡像翻轉、左右旋轉90度或加入雜訊、影片銳化...等等特效，相當實用。

▇ 軟體小檔案 ▇ (錯誤、版本更新回報)

軟體名稱：Any Video Converter
軟體版本：3.1.0
軟體語言：繁體中文（內建20國語言介面）
軟體性質：免費軟體（另有功能更完整的Pro付費版）
檔案大小：22.1MB
系統支援：Windows 2000/XP/2003/Vista/Win7
官方網站：http://www.any-video-converter.com/products/for_video_free/

軟體下載：按這裡

使用方法：

第1步 開啟Any Video Converter軟體之後，直接按一下左上角的「添加視訊」按鈕，將你要轉檔、修改的影片檔拉到軟體視窗中。

第2步 接著從右上角的「輸出格式」選單點選影片輸出格式，再按一下「編碼」按鈕，即可開始轉檔。

第3步 另外Any Video Converter提供YouTube、Google Video與NicoVideo...等網站的影片下載功能，下載完可直接轉成你要用的格式。

第4步 選取影片後，可以在右邊的預覽視窗下方按「Clipping Video」或「Video Crop_Effect」等按鈕，執行影片裁剪、翻轉或套用視覺特效...等功能。

第5步 這是影片裁剪功能，我們可以自行設定啟動與終點，把你要的部份保留下來，其他的剪掉。

第6步 這是影片畫面裁切功能，可以只保留畫面中我們要的區域，使用方法很簡單，先設定「Crop Area Size」的尺寸，然後移動右邊預覽畫面中的方框，對準你要保留的部份即可，其他沒被框選住的部分則會被剪掉。

第7步 這是影片特效設定頁面，除了可以調整影片的亮度、對比與飽和度之外，還可將影片上下顛倒、鏡面翻轉或左右90度翻轉，還可加入雜訊特效、銳化特效..等等。

裁剪好影片或設定好特效之後，記得回主視窗時要再按一下「編碼」按鈕，將你調整好的影片另外編碼、輸出，轉檔完成即可使用。

Exchange 2010: How to redirect non-SSL Outlook Web App traffic to SSL

With Outlook Web App being an outwardly facing service that relies on the use of your organization’s internal credentials, it’s important to make sure that miscreants don’t get access to your security jewels — individual usernames and passwords. Using SSL for this traffic protects your organization and your users.

In this Exchange 2010 tutorial, I focus on how to make sure that users who visit http://webmail.yourorg.com are automatically redirected to https://webmail.yourorg.com/owa. I will not be covering the SSL certificate provisioning and installation process.

Step-by-step instructions

1. Log into your Exchange 2010 server with a user account that has administrative rights on the server.

2. Go to Start | Administrative Tools | Internet Information Services (IIS) Manager. This opens the IIS7 manager, which is used by Exchange’s Client Access Server role.

3. Once you’re in the IIS Manager tool, expand your computer link, choose Sites, and then select the Default Web Site option.

4. From the Features View, choose the HTTP Redirect option (Figure A).

Figure A

Choose the HTTP Redirect option

5. When you get to the HTTP Redirect page, do the following:

Select the checkbox next to Redirect Requests To This Destination heading.

In the box below, type in the full address - including HTTPS - for the site to which you’d like to redirect traffic. This would be the format: https://webmail.yourorg.com/owa.

Make sure you also select the checkbox next to Only Redirect Requests To content In This Directory (Not Subdirectories). If you fail to do this, you’ll break some other functionality.

In the Actions pane, click the Apply link to save your changes.

Your HTTP Redirect window should look like the screen in Figure B.

Figure B

The HTTP Redirect options page

This step alone, however, isn’t enough. In fact, let’s try it. Browse to http://webmail.yourorg.com. You’ll get a message indicating that access is denied. The reason: SSL is currently required for the top level directory (Figure C).

Figure C

The SSL redirect isn’t working.

In order for the redirect to work, the top level directory needs to be accessible without using SSL. In other words, it needs to be accessible via HTTP. To make that happen, you need to disable the SSL requirement on that directory. Once you do, the top-level directory is fully accessible via HTTP and then IIS can properly intercept your HTTP request and redirect you to the page that you specified earlier.

Now, follow these steps:

1. Select the top level directory - probably called Default Web Site - and browse to SSL Settings (Figure D).

Figure D

Choose the SSL Settings option

2. Double-click SSL Settings.

3. Deselect the checkbox next to Require SSL (Figure E).

4. In the Actions pane, click the Apply link to save your changes.

Figure E

Disable SSL on the top level directory

For the remaining important subdirectories, make sure that the settings are as follows.

	SSL	Redirect
aspnet_client	Enable SSL	Uncheck redirect
Autodiscover	Enable SSL	Uncheck redirect
ecp	Enable SSL	Uncheck redirect
EWS	Enable SSL	Uncheck redirect
Microsoft-Server-ActiveSync	Enable SSL	Uncheck redirect
OAB	Enable SSL	Uncheck redirect
PowerShell	Enable SSL	Uncheck redirect
Rpc	Enable SSL	Uncheck redirect

You need to make sure that you run through each of the directory settings since some of the changes you made earlier will have propagated down through the folder structure. Figure F gives you a look at one of the settings you’ll need to change.

Figure F

Set SSL and Redirect settings on each of the folders listed above

Once you’re finished, test your new settings. As you can see in Figure G, success!

Figure G

The HTTPS redirect is working now.

Now, users can just remember webmail.yourorg.com, and you can do the heavy lifting behind the scenes to both protect them (SSL) and make their lives easier (automatic redirection).

HWM BlackBox 電腦硬體效能評比、檢測工具（繁體中文版）

HWM BlackBox是個電腦硬體資訊的檢測工具，跟之前介紹過的EVEREST、Speccy與HWiNFO32…等軟體相當類似。它可以幫我們列出電腦中的CPU、記憶體、顯示卡、主機板…等等主要硬體配備的廠牌、型號與運作效能，包括時脈、倍頻、電壓與目前溫度…等等資訊，以及各種專業玩家才會用到的詳細硬體運作數據..等等。

除此之外，HWM BlackBox還內建了一個效能評比工具，測試出來的效能評比數據還可上傳到Top10hardware網站上跟其他人比大小，包含CPU、記憶體、顯示卡、影片編碼效能、3D遊戲效能與硬碟讀寫效能…等等的綜合評分，讓我們透過更具體、更精確的數據來測試不同電腦規格、不同平台間的硬體效能好壞。

▇ 軟體小檔案 ▇ (錯誤、版本更新回報)

軟體名稱：HWM BlackBox

軟體版本：2.1

軟體語言：繁體中文（內建多國語系）

軟體性質：免費軟體

檔案大小：1.60MB

系統支援：Windows 2000/XP/2003/Vista/Win7（支援32/64位元）

官方網站：http://blackbox.hardwaremania.com/

軟體下載：按這裡

軟體操作介面：

第1步 將HWM BlackBox程式下載回來之後，不用安裝直接執行「BlackBox21.exe」程式即可開始使用。「處理器」頁面會列出CPU相關資訊。

第2步 這是「記憶體」相關資訊的頁面。

第3步 這是顯示卡相關資訊的頁面。

第4步 這是主機板與光碟機、硬碟機及網路卡的相關資訊。

第5步 「效能」頁面提供了一個相當簡單、實用的硬體效能評比工具，按一下「效能評估分」按鈕即可開始測試。

Friday 29 October 2010

绿雨一气呵成 iPad 3.2.2固件越狱不求人

从来没有像iOS 4.1、iOS 3.2.2越狱这样一波三折——久负盛名的DEV-Team早在一个月前就宣布要放出基于SHAtter漏洞的绿毒（GreenPis0n），并在一周前确认发布时间为2010年10月10日10点10分。可就在发布前夕，神奇小子Geohot突然发力，直接拿出了Limera1n，轻松解决了iPad iOS 3.2.2、iPhone iOS 4.1越狱，让DEV Team被迫推迟绿毒发布。与此同时，Geohot也在不断修正Limera1n程序。截至发稿前，Limera1n最新版本为Beta 4。

在绿雨LimeRa1n发布不久，我们就为大家准备好了苹果iPhone iOS 4.1的越狱教程。接下来当然是要搞定iPad iOS 3.2.2越狱，事实上iOS 3.2.2越狱和iOS 4.1越狱大致相当，只要胆大心细谁都能不求人轻松搞定。

iPad 3.2.2越狱不求人准备篇

和之前神奇小子Geohot发布的所有越狱工具一样，Limera1n也无需重刷iOS系统。只是相比以往，由于Cydia撞墙，所以完成越狱后我们必须使用VPN或者代理服务器才能成功加载。

与此同时，我们还需要把iTunes升级到最新的iTunes 10版本，并确保iTunes能和iPad正常同步。最后当然是要猛击此处下载最新的Limera1n Beta 4(解压密码：www.evolife.cn)，顺带通过iTunes做好备份。

iPad 3.2.2越狱不求人实战篇

完成准备功夫之后，自然就开始实战iPad 3.2.2固件越狱了。我们首先确保iPad和iTunes正常连接，关闭所有的杀毒软件防火墙。然后找到下载来解压缩后的limera1n.exe文件，点击右键“以管理员身份运行”。

此时会弹出Limera1n的提示界面。我们点击make it ra1n。iPad就会自动重启进入恢复模式，iTunes也会提示找到一个处于恢复状态的设备。

然后我们根据limera1n提示同时按住Home键和电源键，一直到出现提示“Release Power Button”后保持按住Home键，然后松开电源键大约10秒。此时limera1n就会提示Entering the DFU Mode——此时我们就可以松开所有按键，等待Limera1n自动搞定剩下的工作。

完成上述所有工作后，你的iPad会显示出一个绿色雨滴Logo，随即自动关机——随着屏幕上Limera1n提示Done，iPad 3.2.2/3.2.1固件的越狱就此完成！接下来我们要再度打开iPad，开始安装Cydia和AppSync补丁了！

iPad 3.2.2越狱不求人安装篇

完成了越狱后，iPad程序中会出现Limera1n图标，由于在国内因为众所周知的原因无法连接到Limera1n网站和Cydia，所以这个图标暂时是白色的。此时我们配置好VPN或者代理服务器，确保可以访问Limera1n.com网站的情况下，点击该白色图标，然后在弹出界面中选择Install Cydia。Limera1n就会开始下载Cydia到你的iPad中。整个过程大约耗时5分钟。

完成下载后，Cydia会自动运行——如果没有，在主界面中运行也没问题。首次运行Cydia，Cydia会自动加载配置程序，完成后自动退出Cydia。我们此时要确保网络、代理服务器或者VPN正常运行，然后慢慢等待Cydia完成配置——整个配置过程大概需要5分钟。

完成配置后，Cydia和Limera1n的图标就不再是一片惨白。我们再点击Cydia运行，Cydia将会提示以什么样的用户身份进行配置。如果不需要命令行，我们点User即可。随后Cydia还会自动进行在线更新，我们强力建议大家不要嫌麻烦，点击Compelety Upgrade，完成所有更新后再进入下一步。更新过程中Cydia还可能重启或自行关闭。

更新完成后我们再度进入Cydia，选择下方的Manage，然后找到Source，点击右上角Add，然后添加一个新源：http://cydia.hackulo.us。注意该源同样需要代理服务器或VPN链接才能正确下载。

完成添加后，在该源提供的软件中找到AppSync for OS 3.2进行安装。然后退出Cydia，重新启动iPad就完成了所有越狱破解动作——此时你安装任何APP都将不受限制。必须注意的是，iPad 3.2.2/3.2.1越狱只能安装AppSync for OS 3.2补丁，除此以外安装其他任何版本的补丁都将直接导致白苹果系统崩溃。

Thursday 28 October 2010

Prevent DOS with iptables

After a recent conversation on the Ubuntu Forums I wanted to post an example of using iptables.

Of course there are several types of DOS attacks , in this post I will demonstrating the use if iptables to limit the traffic on port 80.

The goal is to keep your web server “responsive” to legitimate traffic, but to throttle back on excessive (potential DOS) traffic.

In this demonstration iptables is configured :

The default policy is ACCEPT (to prevent lockout in the event of flushing the rules with iptables -F).

“Legitimate” traffic is then allowed. In this example I am allowing traffic only on port 80.

All other traffic is then blocked at the end of the INPUT chain (the final rule in the INPUT chain is to DROP all traffic).

The rules I will demonstrate are as follows:

First rule : Limit NEW traffic on port 80

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

Lets break that rule down into intelligible chunks.

-p tcp --dport 80 => Specifies traffic on port 80 (Normally Apache, but as you can see here I am using nginx).

-m state NEW => This rule applies to NEW connections.

-m limit --limit 50/minute --limit-burst 200 -j ACCEPT =>This is the essence of preventing DOS.

“--limit-burst” is a bit confusing, but in a nutshell 200 new connections (packets really) are allowed before the limit of 50 NEW connections (packets) per minute is applied.

For a more technical review of this rule, see this netfilet page. Scroll down to a bit to the “limit” section.

Second rule – Limit established traffic

This rule applies to RELATED and ESTABLISHED all traffic on all ports, but is very liberal (and thus should not affect traffic on port 22 or DNS).

If you understood the above rule, you should understand this one as well.

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

In summary, 50 ESTABLISHED (and/or RELATED) connections (packets really) are allowed before the limit of 50 ESTABLISHED (and/or RELATED) connections (packets) per second is applied.

Do not let that rule fool you, although it seems very open, it does put some limits on your connections.

Test it for yourself, try using the first rule with and without the second rule.

Full set of rules

After the above commands, here is the complete set of rules I am testing:


iptables-save
# Generated by iptables-save v1.4.4 on --
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on --
# Generated by iptables-save --
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on --
# Generated by iptables-save v1.4.4 on --

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/sec --limit-burst 50 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit 50/min --limit-burst 200 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on --

This rule set is for demonstration only and is NOT a complete set of rules for a web server. Do no use this rule set unmodified on a production server.

Testing the rule set

Human interaction

Open Firefox, point it to your web page. The web page should load nice and fast.

Hit F5 repetitively, load the page as fast as you can. Your web site should remain nice and responsive.

So far, so good, we want our site to remain responsive.

Simulated DOS

Actual DOS attacks are many times faster then humans, here I will use ab.

See this link or the Apache documentation for information of ab.

Baseline, without the above 2 rules

ab -n 100 -c 10 http://bodhi's_test_server.com/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking bodhi's_test_server.com (be patient).....done

Server Software:        nginx
Server Hostname:       bodhi's_test_server.com
Server Port:            80

Document Path:          /
Document Length:        59786 bytes

Concurrency Level:      10
Time taken for tests:   13.174 seconds
Complete requests:      100
Failed requests:        0
Write errors:           0
Total transferred:      6002700 bytes
HTML transferred:       5978600 bytes
Requests per second:    7.59 [#/sec] (mean)
Time per request:       1317.369 [ms] (mean)
Time per request:       131.737 [ms] (mean, across all concurrent requests)
Transfer rate:          444.98 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:      122  129   2.2    128     134
Processing:  1151 1182  19.1   1177    1260
Waiting:      125  132   8.2    128     170
Total:       1280 1310  19.3   1305    1390

Percentage of the requests served within a certain time (ms)
  50%   1305
  66%   1313
  75%   1316
  80%   1321
  90%   1328
  95%   1354
  98%   1386
  99%   1390
 100%   1390 (longest request)

Notice:

Requests per second: 7.59 [#/sec] .

Total time for requests: 13 seconds .

(Data) Transfer rate: 444.98 [Kbytes/sec] .

With the above rules

First attempt:


ab -n 100 -c 10 http://bodhi's_test_server.com/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking bodhi's_test_server.com (be patient)...apr_poll: The timeout specified has expired (70007)
Total of 99 requests completed

Oh no ! timed out, LOL

Second attempt (I reduced the number of requests to 90):


ab -n 90 -c 10 http://bodhi's_test_server.com/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking bodhi's_test_server.com (be patient).....done

Server Software:        nginx
Server Hostname:       bodhi's_test_server.com
Server Port:            80

Document Path:          /
Document Length:        59786 bytes

Concurrency Level:      10
Time taken for tests:   69.684 seconds
Complete requests:      90
Failed requests:        0
Write errors:           0
Total transferred:      5402430 bytes
HTML transferred:       5380740 bytes
Requests per second:    1.29 [#/sec] (mean)
Time per request:       7742.658 [ms] (mean)
Time per request:       774.266 [ms] (mean, across all concurrent requests)
Transfer rate:          75.71 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:      123  128   4.3    127     155
Processing:  1036 6269 10081.4   1921   51059
Waiting:      125 1240 5908.7    128   49656
Total:       1159 6396 10081.1   2044   51186

Percentage of the requests served within a certain time (ms)
  50%   2044
  66%   2981
  75%   5478
  80%   7047
  90%  20358
  95%  27356
  98%  48218
  99%  51186
 100%  51186 (longest request)

Notice :

Requests per second: 1.29 [#/sec] (mean)

Total time for requests: 69 seconds.

(Data) Transfer rate: 75.71 [Kbytes/sec] [Kbytes/sec].

For those unfamiliar with ab, that is a “minor” DOS

For comparison, here is what ab can do to the server (iptables was flushed [disabled]):

ab -n 1000 -c 100 http://bodhi's_test_server.com/
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking bodhi's_test_server.com (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests

Server Software:        nginx
Server Hostname:       bodhi's_test_server.com
Server Port:               80

Document Path:          /
Document Length:        58708 bytes

Concurrency Level:      100
Time taken for tests:   59.324 seconds
Complete requests:      1000
Failed requests:        945
   (Connect: 0, Receive: 0, Length: 945, Exceptions: 0)
Write errors:           0
Total transferred:      59190450 bytes
HTML transferred:       58945935 bytes
Requests per second:    16.86 [#/sec] (mean)
Time per request:       5932.368 [ms] (mean)
Time per request:       59.324 [ms] (mean, across all concurrent requests)
Transfer rate:          974.37 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:      127  908 817.9    788    8016
Processing:   735 4779 1805.2   4368   15707
Waiting:      128  981 827.2    811   12143
Total:       1058 5687 1880.8   5269   17450

Percentage of the requests served within a certain time (ms)
  50%   5269
  66%   5899
  75%   6340
  80%   6863
  90%   8078
  95%   9001
  98%  10937
  99%  11730
 100%  17450 (longest request)

Notice :

Requests per second: 16.86 [#/sec]

Total time for requests: 69 seconds.

(Data) Transfer rate: 974.37 [Kbytes/sec] .

As you can see, the server has no problem dishing out 974.37 [Kbytes/sec] !!!

Closing remarks

Hopefully you now understand this “simple” example limiting a DOS on port 80.

With these rules your web site remains responsive to human interaction in firefox. Go ahead, hit F5 (refresh the page) as fast as you can, see if you can get your web page to slow down =) .

The difference is that as with a DOS attack, ab is hitting the server faster then you can with F5 , so your site is responsive to “normal” activity, but blocks DOS.

Obviously this is but one example and there are several types of DOS attacks. The goal is to demonstrate the use of iptables using a few “simple” rules.

You task is to take this knowledge and apply it to you own server.

Pandoc is a Swiss Army knife text conversion utility

by Erez Zukerman (RSS feed) Oct 27th 2010 at 10:00AM

I love Markdown. If you write any sort of content for the Web, you really should try it; it's a simple notation system for making text bold or italic, creating headlines and bulleted lists, and more. To make text bold, for example, you just need to surround it with asterisks.

Converting Markdown into valid HTML is a fairly common task, and there's no dearth of tools that do this. But Pandoc caught my eye because it can do this and a whole lot more. Plus it's free, open source, and cross-platform.

Pandoc understands Markdown, HTML, and several other formats, and it can output:

plain text – i.e., strip all HTML and give you just the text

Markdown – so you can convert HTML back into Markdown for editing

And a whole list of other formats, including HTML, LaTeX, ConTeXt, PDF, RTF, DocBook XML, OpenDocument XML, ODT, GNU Texinfo, MediaWiki markup, groff man pages, EPUB ebooks, and S5 and Slidy HTML slide shows

It even supports PDF output using a helper utility. So yes, it can convert Markdown to HTML (and vice versa), but it can do so much more, too. It's definitely one for the toolbox!

Defend against Firesheep by surfing securely with HTTPS

by Sebastian Anthony (RSS feed) Oct 27th 2010 at 11:00AM

Firesheep Sucks, DeviantArt user MyBlackSheep

The last couple of days have seen the launch and explosive proliferation of a Firefox add-on called Firesheep. It's an incredibly simple program that snoops unsecured Wi-Fi packets to grant you one-click masquerading of other users: if you log into Facebook at the local coffee shop, someone can use Firesheep to become you. Seriously, you can go along to any location with an unsecured Wi-Fi network and steal other users' accounts.

Firesheep does this by 'scooping' cookies out of the air. Whenever you log into a website your name and password is only sent once -- afterwards, a stored authorization token is used. This means that if someone has your cookie they can pretend to be you -- and with unsecured wireless networks, anyone can grab your cookie.

This is a huge issue, and you have every right to be concerned -- but there is a solution!

Hopefully you've all heard about SSL and HTTPS, the encryption techniques used to secure Internet communications. The 'secure padlock' icon in your browser is most commonly found when buying things online, but most major sites also use it to secure login and registration. If you see this padlock, you are safe. If you could browse the entire Internet with that secure padlock in place then I wouldn't be writing this post.

Unfortunately, many sites redirect you to an unsecured page after you log in. Yes, your password remains secret -- but what good is that if your exposed cookie can be stolen by anyone on the same unsecured Wi-Fi network?

Fortunately, there are a few solutions for Firefox, and at least one good solution for every other browser.

The key to staying safe is by forcing every connection to use HTTPS, or to go via another connection that encrypts your communication. Almost every website has HTTPS capabilities, but because of the increased overhead that encrypted communication requires, it's often only used for logins and registering. Years ago this might not even have become an issue, but with everyone storing more and more personal information on services like Facebook and Google, and with Wi-Fi blanketing our streets and coffee shops, encryption really is required.

If you use Firefox, these add-ons should do the trick:

HTTPS Everywhere -- this gem from the Electronic Frontier Foundation is about as good as it gets. By default it forces most popular websites to use HTTPS, and you can add your own rules for other sites. This is one of the few add-ons that I use everywhere

Torbutton -- this solution is slightly more involved (it's for power-users), but if you want to be really secure and anonymous, the Tor network is a fantastic solution

Force-TLS -- this is like HTTPS Everywhere, but doesn't come with a built-in dictionary of secure sites. Adding them is very easy, though

Chrome users, due to a limitation of the browser, aren't quite so lucky. There is no way to force HTTPS with an extension. You may have read elsewhere that KB SSL will help you, but it won't. Instead you need to use a secure SOCKS proxy. This isn't particularly hard, it does involve a bit of work.

A guide for Windows users, using SpoonProxy

A guide for Mac users, using Meerkat -- our sister site TUAW has a guide that might help, too

Opera and Internet Explorer users: you too will need to use a SOCKS proxy; just follow one of the guides above.

Ultimately, though, if you use unsecured Wi-Fi networks you will leave yourself exposed. The best solution might not be to install add-ons, but to ask your local coffee shop owner to secure his network with WPA2. The entire problem would go away if big-name websites used HTTPS across the board, too.