Business or not a business entity, in the mostly globalized world it is almost inevitable to go on at least monthly basis without a need for some kind of currency convertion. Of course there are plenty of websites allowing Free Money Convertion services out there. However as I'm not a big fan of the Software as a Service (SAS). I don't like other people to be able to sniff what kind of money, amounts I'm intending to convert as well as I don't like google or other search engine to profile me how frequently I'm converting or intending to convert money. Thus today I did a quick research what kind of Free and Open Source Software FOSS is available to do the money convertion operation custom on my own webserver or my desktop PC. Though It was not exactly what I was looking for I found a Windows Desktop Software -CConverter which is capable of convertions between mostly if not all Currencies around the world. I'm not a m$ Windows user myself, but I was glad to know a Free Software exists for the task. CConverter is definitely a piece of soft useful for Businesses and People. In future if I do my own business it would be nice to know of this little handy soft existence and I will put it in action (to save costs) and add confidentiality to my business money transaction / convertions. Below is the two screenshots of CConverter I found on the project's sourceforge website:
First thing I did as usual is to send a test e-mail from Gmail to my Mailboxes on the mail server, the test mail was not received and in Gmail a failure to delivery notice was returned, I paste the TXT content of it as taken from Gmail's webmail -> Show Original menu:
Received: by 10.112.27.135 with SMTP id t7csp91961lbg;
Mon, 29 Oct 2012 11:08:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of designates 10.60.171.72 as permitted sender) client-ip=10.60.171.72
Authentication-Results: mr.google.com; spf=pass (google.com: domain of designates 10.60.171.72 as permitted sender) smtp.mail=; dkim=pass header.i=
Received: from mr.google.com ([10.60.171.72])
by 10.60.171.72 with SMTP id as8mr17839903oec.140.1351534106946 (num_hops = 1);
Mon, 29 Oct 2012 11:08:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
Received: by 10.60.171.72 with SMTP id as8mr17839903oec.140.1351534106944;
Mon, 29 Oct 2012 11:08:26 -0700 (PDT)
Received: by 10.60.171.72 with SMTP id as8mr20755231oec.140; Mon, 29 Oct 2012
11:08:26 -0700 (PDT)
From: Mail Delivery Subsystem <email@example.com>
Subject: Delivery Status Notification (Failure)
Date: Mon, 29 Oct 2012 18:08:26 +0000
Content-Type: text/plain; charset=ISO-8859-1
Delivery to the following recipient failed permanently:
Technical details of permanent failure:=20
Google tried to deliver your message, but it was rejected by the recipient =
domain. We recommend contacting the other email provider for further inform=
ation about the cause of this error. The error that the other server return=
ed was: 451 451 qq temporary problem (#4.3.0) (state 17).
----- Original message -----
DKIM-Signature: v=3D1; a=3Drsa-sha256; c=3Drelaxed/relaxed;
Received: by 10.60.171.72 with SMTP id as8mr10945566oec.140.1351262651282;
Fri, 26 Oct 2012 07:44:11 -0700 (PDT)
Received: by 10.182.41.232 with HTTP; Fri, 26 Oct 2012 07:44:11 -0700 (PDT)
Date: Fri, 26 Oct 2012 16:44:11 +0200
From: Georgi Georgiev <firstname.lastname@example.org>
Content-Type: multipart/alternative; boundary=3Dbcaec54edff653f66804ccf75ab=
After evaluating on qmail logs and various qmail components and basic qmail configurations, noticed the spamassassin spamd process is not running on the host. I've figured it out from qscanner-scanner.pl in /var/log/qscan/qmail-queue.log, there were records saying, qmail-scanner can't pass incoming scanned mail to spand and thus failing
I onwards check in proclist to make sure qmail-queue.log suggestion is right, i.e.:
It is also generally good idea to check the content of scripts spamd/run and spamd/log/run, a common problem with those scripts is spamassassin might be custom installed in /usr/local/bin/spamd and not in the usual /usr/bin/spamd – spamd location is defined in spamd/run; as well as location of daemontools logging tool multilog might be not /usr/bin/multilog but in /usr/local/bin/multilog – depending on what kind of Qmail guide was used on qmail install time.
Finally, to make daemontools schedule for monitoring spamd service link it in /service dir:
qmail:~# ln -sf /var/supervise/qmail/ /service/qmail
qmail:~# ls -al /service/spamd lrwxrwxrwx 1 root root 27 Nov 8 14:38 spamd -> /var/qmail/supervise/spamd//
To check whether daemontools, started and watch over spamd check what is in /var/log/spamd/current and check the status of daemontools:
Of course if spamd is crashing due to some newly included anti-spam rule, which prevents spamassassin from starting, suggested fixes and even daemontools will be unable to "respawn" spamd. In most cases however, implementing any of above "fixes" will assure you a peaceful sleep.
I'm currently once again on a pilgrimage in Pomorie Monastery St. George (Bulgaria) – EU as you should read in my previous day post. The brotherhood here is very hospital, since our coming (with Kliment), we were treated like being a part of the monks community. We're given food and allowed to eat together with the monks on one table and even we can enter into some of the interesting discussions after food :). The life in a monastery is actually quite fascinating, though on the outside it seems boring.
As a general rule monks eat a meal twice a day. On Monday, Wednesday and Friday, the meals are cooked and served usually without oil (except if the Abbot didn't bless differently). The abbot in the Monastery is like a King. The order in the whole monastery resides very much a Kingdom, where the abbot is king some of the monks are his (left and right hand and counselors) etc.
Just like in kingdoms, there are workers who help the kingdom to flourish. With the case with the monastery workers are (mostly believing people) hired (with a wage) to help with the monastery works.
The kitchen "district" has a (chef) cook lady, person/s (usually believing Christians) who help with cooking cutting and vegetables and various meal preparations etc. and serving the brotherhood and workers dinner and lunch. Oh yes I almost forgot, monks didn't eat breakfast. Their usual first meal is like 12 or 12:30 as a straight dinner.
As in Other Orthodox monasteries, here in Pomorie Monastery the monastery is named after the heavenly protector of the place Saint Martyr George.
The brotherhood life here is not as tough as the monasteries located in desert destinations, though just like in other mountain situated Orthodox Christian monasteries the monks has an established everyday Morning and Evening Church Service.
The morning Church service usually starts around 06:00 or 06:30, while on a feast days like Sunday (The Day of Resurrection of Jesus Christ) the service starts a bit later in 07:00 or at very special occasions in 07:30 …
The Evening Services usually start around 04:30 or 05:00 o'clock and continue (depending on Church calendar feast day (saint)) from 30 to 40 minutes up to 2, 3 hours (in biggest feasts or fasting periods). All the monks should be present on Morning and Evening service, where a bell is rang whether the monks has to gather together for a Church service prayer.
As of time of writting officially Pomorie monastery has 4 monk brothers. One is the Abbot, the abbot's left hand, one other hiero-monk who sometimes is serving the Holy Liturgy church services and another monk who is in his 70s and is mostly doing Church book readings. Occasionally the brotherhood accepts a novice pupils who want to enter the monastic life, but as long as my observations goes (during the few years I came as a pilgrim here) many of the novices find the monastic life for them and quit after a few months or a year time.
Just a year earlier the brotherhood, here had 6 monks. Unfortunately the oldest monk Father Tikhon who lived inside the monastery more than half of his life (40 years in the monastery W0W!) passed away after a short sickness and hospitalization. Another one of the monks (Father Joanikius) was transferred by the Sliven's Metropolitan (named also father Joanikius) to serve his monkship (obedience) in our Bulgarian Monastery situation in Holy Mount Athos (Greece) , e.g. to Zographus monastery.
The Abbot of the monastery (Father Yierotej) is a young and energetic person (35 years old) with a good sense of humour and a great God given wisdom grace and joyful temper.
Besides the core monks brothrehood currently the monastery has 5 workers and about 5 to 10 persons (people who are in hardships and have no place to stay) and were accepted to get a healing and a life stabilization while living for a while in the monastery. Some of those people are almost full time living inside the monsatic walls helping with their knowledge and talents to the brotherhood The overall number of people who inhibit the monastery is about rawly 15 people. All this people are given free meals 2 times daily and eat together often either in the monastic kitchen or the dining-room (which is also serving as a guest room).
Before and after each meal intake the people gathered together in the dinner-room pray together asking Jesus Christ to bless their food and drink. Usually the Abbot whenever on the table is the one to ask God for a food blessing. After the meal is complete the Abbot or some of the monks says a thanksful prayer thanking Jesus for giving the daily bread and asking God to give us also the heavenly spiritual food.
The most common food eaten here is vegetables and fruits and in non-fasting days they eat some youghurt, cheese or fish. Eating meat however is un-common and most of the food consumed is fasting food (meat is considered inappropriate food for Orth Christian Monks). The monastery is surrounded by a around a meter monastic walls. In the middle of the monastery is located the Monastic Church Saint Martyr George whichs basic walls dates back to the distant XIX century.
Facing the church about 40 meters from the Chuch are located the monks dwelling rooms also in monastic language called (cells). The monk's cell is full of icon and holy water, crucific crosses and all kind of faith related books so in a sense the monks room looks like a tiny Church.
Right in the middle of Pomorie Monsatery there is a holy spring – disease healing water which by God's providence healed the first Abbot and beneficient of the monastery (ironically the Turkish Abbot Salim Bey who converted from Islam to Christianity and donated all his land to the Bulgarian Orthodox Church in the 18 century when still Bulgaria was enslaved by Turkish).
The monastic yard is filled with green beautiful Peach and Plumb Trees. In the monastery yard they have sew of; potatoes, tomatoes, corn and few other "basic" self-grown. vegetables.
Along with the plants in one of the corners near the monastic wall there is a henhouse where some chickens and few turkeys are grown for getting fresh (natural) eggs.
In the old days the brotherhood was growing all their food by themselves as it was a tradition in the Monasteries, however with the changing times and the huge decrease of monks, growing all the monastic food on their-own became an impossible task ….
The monastery is mainly living on pilgrim or local believing people donations and the monastic land, as well as to sales of Orthodox icons and tiny faith related objects (crosses, holy bibles, church related books and literature) etc.
As I hear from some of the monks the harsh economic situation and severe world crisis that is plaguing the world also has a negative influence on the financial balance of the holy cloister too. A monk shared with me the financial expenses of the monastery tend to be "dangerously" growing lately as the amount of people whose the brotherhood is feeding and taking care (healing) daily along with the money for restoration works are raising and the monastery experiences a shortage of money. Still they're not discouraged but as I was told praying and hoping on God's grace to send them kind heart donators to help the monastery.
Most of the people who are in the monsatery not for a theraupetic reason (with a severe disease) work all day long. Though the work seems to be never ending here, one feels calm, relaxed and gracious. Even staying for few hours here, makes you filled-up with God's grace and gives you new energy and hope to continue the harsh daily stress filled life.
Besides the Monastery the town of Pomorie is also very beuatiful and have all the facilities and entertainment a tourist might like to have from a modern beach resort. Yesterday I went and had my first beach time here in Pomorie. Something interesting I noticed on the beach is the sand color which here in Pomorie is a bit blackish. The sea coast here near the beach is not big but feels cozy and there are bars near the beach shore, so anyone wanting to enjoy some of the world goods too can have a fanastic time here 🙂
r freedomYesterday silently with zero publicity, Bulgarian representatives ratified the ACTA (Trade agreement for fighting counterfeit.) The name sounds really good, but it has not much to do with what ACTA is about, when applied to digital medias and data sharing. The ACTA legislation has been ratified in Tokyo last week, where 22 of the European Union membership countries signed in favour of these "malicious" treaty.
The basic idea of ACTA looks tempting as it gives more freedoms to copyright holders, however if you look closely you will understand actually this copyright infringement clauses are not so in favour of us the users but mostly in favour of multinational corporations. For all those who have not heard about ACTA and SOPA in short this is anti freedom of speech treaty, which if put in action could lead to serious filtering of the internet. The ACTA 's controversial treaty has already raised an outcry from dozens of computer literated individuals who daily use the internet. Unfortunately, ACTA is less known among non-tech guys … and hence most people on the internet have no about its existence.
If ACTA is ratified and set to be valid as a legislation to Bulgaria, this could lead to total Internet censorship in BG (more or less like it is in china now). ACTA legislation will make sharing files via torrents and other P2P community file sharing networks a criminal activity. Another effect of ACTA is that practically free software which reads a proprietary formats like DVD becomes illegal in Europe (like it is currently in America) and I will become guilty for just reading the non-free format.. As a result of ACTA our ISP (Internet Service Providers) will be forced to log and keep all traffic flowing through their (Routering servers). Filters on a local ISP level that will be censoring free speech could also become totally lawful… Already there are plenty of ANTI-ACTA and ANTI-SOPA propaganda website which are trying to bring some more awareness to the public for the issue… Once an individual is suspected, to fraudulent activity or anything that breaks what is in ACTA is he is presumed to be guilty of crome … Just watch the two videos below and you will see how terrible the consequence could be if this legislation is integrated with todays Bulgarian government laws. If you're hearing for ACTA for a first time and you live in a country which has still not rafitied ACTA as a local country legislation, make sure you spread the word and let all your friends about the bad impact of this anti-human legislation. We have to really stand up and protest to retain our digital freedom !
The Internet can be censored if Protect IP ACT (PIPA) and Stop Online Piracy Act (SOPA) are put in action !
I had to make one old Samsung ML-2010P Laser Printer work on Xubuntu Linux . I've had some issues in installing it, I couldn't fine any step by step tutorial online, on how the printer can be made work fine on Linux. Therefore I took the time to experiment and see if I could make it work. Since the printer is old, not much people are interested any more in making the printer operational on Linux, hence I couldn't find too much relevant posts and sites on the net, anyways thanks God after a bit of pondering I finally succeeded to make the Samsung ML-2010P printer to print on Linux.This are the exact steps one has to follow to make this old bunch of hardware to play nice on Linux:
1. use lsusb to list the printer model
root@linux:~# lsusb |grep -i samsung
Bus 001 Device 003: ID 04e8:326c Samsung Electronics Co., Ltd ML-2010P Mono Laser Printer
You see the printer reports as Samsung Electronics Co., Ltd ML-2010P Mono Laser Printer
2. Install cups printing service required packages
P.S. Some of the packages I list might already have been installed as a dependency to another package, as I'm writting this article few days after I've succeeded installing the printer, I don't remember the exact install order.
5. Install splix (SPL Driver for Unix)
Here is a quote taken from Spix's project website:
"SpliX is a set of CUPS printer drivers for SPL (Samsung Printer Language) printers. If you have a such printer, you need to download and use SpliX. Moreover you will find documentation about this proprietary language. "
root@linux:~# apt-get install splix
For more information on splix, check on Splix SPL driver for UNIX website http://splix.ap2c.org/
You can check on the projects website the Samsung ML 2010 Printer is marked as Working Next step is to configure the Printer
6. Go to Cups interface on localhost in browser and Add the Samsung printer.
Use Firefox, SeaMonkey or any browser of choice to configure CUPS:
Type in the browser:
Next a password prompt will appear asking for a user/pass. The user/pass you have to use is the same as the password of the user account you're logged on with.
Click on the Add Printer button and choose to add the Samsung ML-2010.
Then restart the CUP Service (cupsd) to make it load the new settings:
root@linux:~# /etc/init.d/cups restart
Now give the printer a try in printing some page in SeaMonkey, Chrome or Firefox (the quickest way is through pressing CTRL + P )
Following this steps, I've managed to run the printer on Xubuntu Linux, though the same steps if followed should most probably make the Samsnung ML 2010 play nice with other Linux distributions with a little or no adjustments. I'll be glad to hear if someone succeeded in making the printer work on other distributions, if so please drop me a comment. That's all folks! Enjoy printing 😉
Once again, I experienced Skype microphone issues!!! Its getting really annoying, since almost randomly I get issues. Skype is a terrible program and depending on a proprietary thing like Skype is a real pain in the ass. This time it was totally strange as there was no way to record any voice inside Skype Call while testing with (Echo / Sound Test Service)
After a lot of puzzling and getting a bit angry I found this time the issues are caused by some settings which somehow changed in GNOME Sound Preferences microphone to mute:
You see on above screeshot that somehow the stupid thing get mutted 😐
After unmuting and restarting Skype, the microphone started working in Skype again …
I have never did a proper install of Windows XP on Debian before hand. Even though I experimented once long time ago. I had zero success with installing Windows XP Service Pack 2 . The only Windows I can make correctly working before hand on these early days on my Debian powered notebook with qemu virtual machine emulator was Windows 2000 .
I decided to give it another go today as I hoped the qemu has advanced and I’ve seen many reports online of people who were able to correctly make Windows XP SP2 work out.
As I’ve seen many blog posts online of people who succesfully run with qemu Windows XP SP2, in order to escape from repeating the other guys experience and conduct a fresh experiment, I decided to give qemu a try with Microsoft.Windows.XP.Professional.SP3.Integrated.June.2011.Corporate
Next step is to create an image file with dd or with qemu-img which will be holding the Virtual Machine Windows installation.
4. Create image file for Windows using dd
I decided to create a the image file to be with a size of 5 Gigabytes, this is of course custom so other people might prefer having it less or more the absolute minimum for a proper Windows XP SP3 install is 2000 Megabytes.
debian:~# su hipo -; cd windows;
debian:/home/hipo/windows$ dd of=hd.img bs=1024 seek=5000000 count=0
0+0 records in
0+0 records out
0 bytes (0 B) copied, 1.5505e-05 s, 0.0 kB/s
Notice here that the file dd will create will appear like 0 kb file until the Windows install from a BootCD is run with qemu.
5. Download an image of Microsoft.Windows.XP.Professional.SP3.Integrated.June.2011.Corporate from thepiratebay.org
Microsoft.Windows.XP.Professional.SP3.Integrated.June.2011.Corporate is currently available for download from the thepiratebay.org if in the times to come it is not available it will most likely be available from torrentz.net, isohunt.com etc. so I’ll skip more explanations with this step and let you use your favourite torrent program of choice to download the MS Windows iso. Just to make a note here I used transmission as this is my favourite torrent client. After downloading the iso I used K3B to burn the Image file as Bootable ISO. I’m naturally a GNOME user so to burn it as Image I just open it with K3B by using the GNOME menu and selecting Open with K3B
Next I instructed qemu to boot from the just burnt CD.
6. Boot windows Installation with Qemu from the Boot CD
debian:/home/hipo/windows$ qemu -boot d -cdrom /dev/cdrom -hda hd.img
Notice here that I’m running the qemu virtual machine emulator with a non-privileged reasons. This is important as qemu might have holes in the emulation of Windows Networking stack which if executed as root superuser. Can allow some malicious attacker to remotely compromise your GNU / Linux PC …
Qemu window will pop-up where one installs the Windows as it will install it using an ordinary PC. To switch qemu to fullscreen mode to have the complete feeling like installing Windows on an non-emulated PC ctrl + alt + f can be pressed.
The Windows installation took like 1 hour 20 minutes on my dual core 1.8 Ghz notebook with 2 GB of RAM. But I should say while installing I had multiple applications running; xmms, transmission, epiphany, icedove, evince etc. probably if I just run the Virtual Machine with no other applications to extra load my PC, probably the Windows install would have been done in max 50 minutes time.
After the installation is complete. To
7. Further run the installed Windowsdebian:/home/hipo/windows$ qemu -hda hd.img -boot c
As a next step its necessery to;
8. Bring up the tap0 interface and configure it for the user
I’m running my qemu emulator with my user hipo , so I run cmds:
debian:/home/hipo/windows$ su - root
debian:~# tunctl -u hipo
Set 'tap0' persistent and owned by uid 1000
9. Enable ip_forwarding and arp proxy and for wlan0 and tap0
10. Install the proper Network Drivers inside Windows
That’s just in case, if they’re not supported by the Windows default existing drivers. To do so, I downloaded my LAN drivers from the Vendor and put it on USB and sticked the USB drive to my laptop. In order to make the Kingston USB drive I used to transfer my LAN and Video drivers. I had to restart qemu with the parameter -usb -usbdevice host:0951:1625 , where I used lsusb to check and get the correct USB ID 0951:1625, like shown in the command below:
debian:~# lsusb |grep -i kingston
Bus 001 Device 006: ID 0951:1625 Kingston Technology DataTraveler 101 II
After on I booted again the Windows XP with the following command line in order to make qemu detect the USB Drive:
debian:/home/hipo/windows# sudo qemu -boot c -hda hd.img -usb -usbdevice host:0951:1625
One oddity here is that in order for qemu to detect the USB stick, I had to run it via sudo with super user privileges.Don’t ask me why this is the only way it worked … Next on used the Windows device manager from Control Panel -> System -> Device Manager to point my undetected hardware to the correct Win drivers.
For the GUI preferring user qemu has a nice GNOME GUI interface called qemu-launcher, if you like to use qemu via it instead of scripting the qemu launcher commands, you can install and use via:
One good module that helps in mitigating, very basic Denial of Service attacks against Apache 1.3.x 2.0.x and 2.2.x webserver is mod_evasive
I’ve noticed however many Apache administrators out there does forget to install it on new Apache installations or even some of them haven’t heard about of it. Therefore I wrote this small article to create some more awareness of the existence of the anti DoS module and hopefully thorugh it help some of my readers to strengthen their server security.
Here is a description on what exactly mod-evasive module does:
debian:~# apt-cache show libapache2-mod-evasive | grep -i description -A 7
Description: evasive module to minimize HTTP DoS or brute force attacks mod_evasive is an evasive maneuvers module for Apache to provide some protection in the event of an HTTP DoS or DDoS attack or brute force attack. . It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. . This module only works on Apache 2.x servers
How does mod-evasive anti DoS module works?
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address which matches the criterias:
Requesting the same page more than number of times per second
Making more than N (number) of concurrent requests on the same child per second
Making requests to Apache during the IP is temporarily blacklisted (in a blocking list – IP blacklist is removed after a time period))
These anti DDoS and DoS attack protection decreases the possibility that Apache gets DoSed by ana amateur DoS attack, however it still opens doors for attacks who has a large bot-nets of zoombie hosts (let’s say 10000) which will simultaneously request a page from the Apache server. The result in a scenario with a infected botnet running a DoS tool in most of the cases will be a quick exhaustion of system resources available (bandwidth, server memory and processor consumption). Thus mod-evasive just grants a DoS and DDoS security only on a basic, level where someone tries to DoS a webserver with only possessing access to few hosts. mod-evasive however in many cases mesaure to protect against DoS and does a great job if combined with Apache mod-security module discussed in one of my previous blog posts – Tightening PHP Security on Debian with Apache 2.2 with ModSecurity2 1. Install mod-evasive
Installing mod-evasive on Debian Lenny, Squeeze and even Wheezy is done in identical way straight using apt-get:
In case of the above configuration criterias are matched, mod-evasive instructs Apache to return a 403 (Forbidden by default) error page which will conserve bandwidth and system resources in case of DoS attack attempt, especially if the DoS attack targets multiple requests to let’s say a large downloadable file or a PHP,Perl,Python script which does a lot of computation and thus consumes large portion of server CPU time.
The meaning of the above three mod-evasive config vars are as follows:
DOSHashTableSize 3097 – Increasing the DoSHashTableSize will increase performance of mod-evasive but will consume more server memory, on a busy webserver this value however should be increased DOSPageCount 30 – Add IP in evasive temporary blacklist if a request for any IP that hits the same page 30 consequential times. DOSSiteCount 40 – Add IP to be be blacklisted if 40 requests are made to a one and the same URL location in 1 second time DOSBlockingPeriod 120 – Instructs the time in seconds for which an IP will get blacklisted (e.g. will get returned the 403 foribden page), this settings instructs mod-evasive to block every intruder which matches DOSPageCount 30 or DOSSiteCount 40 for 2 minutes time. DOSPageInterval 2 – Interval of 2 seconds for which DOSPageCount can be reached. DOSSiteInterval 1 – Interval of 1 second in which if DOSSiteCount of 40 is matched the matched IP will be blacklisted for configured period of time.
mod-evasive also supports IP whitelisting with its option DOSWhitelist , handy in cases if for example, you should allow access to a single webpage from office env consisting of hundred computers behind a NAT. Another handy configuration option is the module capability to notify, if a DoS is originating from a number of IP addresses using the option DOSEmailNotify Using the DOSSystemCommand in relation with iptables, could be configured to filter out any IP addresses which are found to be matching the configured mod-evasive rules. The module also supports custom logging, if you want to keep track on IPs which are found to be trying a DoS attack against the server place in above shown configuration DOSLogDir “/var/log/apache2/evasive” and create the /var/log/apache2/evasive directory, with: debian:~# mkdir /var/log/apache2/evasive
I decided not to log mod-evasive DoS IP matches as this will just add some extra load on the server, however in debugging some mistakenly blacklisted IPs logging is sure a must.
4. Restart Apache to load up mod-evasivedebian:~# /etc/init.d/apache2 restart
Finally a very good reading which sheds more light on how exactly mod-evasive works and some extra module configuration options are located in the documentation bundled with the deb package to read it, issue:
I'm tuning a Windows 2003 for better performance and securing it against DoS of service attacks. After applying all the changes I needed to restart the WebServer for the new configurations to take effect. As I'm not a GUI kind of guy I found it handy there is a fast command to restart the Microsoft Internet Information Server. The command to restart IIS is:
I’ve been hired, just recently by a company to make them a quick security audit analysis as they complain of having severe Denial of Service problems against an online e-store.
As a mean of securing the local network of the company, the old Linux server had to be replaced with a freshly installed one, which I had to configure to run smooth firewall and create DMZ zone. The company System Administrator has installed Debian Linux and brought up sshd to allow me to futher take the lead and secure the server After few hours, I’ve noticed unusual activities. For example processes like:
as well as processes like ./ssh 212
debian:~# ps axu|grep -i ./ssh|wc -l
On the server and after checking in /etc/shadow I found that users like admin, test had a password string assigned , interestingly even system users like postgresql and man was enabled and ready for login and had a password hash assigned in /etc/shadow
I’ve seen the ./ssh shit before and I know pretty well this is a famous romanian script kiddies tools which circulates in the wild for at least 5 years already.
A quick look up in the usual places, where script kiddies store their files, like: /var/tmp, /tmp, /proc, /sys and /var/run has helped me find the ssh brute forcer the kiddie has issues on the machine in my case it was located in /var/run/2012 inside I found of course the usual sk bad stuff:
root@debian:/var/run/2012# ls1 3 5 a data.conf find internet.txt pass_file screen ssh stricat.txt vuln.txt
2 4 64.37.find.22 atack derbedeu.txt full mfu.txt ronet13.txt ss start tefac.txt x
As well as an archive in /var/run/2012.tgz which was obviously quickly extracted and the brute force ssh tool was started to lookup for some more targets.
As I like keeping script kiddie stuff to expose and share with people, to help them get a better understanding what they can expect on their servers I made a copy of the 2012.tgz brute forcer tool, download the romanian ssh brute forcer shit is here if somebody wants to take a look, though I suggest to be very careful with it as some files might contain rootkits and other unwanted tool. If someone wants to give it a try be sure not to launch it as root.
Anyways, after finding the abuser I quickly removed all the active users, which were not supposed to be existent on the newly installed system from /etc/shadow changed the server root password, give a reinstall the openssh-server and openssh-client (as I was not if they had not been substituted with some rootkited version), e.g.:
Consequentially I killed all the active ./ssh and ./a processes to assure the script kiddie ssh brute forcer is no longer running on the server as well killed all connections to the ssh server manually with kill cmd to the unknown IPs.
Finally to make sure, the server is not rootkited or not backdoored I run some tests with chkrootkit, rkhunter and unhide :
On Debian the 3 tools are available as packages, so this saved me time and I proceeded installing like so:
In few seconds the tools were installed so I used them to check if the server is irreversably damaged or root kitted by the kiddie.
First I used unhide to make sure there are no hidden backdoor processes listening on the server:
for i in $(echo proc sys brute); do unhide $i; done
[*]Searching for Hidden processes through /proc scanning
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1
[*]Starting scanning using brute force against PIDS with fork()
[*]Starting scanning using brute force against PIDS with Threads
The above command checks with unhide in /proc and /sys for hidden processes as well as next uses brute option to try to brute force all PIDs on the server attempting to locate listening backdoors processes.
There are 2 more unhide binaries that can be used to check for hidden backdoors, unhide-posix and unhide-tcp
For some reason unhide-posix sys detected the /usr/sbin/rsyslogd -c4 process as some kind of hidden process, which is most probably a false positive, though I can’t be one hundred sure until I try to scan completely the server remotely after mounting the filesystem via ssh and scan it with clamav chkrootkit and rkhunter and even maybe with drweb .
I assume the HIDDEN Processes Found: 1 bells the alarm, however even though I did profound look up on the server with lsof, netstat and fuser cmds I cannot find nothing suspicious any more.
2. chkrootkit scan
Next I used chkrootkit to check if some common rootkit is not installed on the server:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
The chkrootkit output displayed thanksfully failed to detect that the system is rootkitted.
Finally, tested with rkhunter to assure chkrootkit to expand the range of rootkits the system is scanned for:
debian:~# rkhunter --check
[ Rootkit Hunter version 1.3.6 ]
Checking system commands…
Performing ‘strings’ command checks Checking ‘strings’ command [ OK ]
Performing ‘shared libraries’ checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] …
After a long screen of consequential rootkit tests, each of which requires the user to press enter rkhunter was unable to detect any rootkits installed on host as well.
Finally to make sure for one more time there are no some backdoors left or some unwanted users still connected to the server I used netstat:
debian:~# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7269/sshd
tcp 0 0 192.168.0.1:22 22.214.171.124:54913 ESTABLISHED 24545/1
tcp 0 0 192.168.0.1:22 126.96.36.199:50240 ESTABLISHED 7059/0
tcp6 0 0 :::22 :::* LISTEN 7269/sshd
As the output shows, I coulnd’t find anything suspiciou, still I can’t be 100% percent sure the system is clean and there is no something left from the cracker, probably the Debian server will be re-installed as it doesn’t matter since it’s newly installed Debian machine.
What is amazing is that the server was compromised immediately after it was installed. This means that either the very easy default root password the admin who installed the server was cracked, or his whole network has been compromised by the script kiddie. Tomorrow will have to investigate further to assure the security breach is closed hopefully once and for all.
☩ Walking in Light with Christ – Faith, Computing, Diary 2006-2020 Powered by: Pc Freak Solutions and Comments (RSS). Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.