The middle section of the below .htaccess file switches to https if the request URI begins with /dev and works.

The last section of the file works as well but does not work properly with the https redirect.

I basically want to be able to type http://www.namhuy.org/dev/some_sub_dir/ and be redirected to https://www.namhuy.org/dev/some_sub_dir/ and prompted for the http auth username and password.

What currently happens is if I go to http://www.namhuy.org/dev/some_sub_dir/ I get prompted for a username and password over port 80, and then immediately get prompted again over port 443. So my credentials are being sent twice, once in the clear, and once encrypted. Making the whole https url rewrite a little pointless.

The reason for doing this is so that I won’t be able to accidentally submit my user/pass over http; https will always be used to access the /dev directory.

Create a file /etc/httpd/conf.d/test.conf with:

<Directory “/var/www/html/dev”>
#
# force HTTPS
#
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

…and then adding the following inside /etc/httpd/conf.d/ssl.conf just above the </VirtualHost> tag:

<Directory “/var/www/html/dev”>
#
# require authentication
#
AuthType Basic
AuthName “Please Log In”
AuthUserFile /var/www/auth/passwords
Require valid-user
</Directory>

• Proper configuration
• Updates
• Reading materials
• Frequent penetration tests
• Monitoring and logging
• Experience with advanced configurations

Zone-h archives

All operating systems have vulnerabilities.  And yes Apple, Microsoft and Linux is only as safe as the end user.

This and Windows Live Safety are my first choices for a kid computer. K9 is a free product offered by Blue Coat Systems which make content filtering solutions for businesses. Giving away a free home client isn’t where they make their money so it’s nice they offer something for home users that utilizes their corporate filtering technologies. From what I’ve seen it is a free download, you can set up a parental password to override a blocked site, select from predefined site categories to block, set up email to audit what was visited, password protect the installation so someone can’t remote the app without knowing the password you used to secure the installation. Essentially everything I’d expect in a paid product.

Windows Live Safety

A part of the Windows Live Essentials pack. Free content filtering from Microsoft. This is on my list for the same reasons as the K9 Web filtering software above and I could see this being something a mom would put on her child’s computer. It’s a nice solution because it hooks into Windows well by leveraging features of Windows that we users tend to ignore, such as Windows Parental controls and whatnot.

OpenDNS

Kicking it up a notch we get to solutions that can either be used on a per computer basis or blanket a whole home. DNS stands for Domain Name Services. DNS servers are what your computer and network use to translate internet addresses to domain names. Example: go to your favorite web browser and paste 74.125.47.103 into it and you’ll be directed to google.com. By default your Internet provider has dynamically set you up to use their DNS servers. Unless you live in China you’re service provider doesn’t regulate what sites you go to but for the purposes of content filtering you can use 3rd party DNS servers which categorize content for you for easy filtering. All of these solutions are doing this same filtering but OpenDNS is one of the services that doesn’t necessarily require a client software install but can also be used by configuring your home router to use OpenDNS servers instead of your ISP’s to resolve domain names. The way their site works is you sign up and set up your content filters. You’d then either set up your child’s computer to point to their DNS servers or just plug them into your router’s setup instead of your ISP’s. Pretty easy if you take a moment to figure it out and they have pretty good instructions on how to do it since it sounds confusing.

Untangle

Kicking it up the extra notch. If you’re a bit more savvy with a computer this would be my last free solution. This product is a Ubuntu-based distribution (Linux) which clicks you through setting up a computer as a security appliance gateway on your network. Definitely a higher skillset than any other solution as you have to understand a bit more about networks but in the end it’s a network security appliance that rivals products a company might pay a chunk of change for. I suppose I won’t go into much details but this product bundles open source web content filtering, virus scanning, intrusion detection, firewall, protocol filtering, ad filtering… etc. Consider this if you are a geek that likes free stuff. You’d need an old computer with 2 network cards in it you can dedicate to running this product. A big gain for me is adblocking. You don’t know what it’s like to go from having programs that block ads on web pages to using a computer that doesn’t block ads.

In all we have 4 solutions that perform the same function of content filtering. Some client-side and some for whole network filtering. Some do just content filtering and others are bundled with much more. Any of these could be combined and work just fine though going to a website and having it filtered 4 times would make browsing slower. If I was setting this up for a child I’d pick a client-side program. When I think of OpenDNS I consider that my ISP’s DNS servers are likely closer to my network and would likely be a little quicker on resolving domain names but for whole network protection it’d be the easiest to set up. If I can afford using an old computer as an appliance I’d use Untangle, though I have to know how to set it up.

Rest assured you could set up K9 or Windows Family Safety in a matter of minutes.

Here’s another tools that, is useful. mtr. mtr can be seen as a combination of ping and traceroute. When started it runs as a ncurses program. And what make it interesting is that, it shows the result, live. To me it’s interesting. There is 2 version in the ubuntu repository, one is mtr, another is mtr-tiny. The version I use, is mtr-tiny, which do not have x11 support. to install it on ubuntu, is a matter of
sudo apt-get install mtr or sudo apt-get install mtr-tiny

To run in is a matter of

mtr destination(could be address or URL)

or to leave ncurses, useful if you want to redirect the output to a file.

mtr -r destination

or to run on certain cycle

mtr -c 10 destination

or you can combine it

mtr -c 10 -r destination

For example I tunnel all of my outbound E-mail traffic back to my personal server to avoid having to change SMTP servers, use SMTP-AUTH, etc. when I am behind firewalls. I find that hotel firewalls, wireless access points, and the other various NATing devices you end up behind while traveling often do not play nice.

To do this I use the following:

ssh -f user@personal-server.com -L 2000:personal-server.com:25 -N

The -f tells ssh to go into the background just before it executes the command. This is followed by the username and server you are logging into. The -L 2000:personal-server.com:25 is in the form of -L local-port:host:remote-port. Finally the -N instructs OpenSSH to not execute a command on the remote system.

This essentially forwards the local port 2000 to port 25 on personal-server.com over, with nice benefit of being encrypted. I then simply point my E-mail client to use localhost:2000 as the SMTP server and we’re off to the races.

Another useful feature of port forwarding is for getting around pesky firewall restrictions. For example, a firewall I was behind recently did not allow outbound Jabber protocol traffic to talk.google.com. With this command:

ssh -f -L 3000:talk.google.com:5222 home -N

I was able to send my Google Talk traffic encrypted through the firewall back to my server at home and then out to Google. All I had to do was reconfigure my Jabber client to use localhost as the server and the port 3000 that I had configured.

Affected versions include all Linux 2.4 and2.6 versions since May 2001. This spans 2.4.4 up to and including 2.4.37.4 in the 2.4 kernel and every iteration of 2.6 from 2.6.0 up to and including 2.6.30.4.

What is this vulnerability all about? Functions in certain kernel routines are left uninitialized, so pointers aren’t validated before dereferencing. This allows local execution of code (sample POC available in both articles linked above) which compromises the machine. Compromise? Yes, pwnt.

These are known affected modules according to Redhat’s bugzilla:
ipx.ko
irda.ko
x25.ko
ax25.ko
bluetooth.ko
sctp.ko
pppoe.ko
pppox.ko
appletalk.ko

That thread offers mitigation possibilities (and some commenters — see #32 and #48 — explain why those steps won’t work). According to post #27 in that thread, the exploit is already being used (as of about a week ago as I write this) to attack machines: “They entered the system through a web application exploit and then used the exploit to gain a root shell.”

This gets to the bigger problems of security. If you think of Linux as only the kernel or even the kernel plus the utilities that make it a functioning operating system, you’re seeing only one layer of vulnerability. Add another layer of complexity with various software and you’re adding more complexity and, accordingly exponentially more layers of vulnerability. If someone can get in through one door, he can often find “keys” to open other doors. That in a nutshell is what happens in cases like #27 in the Redhat bugzilla thread.

Fedora, Debian, and Ubuntu have reportedly already patched for this kernel issue.

Install the CVS server:
sudo apt-get install cvsd

When prompted in the cvsd installation process for Repository, type in “/cvsrepo”.

Now that the cvsd installation in complete goto /var/lib/cvsd
or seeking for a change(or if there is a new version of cvs updated):

sudo cvsd-buildroot /var/lib/cvsd
If the folder cvsrepo does not exist, then create it ..
sudo mkdir cvsrepo
sudo chown -R cvsd:cvsd cvsrepo

and then initilize the repository
sudo cvs -d /var/lib/cvsd/cvsrepo init
create a user and password
sudo cvsd-passwd /var/lib/cvsd/cvsrepo +username
sudo vi //var/lib/cvsd/cvsrepo/CVSROOT/config
Change “SystemAuto=no”

Test

cvs -d :pserver:username@localhost:/cvsrepo login

cvs -d :pserver:username@localhost:/cvsrepo checkout .

Ipkungfu is available a the Ubuntu repositories. To install ubuntu,

# aptitude install ipkungfu

Ipkungfu should now be working.

After installing ipkungfu, type

# ipkungfu

to configure ipkungfu and answer “yes” if you are prompted.

At this point, if you connecting remotely via ssh, make sure you are not disconnected because by default, ipkungfu is blocking all incoming connections. If you are working directly at the terminal, then there’s no problem. Open the file /etc/ipkungfu/services.conf

and append ACCEPT beside the port that you want to open.

# Service Names and Protocols are lowercase, Targets are UPPERCASE.
#
# Example:
# ssh:22:tcp:ACCEPT
ftp-data:20:tcp
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
smtp:25:tcp
domain:53:tcp
bootps:63:tcp
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp
# Add your services below. The rule is:
# ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|or any valid target)] # extra comments
#

The, save the file. In the example, I have allowed connection for ports 22 (SSH) and 80 (HTTP). Open the file

/etc/ipkungfu/ipkungfu.conf

and configure it based on your server’s setting and your preferred setting.

# =========================================================================
# $Id: ipkungfu.conf 57 2005-11-02 17:04:20Z s0undt3ch $
# =========================================================================
# Please read the README and FAQ for more information
# Some distros (most notably Redhat) don’t have
# everything we need in $PATH so we specify it here.
# Make sure modprobe, iptables, and route are here,
# as well as ordinary items such as echo and grep.

# Default is as shown in the example below.
#PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin

# Set the path to ipkungfu’s runtime error log.
# Default: /var/log/ipkungfu.log
#IPKUNGFU_LOG=

# Your external interface
# This is the one that connects to the internet.
# Ipkungfu will detect this if you don’t specify.
EXT_NET=”eth0″
#EXT_NET=”eth1″
#EXT_NET=”ppp0″

# Your internal interfaces, if any. If you have more
# than 1 internal interface, separate them with
# spaces. If you only have one interface, put “lo”
# here. Default is auto-detected.
#INT_NET=”eth0″
#INT_NET=”eth1″
#INT_NET=”lo”

# IP Range of your internal network. Use “127.0.0.1″
# for a standalone machine. Default is a reasonable
# guess. Separate multiple ranges with spaces.
#LOCAL_NET=”192.168.0.0/255.255.0.0 10.0.0.0/255.0.0.0″

# Set this to 0 for a standalone machine, or 1 for
# a gateway device to share an Internet connection.
# Default is 1.
GATEWAY=0

# TCP ports you want to allow for incoming traffic
# Don’t add ports here that you intend to forward.
# This should be a list of tcp ports that have
# servers listening on them on THIS machine,
# separated by spaces. You can add port ranges
# delimited by hyphens, such as “20-22″. Default
# is none.
#ALLOWED_TCP_IN=”22 80″

# UDP ports to allow for incoming traffic
# See the comments above for ALLOWED_TCP_IN
#ALLOWED_UDP_IN=”"

# Temporarily block future connection attempts from an
# IP that hits these ports (If module is present)
# Hits to these ports will be logged as “BADGUY” hits
# regardless of log.conf settings.
FORBIDDEN_PORTS=”135 137 139″

# Drop all ping packets?
# Set to 1 for yes, 0 for no. Default is no.
BLOCK_PINGS=0

# Possible values here are “DROP”, “REJECT”, or “MIRROR”
#
# “DROP” means your computer will not respond at all. “Stealth mode”
#
# “REJECT” means your computer will respond with a
# message that the packet was rejected.
#
# “MIRROR”, if your kernel supports it, will swap the source and
# destination IP addresses, and send the offending packet back
# where it came from. USE WITH EXTREME CAUTION! Only use this if you fully
# understand the consequences.
#
# The safest option, and the default in each case,, is “DROP”. Don’t change
# unless you fully understand this.
# What to do with ‘probably malicious’ packets
#SUSPECT=”REJECT”
SUSPECT=”DROP”

# What to do with obviously invalid traffic
# This is also the action for FORBIDDEN_PORTS
#KNOWN_BAD=”REJECT”
KNOWN_BAD=”DROP”

# What to do with port scans
#PORT_SCAN=”REJECT”
PORT_SCAN=”DROP”

# How should ipkungfu determine your IP address? The default
# answer, “NONE”, will cause ipkungfu to not use the few
# features that require it to know your external IP address.
# This option is good for dialup users who run ipkungfu on
# bootup, since dialup users rarely use the features that
# require this, and the IP address for a dialup connection
# generally isn’t known at bootup. “AUTO” will cause
# ipkungfu to automatically determine the IP address of
# $EXT_NET when it is started. If you have a static IP
# address you can simply enter your IP address here.
# If you do port forwarding and your ISP changes your IP
# address, choose NONE here, or your port forwarding
# will break when your IP address changes. Default is
# “NONE”.
#GET_IP=”NONE”
#GET_IP=”AUTO”
GET_IP=”202.92.148.101″

# If the target for identd (113/tcp) is DROP, it can take
# a long time to connect to some IRC servers. Set this to
# 1 to speed up these connections with a negligible cost
# to security. Identd probes will be rejected with the
# ‘reject-with-tcp-reset’ option to close the connection
# gracefully. If you want to actually allow ident probes,
# and you’re running an identd, and you’ve allowed port
# 113 in ALLOWED_TCP_IN, set this to 0. Default is 0.
#DONT_DROP_IDENTD=0
# Set this to 0 if you’re running ipkungfu on a machine
# inside your LAN. This will cause private IP addresses
# coming in on $EXT_NET to be identified as a spoof,
# which would be inaccurate on intra-LAN traffic
# This will cause private IP addresses coming in on
# $EXT_NET to be identified as a spoof. Default is 1.
#DISALLOW_PRIVATE=1

# For reasons unknown to me, ipkungfu sometimes causes
# kernel panics when run at init time. This is my
# attempt to work around that. Ipkungfu will wait
# the specified number of seconds before starting, to
# let userspace/kernel traffic catch up before executing.
# Default is 0.
#WAIT_SECONDS=5

# This option, if enabled, will cause ipkungfu to set
# the default policy on all builtin chains in the filter
# table to ACCEPT in the event of a failure. This is
# intended for remote administrators who may be locked
# out of the firewall if ipkungfu fails. A warning to
# this effect will be echoed so that the situation can be
# rectified quickly. This is the same as running
# ipkungfu with –failsafe. Default is 0.
#FAILSAFE=0

# Configurable list of kernel modules to load at runtime.
# If no list is provided, the default and needed ones,
# ip_nat_irc, ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc,
# will still be loaded.
#MODULES_LIST=”"

The

EXT_NET=”eth0″

is you the active network interface.

GATEWAY=0

because I’m configuring a standalone server. I have also set the forbidden ports

FORBIDDEN_PORTS=”135 137 139″

I don’t block pings

BLOCK_PINGS=0

because the ping tool is an effective use to test for the connectivity of the server.
For suspected, bad ports and port scan, I drop the packets.

SUSPECT=”DROP”
KNOWN_BAD=”DROP”
PORT_SCAN=”DROP”

If you have a static IP address, set GET_IP to your IP address.

GET_IP=”202.92.148.101″

The save the file. Restart by ipkungfu

/etc/init.d/ipkungfu restart

open a terminal and enter:

apt-get install nmap

how to use nmap:

sudo nmap domainname (or IP address) is the most simple syntax to scan the open ports on the remote system. The other switches are used for more selective scans.

Command Line
How to use it

Nmap has lots of options, so we are going to focus on only some of them.

sudo nmap -sS -O 127.0.0.1
-sS
TCP SYN scan
-O
Enable Operating System detection

sudo nmap -sU 127.0.0.1
-sU
UDP ports scan

sudo nmap -sS -O -p 20-25 127.0.0.1
-sS
TCP SYN scan
-p 20-25
Scan on ports 20 to 25

sudo nmap -sS -F 127.0.0.1
-sS
TCP SYN scan
-F
Fast (limited port) scan

you can check the long nmap man page

Find: root ALL= (ALL) ALL

Replace with: root ALL=(ALL) NOPASSWD: ALL

Save that file.