HowtoForge - Linux Howtos and Tutorials - Security

Samba + Clamd + Samba-Vscan On CentOS 5.2

Fri, 28 Nov 2008 17:01:49 +0100

Samba + Clamd + Samba-Vscan On CentOS 5.2

This is a howto on getting samba + clamav + samba-vscan to work on a CentOS 5.2 system.

Setting Up ProFTPd + TLS On Ubuntu 8.10 (Intrepid Ibex)

Sun, 16 Nov 2008 19:23:24 +0100

Setting Up ProFTPd + TLS On Ubuntu 8.10 (Intrepid Ibex)

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up ProFTPd with TLS on an Ubuntu 8.10 server.

Installing ISP-fw (Firewall) On Linux

Tue, 28 Oct 2008 12:05:48 +0100

Installing ISP-fw (Firewall) On Linux

ISP-fW is a firewall script that provides port forwarding, packet filtering, stateful packet inspection, port redirection, masquerading, SNAT/ DNAT, TOS, and never the last it generates htb rules for bandwidth management. With ISP-fw, you can turn a PC into a gateway with shaping capabilities.

Preventing MySQL Injection Attacks With GreenSQL On Debian Etch

Sun, 26 Oct 2008 19:10:16 +0100

Preventing MySQL Injection Attacks With GreenSQL On Debian Etch

GreenSQL (or greensql-fw) is a firewall for MySQL databases that filters SQL injection attacks. It works as a reverse proxy, i.e., it takes the SQL queries, checks them, passes them on to the MySQL database and delivers back the result from the MySQL database. It comes with a web interface (called greensql-console) so that you can manage GreenSQL through a web browser. This guide shows how you can install GreenSQL and its web interface on a Debian Etch server.

Ultimate Security Proxy With Tor

Fri, 24 Oct 2008 13:21:30 +0200

Ultimate Security Proxy With Tor

Nowadays, within the growing web 2.0 environment you may want to have some anonymity, and use other IP addresses than your own IP. Or, for some special purposes - a few IPs or more, frequently changed. So no one will be able to track you. A solution exists, and it is called Tor Project, or simply tor. There are a lot of articles and howtos giving you the idea of how it works, I'm not going to describe here onion routing and its principles, I'll rather tell you how practically pull out the maximum out of it.

Firewall Management With Gufw On Ubuntu 8.04

Thu, 23 Oct 2008 19:20:25 +0200

Firewall Management With Gufw On Ubuntu 8.04

Gufw is a graphical frontend for managing an iptables firewall on an Ubuntu 8.04 desktop. It is based on ufw and enables you to allow or block pre-configured, common p2p, or individual ports. This guide shows how you can install and use Gufw on Ubuntu 8.04.

Secure SSH Using WiKID Two-Factor Authentication And TACACS+

Thu, 16 Oct 2008 13:26:26 +0200

Secure SSH Using WiKID Two-Factor Authentication And TACACS+

These instructions are designed to help you configure and test using the WiKID TACACS+ protocol module via Linux PAM on Red Hat. This document has been updated to cover pam .99 and higher. We assume that you have already installed the open-source WiKID Strong Authentication Server Community Edition.

How To Enforce Google SafeSearch With SafeSquid Proxy Server

Mon, 15 Sep 2008 19:56:24 +0200

How To Enforce Google SafeSearch With SafeSquid Proxy Server

Google offers users with an option to filter out results that contain explicit sexual content, called SafeSearch. It also displays a warning message with search results identified as sites that may install malicious software on your computer. You can enforce Google SafeSearch with SafeSquid Proxy, so that it overrides the user preferences, and displays only SafeSearch results.

Spam Blocking And Web Filtering With The Untangle 5.3 Network Gateway

Tue, 02 Sep 2008 17:19:07 +0200

Spam Blocking And Web Filtering With The Untangle 5.3 Network Gateway

Untangle bundles common open-source applications for blocking spam, spyware, viruses, adware and unwanted content on the network in one single Linux distribution. It can be integrated into existing networks either as a router or as a transparent bridge (directly behind the router, but before the switch that connects the client PCs with the router). The best thing about Untangle is that you don't have to reconfigure the client PCs - Untangle works out of the box.

Preventing Brute Force Attacks With Fail2ban On Mandriva 2008.1

Fri, 29 Aug 2008 15:34:25 +0200

Preventing Brute Force Attacks With Fail2ban On Mandriva 2008.1

In this article I will show how to install and configure fail2ban on a Mandriva 2008.1 system. Fail2ban is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.

Preventing Brute Force Attacks With Fail2ban On Fedora 9

Mon, 25 Aug 2008 17:54:51 +0200

Preventing Brute Force Attacks With Fail2ban On Fedora 9

In this article I will show how to install and configure fail2ban on a Fedora 9 system. Fail2ban is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.

Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-peruser On Debian Etch

Thu, 21 Aug 2008 18:38:18 +0200

Running Vhosts Under Separate UIDs/GIDs With Apache2 mpm-peruser On Debian Etch

This article explains how you can install and configure apache2-mpm-peruser on a Debian Etch server. apache2-mpm-peruser is an MPM (Multi-Processing Module) for the Apache 2 web server, very similar to apache2-mpm-itk, but faster (almost as fast as apache2-mpm-prefork). mpm-peruser allows you to run each of your vhosts under a separate UID and GID - in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts. It is based on metuxmpm, a working implementation of the perchild MPM. The result is a sane and secure web server environment for your users, without kludges like PHP's safe_mode.

How To Block Porn Pictures And Images With SafeSquid Proxy Server

Tue, 19 Aug 2008 14:40:33 +0200

How To Block Porn Pictures And Images With SafeSquid Proxy Server

Administrators can use various methods to block access to websites that are pornographic in nature, like URL Filter, URL Blacklist, Keyword Filter, etc. But many porn sites allow users to register their email IDs on their website and deliver the latest images and pictures to their personal emails. So if a user is allowed access to his personal mail, he can enjoy himself without having to access any porn site. Such images are also regularly displayed as ads and banners on other web pages, that might not be pornographic in nature. Pornographic Image Filter can analyze an image in real-time, and identify the ones that are pornographic in nature. It analyzes the graphical content like skin tone, contour, etc. to identify a pornographic image. It is a commercially distributed add-on plug-in and can be used with SafeSquid to block pornographic images. Although it is about 85%-90% accurate, it acts as a good deterrent.

How To Control Or Block Instant Messengers With SafeSquid Proxy Server

Tue, 29 Jul 2008 15:11:53 +0200

How To Control Or Block Instant Messengers With SafeSquid Proxy Server

In this tutorial I will explain how you can control or completely block access to a few instant messengers with SafeSquid, like Google Talk, Google chat within Gmail, MSN Messenger, Yahoo Messenger and Skype. Once you are familiar with the method of blocking these messengers, you should be able to block other messengers. Please note that these methods will only be effective, if you block all direct access to the router and firewall, except required ports like 25 & 110, so that users are able to access the net only through the proxy server. When all higher ports are blocked, most messenger try to communicate on port 80 and 443, which will have to go through the proxy, and thus allow you to control them. Most messengers also allow you to define proxy settings and username / password for authenticating Proxies.

How To Patch BIND9 Against DNS Cache Poisoning On Debian Etch

Mon, 28 Jul 2008 16:17:45 +0200

How To Patch BIND9 Against DNS Cache Poisoning On Debian Etch

This article explains how you can fix a BIND9 nameserver on a Debian Etch system so that it is not vulnerable anymore to DNS cache poisoning.