HowTo: ModSecurity on Debian

Here is a nice HowTo about installing and configuring ModSecurity on Debian. What is ModSecurity, you ask?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
It is also an open source project that aims to make the web application firewall technology available to everyone.

You can read the instructions here.

OSSEC v2.2 Released

My favorite cross-platform HIDS has been updated:

We are pleased to announce the general availability of OSSEC version 2.2.
This is a stability release, with heavy focus on bug fixes, code cleanup and a few new features. The most notable changes are:

  • Trend OSCE (Office scan) support – We added rules to properly monitor and analyze Trend logs
  • WordPress Monitoring – WordPress is a popular blogging platform with very little logging by default. We created a plugin to extend its logging capabilities and created rules on OSSEC to monitor it.
  • More Logging support – We added support for vpopmail, roundcube, Netscreen IDS and a few more log formats.

And much more… Check out the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

If you don’t know about OSSEC, here is a nice summary of the benefits.

09-09-2009.org

The online group known as “Anonymous” has set up a web site at 09-09-2009.org to make known their dislike of Australia’s Internet Censorship initiative. They are asking for the abolishment of the censorship initiative and the resignation of Stephen Conroy, the Minister for Broadband, Communications and the Digital Economy in the Rudd Labor Government. The SANS Internet Storm Center suggests that a massive DDoS, or other attacks, may take place today.

Stay tuned.

How to Keep WordPress Secure

An active worm has been attacking WordPress installations that have not been updated to at least version 2.8.3 or 2.8.4:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.

See the whole post here.