Friday, February 26, 2016

The most reliable hard drives in 2015, according to Backblaze

Backblaze, a cloud storage company, records the reliability of different hard drives from different suppliers. The 2015 numbers reveal the success of the 4TB Seagate ST4000DM000, of which Backblaze now owns almost 30,000.
Backblaze bar chart of drive failures by manufacturer
Here's a surprise: Seagate hard drives may now be more reliable than Western Digital models, according to Backblaze's Hard Drive Reliability Review for 2015. The failure rates in the bar chart above are cumulative from April 2013 to the end of 2015, by which time the company had 56,224 hard drives containing customer data in 1,249 Backblaze Storage Pods.
Backblaze added around 65 petabytes of storage last year. The company says: "nearly all of the 16,000+ drives purchased in 2015 have been Seagate drives." Of those, "over 85 percent were 4TB Seagate drives."
Previously, some Seagate hard drives exhibited high failure rates, with almost a third of Backblaze's 3TB Seagate drives (ST3000DM001) failing in 2012. In September 2014, I reported that "the three least reliable drives tested are all Seagate Barracuda models. The Seagate Barracuda 7200.11 has had an annual failure rate of 24.9 percent, the 3TB 7200.14 of 15.7 percent, and the 1.5TB Barracuda LP of 9.6 percent." (See Who makes the most reliable hard disk drives? Backblaze has updated its stats)
As Robin Harris reported here in April, Backblaze eventually pulled the 3TB Seagate drives out of service.
Historically, HGST (formerly Hitachi Global Storage Technologies, but now owned by Western Digital) hard drives have been by far the most reliable, but in 2015, Backblaze still went for Seagate. The company explains that "the HGST 4TB drives, while showing exceptionally low failure rates, are no longer available having been replaced with higher priced, higher performing models. The readily available and highly competitive price of the Seagate 4TB drives, along with their solid performance and respectable failure rates, have made them our drive of choice."
Backblaze now reports that the Seagate 4TB hard drives had a failure rate of just under 3 percent, which was only a little higher than the 4TB WD models (barchart below).
There's an obvious reason for the improvement in Seagate hard drive reliability at Backblaze. By the end of the year, the company had removed all its 1TB, 2TB and 3TB Seagate drives and replaced them with 4TB and 6TB models.
Further good news is that the Seagate 6TB drives are performing "even better than the 4TB Seagate drives". However, the cost per terabyte is higher, and it's hard to buy them in large volumes. Also, they use 60 percent more power: 9.0W vs 5.6W.
"Today, we mix 6TB filled Storage Pods and 4TB filled Storage Pods in the same rack to optimize both power consumption and the storage space per square foot," says Backblaze.
The extraordinary reliability of Backblaze's 2TB HGST drives means the company is still running 4,500 of them. Backblaze says: "Their average age is nearly 5 years (58.6 months) and their cumulative failure rate is a meager 1.55 percent. At some point we will want to upgrade the 100 Storage Pods they occupy to 4- or 6TB drives, but for now the 2TB HGST drives are performing very well."
It looks as though the 4TB and 6TB drives are sweet spots for high volume data storage, pending the arrival of high volumes of affordable 8TB drives. And while HGST drives may be more reliable, the 4TB and 6TB Seagates are reliable enough to be cost effective in Backblaze Storage Pods.
Backblaze bar chart of 4TB drive failures


Monday, February 22, 2016

Apache Web Server Hardening & Security Guide

Secure Apache Web Server – Practical Guide

1       Introduction

The web server is a crucial part of web-based applications. Apache Web Server is often placed at the edge of the network, which makes it one of the most exposed services to attack. The default configuration discloses a lot of sensitive information that may help an attacker prepare an attack on the web server.
The majority of web application attacks are XSS, information leakage, session management and PHP injection attacks, which result from weak programming and failure to sanitize the web application infrastructure. According to the security vendor Cenzic, 96% of tested applications have vulnerabilities. The chart below from Cenzic shows the vulnerability trend report for 2013.

This practical guide provides the skill set needed to secure Apache Web Server. In this course, we will talk about how to harden and secure Apache Web Server on the Unix platform. The following has been tested on Apache 2.4.x, and I don't see any reason it won't work with Apache 2.2.x.
  1. This assumes you have installed Apache on a UNIX platform. If not, you can go through the installation guide. You can also refer to a free video on how to install Apache, MySQL & PHP.
  2. We will refer to the Apache installation directory /opt/apache as $Web_Server throughout this course.
  3. You are advised to take a backup of the existing configuration file before any modification.

1.1  Audience

This is designed for middleware administrators, application support, system analysts, or anyone working on or eager to learn hardening and security guidelines. Fair knowledge of Apache Web Server and UNIX commands is mandatory.

2       Information Leakage

In the default Apache configuration there is a lot of sensitive information disclosure, which can be used to prepare for an attack. Understanding and securing these disclosures is one of the most critical tasks for an administrator. As per the Cenzic report, 16% of vulnerabilities are information leakage. We need a tool to examine HTTP headers for verification. Let's do this by installing the Firebug add-on in Firefox.

  • Click on Install Now
  • Restart Firefox
  • You can see the Firebug icon in the top right bar

We will use this icon to open the Firebug console and view HTTP header information. There are also many online tools that check HTTP header information; here is one you can try out: http://tools.geekflare.com/seo/tool.php?id=check-headers

2.1  Remove Server Version Banner

I would say this is one of the first things to consider, as you don't want to expose which web server version you are using. Exposing the version helps an attacker speed up the reconnaissance process. The default configuration exposes the Apache version and OS type as shown below.
Implementation:
  • Go to $Web_Server/conf folder
  • Modify httpd.conf by using vi editor
  • Add following directive and save the httpd.conf
ServerTokens Prod
ServerSignature Off
  • Restart apache
ServerSignature Off removes the version information from pages generated by Apache, such as the 403, 404 and 502 error pages. ServerTokens Prod reduces the Server header to the product name only, i.e. Apache.
Verification:
  • Open Firefox
  • Activate Firebug by clicking the Firebug icon at the top right
  • Click on the Net tab

  • Hit the URL in the address bar
  • Expand the GET request; you can see the Server header now shows just Apache, which is much better than exposing the version and OS type.

2.2  Disable directory browser listing

Disable directory listing in the browser so visitors don't see which files and folders you have under the root or a sub-directory. Let's test how it looks with the default settings.
  • Go to $Web_Server/htdocs directory
  • Create a folder and few files inside that
# mkdir test
# touch hi
# touch hello
Now, let's try to access Apache at http://localhost/test
As you can see, it reveals all the files and folders you have, which you certainly don't want to expose.
Implementation:
  • Go to $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for Directory and change the Options directive to None or -Indexes
<Directory /opt/apache/htdocs>
Options None
Order allow,deny
Allow from all
</Directory>
(or)
<Directory /opt/apache/htdocs>
Options -Indexes
Order allow,deny
Allow from all
</Directory>
  • Restart Apache
Note: if you have multiple Directory directives in your environment, you should consider doing the same for all.
Verification:
Now, let's try to access Apache at http://localhost/test
As you can see, it displays a Forbidden error instead of showing the test folder listing.

2.3  Etag

The default ETag header allows remote attackers to obtain sensitive information such as the inode number, multipart MIME boundary and child process. To prevent this, let's implement the fix below. Fixing it is required for PCI compliance.
Implementation:
  • Go to $Web_Server/conf directory
  • Add following directive and save the httpd.conf
FileETag None
  • Restart apache
Verification:
  • Open Firefox and access your application
  • Check the HTTP response headers in Firebug; you should not see ETag at all.

3       Authorization

3.1  Run Apache from non-privileged account

The default Apache configuration runs as nobody or daemon. It's good to use a separate non-privileged user for Apache. The idea here is to protect the other services running on the server in case of any security hole.
Implementation:
  • Create a user and group called apache
# groupadd apache
# useradd -g apache apache
  • Change the Apache installation directory ownership to the newly created non-privileged user
# chown -R apache:apache /opt/apache
  • Go to $Web_Server/conf
  • Modify httpd.conf using vi
  • Search for the User & Group directives and change them to the non-privileged account apache
User apache
Group apache
  • Save httpd.conf
  • Restart Apache
Verification:
Grep for the running httpd process and ensure it's running as the apache user
# ps -ef | grep http
Note: You will see one process running as root. That's because Apache is listening on port 80 and has to be started as root. We will talk about how to change the port number later in this course.

3.2  Protect binary and configuration directory permission

By default, the permissions on the binary and configuration directories are 755, which means any user on the server can read the configuration. You can disallow other users from getting into the conf and bin folders.
Implementation:
  • Go to $Web_Server directory
  • Change the permissions of the bin and conf folders
# chmod -R 750 bin conf
Verification:
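The guide leaves the verification of sections 3.1 and 3.2 to the reader. The script below is an added example (not from the original guide) that performs it from a shell: it reads the active User directive from httpd.conf and checks that bin/ and conf/ have no permission bits set for "other". It assumes the guide's layout ($Web_Server = /opt/apache with conf/httpd.conf inside); the demo builds a throwaway tree with mktemp so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original guide: verification for the
# non-privileged user (3.1) and the 750 permissions on bin/ and conf/ (3.2).
# Assumes the guide's layout: $Web_Server = /opt/apache, httpd.conf in conf/.
# Run it on a real install as: check_install /opt/apache

# conf_user FILE: value of the active User directive (commented lines and
# UserDir are ignored); prints nothing if there is none.
conf_user() {
  sed -n 's/^[[:space:]]*User[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# user_is_unprivileged NAME: true unless NAME is empty or root.
user_is_unprivileged() {
  [ -n "$1" ] && [ "$1" != "root" ]
}

# others_have_access PATH: true if any r/w/x bit is set for "other".
# Reads the ls -ld mode string (chars 8-10) so it works on GNU and BSD alike.
others_have_access() {
  mode=$(ls -ld "$1" | cut -c8-10)
  [ "$mode" != "---" ]
}

# check_install DIR: run both checks, print findings, exit 1 if any.
check_install() {
  dir=$1
  n=0
  u=$(conf_user "$dir/conf/httpd.conf")
  if ! user_is_unprivileged "$u"; then
    echo "User directive is '${u:-unset}': run Apache as a dedicated non-root account"
    n=$((n+1))
  fi
  for d in bin conf; do
    if others_have_access "$dir/$d"; then
      echo "$dir/$d is readable by other users (chmod -R 750 $d)"
      n=$((n+1))
    fi
  done
  [ "$n" -eq 0 ]
}

# Demo on a constructed tree that stands in for /opt/apache.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin" "$tmp/conf"
  printf '# User daemon\nUser apache\nGroup apache\n' > "$tmp/conf/httpd.conf"
  chmod 755 "$tmp/bin" "$tmp/conf"       # the default the guide describes
  echo "== before chmod =="
  check_install "$tmp" || true
  chmod 750 "$tmp/bin" "$tmp/conf"       # section 3.2 fix
  echo "== after chmod =="
  check_install "$tmp" && echo "-> clean"
  rm -rf "$tmp"
}
demo
```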

3.3  System Settings Protection

In the default installation, users can override the Apache configuration using .htaccess. If you want to stop users changing your Apache server settings, set AllowOverride to None as shown below. This must be done at root level.
Implementation:
  • Go to $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for the Directory block at root level
<Directory />
Options -Indexes
AllowOverride None
</Directory>
  • Save httpd.conf
  • Restart Apache

3.4  HTTP Request Methods

HTTP 1.1 supports many request methods, not all of which may be required, and some of them carry potential risk. Typically you only need the GET, HEAD and POST request methods in a web application, which can be configured in the respective Directory directive. The default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP 1.1.
Implementation:
  • Go to $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for the Directory block and add the following inside it
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
Note: TRACE cannot be restricted with LimitExcept; it is turned off with the TraceEnable directive covered in section 4.1.1.

4       Web Application Security

A misconfigured or improperly hardened Apache web server can be used to exploit the web application. It's critical to harden your web server configuration.

4.1  Cookies

4.1.1            Disable Trace HTTP Request

By default the TRACE method is enabled in Apache web server. Having it enabled can allow a Cross Site Tracing attack, potentially giving an attacker a way to steal cookie information. Let's see how it looks in the default configuration.
  • Telnet to the web server IP on its listen port
  • Make a TRACE request as shown below
#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

20
TRACE / HTTP/1.1
Host: test

0

Connection closed by foreign host.
#
As you can see in the TRACE request above, the server echoed my request back. Let's disable it and test again.
Implementation:
  • Go to $Web_Server/conf directory
  • Add the following directive and save httpd.conf
TraceEnable off
  • Restart Apache
Verification:
  • Telnet to the web server IP on its listen port and make a TRACE request as shown below
#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 405 Method Not Allowed
Date: Sat, 31 Aug 2013 02:18:27 GMT
Server: Apache
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Connection closed by foreign host.
#
As you can see, the TRACE request above was rejected with HTTP 405 Method Not Allowed. This web server no longer allows TRACE requests, which helps block Cross Site Tracing attacks.

4.1.2            Set cookie with HttpOnly and Secure flag

You can mitigate many common Cross Site Scripting attacks by setting the HttpOnly and Secure flags on cookies. Without HttpOnly and Secure, it is possible to steal or manipulate the web application's session and cookies, which is dangerous.
Implementation:
  • Ensure mod_headers.so is enabled in your httpd.conf
  • Go to $Web_Server/conf directory
  • Add the following directive and save httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
  • Restart Apache
Verification:
  • Open Firefox and access your application
  • Check the HTTP response headers in Firebug; you should see Set-Cookie flagged with HttpOnly and Secure as shown below.

4.2  Clickjacking Attack

Clickjacking is a well-known web application vulnerability. You can refer to my previous post Secure Your Web Site from Clickjacking Attack.
Implementation:
  • Ensure mod_headers.so is enabled in your httpd.conf
  • Go to $Web_Server/conf directory
  • Add the following directive and save httpd.conf
Header always append X-Frame-Options SAMEORIGIN
  • Restart Apache
Verification:
  • Open Firefox and access your application
  • Check HTTP response headers in firebug, you should see X-Frame-Options as shown below.

4.3  Server Side Include

Server Side Includes (SSI) carry the risk of increasing load on the server. If you have a shared environment and heavy-traffic web applications, you should consider disabling SSI by adding -Includes to the Options directive. An SSI attack allows exploitation of a web application by injecting scripts into HTML pages or executing code remotely.
Implementation:
  • Go to $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for Directory and add -Includes to the Options directive
<Directory /opt/apache/htdocs>
Options -Indexes -Includes
Order allow,deny
Allow from all
</Directory>
  • Restart Apache
Note: if you have multiple Directory directives in your environment, you should consider doing the same for all.

4.4  X-XSS Protection

Browser Cross Site Scripting (XSS) protection can be bypassed in many browsers. You can force this protection on for your web application even if it was disabled by the user. This is used by the majority of giant web companies like Facebook, Twitter, Google, etc.
Implementation:
  • Go to $Web_Server/conf directory
  • Open httpd.conf using vi and add the following Header directive
Header set X-XSS-Protection "1; mode=block"
  • Restart Apache
Verification:
  • Open Firefox and access your application
  • Check the HTTP response headers in Firebug; you should see XSS protection enabled with mode=block.
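The Firebug checks in sections 2.1, 2.3, 4.1.2, 4.2 and 4.4 can be scripted. The shell script below is an added example, not code from the original guide: it audits a block of response headers against those five settings and reports what is still missing. The header blocks embedded in it are constructed samples; on a real server, feed it the output of `curl -sI https://your-host/` (hostname is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the response headers
# that the guide tells you to inspect in Firebug, so the check can run from
# a shell (cron, CI, post-deploy). Pass any header block; for a live server:
#   audit_headers "$(curl -sI https://your-host/)"   # hostname is a placeholder

# Constructed sample: roughly what a default Apache install sends.
BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache/2.4.4 (Unix) OpenSSL/1.0.1e
ETag: "1a2b-4d5-9f8e7d6c"
Set-Cookie: SESSIONID=abc123; Path=/
Content-Type: text/html'

# Constructed sample: the same response after applying the guide's directives.
AFTER_HEADERS='HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Set-Cookie: SESSIONID=abc123; Path=/;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html'

# header_value NAME HEADERS: value of the first header called NAME
# (case-insensitive, CR stripped); prints nothing if absent.
header_value() {
  printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 |
    sed 's/^[^:]*:[[:space:]]*//'
}

# audit_headers HEADERS: print one finding per line; exit 0 if clean, 1 if not.
audit_headers() {
  h=$1
  n=0
  # 2.1: ServerTokens Prod leaves exactly "Apache"
  case "$(header_value Server "$h")" in
    Apache) ;;
    *) echo "Server header exposes version/OS (set ServerTokens Prod)"; n=$((n+1)) ;;
  esac
  # 2.3: FileETag None removes the header entirely
  if [ -n "$(header_value ETag "$h")" ]; then
    echo "ETag present (set FileETag None)"; n=$((n+1))
  fi
  # 4.1.2: cookie flags added by the Header edit rule
  cookie=$(header_value Set-Cookie "$h")
  if [ -n "$cookie" ]; then
    case "$cookie" in *[Hh]ttp[Oo]nly*) ;; *) echo "Set-Cookie without HttpOnly"; n=$((n+1)) ;; esac
    case "$cookie" in *[Ss]ecure*) ;; *) echo "Set-Cookie without Secure"; n=$((n+1)) ;; esac
  fi
  # 4.2 and 4.4: headers set by mod_headers
  [ -n "$(header_value X-Frame-Options "$h")" ] ||
    { echo "X-Frame-Options missing"; n=$((n+1)); }
  [ -n "$(header_value X-XSS-Protection "$h")" ] ||
    { echo "X-XSS-Protection missing"; n=$((n+1)); }
  [ "$n" -eq 0 ]
}

# count_findings HEADERS: number of findings, handy for scripting.
count_findings() {
  audit_headers "$1" | wc -l | tr -d ' '
}

echo "== before hardening =="
audit_headers "$BEFORE_HEADERS" || echo "-> $(count_findings "$BEFORE_HEADERS") finding(s)"
echo "== after hardening =="
audit_headers "$AFTER_HEADERS" && echo "-> clean"
```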

4.5  Disable HTTP 1.0 Protocol

When we talk about security, we should protect as much as we can. So why use the older HTTP protocol version? Let's disable it as well. HTTP 1.0 has security weaknesses related to session hijacking. We can disable it using the mod_rewrite module.
Implementation:
  • Ensure the mod_rewrite module is loaded in httpd.conf
  • Enable the RewriteEngine directive as follows and add a rewrite condition that allows only HTTP 1.1
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

4.6  Timeout value configuration

By default the Apache Timeout value is 300 seconds, which leaves the server open to Slowloris and DoS attacks. To mitigate this you can lower the timeout value to, say, 60 seconds.
Implementation:
  • Go to $Web_Server/conf directory
  • Open httpd.conf using vi
  • Add the following in httpd.conf
Timeout 60

5       SSL

Having SSL adds a layer of security to the web application. However, the default SSL configuration leads to certain vulnerabilities, and you should consider tweaking those settings. We need a tool to verify the SSL settings. There are many available; I will use the free SSLScan tool, which you can download from http://sourceforge.net/projects/sslscan/

5.1  SSL Key

Breaking an SSL key is hard, but not impossible. It's just a matter of computational power and time. As you might know, a 2009-era PC cracking away for around 73 days can reverse engineer a 512-bit key. So the longer your key, the harder it becomes to break. The majority of giant web companies use 2048-bit keys, as listed below, so why don't we?
  • Outlook.com
  • Microsoft.com
  • Live.com
  • Skype.com
  • Apple.com
  • Yahoo.com
  • Bing.com
  • Hotmail.com
  • Twitter.com
Implementation:
  • You can use openssl to generate a CSR with a 2048-bit key as below.
  • Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt
  • Generate a new CSR and private key
openssl req -out localhost.csr -new -newkey rsa:2048 -nodes -keyout localhost.key
  • Point the directives below in httpd-ssl.conf at your personal certificate, key file and signer certificate
SSLCertificateFile      (personal certificate, e.g. localhost.crt)
SSLCertificateKeyFile   (key file, e.g. localhost.key)
SSLCACertificateFile    (signer certificate file)
Verification:
Execute the sslscan utility with the following parameters. Change localhost to your actual domain name.
sslscan localhost | grep -i key

  • As you can see, the current SSL key is 2048 bits, which is stronger.

5.2  SSL Cipher

An SSL cipher is the encryption algorithm used to protect the traffic between two computers over the Internet. Data encryption is the process of converting plain text into ciphertext. Which encryption is used depends on your web server's SSL cipher configuration, so it's important to configure ciphers that are strong and not vulnerable. Let's validate the ciphers accepted in the current SSL configuration with the sslscan utility, using the command below. Change localhost to your actual domain name.
sslscan --no-failed localhost
As you can see above, in the current configuration the DHE, AES, EDH and RC4 ciphers are accepted. Now if you are performing a penetration test or PCI compliance test, your report will say RC4 cipher detected. RC4 was recently found to be a weak cipher, and to pass certain security tests you must not accept RC4 or any other weak cipher. You should also ensure you do not accept any cipher of less than 128 bits.
Implementation:
  • Go to $Web_Server/conf/extra folder
  • Modify the SSLCipherSuite directive in httpd-ssl.conf as below to reject RC4
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
  • Save the configuration file and restart the Apache server
Note: if you have many weak ciphers in your SSL audit report, you can reject them by adding ! in front of each. For example, to reject RC4: !RC4
Verification:
Again, we will use the sslscan utility to validate, with the command below. Change localhost to your actual domain name.
sslscan --no-failed localhost
Now we no longer see RC4 among the accepted ciphers. It's good to reject any low, medium, null or vulnerable cipher so you don't have to worry about being attacked through it. You can also scan your domain with Qualys SSL Labs to check whether you have weak or vulnerable ciphers in your environment.
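Before restarting Apache with a new SSLCipherSuite string, it is worth seeing what the string expands to. The script below is an added example (not from the original guide) that applies the rejection rules this section states, no RC4, no anonymous or NULL authentication, no MD5 MAC, nothing under 128 bits, to an `openssl ciphers -v` listing, which mod_ssl interprets the same way. The listing embedded in the script is a constructed sample; audit_cipher_string uses the local openssl if one is installed.

```shell
#!/bin/sh
# Added example, not part of the original guide: check what an SSLCipherSuite
# string actually allows, using the guide's rules (section 5.2): reject RC4,
# anonymous/NULL authentication, MD5 MACs and anything under 128 bits.

# Constructed sample in `openssl ciphers -v` format (not a capture of any
# particular OpenSSL build).
SAMPLE_LIST='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5'

# flag_weak_ciphers: read `openssl ciphers -v` lines on stdin and print
# "<name> <reason...>" for every cipher the guide says to reject.
flag_weak_ciphers() {
  awk '{
    name = $1; reason = ""
    for (i = 3; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "Au" && kv[2] == "None") reason = reason " anonymous-auth"
      if (kv[1] == "Mac" && kv[2] == "MD5") reason = reason " md5-mac"
      if (kv[1] == "Enc") {
        alg = kv[2]; sub(/\(.*/, "", alg)                 # e.g. RC4
        bits = kv[2]; sub(/.*\(/, "", bits); sub(/\).*/, "", bits)   # e.g. 128
        if (alg == "RC4") reason = reason " rc4"
        if (alg == "None") reason = reason " null-cipher"
        if (bits + 0 < 128) reason = reason " " bits "-bit"
      }
    }
    if (reason != "") print name reason
  }'
}

# count_weak LISTING: number of rejected ciphers in the given listing.
count_weak() {
  printf '%s\n' "$1" | flag_weak_ciphers | wc -l | tr -d ' '
}

# audit_cipher_string SPEC: expand SPEC with the local openssl and flag weak
# entries. Exit 0 if none, 1 if some were found, 2 if openssl is unavailable.
audit_cipher_string() {
  command -v openssl >/dev/null 2>&1 || return 2
  out=$(openssl ciphers -v "$1" | flag_weak_ciphers)
  [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

echo "== weak entries in the sample listing =="
printf '%s\n' "$SAMPLE_LIST" | flag_weak_ciphers
echo "== the guide's SSLCipherSuite, expanded by the local openssl =="
audit_cipher_string 'HIGH:!MEDIUM:!aNULL:!MD5:!RC4' && echo "-> no weak ciphers" || echo "-> rc=$?"
```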

5.3  Disable SSL v2

SSL v2 has many security flaws, and if you are working towards a penetration test or PCI compliance, you are expected to close the finding by disabling SSL v2. Any SSL v2 communication may be vulnerable to a man-in-the-middle attack that could allow data tampering or disclosure. Let's configure the Apache web server to accept only the later SSL v3 and TLS v1 and reject SSL v2 connection requests.
Implementation:
  • Go to $Web_Server/conf/extra folder
  • Modify the SSLProtocol directive in httpd-ssl.conf as below to accept only SSL v3 and TLS v1
SSLProtocol -ALL +SSLv3 +TLSv1
Verification:
Let's use the sslscan utility to validate, with the command below. Change localhost to your actual domain name.
sslscan --no-failed localhost
As you can see above, only SSLv3 and TLSv1 are accepted, which is safe from the SSLv2 vulnerabilities.

6       Mod Security

Mod Security is an open-source web application firewall which you can use with Apache. It comes as a module which you have to compile and install. If you can't afford a commercial web application firewall, this is a good choice. Mod Security says: in order to provide generic web application protection, the Core Rules use the following techniques:
  • HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy
  • Real-time Blacklist Lookups – utilizes 3rd party IP reputation
  • Web-based Malware Detection – identifies malicious web content by checking against the Google Safe Browsing API
  • HTTP Denial of Service Protections – defense against HTTP flooding and slow HTTP DoS attacks
  • Common Web Attacks Protection – detecting common web application security attacks
  • Automation Detection – detecting bots, crawlers, scanners and other surface malicious activity
  • Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application
  • Tracking Sensitive Data – tracks credit card usage and blocks leakages
  • Trojan Protection – detecting access to Trojan horses
  • Identification of Application Defects – alerts on application misconfigurations
  • Error Detection and Hiding – disguising error messages sent by the server

6.1  Download & Installation

The following prerequisites must be installed on the server where you wish to use Mod Security with Apache. If any one of these is missing, the Mod Security compilation will fail. You may use yum install on Linux or CentOS to install these packages.
  • apache 2.x or higher
  • libpcre package
  • libxml2 package
  • liblua package
  • libcurl package
  • libapr and libapr-util package
  • mod_unique_id module bundled with Apache web server
Now, let's download the latest stable version of Mod Security, 2.7.5, from http://www.modsecurity.org/download/
  • Transfer the downloaded file to /opt/apache
  • Extract modsecurity-apache_2.7.5.tar.gz
# gunzip -c modsecurity-apache_2.7.5.tar.gz | tar xvf -
  • Go to the extracted folder modsecurity-apache_2.7.5
# cd modsecurity-apache_2.7.5
  • Run the configure script, passing the apxs path of the existing Apache
# ./configure --with-apxs=/opt/apache/bin/apxs
  • Compile & install with make
# make
# make install
  • Once installation is done, you should see mod_security2.so in the modules folder under /opt/apache as shown below
This concludes the installation of the Mod Security module in the existing Apache web server.

6.2  Configuration

In order to use the Mod Security feature with Apache, we have to load the Mod Security module in httpd.conf. The mod_unique_id module is a prerequisite for Mod Security: it provides an environment variable with a unique identifier for each request, which is tracked and used by Mod Security.
  • Add the following lines to httpd.conf to load the modules for Mod Security, and save the configuration file
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
  • Restart the Apache web server
Mod Security is now installed! The next thing to do is install the Mod Security Core Rules to take full advantage of its features. The latest Core Rules can be downloaded for free from https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master
  • Copy the downloaded core rules zip to the /opt/apache/conf folder
  • Unzip the core rules file; you should see the extracted folder as shown below

  • You may wish to rename the folder to something short and easy to remember. In this example, I will rename it to crs.

  • Go to the crs folder and rename modsecurity_crs_10_setup.conf.example to modsecurity_crs_10_setup.conf
Now, let's enable these rules to get them working with the Apache web server.
  • Add the following in httpd.conf
<IfModule security2_module>
Include conf/crs/modsecurity_crs_10_setup.conf
Include conf/crs/base_rules/*.conf
</IfModule>
In the configuration above, we load the Mod Security main configuration file modsecurity_crs_10_setup.conf and the base rules base_rules/*.conf provided by the Mod Security Core Rules to protect web applications.
  • Restart the Apache web server
You have successfully configured Mod Security with Apache! Well done. The Apache web server is now protected by the Mod Security web application firewall.

6.3  Getting Started

Let's get started with some of the important configuration in Mod Security to harden and secure web applications. In this section, we will make all configuration modifications in /opt/apache/conf/crs/modsecurity_crs_10_setup.conf, which we will refer to as setup.conf for short. It's important to understand which OWASP rules are provided for free. The following types of rules are provided by OWASP:
Base Rules – these rules are heavily tested and the false alarm ratio is probably low.
Experimental Rules – these rules are for experimental purposes and you may see a high false alarm rate. It's important to configure, test and validate them in UAT before using them in a production environment.
Optional Rules – these optional rules may not be suitable for every environment; use them based on your requirements. If you are looking for CSRF, user tracking, session hijacking, etc. protection, consider using the optional rules.
We have base, optional and experimental rules after extracting the crs zip file downloaded from the OWASP download page. Their configuration files are in the crs/base_rules, crs/optional_rules and crs/experimental_rules folders. Let's get familiar with some of the base rules.
  • modsecurity_crs_20_protocol_violations.conf: protects from protocol vulnerabilities like response splitting, request smuggling and use of a non-allowed protocol (HTTP 1.0).
  • modsecurity_crs_21_protocol_anomalies.conf: protects from requests that are missing the Host, Accept or User-Agent header.
  • modsecurity_crs_23_request_limits.conf: this rule depends on application specifics like request size, upload size, parameter length, etc.
  • modsecurity_crs_30_http_policy.conf: configures and enforces allowed or disallowed methods like CONNECT, TRACE, PUT, DELETE, etc.
  • modsecurity_crs_35_bad_robots.conf: detects malicious robots.
  • modsecurity_crs_40_generic_attacks.conf: protects from OS command injection, remote file inclusion, etc.
  • modsecurity_crs_41_sql_injection_attacks.conf: protects from SQL injection and blind SQL injection requests.
  • modsecurity_crs_41_xss_attacks.conf: protects from Cross Site Scripting requests.
  • modsecurity_crs_42_tight_security.conf: directory traversal detection and protection.
  • modsecurity_crs_45_trojans.conf: detects generic file management output, uploading of HTTP backdoor pages and known signatures.
  • modsecurity_crs_47_common_exceptions.conf: used as an exception mechanism to remove common false positives that may be encountered, such as the Apache internal dummy connection, SSL pinger, etc.

6.3.1            Logging

Logging is one of the first things to configure, so you have a record of what Mod Security is doing. There are two types of logging available: debug and audit log.
Debug Log: duplicates the Apache error, warning and notice messages from the error log.
Audit Log: writes the transaction logs for requests that are marked by a Mod Security rule.
Mod Security gives you the flexibility to configure audit, debug or both logs. The default configuration writes both; you can change this based on your requirements. Logging is controlled by the SecDefaultAction directive. Let's look at the default logging configuration in setup.conf:
SecDefaultAction "phase:1,deny,log"
  • To write both debug and audit logs, use "log"
  • To write only the audit log, use "nolog,auditlog"
  • To write only the debug log, use "log,noauditlog"
You can specify where the audit log is stored with the SecAuditLog directive. Let's write the audit log to /opt/apache/logs/modsec_audit.log by adding the directive as shown below.
Implementation:
  • Add the SecAuditLog directive in setup.conf and restart the Apache web server
SecAuditLog /opt/apache/logs/modsec_audit.log
  • After the restart, you should see modsec_audit.log being generated as shown below.

6.3.2            Enable Rule Engine

By default the rule engine is off, which means that unless you enable it you are not getting the full benefit of Mod Security. Enabling or disabling the rule engine is controlled by the SecRuleEngine directive.
Implementation:
  • Add the SecRuleEngine directive in setup.conf and restart the Apache web server
SecRuleEngine On
There are three values for SecRuleEngine:
  • On – to enable Rule Engine
  • Off – to disable Rule Engine
  • DetectionOnly – enable Rule Engine but never executes any actions like block, deny, drop, allow, proxy or redirect
Once Rule Engine is on – Mod Security is ready to protect with some of the common attack types.

6.3.3            Common Attack Type Protection

Now the web server is ready to protect against common attack types like XSS, SQL injection, protocol violation, etc., as we have installed the Core Rules and turned on the rule engine. Let's test a few of them.
XSS Attack:
  • Open Firefox, access your application and put a <script> tag at the end of the URL as shown below
  • Monitor modsec_audit.log in the apache/logs folder
As you can see, Mod Security blocks the request as it contains a <script> tag, which is the root of an XSS attack.
Directory Traversal Attack: directory traversal attacks can do a lot of damage by taking advantage of this vulnerability to access system files, e.g. /etc/passwd, .htaccess, etc.
  • Open Firefox and access your application with a directory traversal in the URL, for example:
http://localhost/?../.../boot
  • Monitor modsec_audit.log in the apache/logs folder
  • As you can see, Mod Security blocks the request as it contains a directory traversal.

6.3.4            Change Server Banner

Earlier in this guide, you learnt how to remove the Apache and OS type and version with the help of the ServerTokens directive. Let's go one step further: how about setting the server name to whatever you wish? It's possible with the SecServerSignature directive in Mod Security. Interesting, isn't it?
Note: in order to use Mod Security to manipulate the Server banner in the header, you must set ServerTokens to Full in httpd.conf of the Apache web server.
Implementation:
  • Add the SecServerSignature directive with your desired server name in setup.conf and restart the Apache web server
SecServerSignature YourServerName
Ex:
[/opt/apache/conf/crs] #grep SecServer modsecurity_crs_10_setup.conf
SecServerSignature chandank.com
[/opt/apache/conf/crs] #
Verification:
  • Open Firefox and access your application
  • Check the HTTP response headers in Firebug; you should see the Server banner has changed, as shown below.

7       General Configuration

We will talk about some of the general configuration as best practice.

7.1  Configure Listen

When a server has multiple interfaces and IP addresses, it is recommended to bind the Listen directive to an explicit IP address and port. If Apache listens on all addresses, it can interfere with forwarding HTTP requests to another web server on the same host, and it exposes the service on interfaces (for example a management network) where it does not belong. This is quite common in shared environments.
Implementation:
  • Configure Listen directive in httpd.conf with absolute IP and port as shown example below
 Listen 10.10.10.1:80

7.2  Access Logging

It's essential to configure the access log properly. Two useful fields that Apache does not capture by default are the time taken to serve each request and the application's session identifier, assumed here to be a cookie named sessionID. You have to configure them manually as follows.
Implementation:
  • To capture the time taken to serve the request and the session ID in the access log
  •  Add %T and %{sessionID}C to the LogFormat directive in httpd.conf; the inner quotes must be escaped, otherwise the directive does not parse and Apache will not start
 LogFormat "%h %l %u %t \"%{sessionID}C\" \"%r\" %>s %b %T" common
%T records whole seconds; %D records microseconds and is usually more useful for spotting slow requests. This line overrides the standard common format; giving the format its own nickname and referencing that from CustomLog is cleaner. Also remember that the session cookie is a live credential: anyone who can read the access log, or the systems you ship it to, can hijack the sessions recorded in it, so restrict the log's permissions or log only a prefix or hash of the cookie value.
You can refer to http://httpd.apache.org/docs/2.2/mod/mod_log_config.html for the complete list of format strings supported by the LogFormat directive in the Apache web server.
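As an added example for this guide (not code from the Apache project), here is a small Python reader for lines written in the LogFormat above. The sample lines are constructed; the addresses, paths and session id values are placeholders. It handles the "-" that %b and %{sessionID}C emit when there is no response body or no cookie, lists the slow requests, and masks session ids before reporting so the report does not become another copy of live tokens.

```python
"""Read Apache access-log lines written with:
   LogFormat "%h %l %u %t \"%{sessionID}C\" \"%r\" %>s %b %T"

Added example for this guide, not code from the Apache project. SAMPLE_LOG
is constructed; the addresses, paths and session id values are placeholders.
"""
import re

LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<session>[^"]*)" "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<seconds>\d+)$')

SAMPLE_LOG = """\
10.10.10.5 - - [26/Feb/2016:10:15:01 +0000] "a1b2c3d4e5f6" "GET /account HTTP/1.1" 200 5120 0
10.10.10.5 - - [26/Feb/2016:10:15:07 +0000] "a1b2c3d4e5f6" "POST /report HTTP/1.1" 200 98231 12
10.10.10.9 - - [26/Feb/2016:10:15:09 +0000] "-" "GET /login HTTP/1.1" 200 1210 0
10.10.10.9 - bob [26/Feb/2016:10:15:20 +0000] "f6e5d4c3b2a1" "GET /export?all=1 HTTP/1.1" 500 - 31
"""

def parse_line(line):
    """One log line -> dict, or None if the line is not in this format."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['status'] = int(d['status'])
    d['bytes'] = 0 if d['bytes'] == '-' else int(d['bytes'])      # %b logs '-' for no body
    d['seconds'] = int(d['seconds'])                               # %T is whole seconds
    d['session'] = None if d['session'] == '-' else d['session']  # no sessionID cookie sent
    return d

def parse_log(text):
    """Parse every line, silently skipping lines in another format."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def mask_session(session, keep=4):
    """Keep a short prefix only, so reports do not become another copy of live tokens."""
    return '-' if session is None else session[:keep] + '...'

def slow_requests(records, threshold_seconds):
    """(masked session, request line, seconds) for every request at or above the threshold."""
    return [(mask_session(r['session']), r['request'], r['seconds'])
            for r in records if r['seconds'] >= threshold_seconds]

def requests_per_session(records):
    """How many requests each (masked) session made; '-' groups cookie-less requests."""
    counts = {}
    for r in records:
        key = mask_session(r['session'])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for row in slow_requests(recs, 10):
        print('slow:', *row)
    print(requests_per_session(recs))
```

If you switch the format to %D, change the last group to microseconds and divide by 1e6 in parse_line; the rest is unchanged.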

7.3  Disable Loading unwanted modules

If you compiled Apache with all modules, chances are many modules are loaded that your application does not need. Best practice is to load only the modules your web applications require. The following modules have known security concerns and you may want to disable them in httpd.conf.
WebDAV (Web-based Distributed Authoring and Versioning): this module allows remote clients to create and modify files on the server, and it has been subject to various denial-of-service attacks. To disable it, comment out the following in httpd.conf:
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf
Info module: mod_info exposes the complete server configuration through its handler, and once the module is loaded that handler can be enabled from any configuration file, including per-directory .htaccess files. To disable it, comment out the following in httpd.conf:
#LoadModule info_module modules/mod_info.so
After restarting, verify with httpd -M (or apachectl -M), which lists the modules actually loaded.
Reference: This guide wouldn't have been possible without guidance from the following link:
I hope this practical guide has helped you in securing your Apache Web Server. If you liked this, please help to share with your friends.

Monitoring logfiles with logsentry


I manage a fair number of servers, and use several tools to monitor the health of my systems. One such tool is logsentry (formerly known as logcheck), which is a shell script that can be used to monitor logfiles for anomalies. Logsentry consists of a single shell script and one or more violation files, and installing it is as simple as extracting the package and modifying the paths in the shell script. If you're using OpenBSD, you can use the pkg_add utility to add the logsentry package to your system:
$ export PKG_PATH="ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/"
$ pkg_add logsentry

logsentry-1.1.1p2: complete

--- logsentry-1.1.1p2 -------------------
The logsentry configuration files have been installed at
/etc/logsentry.
Please view these files and change the configuration to meet your needs.
Currently logsentry will check the following files:
/var/log/messages
/var/log/maillog
/var/log/authlog
/var/log/secure
/var/log/daemon
/var/log/xferlog
Edit /etc/logsentry/logsentry.sh
if you want to add more files.
Be sure to configure your crontab as indicated by
/usr/local/share/doc/logsentry/INSTALL
so that logsentry is run regularly.

After logsentry is installed, you can add a cron job similar to the following to enable it (the same line can be added with crontab -e instead of writing to the spool file directly):
$ echo "
# Check system logfiles
0 * * * * /bin/sh /etc/logsentry/logsentry.sh" >> /var/spool/cron/crontabs/root
Once logsentry is enabled, you will get email similar to the following each time an anomaly is detected:
from      Charlie Root
to        root
date  Nov 25, 2006 1:00 PM  
subject  yappy 11/25/06:13.00 system check  

Security Violations
=-=-=-=-=-=-=-=-=-=
Nov 25 16:25:57 yappy su: matty to root on /dev/ttyp0
Nov 26 05:18:40 yappy su: matty to root on /dev/ttyp0
Nov 26 05:22:10 yappy su: BAD SU matty to root on /dev/ttyp0
Nov 26 05:22:14 yappy su: matty to root on /dev/ttyp0
If logsentry emails you about an anomaly that you're not interested in, you can add a string that matches the message to logsentry.ignore (this is used to filter out messages from the Unusual System Events section) or logsentry.violations.ignore (this is used to filter out events from the Security Violations section). Logsentry works pretty well, and once the ignore files are adjusted to match the personality of the server, it can be a life saver (I like the fact that logsentry will send an email notification when a hardware error is written to the system logfiles).
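As an added example, not part of logsentry or of this post, the Python below reproduces the filtering that logsentry.sh does with grep: lines matching a logsentry.violations pattern and not a logsentry.violations.ignore pattern go under Security Violations; lines not matching a logsentry.ignore pattern go under Unusual System Events. The script runs each grep over the same temporary copy of the new log lines, so a routine su that you want silenced needs an entry in both ignore lists, which is what the sample shows. The pattern lists and log lines are constructed for the example (the real pattern files are much longer), and the su lines mirror the ones in the mail above.

```python
"""Reproduce logsentry's grep-based classification of new log lines.

Added example, not part of logsentry or of this post. Pattern lists and log
lines are constructed for illustration; the real logsentry.* files are longer.
"""
import re

# Approximations of the shipped pattern files (logsentry uses grep -i, so
# matching is case-insensitive).
VIOLATIONS = [r'su:', r'sudo', r'denied', r'refused', r'failed', r'BAD']
# Silence a known admin's routine su from the Security Violations section...
VIOLATIONS_IGNORE = [r'su: matty to root on /dev/ttyp']
# ...and from Unusual System Events too, together with routine noise.
IGNORE = [r'cron\[\d+\]: \(\w+\) CMD',
          r'newsyslog\[\d+\]: logfile turned over',
          r'su: matty to root on /dev/ttyp']

SAMPLE_LOG = """\
Nov 25 16:25:57 yappy su: matty to root on /dev/ttyp0
Nov 26 05:00:01 yappy cron[12345]: (root) CMD (/bin/sh /etc/logsentry/logsentry.sh)
Nov 26 05:18:40 yappy sshd[4821]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Nov 26 05:22:10 yappy su: BAD SU matty to root on /dev/ttyp0
Nov 26 05:30:12 yappy /bsd: wd0a: device timeout, resetting
Nov 26 06:00:00 yappy newsyslog[4911]: logfile turned over
"""

def _compile(patterns):
    return [re.compile(p, re.IGNORECASE) for p in patterns]

def _matches_any(line, compiled):
    return any(p.search(line) for p in compiled)

def classify(lines, violations=VIOLATIONS, violations_ignore=VIOLATIONS_IGNORE,
             ignore=IGNORE):
    """Return {'violations': [...], 'unusual': [...]}.

    Both sections are independent passes over the same lines, like the separate
    grep pipelines in logsentry.sh, so one line can legitimately appear in both."""
    v, vi, ig = _compile(violations), _compile(violations_ignore), _compile(ignore)
    return {
        'violations': [l for l in lines
                       if _matches_any(l, v) and not _matches_any(l, vi)],
        'unusual': [l for l in lines if not _matches_any(l, ig)],
    }

def report(lines):
    """Format the sections the way the logsentry mail does; empty ones are omitted."""
    result = classify(lines)
    out = []
    for title, key in (('Security Violations', 'violations'),
                       ('Unusual System Events', 'unusual')):
        if result[key]:
            out += [title, '=-' * 9 + '=', *result[key], '']
    return '\n'.join(out)

if __name__ == '__main__':
    print(report(SAMPLE_LOG.splitlines()))
```

In the sample, the routine "su: matty to root" line is dropped from both sections, the BAD SU and the failed ssh login show up under Security Violations (and again under Unusual System Events), and the disk timeout surfaces only under Unusual System Events, which is the hardware-error case mentioned above.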

Converting OVA to QCOW2 for use with QEMU/KVM



Extract the .ova file (an OVA is a plain tar archive containing an .ovf descriptor, usually a manifest, and one or more .vmdk disk images)
 $ tar -xvf file.ova
 
Convert each .vmdk to .qcow2 (the .ovf descriptor tells you which disk belongs to which virtual machine)
$ qemu-img convert -O qcow2 file.vmdk file.qcow2
 
Reference:
http://edoceo.com/notabene/ova-to-vmdk-to-qcow2


Monday, February 15, 2016

CIO

CHIEF INFORMATION OFFICER


The Chief Information Officer (CIO) will provide vision and leadership in developing and achieving a long-term technology strategy for the company that aligns with company business goals and objectives. The CIO will directly supervise all Informatics Department personnel and will be responsible for all computer hardware, software and data. 
Position requirements:
  • Master's degree required; a doctorate in Computer Science, Computer Information Systems, Management Information Systems, Business Administration or a related field is preferred.
  • Minimum of seven years’ experience managing and/or directing an IT operation.
  • Knowledge and minimum of five years of experience working in healthcare or biotechnology informatics.
  • Basic knowledge of genetics is preferred.
Responsibilities:
  • Work with department heads and senior company leadership to devise and prioritize annual and multi-year informatics goals. 
  • Achieve these goals while meeting project milestones and deadlines by utilizing appropriate project management techniques and tools including:
  • Directing and coordinating the daily activities of team members.
  • Ensuring user needs are understood regarding all projects.
  • Ensuring proper testing has been completed prior to implementation.
  • Recruit, retain, supervise and motivate all Informatics Department personnel.
  • Guide the development, implementation, support, maintenance, enhancement, and integration of high quality internally-written software. 
  • Investigate, purchase, install and integrate appropriate externally-developed software.
  • Build, maintain and secure databases that will store critical externally and internally-derived data. 
  • Research, plan, purchase and install new computer hardware as necessary and appropriate.
  • Develop, review, and certify all back-up and disaster recovery procedures and plans.
  • Ensure the security of the information systems, communication lines, and equipment.
  • Stay abreast of the human genetics and biotechnology industries to ensure the most up-to-date and cutting edge software, hardware, and technologies are in place.
  • Develop, implement and maintain user training programs. Provide directly or arrange new user training and advanced training for existing users.
Benefits:
  • Excellent compensation
  • Comprehensive health, dental, disability and life insurance
  • 401k and profit-sharing plan
  • Paid vacation and holidays
  • An employee fitness incentive plan
Environment: 
  • Marshfield, Wisconsin -- ranked fifth best place to live and raise a family in America. (2010-Forbes.com)
  • Outstanding public schools and continuous educational opportunities.
  • Affordable housing and world-class health care facilities: St. Joseph’s Hospital, Marshfield Medical Research Foundation and Marshfield Clinic.
To Apply:  Submit our online employment application located in the Careers tab on our website, www.preventiongenetics.com and attach a brief cover letter, resume, and official college transcripts.

PreventionGenetics
Human Resources
3800 S. Business Park Ave.
Marshfield, WI  54449
Phone:  715-387-0484 (ext. 162 or 115)
Email:  hr@preventiongenetics.com

PreventionGenetics is an Equal Opportunity Employer

Friday, February 12, 2016

PackStack, Foreman/Staypuft, Triple-O: Installation Tools for OpenStack

-----------------------------------

PackStack

-----------------------------------

 

Packstack is a utility that uses Puppet modules to deploy various parts of OpenStack on multiple pre-installed servers over SSH automatically. Currently only Fedora, Red Hat Enterprise Linux (RHEL) and compatible derivatives of both are supported.

Example Usage
All in One
$ packstack --allinone
 
Shorthand for:
$ packstack --install-hosts=<local ipaddr> \
            --novanetwork-pubif=<dev> \
            --novacompute-privif=lo \
            --novanetwork-privif=lo \
            --os-swift-install=y \
            --nagios-install=y
 
This option can be used to install an all in one OpenStack on this host.

-----------------------------------

Foreman

-----------------------------------

What is Foreman?

Foreman is an open source project that helps system administrators manage servers throughout their lifecycle, from provisioning and configuration to orchestration and monitoring. Using Puppet, Chef, Salt, and Foreman's smart proxy architecture, you can easily automate repetitive tasks, quickly deploy applications, and proactively manage change, both on-premise with VMs and bare-metal or in the cloud.
Foreman provides comprehensive, interaction facilities including a web frontend, CLI and RESTful API which enables you to build higher level business logic on top of a solid foundation.
Foreman is 5+ years old, and deployed in many organizations, managing from 10s to 10,000s of servers.
It is used in distributions such as RDO and RHOS (Red Hat OpenStack distribution) and has an extensive library of plugins.
With Foreman you can:
  • Discover, provision and upgrade your entire bare-metal infrastructure
  • Create and manage instances across private and public clouds
  • Group your hosts and manage them in bulk, regardless of location
  • Review historical changes for auditing or troubleshooting
  • Extend as needed via a robust plugin architecture
  • Automatically build images (on each platform) per system definition to optimize deployment

-----------------------------------

Staypuft

-----------------------------------

 

This is a plugin for foreman-installer that helps with the Staypuft installation. Staypuft is a Foreman plugin which allows users to install OpenStack.

How do I use it?

First you must install the RPM package named foreman-installer-staypuft. It can be downloaded from the Foreman plugin repositories, currently only from nightlies. You should add the whole repository because of other dependencies. The easiest way is to install the repo RPM by running:
yum install http://yum.theforeman.org/releases/latest/el6/x86_64/foreman-release.rpm
yum install foreman-installer-staypuft
Now you can run staypuft-installer. It automatically runs a wizard that asks a few questions specific to your environment. The result is Foreman with provisioning correctly configured and the Staypuft plugin enabled. Without any further effort you should be able to create your OpenStack deployment.
To provision on bare metal we use the foreman_discovery plugin, which requires you to download the images used to discover all machines. If you want the installer to download the images for you (recommended), run it like this:
staypuft-installer --foreman-plugin-discovery-install-images=true
Note that downloading will take some time; the images are ~200MB. You can download the images manually from here, but you have to copy and name them correctly yourself.


-----------------------------------

Triple-O

-----------------------------------

 

TripleO - OpenStack on OpenStack

TripleO is a program aimed at installing, upgrading and operating OpenStack clouds using OpenStack's own cloud facilities as the foundations - building on nova, neutron and heat to automate fleet management at datacentre scale (and scaling down to as few as 2 machines).
We gave a presentation at the Portland 2013 summit about TripleO.
TripleO is raw but usable today - see our tripleo-incubator for deployment instructions.

How to reset Windows 7 password without reset disk


If you forgot or lost your Windows 7 password and have no password reset disk, is there still a way to reset it quickly? Some people know one, but not everyone finds it easily.
Naturally, the easiest and simplest way to reset a Windows 7 password is with a password reset disk or with the net user command. So check whether you have a previously created Windows 7 password reset disk, or another account with administrator privileges, before you try the other solutions below.
1. If you have a win 7 password reset disk, you can follow the step-by-step guide to fix the problem easily.
See Reset your Windows password with disk.
2. If you have another available admin account, you can solve the problem with a few steps:
  • Run cmd.exe as administrator.
  • Type net user <user name> <new password> to set a new password for the account <user name>.
If the solutions above cannot be carried out, the software mentioned below will help you fix the problem.

Two kinds of software help to reset Windows password without disk:

  1. Reset Windows 7 Password with Chntpw
  2. Windows 7 Password Reset with Windows Password Genius

Option 1: Reset Windows 7 Password with Chntpw

Step 1: Grab Universal USB Installer and download Ubuntu 10.10.
Step 2: Create a Bootable  Ubuntu Live USB.
  • 2-1: Run the Universal USB Installer and select Ubuntu 10.10.
  • 2-2: Click Browse to select the Ubuntu ISO file.
  • 2-3: Select the USB drive and set the persistent file size. Once all settings are in place, click Create to begin creating a bootable Ubuntu Live USB.
Step 3: Boot Computer from Ubuntu Live USB.
  • 3-1: Reboot the PC and press the key your firmware uses (ESC, F2, F9, F10, etc.) to enter the BIOS setup.
  • 3-2: Set USB/Removable Hard disk as first boot option in the BIOS settings.
  • 3-3: Save the changes and reboot the system from Ubuntu Live USB.
Step 4: Install Chntpw.
  • 4-1: Press Ctrl + Alt + T to open a Terminal window.
  • 4-2: Type sudo apt-get install chntpw and press Enter.
The download and installation proceed without further input. Once it's finished and you're back at the regular prompt, type exit and press Enter.
Step 5: Reset Windows 7 Password.
  • 5-1: Use the Places menu, which lists all removable drives and hard disk partitions, to mount the partition where Windows is installed.
  • 5-2: Mount the drive that contains the Windows folder.
    Open the partitions until you find the one with a Windows folder. When you find it, make a note of the drive's label as it appears in the file browser's menu bar.
  • 5-3: Open Applications menu from panel, and select Terminal from Accessories menu.
    In Terminal window, enter cd /media command, and then list all mounted media drives with ls command.
  • 5-4: Navigate to drive that contains Windows folder.
  • Type: 
    cd <hard drive label>

    cd Windows/System32/config
    Purpose: open the config folder, which holds the Security Accounts Manager (SAM) hive that chntpw edits.
  • 5-5: Read Windows user account credentials and make changes to saved passwords with running chntpw tool.
  • sudo chntpw SAM
Without further options, chntpw operates on the built-in Administrator account. To change a different user's password, pass -u followed by that user account name:
sudo chntpw -u <user account name> SAM
Once you have changed or blanked the password, reboot and remove the Ubuntu Live USB. If you blanked the admin password, Windows will log you in without prompting; if you set a new one, log in with it. chntpw's own advice is to blank the password rather than set a new one, because setting passwords from outside Windows is unreliable. Either way, resetting a password this way permanently loses that account's access to EFS-encrypted files and other DPAPI-protected secrets such as saved browser passwords and certificates, and none of it works when the system drive is protected by BitLocker, which is exactly why full-disk encryption matters.

Option 2: Reset Windows 7 password with Windows Password Genius

What about chntpw as introduced above? Was it easy, or a little difficult for you? Either way, an easier and more convenient piece of software is available: iSunshare Windows Password Genius.
Only two steps are needed to reset Windows 7 password without disk:
  1. First step: Create a password reset disk.
  2. Second step: Reset Windows 7 password.
Step 1: Create a Windows 7 Password Reset Disk with USB or CD/DVD
  • Download and install Windows Password Genius on an accessible computer.
  • Insert a writable USB drive or CD/DVD into the computer and select that device in the program.
  • Click Begin burning to create a Windows 7 password reset disk.
    When the success message pops up, the password reset disk is ready.
Step 2: Reset Windows 7 password
  • Insert the USB drive or CD/DVD you just created into the locked computer and boot from it.
  • Select the Windows 7 installation and the user account whose password you wish to reset.
  • Click Reset Password, wait for the Windows 7 password to be removed, and then click Reboot.