<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity">
    <title>gmane.user-groups.linux.kansascity</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16225"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16224"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16223"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16222"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16221"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16220"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16219"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16218"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16217"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16216"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16215"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16214"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16213"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16212"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16211"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16210"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16209"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16208"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16207"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16206"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16225">
    <title>Invitation to connect on LinkedIn</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16225</link>
    <description>&lt;pre&gt;LinkedIn
------------



I'd like to add you to my professional network on LinkedIn.

- Brandon

Brandon Holtsclaw
PHP Drupal Development at Freelance
Kansas City, Missouri Area

Confirm that you know Brandon Holtsclaw:
https://www.linkedin.com/e/k4llky-hf0asc2f-3j/isd/12107134766/VFK-J-37/?hs=false&amp;amp;tok=0wYEAcoiwt6BI1

--
You are receiving Invitation to Connect emails. Click to unsubscribe:
http://www.linkedin.com/e/k4llky-hf0asc2f-3j/qb68emPbaSzyPvT9-5avWe9IWm/goo/kclug%40kclug%2Eorg/20061/I4012876816_1/?hs=false&amp;amp;tok=2Dr3aUfAMt6BI1

(c) 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.


  
_______________________________________________
KCLUG mailing list
KCLUG-3DadQFcgQnvYtjvyW6yDsg&amp;lt; at &amp;gt;public.gmane.org
http://kclug.org/mailman/listinfo/kclug&lt;/pre&gt;</description>
    <dc:creator>Brandon Holtsclaw</dc:creator>
    <dc:date>2013-04-01T23:57:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16224">
    <title>Job Openings</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16224</link>
    <description>&lt;pre&gt;We have a couple of job openings where I work that haven't been officially
announced yet, so I don't have formal details.  One position is a Linux
Administrator here in Kansas City.  Currently at the Bannister complex,
due to move somewhere else in the city by 2014.  Oracle knowledge is a big
plus.  This is not Windows with a little Linux on the side, it's straight
Linux.

The other position we're going to try to fill in Fort Worth first, and if
we don't get the right guy there we'll consider placing someone here. 
Windows administrator with good knowledge of Citrix.

You'll need to go through Tek Systems on contract-to-hire for 3-6 months,
but if you want early consideration go ahead and send me a resume.  I
don't have any salary information yet, but we won't be above current
averages.

&lt;/pre&gt;</description>
    <dc:creator>Jonathan Hutchins</dc:creator>
    <dc:date>2013-03-26T18:10:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16223">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16223</link>
    <description>&lt;pre&gt;Fail2ban does not require a lot of work.  I installed it from the EPEL
repo.  If you don't have EPEL enabled, you could add EPEL, or download
directly from http://dl.fedoraproject.org/pub/epel/5/x86_64/repoview/fail2ban.html

I did the hard work already with the filters I posted.  Paste in,
adjust the thresholds as you like.  The apache-dbags filter, I built
over the course of a year of reviewing stupid things with which
skiddies/bots would waste diskspace in my errorlogs.

Fail2ban is an invaluable tool that is well worth any admin's time to
become acquainted.  Consider this one targeted server to be your
opportunity to learn the basics of fail2ban.  You might be able to
solve the problem with your iptables rule.  But what do you think that
rule will do when legitimate customers access a page with more than
ten embedded objects like JPGs, .swf files, javascript, etc.?  And what
do you expect your iptables rule to do when multiple legitimate
customers are behind nat?

It's good to get clever with iptables.  &lt;/pre&gt;</description>
    <dc:creator>Billy Crook</dc:creator>
    <dc:date>2013-03-18T23:41:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16222">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16222</link>
    <description>&lt;pre&gt;I really think that I want to go with a simple set of IPTABLES rules, and
here is why:

The only two occasions that the server has hung up were due to DOS attacks
averaging around 8 or 10 requests per second for a minute or more.  Also,
hosting this server is not profitable enough to do a lot of work installing
additional packages and configuring and testing them, or subscribing to
additional third-party services.

It appears that limiting the number of connections accepted from a single
IP in 10 seconds (or similar) could have prevented the two attacks I have
seen from bringing down the server.

So, that brings me to the following questions:

I found this pair of rules at
http://blog.bodhizazen.net/linux/prevent-dos-with-iptables/comment-page-1/#comment-4524
iptables -v -A INPUT -i eth0 -p tcp --syn --match multiport --dports 80 -m recent --rcheck --seconds 5 --hitcount 10 --name HTTP -j LOG --log-prefix "HTTP Rate Limit: "
iptables -v -A INPUT -i eth0 -p tcp --syn --dport 80 -m recent --update
&lt;/pre&gt;</description>
    <dc:creator>J. Wade Michaelis</dc:creator>
    <dc:date>2013-03-18T21:49:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16221">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16221</link>
    <description>&lt;pre&gt;Obviously you want to address the attacks, but you could also look into a
more efficient web server.

Apache is great for the feature-list, but I've had much better performance
using nginx.
Granted, my experience is much smaller scale - 5-10 users on a highly
intensive website.

http://en.wikipedia.org/wiki/Nginx


On Mon, Mar 18, 2013 at 4:22 PM, Billy Crook &amp;lt;billycrook-Re5JQEeQqe8AvxtiuMwx3w&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:




&lt;/pre&gt;</description>
    <dc:creator>Nathan Cerny</dc:creator>
    <dc:date>2013-03-18T21:33:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16220">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16220</link>
    <description>&lt;pre&gt;It's easy to /say/ that any modern server should be able to handle a
few thousand GET requests.

The reality is that a single URI may affect dozens of scripts that you
didn't write, which might hit some database as many times, and you
can't change them for business or political reasons; even if you are
entirely qualified to fix bugs and do performance tuning.

When an aggressor, or just some well-intentioned runaway script harps
on one of these URIs, your options as an admin are limited.

You can throw more hardware at it, put (and maintain) some caching
proxy in front of it; or you can throttle the aggressor.  Fail2ban will
help you do the latter, and much more.  For instance, it becomes
realistic to run ssh on its official port (gasp!) if you use fail2ban
to cut down on riff raff.

As fail2ban starts blocking the sources of the floods, look over the
list of addresses, and see if you can identify a business partner.  If
you can get them to fix their script, all the better.

On Mon, Mar 18, 2013 at 3:45 PM, J&lt;/pre&gt;</description>
    <dc:creator>Billy Crook</dc:creator>
    <dc:date>2013-03-18T21:22:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16219">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16219</link>
    <description>&lt;pre&gt;

I've gone over my access logs again, and here are the particulars on the
two attacks that caused the server to hang:

On March 6th, between 4:29:11 and 4:31:40, there were 1453 requests from a
single IP, and all were 'GET' requests for a single page (one that *does* exist).

On March 14th, between 15:15:19 and 15:16:29, there were 575 requests from
the one IP address.  These were all different GET requests, nearly all
resulting in 404 errors.  Some appear to be WordPress URLs.  (The website
on my server is a Magento commerce site.)

Here are some other example requests from the attack:

   - GET /?_SERVER[DOCUMENT_ROOT]=http://google.com/humans.txt? HTTP/1.1
   - GET /?npage=1&amp;amp;content_dir=http://google.com/humans.txt%00&amp;amp;cmd=lsHTTP/1.1
   - GET /A-Blog/navigation/links.php?navigation_start=http://google.com/humans.txt? HTTP/1.1
   - GET /Administration/Includes/deleteUser.php?path_prefix=http://google.com/humans.txt HTTP/1.1
   - GET /BetaBlockModules//Module/Module.php?path_prefix=
   http&lt;/pre&gt;</description>
    <dc:creator>J. Wade Michaelis</dc:creator>
    <dc:date>2013-03-18T20:45:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16218">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16218</link>
    <description>&lt;pre&gt;On Mon, Mar 18, 2013 at 2:55 PM, J. Wade Michaelis
&amp;lt;jwade-25CUbZXYEmngKjOAwNV7+uTW4wlIGRCZ&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

This demonstrates that your DoS was almost certainly not caused by
bandwidth exhaustion.  Thus it will work fine to address it on the
attacked server.


That is a big assumption.  DoS is a fuzzy thing, and few Colos are
going to risk stepping on legitimate traffic with some algorithm that
can't be perfect.


I have my server tuned rather aggressively.  More than three
aggressions in a five minute window, and you're banned for a year.
You may want to re-tune those intervals.

That said, Fail2Ban has 'filters', 'actions', and 'jails'.
Filters specify logfiles to watch, what to watch FOR, and how to
identify the aggressor in the log files.  I have attached my filters
to this message.
Actions are things you want fail2ban to DO in response to finding a match.
Jails specify a filter, action, and timing parameters.  My Jail
configuration is below:

[apache-401s]
enabled  = true
filter   = apache-401s&lt;/pre&gt;</description>
    <dc:creator>Billy Crook</dc:creator>
    <dc:date>2013-03-18T20:14:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16217">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16217</link>
    <description>&lt;pre&gt;If you expose a WordPress or a Windows server in their default settings to
the 'net and don't keep on top of every single patch offered that's
relevant to what you expose, you're asking to be descended upon.

Sophos is claiming that White Hat researchers are keeping the Script
Kiddies in the game:
http://nakedsecurity.sophos.com/2012/12/05/web-exploit-kits-whitehat/


On Mon, Mar 18, 2013 at 3:07 PM, Mark Hutchings &amp;lt;mark.hutchings-Re5JQEeQqe8AvxtiuMwx3w&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Andrew Beals</dc:creator>
    <dc:date>2013-03-18T20:12:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16216">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16216</link>
    <description>&lt;pre&gt;Speaking of which, if you're running any kind of script on your site 
(WordPress, etc) make sure it is up to date.  If there is a 0-day 
exploit out for it, the script kiddies are going down the list on Google 
searching for "Powered by WordPress" and seeing if your server is open 
to exploits.  Most of the time this isn't caused by a single IP address, 
it's usually a botnet from around the world, but sometimes it can be.

Any way you could post some of the logs?  Like show what kind of http 
request they were making?

On 3/18/2013 3:01 PM, Andrew Beals wrote:

&lt;/pre&gt;</description>
    <dc:creator>Mark Hutchings</dc:creator>
    <dc:date>2013-03-18T20:07:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16215">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16215</link>
    <description>&lt;pre&gt;It his pipe is full, then he has bigger problems than that which J. Random
Unix Jock can explain over a mass e-mail.  Especially when yum knows not of
fail2ban.

Serving 404 pages to script kiddies shouldn't Bork a server. It shouldn't
even put an appreciable load on it. Script kiddies are here to stay, thanks
to the fringe members of the "information should be free" crowd.  (Just as
an example, there appear to be about 1.6k copies of The Anarchist Cookbook
out there, ready for downloading.)

Andy
Ps. There are too many kittens - please spay/neuter your pets.

Any typos are the direct result of Swiftkey X's autocorrect function.
On Mar 18, 2013 2:40 PM, "Billy Crook" &amp;lt;billycrook-Re5JQEeQqe8AvxtiuMwx3w&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Andrew Beals</dc:creator>
    <dc:date>2013-03-18T20:01:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16214">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16214</link>
    <description>&lt;pre&gt;You sure it was just a http attack? Several hundred requests in a few 
minutes shouldn't really put it on its knees, unless the server is a VPS 
with low memory/CPU usage limits, or the server itself is low on resources.

If you're using Apache, you should check into several modules to lock 
down your server.  In this case, check out mod_evasive.

Server firewall wise:
I also suggest fail2ban and also CSF
http://configserver.com/cp/csf.html

Also you could try CloudFlare, but I've seen that cause a lot of 
problems at the same time.  If you have a low traffic web site, I would 
suggest it.  But if you ever expect a surge of traffic, CloudFlare could 
cause you headaches.

Another idea is that if your server is at a datacenter, they can help 
on their end also.

On 3/18/2013 2:19 PM, J. Wade Michaelis wrote:

&lt;/pre&gt;</description>
    <dc:creator>Mark Hutchings</dc:creator>
    <dc:date>2013-03-18T19:58:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16213">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16213</link>
    <description>&lt;pre&gt;The SonicWall I mentioned is in front of a lot of servers, and none of the
other services suffered any interruptions when the attacks occurred.  They
are hosted in a datacenter, and we have nice healthy bandwidth there.
 Also, I would presume they have their own DOS prevention in place on their
routers.

The only server that had problems with these attacks was the CentOS
webserver.

Fail2ban looks interesting.  I hadn't heard of it before.  What settings
would you recommend to prevent DOS attacks while allowing "normal" access
for legitimate traffic?  (I can provide additional data on "normal" usage
if required.)

Thanks,
~ j.
jwade-25CUbZXYEmngKjOAwNV7+uTW4wlIGRCZ&amp;lt; at &amp;gt;public.gmane.org


On Mon, Mar 18, 2013 at 2:39 PM, Billy Crook &amp;lt;billycrook-Re5JQEeQqe8AvxtiuMwx3w&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>J. Wade Michaelis</dc:creator>
    <dc:date>2013-03-18T19:55:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16212">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16212</link>
    <description>&lt;pre&gt;Every time you use a route table as a firewall, God kills a kitten.

If you want a firewall, use..... a firewall.  iptables is the command.

If you want something that scales, and won't require your time to
maintain a shitlist of IPs; use fail2ban, and it will manage the list
per your specifications.

Most likely, your DoS is apache-local.  i.e. they aren't actually
flooding your entire pipe.  If you use fail2ban/iptables, this should
fix you right up.

If they are flooding your actual pipe, you need to apply the filter on
the far end of your pipe.  i.e. Get your ISP (or a new ISP) that will
let you administer an ACL on the router on THEIR side of your line.
Or get a DDoS prevention service.  Blocking on the sonic wall will
have NO effect on a flood if the sonic wall is at the same site as the
targeted server.

Fail2ban can integrate with this remote filtering too.  You simply
modify fail2ban's 'action' to call a script that adds the IP upstream.

On Mon, Mar 18, 2013 at 2:27 PM, Andrew Beals &amp;lt;andrew.beals-R&lt;/pre&gt;</description>
    <dc:creator>Billy Crook</dc:creator>
    <dc:date>2013-03-18T19:39:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16211">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16211</link>
    <description>&lt;pre&gt;I would pay an outside service to handle the heavy lifting...
http://www.incapsula.com/ddos-protection-plan


On Mon, Mar 18, 2013 at 2:19 PM, J. Wade Michaelis &amp;lt;
jwade-25CUbZXYEmngKjOAwNV7+uTW4wlIGRCZ&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Jeremy Fowler</dc:creator>
    <dc:date>2013-03-18T19:32:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16210">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16210</link>
    <description>&lt;pre&gt;Have you looked at fail2ban?  I use it to block IPs that create excessive
err log entries for x minutes.  I also watch for specific naughty requests
like phpmyadmin and block forever.

Sonicwall is exceptionally poor.
On Mar 18, 2013 2:20 PM, "J. Wade Michaelis" &amp;lt;jwade-25CUbZXYEmngKjOAwNV7+uTW4wlIGRCZ&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
wrote:

&lt;/pre&gt;</description>
    <dc:creator>Billy Crook</dc:creator>
    <dc:date>2013-03-18T19:27:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16209">
    <title>Re: DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16209</link>
    <description>&lt;pre&gt;If they're coming from just the single IP, then black-hole'ing their IP is
easier.  If the address they're coming from is 128.115.1.1, then simply
paste this at a shell prompt and give it your password when sudo asks for
it:

sudo route add 128.115.1.1 gw 127.0.0.1 lo

This will cause all packets destined to go back to them to get dropped on
the floor and should be sufficient.  You'd really prefer to do this (or
just add them to the naughty list which is something that I believe the SW
can do, even with ancient builds of their SW) on your SonicWall box, but
you can get away with doing it on your server.

Adding an IP tables (again, if you can't convince your SW to just drop
packets from them) is more efficient, of course, but it's hairier to set up.


On Mon, Mar 18, 2013 at 2:19 PM, J. Wade Michaelis &amp;lt;
jwade-25CUbZXYEmngKjOAwNV7+uTW4wlIGRCZ&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Andrew Beals</dc:creator>
    <dc:date>2013-03-18T19:27:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16208">
    <title>DOS prevention</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16208</link>
    <description>&lt;pre&gt;I have a CentOS web server that has recently been brought to a halt on two
separate occasions.  Checking the access.log, it appears that it was a
Denial of Service (DOS) attack (hundreds of HTTP requests in a very short
time, all from a single IP address).

I want to prevent these types of attacks from bringing the server to its
knees.  We have a hardware firewall (SonicWall) in place, but it isn't
quite new enough to run the firmware that allows rate-limiting.

I have found a number of tutorials that show how to do this type of thing
with IPTABLES.  Is there a better solution?

Supposing I go with IPTABLES, do I need to include rules to allow FTP and
SSH (the only other services on the server)?

Would any of you be willing to assist me with this?

Thanks,
~ j.
jwade-25CUbZXYEmngKjOAwNV7+uTW4wlIGRCZ&amp;lt; at &amp;gt;public.gmane.org
&lt;/pre&gt;</description>
    <dc:creator>J. Wade Michaelis</dc:creator>
    <dc:date>2013-03-18T19:19:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16207">
    <title>Re: invite to topeka for technical talks and workshops</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16207</link>
    <description>&lt;pre&gt;
The KULUA list is a lot of Lawrence people.
https://groups.google.com/forum/?fromgroups#!forum/kulua-l
&lt;/pre&gt;</description>
    <dc:creator>Nick Anderson</dc:creator>
    <dc:date>2013-02-27T17:30:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16206">
    <title>Re: invite to topeka for technical talks and workshops</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16206</link>
    <description>&lt;pre&gt;Hi Mike,

     Have you checked around Lawrence?  I know back around 7 years ago, 
there was a group of KU students (20+ at times) that would meet up once 
in a while for a Linux meetup.  Though it was on the KU campus, it wasn't 
limited to just KU students.   This doesn't quite answer your original 
question, but Lawrence is right around the corner from Topeka and might 
be a lot easier for you to travel to.

     I can't find a web page on this meetup, but maybe one of these guys 
in this group could help you.  http://www.ittc.ku.edu/kurt/ (KUSP: 
Kernel/User Systems Programming).  And then there's FUDCon that was held 
back last month, which you might want to plan to attend next year if 
they have another one. https://fedoraproject.org/wiki/FUDCon:Lawrence_2013

     Another tip is LinuxPro Magazine is published from Lawrence, KS.  
Maybe one of the guys there could point you to a group closer that 
you're not aware of.

&lt;/pre&gt;</description>
    <dc:creator>Mark Hutchings</dc:creator>
    <dc:date>2013-02-27T17:06:37</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16205">
    <title>invite to topeka for technical talks and workshops</title>
    <link>http://permalink.gmane.org/gmane.user-groups.linux.kansascity/16205</link>
    <description>&lt;pre&gt;Hi all,

have resubscribed using a new mail to free up my gmail from mailing
lists.

We have moved to Topeka and am now working on Linux systems at Payless
here. In my free time I am working on promoting open source software
and open knowledge.
We don't have a car by choice, so my transportation is limited to
public transportation which is almost nonexistent here in Topeka,
there is only one train to KC at 5am in the morning.

There are many user groups in KC like Java user groups and groups in
Lawrence, but it is very hard to find people to go there with me who
have cars.

have been attending the http://www.adastralabs.org/ meetings on
Thursday and we discussed there the options of making bigger events. 

So, we would like to invite speakers from the list to come to Topeka to
hold talks and workshops, if possible we would create an event here at
the library, university or at some office (like pc911).
Ideally we would have 2-3 advance notice and would promote the event
locally. 

For travel expenses we will hav&lt;/pre&gt;</description>
    <dc:creator>h4ck3rm1k3-revL73yDgGBWk0Htik3J/w&lt; at &gt;public.gmane.org</dc:creator>
    <dc:date>2013-02-16T17:18:30</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.user-groups.linux.kansascity">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.user-groups.linux.kansascity</link>
  </textinput>
</rdf:RDF>
