The Acumen IT Support blog provides you with helpful articles about security topics.
Technology threats are a pervasive business problem. We know exactly how to protect your business from a security disaster. Some of our best practices include firewalls and anti-virus programs, Unified Threat Management, mobile and wireless security, VPN and passwords.
This web site provides a good overview.
mod_evasive doesn’t work with current Apache
Starting with Apache 2.4.1, mod_evasive stores the violation counts PER CHILD. Attackers don’t hit the same child enough times in the time interval to trip the system.
If you have 100 child threads, then you are diluted 1/100 for the time interval
DO NOT USE mod_evasive.
You can slightly improve the performance by editing httpd.conf:
KeepAlive On
MaxRequestsPerChild 0
MinSpareServers somelowvalue
MaxSpareServer somelowvalue
You could use mod_security instead
but it won’t ban IP addresses
yum install mod_security (install mod_security)
yum install mod-security_crs (install OWASP security rules for mod_security)
After installing mod_security, you may get a FAILED message at service httpd restart
You’ll find a similar message in /var/log/httpd/error_log
[alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of “myserver.mydomain.local”
BE CERTAIN that the HOSTNAME value in /etc/syscconfig/network is also a 127.0.0.1 record in /etc/hosts
Use fail2ban
yum install fail2ban
vi /etc/fail2ban/jail.local
[apache-banhermes]
enabled = true
filter = apache-banhermes
logpath = /var/log/httpd/access_log
maxretry = 1
bantime = 60000
action = iptables-multiport[name=banhermes, port=”http,https”]
backend = polling
vi /etc/fail2ban/filter.d/apache-banhermes.conf
[Definition]
failregex = ^<HOST> -.*”(GET|POST) \/hermes\/
ignoreregex =
service start fail2ban
For information about how Acumen can service your business, visit our About page.
For more information on Apache, visit their Official Site by clicking the link below:
HOWTO: Update WP Plugins without File Transfer Protocal
In the interest of security we moved many of our websites to a new server and found that plugins suddenly refused to update without File Transfer Protocal credentials. This was obviously fine when wanted to do the updates and knew the FTP credentials but presented a problem because we like to encourage our clients to perform routine maintenance to keep their sites up to date. Obviously they are not going to know the FTP information.
This server happens to use setfacl to further control user access to the site folders. We don’t believe this is the problem.
WordPress does attempts to write a file to wp-content as a test for directory access. For some reason this test seemed to be failing.
We bypassed the test by adding the following line to wp-config.php:
define(‘FS_METHOD’, ‘direct’);
When the file write test was bypassed, the plugin installed without requiring the File Transfer Protocal credentials.
We hope this helps you as well!
For more information about what Acumen can do for your business, visit our Contact page.
For more information about FTP Credentials for WordPress, click on the link below:
Heartbleed Exploit
HeartBleed is a newly found OpenSSL exploit. It has been getting a lot of attention in the last few weeks because it leaves a large security hole on the majority of encrypted websites on the internet.
When accessing a secure Server that is using OpenSSL your computer will request a “Heart beat” to verify that there is a active connection to the server. This is accomplished by sending a piece of data of a specific size to the server to which you are connected and requesting that it be sent back to your computer.
The problem is that with this vulnerability someone can send a heartbeat request to a server but claim that the heart beat request is much longer than it actually is. The server will just assume that the the size of the request is accurate. And instead of sending back just the response, it will send back the response along with more information that is currently stored in the Servers buffer until it is the size that the original message claimed to be.
This is a very dangerous exploit that allows a attacker a look into the the servers buffer and see possible usernames and passwords among other things. Luckily the majority of Large companies like Google, Facebook, or banks had this patched as soon as this issue went public. It is very important that servers that send information over the internet have this exploit patched, because if they do not secure information on the server could be compromised.
We recommend you change your passwords for any important account, like for your bank or email. And verify that any server you own is patched as soon as possible.
Here is an Excellent video on the subject
Please contact our Network Support Team or call today at 314.333.3330 if you need help.
No DNS/DHCP After Virus Removal
Recently, after removing a virus from a customer’s PC I encountered a problem while trying to get the PC back on the network. I tested the drop with another computer and it worked fine. The PC would not pull a DHCP address. I then gave the PC a static IP/DNS settings and the PC was able to ping 8.8.8.8 (which means it had access to the internet) but could not resolve google.com with multiple DNS settings.
I finally found my answer here This solution works perfectly but I’ll condense it below if you don’t want to follow the link.
The user ILS mentions that these symptoms are caused by a corrupted afd.sys file which is located at c:windowssystem32drivers. Either it is missing or infected.
A tool called Farbar System Scanner can be run on your Internet Services to verify the problem although you do not need to do this to try the fix.
Scan your system for another version of afd.sys and simply copy it over to the one in your driver folder
Next you need to modify the registry. Instructions are detailed in a post written by Broni here.
The easiest solution is to copy the Registry Entry from another PC that is working
If you get a permission problem when merging the Legacy_AFD, make sure you read Broni’s instructions on how to allow your user to change the permissions. For Windows 7, I used the following Broni written instructions:
- Start=>Run (alternatively use Windows key+R), type regedit and click OK.
- Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRoot
- Right-Click Root and select Permissions…
- Click Advanced.
- Under Owner tab select the entry starting with you user name, example: Farbar(Farbar-PCFarbar)
- Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
- Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
- Click Apply and OK.
As stated by the author of the post, after doing the above you will be able to merge Legacy_AFD.
Even though that post is old, it works like a charm, we were able to fix 5 computers today, all of them were Windows 7.
Following those instructions I was able to get the computer back on the network and the user back to work.
If you need help with your computer or your network give us a call at 314.333.3330 and take a look at our IT Support page for more information.
Exclude Print Devices in Symantec Endpoint Protection Manager
Exclude Print Devices in Symantec Endpoint Protection Manager
Problem:
The protection manager was interfering with communication between:
Our Cannon printers and PCs.
To disable this globally, you must log into the Endpoint Protection Management Console and do the following:
Symantec Solution:
- Click Policies, then click Application and Device Control.
- Double-click the application and device control policy that is in use by affected clients.
- Click on Device Control.
- Under Devices Excluded From Blocking, click Add…
- Click Printing Devices, then click OK.
This solved a huge problem.
The Network Threat Protection aspect of this Endpoint Security was interfering with the PCs being able to print.
See our IT Services page for more ways we can help you!
For more information about Endpoint Security, visit the site below: