Dangerous coding errors revealed

The US National Security Agency has helped put together a list of the world’s most dangerous coding mistakes.

The 25 entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.

Experts say many of these errors are not well understood by programmers.

According to the SANS Institute in Maryland, just two of the errors led to more than 1.5m web site security breaches during 2008.

Read more on news.bbc.co.uk

Advertisement

Restricting users to send mails to certain domains in Zimbra

This document describes how to restrict a list of users for sending emails to limited domains. Other users can send mails anywhere. Everything I am doing here as Zimbra user.

Read more on Zimbra Wiki

Restrict Postfix Recipients in Zimbra

• This will show how you can modify postfix to restrict who can send to certain addresses in your domain such as distribution lists like all@mydomain.com
• These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/postfix_recipient_restrictions.cf. Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
• This method can be spoofed by forging the MAIL FROM: header (so mail appears to originate from within the domain), so it isn’t foolproof, but it works for basic needs.

Read more on Zimbra Wiki

Host Integrity Monitoring: Best Practices for Deployment

Brian Wotring 2004-03-31

Introduction

There are now a number of commercial and open source solutions that can be used to effectively monitor the integrity of host environments. When understood and used correctly, these applications can be very helpful with detecting unauthorized change, conducting damage assessment, and preventing future attacks. With all that is involved in deploying such a system, there are some very important concepts that are often neglected, not understood, or not expressed in the documentation.

The purpose of this article is to highlight the important steps and concepts involved in deploying a host integrity monitoring system. Being aware of these concepts can mean the difference between a useful deployment, and one that is rendered ineffective or more trouble than it is worth.

This article is written with the open source host integrity applications Osiris and Samhain in mind, however the material presented is certainly not unique to these applications.

Read more on www.securityfocus.com

Installing ISP-fw (Firewall) On Linux

ISP-fW is a firewall script that provides port forwarding, packet filtering, stateful packet inspection, port redirection, masquerading, SNAT/ DNAT, TOS, and never the last it generates htb rules for bandwidth management. With ISP-fw, you can turn a PC into a gateway with shaping capabilities.

Let’s begin:

I will assume that you have installed Linux on your box. I use a Debian machine so this tutorial will be for Debian Linux but should not differ much from the rest of the distros.

Read more on Howtoforge.com

Preventing Brute Force Attacks With Fail2ban On Fedora 9

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 08/08/2008

In this article I will show how to install and configure fail2ban on a Fedora 9 system. Fail2ban is a tool that observes login attempts to various services, e.g. SSH, FTP, SMTP, Apache, etc., and if it finds failed login attempts again and again from the same IP address or host, fail2ban stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.

Read more on Howtoforge.com

Linux-AD Integration, Version 4

by slowe

This procedure allows Linux-based systems to authenticate against Active Directory.  We use Kerberos for authentication, LDAP for account information, and Samba to help automate the process along the way.  When this process is complete, AD users can be enabled for use on Linux systems on the network and login to those Linux systems using the same username and password as throughout the rest of Active Directory.

These instructions are designed for use with Windows Server 2003 R2.  If you are looking for information on using Linux with a previous version of Windows, please refer back to this article.  The only significant changes in the process involve the mapping of the LDAP attributes; otherwise, the procedure is very similar between the two versions of Windows.

Read more on blog.scottlowe.org

Configuring a Squid Server to authenticate off Active Directory

By Adrian Chadd

Warning: Any example presented here is provided “as-is” with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Contents

1. Configuring a Squid Server to authenticate off Active Directory
   1. Basic Concepts
   2. Environment
   3. Packages to install
   4. Files to modify
      1. /etc/krb5.conf
      2. /etc/samba.smb.conf
      3. /var/kerberos/krb5kdc/kdc.conf
      4. /var/kerberos/krb5kdc/kadm5.acl
   5. Configure NTP time synchronisation
   6. Joining the server to the AD domain
   7. Fix Ownership
   8. Configuring Squid to use the Samba 3 ntlm_auth program for authentication

Basic Concepts

In this example, a Squid installation will use the Samba ntlm_auth helper to authenticate against an Windows Active Directory. The server will be joined to the Active Directory domain and other services can use the ntlm_auth helper to authenticate users (but be out of the scope of this document.)

Environment

• Windows Server 2003 AD
• Ubuntu Dapper installation
• Squid-2.6
• Kerberos 5
• Samba + Winbind
• NTP server running on AD controller

Packages to install

• samba (3)
• ntp-server (Kerberos requires time-synchronised machines)
• krb5-doc, krb5-config, krb5-user, libkerb53, libkadm55 (Kerberos related user libraries)
• winbind

Read more on wiki.squid-cache.org

CentOS Directory Server On CentOS 5.2

he enterprise-class Open Source LDAP server for Linux. It is hardened by real-world use, is full-featured, supports multi-master replication, and already handles many of the largest LDAP deployments in the world. The Centos Directory Server (based on Fedora Directory Server) can be downloaded for free and set up in less than half an hour.

OS Installation

• Install a minimal server plus the xserver.
• Important: Set an FQDN of your server (/etc/hosts)

Reed more on Howtoforge.com

Using Rsync and SSH

This document covers using cron, ssh, and rsync to backup files over a local network or the Internet. Part of my goal is to ensure no user intervention is required when the computer is restarted (for passwords, keys, or key managers).

I like to backup some logging, mail, and configuration information sometimes on hosts across the network and Internet, and here is a way I have found to do it. You’ll need these packages installed:

• rsync
• openssh
• cron (or vixie-cron)

Please note these instructions may be specific to Red Hat Linux versions 7.3, 9, and Fedora Core 3, but I hope they won’t be too hard to adapt to almost any *NIX type OS. The man pages for ‘ssh’ and ‘rsync’ should be helpful to you if you need to change some things (use the “man ssh” and “man rsync” commands).

Read more on troy.jdmz.net