Spammers and hackers can cause all sorts of problems, so here is how to block visitors by their referrer using Apache.

Rfc1394-2-Barricades-barriers

The other day, I was investigating some 500 errors on a WordPress site. Even if you are not a webmaster, you might realize that 500 errors are never a good thing. Upon closer inspection, I noticed that the errors were coming from different IP addresses, but they shared one of two common referrers.
Continue reading “How To Block Web Traffic by Referrer in Apache”

flash-logo

I keep waiting for the day when Adobe Flash is a thing of the past. Unfortunately, there are a lot, and I mean a lot, of older sites out there that use it. So, if you find yourself having to use it, at least add a layer of protection where it will prompt you as to whether or not it will run.

Old Goat Guide recently posted “Using Adobe Flash Player Responsibly” that gives instructions on how to set Internet Explorer so that you have to click to run Flash. Thankfully, Firefox now has this setting as the default, although it is called “Ask to activate”. If you are running Chrome, I suggest using the built-in PepperFlash (also available for Chromium, usually as a separate download), as I have found it more stable and less of a target for hackers.

A very uninformative error message.
A very uninformative error message.

I recently was working with a group of computers running Windows 7 Enterprise (32 bit version) that were having issues with complaining that “This copy of Windows is not genuine”.  The really weird part about it is that in most cases the product was activated! How can it activate if it isn’t genuine?  I have no idea!
Continue reading “This Copy of Windows Is Not Genuine Plus Error 0x80092026 Cryptographic Operation”

Tired of getting probed? Here is one way to automatically add probing sites to ufw.

tone_and_probe

It sometimes seems that there isn’t a range of IP addresses that isn’t filled with idiots who have no life. They are sleaze who won’t go out and earn an honest living. Running a website requires vigilance, and I’ve learned the hard way that you cannot outsource this to some company that throws up some hardware but won’t lift a finger to help you resolve real issues. However, being vigilant shouldn’t mean that you don’t have any more of a life than the idiots who are out causing problems.

Logwatch is a very useful utility for summarizing, analyzing and reporting issues found in various logs on the system. It simplifies everything because you would otherwise be sifting through dozens, literally, of log files on the system looking for problems.

One of the useful features is that it looks for website probing. It doesn’t seem to catch everything, but it catches enough that if it reports on it, you should act on it and not delay. You could, of course, manually block the IP addresses it reports as a probe, and I did that for some time, but it is a continuous process.  Continuous, monotonous tasks are exactly the sort of thing computers were made for, so why not automate as much as is reasonable and leave only the more difficult things in the log for human eyes?  After all, if it is reporting on it, it is egregious enough of an activity to block the IP either individually or within a given range.

So, I wrote a script that could parse the input and email the resulting file. Instead of calling sendmail, then, you tell logwatch to “email” the output through this script, which I called logwatchproc.bash, which will take care of the rest.

I should mention that if you follow DigitalOcean’s instructions in the Logwatch link above, make a note of a couple of things:

It is bad form to ever modify distributed config files. They have a tendency to get overwritten. Furthermore, it turns out it won’t even have the expected behavior. Be sure to:

  1. mkdir /var/cache/logwatch
    cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

    Then, you can edit the file in /etc/logwatch/conf comfortably.

  2. Change the line:
    mailer = "/usr/sbin/sendmail -t"

    to

    mailer = "/usr/bin/logwatchproc"

Next, you will want to create the file. I recommend putting it in the home directory of an account used for maintenance (which means not in root’s home), and then linking the file into /usr/bin.

Use your favorite linux (not DOS/Windows, unless you want problems) editor and paste this into it:

#!/bin/bash

[ $# -ge 1 -a -f "$1" ] && input="$1" || input="-"
MYBASE="/home/NameOfUser" # Preferably, whatever user you use for maintenance
LOGMAIL="${MYBASE}/logwatchmail.tmp"
LOGLOG="${MYBASE}/logwatchproc.log"
PROBEFILE="${MYBASE}/probesites.txt"
TODAY=$(date)
echo "=========" >> "${LOGLOG}"
echo "${TODAY}" >> "${LOGLOG}"
# Save it first
cat $input > "${LOGMAIL}"
# Email it before something happens
cat "${LOGMAIL}" | sendmail -t
sleep 30
NUMSITES="$(grep probed ${LOGMAIL} | cut -d' ' -f5 )"
echo "NUMSITES = ${NUMSITES}" | tee -a "${LOGLOG}"
if [ "${NUMSITES}." = "." ]
then
	NUMSITES=0
fi
if [ ${NUMSITES} -gt 0 ]
then
	grep probed -A "$NUMSITES" "${LOGMAIL}" | tail -"$NUMSITES" > "${PROBEFILE}"

	for II in $(cat "${PROBEFILE}")
	do
		echo "$II" >> "${LOGLOG}"
		ufw insert 3 deny from "$II"  >> "${LOGLOG}"
	done
else
	echo "No further actions needed." >> "${LOGLOG}"
fi

Be sure to change “NameOfUser” to the maintenance account login name, and save it in a convenient location in that accou nt’s home directory, ex: /home/NameOfUser/bin, for testing. Notice as well that I use “ufw insert 3” to keep it near the top (so it doesn’t interfere with later ALLOW commands). If you have any allows at the top you don’t want to overwrite, be sure to adjust this as necessary.

Next, make a symbolic link to it:

ln -s /home/NameOfUser/bin/logwatchproc.bash /usr/bin/logwatchproc

You can test it manually by calling /etc/cron.daily/00logwatch as root. Initially, you might want to test using the sudo command, but it is better to do an “su -” and change to root for final testing, as environment variables can really affect bash significantly.

That’s it!

LastPass gets breached, but I’m not all that concerned.

LastPass logo
LastPass logo

The web is abuzz today about the reported breach at LastPass, and there is way too much FUD being spread. I’m not concerned. There are multiple reasons to not be, but that does not mean I won’t go and change my password. I just won’t be running around with my hair on fire predicting doom and gloom. Continue reading “LastPass Breach Shows 2-Factor Authentication Is Important”