As a result of it’s ease of customisations, the developer Daniel B. Cid, with a little bit of help from myself, have implemented supported rule-sets for my former employers’ products: Zeus WebServer and ZXTM. Both products are widely deployed across many enterprise environments; adding specific rulesets for their software is one which I hope assists all fellow sysadmins tasked with running infrastructure using Zeus software.

Download

You can download the latest snapshot of OSSEC from this page.

Implementation

After running install.sh you can add the Zeus rulesets as you would any other supported rule set.

Example:

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/zeus/zxtm/zxtm/log/errors</location>

<localfile>
<log_format>syslog</log_format>
<location>/usr/local/zeus/zws/web/log</location>

Alerts

Below you can clearly see the ruleset alerting you, quickly and efficiently, to a failure.
 

Help..

Any questions, just ask!

Considerations

• Backup, backup, backup! We must make sure that our backups are held securely and cannot be corrupted. This database is small enough to use mysqldump, but incremental backups of the SQL binaries is a serious consideration in large scale enterprises
• Gallery is clustered across two Apache webservers: Any changes to my document root, will be quickly replicated across to the other webserver. This must not be allowed to happen until regression testing has taken place across one production server.
• MySQL replication: any code changes rolled out will immediately be replicated across the MySQL cluster. If the application upgrade fails, it will be a lot easier to roll back only one database. We must be careful to not push this change across our databases until regression tested across one production box.
• What role does our Load Balancer play? What rules do we need to implement to make sure traffic is directed accordingly…
• For file replication, this site uses rsync. To ensure code consistency during the maintenance window, this replication must be disabled.

Maintenance Actions

1. Perform a full backup of both the original Gallery code and the MySQL DB Binaries
2. Stop the replication slave running on Webserver 02. The code change will be rolled out across Webserver 01, so it’s important no changes are replicated within our maintenance window.
3. How to deal with our traffic across our load balancers? This will be covered in the next section. Ultimately, we want all requests that do not contain /gallery/ in the path to be spread across all webservers; all requests for /gallery/ must be directed across the node not under maintenance (webserver 02)
4. Stop the rsync file replication process on both servers.

Load Balancer specifics

• Create a rule that distributes requests for all requests that do not equal /gallery/ across all available webservers

if( ! string.contains( $path, "gallery" ) ) break;

• Make sure that my IP address can reach the maintenance pool

   if ( ! string.ipmaskmatch( $ip, "my.ip.address/32" ) ) {
        pool.use( "Sticky Pool" );
}     else {
        pool.use( "Maintenance" ); }

This ensures that my IP address reaches a pool containing one specific node – webserver01. All other requests are load-balanced to the ‘Sticky Pool’ which includes two nodes – webserver01 & 02, however 01 is put in a draining node (no further connections being sent to it).

So, both quickly and easily, using ZXTM’s trafficscript we’re able to create rules to efficiently distribute traffic appropriately.

End Result: All requests are still load-balanced across both webservers, with the exception of requests for $path == /gallery/. These requests are sent to one specific node (not under maintenance). This allows the webmaster (me!) to upgrade the code base, and regression test, across webserver 01.

Code Upgrade

Load Balancer rules enabled, we can safely proceed with our code upgrade. This is simply a matter of uploading the new codebase across the existing one. We can then proceed to the Gallery site knowing that we will go to webserver 01; able to both test and perform the application upgrade as applicable. This completed, and tested, we can now restart our rsync daemons, and allow the MySQL slave to start again on webserver 02. Within seconds the code change has been pushed out across the remaining webserver.

End Result: A complete success.

Firstly, I already run postfix on the recommended MUA/MTA submission port (587), then make entries for trusted static IPs in postfix’s $mynetworks variable. However, the time has come to push smtp-auth via username & password, and to remove the ever-growing $mynetworks entry.

Tech Philosophy

So, why do I run postfix on port 587? What is special about this port? RFC 2476 states. . .

1. Abstract

SMTP was defined as a message *transfer* protocol, that is, a means to route (if needed) and deliver finished (complete) messages. Message Transfer Agents (MTAs) are not supposed to alter the message text, except to add ‘Received’, ‘Return-Path’, and other header fields as required by [SMTP-MTA].

However, SMTP is now also widely used as a message *submission* protocol, that is, a means for message user agents (MUAs) to introduce new messages into the MTA routing network. The process which accepts message submissions from MUAs is termed a Message Submission Agent (MSA).

3.1. Submission
Port 587 is reserved for email message submission as specified this document. Messages received on this port are defined to submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions as specified here.

Essentially, the RFC informs us that if you wish to perform SMTP submissions (ie, direct interaction between an MUA and an MTA in submitting e-mail) you should perform it via port 587. GMail, for instance, defaults to SMTP-AUTH via port 587

Implementation

Ok, technical philosophy out of the way, let’s move onto quickly and easily setting up your MTA correctly. My MTA of choice, as I’ve written about quite a lot on this blog, is Postfix.

According to the Postfix FAQ you can instruct Postfix to run on a port that ! == 25.

This is performed by editing master.cf and appending:

# service type  private unpriv  chroot  wakeup  maxproc command + args
#                  (yes)   (yes)   (yes)   (never) (100)
# ==========================================================
  587       inet     n      -       n         -       -       smtpd

So far, this will allow you to submit a message to the MTA as long as your IP is contained within $mynetworks. Well, this was my first problem – I wanted to move away from this way of doing things. Whenever I tried to perform an smtp-auth, utilising saslauthd, I saw this in my syslog:

postfix/smtpd[15281]: warning: SASL authentication failure:
cannot connect to saslauthd server: No such file or directory
postfix/smtpd[15281]: warning: SASL authentication failure:Password verification failed
postfix/smtpd[15281]: warning: foo.bar (x.x.x.x): SASL PLAIN authentication failed: generic failure

This just didn’t make any sense – port 25 accepted smtp-auth with no problems. Just what was different? I had to perform some research…

After much searching, I found the answer! It’s frustratingly simple. By default, debian runs postfix in a chroot, this is for increased security. However, due to the issues raised here with regards to Postfix Before-Queue Content Filter…

The before-filter Postfix SMTP server forwards the MAIL FROM, RCPT TO and DATA commands that it has approved, but it does not forward other commands such as TLS or SASL commands. It can therefore not be transparent.

The answer to this? Simply enter back into the chroot. I still am unsure why the postfix faq recommends that you break-out of the chroot to accept mail on an alternative port – could someone perhaps enlighten me?

So, I changed our master.cf to reflect these changes…

# service type  private unpriv  chroot  wakeup  maxproc command + args
#                  (yes)   (yes)   (yes)   (never) (100)
# ==========================================================
  587       inet     n      -       -         -       -       smtpd

…I now have a fully clustered, smtp-auth (via sasl) postfix server running on the appropriate RFC designated ports.

Result!

In the minority who will be more concerned about what they claim are civil liberties intrusions. But the vast majority of people find that their life is more upset by people who make their life a misery in the inner cities because they can’t go out and feel safe and secure in a healthy, clean environment because of a minority of people.

Britain now has more CCTV surveillance cameras than any other nation on earth – yes, even more than China and N. Korea. Well, i don’t know about anyone else, but i’m scared. This is how democracies fall into autocracies; through the subversion of democracy by the democratically-elected political ruling elite.

Please, people of the UK, vote this government out at the next election. To not do so would be a reckless injustice to what little is left of Britain’s democratic process. Already the government is re-drawing political boundaries to give their candidates unfair advantage, after having spent years trying to (misguidedly) re-haul the House Of Lords (the voice of sanity recently).

Enough is enough! You have a vote on May 2nd – use it.

This doesn’t appear to be an April Fool’s…
Interstingly, this isn’t a wordpress hack, but appears to be an exploit in the version of Apache (1.3.37) Matt’s webhost were running (note: Matt’s site is not hosted by Google).

Rule number 1 in security: never make your webservers directly publically accessible. Always reverse-proxy to them. You can then inspect silly hack attempts like this and stop them before the client request reaches your webserver.

The team responsible for the defacement have written this to Matt:

Dear Matt,

Sorry it falls on you! We at DarkSeoteam appreciate your blog, respect your work… and you look like a nice guy. But your blog looked like the perfect target. First because you don’t rely on it for income, second because, on the internet, there is no better proof than a punchy example.

As many fellow webmasters, we have been reading the endless threads at webmasterworld, where site owners were complaining for having their websites “Googlewashed”, and income hurt by unscrupulous competitors.

As many fellow webmasters, we were shocked that Google and GoogleGuy did not even dare to comment.

Matt ! Google doesn’t have to feel ashamed for the bugs. Everyone involved in software and algorithms can understand what bug means for real. We all had bugs. The only thing we can’t understand is that Google doesn’t say it’s going to fix it asap.

We won’t make public the way we ranked on “bacon polenta”because we don’t want the technic used spreading on the web. However, it seems that many posters at webmasterworld and threadwatch understood the whole thing. But that’s not the point.

The point is:

Anyone can use Google’s duplicate content filters to ruin a competitor’s website, and steal his ranking and traffic.

Moreover, Matt, the webmasters’ community does not need an immediate fix, but it needs Google to admit that it is not able to differentiate between the original contents and the duplicate one, and it needs to hear that Google is working hard on fixing this severe issue.

Last thing Matt. You said at threadwatch that you were not going to do anything special for your blog. It honors you, but beware that the whole thing could worsen in the next days. Not that we are going to do anything else about it, but our test is very recent. It was just set-up on September 25 (yeah, less than 10 days to get a visit from GoogleGuy, we’re proud lol), and Googlebot has not finished his job yet.

As we said Matt, we’re leaving the test “as it is”. Hopefully you guys in the Googleplex can use it as a “cobaye” to fix your algo. After all, our site is just a lab, and you’re welcome to use it.

The DarkSeoTeam

I’ve just read that the guys at Unofficial SEO Blog believe that ‘Matt’s upgrade of WordPress installation from 2.0.x to 2.1.x might have helped Dark SEO Team to hack it.’ This does not appear to be a wordpress hack, but rather an Apache exploit. It will be interesting if the precise exploit is ever detailed. All this demonstrates is why every enterprise site must use some form of application firewall.

All these options are excellent ideas, however, has the option of using your firewall’s strategic capabilities been considered? Let’s take a look.

Within iptables you can essentially add IP addresses to a list, which are then checked against by all future matched incoming connections. This allows a sysadmin to limit the number of connections against either a number of seconds, or connection attempts.

The following two rules will limit incoming connections to port 22 to no more than 5 attemps in a minute – any more than that will be dropped:

iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW \
-m recent –set
iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW \
-m recent –update –seconds 60 –hitcount 5 -j DROP

This rule firstly records all new incoming connections, the second rule is where the clever stuff is done..
Ultimately, these rules means that:

• The IP address which initiated the connection has previously been added to the list and
• The IP address has sent a logged packet in the past 60 seconds and
• The IP address has sent >=5 packets in total.

 
With this rule implemented you can protect yourself safely, efficiently and securely against dictionary attacks.

The answer is to allow your desktop index to reside on an encrypted drive. However, google does not allow you to directly change your index location. Here’s how you over-come this…

Load up “regedit”, then navigate to:
HKEY_CURRENT_USER\SOFTWARE\Google\Google Desktop\

Change the file data_dir to your new, custom, location:

Exit regedit, restart GDS.

Done!

The third aspect to consider when considering defining terrorism, seeks to include the mechanism by which those who engage in violence seek to influence the actions and attitudes of their intended audiences. Terrorists seek to attract attention to their cause by employing, or directly threatening, sensational acts of violence that seize the attention of the media, serving to terrorise populations. One academic characterised terrorism as ‘propaganda by deed’. Dershowitz seeks to further elaborate this as ‘by violent and deadly deeds, often against the vulnerable and innocent of victims, and often only as an initial step in a multifaceted program of violence’. As Clausewitz once commented, if ‘war is a mere continuation of policy of other means’ then terrorism is war by other means. Criminal organisations have a history of employing the technique of terror. However, in this case their objectives are financial rather than military, religious or nationalistic.

Consequently, and not surprisingly, there is very little established agreement on the meaning of the word ‘terrorism’. It is regarded as an extraordinary and extreme form of political behaviour; its historical, political, economic, religious and social causes far from clear. Terrorism is extremely diffuse, indeed an explicit definition is often not even attempted, and when the matter is broached, it is routinely admitted that there is ‘no single universally accepted definition of the term’. Even the various agencies of the U.S. government are not united, offering very different definitions of terrorism. The U.S. State Department, for example, uses the definition of terrorism contained in Title 22 of the United States Code, Section 2656(d):

. . .premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents, usually intended to influence an audience

The U.S Federal Bureau of Investigation defines terrorism as

. . . the unlawful use of force or violence against persons or property to intimidate or coerce a Government, the civilian population, or any segment thereof, in furtherance of political or social objectives,

whereas the U.S. Department of Defence defines it as

. . .the unlawful use of – or threatened use of – force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives.

Bruce Hoffman concedes that ‘not surprisingly, each of the above definitions reflects the priorities and particular interests of the specific agency involved’. The State Department’s emphasis is on the premeditated and planned, or calculated, nature of terrorism in direct contrast to more spontaneous acts of political violence. Its definition is also the only one of the three to place emphasis on both the ineluctably political nature of terrorism and the perpetrators’ fundamental ‘sub-national’ characteristic. Notably, the State Department’s definition is sufficiently lacking when it comes to considering the psychological dimension of terrorism. Hoffman believes Terrorism to be as much ‘about the threat of violence as the violent act itself, and accordingly, is deliberately conceived to have far reaching psychological repercussions beyond the actual target of the act among a wider, watching, ‘target’ audience’. As Brian Jenkins carefully noted just over two decades ago, ‘terrorism is theatre’. Quite simply, the terrorist prefers a lot of people watching rather than a lot of people dead.

The Department of Defence’s definition is arguably the most complete of the above definitions. As Hoffman notes, their definition seeks to highlight the threat of the terrorist equally as much as the actual act of violence, focusing on terrorism’s targeting of whole societies as well as governments and state apparatus. Notably, the Department of Defence cites the religious and ideological aims of terrorism alongside its fundamental political objectives – however, omits the crucial social dimensions founds in the FBI’s definition.

So, just why is the word ‘terrorism’ seemingly so difficult to define? Hoffman observes that ‘as the meaning and usage of the word have changed over time to accommodate the political vernacular and discourse of each successive era, terrorism has proved increasingly elusive in the face of attempts to construct one consistent definition’. Indeed, earlier terrorist practitioners were far more willing to co-operate in this endeavour than their contemporaries. Early terrorists didn’t suppress their terrorist desires or hide behind such semantics such as ‘freedom fighter’ or ‘urban guerrilla’.

Indeed, the nineteenth century anarchists unashamedly and with forthright, proclaimed themselves to be terrorists and admitted their tactics to be that of terrorism. By the middle of the 20th Century, however, this forthright language was beginning to quell. The Jewish terrorist organisation of the 1940’s known as Lehi is thought to be one of the last terrorist organisations to publicly describe itself as such. Similarly, more than twenty years later the Brazilian revolutionary Carlos Marighela pulled no punches when it came to the avocation of terrorist tactics , yet he still insisted on portraying himself and his followers as ‘urban guerrillas’ rather than ‘urban terrorists’. Furthermore, it is clear from Marighela’s writings that he was fully aware of the word’s undesirable connotations, and took steps to replace them with more favourable ones. The usage of the words ‘terrorism’ and ‘terrorist’ have acquired an intensely negative connotation in contemporary discourse. Part of the explanation is the perception that terrorism targets (innocent) people who should not be targeted, and involves methods that should not be employed, for example, the taking and killing of hostages. Accordingly, the perpetrators of terrorist acts are commonly perceived to be morally depraved, even when the terrorist is willing to sacrifice their own life to further their cause.

There is one point that political scientists generally all agree on: terrorism is a pejorative term. It is a word with distinctly negative connotations that is generally applied to one’s enemies and opponents, or to those with whom one disagrees and would otherwise prefer to ignore. Brian Jenkins wrote that ‘what is called terrorism, thus seems to depend on one’s point of view. Use of the term implies a moral judgement; and if one party can successfully attach the label terrorist to its opponent, then it has indirectly persuaded others to adopt its moral viewpoint’. Hoffman believes that the decision to call someone or label an organisation ‘terrorist’ thus becomes almost unavoidably subjective, depending largely on whether one sympathises with or opposes the person/group/cause concerned. If one identifies with the victim of the violence, for example, then the act is classed as terrorism.

On the other hand, if one identifies with the perpetrator, the violent act is regarded in a more sympathetic, if not positive light; and it is not classed as terrorism. This statement could not be better demonstrated than when, following the 1972 Munich Olympics massacre, then UN Secretary-General Kurt Waldheim urged the UN member states to take practical steps that might prevent further bloodshed. Whilst most member states supported the Secretary-General, a minority of Arab states and various African and Asian countries sought to derail the discussions. They argued that ‘people who struggle to liberate themselves from foreign oppression and exploitation have the right to use all methods at their disposal, including force’.

The delegates from the Third World attempted to justify their stance with two arguments. They first claimed that all bona-fide liberation movements are invariably labelled as ‘terrorists’ by the regimes against which their struggles for freedom are directed. For example, the Nazi’s labelled resistance groups who opposed Germany’s occupation of their lands, ‘terrorists’. Therefore, by seeking to condemn terrorism the UN was effectively endorsing the power of the strong over the weak – in effect, acting to defend the status quo. Secondly, the delegates argued that it is not the violence itself that is germane, but its ‘underlying causes’: that is, the ‘misery, frustration, grievance and despair’ that produce such violent atrocities. As a result of these actions, UN efforts to make substantial progress on international co-operation against terrorism were throttled.

It is perhaps comforting to know, that even the wisest of scholars and respected experts have struggled to come up with an all-encompassing definition of ‘terrorism’. Indeed, Alex Schmid devoted more than a hundred pages to examining more than a hundred definitions of terrorism in an effort to discover a reasonably acceptable, comprehensive explication of the word. Four years and a second edition later, Schmid was no closer in achieving his quest, conceding in the first sentence of his revised volume that the ‘search for an adequate definition is still on’. In his ground-breaking work on the subject, Walter Laqueur experienced immense trouble trying to define terrorism. Eventually concluding that ‘it is neither possible to do so nor worthwhile to make the attempt’. Responding to a survey on definitions by Schmid, Laqueur asserted that ‘ten years of debates on typologies and definitions have not enhanced our knowledge of the subject to a significant degree’.

Throughout, this essay has deliberately not attempted to explicitly define the word terrorism, but rather to demonstrate the elements that factor into attempted definitions of the word; as well as demonstrating just how variable the term ‘terrorism’ actually is. In Inside Terrorism, Hoffman, whilst acknowledging the obvious difficulties with defining the word, sought to attempt his own definition. It is with this definition that this essay concludes.

Hoffman sought firstly to distinguish terrorists from other types of criminals, then to distinguish terrorism from other types of crime. He concluded that terrorism is the ‘deliberate creation and exploitation of fear through violence or the threat of violence in the pursuit of political change’. It is important to note that all terrorist acts involve either violence or the direct threat of violence. Terrorism directly seeks to establish far-reaching psychological effects, going beyond the immediate victim or object of the terrorist attack. It is designed to instil fear, seeking to intimidate a wider target audience.

This audience can include a rival ethnic or religious group, an entire country, a national government or political party, or just public opinion in general. Specifically, terrorism is ‘designed to create power where there is none or to consolidate power where there is very little’. Through their actions – violent or non violent – terrorists seek to obtain the leverage, influence and power they require to effect political change on either a local or international stage.