SSDP - Simple Service Discovery Protocol - can actually turn out to be a disservice, if this protocol acts in the way pictured to the left. As you can see from the Wireshark capture, SSDP is causing some unnecessary congestion in my LAN; in fact, it's not unusual for SSDP to broadcast about 10 frames every couple of minutes. That's annoying, and if it's causing the same problem for you, the following instructions may help stop this spam.
Unfortunately, if you've posted a comment to a Nullamatix.com post between July 24th and August 29th, they weren't submitted to the queue for approval. This was due to a php.ini setting modification in an effort to enhance security. My apologies if anyone wrote a novel during this time frame. The issue has been resolved and the comment submission form is now working as intended.
One year after the release of Debian GNU/Linux 5.0 alias 'lenny', and nearly three years after the release of Debian GNU/Linux 4.0 alias 'etch', security support for the old distribution (4.0 alias 'etch') is coming to an end next month. The Debian project is proud to have been able to support its old distribution for such a long time, and even for one year after a new version was released.
The firewall policies on Nullamatix.com DROP invalid connection attempts. Specifically, if a packet attempting to start a new TCP connection is not a SYN packet, the packet is dropped. This morning I noticed a few dropped connection attempts from an unusual source, the U.S. Department of Defense. Here are the logs:
After the Lighttpd mod security post and the DDoS attack that followed, I began working on a script that parses the Lighttpd server-error.log and inserts matched records into MySQL. The result? Check it out here: security.nullamatix.com Daily Security Reports. With the abundance of ideas I have for the project, it's far from complete, but definitely worth a beta release. Plans for the future include, but aren't limited to:
The attack started around 03:05:07 EST on Saturday, December 12th, 2009. As far as I know, the attack is still going on. My service provider has null routed the target IP (old IP for www.nullamatix.com), at least until the attack subsides. Fortunately, Nullamatix.com is back up and running as of 14:30:00 EST on Sunday, December 13th, 2009. Here are some details of the attack.
Long-time Nullamatix readers know how much I love reviewing log files. Logs can provide detailed insight not only into the overall health of a system, but also information one can use to mitigate the risks of automated attacks. In this post, I'll go over a couple of ways to harden a PHP-enabled web server and hopefully prevent fx29id1.txt, id23.txt, id.txt, id1.txt, fxid.txt, one.txt, fx1.txt, and several other automated attacks from successfully exploiting common weaknesses.
After adding a few IPs to a firewall drop list, I wondered, "exactly how many IPs are in this drop list?" Since the list contained 187 entries, all in CIDR notation, adding up the total number of IPs in my head was impossible. So, I put together this little script and figured someone else out there might also benefit.