Articles taggués ‘HTTP’

How To Isolate Servers Within A Private Network Using Iptables

02/02/2019 Comments off

Source: DigitalOcean – Mitchell Anicas


In this tutorial, we will teach you how to use a Iptables with shared private networking to simulate the network traffic isolation that a true private network can provide. We will also cover why you would want to do this, and provide an example of how to implement this in your own environment. The example should explain the concept well enough that you should be able to adapt the configuration to your own needs.

DigitalOcean’s private networking option grants a second networking interface to a VPS, which is only accessible to other VPSs in the same datacenter–which includes the VPSs of other customers in the same datacenter. This is known as shared private networking. This means that data sent over a VPS’s private interface does not leave the datacenter at all, and no billable bandwidth usage will be incurred.

At the time of this writing, DigitalOcean offers the private networking option for VPSs in the following data centers:

  • Amsterdam 2
  • New York 2
  • Singapore 1

Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, iptables only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called ip6tables, which can be used to maintain firewall rules for IPv6 network addresses.

If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS

Example Scenario

For our example, we will use the environment created by the following tutorial: How To Optimize WordPress Performance With MySQL Replication On Ubuntu 14.04.

Here is a diagram of what the environment looks like:


The example environment uses five VPSs (and iptables are not configured):

  • haproxy-www: Reverse proxy load balancer
  • wordpress-1: First application server
  • wordpress-2: Second application server
  • mysql-1: Master MySQL database server
  • mysql-2: Slave MySQL database server

If your setup doesn’t look like this, you should still be able to follow along. Also, if you would like to read up on setting up a VPS with private networking or iptables basics, here are a few links that you might find to be useful (this tutorial assumes you know the basics of iptables):

If you are already familiar with the concepts, and would like to see the iptables setup, feel free to skip to the Overview of Iptables Configuration section.

Our Goal

When we are finished with this tutorial, we should have an environment that looks something like the following diagram:


All of the servers in the private network area can only be communicated with by other servers within this private network (the orange box). The load balancer will be accessible via the Internet and also be linked to the private network. The enforcement of this policy will be implemented via iptables on each server.

Note: To block traffic to your public interface, you can either disable your public interface or set up firewall rules to achieve a similar effect with Iptables. We will go with the firewall option because we can configure it block unwanted network traffic, while allowing our server to access the Internet when it initiates the connection (this is useful for things like downloading updates on the server).

HTTP DDoS Attack Mitigation Using Tarpitting

28/01/2019 Comments off

Recently, the anti-spam organization Spamhaus has come under yet another distributed denial-of-service attack. With some help from our good friends at myNetWatchman we were able to obtain a sample of the malware used in the attack. This one is particularly nasty, starting up 1500 threads to send randomized HTTP requests to Spamhaus’ webserver in a loop. This attack tool doesn’t have a command-and-control mechanism, so it was likely force-installed on all the infected systems of an existing botnet.

This kind of attack is particularly troublesome to deal with. While simplistic packet-based attacks can be more easily mitigated upstream, with an HTTP-based attack it is often difficult to distinguish attack traffic from legitimate HTTP requests. And because the attack consumes resources from the webserver, not just the system TCP/IP stack, it can quickly bring even a well-tuned webserver to its knees unless the target has better-than-average resources at its disposal to help weather the storm (like Spamhaus does).ddostool

Fortunately, most HTTP-based DoS attacks we have seen have a particular weakness – they are vulnerable to a technique known as « tarpitting ». This idea was first proposed by Tom Liston many years ago when the first scanning worms hit the Internet, and was implemented in his program LaBrea (which he no longer offers for download, due to legal concerns – however, the source code can still be found elsewhere and should work on Linux or BSD-based operating systems). The quickest way to implement tarpitting (if your webserver runs on Linux) is in the Linux netfilter source code. If the tarpit module is compiled for your Linux kernel, the operation becomes as simple as « iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT« .

Tarpitting works by taking advantage of TCP/IP’s idea of window size and state. In a tarpitted session, we respond to the connection initiation as normal, but we immediately set our TCP window size to just a few bytes in size. By design, the connecting system’s TCP/IP stack must not send any more data than will fit in our TCP window before waiting for us to ACK the packets sent. This is to allow connections to deal with packet loss that might occur in a normal session. If the sending system doesn’t get an ACK to a packet sent, it will resend the packet at increasingly longer intervals. In our tarpitted session, we simply don’t ack any of the post-handshake packets at all, forcing the remote TCP/IP stack to keep trying to send us those same few bytes, but waiting longer each time. With this, bandwidth usage falls off quickly to almost nothing.

It might seem reasonable to simply use iptables -j DROP to not respond to connections at all – this will certainly prevent the webserver from seeing the connection, but because the connection may have a timeout set, it is likely we’ll keep seeing connection attempts at a fairly regular rate. Essentially a DROP rule turns our HTTP flood into a SYN flood.

Below is a chart made by running the Spamhaus DDoS malware on a single host in a sandnet, and comparing the bandwidth usage of each iptables mitigation technique with no mitigation. Here we extrapolated the bandwidth usage of the full non-mitigated attack (the blue line in the chart) from just the first 30 seconds of the attack, rather than let it fully DDoS the server the entire two hours. Under load, our untuned Apache server probably would have slowed down, forcing the attack bandwidth to decrease with it as it became unresponsive. In this simulation we are assuming the server can withstand a single attacker with no slowdown.ddosmitigation

We see that although with tarpitting, there are momentary spikes as the sessions finally time out and try again, overall the average bandwidth usage is substantially lower with tarpitting as opposed to simply dropping the attacker’s packets.

There seems to be an added side-effect to mitigation by tarpit. When the attacked host mitigates with an iptables DROP (no response), the attacker’s CPU load is fairly minimal and the system is responsive. However, as demonstated by the graphic below, under tarpitting the CPU load in our test system quickly rose to 100% as the attacking system’s kernel tried to maintain a large number of open connections in a retry state.

In the case of our test system, the user interface became nearly unresponsive. Of course, this may depend on the overal system CPU speed and RAM (our test was done in a VMware environment which also may be a factor), but if the system becomes unacceptibly slow, it serves as an impetus for the unknowing owner of the attacking system to have the computer cleaned of its botnet infection.cpuload

Unfortunately, the TARPIT iptables module is not part of every Linux distribution. It is possible to obtain it by getting the netfilter Patch-o-Matic-NG source and compiling it for your kernel (don’t forget the iptables source must also be patched to support the TARPIT option).

At some point, the scalability of having thousands of iptables rules may come into play. At the University of Florida, Chuck Logan and Jordan Wiens were able to successfully mitigate a DDoS attack from the Netsky virus by writing customized software to detect the attacking hosts and create intelligent chains of iptables rules that were more scalable. Details and source code can be found here.

No matter how you implement it, tarpitting isn’t going to completely stop an attack – it can only slow it down. However, it could be an effective stop-gap measure until upstream providers can effectively null-route an attack on your website, or until the attack stops on its own.

Source: Dell SecureWorks – Author: Joe Stewart

Administration réseau sous Linux: Apache

25/01/2019 Comments off

Source: Wikilivres

Apache est un serveur HTTP libre. Un serveur HTTP permet d’héberger des sites web qui seront accessibles avec un navigateur tel que Mozilla Firefox, Internet Explorer ou encore Chrome.

Un site web peut fournir tout type de contenu (des fichiers textes, HTML, Flash, zip…). Ce contenu peut être statique (le serveur transmet un fichier au navigateur) ou dynamique (le contenu est généré par un programme exécuté par le serveur). Les sites web contiennent généralement plusieurs types de documents, certains étant statiques et d’autres dynamiques.

Nous traiterons ici d’Apache 2.2 sur un système Debian (et ses dérivés, comme Ubuntu).

Fichiers log

Par défaut sous Debian, Apache enregistre les erreurs dans le fichier /var/log/apache2/error.log. Quand quelque chose ne fonctionne pas, ce fichier fournit souvent des pistes pour trouver la solution.

Il enregistre également toutes les requêtes dans /var/log/apache2/access.log.

Configuration de base

Sous Debian, Apache se lance automatiquement lorsqu’on l’installe et à chaque démarrage du système. Lorsqu’on modifie sa configuration, il faut lui faire prendre connaissance des changements avec la commande

/etc/init.d/apache2 reload

Pour l’arrêter, le lancer ou le relancer on utilisera la même commande avec stop, start ou restart.

Pour d’autres systèmes il faudra consulter la documentation du système ou celle d’Apache [archive].

Configuration du serveur

La configuration [archive] du serveur se trouve dans /etc/apache2/apache2.conf. Ce fichier contient des instructions Include [archive] qui permettent de déplacer certaines parties de la configuration dans d’autres fichiers. Debian utilise cette fonctionnalité pour les modules [archive] (comme PHP) et la gestion des serveurs virtuels [archive] :

Configuration des modules

Le répertoire /etc/apache2/mods-available contient les modules installés. Le répertoire /etc/apache2/mods-enabled contient les modules activés. Les modules activés sont des liens symboliques vers les modules installés.

Pour activer ou désactiver un module, on peut manipuler directement les liens ou utiliser les commandes a2enmod et a2dismod (voir les pages de man).

Configuration des sites

De la même manière, le répertoire /etc/apache2/sites-available contient les sites web disponibles et /etc/apache2/sites-enabled les sites activés. Il en existe un préinstallé : le site default.

Les sites peuvent s’activer ou se désactiver en manipulant les liens dans sites-enabled ou en utilisant a2ensite et a2dissite. Lire la suite…

Categories: Logiciel Tags: , ,

iptables: Linux firewall rules for a basic Web Server

15/01/2019 Comments off

What is iptables?

linux firewall web serveriptables is a package and kernel module for Linux that uses the netfilter hooks within the Linux kernel to provide filtering, network address translation, and packet mangling. iptables is a powerful tool for turning a regular Linux system into a simple or advanced firewall.

Firewall & iptables basics

Rules are first come first serve

In iptables much like other (but not all) firewall filtering packages the rules are presented in a list. When a packet is being processed, iptables will read through its rule-set list and the first rule that matches this packet completely gets applied.

For example if our rule-set looks like below, all HTTP connections will be denied:

  • Allow all SSH Connections
  • Deny all connections
  • Allow all HTTP Connections

If the packet was for SSH it would be allowed because it matches rule #1, HTTP traffic on the other hand would be denied because it matches both rule #2 and rule #3. Because rule #2 says Deny all connections the HTTP traffic would be denied.

This is an example of why order matters with iptables, keep this in mind as we will see this later in this article.

Lire la suite…

Websync, web interface to manage your rsync tasks

15/01/2019 Comments off


tasks_tabRsync is a great tool to replicate, sync some data on your computer. And I’m heavily relying on it to backup my server and to mirror some opensource projects and GNU/Linux Distributions.

But I’ve recently found a Web interface to manage all my rsync tasks called websync.

Websync is a web based rsync task manager where you can add, edit, clone, remove, scheduled,…. your rsync tasks while being able to have a remote host as source or destination of the task (With SSH RSA key too)

Under the free license MIT, Websync has been developped by Sander Struijk and is still actively being maintained, as you can see on github forum. But it is still an early project, so if you face any issue, make sure to report them on the issue tracker.

Interested to give it a shot, here is how to install Websync!

Lire la suite…

Categories: Logiciel, Système Tags: , , ,