Oct 26

Awesome Phishing Spam

Below is the awesome phishing spam I got today, sent to my work email address. Apparently I was the only actual user account to get this email. The actual email addresses/domains have been redacted. However, just imagine if you had received this email in YOUR work inbox. The .exe payload was a virus.


From: "System" <redacted@redacted>
To: <redacted@redacted>
Subject: Attention - Mail system upgrade
Date: Mon, 26 Oct 2009 19:47:54 +0530

Attention!

On October 30, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.redacted.com.secure.s-data1.net/mail/id=7254828-redacted@redacted.com-patch5370226.exe

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

Oct 02

What Firewalls Won’t Do

I had a customer ask me in a ticket today, “why isn’t my hardware firewall protecting my server against this brute-force [login] attack?”

My answer was “a hardware firewall will not protect your server against a brute-force attack.”

Why? Because it's not designed to do that. A hardware firewall is simply a traffic filter: it allows, disallows, or in some cases routes traffic based on rules you set. It doesn't know that Joe User's account shouldn't be logged into repeatedly from a Ukrainian IP unless you tell it to only allow certain IPs through for that protocol.

That’s why we have scripts like BFD (http://www.rfxn.com/projects/brute-force-detection/).

It's also a good idea to move services like SSH to a random non-default port, disable direct root logins, and of course only allow certain IPs to access services like SSH.
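To show the gap the post describes, here is an added example (not BFD's code, and not from the original post) of the log-driven logic a BFD-style script adds on top of a plain traffic filter: it parses constructed sshd auth-log lines, counts failed logins per source IP inside a sliding time window, and emits the host-side iptables rule that blocks a source once it trips the threshold. The log lines, threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd auth-log lines (syslog format); not taken from the post.
SAMPLE_AUTH_LOG = """\
Oct 26 19:47:01 vps sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct 26 19:47:03 vps sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Oct 26 19:47:04 vps sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 40126 ssh2
Oct 26 19:47:06 vps sshd[2207]: Failed password for root from 198.51.100.7 port 40128 ssh2
Oct 26 19:47:09 vps sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Oct 26 19:52:30 vps sshd[2301]: Failed password for joe from 203.0.113.15 port 51000 ssh2
Oct 26 19:52:41 vps sshd[2303]: Accepted password for joe from 203.0.113.15 port 51000 ssh2
Oct 26 20:30:00 vps sshd[2400]: Failed password for root from 192.0.2.99 port 33000 ssh2
Oct 26 21:30:00 vps sshd[2401]: Failed password for root from 192.0.2.99 port 33001 ssh2
Oct 26 22:30:00 vps sshd[2402]: Failed password for root from 192.0.2.99 port 33002 ssh2
"""
# Only failed logins count; accepted logins and unrelated lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def detect_brute_force(log_text, threshold=5, window=600):
    """Return {ip: peak_failures} for each source IP with at least `threshold`
    failed logins inside some `window`-second span (lines in chronological order)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(t)
        while (t - q[0]).total_seconds() > window:
            q.popleft()  # slide the window forward, forgetting old failures
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def block_rule(ip, port=22):
    """Host-side iptables rule a BFD/LFD-style script installs once a source trips
    the threshold; a plain traffic filter has no way to derive this on its own."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"

if __name__ == "__main__":
    for ip, n in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failures within 10 minutes -> {block_rule(ip)}")
```

Note that the slow source (one failure per hour) never trips the default 10-minute window, which is exactly why threshold and window need tuning per service rather than being left at one fixed value.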

Oct 23

Security Improvements

Now that I'm on the Secteam at LW, it's obviously got me thinking harder about implementing better security measures on this VPS. One thing I've already done is install CSF (ConfigServer Security & Firewall, available at http://configserver.com), and set LFD (the login failure daemon) to send me emails about detected security issues.

I also have Apache2/ModSecurity2 (with our latest ruleset), however I'm finding that I probably need to make a few other adjustments, such as enabling suPHP and open_basedir, locking down permissions, and most importantly, keeping up with new versions of software (omg, WordPress 2.6.2 already?!). These things I hope to accomplish very, very soon.