errr-online.com

A simple first step to some basic security on your web server is to make the response headers say as little as possible. This is not going to be the end all only thing you need to do to secure your web server, but hey like I said its a basic first step. When you hit a website and are looking at the content you might find your self wondering “What OS, and what web server is this person using.. And hey I see the pages end with .php I wonder what version of that they are using too..” Well this is all (by default on most systems) just pushed out to everyone who visits the site. You can find this with out even having to have any command line skills or know how to use wget or curl. A simple Firefox Plugin can tell anyone this. The typical output will look something like this:

X-Powered-By: PHP/5.2.6-1+lenny4
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Transfer-Encoding: chunked
Date: Sat, 27 Feb 2010 16:18:09 GMT
Server: lighttpd/1.4.25
200 OK

Wow thats a lot of info about this persons server… We can see here that they are running Debian Lenny, and they have php 5.2.6 with a patch set or 2 on it, and they have Lighttpd version 1.4.25. That now lets a possible attacker know which security lists to go hit up looking for possible exploits in any of the above mentioned software.. And a simple nmap command can automate this whole process of looking for a “mark” through entire net blocks in a matter of seconds.

Lets start by telling less info about our web server. The default response from Lighttpd is lighttpd #current-version# To change this all we need to do is edit our lighttpd.conf file. Using your favorite text editor lets open up lighttpd.conf and look though it for server.tag Odds are its not in there but thats OK we will add it and define the value.

server.tag = “WebServer”

Now that we have done that we will need to restart the web server. Next time we check our site it will look more like this:

X-Powered-By: PHP/5.2.6-1+lenny4
Content-Type: text/html
Transfer-Encoding: chunked
Date: Sat, 27 Feb 2010 15:56:46 GMT
Server: WebServer

Ah now that is much better but that pesky PHP is still telling everyone what OS and version of PHP we have.

Now lets shut PHP up. Using your favorite text editor open your php.ini file and lets look through it for expose_php By default the value will be set to On. We need to set it to Off. Now we need to restart Lighttpd again. Now our response headers will look like:

Content-Type: text/html
Transfer-Encoding: chunked
Date: Sat, 27 Feb 2010 16:02:47 GMT
Server: WebServer

Now again.. This is not the end all.. you still need to sercure the box with iptables or some other type of firewall because this did not make your server any more secure than it was before. All we did was HIDE the info making it harder to find out what you have. There are many other things you can do like running these services in a chroot jail, but this is not going to hurt to do.

Yesterday I was adding a new domain to our servers to slave. While looking though syslog to make sure this was all working I noticed a whole flood of requests for a site that was busted.

unexpected RCODE (REFUSED) resolving ‘www.examplesite.com/A/IN’: x.x.x.x#53

This was just filling my logs like crazy. I wanted to know who on my network was making so many requests for this site.. I was really hoping I didnt have some infected PC on my LAN. To find out I turned on the query log. This is not on by default on Debian, or on Ubuntu, or CentOS which is what I use for all of my DNS. To turn on query log is pretty simple. I added the following to my named.conf.options file

logging {
channel “querylog” {
file “/var/log/bind9-query.log”;
print-time yes;
};
category queries {
querylog;
};
};

Once added you need to make sure this directory is present. If you are in a chroot environment like a good sysadmin remember this path is relevant to your chroot so /var/log/bind9-query.log might really be /chroot/bind9/var/log/bind9-query.log Next make sure your bind user had read/write access to the file.

chown bind:bind /chroot/bind9/var/log/bind9-query.log

Next simply

rndc reload

and go watch that puppy fill up in a hurry. I do not like to keep this turned on because it fills up so fast and I only seem to need it when there is a problem. If you do decide to keep it turned on make sure you set up a logrotate for it. In my environment this log will get to be several megs in under an hour. Sure hope this will help you figure out who is querying what on your network.

Sample output from the log file

05-Feb-2010 09:08:25.524 client 192.168.1.142#51521: query: claimlj2.my.domain.com IN AAAA +

So my media center pc was having issues with sound. Some channels worked great, and others didnt work right at all. By this I mean that you could hear the laugh track perfect but couldnt hear the dialog at all. I am using an Asus P5Q SE/R motherboard, this board has a Realtech HD audio chipset. The sound seemed to work perfect in all the apps I tried.. VLC, Windows Media player, even the HDHomerun Quick TV app. I was stumped.. The device manager showed no unknown devices and reported all devices working correctly. As usual I went to google and tried to find a solution. I found nothing.. I decided there were not enough options in the windows control panel for my sound card so I thought I would see if Asus had a driver for this system They did… I downloaded the audio drivers from Asus here: http://support.asus.com/ you have to search for your motherboard then your OS, then go to the audio driver section. I grabbed the global file which was about 72MB worth of a zip file. Once the down load is complete you can right click the file and extract the files, browse into the directory and find the Setup file, and run through it.. Once the reboot is complete you just need to make sure the Realtech audio settings are correct for your speaker setup do the test from the audio app, and enjoy the sound not giving you problems in media center any more