Search Results

Search found 29222 results on 1169 pages for 'network security'.

Page 157/1169 | < Previous Page | 153 154 155 156 157 158 159 160 161 162 163 164 | Next Page >

How disable mysql command in sudoers file?

- by Carlos A. Junior

How i can disable /usr/bin/mysql command in sudoers file ? ... Actually I've tryed use with this way: %tailonly ALL=!/usr/bin/mysql But when i'm access if user 'tailonly' of group 'tailonly', this command still enabled. In resume, i'm only want that 'tailonly' user access 'tail -f /usr/app/*.log' ... This is possible ? Edit: With this config, the user 'tailonly' still can access mysql terminal with 'mysql' command: $: sudo su $: visudo Cmnd_Alias MYSQL = /usr/bin/mysql Cmnd_Alias TAIL=/usr/bin/tail -f /jacad/jacad3/logs/*.log # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL %swa ALL=/etc/init.d/jacad3 stop %swa ALL=/etc/init.d/jacad3 start %swa ALL=/etc/init.d/jacad3 restart %swa ALL=sudoedit /jacad/jacad3/bin/jacad_start.sh %tailonly ALL=ALL,!MYSQL

Read the article
Validating allowed characters or validating disallowed characters

- by Tom

I've always validated my user input based on a list of valid/allowed characters, rather than a list of invalid/disallowed characters (or simply no validation). It's just a habit I picked up, probably on this site and I've never really questioned it until now. It makes sense if you wish to, say, validate a phone number, or validate an area code, however recently I've realised I'm also validating input such as Bio Text fields, User Comments, etc. for which the input has no solid syntax. The main advantage has always seemed to be: Validating allowed chars reduces the risk of you missing a potentially malicious character, but increases the risk the of you not allowing a character which the user may want to use. The former is more important. But, providing I am correctly preventing SQL Injection (with prepared statements) and also escaping output, is there any need for this extra barrier of protection? It seems to me as if I am just allowing practically every character on the keyboard, and am forgetting to allow some common characters. Is there an accepted practice for this situation? Or am I missing something obvious? Thanks.

Read the article
How to protect SHTML pages from crawlers/spiders/scrapers?

- by Adam Lynch

I have A LOT of SHTML pages I want to protect from crawlers, spiders & scrapers. I understand the limitations of SSIs. An implementation of the following can be suggested in conjunction with any technology/technologies you wish: The idea is that if you request too many pages too fast you're added to a blacklist for 24 hrs and shown a captcha instead of content, upon every page you request. If you enter the captcha correctly you've removed from the blacklist. There is a whitelist so GoogleBot, etc. will never get blocked. Which is the best/easiest way to implement this idea? Server = IIS Cleaning out the old tuples from a DB every 24 hrs is easily done so no need to explain that.

Read the article
Imitating Exchange Server's "RBAC AuthZ" in my own application... (is there something similar?)

- by makerofthings7

Exchange 2010 has a delegation model where groups of winrm cmdlets are essentally grouped into roles, and the roles assigned to a user. (Image source) This is a great & flexible model considering how I can leverage all the benefits of PowerShell, while using the right low level technologies (WCF, SOAP etc), and requiring no additional software on the client side. (Image source) Question(s) Is there a way for me to leverage Exchange's delegation model in my .NET application? Has anyone attempted to imitate this model? If I must start from scratch, how would I go about imitating this approach?

Read the article
How to safely collect bank account from website?

- by Alexandru Trandafir Catalin

I want to collect bank account information from my customers on my website. I'd like to do that trough a form, then I will download it to a PC, print it, and then delete it from the website. Or eventually, send it somewhere external right after the user submitted the form so it never gets stored on the website. The goal is to recieve the payment information without having to ask the customer to print, fill manually, and send it over fax. And accomplish this without having to use an external payment gateway. Thank you, Alex.

Read the article
Is /home encryption useful on a server?

- by Dennis

I've got a question about the use of encryption: I set up a Ubuntu 12.04 server to use it as a router, file server for backups and webserver. Of course, it is probably not the best idea to put backups on the same system as a web server, but it is only for private usage and I don't want to spend too much money. So I thought it is not a bad idea to set up /home-encryption for the backup-user-account with which I do my backups. But in the same moment, another quesiton arises: Does it still makes sense? Via SSH, root login is disabled. And access to the /home-folder of that user is reduced to the user itself. So the only scenario to access the /home-folder is to connect keyboard/display to the server, login as root and change to /home. Or have I overseen a scenario? In case I am right, you can only access the /home-folder from "outside" as the backup-user. But than, encryption also doesn't make sense anymore. Am I right about that thoughts? Or do you still see a way to access the /home-folder of the backup user so that encryption still makes sense? Thanks for your help in advance!

Read the article
Free forum engine with good anti-attack mechanisms

- by macias

I am looking for forum engine (for discussions) with good attack countermeasures built in. Windows (preferrably) or Linux. Free (as beer). I think about registration flooding and blocking user accounts attacks. For registration, such engine should have at least: captcha blocking mulitple registrations from the same IP providing login (for logging in) and user name (for displaying the author of the posts) For logging in: no blocking on multiple tries -- instead after X try sending via mail a token, the third piece needed for next login -- without it logging in will be impossible (it would be similar to activation process) The engine should be designed with two ideas in mind: protecting engine against attacks 0 penalty for decent users Thank you in advance for your help and recommendations.

Read the article
IIS Not Accepting Login Credentials

- by Dale Jay

I have an ASP.NET web form using Microsoft's boilerplate Active Directory login page, set up exactly as suggested. (See http://msdn.microsoft.com/en-us/library/ms180890%28v=vs.80%29.aspx) Windows Authentication is activated on the "Default Website" and "MyWebsite" levels, and Domain\This.User is given "Allow" access to the site. After entering the valid credentials for This.User on the web form, a popup window appears asking me to enter my credentials yet again. Despite entering valid credentials for This.User (after attempting Domain\This.User and This.User formats), it rejects the credentials and returns an unauthorized user page. Active Directory user This.User is valid, the IP address of the AD server has been verified and SPN's have been set up for the server. Any thoughts as to what may be causing this? I can post code if needed.

Read the article
PCI compliance when using third-party processing

- by Moses

My company is outsourcing the development of our new e-commerce site to a third party web development company. The way they set up our site to handle transactions is by having the user enter the necessary payment info, then passing that data to a third party merchant that processes the payment, then completing the transaction if everything is good. When the issue of PCI/DSS compliance was raised, they said: You wont need PCI certification because the clients browser will send the sensitive information directly to the third party merchant when the transaction is processed. However, the process will be transparent to the user because all interface and displays are controlled by us. The only server required to be compliant is the third party merchant's because no sensitive card data ever touches your server or web app. Even though I very much so trust and respect the knowledge of our web developers, what they are saying is raising some serious red flags for me. The way the site is described, I am sure we will not be using a hosted payment page like PayPal or Google Checkout offers (how could we maintain control over UI if we were?) And while my knowledge of e-commerce is laughable at best, it seems like the only other option for us would be to use XML direct to communicate with our third party merchant for processing. My two questions are as follows: Based off everything you've read, is "XML Direct" the only option they could conceivably be using, or is there another method I don't know of which they could be implementing? Most importantly, is it true our site does not need PCI certification? As I understand it, using the XML direct method means that we do have to be PCI/DSS certified, and the only way around getting certified is through a payment hosted page (i.e. PayPal).

Read the article
Copying logins to another server

- by DavidWimbush

I'm busy setting up a new server to replace our main live server and part of that is to get the logins copied over. The database users will come over when I restore the databases but I wanted to get the logins they relate to, with the same SIDs, passwords and other properties as they have on the current server. In fact I don't even know the passwords for the logins created by our Sage accounting package - apparently they are generated by the setup using a number of ingredients unique to each installation. I did some Googling and fount this KB article: http://support.microsoft.com/kb/918992/, which more or less did the trick. It produces a set of CREATE LOGIN statements with the SIDs and hashed passwords. But it didn't include the default language, which can subtly or dramatically alter the behaviour of date-related SQL. So I added that bit and you can help yourself here.

Read the article
What is the best way to restrict access to adult content on Ubuntu?

- by Stephen Myall

I bought my kids a PC and installed 12.04 (Unity) on it. The bottom line is, I want my children to use the computer unsupervised while I have confidence they cannot access anything inappropriate. What I have looked at: I was looking at Scrubit a tool which allows me configure my wifi router to block content and this solution would also protect my other PC and mobile devices. This may be overkill as I just want the solution to work on one PC. I also did some Google searches and came across the application called Nanny (it seems to look the part). My experience of OSS is that the best solutions frequently never appear first on a Google search list and in this case I need to trust the methods therefore my question is very specific. I want to leverage your knowledge and experience to understand “What is the best way to restrict adult content on 12.04 LTS” as this is important to me. It maybe a combination of things so please don't answer this question "try this or that", then give me some PPA unless you can share your experience of how good it is and of course if there are any contraints. Thanks in advance

Read the article
How would I tell if a prospective client website is under DDoS attack?

- by artlung

I have a person asking me whether the DDoS Mitigation Service they're using is worth it. This is out of my expertise, but clearly at some point someone sold this service to the client. Assuming I don't have anything but a domain name, what information can I gather about whether they are indeed under attack and/or how well the DDoS Mitigation Service is working? Assume I don't have any administrative access to the site/server(s) in question.

Read the article
Principles of an extensible data proxy

- by Wesley

There is a growing industry now with more than 30 companies playing in the Backend-As-A-Service (BaaS) market. The principle is simple: give companies a secure way of exposing data housed on premises and behind the firewall publicly. This can include database data, as well as Legacy PC data through established connectors; SAP for example provides a connector for transacting with their legacy systems. Early attempts were fixed providers for specific systems like SAP, IBM or Oracle, but the new breed is extensible, allowing Channel Partners and Consultants to build robust integration applications that can consume whatever data sources the client wants to expose. I just happen to be close to finishing a Cloud Based HTML5 application platform that provides robust integration services, and I would like to break ground on an extensible data proxy to complete the system. From what I can gather, I need to provide either an installable web service of some kind, or a Cloud service which the client can configure with VPN for interactions. Then I can build in connectors, which can be activated with a service account, and expose those transactions via web services of some kind (JSON, SOAP, etc). I can also provide a framework that allows people to build in their own connectors, and use some kind of schema to hook those connectors into the proxy. The end result is some kind of public facing web service that could securely be consumed by applications to show data through HTML5 on any device. My gut is, this isn't as hard as it sounds. Almost all of the 30+ companies (With more popping up almost weekly) have all come into existence in the last 18 months or so, which tells me either the root technology, or the skillset to create the technology is in abundance right now. Where should I start on this? Are there some open source projects I can leverage? A specific group of developers I can hire? I'm confident someone here can set me on the right path and save me some time. You don't see this many companies spring up this rapidly if they are all starting from scratch with proprietary technology. The Register: WTF is BaaS One Minute Video from Kony on their BaaS

Read the article
Had anybody earned $0.25+ from each of a captcha (on your website) passing?

- by vgv8

I am a real dummy in web monetizing schemes. [ 1 ] informs: "Solve [Media] charges a fee of about 25 cents to 50 cents for each form that is filled out using a Type-In ad [captcha]... the company splits its fees 50-50 with the websites where the ads are placed" Honestly, I cannot imagine that someone (in its proper senses) pasy that much money for just one captcha passed. And how to understand these claims? http://www.solvemedia.com/images/ie9_aboutcalcount.png shows: Why would Microsot pay 0.25-0.5 USD for each entered string "Be part of the Beta"? Has any of webmasters (sysadmins) got those from deployed SolveMedia captchas on their websites? Is it scam? Because if to check the sites mentioned in http://www.solvemedia.com/gallery.html, that is, for ex., http://www.toyotanation.com/forum/register.php?do=register, the latter do not have such captchas. What do I miss? Cited: [ 1 ] Jennifer Valentino-DeVries "An Online Ad That’s Tough to Ignore" WallStreet Journal Blog SEPTEMBER 20, 2010 http://blogs.wsj.com/digits/2010/09/20/an-online-ad-thats-tough-to-ignore/

Read the article
How can I allow robots access to my sitemap, but prevent casual users from accessing it?

- by morpheous

I am storing my sitemaps in my web folder. I want web crawlers (Googlebot etc) to be able to access the file, but I dont necessarily want all and sundry to have access to it. For example, this site (superuser.com), has a site index - as specified by its robots.txt file (http://superuser.com/robots.txt). However, when you type http://superuser.com/sitemap.xml, you are directed to a 404 page. How can I implement the same thing on my website? I am running a LAMP website, also I am using a sitemap index file (so I have multiple site maps for the site). I would like to use the same mechanism to make them unavailable via a browser, as described above.

Read the article
HTG Explains: What Is Juice Jacking and How Worried Should You Be?

- by Jason Fitzpatrick

Your smartphone needs a recharge yet again and you’re miles from the charger at home; that public charging kiosk is looking pretty promising–just plug your phone in and get the sweet, sweet, energy you crave. What could possible go wrong, right? Thanks to common traits in cellphone hardware and software design, quite a few things–read on to learn more about juice jacking and how to avoid it.

Read the article
Accessing the JSESSIONID from JSF

- by Frank Nimphius

The following code attempts to access and print the user session ID from ADF Faces, using the session cookie that is automatically set by the server and the Http Session object itself. FacesContext fctx = FacesContext.getCurrentInstance(); ExternalContext ectx = fctx.getExternalContext(); HttpSession session = (HttpSession) ectx.getSession(false); String sessionId = session.getId(); System.out.println("Session Id = "+ sessionId); Cookie[] cookies = ((HttpServletRequest)ectx.getRequest()).getCookies(); //reset session string sessionId = null; if (cookies != null) { for (Cookie brezel : cookies) { if (brezel.getName().equalsIgnoreCase("JSESSIONID")) { sessionId = brezel.getValue(); break; } } } System.out.println("JSESSIONID cookie = "+sessionId); Though apparently both approaches to the same thing, they are different in the value they return and the condition under which they work. The getId method, for example returns a session value as shown below grLFTNzJhhnQTqVwxHMGl0WDZPGhZFl2m0JS5SyYVmZqvrfghFxy!-1834097692!1322120041091 Reading the cookie, returns a value like this grLFTNzJhhnQTqVwxHMGl0WDZPGhZFl2m0JS5SyYVmZqvrfghFxy!-1834097692 Though both seem to be identical, the difference is within "!1322120041091" added to the id when reading it directly from the Http Session object. Dependent on the use case the session Id is looked up for, the difference may not be important. Another difference however, is of importance. The cookie reading only works if the session Id is added as a cookie to the request, which is configurable for applications in the weblogic-application.xml file. If cookies are disabled, then the server adds the session ID to the request URL (actually it appends it to the end of the URI, so right after the view Id reference). In this case however no cookie is set so that the lookup returns empty. In both cases however, the getId variant works.

Read the article
Sync KeePassX with KeePass2

- by bioShark

Simply put: In Ubuntu I am using KeePassX and in Windows KeePass2. In am not able to export/import passwords from one to another. I would prefer to use the same database, but I don't really know how. If there is no possibility to sync the 2, can you recommend another password vault, which is able to sync passwords from 2 OS, using a shared DB. Thanks I am using Ubuntu 12.04 and Win 7. Edit: I have noticed that KeePass2 is available in the Software Center, so I have installed it, and I can successfully open my Win7 database. Now I will migrate my KeePassX passwords. I am seeing now a huge difference in the looks. While KeePassX doesn't exactly have Ubuntu like look&feel, it's 100 times more elegant than the interface KeePass2 comes with. Well, maybe that was my initial decision for installing KeePassX on my Ubuntu machine. I can't remember. @fossfreedom, please add your comment as a response, so that I can accept it. Thank for the suggestion

Read the article
Why is iOS "jailbreaking" CPU specific? [closed]

- by Ted Wong

Recently, iOS 6 was "jailbroken" but only on the Apple A4 CPU. Why is the "jailbreaking" process specific to a CPU? From Wikipedia: ... "iOS jailbreaking is the process of removing the limitations imposed by Apple on devices running the iOS operating system through the use of hardware/software exploits – such devices include the iPhone, iPod touch, iPad, and second generation Apple TV. Jailbreaking allows iOS users to gain root access to the operating system""" ...

Read the article
Hash Sum mismatch on python-keyring

- by Gearoid Murphy

I came in to my workstation this morning to find an apt error notification relating to a hash sum mismatch on the python keyring password storage mechanism, given the sensitive nature of this package, this gives me some cause for concern. Has anyone else seen this error?, how can I ensure that my system has not been compromised? Failed to fetch http://gb.archive.ubuntu.com/ubuntu/pool/main/p/python-keyring/python-keyring_0.9.2-0ubuntu0.12.04.2_all.deb Hash Sum mismatch Xubuntu 11.04 AMD64

Read the article
JDeveloper 11.1.2 : Command Link in Table Column Work Around

- by Frank Nimphius

Just figured that in Oracle JDeveloper 11.1.2, clicking on a command link in a table does not mark the table row as selected as it is the behavior in previous releases of Oracle JDeveloper. For the time being, the following work around can be used to achieve the "old" behavior: To mark the table row as selected, you need to build and queue the table selection event in the code executed by the command link action listener. To queue a selection event, you need to know about the rowKey of the row that the command link that you clicked on is located in. To get to this information, you add an f:attribute tag to the command link as shown below <af:column sortProperty="#{bindings.DepartmentsView1.hints.DepartmentId.name}" sortable="false" headerText="#{bindings.DepartmentsView1.hints.DepartmentId.label}" id="c1"> <af:commandLink text="#{row.DepartmentId}" id="cl1" partialSubmit="true" actionListener="#{BrowseBean.onCommandItemSelected}"> <f:attribute name="rowKey" value="#{row.rowKey}"/> </af:commandLink> ... </af:column> The f:attribute tag references #{row.rowKey} wich in ADF translates to JUCtrlHierNodeBinding.getRowKey(). This information can be used in the command link action listener to compose the RowKeySet you need to queue the selected row. For simplicitly reasons, I created a table "binding" reference to the managed bean that executes the command link action. The managed bean code that is referenced from the af:commandLink actionListener property is shown next: public void onCommandItemSelected(ActionEvent actionEvent) { //get access to the clicked command link RichCommandLink comp = (RichCommandLink)actionEvent.getComponent(); //read the added f:attribute value Key rowKey = (Key) comp.getAttributes().get("rowKey"); //get the current selected RowKeySet from the table RowKeySet oldSelection = table.getSelectedRowKeys(); //build an empty RowKeySet for the new selection RowKeySetImpl newSelection = new RowKeySetImpl(); //RowKeySets contain List objects with key objects in them ArrayList list = new ArrayList(); list.add(rowKey); newSelection.add(list); //create the selectionEvent and queue it SelectionEvent selectionEvent = new SelectionEvent(oldSelection, newSelection, table); selectionEvent.queue(); //refresh the table AdfFacesContext.getCurrentInstance().addPartialTarget(table); }

Read the article
Phishing alert but file never existed

- by IMB

I got an alert from Google Webmasters. They say the following file was present in my host: example.com/~jhostgop/identity.php I checked my files and it never existed at all. I've experience this problem in two different host and domains but the file never existed in my file system. It appears somebody out there is linking a random domain and it prefixes the link with /~jhostgop/identity.php. Now Google may have indexed them so now I get those false phishing alerts. Anyone experienced this? Is it possible to prevent this?

Read the article
Ubuntu comes with firewall by default?

- by LuC1F3R

I understand the Ubuntu comes with firwallul UFW is true? There is a GUI for it? if so, what is his name and where do I download? It is possible that UFW notify us (like in windows with a pop-up windows)when someone wants access to your pc or when an application wants to go out on the internet? Is there any firewall for ubuntu notify you when someone wants access to your PC or when an application wants to access the Internet?

Read the article
WordPress injection?

- by saul

I don't really know how to express my problem, so bear with me. This is a bit hard to explain. I have a Wordpress installation, the latest, and often (once a day) my site redirects users to the /wp-admin/install.php file. Asking for my login credentials of course. I have tried reinstalling WordPress and still have not been able to figure what they are doing. That happens regularly. Also, a few hours later, I am able to see my site normally. Hope this makes sense. I suspect there myst be some database DoS that allows them to inject a redirect of some sort into my admin area, thus redirecting the user to said directory (install.php). But that's just me. I really have no clue what else could they be doing. I looked at the source code from several php files and noted some of them don't include a ? tag. Could that be an issue? My hosting company is iPage, I've contacted them and they say there's nothing wrong with my files. Anyone have a clue? I can paste the code to any source file.

Read the article
How to protect Ubuntu from fork bomb

- by dblang

I heard someone talking about a fork bomb, I did some research and found some dreadful information about some strange looking characters people can have you type at the command line and as a result do bad things on the computer. I certainly would not issue commands I do not understand but one never knows what can happen. I heard that some OS allows the administrator to place some limit on user processes to mitigate the effects of fork bombs, is this protection in Ubuntu by default or would a person with sudo privilege have to set this? If so, how?

Read the article

< Previous Page | 153 154 155 156 157 158 159 160 161 162 163 164 | Next Page >