Search Results

Search found 16593 results on 664 pages for 'adf security deploy'.

Page 164/664 | < Previous Page | 160 161 162 163 164 165 166 167 168 169 170 171 | Next Page >

Where can I find a demonstration of a buffer overflow?

- by boost

Is there a site, or is there a simple way of setting up one, which demonstrates what can happen with a buffer overrun? This is in the context of a web app.

Read the article
How intrusive is using VPN?

- by Slade

My company lets us work from home sometimes using VPN (during weather emergencies and stuff). When logging in a big window comes up that says the network is private and for employees only and that there's no right to privacy while using VPN. It makes sense that they don't want people poking around their network but I wonder if the company can use the connection to look around my computer while I'm connected. I'm not entirely computer-illiterate but I'm not a networks person at all so the technical documents I've found don't help me. Is that possible, and if so to what degree? UPDATE Thanks Mark. The funneling thing is what I was really asking about. Mostly I was worried that I would already have some IM conversation open or log into eBay forgetting that the VPN was open and that my company IT people would see it or that they would log my eBay password. Thanks again. ANOTHER UPDATE What if my son wants to play online poker or Warcraft etcetera while I have VPN on to work? Can my company think I'm the one playing if I am not typing often?

Read the article
What should I do about this user?

- by Tim Brigham

What should I do about this user? The user is: Downloading pornography Attempting unauthorized access Running hacking software Sending unsolicited email Installing software / tampering with the system etc This is intended as a generic answer for employee behavioral problems, a la Can you help me with my software licensing question? I could see where acceptable use issues are a touch out of scope for SF, however it is one of those things most sysadmins will run into. I don't want to keep rewriting similar answers.

Read the article
nginx with fail2ban and mod_security

- by Mahesh

I forgot to update my fail2ban config for nginx. I just moved to nginx from apache. Today, I got a lot of cals from a single IP. IP tried to access login pages with post and get methods IP tried to use nginx as a proxy (GET http:/...) IP searched images, js, css folders IP tried to inject -d url_allow_fopen =1 and something similar. Most of the calls ended with 404. http { limit_req_zone $binary_remote_addr zone=app:10m rate=5r/s; ... server { ... location / { limit_req zone=app burst=50; } I got approximately 50 requests from that ip for a second. So i updated my nginx like the above. Will it avoid too many connections per second now? I have updated my fail2ban jail.local to support nginx. I am confused with the nginx-noscript.conf [Definition] failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi) ignoreregex = I am serving php with nginx. I checked apache's noscript.conf and which has .php extension on it too. I tested this above settings before restarting fail2ban and got thousands of ips matched. I removed php and nothing matched. Do i need .php| in nginx-noscript.conf? Using mod_security and fail2ban together bring any problem? When i was searching today, i came to know mod_security is available for nginx too. So i am planning to use it too.

Read the article
Cannot access an application folder in Program files

- by GiddyUpHorsey

I recently installed Windows 7 Professional 64bit on a new machine. I installed an application using a ClickOnce installer. The application runs fine, but I cannot access the application folder it created in c:\Program files (x86). It bombs with access denied. I try to view the properties on the folder and it takes about 1 minute to display (other folders take 1 second). It says I cannot view any information because I'm not the owner. It doesn't say who the current owner is (instead - Unable to display current owner.) but says I can take ownership. When I try it fails again with Access Denied, even though I have administrative permissions. Why can't I access this folder nor take ownership?

Read the article
Having credit card information on VPS

- by johnlai2004

Is it safe to store credit card information in a database on a VPS? Or is it best to put it on an absolutely under-utilized dedicated server?

Read the article
Member of local Administrators group cannot elevate

- by fixme

Hi We have just installed the first Windows 7 (professional) workstation in our domain. Its primary user has been added to the local (computer's) Administrators group (computername\Administrators). Still, whenever elevation is needed, his credentials are not accepted, and he is never allowed to act as an administrator. For example, he cannot write a file to C:\ (not that he needs to, but it illustrates the problem). Putting him in the domain's Administrators group doesn't help either (anyway we'd rather not do that). I suspect that he may be the victim of some policy that controls elevation, but can't seem to find it. Can anyone shed some light?

Read the article
Protecting a SVN server

- by user35072

For various reasons we are finding it increasingly difficult to work with remote workers. We are a very small developer shop and it's becoming impractical to do manual merges on a daily basis. So we're left with little choice (?) but to consider opening up our SVN servers. I'm looking into the following: Full HTTPS session Running non-80 port Strong password policy Is this enough to prevent someone hacking and stealing data? I will also look into VPN but first would like to understand any alternative solutions.

Read the article
Mitigating the 'firesheep' attack at the network layer?

- by pobk

What are the sysadmin's thoughts on mitigating the 'firesheep' attack for servers they manage? Firesheep is a new firefox extension that allows anyone who installs it to sidejack session it can discover. It does it's discovery by sniffing packets on the network and looking for session cookies from known sites. It is relatively easy to write plugins for the extension to listen for cookies from additional sites. From a systems/network perspective, we've discussed the possibility of encrypting the whole site, but this introduces additional load on servers and screws with site-indexing, assets and general performance. One option we've investigated is to use our firewalls to do SSL Offload, but as I mentioned earlier, this would require all of the site to be encrypted. What's the general thoughts on protecting against this attack vector? I've asked a similar question on StackOverflow, however, it would be interesting to see what the systems engineers thought.

Read the article
Software for defining rules for folder permissions and monitoring deviations

- by Kjensen

Let's say a company has a large number of users, and each user has a home area. On each share used for home area folders, I would like to define some rules saying who is supposed to have which permissions on the folder. Then I would like to audit automatically, that this is actually the case and get some sort of report on deviations. So a rule for \MegaServer\Home01 could be defined something like: Domain Admins - Full Control Backup Agent - Read [Home folder owner] - Full Control I am talking about Windows platform and Windows servers, although I think it would most likely also work for *nix machines that expose Windows shares. Does software like this exist? I could roll my own basic version, but if something already exists, that is usually a better option. I am aware of tools to make displaying permissions easier (AccessEnum, DumpSec), but that is not what I am looking for.

Read the article
Fix Fatal Error Condition showing system path

- by JMC

I've noticed there are a large number of servers running Magento Commerce that will return a fatal error showing the system path: Fatal error: Uncaught exception 'Exception' with message 'File '/usr/local/www/magento/data1702/media/css' does not exists.' in /usr/local/www/magento/data1702/lib/Varien/File/Transfer/Adapter/Http.php:96 Stack trace: #0 /usr/local/www/magento/data1702/get.php(205): Varien_File_Transfer_Adapter_Http->send('/usr/local/www/...') #1 /usr/local/www/magento/data1702/get.php(165): sendFile('/usr/local/www/...') #2 {main} thrown in /usr/local/www/magento/data1702/lib/Varien/File/Transfer/Adapter/Http.php on line 96 Magento as an application is generally good about supressing error messages. How can a linux server running apache be configured to avoid returning this error message since the app has problems suppressing it.

Read the article
Strange ssh login

- by Hikaru

I am running debian server and i have received a strange email warning about ssh login It says, that user mail logged in using ssh from remote address: Environment info: USER=mail SSH_CLIENT=92.46.127.173 40814 22 MAIL=/var/mail/mail HOME=/var/mail SSH_TTY=/dev/pts/7 LOGNAME=mail TERM=xterm PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games LANG=en_US.UTF-8 SHELL=/bin/sh KRB5CCNAME=FILE:/tmp/krb5cc_8 PWD=/var/mail SSH_CONNECTION=92.46.127.173 40814 my-ip-here 22 I looked in /etc/shadow and find out, that password for is not set mail:*:15316:0:99999:7::: I found this lines for login in auth.log n 3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): getting password (0x00000388) Jun 3 02:57:09 gw sshd[2090]: pam_winbind(sshd:auth): pam_get_item returned a password Jun 3 02:57:09 gw sshd[2091]: pam_winbind(sshd:auth): user 'mail' granted access Jun 3 02:57:09 gw sshd[2091]: Accepted password for mail from 92.46.127.173 port 45194 ssh2 Jun 3 02:57:09 gw sshd[2091]: pam_unix(sshd:session): session opened for user mail by (uid=0) Jun 3 02:57:10 gw CRON[2051]: pam_unix(cron:session): session closed for user root and lots of auth failures for this user. There is no lines with COMMAND string for this user. Nothing was found with "rkhunter" and with "ps aux" process inspection, also there is no suspicious connections was found with "netstat" (as I can see) Can anyone tell me how it is possible and what else should be done? Thanks in advance.

Read the article
Pass parameters to a script securely

- by codeholic

What is the best way to pass parameters to a forked script securely? E. g. passing parameters through command line operands is not secure, since someone who has an account on the host can run ps and see them. Unnamed pipe is quite secure, as far as I understand, isn't it? I mean, passing parameters to STDIN of the forked process. What about passing parameters in environment vars? Is it secure? What about passing parameters by other means I didn't mention?

Read the article
How are cached Windows credentials stored on the local machine?

- by MDMarra

How are cached Active Directory domain credentials stored on a Windows client? Are they stored in the local SAM database, thus making them susceptible to the same rainbow table attacks that local user accounts are susceptible to, or are they stored differently? Note, that I do realize that they are salted and hashed, so as not to be stored in plain-text, but are they hashed in the same way as local accounts and are they stored in the same location? I realize that at a minimum they're be susceptible to a brute force attack, but that's a much better situation than being vulnerable to rainbow tables in the event of a stolen machine.

Read the article
My Window's 7 is exposing me and my files I am the only administrator.

- by Connie

I am the only administrator on my Window's 7 Asus x53E series laptop. Why is a standard user able to access my files by just searching my name in the start menu? If I log into guest account and search my name it shows an error that i don't have permission. When i log into my roommate's standard account and go to the start menu I put my name in search and everything I have done or searched is open to them . How can i make my administrator account private

Read the article
How can I restrict the backuppc client user as much as possible? (rsync)

- by jxn

I have backuppc making full backups of servers, but I'd like to be sure that my set up is as paranoid as possible. BackupPC is set up to backup via rsync, and it is set up to use a specific user on each client to be backed up. Because the backuppc client user has to have access to every file on the client machine and the ability to ssh into the machine without an interactive password, I'm a little nervous about securing the clients, and I'd like to know I haven't overlooked any options. Here's what I have in place: in the client user's authorized_keys file, i've included from="IPTOSERVER",command="/usr/bin/rsync" before the user's public key, so that the user can only login coming from the BackupPC server. Next, in the sudoers file, I've added this line: backuppc ALL=NOPASSWD: /usr/bin/rsync to allow root-level permissions only for the rsync command for that user. Are there other user, policy, or ssh restrictions that I can add while still allowing the backup pc client user to rsync all files?

Read the article
Use .htaccess to block *All* access to specific folders.

- by Urda

I am not sure how to do this, but I want to block all access to a specific set of folders on my web server. Say secret01 and secret 02... homeDir |- data |- www | |- .htaccess (file) | |- images | |- js | |- secret01 | |- secret02 | |... |... What rule(s) do I need to add to my root .htaccess file to do this? I want all access from the web blocked from going into these folders, period. Only way one could get to them would be over SFTP or SSH. So what rule am I looking for? I am preferably looking for a one-liner so I can add more folders or move it to another site down the road. I really would prefer if the rule could be placed in the .htaccess root file so I don't have to jump all over the place to lock and unlock folders.

Read the article
File/folder Write/Delete wise, is my server secure?

- by acidzombie24

I wanted to know if someone got access to my server by using a nonroot account, how much damage can he do? After i su someuser I used this command to find all files and folders that are writeable. find / -writable >> list.txt Here is the result. Its most /dev/something and /proc/something and these /var/lock /var/run/mysqld/mysqld.sock /var/tmp /var/lib/php5 Is my system secure? /var/tmp makes sense but i am unsure why this user has write access to those folders. Should i change them? stat /var/lib/php5 gives me 1733 which is odd. Why write access? why no read? is this some kind of weird use of a temp file?

Read the article
How to configure mercurial access controls using apache and hgweb?

- by Gj1

I have set up a mercurial repo to be served using apache+wsgi+hgweb on OS X. It is now completely open to anyone who stumbles upon my server on the correct port number.. How can I set it up so that only people with a username+password pair that I approve can pull and/or push from the repo? I know how to very easily achieve this using ssh, but in this specific case the requirement is that the solution doesn't require defining full fledged user accounts on the machine for each person whom I'd like to give access to the repo.

Read the article
How to open a server port outside of an OpenVPN tunnel with a pf firewall on OSX (BSD)

- by Timbo

I have a Mac mini that I use as a media server running XBMC and serves media from my NAS to my stereo and TV (which has been color calibrated with a Spyder3Express, happy). The Mac runs OSX 10.8.2 and the internet connection is tunneled for general privacy over OpenVPN through Tunnelblick. I believe my anonymous VPN provider pushes "redirect_gateway" to OpenVPN/Tunnelblick because when on it effectively tunnels all non-LAN traffic in- and outbound. As an unwanted side effect that also opens the boxes server ports unprotected to the outside world and bypasses my firewall-router (Netgear SRX5308). I have run nmap from outside the LAN on the VPN IP and the server ports on the mini are clearly visible and connectable. The mini has the following ports open: ssh/22, ARD/5900 and 8080+9090 for the XBMC iOS client Constellation. I also have Synology NAS which apart from LAN file serving over AFP and WebDAV only serves up an OpenVPN/1194 and a PPTP/1732 server. When outside of the LAN I connect to this from my laptop over OpenVPN and over PPTP from my iPhone. I only want to connect through AFP/548 from the mini to the NAS. The border firewall (SRX5308) just works excellently, stable and with a very high throughput when streaming from various VOD services. My connection is a 100/10 with a close to theoretical max throughput. The ruleset is as follows Inbound: PPTP/1723 Allow always to 10.0.0.40 (NAS/VPN server) from a restricted IP range >corresponding to possible cell provider range OpenVPN/1194 Allow always to 10.0.0.40 (NAS/VPN server) from any Outbound: Default outbound policy: Allow Always OpenVPN/1194 TCP Allow always from 10.0.0.40 (NAS) to a.b.8.1-a.b.8.254 (VPN provider) OpenVPN/1194 UDP Allow always to 10.0.0.40 (NAS) to a.b.8.1-a.b.8.254 (VPN provider) Block always from NAS to any On the Mini I have disabled the OSX Application Level Firewall because it throws popups which don't remember my choices from one time to another and that's annoying on a media server. Instead I run Little Snitch which controls outgoing connections nicely on an application level. I have configured the excellent OSX builtin firewall pf (from BSD) as follows pf.conf (Apple App firewall tie-ins removed) (# replaced with % to avoid formatting errors) ### macro name for external interface. eth_if = "en0" vpn_if = "tap0" ### wifi_if = "en1" ### %usb_if = "en3" ext_if = $eth_if LAN="{10.0.0.0/24}" ### General housekeeping rules ### ### Drop all blocked packets silently set block-policy drop ### all incoming traffic on external interface is normalized and fragmented ### packets are reassembled. scrub in on $ext_if all fragment reassemble scrub in on $vpn_if all fragment reassemble scrub out all ### exercise antispoofing on the external interface, but add the local ### loopback interface as an exception, to prevent services utilizing the ### local loop from being blocked accidentally. ### set skip on lo0 antispoof for $ext_if inet antispoof for $vpn_if inet ### spoofing protection for all interfaces block in quick from urpf-failed ############################# block all ### Access to the mini server over ssh/22 and remote desktop/5900 from LAN/en0 only pass in on $eth_if proto tcp from $LAN to any port {22, 5900, 8080, 9090} ### Allow all udp and icmp also, necessary for Constellation. Could be tightened. pass on $eth_if proto {udp, icmp} from $LAN to any ### Allow AFP to 10.0.0.40 (NAS) pass out on $eth_if proto tcp from any to 10.0.0.40 port 548 ### Allow OpenVPN tunnel setup over unprotected link (en0) only to VPN provider IPs ### and port ranges pass on $eth_if proto tcp from any to a.b.8.0/24 port 1194:1201 ### OpenVPN Tunnel rules. All traffic allowed out, only in to ports 4100-4110 ### Outgoing pings ok pass in on $vpn_if proto {tcp, udp} from any to any port 4100:4110 pass out on $vpn_if proto {tcp, udp, icmp} from any to any So what are my goals and what does the above setup achieve? (until you tell me otherwise :) 1) Full LAN access to the above ports on the mini/media server (including through my own VPN server) 2) All internet traffic from the mini/media server is anonymized and tunneled over VPN 3) If OpenVPN/Tunnelblick on the mini drops the connection, nothing is leaked both because of pf and the router outgoing ruleset. It can't even do a DNS lookup through the router. So what do I have to hide with all this? Nothing much really, I just got carried away trying to stop port scans through the VPN tunnel :) In any case this setup works perfectly and it is very stable. The Problem at last! I want to run a minecraft server and I installed that on a separate user account on the mini server (user=mc) to keep things partitioned. I don't want this server accessible through the anonymized VPN tunnel because there are lots more port scans and hacking attempts through that than over my regular IP and I don't trust java in general. So I added the following pf rule on the mini: ### Allow Minecraft public through user mc pass in on $eth_if proto {tcp,udp} from any to any port 24983 user mc pass out on $eth_if proto {tcp, udp} from any to any user mc And these additions on the border firewall: Inbound: Allow always TCP/UDP from any to 10.0.0.40 (NAS) Outbound: Allow always TCP port 80 from 10.0.0.40 to any (needed for online account checkups) This works fine but only when the OpenVPN/Tunnelblick tunnel is down. When up no connection is possbile to the minecraft server from outside of LAN. inside LAN is always OK. Everything else functions as intended. I believe the redirect_gateway push is close to the root of the problem, but I want to keep that specific VPN provider because of the fantastic throughput, price and service. The Solution? How can I open up the minecraft server port outside of the tunnel so it's only available over en0 not the VPN tunnel? Should I a static route? But I don't know which IPs will be connecting...stumbles How secure would to estimate this setup to be and do you have other improvements to share? I've searched extensively in the last few days to no avail...If you've read this far I bet you know the answer :)

Read the article
Returning "200 OK" in Apache on HTTP OPTIONS requests

- by i..

I'm attempting to implement cross-domain HTTP access control without touching any code. I've got my Apache(2) server returning the correct Access Control headers with this block: Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Methods "POST, GET, OPTIONS" I now need to prevent Apache from executing my code when the browser sends a HTTP OPTIONS request (it's stored in the REQUEST_METHOD environment variable), returning 200 OK. How can I configure Apache to respond "200 OK" when the request method is OPTIONS? I've tried this mod_rewrite block, but the Access Control headers are lost. RewriteEngine On RewriteCond %{REQUEST_METHOD} OPTIONS RewriteRule ^(.*)$ $1 [R=200,L]

Read the article
Putting a whole linux server under source control (git)

- by Tobias Hertkorn

I am thinking about putting my whole linux server under version control using git. The reason behind it being that that might be the easiest way to detect malicious modifications/rootkits. All I would naively think is necessary to check the integrity of the system: Mount the linux partition every week or so using a rescue system, check if the git repository is still untempered and then issue a git status to detect any changes made to the system. Apart from the obvious waste in disk space, are there any other negative side-effects? Is it a totally crazy idea? Is it even a secure way to check against rootkits since I most likely would have to at least exclude /dev and /proc ?

Read the article
Is Exchange protected from/allow back dated emails?

- by David

Does Exchange Server adequately protect against backdating items in a mailbox folder? I want to determine from an auditing perspective what level of risk exists/what trust can be put into Exchange database records. Is there a (mis)feature that allows end point users to modify the sent/recieved date fields on their own messages? Is there a reasonable way short of hand editing the files for an Exchange Server admin to make such a change? And most importantly: Is there any kind of "sequence number" that we could use to audit Exchange records for evidence of date manipulation (ex. msg100 = Dec 15, msg101 = Dec 10, msg102 = Dec 16)

Read the article
Unauthorized computer use via keyboard or remote access?

- by brydaverambo

I’m suspecting my computer is being used when I’m not at home. This is happening either physically or remotely. My wireless switch is off. Is there any way possible to detect and/or monitor activity without purchasing software? My settings are being changed as well as passwords (Bios PW was changed and I cannot access Bios settings). I connect via the network cable. Is it possible for someone (in range) to connect to my laptop even if the wireless switch is off? This is a Dell Inspiron 1720 with the WLAN 1395 card. Here’s the kicker. When I try to download freeware for monitoring activity, I am not allowed to do this! ????

Read the article
What and how strong is 128bit RC4? [closed]

- by al nik

I notice that services like Gmail use RC4 128 bit as encryption. What is RC4 encryption and how does it work? Is 128-bit RC4 considered strong encryption?

Read the article

< Previous Page | 160 161 162 163 164 165 166 167 168 169 170 171 | Next Page >