Everything posted by ionut97
-
"I hate RELIGION, but I love JESUS". "What if I told you that Jesus came to abolish religion? (...) If religion is so good, why has it started so many wars? Why does it build huge churches but not feed the poor?" "Let me be clear: I love the church, I love the Bible and yes, I believe in sin. But if Jesus came to their church, would they welcome him?"
-
http://www.youtube.com/watch?feature=player_embedded&v=_x-opM1LdYE#!

Securing your organization's network can seem like a monumental challenge but it doesn't have to be. The best place to start is with complete visibility of what's on your network to know each time a new device attempts to connect. Without this visibility and the knowledge of what's connected, the network is not secure. While securing the network can mean different things to different organizations, a logical place to start is by locking down network access to allow only known, authorized devices to connect.

Locking down your network is an important first step toward improving your organization's security to protect IT resources and critical information. And, being able to automate this entire process is a necessity in order to reduce the burden on your IT and Security staff. Bradford's Network Sentry family delivers the visibility, identity, control, and monitoring capabilities you need to lock down your network today, with a flexible platform that allows you to deploy more advanced security functions when needed.

Source: Lock Down Your Network
-
With all the threats that Internet access can present to your users and your data, web security software is one of the most valuable investments you can make in your information security. Any solution should offer the following key protections:

1. Site blocking
2. Antivirus
3. Reporting and logging

GFI WebMonitor offers all that and more. GFI WebMonitor Unified Security includes both the web filtering and anti-malware capabilities, and can be installed as a standalone server or as an add-on to ISA or TMG. This web security suite can be installed on its own server or as a plug-in for TMG, and GFI offers a free 30-day-trial so you can evaluate it risk-free.

Installation:

The installer for the TMG plug-in is straightforward and only requires a service restart, not a reboot. During the installation, you can choose to enable the optional HTTPS traffic inspection, which functions by dynamically creating certificates and acting as a kind of Man-in-the-Middle to HTTPS sessions. If you have Active Directory you can install the root certificate to the domain, so you can perform HTTPS inspection without having to touch user workstations. If TMG is the default gateway in your office, there is nothing else to do to start protecting users. If not, or if you are going to use the standalone version, you can use a Group Policy Object to configure client browsers to use GFI WebMonitor as their web proxy.

GFI WebMonitor installs with antivirus protections enabled, but website filtering disabled. The net result is that you get protection against malware automatically, but don’t block any websites until you opt in for that protection. This keeps the potential for business disruption to a minimum, which is very important when first implementing any web security solution.

Content filtering:

Implementing content filtering is straightforward. There are several out-of-the-box categories for websites to block based on topics like adult content, hacking sites, etc. In addition to the category lists, GFI has a database of sites based on reputation which is updated like a/v definitions. Sites that were safe yesterday but got hacked last night can be blocked today, protecting users from hacks before the hacked site even knows they have a problem. And you can customize your controls exactly the way you want through both white and black lists.

More on antivirus:

The antivirus capabilities of GFI WebMonitor include multiple engines for scanning, as well as the ability to block/permit downloads by file type. If you use one antivirus product on your workstations, using two others in WebMonitor covers all your bases. GFI WebMonitor is able to scan not only regular file downloads, but also the “hidden” file downloads that many websites use to deliver media content or plug-ins.

Bandwidth Policies:

A great feature of GFI WebMonitor is Bandwidth Policies. Instead of completely blocking access to streaming media, you can control how much bandwidth streaming consumes. That way, users can visit YouTube for a how-to video or a vendor’s website for training content, without consuming so much bandwidth that your corporate website or email system is impacted.

Logging and reporting:

GFI WebMonitor also provides rich logging and reporting. You can run queries, generate scheduled or on-demand reports, and choose whether to anonymize usernames or not. This enables you to look at activity without violating users’ privacy, but also investigate completely when the situation calls for it.

Overall, GFI WebMonitor is a very strong part of any defense in depth strategy. It is easy to install, easy to configure, and provides great protection for users.

Source: http://thehackernews.com/2012/05/gfi-webmonitor-web-monitoring-and.html
-
Stack Buffer Overflow Demonstration
ionut97 replied to ionut97's topic in Reverse engineering & exploit development
Thank you! I'll make the exploit soon too. I have a few problems with it, but I hope to solve them quickly. After that I'll try to find a BOF in a real-world application as well (not necessarily a 0day).
-
Hello, I want to show you a video I made (as a beginner) about stack buffer overflow. The original tutorial was here. The tutorial only has pictures and is explained rather briefly. So I made a video version of the tutorial that is also more beginner-friendly. I figured I'd give it a try too. Excuse the spelling mistakes and the language, I made it quickly. Download: Here. I'll also do the shellcode/exploit part soon.
-
Ever been told that you should fully discharge your battery to prolong its life? Or that jailbreaking your phone is illegal? Or that you should wait for the newest Intel processor because it's going to be "so much faster"? These are tech myths we hear all the time, and likely spread to our friends—but most are just a waste of your time (and in some cases, they can actually harm your gadgets). Here are some of the worst offenders.

10. Better Hardware Specs = Better Gadgets

If you're waiting to upgrade your gear until the next big processor comes out, or until the latest Android phone with even more RAM appears, you're probably wasting your time. These days, most hardware specs don't even matter that much. Processors have more power than most users will ever need, and phones come out so often that by the time your dream phone comes out, another one will have already been announced. There are exceptions to these rules, of course—both for computers and smartphones—but in general, stop crying over your current device and just upgrade. You'll be a lot happier once you do.

9. Lossless Music Sounds Better than MP3

While bitrate can make a difference in your music, there's a pretty big misconception that as long as you have a good ear, you can hear the difference between lossless files and MP3. It takes a lot more than just careful listening—you'd need a very fine-tuned ear, some really high-end speakers, and a specific type of music, like classical or jazz. Don't believe me? Take an ABX test with your own music files and find out for yourself. You may be surprised at the results. Of course, that doesn't mean you should junk all those FLAC files—they're still ideal if you want to convert that music to a new format later on.

8. Android Task Killers Are Necessary for Good Performance

Not only have we Android users perpetuated this myth, but lots of hardware manufacturers and cellphone carriers will recommend you use a task killer to lengthen your battery life and speed up your phone. Not only will they do nothing for your battery life, but most are designed to solve problems that don't actually exist (like running out of RAM). If you experience performance boosts with a task killer, it's because you're killing a task that's either gone awry (in which case you're better off just rebooting your phone) or because you've downloaded a poorly written app (in which case you should uninstall it). Task killers can cause other problems with your phones, and you shouldn't use them unless you're using a very, very old phone with very, very outdated software. Check out our explainer on task killers to learn more, and if you want to speed up your phone, check out these other tried and true methods instead.

7. Jailbreaking Your Phone Is Illegal

While jailbreaking your phone will definitely void your warranty, people have been going around saying it's actually illegal to do—which is 100% false. The Copyright office has officially said that jailbreaking is completely legal to do with a device you own, as long as you aren't using it to pirate apps, of course. That said, there are a lot of ways you're probably breaking the law without knowing it, so read up on those if you're curious. But if you were holding back on jailbreaking your phone, now would be a great time to check out all its awesome, legal benefits.

6. Mac Users Don't Need to Worry About Malware

Mac users have often touted their computers as "more secure" than Windows PCs, which is a very hotly-contested issue—some say OS X's UNIX underpinnings make it inherently more secure, while others claim it's only because the Mac isn't a big target for viruses. Either way, it's important to note that while viruses aren't as widespread as they are on Windows, Macs are far from immune—in fact, we've already seen a few instances of real Mac malware. Don't let your choice of OS obscure the fact that safe browsing and common sense are the best protection against viruses and other malware. After all, just because that email virus didn't infect you doesn't mean you didn't pass it on to your other Windows-using friends.

5. You Should Buy an Extended Warranty for New Gadgets

No matter how careful you are, we've all broken at least one gadget in our lives—and it may have tempted you to buy an extended warranty the next time. However, extended warranties aren't all they're cracked up to be. Sometimes they only cover half the things that could go wrong, or sometimes the chances of your device failing are just plain slim. Instead, you're better off setting up an extended warranty fund for yourself—as long as you aren't really clumsy, you'll probably come out ahead in the end.

4. You Should Fully Discharge Your Laptop Battery Every Time

Battery life is always at a premium these days, and you've probably heard a whole host of tricks for keeping your battery in tip top shape. This particular myth—that you should fully discharge your battery every time you use it—is left over from old nickel cadmium batteries that suffer from a memory effect no longer present in modern lithium batteries. Today's batteries take less maintenance, but there are still some good ways you can prolong its lifespan, so check out our guide to battery care for more info.

3. Password-Protected Wi-Fi Networks Are Safe from Hackers

So you've heard about how important security is on public Wi-Fi networks, but a lot of people are still misinformed about what really constitutes a public network. Just because your network's protected with a password doesn't mean it's secure. In the case of home networks, it means it's secure from outside hackers, but if you head to a coffee shop or hotel, that network is still public. Anyone with a password can still connect to the network (like other coffee shop patrons) and potentially sniff your traffic. So, unless you're at home, always protect yourself when connected to Wi-Fi—you never know who else is connected.

2. PeerBlock will Keep You Safe and ********* on BitTorrent

A lot of BitTorrent users are looking to cover their tracks these days, and most are doing so by enabling encryption and using something like PeerBlock to keep unwanted eyes from watching their downloads. However, this does not make you ********* in any way—encryption only keeps your ISP from throttling you, and PeerBlock is not even close to being foolproof. If you really want to stay *********, you have to use a VPN or a proxy service like BTGuard. You can also use a private tracker, which offers other benefits as well, but still isn't quite as secure as other methods.

1. [insert Tweak Here] Will Speed Up Your Computer

These are some of the worst myths out there. Everyone's always looking for a quick, free way to drastically increase their computer's speed, and a lot of them are loads of baloney. At best, they'll do nothing, and at worst, they can actually degrade performance. We've talked about a ton of them before, so brush up on your myths before you go trying to speed up your PC. If you really want some speed boosts, upgrade your hardware, or at least make sure you're performing regular maintenance. With proper care, you should never need to do a clean install of Windows again.

Source: http://lifehacker.com/5911623/top-10-pervasive-tech-myths-that-are-only-wasting-your-time?utm_campaign=socialflow_lifehacker_facebook&utm_source=lifehacker_facebook&utm_medium=socialflow
-
A new version of the Windows 8 operating system could shut out browsers such as Firefox and Chrome, according to Mozilla. Microsoft has been saying all along that x86 apps wouldn't run on Windows on ARM and it explicitly said there would be no third-party code on Windows RT when it announced the details of the platform back in February. That's no plugins for IE on the Windows RT desktop as well as no desktop Firefox and Chrome.

According to Mozilla, the makers of Firefox, Microsoft is planning to allow only one fully-functioning browser on Windows RT: Microsoft's own Internet Explorer. Writing on the Mozilla blog, Harvey Anderson, general counsel for the company, lashed out at Microsoft for the slight, and called the alleged move "an unwelcome return to the digital dark ages where users and developers didn’t have browser choices."

Why is Mozilla focused on Microsoft? Anderson's answer: Microsoft is a different beast. "The difference here is that Microsoft is using its Windows monopoly power in the OS market to exclude competition in the browser market," Anderson said, possibly referring to Microsoft's dominance of the entire operating system space, not only mobile.

The fully featured version of Firefox will be allowed to run on Intel-based Windows 8 tablets. It's only Windows RT where there will be a problem. Microsoft also declined to comment on Mozilla's accusations.

Source: http://thehackernews.com/2012/05/windows-8-operating-system-will-ban.html
-
I think the gasoline that guy poured on them is more expensive than the potatoes they stole. But "Oh no, just for some potatoes" sells better. That's what the mass media people always do. Maybe they did other things, the potato theft among them.
-
It seems Americans like to exploit only other people's countries without touching their own. The U.S.A. holds 8 times more oil than Saudi Arabia
-
What do you think of education in Romania? I'm not asking because I have nothing better to do, but because something "that isn't nice" recently happened at my school. You can read here what it is about. The attacker was a classmate of mine and, to top it off, the victim was the older brother of a classmate who was good friends with the attacker.

The reason was not serious, but the attacker could not really control himself when it came to trifles and "happened" to have a pocket knife on him, which of course he also had in class. He struck the arm because, as he said, he missed the heart. There have been other incidents at the school, but not as serious. Also with this student and a few classmates, with the police intervening in some of them, but absolutely no measures were taken and now this has happened.

Most of those I know think that if they just get into a high school and crawl through without really learning, they will automatically get a job and only good things will come their way. They think like this: Cheat --> Get into high school --> Graduate with a 5 --> Get a job (I have high school, after all) --> Die happy. And there are a great many dreamers and many who even believe they are "smart" because of the grading system, and that is very serious. They have that illusion of knowledge. And there are also those who don't know what they will do (or don't want to know), those who are indifferent or who simply refuse to think about it until they run into the truth. 90% of Romanian children are like this. What do we do?
-
The Internet Kill Switch; With Global Wiretapping Capability
ionut97 replied to begood's topic in Stiri securitate
The Killswitch : They can remotely modify your Window 8 | The Hacker News
They've put it in Windows 8 too.
-
Introductory Intel X86: Architecture, Assembly, Applications
http://www.securitytube.net/video/3907
http://www.securitytube.net/video/3908
http://www.securitytube.net/video/3909
http://www.securitytube.net/video/3910
http://www.securitytube.net/video/3911
http://www.securitytube.net/video/3912
http://www.securitytube.net/video/3913
http://www.securitytube.net/video/3914
http://www.securitytube.net/video/3915
http://www.securitytube.net/video/3916
http://www.securitytube.net/video/3917
-
Reverse Engineering Malware Part 1
Author: Arunpreet Singh
Blog: https://reverse2learn.wordpress.com
PDF: http://www.exploit-db.com/wp-content/themes/exploit/docs/18810.pdf
-
iptables is the user-space tool for configuring firewall rules in the Linux kernel. It is actually a part of the larger netfilter framework. Perhaps because iptables is the most visible part of the netfilter framework, the framework is commonly referred to collectively as iptables. iptables has been the Linux firewall solution since the 2.4 kernel.

ipset is an extension to iptables that allows you to create firewall rules that match entire "sets" of addresses at once. Unlike normal iptables chains, which are stored and traversed linearly, IP sets are stored in indexed data structures, making lookups very efficient, even when dealing with large sets. Besides the obvious situations where you might imagine this would be useful, such as blocking long lists of "bad" hosts without worry of killing system resources or causing network congestion, IP sets also open up new ways of approaching certain aspects of firewall design and simplify many configuration scenarios.

In this article, after quickly discussing ipset's installation requirements, I spend a bit of time on iptables' core fundamentals and concepts. Then, I cover ipset usage and syntax and show how it integrates with iptables to accomplish various configurations. Finally, I provide some detailed and fairly advanced real-world examples of how ipsets can be used to solve all sorts of problems.

With significant performance gains and powerful extra features—like the ability to apply single firewall rules to entire groups of hosts and networks at once—ipset may be iptables' perfect match. Because ipset is just an extension to iptables, this article is as much about iptables as it is about ipset, although the focus is those features relevant to understanding and using ipset.

Getting ipset

ipset is a simple package option in many distributions, and since plenty of other installation resources are available, I don't spend a whole lot of time on that here.
The important thing to understand is that like iptables, ipset consists of both a user-space tool and a kernel module, so you need both for it to work properly. You also need an "ipset-aware" iptables binary to be able to add rules that match against sets.

Start by simply doing a search for "ipset" in your distribution's package management tool. There is a good chance you'll be able to find an easy procedure to install ipset in a turn-key way. In Ubuntu (and probably Debian), install the ipset and xtables-addons-source packages. Then, run module-assistant auto-install xtables-addons, and ipset is ready to go in less than 30 seconds.

If your distro doesn't have built-in support, follow the manual installation procedure listed on the ipset home page (see Resources) to build from source and patch your kernel and iptables.

The versions used in this article are ipset v4.3 and iptables v1.4.9.

iptables Overview

In a nutshell, an iptables firewall configuration consists of a set of built-in "chains" (grouped into four "tables") that each comprise a list of "rules". For every packet, and at each stage of processing, the kernel consults the appropriate chain to determine the fate of the packet. Chains are consulted in order, based on the "direction" of the packet (remote-to-local, remote-to-remote or local-to-remote) and its current "stage" of processing (before or after "routing"). See Figure 1.

Figure 1. iptables Built-in Chains Traversal Order

When consulting a chain, the packet is compared to each and every one of the chain's rules, in order, until it matches a rule. Once the first match is found, the action specified in the rule's target is taken. If the end of the chain is reached without finding a match, the action of the chain's default target, or policy, is taken.

A chain is nothing more than an ordered list of rules, and a rule is nothing more than a match/target combination. A simple example of a match is "TCP destination port 80".
A simple example of a target is "accept the packet". Targets also can redirect to other user-defined chains, which provide a mechanism for the grouping and subdividing of rules, and cascading through multiple matches and chains to arrive finally at an action to be taken on the packet.

Every iptables command for defining rules, from the very short to the very long, is composed of three basic parts that specify the table/chain (and order), the match and the target (Figure 2).

Figure 2. Anatomy of an iptables Command

To configure all these options and create a complete firewall configuration, you run a series of iptables commands in a specific order. iptables is incredibly powerful and extensible. Besides its many built-in features, iptables also provides an API for custom "match extensions" (modules for classifying packets) and "target extensions" (modules for what actions to take when packets match).

Enter ipset

ipset is a "match extension" for iptables. To use it, you create and populate uniquely named "sets" using the ipset command-line tool, and then separately reference those sets in the match specification of one or more iptables rules. A set is simply a list of addresses stored efficiently for fast lookup.

Take the following normal iptables commands that would block inbound traffic from 1.1.1.1 and 2.2.2.2:

    iptables -A INPUT -s 1.1.1.1 -j DROP
    iptables -A INPUT -s 2.2.2.2 -j DROP

The match specification syntax -s 1.1.1.1 above means "match packets whose source address is 1.1.1.1". To block both 1.1.1.1 and 2.2.2.2, two separate iptables rules with two separate match specifications (one for 1.1.1.1 and one for 2.2.2.2) are defined above.

Alternatively, the following ipset/iptables commands achieve the same result:

    ipset -N myset iphash
    ipset -A myset 1.1.1.1
    ipset -A myset 2.2.2.2
    iptables -A INPUT -m set --set myset src -j DROP

The ipset commands above create a new set (myset of type iphash) with two addresses (1.1.1.1 and 2.2.2.2).
The iptables command then references the set with the match specification -m set --set myset src, which means "match packets whose source header matches (that is, is contained within) the set named myset". The flag src means match on "source". The flag dst would match on "destination", and the flag src,dst would match on both source and destination.

In the second version above, only one iptables command is required, regardless of how many additional IP addresses are contained within the set. Although this example uses only two addresses, you could just as easily define 1,000 addresses, and the ipset-based config still would require only a single iptables rule, while the previous approach, without the benefit of ipset, would require 1,000 iptables rules.

Set Types

Each set is of a specific type, which defines what kind of values can be stored in it (IP addresses, networks, ports and so on) as well as how packets are matched (that is, what part of the packet should be checked and how it's compared to the set). Besides the most common set types, which check the IP address, additional set types are available that check the port, the IP address and port together, MAC address and IP address together and so on.

Each set type has its own rules for the type, range and distribution of values it can contain. Different set types also use different types of indexes and are optimized for different scenarios. The best/most efficient set type depends on the situation.

The most flexible set types are iphash, which stores lists of arbitrary IP addresses, and nethash, which stores lists of arbitrary networks (IP/mask) of varied sizes. Refer to the ipset man page for a listing and description of all the set types (there are 11 in total at the time of this writing).

The special set type setlist also is available, which allows grouping several sets together into one. This is required if you want to have a single set that contains both single IP addresses and networks, for example.

Advantages of ipset

Besides the performance gains, ipset also allows for more straightforward configurations in many scenarios.

If you want to define a firewall condition that would match everything but packets from 1.1.1.1 or 2.2.2.2 and continue processing in mychain, notice that the following does not work:

    iptables -A INPUT -s ! 1.1.1.1 -g mychain
    iptables -A INPUT -s ! 2.2.2.2 -g mychain

If a packet came in from 1.1.1.1, it would not match the first rule (because the source address is 1.1.1.1), but it would match the second rule (because the source address is not 2.2.2.2). If a packet came in from 2.2.2.2, it would match the first rule (because the source address is not 1.1.1.1). The rules cancel each other out—all packets will match, including 1.1.1.1 and 2.2.2.2.

Although there are other ways to construct the rules properly and achieve the desired result without ipset, none are as intuitive or straightforward:

    ipset -N myset iphash
    ipset -A myset 1.1.1.1
    ipset -A myset 2.2.2.2
    iptables -A INPUT -m set ! --set myset src -g mychain

In the above, if a packet came in from 1.1.1.1, it would not match the rule (because the source address 1.1.1.1 does match the set myset). If a packet came in from 2.2.2.2, it would not match the rule (because the source address 2.2.2.2 does match the set myset).

Although this is a simplistic example, it illustrates the fundamental benefit associated with fitting a complete condition in a single rule. In many ways, separate iptables rules are autonomous from each other, and it's not always straightforward, intuitive or optimal to get separate rules to coalesce into a single logical condition, especially when it involves mixing normal and inverted tests. ipset just makes life easier in these situations.

Another benefit of ipset is that sets can be manipulated independently of active iptables rules. Adding/changing/removing entries is a trivial matter because the information is simple and order is irrelevant.
Editing a flat list doesn't require a whole lot of thought. In iptables, on the other hand, besides the fact that each rule is a significantly more complex object, the order of rules is of fundamental importance, so in-place rule modifications are much heavier and potentially error-prone operations.

Excluding WAN, VPN and Other Routed Networks from the NAT—the Right Way

Outbound NAT (SNAT or IP masquerade) allows hosts within a private LAN to access the Internet. An appropriate iptables NAT rule matches Internet-bound packets originating from the private LAN and replaces the source address with the address of the gateway itself (making the gateway appear to be the source host and hiding the private "real" hosts behind it).

NAT automatically tracks the active connections so it can forward return packets back to the correct internal host (by changing the destination from the address of the gateway back to the address of the original internal host).

Here is an example of a simple outbound NAT rule that does this, where 10.0.0.0/24 is the internal LAN:

    iptables -t nat -A POSTROUTING \
             -s 10.0.0.0/24 -j MASQUERADE

This rule matches all packets coming from the internal LAN and masquerades them (that is, it applies "NAT" processing). This might be sufficient if the only route is to the Internet, where all through traffic is Internet traffic. If, however, there are routes to other private networks, such as with VPN or physical WAN links, you probably don't want that traffic masqueraded.

One simple way (partially) to overcome this limitation is to base the NAT rule on physical interfaces instead of network numbers (this is one of the most popular NAT rules given in on-line examples and tutorials):

    iptables -t nat -A POSTROUTING \
             -o eth0 -j MASQUERADE

This rule assumes that eth0 is the external interface and matches all packets that leave on it.
Unlike the previous rule, packets bound for other networks that route out through different interfaces won't match this rule (like with OpenVPN links).

Although many network connections may route through separate interfaces, it is not safe to assume that all will. A good example is KAME-based IPsec VPN connections (such as Openswan) that don't use virtual interfaces like other user-space VPNs (such as OpenVPN).

Another situation where the above interface match technique wouldn't work is if the outward facing ("external") interface is connected to an intermediate network with routes to other private networks in addition to a route to the Internet. It is entirely plausible for there to be routes to private networks that are several hops away and on the same path as the route to the Internet.

Designing firewall rules that rely on matching of physical interfaces can place artificial limits and dependencies on network topology, which makes a strong case for it to be avoided if it's not actually necessary.

As it turns out, this is another great application for ipset. Let's say that besides acting as the Internet gateway for the local private LAN (10.0.0.0/24), your box routes directly to four other private networks (10.30.30.0/24, 10.40.40.0/24, 192.168.4.0/23 and 172.22.0.0/22). Run the following commands:

    ipset -N routed_nets nethash
    ipset -A routed_nets 10.30.30.0/24
    ipset -A routed_nets 10.40.40.0/24
    ipset -A routed_nets 192.168.4.0/23
    ipset -A routed_nets 172.22.0.0/22
    iptables -t nat -A POSTROUTING \
             -s 10.0.0.0/24 \
             -m set ! --set routed_nets dst \
             -j MASQUERADE

As you can see, ipset makes it easy to zero in on exactly what you want matched and what you don't. This rule would masquerade all traffic passing through the box from your internal LAN (10.0.0.0/24) except those packets bound for any of the networks in your routed_nets set, preserving normal direct IP routing to those networks.
Because this configuration is based purely on network addresses, you don't have to worry about the types of connections in place (type of VPNs, number of hops and so on), nor do you have to worry about physical interfaces and topologies.

This is how it should be. Because this is a pure layer-3 (network layer) implementation, the underlying classifications required to achieve it should be pure layer-3 as well.

Limiting Certain PCs to Have Access Only to Certain Public Hosts

Let's say the boss is concerned about certain employees playing on the Internet instead of working and asks you to limit their PCs' access to a specific set of sites they need to be able to get to for their work, but he doesn't want this to affect all PCs (such as his).

To limit three PCs (10.0.0.5, 10.0.0.6 and 10.0.0.7) to have outside access only to worksite1.com, worksite2.com and worksite3.com, run the following commands:

    ipset -N limited_hosts iphash
    ipset -A limited_hosts 10.0.0.5
    ipset -A limited_hosts 10.0.0.6
    ipset -A limited_hosts 10.0.0.7
    ipset -N allowed_sites iphash
    ipset -A allowed_sites worksite1.com
    ipset -A allowed_sites worksite2.com
    ipset -A allowed_sites worksite3.com
    iptables -I FORWARD \
             -m set --set limited_hosts src \
             -m set ! --set allowed_sites dst \
             -j DROP

This example matches against two sets in a single rule. If the source matches limited_hosts and the destination does not match allowed_sites, the packet is dropped (because limited_hosts are allowed to communicate only with allowed_sites).

Note that because this rule is in the FORWARD chain, it won't affect communication to and from the firewall itself, nor will it affect internal traffic (because that traffic wouldn't even involve the firewall).

Blocking Access to Hosts for All but Certain PCs (Inverse Scenario)

Let's say the boss wants to block access to a set of sites across all hosts on the LAN except his PC and his assistant's PC.
For variety, in this example, let's match the boss and assistant PCs by MAC address instead of IP. Let's say the MACs are 11:11:11:11:11:11 and 22:22:22:22:22:22, and the sites to be blocked for everyone else are badsite1.com, badsite2.com and badsite3.com. In lieu of using a second ipset to match the MACs, let's utilize multiple iptables commands with the MARK target to mark packets for processing in subsequent rules in the same chain:

    ipset -N blocked_sites iphash
    ipset -A blocked_sites badsite1.com
    ipset -A blocked_sites badsite2.com
    ipset -A blocked_sites badsite3.com
    iptables -I FORWARD -m mark --mark 0x187 -j DROP
    iptables -I FORWARD \
             -m mark --mark 0x187 \
             -m mac --mac-source 11:11:11:11:11:11 \
             -j MARK --set-mark 0x0
    iptables -I FORWARD \
             -m mark --mark 0x187 \
             -m mac --mac-source 22:22:22:22:22:22 \
             -j MARK --set-mark 0x0
    iptables -I FORWARD \
             -m set --set blocked_sites dst \
             -j MARK --set-mark 0x187

As you can see, because you're not using ipset to do all the matching work as in the previous example, the commands are quite a bit more involved and complex. Because there are multiple iptables commands, it's necessary to recognize that their order is vitally important.

Notice that these rules are being added with the -I option (insert) instead of -A (append). When a rule is inserted, it is added to the top of the chain, pushing all the existing rules down. Because each of these rules is being inserted, the effective order is reversed, because as each rule is added, it is inserted above the previous one.

The last iptables command above actually becomes the first rule in the FORWARD chain. This rule matches all packets with a destination matching the blocked_sites ipset, and then marks those packets with 0x187 (an arbitrarily chosen hex number). The next two rules match only packets from the hosts to be excluded and that are already marked with 0x187. These two rules then set the marks on those packets to 0x0, which "clears" the 0x187 mark.
Finally, the last iptables rule (which is represented by the first iptables command above) drops all packets with the 0x187 mark. This should match all packets with destinations in the blocked_sites set except those packets coming from either of the excluded MACs, because the mark on those packets is cleared before the DROP rule is reached.

This is just one way to approach the problem. Other than using a second ipset, another way would be to utilize user-defined chains. If you wanted to use a second ipset instead of the mark technique, you wouldn't be able to achieve the exact outcome as above, because ipset does not have a machash set type. There is a macipmap set type, however, but this requires matching on IP and MACs together, not on MAC alone as above.

Cautionary note: in most practical cases, this solution would not actually work for Web sites, because many of the hosts that might be candidates for the blocked_sites set (like Facebook, MySpace and so on) may have multiple IP addresses, and those IPs may change frequently. A general limitation of iptables/ipset is that hostnames should be specified only if they resolve to a single IP. Also, hostname lookups happen only at the time the command is run, so if the IP address changes, the firewall rule will not be aware of the change and still will reference the old IP. For this reason, a better way to accomplish these types of Web access policies is with an HTTP proxy solution, such as Squid. That topic is obviously beyond the scope of this article.

Automatically Ban Hosts That Attempt to Access Invalid Services

ipset also provides a "target extension" to iptables that provides a mechanism for dynamically adding and removing set entries based on any iptables rule. Instead of having to add entries manually with the ipset command, you can have iptables add them for you on the fly. For example, if a remote host tries to connect to port 25, but you aren't running an SMTP server, it probably is up to no good.
To deny that host the opportunity to try anything else proactively, use the following rules:

    ipset -N banned_hosts iphash
    iptables -A INPUT \
             -p tcp --dport 25 \
             -j SET --add-set banned_hosts src
    iptables -A INPUT \
             -m set --set banned_hosts src \
             -j DROP

If a packet arrives on port 25, say with source address 1.1.1.1, it instantly is added to banned_hosts, just as if this command were run:

    ipset -A banned_hosts 1.1.1.1

All traffic from 1.1.1.1 is blocked from that moment forward because of the DROP rule. Note that this also will ban hosts that try to run a port scan unless they somehow know to avoid port 25.

Clearing the Running Config

If you want to clear the ipset and iptables config (sets, rules, entries) and reset to a fresh open firewall state (useful at the top of a firewall script), run the following commands:

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t filter -F
    iptables -t raw -F
    iptables -t nat -F
    iptables -t mangle -F
    ipset -F
    ipset -X

Sets that are "in use", which means referenced by one or more iptables rules, cannot be destroyed (with ipset -X). So, in order to ensure a complete "reset" from any state, the iptables chains have to be flushed first (as illustrated above).

Conclusion

ipset adds many useful features and capabilities to the already very powerful netfilter/iptables suite. As described in this article, ipset not only provides new firewall configuration possibilities, but it also simplifies many setups that are difficult, awkward or less efficient to construct with iptables alone. Any time you want to apply firewall rules to groups of hosts or addresses at once, you should be using ipset. As I showed in a few examples, you also can combine ipset with some of the more exotic iptables features, such as packet marking, to accomplish all sorts of designs and network policies. The next time you're working on your firewall setup, consider adding ipset to the mix.
I think you will be surprised at just how useful and flexible it can be.

Resources

Netfilter/iptables Project Home Page: netfilter/iptables project homepage - The netfilter.org project
ipset Home Page: IP sets

Source: Advanced Firewall Configurations with ipset | Linux Journal
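The -I versus -A ordering point in the MARK example above can be checked with a toy model of the FORWARD chain. This is an added illustration, not code from the article or from netfilter; the two blocked addresses are constructed stand-ins for the blocked_sites set, and an ACCEPT chain policy is assumed.

```python
# Toy model of one iptables chain (added illustration, not netfilter itself).
BLOCKED_SITES = {"203.0.113.10", "203.0.113.11"}  # constructed stand-ins for blocked_sites
EXEMPT_MACS = ["11:11:11:11:11:11", "22:22:22:22:22:22"]  # the two MACs from the post
MARK = 0x187

def drop_rule():
    return {"match": lambda p: p["mark"] == MARK, "target": "DROP"}

def clear_rule(mac):
    return {"match": lambda p: p["mark"] == MARK and p["mac"] == mac,
            "target": "MARK", "value": 0x0}

def mark_rule():
    return {"match": lambda p: p["dst"] in BLOCKED_SITES,
            "target": "MARK", "value": MARK}

def commands():
    """The four rules in the order the iptables commands are typed in the post."""
    return [drop_rule()] + [clear_rule(m) for m in EXEMPT_MACS] + [mark_rule()]

def build_chain(insert):
    chain = []
    for rule in commands():
        if insert:
            chain.insert(0, rule)  # -I: each new rule lands at the top of the chain
        else:
            chain.append(rule)     # -A: each new rule lands at the bottom
    return chain

def verdict(chain, mac, dst):
    packet = {"mac": mac, "dst": dst, "mark": 0x0}
    for rule in chain:
        if not rule["match"](packet):
            continue
        if rule["target"] == "MARK":  # MARK is non-terminating: traversal continues
            packet["mark"] = rule["value"]
        else:                         # DROP ends traversal
            return "DROP"
    return "ACCEPT"                   # assumed chain policy

if __name__ == "__main__":
    for insert in (True, False):
        chain = build_chain(insert)
        flag = "-I" if insert else "-A"
        print(flag, verdict(chain, "33:33:33:33:33:33", "203.0.113.10"))
```

With -A and the same command order, the DROP rule is evaluated before any packet has been marked, so nothing is ever dropped.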
-
"I'm confident that any version of Ubuntu released in the last five years will have absolutely no problem beating [Windows 8]," said Slashdot blogger Barbara Hudson. Of course, "after the success of Windows 7, this is Microsoft snatching defeat from the jaws of victory," she added. "What's the logic? Did Steve Ballmer secretly invest a fortune in Apple stock or something? Off his meds? Run out of chairs?"

Well there's a new kid in town here in the Linux blogosphere, and it's already caused quite a stir. It's one of the Ubuntu clan, as its nickname makes clear, but that's as far as the foolin' goes. With five years of support and a scaly, tough hide, this one's here to stay. With time on its side and its eye on the prize, it may just blaze a new trail. Can freedom take hold in a world that's been dominated for so long? That's the new hope among the Pangolin-watching throngs.

'Canonical Has Succeeded'

"Literally every review of Precise I've read has been positive, and that's in spite of the fact that it's still got Unity in it," began Google (Nasdaq: GOOG) + blogger Linux Rants down at the Linux blogosphere's seedy Broken Windows Lounge.

"I've always been kind of a one-off in that I've always kind of liked Unity, but it sounds like Precise has brought a lot of people around to that way of thinking," Linux Rants added. "In fact, the reviews have been significantly more positive for Precise than they've been for Windows 8.

"Having tried them both, Windows 8 feels like a Frankenstein's monster of an OS compared to the fluid beauty of Precise," he opined. "It's obvious that Microsoft's (Nasdaq: MSFT) intent is to make Windows applicable across form factors, but Canonical has succeeded with Precise in a way Microsoft only dreamed about with Windows 8."

'What's the Logic?'
Similarly, "having tried the latest Windows 8 consumer preview, I'm confident that any version of Ubuntu released in the last five years will have absolutely no problem beating it," agreed Barbara Hudson, a blogger on Slashdot who goes by "Tom" on the site.

Of course, "after the success of Windows 7, this is Microsoft snatching defeat from the jaws of victory," Hudson added. "What's the logic? Did Steve Ballmer secretly invest a fortune in Apple (Nasdaq: AAPL) stock or something? Off his meds? Run out of chairs?"

In any case, "one thing is for sure: Windows 8 will cause more disunity in the Windows camp than Unity ever did in the Ubuntu camp -- and we know how Windows users have a lot lower pain threshold when it comes to change," she said. "If Ubuntu can capitalize on Microsoft's latest and greatest mistake, more power to them."

'A Weird GUI'

In fact, "I doubt '8' is a challenge for most GNU/Linux operating systems," blogger Robert Pogson suggested.

"An operating system is supposed to be software that allows a person to use his PC," Pogson explained. "Too often that other OS is used to prevent a person using his/her PC without spending a lot of extra money and effort."

Not only that, but "on top of the baggage that M$ carries, '8' has issues with a weird GUI," he pointed out. "I doubt any user of that other OS familiar with windowed processes would be uncomfortable using GNU/Linux."

'I Recommend Debian'

Both Windows 8 and Ubuntu actually have GUI issues, Pogson opined. "I recommend Debian GNU/Linux -- it's the right way to do IT," he concluded.

Indeed, "Windows 8's new touch interface leaves a lot of room for competition to step in, but why waste this opportunity with Unity?" wondered consultant and Slashdot blogger Gerhard Mack.

'Amused and Glad'

"I'm glad to see a new release of Ubuntu," Hyperlogos blogger Martin Espinoza offered.
At the same time, "I'm both amused and glad to see a configuration utility for the Unity dock, when Shuttleworth swore up and down it didn't need one, as it didn't exist in previous releases," Espinoza said.

"This seems to me to closely follow the Apple model of telling you that only idiots would buy a certain class of hardware right up until they begin producing it themselves, at which point they tell you that you must be some kind of genius because you want to buy what they're selling," he added.

'Their Crown Was Taken by Mint'

Slashdot blogger hairyfeet questioned Ubuntu's relevance.

"Seriously, after Unity and their fumbles and arrogance I just don't see Ubuntu being relevant anymore," hairyfeet opined. "Their crown was taken by Mint."

After testing out the new Ubuntu, meanwhile, "I see nothing that I care for that I couldn't get in a dozen other distros," he concluded. "While it might work nice on a touchscreen like Win 8, I'll give it a pass."

'A Good Release'

Not everyone saw it that way, however.

"All-in-all, a good release, but it really is not a game changer," offered Roberto Lim, a lawyer and blogger on Mobile Raptor.

"I do not see the Windows crowd flocking to Ubuntu because of Windows 8," Lim added. "Those who don't like Windows 8 will simply stick with Windows 7.

"If Windows 8 is unpopular, Microsoft will probably simply offer a free downgrade to Windows 7," he suggested. "I do not see other Linux users flocking to Ubuntu because of HUD."

'Too Much Freedom'

Still, "a better Linux operating system is not needed to challenge Windows -- Linux has been good enough for many years now," Lim opined. "It's really about the app ecosystem and driver support."

Linux is "terribly fragmented," he said.

"It does not look like there is going to be one dominant Linux consumer platform at this point in time," Lim concluded. "Third parties are not going to support a minority operating system with more versions than you can count.

"Different developers agreeing to a single package management system for all Linux distributions would be a step in the right direction," he added. "Sometimes too much freedom is not a good thing."

Source: Linux News: Community: Ubuntu Linux 12.04: Microsoft's Worst Nightmare?
-
Just copy and paste the code into the search box and: http://imageshack.us/photo/my-images/207/86148300.jpg/ Just an HTML code injection.
-
It's posted under cross-site scripting, so he probably found the XSS in the search box. An XSS that has already been posted a few times:
https://rstcenter.com/forum/4954-evz-ro.rst -- 2006
https://rstcenter.com/forum/36755-xss-evz-ro.rst
https://rstcenter.com/forum/38993-xss-evz-ro.rst
https://rstcenter.com/forum/47084-evz-ro.rst
https://rstcenter.com/forum/52069-xss-evz-ro.rst
-
A serious remote code execution vulnerability in PHP-CGI has been disclosed. PHP-CGI-based setups contain a vulnerability when parsing query string parameters from PHP files. The developers were still in the process of building the patch for the flaw when it was disclosed Wednesday, but the vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec.

According to the advisory (CVE-2012-1823), PHP-CGI installations are vulnerable to remote code execution. You can pass command-line arguments like the “-s” switch (“show source”) to PHP via the query string. For example, you could see the source via “http://localhost/test.php?-s”. A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.

The team that found the bug, known as Eindbazen, said that it had been waiting for several months for the PHP Group to release a patch for the vulnerability in order to publish information about the bug.

What can this vulnerability do? It can help an attacker find out database passwords, file locations, etc., and execute any file on the server’s local disk. Most important, using some trick, if you have the possibility to upload a file to the server, execute any code.

So, when PHP is used in a CGI-based setup, php-cgi receives a processed query string parameter as command-line arguments, which allows command-line switches such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.

Source: Un-Patched PHP-CGI remote code execution vulnerability can expose Source Codes | The Hacker News
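A log check for the behaviour described in the post above, as an added example that is not part of the original post or the advisory. It assumes the command-line rule of RFC 3875 section 4.4 (a query string with no unencoded "=" is split on "+" and each word is URL-decoded into an argument); the log lines are constructed samples and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for illustration; not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/May/2012:10:00:01 +0000] "GET /test.php?-s HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/May/2012:10:00:02 +0000] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 900',
    '198.51.100.8 - - [04/May/2012:10:00:03 +0000] "GET /test.php?%2Ds HTTP/1.1" 200 512',
    '198.51.100.9 - - [04/May/2012:10:00:04 +0000] "GET /search.php?php+cgi HTTP/1.1" 200 300',
    '198.51.100.9 - - [04/May/2012:10:00:05 +0000] "POST /a.php?-d+name%3Dvalue HTTP/1.1" 200 10',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def cgi_argv(query):
    """Arguments a CGI server would derive from the query string, or []."""
    if not query or "=" in query:  # an unencoded "=" means ordinary form data
        return []
    # Words are separated by "+"; percent-decoding happens per word, so an
    # encoded "=" (%3D) does not switch the server back to form-data handling.
    return [unquote(word) for word in query.split("+")]

def is_switch_injection(line):
    """True if the request's query string would reach the binary as a switch."""
    m = REQUEST.search(line)
    if not m or "?" not in m.group(1):
        return False
    query = m.group(1).split("?", 1)[1]
    return any(arg.lstrip().startswith("-") for arg in cgi_argv(query))

def flag_lines(lines):
    return [line for line in lines if is_switch_injection(line)]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print(hit)
```

The second sample line contains "-date" but also an unencoded "=", so it is ordinary form data and is not flagged; the third shows why the check has to decode before looking for the leading dash.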