Searching for Windows FTP server

Last year I was working on a Gentoo Linux-based VMware server install where I had two VMware images running. One image was a hardened Gentoo web server and the other was a Windows 2003 server for running ASP/ASP.NET applications for development testing. One of the requirements was to install an FTP server where multiple developers could have access to the box to test code for pre-production.

As most of you know, I'm mainly a Linux guy. I do "some" work with Windows servers, but mostly stay with Gentoo Linux servers. Installing an FTP server, in my initial thinking, was "no problem". I always forget you have to pay for EVERYTHING when it comes to Windows. You can get trials or limited-use services, but there is always a catch. At the end of the day, I ended up using Serv-U's personal-use FTP Server, but started running into issues since there were multiple users required to log in and manage files. In the end, we ended up purchasing a license to get over this ($$$$$).

Mod_security-2.1.1-rc1 addresses some issues

Okay... I started to stop playing Desktop Tower Defense, and thank God! Now, back to 'real' stuff. I've been running into some weird stuff with the latest mod_security, and thanks to the great community on the ModSec mailing list, we're starting to take care of the problems.

Desktop Tower Defense!!!!

Okay, I'm addicted to a new game. A couple of friends turned me on to this, and I literally can't stop playing/thinking about this game. It's called Desktop Tower Defense.

It's the most brilliant stupid game I've ever played. You need to create a maze with weapon towers to keep the creeps from going to their exits. You need to buy weapons and upgrades with the gold you win by killing creeps. It's cool on all sorts of levels. Good maze skills, time management, resource management. I literally have dreams about this game.

Snort: mysql_error: MySQL server has gone away

Since the recent upgrade of Snort 2.4 to 2.6, we started encountering some weird issues with MySQL 5. What tends to happen is that if MySQL is restarted or there is a large gap between alerts, Snort will complain that MySQL has gone away. I'm not sure where to point the problem: is this a MySQL problem or a Snort problem?

If you restart MySQL, Snort will constantly complain that MySQL has gone away. To remedy the problem, you need to restart Snort after every MySQL restart, and everything returns to normal.

The other issue that was extremely hard to track down was when a large gap of time (usually 4-6 hours) between alerts occurred. At this time Snort states that MySQL has gone away. It appears that Snort needs a persistent connection to MySQL, and when a gap occurs that connection is lost or 'released' due to timeout, and Snort doesn't initiate a new connection to MySQL.

Mod_security :: upgrading from 1.x to 2.x (part 2)

Hello All

Well, I was able to get mod_security upgraded from 1.x to 2.x on all servers. There were issues along the way, mainly the problem with mod_limitipconn and mod_security-2.x not playing nice with each other (please review posts below on the matter since it may not be isolated to mod_limitipconn, and resulted in full mod_security bypass!).

They did a major re-work porting 1.x to 2.x; almost all of the rule syntax and directives have changed. Also, they did a much better job on the core rulesets. I'm experiencing some small false positives and issues relating to a few of the rules, but overall the core ruleset is very nice.

Okay, if you're running mod_security-1.8.7 or mod_security-1.9.4 and need to upgrade to 2.1.1, here is how I did it:

Desk Shot

Ok, usually on this site I write about some pretty nerdy stuff about Gentoo Linux. Mainly 'issues' and how I resolved them. But with today's sponsored post I get to write about a site that is nerdy AND funny. When I say "funny", I mean funny cool, not funny odd.

The site is Desk Shot (http://www.deskshot.com). Desk Shot is a great example of a web 2.0 community-driven web site where users can brag about what's on their desk. Here is the perfect opportunity for a super nerd to show off his transparent case, liquid-cooled CPUs, dual-monitor system and Dilbert stress toy to the world. The ones that gave me an open chuckle were the submissions of the opposite. I loved the guys that showed off their single-monitor workstation and bragged it up (obviously sarcasm, but it made me laugh).

Mod_security-2.1.1 and mod_limitipconn patch procedure

Hello all

The mod_security team quickly isolated my problem and generated a patch for me to address it. To give a summary of the issue, when updating to mod_security-2.1.1 AND using mod_limitipconn-0.22-r1, mod_security blocks are bypassed. Mod_security logs the rule trigger and states that it issued a 403 (or whatever status you set, 500, etc.), but the request is not stopped and processing continues. Obviously, this is a bad thing. Removing mod_limitipconn or rolling back to mod_security-1.8.7 fixed the problem.

It was great that the mod_sec team worked hard to get a patch out, since mod_limitipconn is a great Apache module and I didn't want to leave it behind to take mod_security.

Thought I'd take a moment to discuss how I applied the patch in my Gentoo environment.

Here is the patch file that was sent to me (subrequests.diff)

Mod_security upgrade from 1.8.7 to 2.1.1 -- Major issue with mod_limitipconn [UPDATE]

I just received an email from Ivan Ristic this morning! He looked through the source of mod_limitipconn and found that the module is NOT compatible with mod_security-2.x.

Ivan Ristic - "I've looked briefly at the source code of mod_limitipconn and it would appear that this module is not compatible with ModSecurity in the current version (as far as blocking is concerned). This is not unusual. Apache has an incredibly rich API that allows modules to significantly change the way requests are processed and it appears that mod_limitipconn does this."

Mod_security upgrade from 1.8.7 to 2.1.1 -- Major issue with mod_limitipconn

Well, I'm getting really close on the migration from mod_security-1.8.7 to mod_security-2.1.1. I've upgraded on a few servers, and overall the migration has been pretty successful. On one server, I came across a really weird issue. It appears that I'm experiencing a mod_security bypass issue.

Creating a simple SecRule to catch basic spam for comments, I noticed that my logs were recording the proper 403 (what I had set for the status) but the request was allowed to process the target script regardless! This was a complete bypass of mod_security. After spending several hours debugging the problem, I finally isolated it to mod_limitipconn in conjunction with mod_security-2.1.1. With these two modules running, it almost appears that the request was processed first, then passed to mod_security.
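The bypass described in these two mod_security posts has a practical lesson: a "403" in the audit log is not proof that a request was stopped, so after any WAF or module upgrade the block should be verified from the outside, by checking the client-visible status and confirming that the protected script did not run. The following is an added example (not code from the original posts, and not part of mod_security or mod_limitipconn) of such an end-to-end check in Python. It assumes a hypothetical protected script that echoes a known marker string whenever it executes, and a constructed spam-style payload that the test SecRule is expected to match; a small stdlib HTTP server stands in for Apache so the check can be run offline in both the "enforced" and the "bypassed" state.

```python
"""
Added example: verify that a WAF deny is actually enforced, not just logged.

Assumptions (hypothetical, not from the posts): the protected script emits
BACKEND_MARKER whenever it runs, and the probe payload matches the SecRule.
A stub server reproduces the two outcomes so the check runs without Apache.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker that the real comment handler would print when it executes.
BACKEND_MARKER = "comment-handler-ran"


def probe(url, payload):
    """POST the payload and return (status, body), including on 4xx/5xx."""
    req = urllib.request.Request(url, data=payload.encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def enforced(status, body, marker=BACKEND_MARKER, expected_status=403):
    """True only if the deny status came back AND the backend left no trace."""
    return status == expected_status and marker not in body


class _Stub(BaseHTTPRequestHandler):
    """Stand-in for Apache: 'enforced' denies, 'bypassed' reproduces the bug."""
    mode = "enforced"

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.mode == "enforced":
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"Forbidden")
        else:
            # Bypassed: the rule "fired" (and would be logged) but the handler still ran.
            self.send_response(200)
            self.end_headers()
            self.wfile.write(BACKEND_MARKER.encode())

    def log_message(self, *args):  # keep the stub quiet
        pass


def run_check(mode):
    """Start the stub in the given mode, probe it once, and return the verdict."""
    _Stub.mode = mode
    server = HTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/comment.php" % server.server_address[1]
        # Constructed payload of the kind a basic comment-spam SecRule would match.
        status, body = probe(url, "comment=cheap pills click here")
        return enforced(status, body)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("enforced mode ->", run_check("enforced"))   # True
    print("bypassed mode ->", run_check("bypassed"))   # False
```

Against a real server you would call `probe()` with the site's URL and your own test payload and compare the result with the audit log entry for the same request; a logged 403 paired with `enforced()` returning False is exactly the symptom described above.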

Freshclam issues

I've been noticing more and more of these messages being sent to me via logcheck on a few servers. It appears that freshclam is having issues updating against its mirrors.

May 24 15:17:29 comp freshclam[6353]: Mirror 64.142.100.50 is not synchronized.
May 24 15:17:29 comp freshclam[6353]: Giving up on database.clamav.net...
May 24 15:17:29 comp freshclam[6353]: Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
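Both the freshclam mirror failures above and the Snort "MySQL server has gone away" problem described earlier arrive as repeated syslog lines, which is what makes them noisy in a logcheck mail. The following is an added example (not code from the original posts, and not part of freshclam, Snort or logcheck) of a small scanner that parses syslog lines and collapses the repeats into one finding per host, program and problem, with a count and the last timestamp. The three freshclam lines are the ones quoted above; the snort lines and the pid are constructed for the example, and the exact prefix Snort puts before "MySQL server has gone away" may differ by version.

```python
"""
Added example: collapse repeated freshclam / snort syslog errors into findings.

The snort sample lines below are constructed; the freshclam lines are quoted
from the post. Hints are the remedies the posts themselves describe.
"""
import re
from collections import OrderedDict

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# program -> [(problem label, regex over the message, remedy hint)]
PATTERNS = {
    "freshclam": [
        ("mirror-unsynced", re.compile(r"Mirror (\S+) is not synchronized"),
         "note which mirror is stale and whether it repeats"),
        ("update-failed", re.compile(r"Update failed"),
         "check network/DNS and the mirrors listed in freshclam.conf"),
    ],
    "snort": [
        ("mysql-gone-away", re.compile(r"MySQL server has gone away"),
         "restart snort so it opens a fresh MySQL connection"),
    ],
}


def parse_line(line):
    """Return the syslog fields as a dict, or None for a line that is not syslog."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan(lines):
    """Return an ordered dict keyed by (host, prog, problem) -> finding."""
    findings = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for problem, rx, hint in PATTERNS.get(rec["prog"], []):
            m = rx.search(rec["msg"])
            if not m:
                continue
            key = (rec["host"], rec["prog"], problem)
            f = findings.setdefault(
                key, {"count": 0, "last": None, "detail": None, "hint": hint})
            f["count"] += 1
            f["last"] = rec["ts"]          # keep the most recent timestamp
            if m.groups():
                f["detail"] = m.group(1)   # e.g. the mirror address
    return findings


SAMPLE = """\
May 24 15:17:29 comp freshclam[6353]: Mirror 64.142.100.50 is not synchronized.
May 24 15:17:29 comp freshclam[6353]: Giving up on database.clamav.net...
May 24 15:17:29 comp freshclam[6353]: Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
May 24 19:40:02 comp snort[2210]: mysql_error: MySQL server has gone away
May 24 19:40:02 comp snort[2210]: mysql_error: MySQL server has gone away
"""

if __name__ == "__main__":
    for (host, prog, problem), f in scan(SAMPLE.splitlines()).items():
        print("%s %s %s: x%d last=%s detail=%s -> %s" % (
            host, prog, problem, f["count"], f["last"], f["detail"], f["hint"]))
```

Run it over `/var/log/messages` (or whatever file logcheck reads) instead of `SAMPLE` to get one line per problem rather than one per occurrence; the "Giving up on ..." line is deliberately not matched, since the "Update failed" line that follows it already carries the actionable information.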
