
Wednesday, September 24, 2014

How to set up a squid Proxy with basic Username and Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password.
Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with apache2-utils to create your passwords. Here is how it's done:

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it's universally readable.

[root@tmp]# touch /etc/squid/squid_passwd
[root@tmp]# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at anytime without having to restart Squid. In this case, you add a username called www:

[root@tmp]# htpasswd /etc/squid/squid_passwd www
New password:
Re-type new password:
Adding password for user www
[root@tmp]#

3) Find your ncsa_auth file using the locate command.

[root@tmp]# locate ncsa_auth
/usr/lib/squid/ncsa_auth
[root@tmp]#

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

5) This example requires password authentication and allows access only during business hours. Once again, the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours

Remember to restart Squid for the changes to take effect.
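For readers who want to see what ncsa_auth actually does with that password file, here is an added Python sketch (not code from this post or from Squid) of a basic-auth helper speaking Squid's helper protocol: one `username password` line per request on stdin, `OK` or `ERR` on stdout, checked against an htpasswd-style file. It handles only the `{SHA}` scheme that `htpasswd -s` writes, because that needs nothing beyond the standard library; the other schemes ncsa_auth accepts are out of scope here, and unsalted SHA-1 is not the scheme to pick for a real deployment. The sample entry, user name and password are constructed inline so the script runs with no file present; pass a path as the first argument to read a real one. One practical point the steps above gloss over: the file holds password hashes, so it needs to be readable by the user Squid runs its helpers as, not necessarily by everyone.

```python
import base64
import hashlib
import hmac
import sys
from urllib.parse import unquote


def load_htpasswd(text: str) -> dict:
    """Parse 'user:hash' lines as written by htpasswd; blank lines and comments are skipped."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        db[user] = stored
    return db


def check_password(stored: str, password: str) -> bool:
    """Verify one htpasswd entry. Only the '{SHA}' scheme (htpasswd -s) is handled in
    this demo; any other scheme fails closed rather than being guessed at."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], digest)   # constant-time comparison
    return False


def handle_line(db: dict, line: str) -> str:
    """One round of the Squid basic-auth helper protocol: 'user password' in, OK/ERR out.
    Newer Squid versions URL-encode both fields before sending them, so decode first
    (a no-op for plain input)."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)
    stored = db.get(user)
    if stored is None or not check_password(stored, password):
        return "ERR"
    return "OK"


def make_sha_entry(user: str, password: str) -> str:
    """Same output as 'htpasswd -s' (constructed here so the demo needs no external file)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed sample password file: the 'www' user from the post with a demo password.
SAMPLE_PASSWD = "\n".join([make_sha_entry("www", "s3cret-demo"), "# comment line", ""])


def helper_main(db: dict, stream_in=sys.stdin, stream_out=sys.stdout) -> None:
    """Loop the way Squid drives a helper: answer each request line until stdin closes."""
    for line in stream_in:
        stream_out.write(handle_line(db, line) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    with open(path) if path else None as fh:
        pass
    db = load_htpasswd(open(path).read()) if path else load_htpasswd(SAMPLE_PASSWD)
    helper_main(db)
```

Pointing `auth_param basic program` at this script (with the password file path as its argument) would exercise the same request/response exchange as ncsa_auth; the `ERR` on malformed lines and on unknown hash schemes is deliberate, since a helper that answers `OK` on anything it cannot parse would silently open the proxy.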

Wednesday, February 12, 2014

Iptables String Matching for Advanced Firewalling

Introduction.

When it comes to any server or network connected to the internet, security against malicious files and hack attempts is a matter of concern for any administrator. Linux has provided its own firewall since its early releases. The current iptables firewall, maintained by the netfilter team, is advancing into a more powerful security and network management tool with the recent releases. It will be a topic of interest for any Linux-based server/network administrator. This article covers effective configuration and optimization of the iptables firewall system in 2.6.x kernels in order to defend more effectively against TCP attacks and to drop unwanted packets without interfering with your business-critical services.

Kernels from 2.6 include support for matching strings present in IP packets, inspecting the entire packet data. Earlier kernels supported matching at the IP header level only, which was a limitation, as rules could be formed only from header values like IP addresses, ports, packet state, etc. The netfilter iptables firewall system has undergone great advancements in the latest kernels, with the string matching option being among the more interesting for server administrators. Rules based on string matching are very easy to implement. This guide intends to introduce the method to users with a basic understanding of networking and iptables.

System Requirements.

  1. Preferred kernel version : 2.6.18 or later.
  2. The iptables program(1.3.5 or later) installed on your machine.
  3. The kernel should be compiled with string matching support. To do this, the following line should be added to the .config file prior to compiling the kernel:
    CONFIG_NETFILTER_XT_MATCH_STRING=m
    

If you use a pre-compiled kernel, check for this option in the config file for the appropriate kernel version in your /boot directory. If present, it means that netfilter string matching is compiled as a module. Make sure that the module is loaded (using the lsmod command or by looking for the appropriate entry in the /proc/modules file). The minimum requirement is a 2.6.14 kernel; however, it is a bit difficult to get it working on kernels before 2.6.18. Customising the kernel and iptables is required in that case. Suggested configuration options for older kernels can be detailed in another article, if there is demand.

Formatting the Rules.

If iptables is installed with string matching support, the extension's help text can be printed with the following command:

iptables -m string --help

Here is the relevant section from the iptables(8) man page:

   string
       This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.

       --algo bm|kmp
              Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)

       --from offset
              Set the offset from which it starts looking for any matching. If not passed, default is 0.

       --to offset
              Set the offset to which it starts looking for any matching. If not passed, default is the packet size.

       --string pattern
              Matches the given pattern.

       --hex-string pattern
              Matches the given pattern in hex notation.


In iptables 1.3.5, you need to specify the algorithm to use for string matching using the --algo option. We may limit the search by specifying the offset values as well. Two algorithms can be used, Boyer-Moore and Knuth-Morris-Pratt. More information regarding these algorithms can be found at Wikipedia - for Boyer-Moore the URL is:

http://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm

and for Knuth-Morris-Pratt the URL is:

http://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm

Boyer-Moore is efficient and fast and is preferable in most cases.

Common Applications and Useful Example Rules:

1) To prevent an intrusion attempt.

If a suspicious URL upload through the web server was detected, you could frame rules like the following:

iptables -I INPUT 1 -p tcp --dport 80 -m string --string "cmd.exe" --algo bm -j DROP

The rule blocks all packets to port 80 containing the string cmd.exe. mod_security is an option for the same purpose, but it can be an overload on a busy web server.

2) To defend DDOS to a service.

It is a common case where we need to drop requests to a domain when it is under DDoS. mod_dosevasive is an option, but it really overloads the web server. The string matching option can be utilized here without overloading the web server.

iptables -I INPUT 1 -p tcp --dport 80 -m string --string "domain.com" --algo kmp -j DROP

The rule blocks all web requests to domain.com. These rules can also be used in conjunction with other iptables matches and options, depending on what is required.

3) To Defend against E-mail Spoofing.

We can make use of the string matching option in numerous cases to drop intruder and spam packets before they enter the server. Another instance, for example, is a mail server receiving many spoofed e-mails with a common 'Subject'. If the spammer is using a single IP address, it is very easy to block him using RBLs, conventional iptables rules, etc. But when the spammer is using different IP addresses, it makes things difficult for the administrator. In such a case, the following string-based rule can be added to the firewall so that the mail server will not get overloaded by the spoofed mails.

iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm -j DROP

Do it now with an optimised rule!

The same rule can be modified to one with less overhead (that is, it uses fewer resources) by limiting the search with offset values, assuming that the SMTP Subject header will be within an offset of 15000 in the packet.

iptables -I INPUT -p tcp --dport 25 -m string --string "Subject" --algo bm --to 15000 -j DROP

4) Other general cases.

Apart from the instances discussed above, you can make use of the string matching options wherever you need to manage the packets entering a server or network based on strings like URLs, file names, file contents, etc.

Conclusion.

The string matching option can be effectively utilized when a network needs to be filtered using strings. We can block the packets right at the kernel level, without overloading your server applications. However, string matching involves a higher overhead for the kernel than ordinary iptables matches. Offset limits should be specified for the search wherever possible in order to reduce this overhead.
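To make the --algo/--from/--to options and the example rules above concrete, here is an added Python model (not code from this article or from iptables itself) of what the kernel's string match does to a single packet payload: both search algorithms, the offset window, and the verdict each of the example rules would give on constructed HTTP and SMTP payloads. It makes visible two things the rules alone do not: a bare "Subject" pattern fires on every message that carries a Subject header, spam or not, so the rule in section 3 only does what is intended once the distinctive subject text is appended; and because the match runs per packet, a string split across two TCP segments is never seen, so --to should only exclude bytes where the pattern cannot possibly be. The request lines, addresses and mail headers are constructed for the demo.

```python
from typing import Optional


def bm_find(text: bytes, pattern: bytes) -> int:
    """Boyer-Moore search using the bad-character rule; first match offset or -1."""
    n, m = len(text), len(pattern)
    if m == 0:
        return 0
    last = {}                       # rightmost position of each byte value in the pattern
    for i, b in enumerate(pattern):
        last[b] = i
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0 and pattern[j] == text[i + j]:   # compare right to left
            j -= 1
        if j < 0:
            return i
        i += max(1, j - last.get(text[i + j], -1))    # jump past the mismatching byte
    return -1


def kmp_find(text: bytes, pattern: bytes) -> int:
    """Knuth-Morris-Pratt search; same contract as bm_find."""
    m = len(pattern)
    if m == 0:
        return 0
    fail = [0] * m                  # longest proper border of pattern[:i + 1]
    k = 0
    for i in range(1, m):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    k = 0
    for i, b in enumerate(text):
        while k and b != pattern[k]:
            k = fail[k - 1]
        if b == pattern[k]:
            k += 1
        if k == m:
            return i - m + 1
    return -1


ALGOS = {"bm": bm_find, "kmp": kmp_find}


def xt_string_match(payload: bytes, pattern: bytes, algo: str = "bm",
                    from_off: int = 0, to_off: Optional[int] = None) -> int:
    """Model of '-m string --algo A --from F --to T': the pattern must lie inside
    payload[F:T]. Returns the absolute offset of the match, or -1 if the rule would not fire."""
    pos = ALGOS[algo](payload[from_off:to_off], pattern)
    return pos + from_off if pos >= 0 else -1


def verdict(payload: bytes, pattern: bytes, **opts) -> str:
    """What '-j DROP' on such a rule would do to this one packet."""
    return "DROP" if xt_string_match(payload, pattern, **opts) >= 0 else "ACCEPT"


# Constructed single-packet payloads (hypothetical hosts and addresses).
HTTP_PROBE = b"GET /scripts/cmd.exe HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
HTTP_NORMAL = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
MAIL_SPAM = b"From: x@example.net\r\nTo: me@example.com\r\nSubject: Cheap watches\r\n\r\nBuy now\r\n"
MAIL_LEGIT = b"From: boss@example.com\r\nTo: me@example.com\r\nSubject: Quarterly report\r\n\r\nSee attached\r\n"


def demo() -> dict:
    """Verdicts of the article's example rules against the constructed payloads."""
    return {
        "cmd.exe rule vs probe": verdict(HTTP_PROBE, b"cmd.exe"),
        "cmd.exe rule vs normal GET": verdict(HTTP_NORMAL, b"cmd.exe"),
        "bare Subject rule vs spam": verdict(MAIL_SPAM, b"Subject", algo="kmp"),
        "bare Subject rule vs legit mail": verdict(MAIL_LEGIT, b"Subject", algo="kmp"),
        "specific subject vs legit mail": verdict(MAIL_LEGIT, b"Subject: Cheap watches"),
        "specific subject vs spam, --to 15000": verdict(MAIL_SPAM, b"Subject: Cheap watches", to_off=15000),
        "Subject with --to 10 (window too small)": verdict(MAIL_SPAM, b"Subject", to_off=10),
    }


if __name__ == "__main__":
    for rule, result in demo().items():
        print(f"{rule:45s} {result}")
```

Both algorithms return the same offsets, which is the point of the --algo choice: it changes cost, not matches. Note that the "bare Subject" rows drop legitimate mail too, so in practice the pattern needs the full distinctive header text, and --to only helps when it is large enough to still cover the header.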

Friday, August 24, 2012

Batch Encoding H.264 Video with HandBrake


(Just as in the previous section, in this section I’m going to use “H.264 video” as a shorthand for “H.264 baseline profile video and AAC low-complexity profile audio in an MPEG-4 container.” This is the combination of codecs+container that works natively in Safari, in Adobe Flash, on the iPhone, and on Google Android devices.)
HandBrake also comes in a command-line edition. As with ffmpeg2theora, the command-line edition of HandBrake offers a dizzying array of options. (Type HandBrakeCLI --help to read about them.) I’ll focus on just a few:
  • --preset "X", where “X” is the name of a HandBrake preset. The preset you want for H.264 web video is called “iPhone & iPod Touch”, and it’s important to put the entire name in quotes.
  • --width W, where “W” is the width of your encoded video. HandBrake will automatically adjust the height to maintain the original video’s proportions.
  • --vb Q, where “Q” is the average bitrate (measured in kilobits per second).
  • --two-pass, which enables 2-pass encoding.
  • --turbo, which enables turbo first pass during 2-pass encoding.
  • --input F, where “F” is the filename of your source video.
  • --output E, where “E” is the destination filename for your encoded video.
Here is an example of calling HandBrake on the command line, with command line flags that match the settings we chose with the graphical version of HandBrake.
you@localhost$ HandBrakeCLI --preset "iPhone & iPod Touch" \
                            --width 320 \
                            --vb 600 \
                            --two-pass \
                            --turbo \
                            --input pr6.dv \
                            --output pr6.mp4
From top to bottom, this command runs HandBrake with the “iPhone & iPod Touch” preset, resizes the video to 320×240, sets the average bitrate to 600 kbps, enables two-pass encoding with a turbo first pass, reads the file pr6.dv, and encodes it as pr6.mp4. Whew!

Sunday, May 31, 2009

Block brute force SSH attacks with iptables

Since 2005 there has been an immense increase in brute force SSH attacks and though Linux is pretty secure by default, it does not stop evil programs from indefinitely trying to login with different passwords. Without proper protection your server is a sitting duck waiting for a bot to guess the right combination and hit the jackpot. But with just 2 commands we can stop that.

Here's an example of the auth.log file. You can see that even as I'm writing this article bots are trying different account combinations to get into my server:

Jul 28 21:32:16 impala sshd[10855]: Illegal user office from 213.191.74.219
Jul 28 21:32:16 impala sshd[10855]: Failed password for illegal user office from 213.191.74.219 port 53033 ssh2
Jul 28 21:32:16 impala sshd[10857]: Illegal user samba from 213.191.74.219
Jul 28 21:32:16 impala sshd[10857]: Failed password for illegal user samba from 213.191.74.219 port 53712 ssh2
Jul 28 21:32:16 impala sshd[10859]: Illegal user tomcat from 213.191.74.219
Jul 28 21:32:16 impala sshd[10859]: Failed password for illegal user tomcat from 213.191.74.219 port 54393 ssh2
Jul 28 21:32:16 impala sshd[10861]: Illegal user webadmin from 213.191.74.219
Jul 28 21:32:16 impala sshd[10861]: Failed password for illegal user webadmin from 213.191.74.219 port 55099 ssh2

Do you see the rate at which this is happening? Nowadays' connection speeds allow crackers to try an enormous amount of combinations every second! It's time to stop this before someone hits the jackpot and my server is compromised.

Iptables is the standard Linux firewall and though I use Ubuntu, it should be installed by default on any modern distribution. But it doesn't do anything yet. It's just sitting there, so we need to teach it some rules to prevent brute force attacks.

There are tools available to do this for us, like fail2ban. Though it's a great piece of software and certainly has its advantages, in this article I'd like to stick with iptables, because fail2ban parses log files to detect brute force attacks at a certain interval, whereas iptables works directly at the kernel level. Besides, I don't think many people know about iptables' full capabilities, and it comes preinstalled!

Because iptables comes standard with every Linux distribution we'll skip right to setting up the specific firewall rules we need. In depth configuring of iptables takes a bit of understanding and is not within the scope of this article, but let's take a look at these two statements:

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

The -i eth0 is the network interface to which ssh connections are made. Typically this is eth0, but maybe you need to change it.

That's it! Together they will rate-limit all incoming SSH connections to 8 in a one minute window. Normal users will have no trouble logging in, but the brute force attacks will be dropped, limiting the number of possible account combinations from unlimited, to 8. That's awesome!
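As an added illustration (not part of the original post), the following Python script replays those two rules over auth.log lines in the format shown earlier: each sshd process in the log is one NEW connection, the first rule stamps the source address, and the second drops the connection once 8 stamps fall inside a 60-second window, refreshing the entry on every dropped attempt just as --update does. The --rttl TTL comparison is not modelled. The log lines are constructed for the demo (the attacker address is the one from the post's log; 192.0.2.10 is a documentation address standing in for an unrelated client). Running it shows the eighth attempt inside the window, and every attempt after it, dropped until the window empties, which is the behaviour to expect when testing from a second machine as described below.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# auth.log line format from the post; the sshd pid distinguishes one connection from the next.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Illegal user \S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_connections(lines, year=2009):
    """Return one (timestamp, source_ip) per sshd process, i.e. per NEW TCP connection."""
    seen, conns = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["pid"] in seen:
            continue
        seen.add(m["pid"])
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        conns.append((when, m["ip"]))
    return conns


class RecentList:
    """Model of the two '-m recent' rules: '--set' records every NEW connection, then
    '--update --seconds S --hitcount N' matches (and drops) when N stamps fall inside
    the window, adding another stamp on each match. The --rttl TTL check is omitted."""

    def __init__(self, seconds=60, hitcount=8, max_stamps=20):
        self.window = timedelta(seconds=seconds)
        self.hitcount = hitcount
        self.max_stamps = max_stamps      # xt_recent keeps a bounded stamp list per address
        self.stamps = defaultdict(deque)

    def _stamp(self, ip, when):
        self.stamps[ip].append(when)
        if len(self.stamps[ip]) > self.max_stamps:
            self.stamps[ip].popleft()

    def new_connection(self, ip, when):
        self._stamp(ip, when)                                   # rule 1: --set
        hits = sum(1 for s in self.stamps[ip] if when - s < self.window)
        if hits >= self.hitcount:                               # rule 2: --update ... -j DROP
            self._stamp(ip, when)                               # --update refreshes on match
            return "DROP"
        return "ACCEPT"


def simulate(lines, **kw):
    """Feed every NEW connection in the log through the two rules; list of (ip, verdict)."""
    table = RecentList(**kw)
    return [(ip, table.new_connection(ip, when)) for when, ip in parse_connections(lines)]


# Constructed sample log: a ten-connection burst, an unrelated client, and one late retry.
def _line(ts, pid, user, ip):
    return f"Jul 28 {ts} impala sshd[{pid}]: Illegal user {user} from {ip}"


ATTACKER, CLIENT = "213.191.74.219", "192.0.2.10"
SAMPLE_LOG = (
    [_line("21:32:16", 10855 + 2 * i, f"user{i}", ATTACKER) for i in range(4)]
    + [_line("21:32:17", 10863 + 2 * i, f"user{i + 4}", ATTACKER) for i in range(4)]
    + [_line("21:32:18", 10871 + 2 * i, f"user{i + 8}", ATTACKER) for i in range(2)]
    + [_line("21:32:18", 10880, "alice", CLIENT)]
    + [_line("21:33:30", 10890, "user10", ATTACKER)]   # 74 s after the burst began: window expired
)


if __name__ == "__main__":
    for ip, result in simulate(SAMPLE_LOG):
        print(f"{ip:16s} {result}")
```

Seven connections from one address get through, the eighth and later ones inside the window are dropped, the other client is unaffected, and the late retry is accepted again because none of the old stamps are within 60 seconds of it. That last row is also why a persistent bot gets re-blocked quickly: its own dropped attempts keep adding stamps.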


While you're still testing, you might want to add the following line to your crontab

*/10 * * * * /sbin/iptables -F

This will flush all the rules every 10 minutes, just in case you lock yourself out. When you're happy with the results of your work, remove the line from your crontab, and you're in business.

Restore on boot

You will find that on your next reboot, the rules are lost. Damn! You probably want these 2 brute force protection rules automatically restored, right? The most elegant way would probably be to restore the iptables rules when your network interface comes back online. Here is how I would do this on Ubuntu. Let's put the following content in a file: /etc/network/if-up.d/bfa_protection

#!/bin/bash
[ "${METHOD}" != loopback ] || exit 0
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

Save the file and make it executable:

chmod u+x /etc/network/if-up.d/bfa_protection

Now every time your interface comes up, the rules are added to iptables. Sweet.

Remove on shutdown

But to do this really clean, we need to have a script that removes the rules as well for when the interface goes down. Just to make sure the rules are never added twice. So let's also create a file: /etc/network/if-down.d/bfa_protection

#!/bin/bash
[ "${METHOD}" != loopback ] || exit 0
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP


-D removes a rule whereas -A adds one. Anyway. Let's save this file and make it executable:

chmod u+x /etc/network/if-down.d/bfa_protection

That's it! We're in business!

Like to test it?

Very wise indeed. iptables -L shows the active rules, so why not execute the following:

/etc/network/if-up.d/bfa_protection
iptables -L

Perfect. If you have another machine (not the one you're working on! you do not want to take the risk of getting banned yourself!) you could really test it by logging in 8 times within 60 seconds. See if you get banned!

Now does the removal script work as well?

/etc/network/if-down.d/bfa_protection
iptables -L

Now the rules should be gone.

Undo

And oh yes, if at any time you run into problems, the following command will flush all the iptables rules:

iptables -F

And you can undo by just removing the files we created:

rm /etc/network/if-up.d/bfa_protection
rm /etc/network/if-down.d/bfa_protection
iptables -F # flush all the rules, just in case

Monday, November 17, 2008

Add videos to VirtueMart products - with the help of AllVideos Plugin!

AllVideos has made it very easy for people since June 2006 ( :D) to add videos in their Joomla! content. So a natural progression to this would be to add videos in e-shops/product pages as well. We all know that VirtueMart is the best e-shop implementation out there.

So how do we enable video playback in VirtueMart, in an easy manner, similar to the AllVideos Plugin? Well... we just enable the use of AllVideos inside VirtueMart! :D

Here's the solution to enable the plugin for the "product details" page:

Open up the file administrator/components/com_virtuemart/html/shop.product_details.php and in the end of it, look for:

/* Finish and Print out the Page */
echo $template;


and add ABOVE this some code. Overall the change is this:

// start - enable "content type" plugin parsing
global $_MAMBOTS;
$_MAMBOTS->loadBotGroup( 'content' );
$row->text = $template;
$results = $_MAMBOTS->trigger( 'onPrepareContent', array( &$row, &$params, $page ), true );
$template = $row->text;
// end - enable "content type" plugin parsing

/* Finish and Print out the Page */
echo $template;


This will load the "content type" plugins in VirtueMart. That means that you can use the AllVideos Plugin to add videos in your products (as showcase) and even use the "Tabs & Slides in Content Items" Plugin to display your product's details in Tabs and/or Slides!!

Cool, huh??