Ubuntu

     Ubuntu is down for imaging.  This will take approximately 45 minutes.  Mint and Debian are available if you need a Debian-based server during this maintenance interval.

Debian Maintenance

     Because only one person is logged in and they’ve been idle for a week, I am taking Debian down for maintenance, specifically to make an image.  This will take approximately 45 minutes.  If you need a Debian-based server in the meantime, Ubuntu and Mint are up and available.


phpMyAdmin

     The phpMyAdmin application will now require that you first authenticate with your normal system login and password before you will be permitted to enter the application and provide your MySQL username and password.

     This was done to add an extra layer of security after some malicious use of this utility.

Fail2Ban 0.8.14 -> 0.9.2

     I’m upgrading the fail2ban on our servers from version 0.8.14 to the so-called “gamma” version, 0.9.2, because I installed it on the web server and it proved to be more capable and stable than the so-called “stable” version.

     In particular, on the web server, I had a problem where a jail was matching (the regex returned matches) but it did not perform the specified action.  Upgrading to 0.9.2 solved this problem.  It also cut the start-up time, during which fail2ban re-reads the logs, from around 1-1/2 minutes to 8 seconds.

     This should not be service-impacting, other than that it will result in slightly less load on the servers and more reliable security.

Tables now Mobile Friendly

     The tables on our website are now mobile friendly.  They will reformat when they are squished to the point where they can’t squish any more.

     I’m having more problems with the new web mail I’m trying to get to work, round square.  For some reason it does not want to connect to the MySQL server but I haven’t been able to determine why yet.

Enterprise Linux 6 Updates

     Enterprise Linux 6 has just added close to 600 updates to its repository relating to update 7 (RHEL 6.7).  This will no doubt trigger a new release of CentOS 6 and Scientific Linux 6 shortly.  When that happens we’ll have another Friday and perhaps Saturday evening with a lot of maintenance activity to update CentOS 6 and SL 6 based servers here.

WordPress – Fail2Ban

     If you have a WordPress site here, please install the plugin “WP Fail2ban”.  This plugin will generate a syslog entry for failed logins, for which I have created fail2ban rules that will lock out the IP address of anyone attempting a brute-force password attack.  Please note this is WP Fail2ban by Charles Lecklider and not WordPress Fail2Ban by Wireflare.  The former has been tested and confirmed working.  The latter may work but I have not tested it.

     Also, if you protect part of your site with HTTP authentication, I have created rules that will pick up multiple password guesses and ban those as well.
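     To show what those fail2ban rules do, here is an added example (not the site’s own configuration or the plugin’s code) that applies fail2ban-style counting to both kinds of failure line mentioned above: a jail bans a host once it has maxretry matches inside a findtime-second window.  The log line formats are assumptions modelled on the WP Fail2ban syslog entry and on Apache 2.4’s mod_auth_basic error-log entry, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Patterns playing the role of fail2ban failregex lines; the "host" group is fail2ban's <HOST>.
PATTERNS = [
    # WP Fail2ban plugin syslog entry (format assumed for this example)
    re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
               r"Authentication (?:failure|attempt for unknown user) .* from (?P<host>\S+)$"),
    # Apache 2.4 mod_auth_basic error-log entry for a wrong password (AH01617)
    re.compile(r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]+\] "
               r"\[client (?P<host>[\d.]+):\d+\] AH01617: user \S+: authentication failure for"),
]

def parse_ts(text):
    """Parse a syslog or Apache timestamp; syslog carries no year, so 2015 is assumed."""
    for fmt in ("%b %d %H:%M:%S", "%a %b %d %H:%M:%S.%f %Y"):
        try:
            t = datetime.strptime(text, fmt)
            return t.replace(year=2015) if t.year == 1900 else t
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: " + text)

def find_bans(lines, maxretry=5, findtime=600):
    """Return {host: ban_time} for hosts with >= maxretry failures inside a findtime-second window.
    Lines are assumed to be in chronological order per host, as they would be in a log file."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-host failure timestamps still inside the window
    banned = {}
    for line in lines:
        match = next((m for m in (p.match(line) for p in PATTERNS) if m), None)
        if match is None or match.group("host") in banned:
            continue              # not a failure line, or the host is already banned
        host, ts = match.group("host"), parse_ts(match.group("ts"))
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > window:   # forget failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample log lines (addresses are from documentation ranges, not real events).
WP = "Jul 24 22:{m:02d}:{s:02d} web wordpress(example.com)[2345]: Authentication failure for admin from {ip}"
AP = ('[Fri Jul 24 22:{m:02d}:{s:02d}.000000 2015] [auth_basic:error] [pid 100] [client {ip}:51234] '
      'AH01617: user bob: authentication failure for "/private/": Password Mismatch')
SAMPLE_LINES = (
    [WP.format(m=10, s=10 * i, ip="203.0.113.9") for i in range(5)]        # 5 failures in 40 s: ban
    + [WP.format(m=10 + 3 * i, s=0, ip="198.51.100.7") for i in range(5)]  # 5 failures over 12 min: no ban
    + [AP.format(m=15 + i, s=0, ip="192.0.2.44") for i in range(5)]        # 5 HTTP auth failures in 4 min: ban
    + ["Jul 24 22:20:00 web sshd[99]: Accepted publickey for alice from 198.51.100.7 port 2222 ssh2"]
)

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LINES).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Lowering findtime or raising maxretry changes which hosts are banned; the second host in the sample is only caught once the window is widened to cover its 12-minute spread.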

Breakthrough!

     I’ve wanted to do some things here that require authentication of users on the web.  Things like a web based spam filter configuration control and other tweaks, user profiles, chat, a calendar that shares with a Unix desktop that could also work on portable devices, stuff like this requires knowing who the user is with certainty because we don’t want some stranger tweaking your account.

     Tonight I finally got Unix authentication to work on the web.  This opens up a plethora of security issues because HTTP is a connectionless protocol and hypothetically someone could mash thousands of guesses a second at user accounts without some facilities in place to stop that, and I’m still working on those things.  But I did get the thing fundamentally working.  It does so without exposing the shadow password to the web server.

     The documentation for mod_authnz_external is entirely broken in that it does not work in a <Directory> context as suggested by the instructions but does work with <Location>.  Not that it matters, because actually I’m going to use form-based authentication when all is said and done: I don’t want the browsers caching people’s passwords, or to have to beat the daemon to death calling it for each page request.