I’ve reinstalled apache and I’m in the process of cutting over my sites. Not completely, just for non static files, mainly php. Nginx is infront of apache serving static content and is a reverse proxy to apache which runs on 127.0.0.1:81

The reason? I want to give mod_security a spin. It’s loaded now, but it doesn’t seem to do much atm. Will read up on it in due season ;)

Basically, you google for nginx apache proxy wordpress wp-super-cache and you hit the right sort of pages to set it up. It wasn’t smooth sailing though, I used http://tech.nocr.at/tech/how-to-speed-up-wordpress-with-nginx-and-wp-super-cache/ which has a flaw.

It contains the lines at the end on the nginx config sample.
# all other requests go to WordPress
if (!-e $request_filename) {
rewrite . /index.php last;
}
and funnily enough, every url opened the front page of my blog. It took me a bit of head scratching before I commented the lines out, enabled mod_rewrite in apache, and toggled a wordpress permalink setting to get .htaccess written.

After I got it working, I read the comments and someone had already discovered the flaw. Plus another page I read is basically the same, except it’s missing those lines (it wasn’t as good looking, so I didn’t use it).

So I’m pretty happy that I understand the config now, and I’ll continue to cut over the remaining sites, then turn off php5-cgi. I’m also happy apache is back, I went a bit anti apache there for a while, but it has its uses, like mod_security for example.

Sheesh, I write one post on security, mention a security expert in it, and he tries to exploit my server. It’s not an original idea, but if you want to test your server for vulnerabilities, come out and say you’re a security expert.

Anyway, I finished Cyber War, feeling very satisfied since it’s been a long time since I had the will to read a book. Twitter’s 140 character limit has taken a toll.

I think the conclusion the author made was regulation, which will erode privacy, and treaties. Also a new protocol where there are no anonymous users (except for the bad guys, i guess).

The author has no doubt that our critical systems already have backdoors and logic bombs installed, waiting for the day. One thing that struck me is no matter how secure my own network is (which it isn’t very, no need to test), if someone else is vulnerable, it could affect me and millions of others.

On to the next book. This one is lower level I think.

I’ve recently become more interested in security. I always had an interest in it, locking down linux servers and firewalls, trying to avoid common sql injection and XSS bugs while coding. But I guess that’s more of a passive interest or approach, I’m now interested in a more active way, deep packet inspection, etc.

In the past, I locked down a server and assumed it would take care of itself, be crack proof, as crack proof as anything connected to the internet can be. I wasn’t fooling myself, I knew it could still be cracked.

Now I’m looking at it more from position where I believe the hosts are vulnerable, and I want to examine the traffic coming in and out. Trying to secure the network rather than (or as well as) the hosts. Because, well, some hosts can’t be secured, there’s always going to be 0day exploits, old unpatched exploits, and social hacking. Not just trying to stop attacks, but trying to detect owned boxes. Some attacks happen out of band, like from infected usb sticks. Want to sneak some worm onto a target? Do it in plain sight, stand outside their premises and give away usb sticks in a fake promotion, or do it in some conference.

I guess I’ve got to send props to David Bl (Security Expert) for sparking the interest.

I’m half way through Cyber War, the first book I’ve read in a very long time. It’s not a technical manual on security, it’s more of a look at how vulnerable the USA and other countries are from attacks coming in through the internet. It talks about political and military tactics and strategy. It’s more about securing a nation, rather than a network.

It seems the only reason we don’t see a lot of countries launching attacks on other countries through the internet is the countries who have the ability to attack a potential adversary, also have an interest, be it in trade, or bonds or whatever, in the potential adversary. It’s not in their best interest to attack at the moment. Things are going to change though.

You don’t need to be a country to take on someone like the USA, a single person, or a small group with the right know how can do a lot of damage to the military or public infrastructure. Remotely damaging electric generators that take months to replace, crippling banks, whatever. Anything that is connected in someway to the internet is a target. Australia and USA are looking at smart grids, the electric grid is already connected to the internet and it’s going to get a lot more connected and complicated with the added bonus of more attack vectors.

What can be done by the government to protect its citizens in an attack? Nothing, really. Except for China, who have a big firewall they can use to shut off attacks. Anything a government might do to strengthen its internet defence is going to be an attack on citizens privacy. Who in their right mind would trust a government to do the right thing with all the power they would hold over their citizens, if they had the control they needed to defend themselves and their citizens from internet attacks?

Which brings me to the question of Australia’s proposed filter. Filter bad, Conroy bad, and all that, but the filter is a firewall between Australian citizens and the internet, it could be used as a defensive measure against attacks. Not necessarily the technology Conroy is proposing, but a suitable firewall could.

But it’s like the government being able to listen in on every phone call, every conversation. It’s not going to happen, but something needs to happen.

I dare say the font on the security tag on this blog is going to get large in the tag cloud. These are young thoughts, they may change and I’ll be talking about security a lot more.

I just read a post I wanted leave a comment on, but it didn’t allow comments, so I will jot my thoughts down here.

You’ve just spent the last 10 minutes searching for an answer to a problem you’ve got, maybe you had the same problem a few years ago and forgot the answer. You find the answer in a search engine with some obscure search term buried on page 9. You want to blog about it and link to the post, 1, for your own future reference so you can find the info easily in a few years time if the problem reoccurs, and 2, you want to boost the profile of the page to help other people find the same info.

Don’t anchor the link as: here’s some info found on “Joe’s blog” on hoophen frangers, anchor the link as: here’s some info found on Joe’s blog on “hoophen frangers”. ie, put the topic in the anchor, not the blog owners name.

Both ways send “juice” to the page, but the second way associates the topic to the page, rather than the authors name. The first way will help when people search for authors name, the second way will help when people search for the topic.

If you want, make two links, anchor the authors name to the front page or the about page of the blog, and anchor the topic to the blog post’s permalink.