Security is the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization. [read more at]

  • FaF (File Anomaly Finder) is a wrapper for the *nix 'find' utility. It generates audit reports for data matching specific characteristics; such data as setgid/setuid, unowned, and more. The objectives are simply to create a simple anomaly finder that identifies common flawed permissions or otherwise suspicious file system characteristics.

    The main features of FaF are:
    • simplistic and to the point audit reports
    • easy setup and configuration
    • audits emailed to customizable address or user
    • ideal for web servers or general purpose workstations
    • audits of setgid/setuid, hidden, unowned, & world writable data
    • very portable # wget
    # tar xvf  faf-current.tar.gz

    # cd faf*
    # ./

    Install path:     /usr/local/faf/
    Config path:     /usr/local/faf/conf.faf
    Executable path: /usr/local/sbin/faf

    Why do you need such tool?
    Never trust anyone, including sometimes yourself ;-) this tool correctly used just insured You that You will never forget any files with too much permissions. It may also reveal a hacker, putting some new files under the user nobody...

    What to do with the output?

    You'll have to react differently for each occurrence in the report....

    SUID/SGID Binaries

    Sticky bit was used on executables in linux (which was used more often) so that they would remain in the memory more time after the initial execution, hoping they would be needed in the near future. But since today we have more sophisticated memory accessing techniques and the bottleneck related to primary memory is diminishing, the sticky bit is not used today for this. Instead, it is used on folders, to imply that a file or folder created inside a sticky bit-enabled folder could only be deleted by the creator itself. A nice implementation of sticky bit is the /tmp folder,where every user has write permission but only users who own a file can delete them. Remember files inside a folder which has write permission can be deleted even if the file doesn't have write permission. The sticky bit comes useful here.

    SUID or SetUID bit, the executable which has the SUID set runs with the ownership of the program owner. That is, if you own an executable, and another person issues the executable, then it runs with your permission and not his. The default is that a program runs with the ownership of the person executing the binary.

    Consider also reading:
    What are the SUID, SGID and the Sticky Bits?

    You can find them also manually by entering:
    # find / -type f \( -perm -04000 -o -perm -02000 \;
    The SGID bit is the same as of SUID, only the case is that it runs with the permission of the group. Another use is it can be set on folders,making nay files or folders created inside the SGID set folder to have a common group ownership.

    files in/srv  (http root folder)
       You should accept NO files with SUID/SGID in http root folder. Remove them all 
            # find /srv -type f \( -perm -04000 -o -perm -02000 \) -exec  chmod \;

    No Owner/Group
    May also be an indication an intruder has accessed your system...
    Can also be found manually by typing:
    # find / \( -nouser -o -nogroup \) -print
    files in/srv (http root folder)

    Permissions and ownership are linked together to make your server work peacefully. The basic idea is always to give the minimum rights to the file.

    A rule for thumbs would be:
    read only for all file, r--r--r-- or r---------
    read, execute for all directory r-xr-xr-xor r-x------
    The problem is that apache and PHP also run under their own user...

    A very informative article explaining the problem on a concrete example (Gallery2) can be found at

    At least (worst),when apache run as wwwrun user in www group, in your HTTP directory
    # chown -R wwwrun .
    # chgrp  -R www .
    then all files has to be  rw- --- --- and directory r-x------
    Advantages:you can use Joomla! administrator panel
    BUT: any bug in PHP code, attack can read or overwrite any files! -> highly insecure

    Better would be for all files/dir in your HTTP directory to changes accordingly to the right web user!
    # chown -R cedric .
    # chgrp  -R psacln  .
    Change all files/directories that has to be written  by apache (cache directories) to
    # chown -R wwwrun cache
    # chgrp  -R www cache
    Advantages: a bug in apache/php, or attack can not touch any of your files.
    BUt: if PHP do not run under your user, the Joomla! panel wont be usable, as Apache/PHP wont be able to install any new components/images.

    Files in /must generally only be available to root
    # chown -R root /etc
    #chgrp  -R root /etc
    # find /etc -f -exec chmod 600 {} /;

    World Writable

    files in/srv
    must be avoid at any costs! This line remove the world writable bit to  all files in /srv
    # find /srv -f -exec chmod o-w {} /;
    This line remove the world writable bit to  all directories in /srv
    # find /srv -d -exec chmod o-w {} /;
    Files in /
    You should ignores /proc files, /dev files (hundreds of these are correctly world writable),
    Symbolic (soft) links (which should have mode 777), directories with the sticky (save text) bit on, and
    sockets, as that is relatively safe.
    Hidden Files/Paths

    You should normally have no such files! try to understand why (look in google), open them and/or move/delete them
  • This are my mod_evasive settings:
    LoadModule evasive20_module     /usr/lib/apache2/
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      DOSEmailNotify This email address is being protected from spambots. You need JavaScript enabled to view it.

    And this is a small documentation I've forget to add in the previous article:

    • DOSHashTableSize: is the size of the table of URL and IP combined. The greater this setting, the more memory is required for the look up table, but also the faster the look ups are processed. This option will automatically round up to the nearest prime number.
    • DOSPageCount: is the number of same page requests from the same IP during an interval that will cause that IP to be added to the block list.
    • DOSSiteCount: is the number of pages requested of a site by the same IP during an interval which will cause the IP to be added to the block list.
    • DOSPageInterval:  Interval for the 'DOSPageCount' threshold in second intervals.
    • DOSSiteInterval:Interval for the 'DOSSiteCount' threshold in second intervals.
    • DOSBlockingPeriod: is the time the IP is blacked (in seconds
    • DOSEmailNotify: can be used to notify by sending an email everytime an IP is blocked
    • DOSSystemCommand: is the command used to execute a command when an IP is blocked. It can be used to add a block the user from a firewall or router.
    • DOSWhiteList: can be used to whitelist IPs such as
    So if anybody on my homepage request 5 times the same page in less than 2 seconds, it will get blacklisted.
    If anybody try to make more than 100 requests of my homepage in less than 2 seconds, it will get blacklisted.  
    In less than a week, the following Bots get blacklisted.      Unknown Country   Germany   Chinese (Hong Kong)    Unknown Country    Dutch (Netherlands)      GERMANY (DE) City: Muenchen Latitude: 48.15 Longitude: 11.5833    United States   Country: INDIA (IN) City: Hyderabad Latitude: 17.3833 Longitude: 78.4833      UNITED STATES (US)      Swedish (Sweden)   BELGIUM (BE) City: Tournai Latitude: 50.6 Longitude: 3.3833   NETHERLANDS (NL) City: Harlingen Latitude: 53.1833 Longitude: 5.4167    GERMANY (DE) City: Heinsberg Latitude: 51.0333 Longitude: 8.15    GERMANY (DE)      DENMARK (DK)      Dutch (Netherlands)    ITALY (IT) City: Roma  Latitude: 41.9 Longitude: 12.4833    UNITED STATES (US) City: Mountain View, CA Latitude: 37.402 Longitude: -122.078 GOOGLE      GERMANY (DE)    Dutch (Netherlands)     UNITED STATES (US) City: Raleigh, NC Latitude: 35.8219 Longitude: -78.6588

  • A Patch to protect Mambo administrator login page against brute force password attack!

    How it is working?

    1. It is a component com_hashcash containing alls script to create a MD5 key in PHP and javascript, and verifying a challenge.
    2. The server is sending inside a hidden field a MD5 value which is directly linked to the server, user sessionid, time.
    3. The client will have to encrypt with a MD5 javascript (costly cpu operation for a spammer) the value of this hidden field and send it back to the server as hidden field name.
    4. If the test is not succesful, the spammer will get banned for 60seconds.
    5. All successful/unsucessful submit are logged in a file.
    6. When the file get bigger as 64kb, an email is sent to the admin.

    This component has no administration panel! Simply overwrite the file on Your server with the content of the zip. A component package install is on the way.

    Original Mambo file affected for the login page:

    • /administrator/index.php <- add verification of the challenge
    • administrator\templates\mambo_admin\login.php <- insert hidden fields, and reference to MD5 javascript
    • administrator\templates\mambo_admin_blue\login.php <- insert hidden fields, and reference to MD5 javascript

    • Many cryptographic algorithm, SHA1 on the way,
    • A mambots for changing on the fly all FORM before submit,
    • Ako_comment has been already patched, and  tested -> Waiting OK from Arthur Konze for releasing.
    • Ako_guestbok must be changed
    link in download section...

  • logo_acunetix

    I will use it on my host very soon, if you have your own root server, this tool must be part of your administrator toolbox. Joomla! team use it to test the core framework, so we should be on the safe side, unfortunately we are are all using too many plug-ins that may be unsecure.. Here is how a report generated using Acunetix WVS look like (PDF - 1.5MB).

    Acunetix Web Vulnerability Scanner automatically scans your web applications / website (shopping carts, forms, dynamic content, etc.) and web services for vulnerabilities such as SQL injection, Blind SQL Injection, Cross site scripting, Google hacking, CRLF Injection & other web attacks. Acunetix crawls and analyzes websites including flash content, AJAX / Web 2.0. Also includes reporting for PCI Compliance, OWASP & more

    Out of the 100,000 websites scanned by Acunetix WVS, 42% were found to be vulnerable to Cross Site Scripting. XSS is extremely dangerous and the number of the attacks is on the rise. Hackers are manipulating these vulnerabilities to steal organizations’ sensitive data. Can you afford to be next?

    Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. Exploited Cross Site Scripting is commonly used to achieve the following malicious results:

    • Identity theft
    • Accessing sensitive or restricted information
    • Gaining free access to otherwise paid for content
    • Spying on user’s web browsing habits
    • Altering browser functionality
    • Public defamation of an individual or corporation
    • Web application defacement
    • Denial of Service attacks

    Scan your website for Cross Site Scripting Vulnerabilities at no cost NOW

    Get an insight into Acunetix Manual

  • ModSecurityTM is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.from
    Installing mod_security as DSO is easier, and the procedure is the same for both Apache branches. First unpack the distribution somewhere (anywhere will do, I copy the .c files in my home),

    # cd
    # wget
    # tar -zxfv mod_security-1.9.4.tar.gz
    # cd mod_security-1.9.4/apache2

    and compile the module with:

    /usr/local/psa/admin/bin/apxs  -cia ~/mod_security.c/usr/sbin/apxs2  -cia ~/mod_security.c

    First problem that may occur is the absence of
    • GccThe GNU Compiler Collection (usually shortened to GCC) is a set of programming language compilers produced by the GNU Project. It is free software distributed by the Free Software Foundation (FSF) under the GNU GPL, and is a key component of the GNU toolchain. It is the standard compiler for the open source Unix-like operating systems, and certain proprietary operating systems derived therefrom such as Mac OS X. [WikiPedia]
    • apache-dev: contains the apxs tool, and required pache heder to compile a module
    Both can be installed via YaST2...

    Tips: if your apxs2 is not located at /usr/bin/apxs2, you can search it by typing # find / -name apxs2

    # /usr/sbin/apxs2  -cia ~/mod_security.c
    /usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -g -fPIC -Wall -fno-strict-aliasing -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2   -c -o /root/mod_security.lo /root/mod_security.c && touch /root/mod_security.slo
    /usr/share/apache2/build/libtool --silent --mode=link gcc -o /root/  -rpath /usr/lib/apache2 -module -avoid-version    /root/mod_security.lo
    /usr/share/apache2/build/ SH_LIBTOOL='/usr/share/apache2/build/libtool' /root/ /usr/lib/apache2
    /usr/share/apache2/build/libtool --mode=install cp /root/ /usr/lib/apache2/
    cp /root/.libs/ /usr/lib/apache2/
    cp /root/.libs/mod_security.lai /usr/lib/apache2/
    cp /root/.libs/mod_security.a /usr/lib/apache2/mod_security.a
    ranlib /usr/lib/apache2/mod_security.a
    chmod 644 /usr/lib/apache2/mod_security.a
    PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
    Libraries have been installed in:

    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR'
    flag during linking and do at least one of the following:
       - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
         during execution
       - add LIBDIR to the `LD_RUN_PATH' environment variable
         during linking
       - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
       - have your system administrator add LIBDIR to `/etc/'

    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and manual pages.
    chmod 755 /usr/lib/apache2/
    apxs:Error: Config file /etc/apache2/httpd2-prefork.conf not found.

    Do not take care of the error in blue, since the resulting shared library ( has been automatically copied into /usr/lib/apache2

    Copy then the desired rule set (modsecurity-general.confor modsecurity-php.conf) into /etc/apache2

    Edit /etc/apache2/httpd.confand add the following lines at the end of file, it is also recommended to use the rules from

    LoadModule security_module /usr/lib/apache2/
    SecFilterEngine On
    Include /etc/apache2/modsecurity_rules/modsecurity-general.conf
    Include /etc/apache2/modsecurity_rules/modsecurity-hardening.conf

    rules set found at
    Include /etc/apache2/modsecurity_rules/gotroot/apache2-rules.conf
    Include /etc/apache2/modsecurity_rules/gotroot/badips.conf
    Include /etc/apache2/modsecurity_rules/gotroot/blacklist2.conf
    Include /etc/apache2/modsecurity_rules/gotroot/blacklist.conf
    Include /etc/apache2/modsecurity_rules/gotroot/exclude.conf
    Include /etc/apache2/modsecurity_rules/gotroot/jitp.conf
    Include /etc/apache2/modsecurity_rules/gotroot/proxy.conf
    Include /etc/apache2/modsecurity_rules/gotroot/recons.conf
    Include /etc/apache2/modsecurity_rules/gotroot/rootkits.conf
    Include /etc/apache2/modsecurity_rules/gotroot/rules.conf
    Include /etc/apache2/modsecurity_rules/gotroot/useragents.conf

    BUT be carefull with modsecurity-hardening.conf
    1. This fle has to be tuned  for your server: logs files location, advanced rulesets, read carfeully and uncomment TODO if needed
    2. As default mod_security is in learning mode: it log and let the request  pass through (line SecFilterDefaultAction "pass, log"), recommended as soon as You have a good rulesets SecFilterDefaultAction "deny,log,status:500"
     Restart Apache2 by typing
    # /etc/init.d/apache2 restart

    Now it is time to check if mod_security is running       

    # tail -f /var/log/apache2/error_log
    [Mon Aug 21 18:43:38 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
    [Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down
    [Mon Aug 21 19:01:57 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
    [Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations

  • It can't be that my anti virus want to scan my disk every&160; day (default settings) and take 23 hours to do so.

    • Either windows stop and sandbox all applications using an hypervisor...and KNOW what
      applications are doing or what is written down to disk so the anti virus scan can be optimized
    • Or disks must be a lot faster! my 3 eclipse version and 10 workspaces (1'500'000 java files) are clearly
      showing the limit of actual hard disks. Defrag is done on a weekly basis...

    At the end, these anti virus are just sucking my CPU brute power (peak 20%) and worst of all a good part of IO
    power, and trust me windows IO are just hilarious compared to Linux, try eclipse under Linux it just fly!


    Pictured is AVG but this post is not targeted against it. They are ALL ridiculously slow.

    Windows just can't protect itself from Internet and mitigate attacks that it need a range of 3rd
    party software...sucking power and my time. We are far away from the Internet OS

  • I will start the auditing of a copy of my website running locally in order to find design and security flaws in Joomla. I have found a quite impressive list of tools to achieve that goal:

    In May of 2003, I conducted a survey of Nmap users from the nmap-hackers mailing list to determine their favorite security tools. Each respondent could list up to 8. This was a followup to the highly successful June 2000 Top 50 list. An astounding 1854 people responded in '03, and their recommendations were so impressive that I have expanded the list to 75 tools! Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way.
    I also plan to point newbies to this page whenever they write me saying "I do not know where to start". Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. Many of the descriptions were taken from the application home page or the Debian or Freshmeat package descriptions. I removed marketing fluff like "revolutionary" and "next generation". No votes for the Nmap Security Scanner were counted because the survey was taken on an Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones.

    And that only because I've seing too much hacker trying to penetrate my guy I am also looking at You (logs)I hope You're smart enought to use windows zombie od hiding Your real internet adress! Moreover my finding will help the joomla community....

    Web Site Test Tools and Site Management Tools: More than 290 tools listed in 12 categories

  • joomla_logo

    These are the script I use to maintains all my 3 demo Joomla! sites:

    These scripts increased security and are trying to standardized how to create, update and maintain Joomla! demo site. Feel free to submit, send me ideas how to improve them or ask for help.


    This project is hosted at under a GPL v3.0 license and the latest documentation can be found in my WIKI


    • 1 script (snapshotit.bat ) per Joomla! instance to create snapshots (files+ database) and save the result in a zip file.
    • 1 generic scripts ( that renew an instance of Joomla! (files+ database) and secure it at the same time


    1. An access to a Linux bash on your server, ideally as root
    2. The possibility to define new crontab entries


    On your desktop or reference server, install preferably in xampp/htdocs as much version of Joomla! as needed. These directories are containing Joomla versions . In these versions you will be able to install, remove configure your extensions. I personally have them  in XAMPP


    In each of these Joomla! installation, copy this file snapshotit.bat inside and configure the variables accordingly. The file is well documented to not describe these variables here.

    This small batch file is making a snapshot of all files and database and create a new file for example.

    Consider while installing Joomla!

    1. To not choose as a default for table name the prefix jos_ but something longer and more random, something like gZ45dF_ to mitigate SQL injection
    2. Do not name your admin user admin, but choose something longer and more random, Fdhtz56df_Gdte34 to reduce risk of brute forcing the administrator login/sql injection

    On the server

    Copy now this file to your server, using FTP, SSH

    Copy also to your server, using FTP, SSH

    Setup crontab

    Add to your crontab for each of your demo site the following big line, I renew demo site every 30 minutes

    $ crontab -e

    add this line

    30      *       *       *       * locationOf_zip locationof_httpdocs dbuser dbpassword dbtablename unixuser unixgrp


    • fully qualified path to
    • locationOf_zip  fully qualified path of zip file (containing Joomla! and .sql file)
    • locationof_httpdocs fully qualified path of the httpdocs directory where this zip file content will be extracted
    • dbuser : database user that is used by Joomla!
    • dbpassword : database user password that is used by Joomla!
    • dbtablename: database schema name that is used by Joomla!
    • unixuser: unix user that is supposed to own all files in httpdocs, for example cedric
    • unixgrp: unix user that is supposed to own all files in httpdocs, for example psaserv

    This script is doing the following with the zip file

    1. Delete all files in locationof_httpdocs removing all potential security threat and settings changes by visitors of your demo site
    2. Lock the demo site by adding an htaccess and htpasswd files temporary
    3. Unzip all file in  to locationof_httpdocs
    4. Restore the database with the file demo-joomla-1.5.sqlfound in
    5. Change user and usergrp to the right one (unixuser, unixgrp)
    6. Change all files and directory to the minimum required set of permissions (555 for directory and 444 for files)
    7. Make the cache directory of Joomla! read write for the owner unixuser
    8. Delete the file  demo-joomla-1.5.sql
    9. It remove potentially dangerous components from demo site, among others
      1. com_media Removing the users the right to upload, alter or delete files
      2. com_config Removing the users the right to change configuration
      3. com_installer Removing the users the right to install extensions
      4. it remove installation or installation.old if present
    10. Unlock the demo site by removing the htaccess and htpasswd files, and restoring the one from the zip files

    All in all and thanks to this development, my 3 demo site are now online, update will be a lot easier and I will keep them more often up to date Smile

    Joomla! 1.0 tricks

    In Joomla! 1.0 configuration.php I use the following trick to not have any stage dependent values.

    $mosConfig_absolute_path = dirname(__FILE__);
    $mosConfig_cachepath = dirname(__FILE__).'/cache';
  • From WikiPedia

    Inline linking (also known as hotlinking, leeching, piggy-backing, direct linking, offsite image grabs and bandwidth theft) is the use of a linked object, often an image, from one site into a web page belonging to a second site. The second site is said to have an inline link to the site where the object is located.

    This is not just Bandwidth Stealing, as

    • It cost CPU and bandwidth which means less performance for your visitors,
    • It cost a lot of money as you still pay the server cost, and loose ad revenues,
    • It drive people away from your reputable homepage since they will find your picture or files on any mirrors,
    • It may be a security threat at least for distributable software, anybody may alter (backdoor,ads, privacy information stealing) any of my open source component without my consent.

    The mod_rewrite module is able to intercept incoming URLs and modify them according to a set of rules that you specify. The basic idea is use the mod_rewrite module to inspect the incoming HTTP header. The field we're looking for is the Referer field - or basically the URL that the current request originated from.


    This optional header field allows the client to specify, for the server's benefit, the address ( URI ) of the document (or element within the document) from which the URI in the request was obtained.
    This allows a server to generate lists of back-links to documents, for interest, logging, etc. It allows bad links to be traced for maintenance.

    So create a file .htaccess at the root of your site with the following content:

    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$&160;&160;&160;&160; [NC]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp|zip|css)$ [R,NC]


    • I want to allow cross linking between all my Subdomains wiki,demo, bugs, forums... so I have a bigger list of allowed Referer than usual to enter...
    • I do not allow hotlinking of the following resources for obvious reasons: jpg|jpeg|gif|png|bmp|zip|css
    • I redirect any bad people to a fix files on disk
    • You are allowed to copy the templates as long as you keep the bottom link.
    • Note the latest RewriteCond: I always allow Google to references my images

    There is a useful online generator with a lot more explanation online at the bottom of this page . This is active on my server since 2 weeks, and I've see a performance in response time.

    More tips&160;

    • To have an insight on resources stealing in nearly real time, simply put a statistics marker with for example Google Analytics to see how many people are landing on that page per week or months!
    • To generate money (better than nothing), dot forget also to put advertisements publicity on your redirect hot linking page
  • site.down.hacked

    If you are running any of the following Joomla versions it might just be a matter of time before you too are hacked!

    • Joomla! 1.5.0
    • Joomla! 1.5.1
    • Joomla! 1.5.2
    • Joomla! 1.5.3
    • Joomla! 1.5.4
    • Joomla! 1.5.5
    • Joomla! 1.5.6
    • Joomla! 1.5.7
    • Joomla! 1.5.8
    • Joomla! 1.5.9
    • And maybe to a lesser extent Joomla! 1.5.10
    The latest, and most secure Joomla version is Joomla! 1.5.11 - and was released last week! Backup your site and database and just unpack the right Joomla! distribution now.
  • Nginx-logo

    nginx (pronounced “engine-x”) is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. It is licensed under a BSD-like license and it runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX and Microsoft Windows [WikiPedia]

    These are my reusable settings for any Joomla hosting, these are the most secure, and fastest settings to the best of my knowledge.

    Configuration files are provided using Gist&160; and are CONSTANTLY updated for added security and speed. Gist is a simple way to share snippets and pastes with others. All gists are git repositories, so they are automatically versioned, forkable and usable as a git repository. I recommend you to starred them to stay up to date.

    Joomla.conf for nginx

    Create a new directory nginx/conf to be able to place reusable nginx settings:

    mkdir -p /etc/nginx/conf

    vi /etc/nginx/conf/joomla.conf

    Edit or create joomla.conf, you can find the latest joomla.conf documented version in one of my Gist at

    Adding a new Joomla Site to nginx

    Create required directory anywhere on your disk, here is an example with a domain

    mkdir -p /var/www/vhosts/
    mkdir -p /var/www/vhosts/

    Set the right permission to the user and group you have defined in nginx.conf

    chown -fR www-data:www-data /var/www/vhosts/

    Copy the nginx template and adapt to your liking

    cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example
    vi /etc/nginx/sites-available/example

    Edit or create example, you can find the latest file example documented version in one of my Gist at

    this file include Joomla.conf to avoid duplicating nginx settings

    Activate the new domain

    ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example
    service nginx restart
  • How many times have you seen an alert similar to one of the below while trying to connect to the café or airport WiFi to check email or login to a secure website?


  • Beyond Corp project scrap the notion of a corporate network and move to a zero-trust model....

    Google sees little distinction between boardrooms and bars, cubicles and coffee shops; all are untrusted under its perimeter-less security model detailed in a paper published this week. The "BeyondCorp model" under development for more than five years is a zero-trust network model where the user is king and log in location means little. Staff devices including laptops and phones are logged into a device inventory service which contains trust information and snapshots of the devices at a given time. Employees are awarded varying levels of trust provided they meet minimum criteria which authors Barclay Osborn, Justin McWilliams, Betsy Beyer, and Max Saltonst all say reduces maintenance cost and improves device usability (PDF)

    White Paper 


  • A SECURITY flaw could allow hackers to eavesdrop on cellphone conversations made on Bluetooth-based wireless headsets was revealed in april 2004...But at that time an expensive piece of hardware was needed. Now it is even worse a simple brute force while the device are doing keyring exchange...

    "Whitehouse showed in 2004 that a hacker could arrive at this link key without knowing the PIN using a piece of equipment called a Bluetooth sniffer. This can record the exchanged messages being used to derive the link key and feed the recordings to software that knows the Bluetooth algorithms and can cycle through all 10,000 possibilities of the PIN. Once a hacker knows the link keys, Whitehouse reasoned they could hijack the device."

    Now the new attack force the  two bluetooth devices to pair, they can work out the link key in just 0.06 seconds on a Pentium IV-enabled computer, and 0.3 seconds on a Pentium-III


  • My mind map you can use as a checklist to secure your Linux server and Joomla has a new home, it is now located at:

    I will update it regularly with new tips and how-to. Your feedback is as always welcomed, you can use the comment thread below.

  • chkrootkit is a tool to locally check for signs of a rootkit. chkrootkit is a common unix-based program intended to help system administrators check their system for known rootkits. It works by using several mechanisms, including comparison of file signatures to known rootkits, checking for suspicious activity (processes listed in the proc filesystem but not in the output of the 'ps' command.
    Log to the server with ssh as root user

    # wget

    Unpack the chkrootkit you just downloaded.
    # tar xvzf chkrootkit.tar.gz

    go to that  directory
    # cd chkrootkit

    # make sense

    # chkrootkit

    •Receive e-mail everyday with the result chkrootkit
    For Root user
    # crontab -e
    For any user
    # crontab -e -u username

    and add

    •0 3 * * * (./usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output" -c This email address is being protected from spambots. You need JavaScript enabled to view it.,This email address is being protected from spambots. You need JavaScript enabled to view it. This email address is being protected from spambots. You need JavaScript enabled to view it.)

    * the correct path can be found with which chkrootkit
    This will run chkrootkit at 3:00 am every day, and e-mail the output to This email address is being protected from spambots. You need JavaScript enabled to view it. and copies to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it.

    False alarms:
     "Checking `bindshell'... INFECTED (PORTS: 465)" This is normal and  NOT really a rootkit.

    If you ever get a positive alarm, you can try to remove the rootkit, but all professionals would advice you to reinstall the server from scratch, and restore a previous backup (that mean saving nothing from server as soon as the rootkit is revealed....)

  • CSF: A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers. It easily replace APF and (Advanced policy firewall) and BFD (Brute Force Detection). It is also runing 28 basics but non obvious checks...

     CSF has a loot of functionnalities and has 2 nice features. It can block trafic from well known spammers network
    using the DShield Block List and the Spamhaus DROP List.
    It easily replace APF and (Advanced policy firewall) and BFD (Brute Force Detection).

    • Straight-forward SPI iptables firewall script
    • Daemon process that checks for login authentication failures for:
      • courier imap and pop3
      • ssh
      • non-ssl cpanel / whm / webmail (cPanel servers only)
      • pure-pftd
      • password protected web pages (htpasswd)
      • mod_security failures
    • POP3/IMAP login tracking to enforce logins per hour
    • SSH login notification
    • SU login notification
    • Excessive connection blocking
    • WHM configuration interface (cPanel servers only) or through Webmin
    • WHM iptables report log (cPanel servers only)
    • Easy upgrade between versions from within WHM (cPanel servers only) or through Webmin
    • Easy upgrade between versions from shell
    • A standard Webmin Module to configure csf is included in the distribution ready to install into Webmin - csfwebmin.tgz
    • Pre-configured to work on a cPanel server with all the standard cPanel ports open (cPanel servers only)
    • Auto-configures the SSH port if it's non-standard on installation
    • Block traffic on unused server IP addresses - helps reduce the risk to your server
    • Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
    • Suspicious process reporting - reports potential exploits running on the server
    • Excessive user processes reporting
    • Excessive user process usage reporting and optional termination
    • Suspicious file reporting - reports potential exploit files in /tmp and similar directories
    • Directory and file watching - reports if a watched directory or a file changes
    • Block traffic on the DShield Block List and the Spamhaus DROP List
    • Pre-configured settings for Low, Medium or High firewall security (cPanel servers only)
    • Works with multiple ethernet devices
    • Server Security Check - Performs a basic security and settings check on the server (cPanel servers only)
    • Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
    • Alert sent if server load average remains high for a specified length of time
    • mod_security log reporting (if installed)
    • Email relay tracking - tracks all email sent through the server and issues alerts for excessive usage (cPanel servers only)
    • IDS (Intrusion Detection System) - the last line of detection alerts you to changes to system and application binaries

    Installation is straightforward:

    # wget
    # tar xvf csf.tgz
    # cd csf
    # ./

    Note all ports that are displayed after the installation, these are port running already on your system (UDP, TCP in and out)
    review the config file by editing:

    # vi /etc/csf/csf.conf

    and add at least the port written before (if you trsut your system before install ;-))
    Do not allow incoming connection or outgoing connections to mysql port (use ssh localforwarding), ftp (use scp)
    As default the rules are only working 5 minutes then get erased. This is the learnig mode, you cant break anything. Just continue reading the file csf.conf It contains a lot of interesting informations...
  • Create a new RSA key

    # openssl genrsa -des3 -out server.key 1024
    Give a very lengthy key, and save it somewhere in a PGP file or TrueCrypt volume

    Create a non encrypted version for Apache

    # openssl rsa -in server.key -out server.key.unsecure

    Prepare the mark inquiry

    # openssl req -new -key server.key -out server.csr
    Attention enter the host from where the certificate will be use, since browser are matching content of certificate with host url.

    Sign the certificate

    # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    Add the SSL certificate to Apache

    path to server.key and server.crt may differ!

    (SuSE 9.3 keys store at /etc/apache2/ssl.key/)
    # cp server.key.unsecure /etc/httpd/ssl.key/server.key
    # cp server.crt /etc/httpd/ssl.crt/server.crt
    # chmod 400 /etc/httpd/ssl.key/server.key
    # chmod 400 /etc/httpd/ssl.crt/server.crt

    Restart Apache


    # /etc/init.d/apache restart

    # apache2ctl gracefu
  • cryptoparty

    CryptoParty is a grassroots global endeavor to introduce the basics of practical cryptography such as the Tor anonymity network, key signing parties, True Crypt, and virtual private networks to the general public.

    The first draft of the 442-page CryptoParty&160;Handbook (the hard copy of which is available at cost), was pulled together in three days using the book sprint approach, and was released 2012-10-04 under a CC-BY-SA license; it remains under constant revision.

    The CryptoParty&160;Handbook v1.1 has been released and you download or edit here

    Why Privacy Matters
    Privacy is a fundamental human right. It is recognized in many countries to be as central to individual human dignity and social values as Freedom of Association and Freedom of Speech. Simply put, privacy is the border where we draw a line between how far a society can intrude into our personal lives.

  • Some examples of what is going on in online eBanking applications securities...

    • Lloyds TSBis going from a 2 stage login system to a securid (2 stage login definition at WikiPedia)in order to reduce online fraud...
      First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information. The aim of using menus rather than the keyboard has been to defeat so-called "keyloggers", tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords. There's no hiding the fact that fraud is on the increase Matthew Timms, Lloyds TSB But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times.
      Lloyds says that about £12m was lost to this kind of scam in 2004 - but it warns that attacks are multiplying fast.
    • Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.

    One interesting point is that Mozilla firefox want to drop definitively SSL 2.0

    SSL is a  security protocol methodology (Originally created by Netscape in 1994) designed to create a secure connection to the server for the transmission of confidential data through the Internet. SSL uses public key encryption, one of the industry's strongest encryption methods, to protect data as it travels over the Internet. .

    support in favor of the stronger SSL3.0 or  TLS 1.0

    Transport Layer Security. A protocol intended to secure and authenticate communications across a public networks by using data encryption. TLS is designed as a successor to SSL and uses the same cryptographic methods but supports more cryptographic algorithms.

    Do not forget to have a look at verisign tutorial on what to do to keep your site security up to date


  • apache_maven

    This issue has turn me upside down a long time. In fact in the official Google Group I was not the only one to have this issue.

    I did try the following, and it is always good to check first

    • Checking PHP version,
    • Starting Maven with -X for having more debug information
    • Testing it in Eclipse + M2Eclipse on windows, was working there,
    • Comparing calculated PHP include path on Windows and Linux: they were identical in this case

    Only my Linux box was not working. . .(

    After that I did materialize the eclipse project of maven-php-plugin and even built a custom version that I’ve deployed without any effort to my Artifactory (

    And what is the solution?

    it my server configuration and paranoia :-)

    open your php.ini, ideally the right one, don’t put your server at risks: You may have many under Linux, especially if you use plesk or cpanel 

    • cli at /etc/php5/cli/php.ini
    • apache2, /etc/php5/apache2/php.ini
    • fastcgi at /etc/php5/fastcgi/php.ini

    location most of the time


    and add the directory where your build server make a checkout...

    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below.  This directive makes most sense if used in a per-directory
    ; or per-virtualhost web server configuration file. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    open_basedir = /www/vhosts:/tmp:/xxxx/yyyy/

    Next step is to put Joomla! 1.6 and all their PHPUnit tests a run along with Selenium. May also need to  patch Maven for PHP to better support Tests reporting like Surefire.

  • Généralités

    • Une moto qui tombe a l'arret sur le coté ou en roulant est une moto quasiment foutue, les cache cylindre vont prendre un tel coup que pour peu que ce soit un modele ancien, votre moto sera déclarée épave. Solution? des roulettes pour 100€ ou pare cylindre en téflon + alu.
    • Si c'est pour frimer, oublier la moto sportive, vous serez tellement harnaché et raide que vous ressemblerez a un cosmonaute, preférez un custom.


    • Investisser dans une bonne combinaison cuir (de 500 a 1200 €) et une hiver type Gore-Tex (le cuir est pas imperméable ou alors rarement). N'économiser pas sur les gants, bottes et casques, idem pour la protection dainese dorsale (100€), car on n'a qu'une peau et aussi belle ou tunée que soit votre moto, cela reste un bout de ferraille (de plus vous en aurez d'autres des motos, n'est ce pas?) alors que boiter ou àªtre brulé aux bras aux jambes, c'est un truc qu'on trimballe pour la vie.
    • Vous je sais pas mais moi j'achete le systeme d-Air de dainese des qu'il est disponible (airbag) meme pour 1000€, c'est mieux qu'une sortie de pot carbone ! de toute facon un pot reste un bout de metal et se casse si on se glande meme a l'arret.
    • N'acheter que des U ou antivols frappés du sigle FFMC (Federation Francaise des motards en colere), garantis qu'ils tiennent au moins 12 min aux assaut d'un voleur. Sinon cela va d'apres les tests de 3 secondes (!) à 1 min en moyenne... (cela fait cher la seconde). Noter que la FFMC se refuse d'utiliser le chalumeau oxycoupeur (rien au monde n'y resiste, mais cela ne fait pas partie de l'attirail du voleur de base).
    • Idem attendez le hors serie conso de "Moto Magazine" avant d'acheter de l'equipement lourd (€€) et ne marchez pas au coup de coeur. Si vous acheter une moto, prevoyer des le départ un budget équipement et n'économiser pas dessus !
    • Dainese est cher et tendance, au crash test leur produits sont les meilleurs et de loin, regarder les comparatifs et choississer en connaissance de cause. Mieux vaut 1 cuir de qualité que 2 pour frimer.
    • Cuir ou textile? pour résumer : cuir pour la route et la vitesse c'est ce qui offre la meilleure protection, textile pour la ville et les sorties basse vitesse (basse vitesse je veut dire législation francaise urbaine de vitesse ;-) )


    • Ne rouler jamais en short, jeans, basket, tee shirt. Oui il fait chaud, oui la combinaison est moins cool (et surtout fraiche), mais on ne planifie jamais une gamelle ou un accident. On ne tente màªme pas une fois car c'est dans ces moments la que cela vous tombe dessus (comme le vil inspecteur des impots sur le frele contribuable).
    • Méfier vous comme le diable des automobilistes, penser que si vous chuter en circulation, vous risquez de vous faire écrabouiller par les autres véhicules.
    • Ne prendre la moto que si vous étes en pleine forme (pas de fià¨vre, douleurs musculaires, avec le moral aussi... etc), vous avez besoin de tous vos moyens pour piloter. Rester alerte et concentré en permanence, si vous prenez un virage a forte allure, soyez convaincu que cela passe et rester humble et en accord avec votre niveau de pilotage, un flottement, on freine et vous àªtes dans le décor peut àªtre de manià¨re définitive.
    • Changer les clignogants d'origine pour des gouttes d'eau, c'est cool mais si on vous voit pas tourner ou doubler, vous àªtes mort. Laisser cela aux autres et augmenter vos chances de survie, il suffit de rencontrer une fois un imbécile ou un distrait et pfouit...on parlera de vous au passé.
    • Monter des generateurs a ultrasons passifs pour repousser les animaux, je ne sais pas si leur efficacité est prouvé, mais c'est si peu cher et cela ne se voit pas sous le phare avant.
    • A l'aide d'une étiqueteuse électronique, pensez a noter votre nom et groupe sanguin sur votre casque, si possible bien en vue. Cela pourrait éventuellement vous donner une chance supplémentaire si vous avez un accident.


    • Méfier vous des feuilles mortes, attention aux gravillons et à tous les zones peintes sur la route. cela glisse et sentir la roue avant glisser est un moment que l'on n'oublie pas.


    • attention les pneus mettent plus de temps a chauffer! ne pas attaquer sur l'angle dés le départ, sinon frayeur assuré!
    • Si vous sortez a plusieurs moto, metter le conducteur le plus novice devant tous les autres, c'est lui qui doit ouvrir et imposer la vitesse du convoi. Si vous faites le contraire, pensez a cela: que se passera t'il si le novice essaie de vous suivre et prend des risques inconsidérés? pas bon pas bon.
    • Enrichissez vous des expériences des autres motards, avant que la chance du novice ne vous quitte ou ne vous fasse défaut.
    • Decathlon vends des tours de cou en polyester pour la pratique du vélo en hiver qui marche trà¨s bien aussi pour la moto.


    • Le démontage des pneu de la Hornet ne nécessite pas de prendre des repà¨res ou d'outillage particulier. Vous economiserez 20 euros en moyenne si vous n'amenez que les jantes chez le concessionaire ou Point S.
    • Attention si vous venez de changer vos pneus: la moto n'a plus du tout le màªme comportement (vitesse de prise sur l'angle, réactivité) et de plus un pneu neuf a moins d'adhérence. C'est pourquoi il faut le roder un peu, 400 ou 500km semble àªtre un bon compromis.


  • From the man wo break the first XBOX.

    At any rate, some very interesting things are afoot. Much of it stems from the discovery of an all-media bootable kiosk demo disk. Many hackers will instantly recognize the value of this, but it’s still interesting to reflect on the significance of this find. Like the original Xbox, the Xbox360 uses a media flag on its executables.

    The media flag tells the OS what type of media it should be on; typically, games are released with the flag set to Microsoft’s proprietary secure Xbox DVD format (which is in itself not that secure…). Significantly, only the executable is signed for a game; the data sections typically are not signed (presumably for performance reasons). Thus, one has the ability to fuzz the executable by corrupting the data sections, potentially invoking a buffer overrun or some other unintentional behavior–if one could effectively modify the data sections. Remember that this is normally not possible, since modifying the data segment requires making a copy to a writeable media, and this contradicts the signed media flag.

    Thus, the run-anywhere demo disk now enables software hackers to create and test the interaction of signed executables with modified game data using no tool other than a DVD-RW drive (and an Xbox360 console, still considerably rare and difficult to obtain in the US). Some of the more interesting modifiable data regions include Shockwave Flash movies, and the pixel shaders executed by the GPU (more info can be found on the website). Of particular interest is the MEMEXPORT shader command in the 360, which could enable people to dump physical memory to the screen (where it can be digitized or extracted with a sniffer upstream of the ANA chip), or to some other peripheral function. Presuming plaintext kernel code can be extracted this way, it bootstraps further efforts in vulnerability analysis of the code running in the Xbox…and so forth. Of course, its quite possible that this hole is plugged, since Microsoft’s NGSCB spec calls for the Northbridge to limit DMA access from the graphics card to main memory. Furthermore, buffer overrun exploits have questionable applicability since each process runs as its own virtual machine and rumors has it that the no-execute bit is used on heap space. Still, I’m very surprised that such a media was even released into the wild by Microsoft…their own worst enemy is their own haste to get to the market and carelessness; security is for naught without consideration of human factors. Very exciting! Perhaps the Xbox360 will be opened without the need for significant hardware hacking.
  • If you want to know a bit more on the infrastructure that is used by Google...

  • Google increase security by using only HSTS and it is a good idea to do the same for your server. HTTP Strict Transport Security (HSTS) instructs browsers to communicate with your site only over HTTPS.

    For many years, we’ve worked to increase the use of encryption between our users and Google. Today, the vast majority of these connections are encrypted, and our work continues on this effort.

    To further protect users, we've taken another step to strengthen how we use encryption for data in transit by implementing HTTP Strict Transport Security—HSTS for short—on the domain. HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.

    see Bringing HSTS to

    Quoting the Mozilla Developer Network:

    If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types or even just This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page. The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. see

    An example scenario:

    You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker. Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

    For NGINX add this in the server block for your HTTPS configuration:

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";

    I would also add the X-Frame-Options header to your HTTPS website to make sure it is not embedded in a frame or iframe. This avoids clickjacking, and might be helpfull for HTTPS websites.

    The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>` or `<iframe>`. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. see

    For NGINX add this in the server block for your HTTPS configuration:

    add_header X-Frame-Options "DENY";

    Don't forget to restart NGINX.