Tag Archive for 'web'

Blocking e107 DDoS attack with fail2ban

Last month, a new security vulnerability was discovered in e107. Although a fix was released quickly, some instances on the web were left unpatched. These sites are easy targets for script kiddies, and a generalized DDoS attack was carried out against every e107 website out there.

I'm no exception: the old and decrepit part of Cool Cavemen's website still running on e107 was attacked. This was enough to crash my tiny server. Unfortunately this happened while I was on holiday. Without any time to address this issue properly, I decided to shut down my web server. This explains why this blog and all Cool Cavemen's websites were dead during half of July.

Now everything is back to normal (I hope), thanks to fail2ban. I created a set of rules (based on this article) to dynamically catch DDoS attempts and ban all IP addresses involved. Here is how I configured fail2ban.

First, create a new empty file at /etc/fail2ban/filter.d/apache-e107ddos.conf and put the following directives there:

# Fail2Ban configuration file
# Notes.:  Regexp to catch all attempts to exploit an e107 vulnerability.
# Author: Kevin Deldycke

[Definition]
failregex = <HOST>\s-\s-\s.*\s"(GET|POST).*\/(help_us|contact|config|avd_start|\*)\.php
            <HOST>\s-\s-\s.*(Casper|b3b4s|dex|Dex|kmccrew|plaNETWORK|sasqia|sledink|indocom) Bot Search
            <HOST>\s-\s-\s.*MaMa CaSpEr
            <HOST>\s-\s-\s.*rk q kangen
            <HOST>\s-\s-\s.*Mozilla\/4\.76 \[ru\] \(X11; U; SunOS 5\.7 sun4u\)
            <HOST>\s-\s-\s.*perl post
ignoreregex =

Then update your fail2ban config file (/etc/fail2ban/jail.local in my case) with the appropriate section:

[apache-e107ddos]
enabled  = true
filter   = apache-e107ddos
port     = http,https
action   = iptables-allports
logpath  = /var/log/apache*/*access.log
maxretry = 1

Then restart your fail2ban service:

$ /etc/init.d/fail2ban restart

And you’ll start to get those nice logs:

$ tail -F /var/log/fail2ban.log
2010-06-23 16:05:37,417 fail2ban.actions: WARNING [apache-e107ddos] Ban 193.33.21.199
2010-06-23 16:05:58,113 fail2ban.actions: WARNING [apache-e107ddos] Ban 89.108.116.226
2010-06-23 16:05:58,521 fail2ban.actions: WARNING [apache-e107ddos] Ban 69.41.162.10
2010-06-23 16:05:58,541 fail2ban.actions: WARNING [apache-e107ddos] Ban 209.62.28.178
2010-06-23 16:06:03,573 fail2ban.actions: WARNING [apache-e107ddos] Ban 69.73.147.90
2010-06-23 16:06:42,975 fail2ban.actions: WARNING [apache-e107ddos] 69.41.162.10 already banned
2010-06-23 16:06:44,227 fail2ban.actions: WARNING [apache-e107ddos] 69.41.162.10 already banned
2010-06-23 16:06:54,238 fail2ban.actions: WARNING [apache-e107ddos] 69.73.147.90 already banned
2010-06-23 16:07:50,305 fail2ban.actions: WARNING [apache-e107ddos] Ban 80.55.107.74
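To check what the filter above will actually catch before deploying it, here is an added example (not part of the original post, and not fail2ban's own code) that applies the six failregex lines to constructed Apache access-log lines and mirrors the jail's maxretry handling. It assumes an IPv4-only stand-in for fail2ban's <HOST> placeholder.

```python
import re

# failregex lines copied from the apache-e107ddos filter above.
FAILREGEX = [
    r'<HOST>\s-\s-\s.*\s"(GET|POST).*\/(help_us|contact|config|avd_start|\*)\.php',
    r'<HOST>\s-\s-\s.*(Casper|b3b4s|dex|Dex|kmccrew|plaNETWORK|sasqia|sledink|indocom) Bot Search',
    r'<HOST>\s-\s-\s.*MaMa CaSpEr',
    r'<HOST>\s-\s-\s.*rk q kangen',
    r'<HOST>\s-\s-\s.*Mozilla\/4\.76 \[ru\] \(X11; U; SunOS 5\.7 sun4u\)',
    r'<HOST>\s-\s-\s.*perl post',
]

# fail2ban expands <HOST> to its own host pattern; this IPv4-only stand-in
# (an assumption of this example) is enough for typical Apache access logs.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
COMPILED = [re.compile(p.replace('<HOST>', HOST)) for p in FAILREGEX]

def classify(line):
    """Return (host, index of the first matching failregex) or None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return m.group('host'), idx
    return None

def hosts_to_ban(log_lines, maxretry=1):
    """IPs that reach maxretry hits, in ban order (the jail above uses maxretry = 1)."""
    counts, banned = {}, []
    for line in log_lines:
        hit = classify(line)
        if hit is None:
            continue
        host = hit[0]
        counts[host] = counts.get(host, 0) + 1
        if counts[host] == maxretry:
            banned.append(host)
    return banned

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2010:16:05:37 +0200] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [23/Jun/2010:16:05:58 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Casper Bot Search"',
    '198.51.100.5 - - [23/Jun/2010:16:06:03 +0200] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)"',
    '203.0.113.7 - - [23/Jun/2010:16:07:50 +0200] "GET /contact-us.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows)"',
    '192.0.2.10 - - [23/Jun/2010:16:07:52 +0200] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print('would ban:', hosts_to_ban(SAMPLE_LOG))
```

The fourth line is a legitimate request that shares a word with a banned path; the filter leaves it alone because it anchors on the exact script names.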

Twitter search failed… :(

Had an issue with ÜberCart tonight.

Was sure I already solved it.

Knew I explained the solution on Twitter.

Tried to search for it:

and failed!

And all I was looking for was this little tweet.

Is Twitter’s search supposed to work? :(

Google AdWords: a 75€ discount voucher up for grabs!

It looks like Google is aggressively promoting AdWords, its online advertising service, in France. After having had several discount vouchers (100 euros and 50 euros) pass through my hands in recent months, I received a 75 euro voucher in the mail today.

Unfortunately, I can't use it because I already have an AdWords account. The voucher in question is only valid for AdWords accounts created less than 14 days ago (and whose billing address is located in France). So I'm offering this voucher to the first person who asks for it in a comment (don't forget to fill in your email address).

Note that this promotional credit keeps its value of 75€ until 28 February 2010. After that date, the voucher reverts to a nominal value of 50€, and expires for good on 31 March 2010.

Two 50€ vouchers up for grabs for Google AdWords

I have two 50€ vouchers for the Google AdWords service. They have been lying around on my desk for several weeks, and I can't use them because I already took advantage of a similar offer this year. That's why I'm offering them to the first two people who leave a comment under this post.

According to the brochure, these vouchers can only be used if the following conditions are met:

  1. the AdWords account was created less than 14 days ago,
  2. the billing address associated with the account is located in France,
  3. the voucher is used before 31 December 2009.

That's a lot of conditions, so I doubt people will be rushing, especially since I'm far from being the only one in France to receive this kind of advertising…

Moving a WordPress blog to another domain

I provide hosting for free to some of my friends. One of them, QPX, had a side project called Lich’ti. But the latter is no longer active, so he decided not to renew the lich-ti.fr domain.

If Lich’ti’s domain name is dead, QPX’s personal blog is not. His website is powered by WordPress and was available at http://qpx.lich-ti.fr. My job is now to move it to http://qpx.coolcavemen.com. In this post, I’ll tell you how I’ve done it.

Before going further, back up everything, and be ready to revert to your original situation at any moment! What works for me will not necessarily work for you…

To play nice with your visitors, you can set up a temporary maintenance page while performing the migration.

Let's start the migration by replacing, in the files served by Apache, all occurrences of the old domain name with the new one:

find /var/www/qpx-blog -mount -type f -print -exec sed -i 's/qpx\.lich-ti\.fr/qpx.coolcavemen.com/g' "{}" \;

If you have doubts about the effectiveness of the command above, you can check for the presence of the string we're looking to replace with this command:

grep -RIi "qpx.lich-ti.fr" /var/www/qpx-blog

Then, we dump the database containing all WordPress content and config to a local file (the command will prompt for the password):

mysqldump -p --host=localhost --port=3306 --user=root --opt --databases "qpx_blog" > qpx_dump.sql

And we replace all occurrences of the old domain with the new one:

sed 's/qpx\.lich-ti\.fr/qpx.coolcavemen.com/g' qpx_dump.sql > new_qpx.sql

Finally, we re-inject the modified database content after clearing the original:

mysql -p --host=localhost --port=3306 --user=root --execute='DROP DATABASE `qpx_blog`;'
mysql -p --host=localhost --port=3306 --user=root < new_qpx.sql
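One thing a plain sed over the dump cannot do is keep WordPress options that are stored as PHP serialized data valid: those values carry s:<length>:"..." entries, and once the 14-byte old domain becomes the 19-byte new one the declared length is wrong and PHP's unserialize() fails on the whole value (widget and theme settings are typical victims). The following added example, not part of the original post, replaces the domain while correcting those lengths and honouring the backslash escapes mysqldump writes; the dump excerpt is constructed.

```python
import re

# Start of a PHP serialized string, s:<len>:" ; inside a mysqldump the quote
# is written as \" so the backslash is optional here.
SER_STR = re.compile(rb'(?<![A-Za-z0-9])s:(\d+):(\\?")')

def _skip_logical_bytes(buf, start, n):
    """Index just past n logical bytes from start, where a mysqldump backslash
    escape (two bytes in the file) counts as one byte of the PHP string."""
    j, seen = start, 0
    while seen < n and j < len(buf):
        j += 2 if buf[j:j + 1] == b'\\' else 1
        seen += 1
    return j

def replace_domain(dump, old, new):
    """Replace old with new everywhere in dump (bytes), rewriting the declared
    length of every serialized string that contains old."""
    out, i, delta = [], 0, len(new) - len(old)
    while True:
        m = SER_STR.search(dump, i)
        if m is None:
            out.append(dump[i:].replace(old, new))
            return b''.join(out)
        out.append(dump[i:m.start()].replace(old, new))   # text between strings
        length, body_start = int(m.group(1)), m.end()
        body_end = _skip_logical_bytes(dump, body_start, length)
        body = dump[body_start:body_end]
        new_length = length + body.count(old) * delta
        out.append(b's:%d:%s%s' % (new_length, m.group(2), body.replace(old, new)))
        i = body_end                                       # closing quote follows

# Constructed mysqldump excerpt: a plain option plus a widget stored as
# serialized PHP; note s:7:"Lich'ti", whose apostrophe is escaped in the dump.
SAMPLE_DUMP = (
    rb"INSERT INTO `wp_options` VALUES (1,'siteurl','http://qpx.lich-ti.fr','yes'),"
    rb"(2,'widget_text','a:1:{i:2;a:2:{s:5:\"title\";s:7:\"Lich\'ti\";s:4:\"text\";"
    rb"s:33:\"visit http://qpx.lich-ti.fr/blog/\";}}','yes');"
)

if __name__ == '__main__':
    print(replace_domain(SAMPLE_DUMP, b'qpx.lich-ti.fr', b'qpx.coolcavemen.com').decode())
```

Run it over qpx_dump.sql in place of the sed step; the s:33 entry above comes out as s:38, which is exactly what a plain text replacement misses.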

Now you can disable the maintenance page and test the blog to check nothing’s broken.

Again, to play nice with your visitors (and search engines), you can redirect old URLs to the new domain with Apache directives similar to these:

<VirtualHost *:80>
  ServerName qpx.lich-ti.fr
  RedirectMatch permanent (.*) http://qpx.coolcavemen.com$1
</VirtualHost>