Recently I’ve seen people having issues with certain devices attached via USB to their thinking machines… Issues that included, Spyware, Malware, Viruses.. ugh, many more.. Wouldn’t it be good to disable these unwanted creepy devices when on a shared/public windows  machines? Ok, follow these steps & get yourself a bit secured.

This can be implemented on your local Windows Machine or on the Windows Dedicated servers, please make sure to backup the Windows registry before following these steps. As making incorrect changes in Windows registry can make the system unbootable.

Search for the following keys in your registry to disable each of them respectively or as per your requirement.

SYSTEMCurrentControlSetServices

Notice the value ‘Start‘, this should be 3 by default [3 = enabled]. Switch this value to 4 [4 = disabled], and USB storage devices are disabled. To re-enable the device switch this value to 3.

To disable USB ports:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUsbStor

To disable CD-ROM drive:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicescdrom

To disable Floppy drive:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesflpydisk

To disable a High Capacity Floppy Drive:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicessfloppy

Once done, you’d need to reboot your machine for the changes to come into effect. That is it

• Click Start >> Run, to open the Run dialog box
• Here, type regedit to open the registry.
• Navigate to the following registry key – HKEY_LOCAL_MACHINE >> System >> CurrentControlSet >> Services >> NetBT >> Parameters
• On the right-hand pane find the option TransportBindName.
• Double
  click on TransportBindName and delete the existing default value.
• 
  click Ok

From the above, it is clear, that you have closed Port 445 by giving a blank value to TransportBindName for NetBT services.

close Port 135:

• Click Start >> Run, to open the Run dialog box
• Here, type regedit to open the registry
• Navigate to the following registry key – HKEY_LOCAL_MACHINE >> software >> microsoft >> Ole
• On thee right hand window pane find an option called EnableDCOM
• Double-click EnableDCOM and change the value from Y to N
• click Ok
• Close the Registry Editor and restart your computer

These steps will only work for a standalone servers. Any serveres that are in a cluster state such as Active Directory, SQL failover cluster, Network Load Balancing [NLB] or Windows Replication service that NEVER-EVER follow these steps as it will simply diable port 135 which is used my Distributed File System [DFS] for the servers to comunicate with each other. Disabling it will just wont allow the servers to communicate and the services will fail.

The File system comes with Windows NT. (NT File System) An optional file system for Windows NT, 2000, XP and Vista. NTFS is the more advanced file system, compared to FAT32. It improves performance and is required in order to implement numerous security and administrative features in the OS. NTFS supports Active Directory domain names and provides file encryption. Permissions can be set at the file level rather than by folder, and individual users can be assigned disk space quotas. NTFS is designed to log activity and recover on the fly from hard disk crashes. It also supports the Unicode character set and allows file names up to 255 characters in length. See FAT32 and file system.

NTFS compared to FAT and FAT32

NTFS has always been a more powerful file system than FAT and FAT32. Windows 2000, Windows XP, and the Windows Server 2003 family include a new version of NTFS, with support for a variety of features including Active Directory, which is needed for domains, user accounts, and other important security features.
FAT and FAT32 are similar to each other, except that FAT32 is designed for larger disks than FAT. The file system that works most easily with large disks is NTFS.

The following will describes the compatibility of each file system with various operating.

NTFS :
A computer running Windows 2000, Windows XP, or a product in the Windows Server 2003 family can access files on a local NTFS partition. A computer running Windows NT 4.0 with Service Pack 5 or later might be able to access some files. Other operating systems allow no local access.

FAT :
Access to files on a local partition is available through MS-DOS, all versions of Windows, and OS/2.

FAT32 :
Access to files on a local partition is available only through Windows 95 OSR2, Windows 98, Windows Millennium Edition, Windows 2000, Windows XP, and products in the Windows Server 2003 family.

The following are comparison of disk and file sizes possible with each file system.

NTFS :
Recommended minimum volume size is approximately 10 MB. Maximum volume and partition sizes start at 2 terabytes (TB) and range upward. For example, a dynamic disk formatted with a standard allocation unit size (4 KB) can have partitions of 16 TB minus 4 KB. Cannot be used on floppy disks.

Maximum file size is potentially 16 TB minus 64 KB, although files cannot be larger than the volume or partition they are located on.

FAT :
Volumes from floppy disk size up to 4 GB. This file system does not support domains controller.
Maximum file size is 2 GB.

FAT32 :
Volumes from 33 MB to 2 TB can be written to or read using products in the Windows Server 2003 family.
Volumes up to 32 GB can be formatted as FAT32 using products in the Windows Server 2003 family.
Does not support domains controller.
Maximum file size is 4 GB.

Windows Server 2003 provides improved alternatives to CDONTS. To make CDONTS
functioning on a Windows Server 2003-based computer, use one of the following

solution:

1. Obtain CDONTS.DLL and put it into %systemroot%\system32 folder
(C:\Windows\system32 by default).

2. Register the CDONTS.DLL component on your server using the following command:

regsvr32 “%systemroot%\system32\cdonts.dll”

For example:

C:\WINDOWS\system32>regsvr32.exe cdonts.dll

3. After you have registered your CDONTS.DLL component you need to check whether
your SMTP service is running. Go to Administrative tools > IIS and expand your local
machine. If SMTP service is listed then it is installed, else  it’s necessary to
install this service. To install SMTP perform the following operation:
Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components >
Application Server > IIS > Mark SMTP service > Click OK.

4. Change the port number for SMTP service. Default port is 25. Use 25 only if you
don’t have another SMTP service running. If another SMTP service is already running
on your server you should switch IIS SMTP port to another, for example to 26. You
can do through IIS management console:
Control Panel > IIS > expand `local computer` > SMTP > Properties > General tab >
click on Advanced button > Edit.

5. Configure SMTP service. The main things are to set a valid full-qualified domain
name for SMTP service:
Control Panel > IIS > expand `local computer` > SMTP > Properties > Delivery tab >
click on Advanced button

6. Configure Security for SMTP service. It’s necessary to grant permissions to
IIS_WPG standard IIS Worker Process Group.

Control Panel > IIS > expand `local computer` > SMTP > Properties > Security tab >
click on Add button > Cick Object types… button > Mark Groups item > click OK >
Add IIS_WPG as object name to add > Click OK.

7. Additional setting:

Choose Authentication and tick Anonymous Access and Integrated Windows
Authentication. Click OK, then click CONNECTION. Configure RELAY settings as you
wish. Click the DELIVERY tab then click ADVANCED.

8. Stop SMTP service of IIS and start it again. Now IIS SMTP service as configured
and ready to work.

The Apache HTTP Web Server, we all well know it as Apache, is one of the world’s most widely used Web servers. It is very popular because of its strong security features, most outstanding performance & the fact that it does cost us any thing. It comprehensively supports and it is most recommended for MySQL & PHP/Perl/Python (and now also supports Ruby) programming languages.

It’s available for all flavours of Unix (GNU/Linux & UNIX systems), Microsoft Windows including other OS as well, for Example Linux distros such as  RedHat, SuSe, Debian, CentOs, Gentoo, Mandrake, Fedora, etc etc. Apache is used to serve both dynamic static content & static Web pages on the Internet. Some web applications are developed expecting the features & environment that Apache provides. It is one of the most basic feature in the hosting world is what allows your website to be seen by the world.

What is a DDoS attack ?

A Denial-Of-Service attack (DoS attack) or Distributed Denial-Of-Service attack (DDoS attack) is nopthing but an attempt to make a domain name or a computer resource unavailable to its users by sending mass packets to it. Perpetrators of DoS attacks like to target domains/sites/hosts or services hosted with high profile webhosting servers such as credit card payment gateways, banks, & even root nameservers.

The most common method of attack involves saturating the target (victim) machine with request that communicates externally, such that even the legimate traffic also does not get a response, or respond very slowly as to be effectively unavailable.

In general terms, DoS attacks are set so that the targeted computer(s) is either reset or consume all the available resources so that the target is no longer available to provide its intended service or to obstruct the communication between the users & the victim so that there is no suitable communication between them.

There are several ways to stop such kind of attacks, most of the providers use “Proxy Shield” which is most effective services available today and can handle an attack upto 4GB per second. Although it is a very expensive service and only corporate websites can afford them. If you want to handle small DDos attacks then you can either go for a hardware firewall or a software application like the one below, which is very effective to handle DDos at its initial stage.

About mod_evasive & how does it prevent DDoS attack ?

mod_evasive is basically an evasive maneuvers module configured on Apache web server to provide evasive action where ever there is an brute force attack or DDoS attack or HTTP DoS. You can also use it as a traffic detection or network management tool and can be effective configured to work with ipchains, routers, firewalls etc. You can also set mod_evasive up to send abuse reports via email & syslog facilities.

It creats an internal dynamic hash table of IP Addresses for detections & URIs and denying any single IP if any of the following is true:

– Making any requests while temporarily blacklisted on the server.
– Single page on your website is access for more then n number of time.
– Establishing more than 50 concurrent connections per second on the same child.

This method works well on both attacks, may it be single-server script attackor a distributed attack but like any other evasive tools it is only useful to the point of processor consumption & bandwidth hence to configure this tool with your firewalls & routers gines out the maximum protection to your dedicated server as well as webhosting sites.

This module is instantiated for each listener individually that is every time when there is a HTTP request to Apache Web Server and therefore the evassive tool has a built-in scaling capabilities & cleanup mechanism. Because of this per-child design, only the scripted attacks get cought and blocked access and legitimate requests are never compromised even if they come from NAT addresses or proxies. Even if the user repeatedly click on ‘reload’ button should not be affected unless they do it maliciously. One can tweak mod_evasive fully through the Apache configuration file that is httpd.conf and it is very easy to incorporate into your Linux web hosting server and most important, easy to use.

Here are the steps to install mod_evasive:

Install & configure it on a Linux Server:

Login to the server as root & execute following connabds one bu one:

cd /usr/local/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive

For Apache 2.0.x

/usr/sbin/apxs -cia mod_evasive20.c

Then add add this too httpd.conf

DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

For Apache 1.3.x

/usr/local/apache/bin/apxs -cia mod_evasive.c

Then add this too httpd.conf

DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

Now just restart Apache web hosting server & the installation is complete..

/etc/init.d/httpd restart

Congratulations.. your Linux Apache web hosting server is now more safer from the DDoS attacks.

Here is a reasonable goal:  Computers are as secure as real world systems, and people believe it.

Security is the condition of being protected against danger, loss, and hackers. In the general sense, security is a concept similar to safety.

In today’s web-based world, hackers and malicious software are the biggest threat to anyone who conducts business online.  Viruses and worms have the ability to cripple entire networks while an experienced hacker can penetrate a system and thieve confidential data.  Because of this, consumers and online businesses alike are taking proactive steps towards protecting their personal information.  Some are conferring with their web hosting providers to ensure that the security measures they implement are reliable.

There are many creative ways that unscrupulous people use to access or abuse unprotected computers. I have mentioned few of them below,

•    Remote login
•    Application backdoors
•    SMTP session hijacking
•    Operating system bugs
•    Denial of service
•    E-mail bombs
•    Macros
•    Spam
•    Redirect bombs
•    Source routing

Firewalls help us to protect this type of hacking or abuse activities. Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail. We can add or remove filters based on several conditions. Some of these are:

IP addresses - Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four “octets” in a “dotted decimal number.” A typical IP address looks like this: 98.166.52.145. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.

Domain names – Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.mywebhostingblog.net than it is to remember 98.166.52.145. A company might block all access to certain domain names, or allow access only to specific domain names.

Protocols – The protocol is the pre-defined way that someone who wants to use a service talks with that service. The “someone” could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation. The http in the Web’s protocol. Some common protocols that you can set firewall filters for include:

• IP (Internet Protocol) – the main delivery system for information over the Internet
• TCP (Transmission Control Protocol) – used to break apart and rebuild information that travels over the Internet
• HTTP (Hyper Text Transfer Protocol) – used for Web pages
• FTP (File Transfer Protocol) – used to download and upload files
• UDP (User Datagram Protocol) – used for information that requires no response, such as streaming audio and video
• ICMP (Internet Control Message Protocol) – used by a router to exchange the information with other routers
• SMTP (Simple Mail Transport Protocol) – used to send text-based information (e-mail)
• SNMP (Simple Network Management Protocol) – used to collect system information from a remote computer
• Telnet - used to perform commands on a remote computer

Ports – Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server. For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.

Specific words and phrases – This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word “X-rated” in it. The key here is that it has to be an exact match. The “X-rated” filter would not catch “X rated” (no hyphen). But you can include as many words, phrases and variations of them as you need.

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

Firewalls use one or more of three methods to control traffic flowing in and out of the network:
•    Packet filtering - Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
•    Proxy service - Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.
•    Stateful inspection – A newer method that doesn’t examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.