Major Search Engines Yahoo and Google Learning to Crawl Flash

Statistics show that Adobe Flash is installed on a whopping 98% of computers connected to the Internet. Using Flash, a Web developer can give his imagination free rein and build magnificent, multimedia-intensive yet functional sites.

But until now, building Flash sites had one singular disadvantage: search engines had no way of indexing them unless the Web developer also included text in the Flash site explaining what the site, or rather the site's content, is about.

Some time ago, Adobe published the Flash SWF file format as an open specification, encouraging third-party developers to create applications that can produce Flash files. Adobe has now gone one step further and is collaborating closely with the Internet search engine companies Yahoo and Google to help them index Flash. This is a clear green light for all Web developers to start creating sites that are heavy on Flash content. It also means Web developers can reduce the size of their Flash sites by deleting the explanatory text.

You should also know that the latest version of Adobe Flash Player is available for Linux, which makes Flash a universal format for sharing and presenting content on the Web.

Read the official information from Adobe and the announcement from Google.



Set Up Shorewall Firewall On CentOS

This tutorial will guide you through setting up the Shorewall (Shoreline Firewall) 4.0 firewall on CentOS 5.1; the steps can easily be adapted to any other Linux distribution.

The Shoreline Firewall, more commonly known as "Shorewall", is a high-level configuration tool for Netfilter. You describe your firewall/gateway using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, on a multi-function gateway/router/server, or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take full advantage of Netfilter's connection state tracking.

http://www.shorewall.net/

Important Note:
Before installing Shorewall, uninstall ipchains if it is installed on your machine; the ipchains compatibility layer cannot be used together with iptables.


Download shorewall


wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-4.0.11-2.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-perl-4.0.11-2.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.0/shorewall-4.0.11/shorewall-shell-4.0.11-2.noarch.rpm


Check the download section of the official Shorewall web site for newer versions.
http://www.shorewall.net/download.htm


Install Shorewall
Installing Shorewall is quite easy. Just open a terminal and run


rpm -ivh shorewall-perl-4.0.11-2.noarch.rpm shorewall-shell-4.0.11-2.noarch.rpm shorewall-4.0.11-2.noarch.rpm

and you're all ready. Don't close your terminal, because we will need it some more.


Configuring Shorewall

Shorewall will not start until you edit its configuration file /etc/shorewall/shorewall.conf. You can do this as follows:


vim /etc/shorewall/shorewall.conf

Change the line

STARTUP_ENABLED=No

to

STARTUP_ENABLED=Yes

Save and exit (in VIM, hit [ESC] and then ':wq').

To configure Shorewall you need to copy a set of sample configuration files from
/usr/share/doc/shorewall-4.0.11/Samples/. The Samples directory contains three subdirectories: one-interface/, two-interfaces/ and
three-interfaces/. Depending on your network, copy one of the sets with the following command:
cp /usr/share/doc/shorewall-4.0.11/Samples/one-interface/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

or
cp /usr/share/doc/shorewall-4.0.11/Samples/two-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/
or
cp /usr/share/doc/shorewall-4.0.11/Samples/three-interfaces/{interfaces,policy,masq,routestopped,rules,zones} /etc/shorewall/

Now you have configuration files located in /etc/shorewall.


Zones Configuration

Open and edit the file /etc/shorewall/zones to specify the different network zones;
these are just labels that you will use in the other files.

vim /etc/shorewall/zones

Consider the Internet (net) as one zone, the local network (loc) as another, and a private DMZ network (dmz) as a third. The firewall zone, "fw", is your Linux box itself.
With these zones, the zones file would look like this:

#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
#
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


Interfaces Configuration

The next file to edit is the interfaces file, which specifies the network interfaces on your machine.
vim /etc/shorewall/interfaces

Here you connect the zones that you defined in the previous step to actual interfaces.
The third field is the broadcast address for the network attached to the interface ("detect" lets Shorewall work this out for you). The last field holds options for the interface. The options listed below are a good starting point: tcpflags drops packets with illegal TCP flag combinations, nosmurfs drops packets whose source is a broadcast address, routefilter turns on the kernel's reverse-path (anti-spoofing) filter for the interface, logmartians logs packets with impossible source addresses, and dhcp permits DHCP traffic on the interface.

#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,nosmurfs
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


Policy Configuration

The next file defines your firewall's default policy. The default policy is used when no rule applies.
Usually you set the default policy to REJECT or DROP, then configure specifically which ports/services are allowed in the next step; anything you do not explicitly allow is rejected or dropped according to this policy.
vim /etc/shorewall/policy

An example policy (based on the zones and interfaces we used above) would be:

#SOURCE  DEST  POLICY  LOG LEVEL LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# in your DMZ, change the following policy to REJECT info.
loc net ACCEPT
# If you want open access to DMZ from loc, change the following policy
# to ACCEPT. (If you chose not to do this, you will need to add a rule
# for each service in the rules file.)
loc dmz REJECT info
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW net REJECT info
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
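The two properties the comments in this file insist on (the catch-all entry last, and nothing from the Internet zone accepted wholesale) are easy to lose when the file is edited by hand. The shell script below is an added example, not part of this tutorial or of the Shorewall distribution: it lints a policy file for those two properties, and warns about REJECT/DROP entries with no log level, before the firewall is started. It assumes the 4.0 policy syntax shown above (SOURCE DEST POLICY [LOG LEVEL] [LIMIT:BURST], "#" comments) and the zone name net for the Internet; the two sample files it writes are constructed for the demonstration and are not the tutorial's files.

```shell
#!/bin/sh
# Added example: lint /etc/shorewall/policy before "shorewall start".
# Not part of the tutorial or of Shorewall itself.

# policy_entries FILE: print the policy lines with comments and blank
# lines removed, so every remaining line is one SOURCE DEST POLICY entry.
policy_entries() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# check_policy_file FILE: print findings; return 0 if the file is safe
# to load, 1 if at least one FAIL was found.
check_policy_file() {
    file=$1
    rc=0

    # 1. The catch-all must be the last entry, so a zone pair with no
    #    explicit policy or rule is refused rather than left to chance.
    last=$(policy_entries "$file" | tail -n 1 | awk '{print $1, $2, $3}')
    case "$last" in
        "all all REJECT"|"all all DROP") ;;
        *) echo "FAIL: last policy must be 'all all REJECT' or 'all all DROP', found '$last'"
           rc=1 ;;
    esac

    # 2. Nothing originating in the Internet zone may be ACCEPTed by policy.
    #    Inbound services belong in the rules file, one service at a time.
    bad=$(policy_entries "$file" | awk '$1 == "net" && $3 == "ACCEPT"')
    if [ -n "$bad" ]; then
        echo "FAIL: net zone accepted by policy:"
        echo "$bad"
        rc=1
    fi

    # 3. REJECT/DROP policies without a log level leave no trace of what
    #    was refused; warn, but do not fail.
    policy_entries "$file" | awk '($3 == "REJECT" || $3 == "DROP") && NF < 4 {
        print "WARN: no log level on: " $0 }'

    return $rc
}

# Constructed sample policy files for a stand-alone run (not the tutorial's
# files). SAMPLE_DIR defaults to a fresh temporary directory.
SAMPLE_DIR=${SAMPLE_DIR:-$(mktemp -d)}
cat > "$SAMPLE_DIR/policy.good" <<'EOF'
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc $FW REJECT info
$FW net REJECT info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF
cat > "$SAMPLE_DIR/policy.bad" <<'EOF'
net $FW ACCEPT
$FW net REJECT
all all REJECT info
loc net ACCEPT
EOF

# On a real host: check_policy_file /etc/shorewall/policy && shorewall check && shorewall start
check_policy_file "$SAMPLE_DIR/policy.good" && echo "policy.good: OK"
check_policy_file "$SAMPLE_DIR/policy.bad"  || echo "policy.bad: rejected"
```

Run the check against /etc/shorewall/policy before starting the firewall, then let shorewall check compile the whole configuration; the lint only looks at the policy file, so a rule in the rules file that opens a service to net is still something to review by hand.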


Rules Configuration

The most important file is rules. This is where you set what is allowed and what is not.
Every new connection that reaches your firewall is checked against these rules; if none of them match, the
default policy applies.

Note: This applies only to new connections; packets belonging to established connections (and related ones, such as ICMP errors) are accepted automatically.

The comments in the file give you a good idea of how things work, but the following example will give you
a head start:
vim /etc/shorewall/rules

An example would be:

#############################################################################################################
#ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ORIGINAL_DEST RATE_LIMIT USER/GROUP MARK
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


Finally

We are done; let's start the service and begin testing.

service shorewall start


Shorewall Web interface or GUI tool

There is a Webmin module for Shorewall that lets you configure it through a GUI. You can download it from http://www.webmin.com/download/modules/shorewall.wbm.gz.



Configuring The Firewall Using IPTABLES

About the Script:

The script builds a firewall on Linux using iptables: the user only has to answer a few simple prompts, and the script generates the corresponding iptables rule in its original syntax.

I tested the script on PCLinuxOS, Fedora 9, Dreamlinux and Ubuntu 8.
This is my iptables script, version 1.0.

About iptables:

Network security is a primary consideration in any decision to host a website, as threats become more widespread and persistent every day. One way to provide additional protection is to invest in a firewall appliance. Although prices are still falling, in many cases you can build a comparable unit using the Linux iptables package on a server for little or no additional cost.

Originally, the most common firewall/NAT package on Linux was ipchains, but it had a number of shortcomings. To remedy this, the Netfilter project created its successor, iptables.


Starting the Script

A menu like this will appear:

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit


1. Check Iptables Package
The user selects option 1. Check Iptables Package from the menu by pressing "1" on the keyboard.
The script first confirms that the user is root. The UID of root is zero (0), so the script compares the UID of the current user with 0; if it does not match, the following message is displayed:


****You must be the root user to run this script!****
If the UID matches root's, the script displays the following message and continues:
***Identity Verified_You are the Root***

We can check the UID of the current user by typing the following command in the terminal:

echo $UID

If the user is verified as root, the script checks whether the iptables package is installed, using the following command:

rpm -q iptables

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit


If the user selects option 2. Iptables Services, the checkstatus function is called. It offers the following options:

*****Note: Save your Iptables before stop/Restart the iptables Services*****
1. Save the iptables
2. Status of Iptables
3. Start iptables Services
4. Stop iptables Services
5. Restart iptable Services
6. Flush iptables (**Use Carefully_it will remove all the rules from iptables**)
7. Go back to Main Menu


If the user selects 1. Save the iptables, the current rules are saved with the following command (on Red Hat style systems this writes them to /etc/sysconfig/iptables, from where they are reloaded at boot):

/etc/init.d/iptables save

If the user selects 2. Status of Iptables, the current rule set is displayed with the following command:

/etc/init.d/iptables status

Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.1.45 172.16.4.8 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.1.1 192.168.1.25
LOG icmp -- anywhere anywhere LOG level warning

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP udp -- 192.168.6.3 10.6.3.7


If the user selects 3. Start iptables Services, iptables is started with the following command:

/etc/init.d/iptables start

If the user selects 4. Stop iptables Services, iptables is stopped with the following command:


/etc/init.d/iptables stop

If the user selects 5. Restart iptable Services, iptables is restarted with the following command, which reloads the saved rules:

/etc/init.d/iptables restart

If the user selects 6. Flush iptables, the running rules are flushed with the following command (use carefully: it removes every rule from the running filter table, although the chain policies and the saved rule file are left untouched):


iptables -F

To go back to the Main Menu, the user selects option 7. Go back to Main Menu.

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit

Option 3. Build Your Firewall with Iptables is the heart of this script: with it, users can create firewall rules with iptables in a few simple steps. When the user selects this option, the script walks through the parts of a rule.


Using Which Chain of Filter Table?
1. INPUT
2. OUTPUT
3. Forward

The above menu asks the user to select the chain in which the rule is to be placed.

Next, the script asks for the IP information on the source side:

1. Firewall using Single Source IP
2. Firewall using Source Subnet
3. Firewall using for All Source Networks

If the user selects option 1. Firewall using Single Source IP, the script asks for an IP address.


If the user selects option 2. Firewall using Source Subnet, the script asks for a subnet in the form 192.168.1.0/24.

If the user selects option 3. Firewall using for All Source Networks, the script puts 0/0 (any address) in the variable ip_source.

Next, the script asks for the IP information on the destination side:


1. Firewall using Single Destination IP
2. Firewall using Destination Subnet
3. Firewall using for All Destination Networks

If the user selects option 1. Firewall using Single Destination IP, the script asks for an IP address.

If the user selects option 2. Firewall using Destination Subnet, the script asks for a subnet in the form 192.168.1.0/24.

If the user selects option 3. Firewall using for All Destination Networks, the script puts 0/0 (any address) in the variable ip_dest.


Now the script asks the user to select the protocol:

1. Block All Traffic of TCP
2. Block Specific TCP Service
3. Block Specific Port
4. Using no Protocol

If the user selects 1. Block All Traffic of TCP, the rule matches all TCP traffic (whether it is blocked or accepted is decided by the action chosen below).

If the user selects 2. Block Specific TCP Service, the script asks for a protocol name, which is passed to iptables as the -p argument (e.g. ICMP or UDP; despite the menu label this is a protocol, not a TCP service).


Note: the TCP Service name should be in CAPITAL LETTERS!!!

If the user selects 3. Block Specific Port, the script asks for the port number. Note that iptables can only match a port together with a protocol (TCP or UDP); a port on its own is not a valid -p argument.

Now the script asks what to do with the rule just built:

What to do with Rule?
1. Accept the Packet
2. Reject the Packet
3. Drop the Packet
4. Create Log


If the user selects 1. Accept the Packet, matching packets are accepted.

If the user selects 2. Reject the Packet, matching packets are rejected and the sender is told so with an ICMP error.

If the user selects 3. Drop the Packet, matching packets are silently dropped.

If the user selects 4. Create Log, matching packets are only logged; the LOG target does not end rule processing, so a later rule or the chain's default policy still decides what happens to them.


The following message is then shown:

Press Enter key to Generate the Complete Rule!!!

When the user presses Enter, the script assembles the complete rule with the correct syntax and displays it; in my case:

The Generated Rule is
iptables -A INPUT -s 192.168.0.0/24 -d 172.16.0.0/16 -p TCP -j ACCEPT

The script then asks:

Do you want to Enter the Above rule to the IPTABLES? Yes=1 , No=2

If the rule is correct, the user presses 1 for Yes and the rule is added to the running iptables configuration (remember to save it afterwards with the Iptables Services menu, or it is lost at the next restart);
otherwise 2 for No, and the script returns to the main menu so the rule can be built again.


Here is the whole script:
#!/bin/bash
# Interactive iptables rule builder. It must run as root, because the
# generated rule is handed to iptables unchanged.
echo -e "****************Welcome*************"
###############################IPTABLE SERVICES PROGRAM BEGINS HERE###############################
checkstatus()
{
    opt_checkstatus=1
    while [ "$opt_checkstatus" != 7 ]
    do
        clear
        echo -e "\n\t*****Note: Save your Iptables before stop/Restart the iptables Services*****\n"
        echo -e " 1. Save the iptables\n
2. Status of Iptables\n
3. Start iptables Services\n
4. Stop iptables Services\n
5. Restart iptable Services\n
6. Flush iptables (**Use Carefully_it will remove all the rules from iptables**)\n
7. Go back to Main Menu"
        read opt_checkstatus
        case "$opt_checkstatus" in
            1) echo -e "*******************************************************\n"
               # Red Hat style init script: writes the running rules to /etc/sysconfig/iptables
               /etc/init.d/iptables save
               echo -e "\n*******************************************************\n"
               echo -e "Press Enter key to Continue..."
               read temp;;
            2) echo -e "*******************************************************\n"
               /etc/init.d/iptables status
               echo -e "*******************************************************"
               echo -e "Press Enter key to Continue..."
               read temp;;
            3) echo -e "*******************************************************\n"
               /etc/init.d/iptables start
               echo -e "*******************************************************\n"
               echo -e "Press Enter key to Continue..."
               read temp;;
            4) echo -e "*******************************************************\n"
               /etc/init.d/iptables stop
               echo -e "*******************************************************\n"
               echo -e "Press Enter key to Continue..."
               read temp;;
            5) echo -e "*******************************************************\n"
               /etc/init.d/iptables restart
               echo -e "*******************************************************\n"
               echo -e "Press Enter key to Continue..."
               read temp;;
            6) # Flushes the running rules of the filter table only; chain policies and the saved file are untouched
               iptables -F
               echo -e "*******************************************************"
               echo -e "All the Rules from the Iptables are Flushed!!!"
               echo -e "*******************************************************\n"
               echo -e "Press Enter key to Continue..."
               read temp;;
            7) ;;   # the while condition ends the loop and control returns to main's menu
            *) echo -e "Wrong Option Selected!!!"
        esac
    done
}
###############################BUILD FIREWALL PROGRAM BEGINS FROM HERE###############################
buildfirewall()
{
    ###############Getting the Chain############
    echo -e "Using Which Chain of Filter Table?\n
1. INPUT
2. OUTPUT
3. Forward"
    read opt_ch
    case "$opt_ch" in
        1) chain="INPUT" ;;
        2) chain="OUTPUT" ;;
        3) chain="FORWARD" ;;
        *) echo -e "Wrong Option Selected!!!"; return 1 ;;
    esac

    #########Getting Source IP Address##########
    echo -e "
1. Firewall using Single Source IP\n
2. Firewall using Source Subnet\n
3. Firewall using for All Source Networks\n"
    read opt_ip
    case "$opt_ip" in
        1) echo -e "\nPlease Enter the IP Address of the Source"
           read ip_source ;;
        2) echo -e "\nPlease Enter the Source Subnet (e.g 192.168.10.0/24)"
           read ip_source ;;
        3) ip_source="0/0" ;;
        *) echo -e "Wrong Option Selected"; return 1 ;;
    esac

    #########Getting Destination IP Address##########
    echo -e "
1. Firewall using Single Destination IP\n
2. Firewall using Destination Subnet\n
3. Firewall using for All Destination Networks\n"
    read opt_ip
    case "$opt_ip" in
        1) echo -e "\nPlease Enter the IP Address of the Destination"
           read ip_dest ;;
        2) echo -e "\nPlease Enter the Destination Subnet (e.g 192.168.10.0/24)"
           read ip_dest ;;
        3) ip_dest="0/0" ;;
        *) echo -e "Wrong Option Selected"; return 1 ;;
    esac

    ###############Getting the Protocol#############
    port=""
    echo -e "
1. Block All Traffic of TCP
2. Block Specific TCP Service
3. Block Specific Port
4. Using no Protocol"
    read proto_ch
    case "$proto_ch" in
        1) proto=TCP ;;
        2) # the value is passed to iptables -p, so it is really a protocol name (e.g. UDP, ICMP)
           echo -e "Enter the TCP Service Name: (CAPITAL LETTERS!!!)"
           read proto ;;
        3) # a port match needs a protocol: iptables rejects "-p 22" as an unknown protocol
           echo -e "Enter the Protocol for the Port (TCP or UDP):"
           read proto
           echo -e "Enter the Port Number:"
           read port ;;
        4) proto="NULL" ;;
        *) echo -e "Wrong option Selected!!!"; return 1 ;;
    esac

    #############What to do With Rule#############
    echo -e "What to do with Rule?
1. Accept the Packet
2. Reject the Packet
3. Drop the Packet
4. Create Log"
    read rule_ch
    case "$rule_ch" in
        1) rule="ACCEPT" ;;
        2) rule="REJECT" ;;
        3) rule="DROP" ;;
        4) rule="LOG" ;;
        *) echo -e "Wrong option Selected!!!"; return 1 ;;
    esac

    ###################Generating the Rule####################
    # Build the argument list once, so the rule that is shown is exactly the rule that is run
    rule_args="-A $chain -s $ip_source -d $ip_dest"
    if [ "$proto" != "NULL" ]; then
        rule_args="$rule_args -p $proto"
    fi
    if [ -n "$port" ]; then
        rule_args="$rule_args --dport $port"
    fi
    rule_args="$rule_args -j $rule"
    echo -e "\n\tPress Enter key to Generate the Complete Rule!!!"
    read temp
    echo -e "The Generated Rule is \n"
    echo -e "\niptables $rule_args\n"
    echo -e "\n\tDo you want to Enter the Above rule to the IPTABLES? Yes=1 , No=2"
    read yesno
    if [ "$yesno" == 1 ]; then
        # $rule_args is deliberately unquoted: one word per iptables option
        iptables $rule_args
    fi
    # Any other answer discards the rule; control returns to the main menu
}

main()
{
    ROOT_UID=0
    if [ "$UID" == "$ROOT_UID" ]; then
        clear
        opt_main=1
        while [ "$opt_main" != 4 ]
        do
            echo -e "/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\n"
            #############Check Whether the iptables installed or not############
            echo -e "\t*****Main Menu*****\n
1. Check Iptables Package\n
2. Iptables Services\n
3. Build Your Firewall with Iptables\n
4. Exit"
            read opt_main
            case "$opt_main" in
                1) echo -e "******************************"
                   # rpm covers the RPM based distributions; dpkg-query covers Ubuntu, which has no rpm
                   if command -v rpm >/dev/null 2>&1; then
                       rpm -q iptables
                   else
                       dpkg-query -W iptables
                   fi
                   echo -e "******************************" ;;
                2) checkstatus ;;
                3) buildfirewall ;;
                4) exit 0 ;;
                *) echo -e "Wrong option Selected!!!"
            esac
        done
    else
        echo -e "You Must be the ROOT to Perform this Task!!!"
    fi
}
main
exit 0
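The generator above hands whatever was typed at the prompts straight to iptables, as root, and a port entered without a protocol produces a command iptables refuses. The shell functions below are an added example, not part of the script above: they validate each piece of a rule (chain, address or CIDR prefix, protocol, port, target) and assemble the iptables command only from pieces that passed, rejecting a port that is not paired with tcp or udp. The function names and the sample inputs are the example's own; the generated command is printed, not executed.

```shell
#!/bin/sh
# Added example: validate rule components before they reach iptables.
# Not part of the original script.

# valid_ipv4 A.B.C.D -> 0 when there are exactly four numeric octets, each 0-255
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit !ok }'
}

# valid_cidr A.B.C.D[/N] -> 0 when the address is valid and N, if present, is 0-32.
# "0/0", which the menu uses for "all networks", is accepted explicitly.
valid_cidr() {
    case "$1" in
        0/0) return 0 ;;
        */*)
            addr=${1%/*}
            bits=${1#*/}
            valid_ipv4 "$addr" || return 1
            case "$bits" in
                ''|*[!0-9]*) return 1 ;;
            esac
            [ "$bits" -le 32 ]
            ;;
        *) valid_ipv4 "$1" ;;
    esac
}

# valid_port N -> 0 when N is an integer 1-65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_proto NAME -> 0 for the protocol names the menu can produce
valid_proto() {
    case "$1" in
        tcp|udp|icmp|TCP|UDP|ICMP) return 0 ;;
        *) return 1 ;;
    esac
}

# build_rule CHAIN SRC DST PROTO PORT TARGET
# Prints the iptables command on stdout and returns 0, or prints the
# reason on stderr and returns 1. PROTO and PORT may be "" to omit them;
# a PORT is only accepted together with tcp or udp.
build_rule() {
    chain=$1 src=$2 dst=$3 proto=$4 port=$5 target=$6
    case "$chain" in INPUT|OUTPUT|FORWARD) ;; *) echo "bad chain: $chain" >&2; return 1 ;; esac
    valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    valid_cidr "$dst" || { echo "bad destination: $dst" >&2; return 1; }
    case "$target" in ACCEPT|REJECT|DROP|LOG) ;; *) echo "bad target: $target" >&2; return 1 ;; esac
    cmd="iptables -A $chain -s $src -d $dst"
    if [ -n "$proto" ]; then
        valid_proto "$proto" || { echo "bad protocol: $proto" >&2; return 1; }
        cmd="$cmd -p $proto"
    fi
    if [ -n "$port" ]; then
        case "$proto" in
            tcp|udp|TCP|UDP) ;;
            *) echo "a port match needs -p tcp or -p udp" >&2; return 1 ;;
        esac
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        cmd="$cmd --dport $port"
    fi
    echo "$cmd -j $target"
}

# Constructed sample inputs: the rule from the walkthrough above, a port
# rule, and two inputs that must be refused.
build_rule INPUT 192.168.0.0/24 172.16.0.0/16 TCP "" ACCEPT
build_rule INPUT 0/0 192.168.1.25 tcp 22 DROP
build_rule INPUT 192.168.1.0/33 0/0 "" "" DROP || echo "refused, as intended"
build_rule INPUT 0/0 0/0 "" 22 DROP || echo "refused, as intended"
```

The script above could call build_rule with the values read at its prompts and run the printed command only when build_rule returned 0; the validation is what turns an interactive root script from "runs whatever was typed" into "runs a rule that parses".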



Set Up DHCP Failover On Centos

This tutorial will guide you through setting up DHCP failover on a default CentOS 5.1 installation using the ISC DHCP server; the steps can easily be adapted to any other Linux distribution. You will need failover in network environments where downtime cannot be tolerated. At my house I run a DLNA setup, so I need my devices to be able to obtain their network settings at any time.

Since DHCP and DNS often go hand in hand, I will also set up a local DNS server that accepts dynamic updates, so that host names are added to DNS automatically whenever a lease is granted to a client.

My setup uses the following configuration; substitute your own network details.


  • Domain name - home.topdog-software.com

  • Network - 192.168.1.0/24

  • DHCP servers - 192.168.1.2,192.168.1.3

  • Gateway - 192.168.1.254

  • DNS servers - 192.168.1.2,192.168.1.3


Install required Packages

  • DHCP
    # yum install dhcp -y


  • DNS
    # yum install bind bind-chroot caching-nameserver -y


  • NTP
    # yum install ntp -y




Configuration :
DHCP

Backup your original config on the Master 192.168.1.2:

# cp /etc/dhcpd.conf /etc/dhcpd.conf.orig

Edit the DHCP configuration /etc/dhcpd.conf on the master 192.168.1.2 and add the following; read the comments to understand the options. Note that the TSIG secret shared with named is copied into this file in clear text on both servers, so keep /etc/dhcpd.conf readable by root only. Also bear in mind that reusing the rndc key gives anyone who reads it control over named itself (rndc reload, stop and so on), not just the right to update these two zones; a dedicated update key is the safer choice if you want to tighten this later.

authoritative;                                  # server is authoritative
option domain-name "home.topdog-software.com"; # the domain name issued
option domain-name-servers 192.168.1.2,192.168.1.3; # name servers issued
option netbios-name-servers 192.168.1.2; # netbios servers
allow booting; # allow for booting over the network
allow bootp; # allow for booting
next-server 192.168.1.2; # TFTP server for booting
filename "pxelinux.0"; # kernel for network booting
ddns-update-style interim; # setup dynamic DNS updates
ddns-updates on;
ddns-domainname "home.topdog-software.com"; # domain name for DDNS updates
key rndckey {
algorithm hmac-md5;
secret "xxxxxxxxxx"; # get from the /etc/rndc.key file
}
zone home.topdog-software.com # forward zone to update
{
primary 127.0.0.1; # update on the local machine
key rndckey; # key to use for the update
}
zone 1.168.192.in-addr.arpa # reverse zone to update
{
primary 127.0.0.1; # update on the local machine
key rndckey; # key for update
}
failover peer "home-net" { # fail over configuration
primary; # This is the primary
address 192.168.1.2; # primarys ip address
port 647;
peer address 192.168.1.3; # peer's ip address
peer port 647;
max-response-delay 60;
max-unacked-updates 10;
mclt 3600;
split 128;
load balance max seconds 3;
}
subnet 192.168.1.0 netmask 255.255.255.0 # zone to issue addresses from
{
pool {
failover peer "home-net"; # pool for DHCP leases, replicated between the failover peers; BOOTP clients not allowed
deny dynamic bootp clients;
option routers 192.168.1.254;
range 192.168.1.25 192.168.1.50;
}
pool { # BOOTP clients are served from here; this pool is neither replicated nor covered by failover
option routers 192.168.1.254;
range 192.168.1.51 192.168.1.55;
}
allow unknown-clients;
ignore client-updates;
}


Back up your original config on the Slave 192.168.1.3:

# cp /etc/dhcpd.conf /etc/dhcpd.conf.orig

Edit the DHCP configuration /etc/dhcpd.conf on the slave 192.168.1.3 and add the following; read the comments to understand the options:

authoritative;                                  # server is authoritative
option domain-name "home.topdog-software.com"; # the domain name issued
option domain-name-servers 192.168.1.2,192.168.1.3; # name servers issued
option netbios-name-servers 192.168.1.2; # netbios servers
allow booting; # allow for booting over the network
allow bootp; # allow for booting
next-server 192.168.1.2; # TFTP server for booting
filename "pxelinux.0"; # kernel for network booting
ddns-update-style interim; # setup dynamic DNS updates
ddns-updates on;
ddns-domainname "home.topdog-software.com"; # domain name for DDNS updates
key rndckey {
algorithm hmac-md5;
secret "xxxxxxxxxx"; # get from the /etc/rndc.key file on the master
}
zone home.topdog-software.com # forward zone to update
{
primary 192.168.1.2; # send updates to the master name server
key rndckey; # key to use for the update
}
zone 1.168.192.in-addr.arpa # reverse zone to update
{
primary 192.168.1.2; # send updates to the master name server
key rndckey; # key for update
}
failover peer "home-net" { # fail over configuration
secondary; # This is the secondary
address 192.168.1.3; # our ip address
port 647;
peer address 192.168.1.2; # primary's ip address
peer port 647;
max-response-delay 60;
max-unacked-updates 10;
mclt 3600;
load balance max seconds 3;
}
subnet 192.168.1.0 netmask 255.255.255.0 # zone to issue addresses from
{
pool {
failover peer "home-net"; # pool for DHCP leases, replicated between the failover peers; BOOTP clients not allowed
deny dynamic bootp clients;
option routers 192.168.1.254;
range 192.168.1.25 192.168.1.50;
}
pool { # BOOTP clients are served from here; this pool is neither replicated nor covered by failover
option routers 192.168.1.254;
range 192.168.1.51 192.168.1.55;
}
allow unknown-clients;
ignore client-updates;
}


DNS
Back up the BIND configuration on the master:

# cp /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.caching-nameserver.conf.orig

Edit the configuration to reflect the config below. One caveat: the two query-source lines pin named's outgoing queries to source port 53, which removes the source-port randomization that makes cache poisoning harder; leave the port unspecified unless a firewall in front of the server forces a fixed port.

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { localhost; localnets; };
};
include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
zone "home.topdog-software.com" {
type master;
file "data/home.topdog-software.com.hosts";
allow-transfer { 192.168.1.3; };
allow-update { key "rndckey"; };
allow-query { any; };
};
zone "1.168.192.in-addr.arpa" {
type master;
file "data/1.168.192.in-addr.arpa.hosts";
allow-transfer { 192.168.1.3; };
allow-update { key "rndckey"; };
allow-query { any; };
};

Back up the BIND configuration on the slave:

# cp /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.caching-nameserver.conf.orig

Edit the configuration to reflect the config below.

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { localhost; localnets; };
};
include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
zone "home.topdog-software.com" {
type slave;
masters { 192.168.1.2; };
file "data/home.topdog-software.com.hosts";
};
zone "1.168.192.in-addr.arpa" {
type slave;
masters { 192.168.1.2; };
file "data/1.168.192.in-addr.arpa.hosts";
};

Create the zone files on the master



  • /var/named/chroot/var/named/data/home.topdog-software.com.hosts
    $ORIGIN .
    $TTL 38400
    home.topdog-software.com. IN SOA ns1.home.topdog-software.com. andrew.topdog.za.net. (
    2008061629 ; serial
    10800 ; refresh (3 hours)
    3600 ; retry (1 hour)
    604800 ; expire (1 week)
    38400 ; minimum (10 hours 40 minutes)
    )
    home.topdog-software.com. NS ns1.home.topdog-software.com.
    home.topdog-software.com. NS ns2.home.topdog-software.com.
    ns1.home.topdog-software.com. IN A 192.168.1.2
    ns2.home.topdog-software.com. IN A 192.168.1.3


  • /var/named/chroot/var/named/data/1.168.192.in-addr.arpa.hosts
    $ORIGIN .
    $TTL 38400 ; 10 hours 40 minutes
    1.168.192.in-addr.arpa. IN SOA ns1.home.topdog-software.com. andrew.topdog.za.net. (
    2008061644 ; serial
    10800 ; refresh (3 hours)
    3600 ; retry (1 hour)
    604800 ; expire (1 week)
    38400 ; minimum (10 hours 40 minutes)
    )
    1.168.192.in-addr.arpa. NS ns1.home.topdog-software.com.
    1.168.192.in-addr.arpa. NS ns2.home.topdog-software.com.
    2.1.168.192.in-addr.arpa. IN PTR ns1.home.topdog-software.com.
    3.1.168.192.in-addr.arpa. IN PTR ns2.home.topdog-software.com.




NTP

NTP is required because the clocks of the two DHCP servers need to be in sync for failover to work and for DDNS updates to take place. You can run a full-fledged NTP server if you want; I will only give instructions for using cron to sync the clock against an external NTP server every hour. You need to do this on BOTH servers.



  • create a file /etc/cron.hourly/timesync and add the following:

    #!/bin/bash
    #
    ntpdate -s 0.rhel.pool.ntp.org


  • make the file executable (chmod +x) and run it for the first time:
    # /etc/cron.hourly/timesync



Finally
We are done; let's start the services and begin testing.



  • on the master:
    # service named start

    # service dhcpd start


  • on the slave:
    # service named start

    # service dhcpd start




You should see the following in your logs on the master:

Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:58:56 kudusoft dhcpd: dhcpd startup succeeded
Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 kudusoft dhcpd: Sent update request all message to home-net
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 kudusoft dhcpd: Update request all from home-net: sending update
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer update completed.
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: Sent update done message to home-net
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24 total 26 free 25 backup 0 lts -12
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24 total 26 free 25 backup 0 lts 12

And on the slave:

Jun 16 13:59:12 shaka dhcpd: Sending on   Socket/fallback/fallback-net
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 shaka dhcpd: dhcpd startup succeeded
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: requesting full update from peer
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 shaka dhcpd: Sent update request all message to home-net
Jun 16 13:59:12 shaka dhcpd: Sent update done message to home-net
Jun 16 13:59:12 shaka dhcpd: Update request all from home-net: nothing pending
Jun 16 13:59:12 shaka dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: peer update completed.
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 shaka dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:14 shaka dhcpd: pool 9d78ad8 192.168.1/24 total 26 free 25 backup 0 lts 12
Jun 16 13:59:14 shaka dhcpd: pool response: 12 leases
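The two logs above are easy to eyeball once, but on a box you do not look at every day it helps to have a check that walks the failover state transitions and confirms both sides ended in "normal". The following is an added example, not part of the tutorial: it parses the master's log lines quoted above (sample input embedded verbatim), follows the "I move from X to Y" and "peer moves from X to Y" chain for each side, flags any transition whose "from" state does not match the previous "to" state, and picks up the pool summary line. Only the message formats visible in this tutorial are handled.

```python
import re

# Sample input: the master's log lines from the tutorial above.
MASTER_LOG = """\
Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from recover to startup
Jun 16 13:58:56 kudusoft dhcpd: dhcpd startup succeeded
Jun 16 13:58:56 kudusoft dhcpd: failover peer home-net: I move from startup to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from unknown-state to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover
Jun 16 13:59:12 kudusoft dhcpd: failover peer home-net: I move from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover to recover-done
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: I move from recover-done to normal
Jun 16 13:59:13 kudusoft dhcpd: failover peer home-net: peer moves from recover-done to normal
Jun 16 13:59:14 kudusoft dhcpd: pool 914eb10 192.168.1/24 total 26 free 25 backup 0 lts 12
"""

# "I move" describes the local server, "peer moves" describes the partner.
TRANSITION = re.compile(
    r"failover peer (?P<peer>\S+): (?P<who>I move|peer moves) "
    r"from (?P<src>\S+) to (?P<dst>\S+)"
)
POOL = re.compile(
    r"pool \w+ (?P<range>\S+) total (?P<total>\d+) free (?P<free>\d+) "
    r"backup (?P<backup>\d+) lts (?P<lts>-?\d+)"
)


def check_failover(log_text):
    """Follow the failover state machine for both sides and report the outcome.

    Returns a dict with the final local/peer states, the parsed pool lines,
    any broken transition chains, and an overall ok flag that is True only
    when both sides reached 'normal' without a gap in the chain.
    """
    state = {"local": None, "peer": None}
    errors = []
    pools = []
    for line in log_text.splitlines():
        m = TRANSITION.search(line)
        if m:
            side = "local" if m.group("who") == "I move" else "peer"
            prev = state[side]
            # Each transition must start from the state the previous one ended in.
            if prev is not None and prev != m.group("src"):
                errors.append(
                    f"{side}: expected to move from {prev}, log says {m.group('src')}"
                )
            state[side] = m.group("dst")
            continue
        m = POOL.search(line)
        if m:
            pools.append(
                {k: (v if k == "range" else int(v)) for k, v in m.groupdict().items()}
            )
    ok = state["local"] == "normal" and state["peer"] == "normal" and not errors
    return {
        "local": state["local"],
        "peer": state["peer"],
        "pools": pools,
        "errors": errors,
        "ok": ok,
    }


if __name__ == "__main__":
    print(check_failover(MASTER_LOG))
```

Run it against `grep dhcpd /var/log/messages` on either server; a result with `ok` False, or with a peer state stuck in "recover" or "communications-interrupted", means the pair is not in sync and DDNS updates from the standby will be unreliable.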



Securing Postgresql with Two-Factor Authentication

This tutorial will demonstrate how to secure PostgreSQL databases using two-factor authentication from the WiKID Strong Authentication Server via WFP on Linux. We assume that you have PostgreSQL and the WiKID Strong Authentication Server configured.

Configuring Postgresql

Configuring PostgreSQL to use PAM authentication is trivial. Edit the pg_hba.conf file and add an entry with the pam method for the appropriate network:


host all all 192.168.0.0/24 pam postgresql

This entry specifies that all users connecting from the local LAN (192.168.0.0/24) will use PAM, specifically the PAM service file named postgresql, which on Red Hat flavors is found in /etc/pam.d. We assume you have a separate line for access by applications; you don't want to break any applications that are using PostgreSQL.
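Because pg_hba.conf is evaluated top to bottom and the first matching line wins, the separate application line mentioned above must not accidentally swallow the administrators' connections before they reach the pam line. The following is an added example (not from the tutorial) that parses a constructed pg_hba.conf containing the tutorial's pam line, answers "which method applies to this database/user/client?" the way PostgreSQL would, and lists every earlier line that overlaps the LAN so you can confirm each one is intended. It assumes CIDR notation for addresses and handles only host-type lines; local lines, the separate "addr mask" form and +group user syntax are out of scope.

```python
import ipaddress

# Constructed sample pg_hba.conf: the tutorial's pam line for the LAN, an
# application account on its own line, and a catch-all reject.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER     ADDRESS           METHOD
host    appdb     appuser  192.168.0.50/32   md5
host    all       all      192.168.0.0/24    pam postgresql
host    all       all      0.0.0.0/0         reject
"""


def parse_pg_hba(text):
    """Parse host/hostssl/hostnossl lines into dicts (CIDR addresses only)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("host", "hostssl", "hostnossl") or len(fields) < 5:
            continue  # 'local' lines and malformed lines are skipped here
        entries.append({
            "type": fields[0],
            "database": fields[1],
            "user": fields[2],
            "network": ipaddress.ip_network(fields[3], strict=False),
            "method": fields[4],
            "options": fields[5:],   # e.g. the PAM service name "postgresql"
        })
    return entries


def _matches(field, value):
    # "all" matches anything; otherwise the field may be a comma-separated list.
    return field == "all" or value in field.split(",")


def effective_method(entries, database, user, client_ip):
    """First-match-wins: the method of the first applicable line, or None
    (PostgreSQL rejects the connection when nothing matches)."""
    addr = ipaddress.ip_address(client_ip)
    for e in entries:
        if (_matches(e["database"], database)
                and _matches(e["user"], user)
                and addr in e["network"]):
            return e["method"]
    return None


def audit_pam_coverage(entries, lan):
    """List lines placed before the pam line that overlap the LAN.

    Each one is a path that bypasses the two-factor check for the clients it
    matches; that is fine for a dedicated application account, but a line
    with user 'all' here would silently exempt the administrators too.
    """
    lan = ipaddress.ip_network(lan)
    findings = []
    for e in entries:
        if e["method"] == "pam":
            break
        if e["network"].overlaps(lan):
            findings.append(
                f"line for {e['database']}/{e['user']} from {e['network']} "
                f"uses {e['method']} before the pam line"
            )
    return findings


if __name__ == "__main__":
    entries = parse_pg_hba(SAMPLE_PG_HBA)
    print(effective_method(entries, "postgres", "alice", "192.168.0.20"))
    for f in audit_pam_coverage(entries, "192.168.0.0/24"):
        print("review:", f)
```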


Configuring PAM

If your system does not have a package for pam_radius, you can download the source from the PAM RADIUS website; installation documentation is also available there.


Once installed, edit the postgresql PAM file to use radius:


#%PAM-1.0
auth     sufficient /lib/security/pam_radius_auth.so
account  include    system-auth
password include    system-auth
session  include    system-auth

PAM settings vary by linux flavor, so please consult your distribution's PAM documentation.

Now edit the /etc/raddb/server file to point to your WiKID server:


# server[:port] shared_secret      timeout (s)
#127.0.0.1 secret 1
192.168.0.10 your_shared_secret 3

Configuring the WiKID Strong Authentication Server
Adding a domain to the WiKID server 

The WiKID Authentication System employs the concept of authentication domains. An authentication domain is a segmentation of authentication authority. Any given token client using the system can participate in any number of authentication domains. These domains may exist on an individual WiKID Strong Authentication Server or they may exist on separate and discrete servers (or any combination). Conversely, a WiKID Strong Authentication Server may provide authentication services for any number of discrete domains. These domains may be exclusive or inclusive of any set of token clients.


An authentication domain is initially defined by the 12-digit code used in token client provisioning. This code allows any un-configured, unrelated token client to locate and register with a particular WiKID Strong Authentication Server and domain. In practice, the 12-digit code signifies a zero-padded IP address that is Internet accessible. Optionally, it may designate a prefix in the wikidsystems.net domain. For example, a WiKID Strong Authentication Server with the public IP address 27.232.7.14 would be directly accessible via the 12-digit code 027232007014. Using the wikidsystems.net service, codes signifying non-routable IP addresses may be used, such as 999888777666. You can also alter the DNS settings by deploying a custom jw.properties file with your software token.
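The zero-padding rule above is simple but easy to get wrong by hand (a dropped leading zero shifts every group). The following is an added example, not WiKID's own code, that converts between a dotted-quad address and the 12-digit server code in both directions, rejects codes that are not exactly 12 digits, and tells apart a literal address from a wikidsystems.net-style code such as 999888777666 (groups above 255 cannot be octets). The "private address" classification is an added sanity check: a token outside the LAN cannot reach such a server directly.

```python
import ipaddress


def ip_to_server_code(ip):
    """Zero-pad each octet of an IPv4 address to three digits: 27.232.7.14 -> 027232007014."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return "".join(f"{int(octet):03d}" for octet in str(addr).split("."))


def server_code_to_ip(code):
    """Inverse of ip_to_server_code.

    Returns the dotted-quad address, or None when a 3-digit group exceeds 255,
    which means the code is a wikidsystems.net prefix rather than an address.
    Raises ValueError when the code is not exactly 12 digits.
    """
    if len(code) != 12 or not code.isdigit():
        raise ValueError("server code must be exactly 12 digits")
    octets = [int(code[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def classify_server_code(code):
    """Describe what a code points at so it can be checked before provisioning tokens."""
    ip = server_code_to_ip(code)
    if ip is None:
        return "wikidsystems.net prefix"
    if ipaddress.IPv4Address(ip).is_private:
        return "private address (not reachable by tokens outside the LAN)"
    return "public address"


if __name__ == "__main__":
    code = ip_to_server_code("27.232.7.14")
    print(code, server_code_to_ip(code), classify_server_code(code))
    print(classify_server_code("999888777666"))
```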


Selecting the [Domains] header option will display the current domains served by this WiKID Strong Authentication Server. See Figure 1 below.




Figure 1 – Domain Configuration Screen


Selecting [Create New Domain] on this screen will allow the administrator to establish a new authentication domain for this server. The new domain parameter screen is depicted in Figure 2.



The required domain configuration options are:

Domain Name – This is a descriptive label for this domain visible only in the administration system.


Device Domain Name – This is the domain label that will appear in the menu option on the token client. This label should be relatively short to facilitate viewing on a mobile device.


Minimum PIN Length – This is the minimum allowable PIN length for this domain. Any attempt to set a PIN shorter than this value will generate an error on the token client.


Passcode Lifetime – This parameter specifies the maximum lifetime of the one-time passcode generated in this domain. After N elapsed seconds, the one-time passcode will automatically be invalidated.


Server Code – This is the zero-padded IP address of the server or the pre-registered prefix in the wikidsystems.net domain. This value must be exactly 12 digits in length.


Max Bad PIN Attempts – The maximum number of bad PINs attempted by a token client in this domain before the token is disabled.


Max Bad Passcode Attempts – The maximum number of bad passcodes entered for a userid registered in this domain before the userid is disabled.


Max Sequential Offlines – The maximum number of times a token client may use the offline challenge/response authentication before being required to authenticate online. This feature is used in the Enterprise version for the wireless clients when they are out-of-network coverage.


Use TACACS+ – Select this to use TACACS+ for this domain.


Creating Network Clients

Network clients are systems that request one-time password validation from a WiKID Strong Authentication Server. These systems act in a proxy capacity, accepting unverified credentials from users and communicating with the WiKID Strong Authentication Server for validation.
Network clients utilize one of the installed protocol modules. The protocol module must be installed, initialized and enabled before you can add a network client for it.


Each network client must be configured on the WiKID Strong Authentication Server before it will allow the client to request validation.
Figure 3 shows the initial network client screen.




Figure 3 – Initial Network Client Screen


Select [Create new Network Client] to begin adding a network client. You will be presented with a screen similar to Figure 4 below.






Figure 4 – Network Client Properties Screen


These are the general network client properties. These values are required for each network client configured, regardless of the protocol selected. Property definitions are:


Name – The descriptive name of the server. This will be the primary display name in the administrative system and in system logs and reports. It is recommended that you use a combination of hostname and WiKID domain for clarity.


IP Address – The IP address of the network client.


Protocol – The communications protocol used by this network client. Only protocols previously enabled will be available. The protocol selection will dictate the additional properties that must be defined for this client. In this instance, choose Radius.


Domain – This is the WiKID authentication domain in which this client will request credential validation. Your postgresql administrators will need to have their tokens registered in this domain.


RADIUS traffic is encoded using a shared secret, so enter the same shared secret here that you entered in the PostgreSQL server's /etc/raddb/server file:


That's it! Accessing PostgreSQL from the command line or from any GUI now requires a one-time passcode from the WiKID Strong Authentication Server.



Install MySQL Proxy On CentOS

This tutorial explains how you can install MySQL Proxy on CentOS 5 (x86_64). MySQL Proxy is a simple program that sits between your client and the MySQL server and can monitor, analyze and transform their communication. Its flexibility allows an unlimited number of uses; common ones include load balancing, failover, query analysis, query filtering and modification, and many others.

On a minimal CentOS 5 (final) x86_64 install:

yum install gcc.x86_64 libevent.x86_64 libevent-devel.x86_64 \
    readline.x86_64 readline-devel.x86_64 ncurses.x86_64 \
    ncurses-devel.x86_64 glib2.x86_64 glib2-devel.x86_64


cd /usr/local/src/


wget http://www.lua.org/ftp/lua-5.1.3.tar.gz

tar zxvf lua-5.1.3.tar.gz


cd lua-5.1.3

make linux

make install


wget http://dev.mysql.com/get/Downloads/MySQL-Cluster-6.2/mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23.tar.gz/from/http://www.mirrorservice.org/sites/ftp.mysql.com/


tar xzvf mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23.tar.gz

ln -s mysql-5.1.23-ndb-6.2.15-linux-x86_64-glibc23 mysql

PATH=$PATH:/usr/local/mysql/bin

export PATH


Edit your .profile to make this permanent:


# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:/usr/local/mysql/bin:$HOME/bin

export PATH
unset USERNAME

wget http://dev.mysql.com/get/Downloads/MySQL-Proxy/mysql-proxy-0.6.1.tar.gz/from/http://www.mirrorservice.org/sites/ftp.mysql.com/


tar zxvf mysql-proxy-0.6.1.tar.gz

cd mysql-proxy-0.6.1


./configure LDFLAGS="-lm -ldl" LUA_CFLAGS="-I/usr/local/include/" LUA_LIBS=/usr/local/lib/liblua.a


make

make install


Let's create a sample Lua script so you can see some logs.


mkdir /var/log/mysql-proxy/

mkdir -p /usr/local/mysql/lua-scripts/


vi /usr/local/mysql/lua-scripts/simple-log.lua




(Script modified to log the client IP and to use proxy.connection.server.thread_id.)


-- open the log file once, in append mode, when the proxy loads the script
local log_file = '/var/log/mysql-proxy/mysql.log'
local fh = io.open(log_file, "a+")

-- called by mysql-proxy for every packet the client sends
function read_query( packet )
    -- only log COM_QUERY packets; the query text follows the 1-byte command
    if string.byte(packet) == proxy.COM_QUERY then
        local query = string.sub(packet, 2)
        fh:write( string.format("%s %6d -- %s :IP %s :USER: %s\n",
            os.date('%Y-%m-%d %H:%M:%S'),
            proxy.connection.server.thread_id,
            query,
            proxy.connection.client.address,
            proxy.connection.client.username))
        fh:flush()
    end
end

Now start the proxy, using the --proxy-backend-addresses option to point it at your servers:


/usr/local/sbin/mysql-proxy \
    --proxy-lua-script=/usr/local/mysql/lua-scripts/simple-log.lua \
    --proxy-backend-addresses=192.168.1.33:3306 \
    --proxy-backend-addresses=192.168.1.34:3306 --daemon


192.168.1.33 and 192.168.1.34 are the MySQL nodes that the proxy will be connecting to.
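The log that simple-log.lua produces is only useful if something reads it. The following is an added example (not from the tutorial or the MySQL Proxy project) that parses lines in exactly the format the Lua script's string.format call writes, counts queries per user, and lists queries whose client address lies outside an allowed network. The sample log lines are constructed for this example; the client field is assumed to carry "ip:port" as proxy.connection.client.address does in the tutorial's script.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the Lua script's format "%s %6d -- %s :IP %s :USER: %s".
SAMPLE_PROXY_LOG = """\
2008-06-16 14:02:11     16 -- show databases :IP 192.168.1.50:41022 :USER: dba_admin
2008-06-16 14:02:19     16 -- select count(*) from Imap_Forms.entries :IP 192.168.1.50:41022 :USER: dba_admin
2008-06-16 14:05:03     17 -- select * from mysql.user :IP 10.0.0.7:50113 :USER: dba_admin
"""

# The query is matched greedily, so a literal " :IP " inside the SQL text
# cannot shift the client/user fields (the regex takes the last occurrence).
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<thread>\d+) -- "
    r"(?P<query>.*) :IP (?P<client>\S+) :USER: (?P<user>\S*)$"
)


def parse_proxy_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["thread"] = int(rec["thread"])
        # client is "ip:port"; keep the bare address for network checks
        rec["client_ip"] = rec["client"].rsplit(":", 1)[0]
        records.append(rec)
    return records


def queries_per_user(records):
    """How many queries each MySQL account sent through the proxy."""
    return Counter(r["user"] for r in records)


def clients_outside(records, allowed):
    """Records whose client address is not inside any of the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return [
        r for r in records
        if not any(ipaddress.ip_address(r["client_ip"]) in n for n in nets)
    ]


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print(queries_per_user(recs))
    for r in clients_outside(recs, ["192.168.1.0/24"]):
        print("unexpected client:", r["client_ip"], r["user"], r["query"])
```

Pair this with the iptables rule below: the firewall decides who may reach port 4040 at all, and the log check tells you whether anyone you did not expect actually got through.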


Allow connections for the proxy through your firewall:


### ALLOWED TO CONNECT TO MYSQL PROXY
###
### LOCAL ADMINS
-A INPUT -s SRC-IP -d DST-IP -p tcp -m state --state NEW -m tcp --dport 4040 -j ACCEPT

Where DST-IP is my proxy server and SRC-IP is my local box (client machine).


Now, from your local box (not the mysql-proxy server), try to connect to the backend databases through the proxy (a user with the relevant permissions must exist in the database):


mysql -u dba_admin -p -h PROXY-SERVER -P 4040


Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 16 to server version: 5.1.23-ndb-6.2.15

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


mysql> show databases;



+--------------------+
| Database |
+--------------------+
| information_schema |
| Imap_Forms |
| mysql |
| test |
+--------------------+

4 rows in set (0.01 sec)


mysql> quit


Bye


N.B. The proxy uses the port 4040 instead of 3306.


Test the mysql-proxy admin interface from the mysql-proxy server:


mysql -u root -p -h 127.0.0.1 -P 4041


Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 1

Server version: 5.1.20-agent MySQL Enterprise Agent

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


mysql> select * from proxy_connections;


+------+--------+-------+------+
| id | type | state | db |
+------+--------+-------+------+
| 0 | server | 0 | |
| 1 | proxy | 0 | |
| 2 | server | 10 | |
+------+--------+-------+------+

3 rows in set (0.00 sec)


mysql>quit


bye


Job done!





Intrusion Detection For PHP

This tutorial explains how to set up PHPIDS on a web server with Apache2 and PHP5. PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art layer of security for your PHP based web application. The IDS neither strips, sanitizes nor filters malicious input; it recognizes when an attacker tries to break your site and reacts exactly how you want it to. Based on a set of approved and heavily tested filter rules, every attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt: simple logging, sending an urgent email to the development team, displaying a warning message to the attacker, or even terminating the user's session.


1 Preliminary Note

I have tested this on a Debian Etch LAMP system with Apache2 and PHP5 and the IP address 192.168.0.100. The Apache user and group on Debian Etch is www-data, so if you are on a different distribution, the Apache user and group might be different. The location of php.ini (/etc/php5/apache2/php.ini on Debian Etch) might differ as well.


I'm using a virtual host with the document root /var/www/web1/web in this example.

2 Installing PHPIDS
For security reasons, I want to install PHPIDS outside of the document root, so I create the directory /var/www/web1/phpids:

mkdir /var/www/web1/phpids

Then I install PHPIDS as follows (at the time of this writing the latest version was 0.4.7) - of all the contents of the phpids-0.4.7.tar.gz file, we only need the lib/ directory:


cd /tmp

wget http://php-ids.org/files/phpids-0.4.7.tar.gz

tar xvfz phpids-0.4.7.tar.gz

cd phpids-0.4.7

mv lib/ /var/www/web1/phpids/

Now I change to the directory /var/www/web1/phpids/lib/IDS...


cd /var/www/web1/phpids/lib/IDS

... and make the tmp/ directory (which will hold the PHPIDS log file) writable for the Apache user and group:

chown -R www-data:www-data tmp/

Next we configure the PHPIDS configuration file (Config.ini):

cd Config/

vi Config.ini


I'm using the default configuration here, all I did was to adjust the paths:

; PHPIDS Config.ini

; General configuration settings

; !!!DO NOT PLACE THIS FILE INSIDE THE WEB-ROOT IF DATABASE CONNECTION DATA WAS ADDED!!!

[General]

filter_type = xml
filter_path = /var/www/web1/phpids/lib/IDS/default_filter.xml
tmp_path = /var/www/web1/phpids/lib/IDS/tmp
scan_keys = false

exceptions[] = __utmz
exceptions[] = __utmc

; If you use the PHPIDS logger you can define specific configuration here

[Logging]

; file logging
path = /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt

; email logging

; note that enabling safemode you can prevent spam attempts,
; see documentation
recipients[] = test@test.com.invalid
subject = "PHPIDS detected an intrusion attempt!"
header = "From: <PHPIDS> info@php-ids.org"
safemode = true
allowed_rate = 15

; database logging

wrapper = "mysql:host=localhost;port=3306;dbname=phpids"
user = phpids_user
password = 123456
table = intrusions

; If you would like to use other methods than file caching you can configure them here

[Caching]

; caching: session|file|database|memcached|none
caching = file
expiration_time = 600

; file cache
path = /var/www/web1/phpids/lib/IDS/tmp/default_filter.cache

; database cache
wrapper = "mysql:host=localhost;port=3306;dbname=phpids"
user = phpids_user
password = 123456
table = cache

; memcached
;host = localhost
;port = 11211
;key_prefix = PHPIDS
;tmp_path = /var/www/web1/phpids/lib/IDS/tmp/memcache.timestamp


3 Using PHPIDS
We will now create the file /var/www/web1/web/phpids.php which will call PHPIDS for us (we will later on prepend that file to all our PHP files so that our PHP files can make use of PHPIDS automatically):


vi /var/www/web1/web/phpids.php

<?php
set_include_path(
    get_include_path()
    . PATH_SEPARATOR
    . '/var/www/web1/phpids/lib'
);

require_once 'IDS/Init.php';
$request = array(
    'REQUEST' => $_REQUEST,
    'GET' => $_GET,
    'POST' => $_POST,
    'COOKIE' => $_COOKIE
);
$init = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini');
$ids = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // Take a look at the result object
    echo $result;
    require_once 'IDS/Log/File.php';
    require_once 'IDS/Log/Composite.php';

    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_File::getInstance($init));
    $compositeLog->execute($result);
}
?>


Now when you call that file in a browser, (e.g. http://192.168.0.100/phpids.php), you will see a blank page. But if you try to append some malicious parameters to the URL (e.g. http://192.168.0.100/phpids.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), PHPIDS will detect this and print its findings in the browser:


Now we have to find a way to make our PHP scripts use PHPIDS. Of course, you don't want to modify all your PHP scripts (you could have hundreds of them...). Fortunately, there's a better way: we can tell PHP to prepend a PHP script whenever a PHP script is called. For example, if we call the script info.php in a browser, PHP would first execute phpids.php and then info.php, and we don't even have to modify info.php.

We can do this by using PHP's auto_prepend_file parameter. We can either set this in our php.ini (this is a global setting which is valid for all PHP web sites on the server), or in an .htaccess file (this is a setting valid only for the web site in question):




php.ini
Open your php.ini (e.g. /etc/php5/apache2/php.ini), and set auto_prepend_file to /var/www/web1/web/phpids.php:

vi /etc/php5/apache2/php.ini

[...]
auto_prepend_file = /var/www/web1/web/phpids.php
[...]

Restart Apache afterwards:

/etc/init.d/apache2 restart

.htaccess
Instead of modifying php.ini (which is a global change, i.e., the change is valid for all web sites that use PHP on the server), you can instead use an .htaccess file (so the setting would be valid only for the web site for which you create the .htaccess file):

vi /var/www/web1/web/.htaccess

php_value auto_prepend_file /var/www/web1/web/phpids.php

Please make sure that the vhost for the web site in /var/www/web1/web contains something like this (otherwise the php_value line in the .htaccess file will be ignored) (if you have to modify the vhost, please don't forget to restart Apache):


<Directory /var/www/web1/web/>
AllowOverride All
</Directory>




Now we create a simple PHP file, /var/www/web1/web/info.php:


vi /var/www/web1/web/info.php

<?php
phpinfo();
?>


Call that file in a browser (http://192.168.0.100/info.php), and you should see the normal phpinfo() output.

Now append some malicious parameters to the URL (e.g. http://192.168.0.100/info.php?test=%22%3EXXX%3Cscript%3Ealert(1)%3C/script%3E), and you should find a PHPIDS report before the phpinfo() output (because /var/www/web1/web/phpids.php was executed before /var/www/web1/web/info.php):


PHPIDS logs to /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt, so you should see something in the log now:

cat /var/www/web1/phpids/lib/IDS/tmp/phpids_log.txt

"192.168.0.200",2008-06-04T17:36:08+02:00,54,"xss csrf id rfe lfi","REQUEST.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E GET.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
"%2Finfo.php%3Ftest%3D%2522%253EXXX%253Cscript%253Ealert%281%29%253C%2Fscript%253E"

Now by observing that log you learn what hackers are trying to do to your PHP applications, and you can try to harden your applications.
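Reading the log file by hand works for one entry, but the point of the impact rating is to let a script decide the reaction. The following is an added example, not part of PHPIDS or the tutorial: it parses the CSV row shown above (the sample is that row, wrapped by the page but a single line in the file), decodes the URI, and maps the impact to one of the reactions listed in the introduction. The field order (client IP, timestamp, impact, tags, affected variables, URI) is taken from the sample; the thresholds are this example's own assumption, not PHPIDS defaults, so tune them to your application.

```python
import csv
import io
import urllib.parse

# Sample input: the phpids_log.txt entry from the tutorial, as one CSV row.
SAMPLE_PHPIDS_LOG = (
    '"192.168.0.200",2008-06-04T17:36:08+02:00,54,"xss csrf id rfe lfi",'
    '"REQUEST.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E '
    'GET.test=%5C%22%3EXXX%3Cscript%3Ealert%281%29%3C%2Fscript%3E",'
    '"%2Finfo.php%3Ftest%3D%2522%253EXXX%253Cscript%253Ealert%281%29%253C%2Fscript%253E"\n'
)

FIELDS = ["ip", "time", "impact", "tags", "variables", "uri"]


def reaction_for(impact):
    """Assumed policy: map the impact rating to the reactions the text lists."""
    if impact >= 50:
        return "terminate session"
    if impact >= 20:
        return "email team"
    if impact >= 5:
        return "warn"
    return "log"


def parse_phpids_log(text):
    """Parse PHPIDS file-logger rows; rows with an unexpected field count are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        ev = dict(zip(FIELDS, row))
        ev["impact"] = int(ev["impact"])
        ev["tags"] = ev["tags"].split()          # e.g. ["xss", "csrf", ...]
        ev["uri"] = urllib.parse.unquote(ev["uri"])  # logger stores it URL-encoded
        ev["reaction"] = reaction_for(ev["impact"])
        events.append(ev)
    return events


def summarize(events):
    """Per-client overview: event count, worst impact seen, and the union of tags."""
    per_ip = {}
    for ev in events:
        s = per_ip.setdefault(ev["ip"], {"events": 0, "max_impact": 0, "tags": set()})
        s["events"] += 1
        s["max_impact"] = max(s["max_impact"], ev["impact"])
        s["tags"].update(ev["tags"])
    return per_ip


if __name__ == "__main__":
    evs = parse_phpids_log(SAMPLE_PHPIDS_LOG)
    for ev in evs:
        print(ev["ip"], ev["impact"], ev["reaction"], ev["uri"])
    print(summarize(evs))
```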

To add another level of security, we can stop our PHP scripts from executing if PHPIDS find that they are under attack: we simply add something like die('<h1>Go away!</h1>'); to the if (!$result->isEmpty()) {} section of the /var/www/web1/web/phpids.php script:


vi /var/www/web1/web/phpids.php

<?php
set_include_path(
    get_include_path()
    . PATH_SEPARATOR
    . '/var/www/web1/phpids/lib'
);

require_once 'IDS/Init.php';
$request = array(
    'REQUEST' => $_REQUEST,
    'GET' => $_GET,
    'POST' => $_POST,
    'COOKIE' => $_COOKIE
);
$init = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini');
$ids = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // Take a look at the result object
    echo $result;
    require_once 'IDS/Log/File.php';
    require_once 'IDS/Log/Composite.php';

    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_File::getInstance($init));
    $compositeLog->execute($result);

    // stop the request here so the real script never runs on a detected attack
    die('<h1>Go away!</h1>');
}
?>


If there's no attack, the scripts are executed, but if PHPIDS finds an attack, it prevents the scripts from being executed and displays a message to the hackers:



New Version of OpenSUSE Released

OpenSUSE has released its latest version, 11.0, today. This version contains fresh innovations and new features, among them the inclusion of KDE 4.04, a new installation theme, the latest Linux kernel (2.6.25.4) and a series of OpenSUSE-specific characteristics.

For a list of new features, read the release notes. And then go see screenshots of the installer to get an idea of how easy it is to be installed on your machine.



Set Up WebDAV With MySQL Authentication On Apache2

This guide explains how to set up WebDAV with MySQL authentication (using mod_auth_mysql) on Apache2 on a Debian Etch server. WebDAV stands for Web-based Distributed Authoring and Versioning and is a set of extensions to the HTTP protocol that allow users to edit files directly on the Apache server, so they do not need to be downloaded and re-uploaded via FTP. Of course, WebDAV can also be used to upload and download files.

1 Preliminary Note

I'm using a Debian Etch server with the hostname server1.example.com and the IP address 192.168.0.100 here.

2 Installing Apache2, WebDAV, MySQL, mod_auth_mysql
Unfortunately libapache2-mod-auth-mysql is available as a Debian package only for Debian Lenny (testing) and Sid (unstable), but not for Etch. Therefore we will install the libapache2-mod-auth-mysql package from Lenny. To do this, open /etc/apt/sources.list and add the line deb http://ftp2.de.debian.org/debian/ lenny main; your /etc/apt/sources.list could then look like this:


vi /etc/apt/sources.list

deb http://ftp2.de.debian.org/debian/ etch main
deb-src http://ftp2.de.debian.org/debian/ etch main

deb http://ftp2.de.debian.org/debian/ lenny main

deb http://security.debian.org/ etch/updates main contrib
deb-src http://security.debian.org/ etch/updates main contrib

Of course (in order not to mess up our system), we want to install packages from Lenny only if there's no appropriate package from Etch - if there are packages from Etch and Lenny, we want to install the one from Etch. To do this, we give packages from Etch a higher priority in /etc/apt/preferences:


vi /etc/apt/preferences

Package: *
Pin: release a=etch
Pin-Priority: 700

Package: *
Pin: release a=lenny
Pin-Priority: 650

(The terms etch and lenny refer to the appropriate terms in /etc/apt/sources.list; if you're using stable and testing there, you must use stable and testing instead of etch and lenny in /etc/apt/preferences as well.)

Afterwards, we update our packages database:

apt-get update

If you're getting an error like this:


Segmentation faultsts... 96%

or this one:

E: Dynamic MMap ran out of room

open /etc/apt/apt.conf and add a line for APT::Cache-Limit with a very high value, e.g. like this:

vi /etc/apt/apt.conf

APT::Cache-Limit "100000000";

Then run

apt-get update

again and upgrade the installed packages:


apt-get upgrade

(If you see any questions, you can accept the default values.)

To install Apache2, WebDAV, MySQL, and mod_auth_mysql, we run:

apt-get install apache2 mysql-server mysql-client libapache2-mod-auth-mysql

Create a password for the MySQL user root (replace yourrootsqlpassword with the password you want to use):

mysqladmin -u root password yourrootsqlpassword

Then check with


netstat -tap | grep mysql

on which addresses MySQL is listening. If the output looks like this:

tcp 0 0 localhost.localdo:mysql *:* LISTEN 2713/mysqld


which means MySQL is listening on localhost.localdomain only, then you're safe with the password you set before. But if the output looks like this:


tcp 0 0 *:mysql *:* LISTEN 2713/mysqld

you should set a MySQL password for your hostname, too, because otherwise anybody can access your database and modify data:

mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Afterwards, enable the WebDAV and mod_auth_mysql modules:

a2enmod dav_fs

a2enmod dav

a2enmod auth_mysql

Reload Apache:

/etc/init.d/apache2 force-reload

3 Creating A Virtual Host
I will now create a default Apache vhost in the directory /var/www/web1/web. For this purpose, I will modify the default Apache vhost configuration in /etc/apache2/sites-available/default. If you already have a vhost for which you'd like to enable WebDAV, you must adjust this tutorial to your situation.

First, we create the directory /var/www/web1/web and make the Apache user (www-data) the owner of that directory:


mkdir -p /var/www/web1/web

chown www-data /var/www/web1/web

Then we back up the default Apache vhost configuration (/etc/apache2/sites-available/default) and create our own one:

mv /etc/apache2/sites-available/default /etc/apache2/sites-available/default_orig

vi /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/web1/web/
    <Directory /var/www/web1/web/>
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

</VirtualHost>

Then reload Apache:

/etc/init.d/apache2 reload



Unlock Encrypted Root Partition

Fully encrypted systems prevent others from obtaining your data through physical access. The rationale of full-disk encryption is that you do not have to worry about what to encrypt and what not, because everything (except for /boot) is encrypted.

However, the problem I ran into so far was: how could I reboot my computer remotely? I would be obliged to be in front of the computer to enter the passphrase, so I asked myself how I could reboot the computer from a distance.

On Debian Administration I then found an article written by Wulf Coulmann in which he builds an initrd with the lightweight Dropbear SSH server and an unlock script. However, the script still has some bugs and is not suitable for Ubuntu as-is. In the comments there are some changes (in particular comments #31 and #29) which make it work on Ubuntu as well.

The Script

Well, here's the script: dropbear

#!/bin/bash
# We add dropbear to the initrd to be able
# mount crypted partitions from remote
# copyright Wulf Coulmann
# GNU GPL
# http://www.gnu.org/licenses/gpl.html
#
# Download me here: http://gpl.coulmann.de/dropbear
# get infos about this script here:
# http://gpl.coulmann.de/ssh_luks_unlock.html
# Modified by Anonymous 2008
# Modified By Geoffroy RABOUIN 26/05/2008
# Modified by hyper_ch 15/06/2008
### INSTRUCTIONS FOR UBUNTU ###
# 0. Enable root login
# 1. Install killall, busybox and dropbear:
# ~# sudo apt-get install psmisc busybox dropbear
# 2. Edit network configuration below and copy contents
# of this file to /etc/initramfs-tools/hooks/dropbear
# 3. Save the script and make it executable:
# ~# sudo chmod +x /etc/initramfs-tools/hooks/dropbear
# 4. Create new initrd:
# ~# sudo mkinitramfs -o /boot/netboot
# 5. Edit /boot/grub/menu.lst and add your new initrd as the first entry
# 6. Delete the dropbear script the hooks folder
# ~# sudo rm /etc/initramfs-tools/hooks/dropbear
# 7. Profit!
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# load the prepared functions of debians initramfs enviroment
source /usr/share/initramfs-tools/hook-functions
# build the directories
DIRS='/lib /bin /usr/bin /usr/sbin/ /proc/ /root/.ssh/ /var/ /var/run/ /etc/dropbear/'
for now in $DIRS ; do
if [ ! -e ${DESTDIR}$now ]
then
mkdir -p ${DESTDIR}$now
fi
done
# copy the ssh-daemon and librarys
copy_exec /usr/sbin/dropbear /usr/sbin/
copy_exec /usr/bin/passwd /usr/bin/
copy_exec /bin/login /bin/
copy_exec /usr/bin/killall /usr/bin/
copy_exec /sbin/route /sbin/
copy_exec /usr/bin/awk /usr/bin/
#copy_exec /usr/bin/strace /usr/bin/
#copy_exec /bin/nc /bin/
copy_exec /usr/bin/wc /usr/bin/
# some librarys are not autoincluded by copy_exec
copy_exec /lib/libnss_compat.so.2 /lib/
copy_exec /usr/lib/libz.so.1 /usr/lib/
copy_exec /etc/ld.so.cache /etc/
copy_exec /lib/libutil.so.1 /lib/
# we copy config and key files
cp -pr /etc/dropbear/dropbear_dss_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/dropbear/dropbear_rsa_host_key ${DESTDIR}/etc/dropbear/
cp -pr /etc/passwd ${DESTDIR}/etc/
cp -pr /etc/shadow ${DESTDIR}/etc/
cp -pr /etc/group ${DESTDIR}/etc/
if [ -e /root/.ssh/authorized_keys ]
then
cp -pr /root/.ssh/authorized_keys ${DESTDIR}/root/.ssh/
fi
cp -pr /etc/nsswitch.conf ${DESTDIR}/etc/
cp -pr /etc/localtime ${DESTDIR}/etc/
cp -pr /lib/tls ${DESTDIR}/lib/
# we don't have bash in our initrd
# also we only add the root account
cat /etc/passwd | grep root | sed s/\\/bash/\\/sh/ > ${DESTDIR}/etc/passwd
cat /etc/shadow | grep root > ${DESTDIR}/etc/shadow
cat /etc/group | grep root > ${DESTDIR}/etc/group
cat >${DESTDIR}/scripts/local-top/network_ssh << 'EOF'
#!/bin/sh
# we start the network and ssh-server
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# build up helpful environment
[ -d /dev ] || mkdir -m 0755 /dev
[ -d /root ] || mkdir --mode=0700 /root
[ -d /tmp ] || mkdir /tmp
[ -d /sys ] || {
mkdir /sys
mount -t sysfs -o nodev,noexec,nosuid none /sys
}
[ -d /proc ] || {
mkdir /proc
mount -t proc -o nodev,noexec,nosuid none /proc
}
mkdir -p /var/lock
mkdir -p /var/log
touch /var/log/lastlog
mkdir /dev/pts
mount -t devpts -o gid=5,mode=620 /dev/pts /dev/pts
/bin/sleep 5
################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 172.16.2.128 netmask 255.255.255.0
route add default gw 172.16.2.2
################# CHANGE THE LINES ABOVE #################
# display the network settings for double check
ifconfig
# If you like to use dhcp make sure you include dhclient or pump in
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /sbin/dhclient
# for debugging ssh-server you may run it in forgound
# /usr/sbin/dropbear -E -F
# for more debugging you may run it with strace
# therfor you have to include strace and nc at top of
# /etc/initramfs-tools/hooks/dropbear via
# copy_exec /usr/bin/strace
# copy_exec /usr/bin/nc
# then start nc on an other host and run
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv <ip of other host> <nc port of other host>
# e.g.:
# /usr/sbin/dropbear -E -F 2>&1 | /bin/nc -vv 192.168.1.2 8888
# We will use /dev/urandom because /dev/random gets easily blocked
mv /dev/random /dev/random.old
ln -s /dev/urandom /dev/random
# /usr/sbin/dropbear -E -F -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
/usr/sbin/dropbear -b /etc/dropbear/banner -d /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_rsa_host_key -p 22
#ls -al
rm -f /dev/random
mv /dev/random.old /dev/random
EOF
chmod 700 ${DESTDIR}/scripts/local-top/network_ssh
cat >${DESTDIR}/etc/dropbear/banner << 'EOF'
To unlock root-partition run
unlock
EOF
# script to unlock LUKS via ssh
# dirty but effective
cat >${DESTDIR}/usr/bin/unlock << 'EOF'
#!/bin/sh
/bin/sh /scripts/local-top/cryptroot
# Kill processes locking boot process
[ `ls /dev/mapper/ | grep -v control| wc -l | awk '{print $1}'` -gt 0 ] && {
for i in `ps | grep -E "cryptroot|cryptsetup" | awk '{ print $1 }'`
do
kill $i
done
}
/bin/sh /scripts/local-bottom/rm_dropbear
EOF
chmod 700 ${DESTDIR}/usr/bin/unlock
# make sure we exit dropbear at the end of the startup process
cat >${DESTDIR}/scripts/local-bottom/rm_dropbear << 'EOF'
#!/bin/sh
PREREQ=""
prereqs()
{
echo ""
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
# Begin real processing below this line
# we kill dropbear ssh-server
/usr/bin/killall dropbear
EOF
chmod 700 ${DESTDIR}/scripts/local-bottom/rm_dropbear


Step 0: Enable root login

First, you have to enable the root account.



sudo passwd root


The reason I say that root must be enabled is that I couldn't work out how to get the whole sudo permission stuff into the initrd. I'm sure there must be a way, and if someone is willing to take up the challenge, please go ahead. However, you only need root login enabled during the creation of the initrd. Once it's created, the relevant files are saved in there and you can disable root login on the actual installation again. The root login is only required to log into dropbear and then run the unlock script. It's not used for anything else.


Step 1: Install required packages

Install those packages:




sudo apt-get install psmisc busybox dropbear


Step 2: Configure network

In the script, change the network configuration to your needs. I have so far only used static IPs. The script itself also provides an option for DHCP; however, I did not try it.


################# CHANGE THE LINES BELOW #################
# The network setup: edit ip address and gateway to match your needs
ifconfig eth0 172.16.2.128 netmask 255.255.255.0
route add default gw 172.16.2.2
################# CHANGE THE LINES ABOVE #################

The above settings are just the values from my vmware machine on where I tested it.


Step 3: Save the script and make it executable:

Save the altered script to /etc/initramfs-tools/hooks/dropbear and then make it executable:



sudo chmod +x /etc/initramfs-tools/hooks/dropbear


Step 4: Create new initrd

Run this command to create a new initrd with the name of "netboot". Of course you can rename "netboot" to anything you like.



sudo mkinitramfs -o /boot/netboot


Step 5: Edit /boot/grub/menu.lst and add your new initrd as the first entry

Now you have to edit grub's menu list to add the new initrd.


Run:



sudo nano /boot/grub/menu.lst


to edit the menu.lst in nano.


Go to the end (or almost) and copy an existing kernel entry e.g.


title           Ubuntu 8.04.1, kernel 2.6.24-19-generic
root (hd0,1)
kernel /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
initrd /initrd.img-2.6.24-19-generic

Change it to something like:


title           Netboot
root (hd0,1)
kernel /vmlinuz-2.6.24-19-generic root=/dev/mapper/sda4_crypt ro quiet splash
initrd /netboot

Don't copy my example directly but use yours. That way the root hd entry and the mapper name are correct.


Finally, at the top of the menu.lst also change the default boot entry accordingly. If you have 7 kernel entries, then you will put a "6" there because it starts with 0 and you add the netboot one at the bottom.


Step 6: Delete the dropbear script in the hooks folder

When I tried it on my machine, after a kernel upgrade there were some problems (which may have resulted from my earlier tries with a buggy script). Just to make sure, delete the dropbear script from the folder.



sudo rm /etc/initramfs-tools/hooks/dropbear


Step 7: Profit!

That's it... it should be working now.


A few things to mention

- Well, in the script I currently call ifconfig after the network configuration. I did that for bug tracing. You can of course delete that from the script.


- After you have now created the netboot initrd, you can either change the root password again or disable root login. As the initrd is not encrypted, it is possible to extract the hash of the root password from it, so you want the real system's root password to differ from the one used for remotely unlocking the crypto drives. I highly recommend changing the password or disabling root login on the actual machine.


Change root password



sudo passwd root


or delete the root password (disable root)



sudo passwd -l root


- Although the system is fully encrypted, there are still two possible attacks left to gain access to the data:


  (1) Cold boot attack: reading the crypto password from the RAM chips (not much you can do against that without special hardware, see here)


  (2) The created initrd can be manipulated so that it logs the crypto password somewhere. As /boot is not encrypted, an attacker may obtain the password for the LUKS devices this way. To prevent that, you could make a bootable CD with the according kernels and initrds and implement some kind of hash check... maybe there are other methods... feedback is welcome here.


- Most of this tutorial is not from me; I only added a few adaptations and explanations. So thanks go to Wolfram Coulmann and the others who modified the original script.
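A sanity check for the initrd built in Step 4, added here and not part of the tutorial's hook script: it confirms the image carries the dropbear binary, host keys, banner and the three scripts from above, and flags a packed-in etc/shadow, which is the unencrypted root hash the note above warns about. It assumes a gzip-compressed initrd as mkinitramfs produces and uses cpio to list it; the sample listing is constructed.

```shell
#!/bin/sh
# Added sanity check, not part of the tutorial's hook script: confirm a freshly
# built initrd (Step 4) carries everything the remote unlock relies on, and flag
# a packed-in etc/shadow, which is the unencrypted root hash the notes warn about.
# Reads a file listing, one path per line as "zcat initrd | cpio -t" prints it.
#   returns 0: all required files present, no etc/shadow inside
#   returns 1: at least one required file missing (names on stderr)
#   returns 2: required files present, but etc/shadow is inside the image
check_initrd_listing() {
    listing=$(cat)
    rc=0
    for want in usr/sbin/dropbear \
                etc/dropbear/dropbear_rsa_host_key \
                etc/dropbear/dropbear_dss_host_key \
                etc/dropbear/banner \
                scripts/local-top/network_ssh \
                scripts/local-bottom/rm_dropbear \
                usr/bin/unlock; do
        # cpio prints entries with or without a leading "./"; match both exactly
        if ! printf '%s\n' "$listing" | grep -qxF -e "$want" -e "./$want"; then
            echo "MISSING: $want" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1
    if printf '%s\n' "$listing" | grep -qxF -e etc/shadow -e ./etc/shadow; then
        echo "WARNING: etc/shadow (root password hash) is inside the unencrypted initrd" >&2
        return 2
    fi
    return 0
}

# Run the check against a real, gzip-compressed image: check_initrd /boot/netboot
check_initrd() {
    zcat "$1" | cpio -t --quiet | check_initrd_listing
}

# Constructed listing standing in for "zcat /boot/netboot | cpio -t" output
SAMPLE_LISTING='./bin/sh
./usr/sbin/dropbear
./etc/dropbear/dropbear_rsa_host_key
./etc/dropbear/dropbear_dss_host_key
./etc/dropbear/banner
./scripts/local-top/network_ssh
./scripts/local-bottom/rm_dropbear
./usr/bin/unlock'

printf '%s\n' "$SAMPLE_LISTING" | check_initrd_listing && echo "sample initrd: OK"
```

Recording `sha256sum /boot/netboot` on read-only media after the check and comparing it before each boot is one way to implement the hash check mentioned under attack (2).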


Read more...

New Opera Web Browser Released ver 9.5

Opera has released another version of its flagship Web browser of the same name. It comes with unique features, many of which are not yet available out of the box on other browsers.

I have always found using Opera to be a pleasant experience. Some new features offered by Opera are as follows:

  1. Opera Link: For the first time ever, all your bookmarks, Speed Dial entries and notes taken in the Opera Web browser follow you everywhere. You can even access them from your mobile phone. The catch is that you must use the Opera Web browser. Opera offers space on its server to store your bookmarks and other settings, which makes this possible.
  2. Quick Search: Opera indexes not only the Web addresses you visit, but also the words on the pages you've visited. So if you do not remember the address but do remember a word from the page, typing it in the address bar lets you zero in on the right page.
  3. Better protection against fraud.
  4. A clean skin.

Opera has also claimed:

"It's faster, lighter and pushes us further out in front of other browsers, by blending the mobile and desktop worlds together in new and powerful ways."


But let the end users decide. Why not visit Opera's site, download the latest version 9.5 and take it for a spin? For all you know, you might get hooked on another fabulous Web browser.


Read more...

Apache : Reduce Log File Disk Usage

Slowly I saw my hard drive use more and more space, and I knew it was the log files that kept growing. I discovered that the Apache log files were the worst: about 1 GB of space used in 3 months.

So I decided to make a bash script, which compresses the Apache log files every month.

The script can be altered to your needs:

#!/bin/bash
# Compress last month's Apache log directory, /var/www/<site>/log/YEAR/MM,
# for every site directory under /var/www whose name contains "web".
# The month is computed with GNU date(1): subtracting 1 from "$(date +%m)"
# breaks in January (month 0) and for "08"/"09", which bash rejects as octal.
set -u

# last day of the previous month, e.g. 2008-06-30 when run on 2008-07-01
PREV="$(date +%Y-%m-01) -1 day"
YEAR=$(date -d "$PREV" +%Y)
MONTH=$(date -d "$PREV" +%m)    # zero-padded, e.g. 06

for dir in /var/www/*web*/log/"$YEAR"/"$MONTH"; do
    [ -d "$dir" ] || continue
    cd "$(dirname "$dir")" || continue
    # delete the directory only after the archive was written successfully
    if tar -zcf "$MONTH.tar.gz" "$MONTH"; then
        rm -rf "$MONTH"
    fi
done

Then you run this script from your crontab on the first day of each month:

05 03 1 * * sh /root/logclean.sh


Read more...

Guide : Whitelist Hosts In Postfix

If you run a mail server and use blacklists to block spam, you probably know this problem: from time to time your customers complain that they cannot receive e-mails from certain freemailers. Most often this happens because the freemailer has been abused to send spam and has therefore ended up on a blacklist. This little guide shows you how to whitelist such hosts on a Postfix mail server to make your customers happy.
I don't give any guarantee that it works for you!

If a blacklisted server tries to send mail to your server, you should find something like this in your mail log:

SMTP error from remote mail server after RCPT TO:<bla@example.com>: host mail.example.com [4.3.2.1]: 554 5.7.1 Service unavailable; Client host [1.2.3.4] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?1.2.3.4

In this example, the mail server 1.2.3.4 is blacklisted and therefore blocked.

To whitelist that server, create the file /etc/postfix/rbl_override where you list all IP addresses or host names (one per line!) that you want to whitelist:

vi /etc/postfix/rbl_override

1.2.3.4 OK
1.2.3.5 OK
mail.freemailer.tld OK

After you've created/modified that file, you must run

postmap /etc/postfix/rbl_override

Next open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions parameter. Add check_client_access hash:/etc/postfix/rbl_override to that parameter, after reject_unauth_destination, but before the first blacklist.

So if smtpd_recipient_restrictions looks like this now...

vi /etc/postfix/main.cf


[...]
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client multi.uribl.com,
reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client combined.rbl.msrbl.net,
reject_rbl_client rabl.nuclearelephant.com,
permit
[...]
... modify it so that it looks as follows:

[...]
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_client_access hash:/etc/postfix/rbl_override,
reject_rbl_client multi.uribl.com,
reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client combined.rbl.msrbl.net,
reject_rbl_client rabl.nuclearelephant.com,
permit
[...]
That's it! Restart Postfix, and you're done:

/etc/init.d/postfix restart
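The placement rule above is the security-relevant part of this guide, so here is an added check (not from the original guide) that verifies where the override map sits in the restriction list: whitelisted clients get an OK, which before reject_unauth_destination would let them relay through your server, and after a reject_rbl_client comes too late to override that blacklist. The corrected list from this guide (shortened) is used as sample input; the misplaced variant is constructed.

```shell
#!/bin/sh
# Added check, not from the original guide: verify where the rbl_override
# whitelist sits in smtpd_recipient_restrictions. check_client_access returns
# OK for listed hosts, so placed before reject_unauth_destination it would let
# them relay through the server; placed after a reject_rbl_client, that
# blacklist already rejected the client before the whitelist is consulted.
# Input on stdin is the parameter value as "postconf -h smtpd_recipient_restrictions"
# prints it (comma and/or whitespace separated). Returns 0 if placed right, 1 otherwise.
check_override_position() {
    i=0; pos_override=""; pos_unauth=""; pos_first_rbl=""
    # split the value into tokens; "check_client_access hash:..." becomes two
    for tok in $(tr ',' ' '); do
        i=$((i + 1))
        case "$tok" in
            hash:/etc/postfix/rbl_override) pos_override=$i ;;
            reject_unauth_destination) [ -n "$pos_unauth" ] || pos_unauth=$i ;;
            reject_rbl_client)         [ -n "$pos_first_rbl" ] || pos_first_rbl=$i ;;
        esac
    done
    if [ -z "$pos_override" ]; then
        echo "rbl_override map is not referenced at all" >&2; return 1
    fi
    if [ -z "$pos_unauth" ] || [ "$pos_override" -lt "$pos_unauth" ]; then
        echo "whitelist precedes reject_unauth_destination: listed hosts could relay" >&2; return 1
    fi
    if [ -n "$pos_first_rbl" ] && [ "$pos_override" -gt "$pos_first_rbl" ]; then
        echo "whitelist comes after a reject_rbl_client: it cannot override that blacklist" >&2; return 1
    fi
    return 0
}

# The corrected list from the guide (blacklists shortened), used as sample input
GOOD_RESTRICTIONS='reject_invalid_hostname, reject_unauth_pipelining, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_client_access hash:/etc/postfix/rbl_override,
reject_rbl_client multi.uribl.com, reject_rbl_client dnsbl.sorbs.net, permit'

# Constructed misplacement: whitelist before reject_unauth_destination (open relay risk)
BAD_RESTRICTIONS='permit_mynetworks, check_client_access hash:/etc/postfix/rbl_override,
reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, permit'

printf '%s\n' "$GOOD_RESTRICTIONS" | check_override_position && echo "placement OK"
```

On a live system feed it the real value: postconf -h smtpd_recipient_restrictions | check_override_position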


Read more...