Pareto Security :: Description of features

Below is a description of the advanced features of Pareto Security listed in the Advanced settings of the dashboard.

As stated, it is best not to use these features unless you know a thing or two about web security. 99% of what Pareto Security does, it does in its default settings, so you do not need to enable these extra features. Doing so increases the chance that legitimate users' IP addresses get accidentally banned.

The first two features are enabled by default; you do not need to enable advanced filtering to enable them.

  • Hard ban attempts to attack the webserver: Some requests made to your webserver can only be attempts to attack the server. These are prevented from executing, and the IP address the request originated from is banned from accessing your website again.
  • Hard ban attempts to inject malicious code into the database: The same as above except this separates out attempts to attack the database.

The rest are enabled by enabling advanced filtering:

  • Hard ban injection attempts via browser user-agents: Every web browser sends a User-Agent header stating what type of browser it is. An attacker can set this header to anything, including attack scripts aimed at your website. Many malicious requests of this kind are benign blind attempts; others are very serious attack attempts, and it is these serious ones that are banned. There is, however, a small risk of banning the IP address of a legitimate user. For this reason, and for all of the following features, it is best not to use them unless you understand the risks.
  • Advanced HTTP_HOST filtering: Aims to address the HTTP_HOST and SERVER_NAME spoofing issues described at https://expressionengine.com/blog/http-host-and-server-name-security-issues
  • Soft Ban Bots: Not all bots are bad, but many are vulnerability scanners intent on mapping your website in preparation for an attack. In advanced mode this blocks any request to browse your website where the User-Agent is not that of a usual web browser. Soft ban means the request is blocked but the IP address is not permanently banned.
  • Advanced POST Filtering: With some older versions of PHP (versions older than 5.4) it is quite easy to carry out a denial of service attack via blind posting of data. These methods are not well known; one of them I discovered myself. However, if they were to become well known it could get quite messy, since WordPress still recommends some versions of PHP older than 5.4.
  • Domain Name Safe List: This is related to the Advanced HTTP_HOST filtering feature. When you first enable Advanced Filtering, the domain name of your website is registered as the official domain. This works in most instances, but in rare cases (typically a site legitimately reached under more than one hostname) it will cause problems, which is what the safe list is for.
  • Filter login attempts: This feature compares the login username against the database list of users and blocks the request from continuing if the username is not registered. When the Hard Ban option is left disabled this merely blocks the request; if Hard Ban is enabled, the IP address of the requester is added to a permanent ban list.

Again, there is no need to enable Advanced Filtering, and certainly do not enable the Hard Ban option if you do not know how to edit an .htaccess file, since undoing a mistaken ban (including one of your own address) means removing it from that file by hand.
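The Hard Ban features above end up as permanent deny rules, which is why the warning about .htaccess matters. The following is an added example, not Pareto Security's own code (the page does not show its exact ban format), of what a safely managed ban list in an Apache 2.4 .htaccess looks like: an address is validated before it is written, so nothing but a dotted-quad IPv4 address ever lands in the file, bans are idempotent, and there is an unban path. The marker comments, function names and the `Require not ip` inside `<RequireAll>` layout are this example's own choices (the latter is the documented Apache 2.4 idiom); it needs GNU sed and does not handle IPv6.

```shell
#!/bin/sh
# Manage a permanent IP ban list in an Apache 2.4 .htaccess file.
# Added example, not Pareto Security's code. Assumed (hypothetical) layout:
#   # BEGIN hardban
#   <RequireAll>
#   Require all granted
#   Require not ip 203.0.113.5
#   </RequireAll>
#   # END hardban

# Accept only a dotted-quad IPv4 address with each octet 0-255: no CIDR, no
# trailing text, so a hostile value can never inject an Apache directive.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Create the managed block once; leave an existing one alone.
ensure_block() {   # FILE
    file=$1
    [ -f "$file" ] || : > "$file"
    grep -q '^# BEGIN hardban$' "$file" && return 0
    printf '%s\n' '# BEGIN hardban' '<RequireAll>' 'Require all granted' \
        '</RequireAll>' '# END hardban' >> "$file"
}

is_banned() {      # FILE IP -> 0 if a ban line for IP exists
    grep -Fxq "Require not ip $2" "$1"
}

ban_ip() {         # FILE IP -> 0 on success (or already banned), 1 on bad address
    file=$1; ip=$2
    valid_ipv4 "$ip" || { echo "refusing to write invalid address: $ip" >&2; return 1; }
    ensure_block "$file"
    is_banned "$file" "$ip" && return 0
    # Insert the new rule just before the closing tag of the managed block.
    sed -i "/^# BEGIN hardban$/,/^# END hardban$/ s|^</RequireAll>$|Require not ip $ip\n</RequireAll>|" "$file"
}

unban_ip() {       # FILE IP -> removes the rule; only touches the managed block
    valid_ipv4 "$2" || return 1
    sed -i "/^# BEGIN hardban$/,/^# END hardban$/{/^Require not ip $2$/d}" "$1"
}

# CLI: hardban.sh ban|unban|check FILE IP
case "${1-}" in
    ban)   ban_ip "$2" "$3" ;;
    unban) unban_ip "$2" "$3" ;;
    check) is_banned "$2" "$3" && echo banned || echo "not banned" ;;
esac
```

Keeping the rules inside a marked block means the rest of the .htaccess (rewrite rules, WordPress's own section) is never touched by the script, and `unban_ip` is the recovery path the warning above is really about: if you lock out your own address, this is the line you delete.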

Tor network friendly hammer for rotten onions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Quick Rationale:

Tor Hidden Services ( TorHS ) allow users of Tor to host their services/websites in such a way that it is very hard to track the hosting location, and even to attack them where necessary. This website, for example, is run on a TorHS hosted webserver, as is the Aotearoa Leaks Dead Drop.

There are some TorHS websites that, well, just need a fucking scrub-cutter taken to them. In order to justify, on balance, the existence of Tor itself, which makes it possible for these sites to exist with impunity ( along with, of course, lots of other sites and services that are beneficial to planet Papatuanuku ), a targeted attack is needed against TorHSs that can effectively dice a bad onion without hurting Tor's volunteer anonymity network of guards, relays, exit nodes etc.

Criteria of the attack:

1/ A method preferably restricted to attacks against TorHS webservers only; otherwise the attack can be used on non-TorHS websites, using up Tor resources without benefiting the Tor volunteer anonymity network and/or resulting in blacklisting of Tor exit nodes.
2/ Does not overwhelm Tor's volunteer guard/bridge/relay network: the attack needs to use as little Tor resources as possible.

Fortunately someone has already come up with an implementation that does just this. Rootseck's Torloris delivers the Slowloris attack via Tor onto its intended target.

The attack is a thread-consumption attack on Apache: Slowloris opens many connections and keeps each one alive by trickling out an HTTP request that never completes, so it uses very little data. The one issue is that Torloris can also be used against any website, which could result in many if not all of the Tor exit relays being needlessly banned.

I present Torloris For Onions. This is a quick’n’crude edit of Torloris to restrict it to *.onion websites only.

1/ You will need Tor ( TorBrowser ), Perl and the IO::Socket::Socks module
2/ Windblows users will need ActiveState Perl, then install the IO::Socket::Socks module with ppm
Example: c:\perl\bin\ppm install IO::Socket::Socks

Usage: Obviously edit the demo onion URL ( abcdefghijklmnop.onion ) and replace it with the onion address that needs slicing and dicing.

Code Repository: https://github.com/Taipo/TorLoris-For-Onions
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

Pareto Security PHP Core Security Class

Protect your WordPress user inputs from the usual array of attack vectors

Had enough of the security theatre presented by the raft of WordPress security plugins? Time to put a stop to the attacks!

Firstly, WordPress and most other CMSs are built using PHP, a language that makes insecure code very easy to write, and worse still in the hands of amateurs.

WordPress has been plagued by plugins authored by amateurs that bring with them security vulnerabilities.

Security plugin designers mostly focus on cleaning up attacks rather than stopping them dead in their tracks.

Pareto Security class acts as a Central Security Hub checking all inputs from users, preventing bad requests from executing on your website.

* Real Attack Prevention that can be achieved via a plugin
* Automatic Blacklist Management
* Easy-To-Use
* No customisation needed
* Works silently, you only get notified when you really want to be notified
* Completely Free
* and much more…

PARETO SECURITY PROTECTION
* Pareto Security Protection identifies and blocks malicious traffic.
* Pareto Security Protection dynamic IP Blacklist protects your site while reducing load.
* Protects your site at the entry point, stopping attack penetration of your WordPress site.
* Extends WordPress inbuilt security, defends your website against vulnerabilities added in via bad plugin coding.

PARETO SECURITY TOOLS
* Monitor blocked attack attempts
* Optionally receive notifications of *REAL* attack attempts that Pareto Security has blocked

A Word on Security
By the very nature of plugins:

  • No plugin should ever claim to be a Web Application Firewall.
  • No security plugin can save your website from really-really badly written site, theme and/or plugin code.
  • No security plugin can save your site from attacks that result from when administrators do not follow basic security practices.

Keeping any CMS as secure as possible is not easy. The very best thing you can do to prevent attacks is to always keep your website code, themes and plugins up to date, and remove any plugins and themes you are not using.

See https://hokioisecurity.com/?p=343 for extended description of advanced features.

Download Options:

Option 1: Install from WordPress via your admin dashboards Plugins section

Option 2: Download directly from WordPress – https://wordpress.org/plugins/pareto-security/

Canary Statement


noun

1… A small songbird in the finch family, Serinus canaria domestica, originally native to islands in the North Atlantic.


2… A mechanism to test for unsafe conditions, originating from the use of canaries in coal mines to detect poisonous gases or cave-ins. If the canary died, it was time to get out of the mine. More recently, the term has been used by some online service providers to refer to an affirmative statement, updated regularly, that the provider has not been subjected to certain legal processes. If the statement is not updated in a timely fashion, users may infer that the canary statement may no longer be true.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Status: All good
Period: June 1 to December 31, 2018

As of 2018, Hokioi Security has not received any secret court orders, and has not been subject to any gag order by any FVEY secret courts, or any other similar court of any government.

Hokioi Security has never placed any backdoor subroutines or malicious code in any of our applications.

We also have not received any requests to do so, and neither would we do so under any duress.

Hokioi Security has never disclosed any user communications to any third party.

Regarding server seizures, in June 2004 and October 2007 the NZ Police seized several of Hokioi Security’s servers.

These servers were returned and promptly destroyed as is the strict security policy of Hokioi Security.

All Hokioi Security server hard drives are encrypted.

Finally, even if Hokioi Security did receive any such secret court orders, we have never, and will never-ever fracking comply!!!

Te Taipo
Security Researcher
Hokioi Security
https://hokioisecurity.com
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/l/8slIXB864vHI+TaSqQAWX3kIFAlsLF1wACgkQTaSqQAWX
3kIySw/+N+YpbG6dKEEjvA1gDnBfGF3HLIppf/J/Z0Surr/3y8zPWvzCojCLICtY
Gg1o6XXdwCH3uz6W1j6gIHCShfHacyCV3TxqPAkwU5vzEkaYy8f2whKnMnvgy4XU
KdTRrrDrcfOlVGeYN2GdyYeYr2yPRGXHL7/0Sdo7OELpZ5fptrToxA6RncnWULFN
dObHTZ2jWQaHOZVd90AvtTf50m7hE5P6r2I9+YOfGN2C7O25p0FrLffkD/KKNGSe
cyyfJebcBZcr4ZVWfT7fAQIThv9WxgBgrf+PZWISdLU7E4IkXYyPOaPiNXXxh7hd
j24dYKRxrcurZSCqpEBp7attHfnagPznLrsxDJOOcHrocCQ3oXVonpYJX+IY2UnW
J92+E6lq7m2mUzd8+IlAgvpwOAWvutLEI7lJTcR3A0fSvY+o5t/VlKOVTSgceKAE
1hh3UWtWIkGiy9Q7LWIU7pLVpnS0MY1cfLM0CCgoFb7gMsoDygMia6k/JWMRU7jR
rYZ5m7Z6U6zGfcVwWBKJ4vitPUAzTfJk+jThXg4c/2cl0qyiIAf00fNW60C7qfeU
idso+dfvOwUeHEtbVRlBF2+SZuN1xUo2212rqWY0TzRofsh8iikwhV7bLx7ATfvP
lKpxMPVydPUbUnlwOAa22wAmMpvOAs4/IKhlx/kzQLUKe5+oX+M=
=dJ77
-----END PGP SIGNATURE-----

Configuring A Hidden Service on Ubuntu Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A) Ubuntu Server:

1 Go to http://www.ubuntu.com/download/server.
1.1 Download Ubuntu Server and install.

1.2 Configure Networking

1.3 Update

sudo apt-get update
sudo apt-get upgrade -y

2 Extra Security
2.1 Install the following:

sudo apt-get install ufw chkrootkit rkhunter

2.2 Configure ufw ( Uncomplicated Firewall )
sudo ufw default deny incoming
sudo ufw default allow outgoing
2.2.1 Manually edit UFW to disable inbound ICMP:
sudo vi /etc/ufw/before.rules
Comment out the 5 rules in the ‘ok icmp codes for INPUT’ section:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Note: commenting out echo-request stops the box answering pings. Dropping destination-unreachable and time-exceeded as well also breaks path MTU discovery and traceroute responses for the server's own outbound connections, Tor's included; only do that if you accept the trade-off.

2.2.2 Enable the Uncomplicated Firewall:
sudo ufw enable

2.3 Configure chkrootkit
sudo vi /etc/chkrootkit.conf

Edit:
RUN_DAILY="true"
RUN_DAILY_OPTS=""

2.3.1 Manually run chkrootkit ( do this regularly; it needs root, and "&>" is bash-only so redirect both streams explicitly )
sudo chkrootkit > chkrootkit.log 2>&1

2.4 Set cron for RKHunter:
sudo vi /etc/default/rkhunter

Edit:
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"

2.5 Manually run RKHunter
sudo rkhunter --propupd --update --versioncheck

2.6 Disable IPv6
sudo vi /etc/default/grub
Find:
GRUB_CMDLINE_LINUX_DEFAULT=""
Inline edit. The kernel parameter is ipv6.disable=1 ("ipv6.disabled=1" is silently ignored); if the line already holds options such as "quiet splash", append to them rather than replacing them:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

2.6.1 Update Grub
sudo update-grub

Important: At this point the server is ready for you to install either the SecureDrop or the GlobaLeaks platform. However, if you intend to run your hidden service for something other than a secure whistleblower platform, complete the following:

3 Install apache2 and tor packages:
sudo apt-get install -y apache2 tor

3.1 Configure apache2 to listen on 127.0.0.1 only ( ports.conf is root-owned, so write it via tee ):
echo "Listen 127.0.0.1:80" | sudo tee /etc/apache2/ports.conf

3.2 Optionally change Apache’s user from www-data to debian-tor. Understand what this trades away first: a hidden service does not need it ( Tor only opens a TCP connection to 127.0.0.1:80 and never reads Apache’s files ), and it gives Apache, and any PHP it runs, read access to everything debian-tor owns, including the onion service private key under /var/lib/tor/hidden_service. The FilesMatch rule in 4.1 only stops that key being served over HTTP, not being read by a compromised script. Unless you have a specific need, leave Apache as www-data and skip to section 4. If you do change it:
sudo vi /etc/apache2/envvars
export APACHE_RUN_USER=debian-tor
export APACHE_RUN_GROUP=debian-tor
sudo service apache2 stop
sudo chown -R debian-tor:debian-tor /var/{lock,log}/apache2 /var/www

4 Security:
4.1 Make sure the onion service key files can never be served over HTTP. This matters if Tor’s directory could ever end up under a DocumentRoot, or if you went ahead with 3.2; it stops the files being served, not being read by code running inside Apache:
sudo vi /etc/apache2/apache2.conf
<FilesMatch "^(private_key|hs_ed25519_secret_key|hs_ed25519_public_key)$">
Require all denied
</FilesMatch>
( private_key is the v2 onion key file; current Tor releases create v3 services, whose key files are hs_ed25519_secret_key and hs_ed25519_public_key. )

4.2 Change two options:
sudo vi /etc/apache2/conf-enabled/security.conf
ServerSignature Off
ServerTokens Prod

4.3 Disable the server-status module:
sudo a2dismod status
a2dismod removes the symlinks from mods-enabled, which is all that is needed; deleting the files from mods-available as well gains nothing, and the package manager puts them back on the next apache2 upgrade.

4.4 Return 403 Forbidden to requests for /server-status, in case the module is ever re-enabled:
sudo vi /etc/apache2/sites-enabled/000-default.conf
Append to bottom:
<Location /server-status>
Require all denied
</Location>
Do not mix the Apache 2.2 "Order deny,allow" syntax with 2.4 "Require" directives ( the 2.2 form needs mod_access_compat and the combination is a well-known source of confusing access results ), and leave out "SetHandler server-status", which has no handler to point at once the module is disabled.

Important:
Only install MYSQL & PHP if you need to use them

5 Install MYSQL:

5.1 Run the following ( these php5 package names are for releases up to Ubuntu 14.04; from 16.04 onwards the package is php-mysql, and libapache2-mod-auth-mysql is no longer shipped )
sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
sudo mysql_install_db
sudo /usr/bin/mysql_secure_installation
Follow instructions…

6 Install PHP:

6.1 Run the following commands ( php5 package names as in 5.1; on Ubuntu 16.04 and later use php and libapache2-mod-php )
sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt
sudo nano /etc/apache2/mods-enabled/dir.conf

Add the following:
<IfModule mod_dir.c>
DirectoryIndex index.php index.html index.htm
</IfModule>
Don’t forget to configure your php.ini file!

7 Let’s create your first hidden web page. Check the DocumentRoot in /etc/apache2/sites-enabled/000-default.conf first: on current Ubuntu Apache packages it is /var/www/html, not /var/www. Use index.php only if you installed PHP in step 6:
echo "Hello world!" | sudo tee /var/www/html/index.html

8 Restart apache2:
sudo service apache2 restart

9 Tor:
9.1 Let’s configure Tor ( torrc is root-owned, so append via tee ):
sudo tee -a /etc/tor/torrc << EOF
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 80 127.0.0.1:80
EOF

9.2 AppArmor: no change to /etc/apparmor.d/system_tor is needed for this setup. AppArmor confines the /usr/bin/tor executable, not the debian-tor user, so Apache is unaffected by the system_tor profile, and Tor itself never touches /var/www; it only connects to 127.0.0.1:80. In particular, do not add a line such as
owner /var/www/** rwk,
to the profile: it widens what a compromised Tor process could write and protects nothing. If something does fail with an AppArmor denial ( look for apparmor="DENIED" in the kernel log ), grant exactly what the denial names and then reload the profiles:
sudo service apparmor reload

9.3 Restart the Tor daemon:
sudo service tor restart
Your onion address is then in /var/lib/tor/hidden_service/hostname ( readable as root or debian-tor ).

10 DoS Attack Mitigation ( this is what blunts Slowloris-style slow-request attacks on Apache’s worker pool ):
10.1 Enable mod_reqtimeout ( the module name is lower case; on Ubuntu it is normally enabled already ):
sudo a2enmod reqtimeout
Its limits live in /etc/apache2/mods-enabled/reqtimeout.conf; the Debian/Ubuntu file ships a line like
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
which drops a client that has not finished sending its request headers within 20 seconds ( extended up to 40 seconds while it keeps sending at least 500 bytes/s ). Lower values make slow-header attacks more expensive for the attacker; too low and legitimate clients on slow Tor circuits get cut off.

10.2 Harden the prefork MPM
sudo vi /etc/apache2/mods-enabled/mpm_prefork.conf
Set MaxRequestWorkers higher than the default 150, and raise ServerLimit to match ( MaxRequestWorkers cannot exceed ServerLimit ):
MaxRequestWorkers 500
ServerLimit 500
Each prefork child is a full process; with mod_php each one can take tens of megabytes, so 500 workers need the RAM to back them or the box swaps itself to death before the attacker finishes. Size this to your memory, and remember that a bigger pool only raises the attacker’s bill, it does not remove the ceiling.

10.3 Edit Apache configuration file
sudo vi /etc/apache2/apache2.conf
Set Timeout to something lower than the default 300:
Timeout 30
10.4 Restart Apache
sudo service apache2 restart

Final Tips:
– – You need to harden your Apache and PHP. There are plenty of tutorials around that explain all of this.
– – Use torsocks ( torify ) to do updates, so that fetching packages does not reveal the server’s real address to the mirrors.
– – MANDATORY: Use a network firewall. I recommend SG-22220 pfSense router

  • Allow Tor outbound
  • Allow DNS
  • Allow NTP
  • Drop all other traffic
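Steps 3 to 10 each change a file, and nothing above checks afterwards that the changes took. The script below is an added example, not part of the original guide, that audits the state those steps should leave behind: Apache bound to loopback only, ServerTokens and ServerSignature set, mod_status not enabled, every HiddenServicePort forwarding to loopback (otherwise the service is also reachable from the clearnet), a RequestReadTimeout in force, and the correct ipv6.disable=1 kernel parameter. Every check takes the file path as an argument so it can be run against copies; the default paths in run_audit are the Debian/Ubuntu ones used in the steps. It needs only sh, sed, awk and grep.

```shell
#!/bin/sh
# Audit of the hidden-service hardening steps above. Added example, not part
# of the original guide. Each check returns 0 (pass) or 1 (fail) and takes
# the config file to inspect as its argument.

# Drop comments so a commented-out directive is not mistaken for a live one.
uncommented() { sed 's/#.*//' "$1"; }

# 3.1: every Listen line must bind 127.0.0.1. No Listen line at all also
# fails, because Apache then listens on port 80 on every interface.
check_listen_loopback() {
    addrs=$(uncommented "$1" | awk '$1 == "Listen" { print $2 }')
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case $a in 127.0.0.1:*) ;; *) return 1 ;; esac
    done
}

# Value of the last uncommented occurrence of a directive (last one wins in
# Apache), lower-cased; directive names are case-insensitive.
directive_value() {   # FILE NAME
    uncommented "$1" | awk -v n="$2" 'tolower($1) == tolower(n) { v = $2 } END { print v }' \
        | tr '[:upper:]' '[:lower:]'
}
# 4.2
check_server_tokens()    { [ "$(directive_value "$1" ServerTokens)" = prod ]; }
check_server_signature() { [ "$(directive_value "$1" ServerSignature)" = off ]; }

# 4.3: a2dismod removes the symlink from mods-enabled; that is what counts.
check_status_disabled() { [ ! -e "$1/status.load" ]; }

# 9.1: each HiddenServicePort target must be loopback (or a unix socket).
# A missing target defaults to 127.0.0.1 on the virtual port; a bare port
# number means 127.0.0.1 on that port.
check_torrc_loopback() {
    targets=$(uncommented "$1" | awk '$1 == "HiddenServicePort" {
        t = $3; if (t == "") t = "127.0.0.1:" $2; print t }')
    [ -n "$targets" ] || return 1
    for t in $targets; do
        case $t in 127.0.0.1:*|unix:*) ;; *:*) return 1 ;; *) ;; esac
    done
}

# 10.1: slow-header protection is only in effect with a RequestReadTimeout.
check_reqtimeout() {
    [ -f "$1" ] && uncommented "$1" | grep -qi '^[[:space:]]*RequestReadTimeout[[:space:]]'
}

# 2.6: the kernel parameter is ipv6.disable=1; "ipv6.disabled=1" does nothing.
check_ipv6_disabled() {
    uncommented "$1" | grep -q 'GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=1'
}

# Run every check against the default paths; exit 1 if any fails.
run_audit() {
    rc=0
    for c in \
        "check_listen_loopback /etc/apache2/ports.conf" \
        "check_server_tokens /etc/apache2/conf-enabled/security.conf" \
        "check_server_signature /etc/apache2/conf-enabled/security.conf" \
        "check_status_disabled /etc/apache2/mods-enabled" \
        "check_torrc_loopback /etc/tor/torrc" \
        "check_reqtimeout /etc/apache2/mods-enabled/reqtimeout.conf" \
        "check_ipv6_disabled /etc/default/grub"
    do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

case "${1-}" in audit) run_audit ;; esac
```

Run it as `sudo sh audit.sh audit` after step 10 and again after every package upgrade, since apache2 upgrades can re-enable modules and rewrite the files under conf-enabled. The torrc check is the one that catches the quiet mistake of forwarding to the machine's LAN address instead of loopback, which would expose the same content over the clearnet and deanonymise the service.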

Github
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJX+J3WAAoJEL7YCbL0gxCTz0QP/12Go+vQyTgV40S014hX+5XU
X6V2fW9GonOe6/wdedxKLuYfAFDruhs+xfhvb/noJjzbC1zQM/+oczr4E9GT9Jh9
x99Yfaw63budF4MaSmz5xQiX+jgFWUZwHVF7T30HPpaQ6cEZ9hg58N00Bz2KukYQ
ByRhQO9Z2JMnNyO9eq60XasEJyhXIUy2nis2BqGTz1sWlrZFhcq4u5VRlZaggSNy
55kVzFy4B7e3n96tGpRCykKYf4M9RtadoBa9EFQUaq0dVlvbV5cusaNCLKpOFBAR
4Jdil5jh69r3fS9qjJvL3RNGVFP+8xffnW16RONNxlUGLtN3IDcIQP438srKFlyn
YqtzWrgxIhfOcGWuHql5uxwcYIdlN9viX7CdeWylNeLH3njg2x1QCB5Hd8P1O6YF
jjoxekFGe4FO0MstfRXSQ7NReHO5S2w9pOwGzqrItdwFO1sbHLQy9rJCa6BZV+pL
dj0I0oxShZ2ipq67QQtWLPxclBDk+2Zl64UKkmJvZVgkfVW1l6j9jpN5cuXRosVK
CPaaAlNTtgd7NpWDvJsNi101yqcCg19jsgoSGOcrCE/xF7h1F5H5MRAYot+Y167t
TD+OixYBttKpu7AEcjyX3Xmby1QlJAluuDo7K2zpce6jvX1Hrh3OIqjNMr0qies4
RfwlQ96uerSXvaEqNUY+
=aU21
-----END PGP SIGNATURE-----