Pareto Security :: Description of features

Below is a description of the advanced features of Pareto Security listed in the Advanced settings of the dashboard.

As stated, it is best not to use these features unless you know a thing or two about web security. 99% of what Pareto Security does, it does in its default settings, so you do not need to enable these extra features. Enabling them increases the possibility that legitimate users' IP addresses may get accidentally banned.

The first two features are enabled by default; you do not need to enable advanced filtering to enable these features.

  • Hard ban attempts to attack the webserver: There are requests made to your webserver that can only be attempts to attack the server. These are prevented from executing, and the IP address the request originated from is banned from accessing your website again.
  • Hard ban attempts to inject malicious code into the database: The same as above except this separates out attempts to attack the database.

The rest are enabled by enabling advanced filtering.

  • Hard ban injection attempts via browser user-agents: Every web browser sends a piece of information stating what type of browser it is. This can be spoofed by an attacker and can contain attack scripts to exploit your website. Many malicious requests spoofed in this manner are benign blind attempts; others are very serious attack attempts, and these serious ones are banned. There is however a tiny risk of banning the IP address of a legitimate user, so for this reason, and for all of the following features, it is best not to use these unless you know the risks.
  • Advanced HTTP_HOST filtering: Aims to address this –
  • Soft Ban Bots: As stated above, not all bots are bad – but many are indicators of vulnerability scanners intent on mapping your website in preparation for an attack, so in advanced mode this blocks any request to browse your website where the browser's user-agent is not that of a usual web browser. Soft ban means the request is blocked but the IP address is not banned permanently.
  • Advanced POST Filtering: In some earlier versions of PHP (older than 5.4) it is quite easy to carry out a denial of service attack via blind posting of data. These methods are not well known, one of them I discovered myself; however, if they were to become well known, since WordPress still recommends some versions of PHP older than 5.4, it could get quite messy.
  • Domain Name Safe List: This is related to the Advanced HTTP_HOST filtering feature. When you first enable Advanced Filtering, the domain name of your website is registered as the official domain. This works in most instances, however it will cause problems in rare cases.
  • Filter login attempts: This feature compares the login username against the database list of registered users and blocks the request from continuing if the username is not registered. When the Hard Ban option is left disabled, this merely blocks the request; however, if Hard Ban is enabled, the IP address of the requester is added to a permanent ban list.

Again, there is no need to enable Advanced Filtering, and certainly do not enable the Hard Ban option if you do not know how to edit an .htaccess file.
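Hard Ban adds the requester's IP to a permanent ban list, which on Apache means editing .htaccess. The following added example (not Pareto Security's own code) shows one way to maintain such a list safely from POSIX shell: it validates the address and refuses to ban anything on a safe list, guarding against the accidental lockout the text warns about. The file paths, the safe-list format and the `<RequireAll>` block layout are assumptions.

```shell
#!/bin/sh
# Added example, not Pareto Security's code. Keeps the permanent hard-ban list
# as a managed <RequireAll> block in .htaccess (Apache 2.4 syntax) and refuses
# to ban an address on the safe list so an admin can never lock themselves out.
# The file paths and the safe-list format (one IPv4 per line) are assumptions.
set -eu

HTACCESS="${HTACCESS:-./.htaccess}"
SAFELIST="${SAFELIST:-./safe_ips.txt}"
BEGIN="# BEGIN pareto-hard-ban"
END="# END pareto-hard-ban"

# Accept only a dotted quad whose octets are all 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Append the managed block once; everything outside it is never touched.
ensure_block() {
    [ -f "$HTACCESS" ] && grep -qF "$BEGIN" "$HTACCESS" && return 0
    printf '%s\n<RequireAll>\n    Require all granted\n</RequireAll>\n%s\n' \
        "$BEGIN" "$END" >> "$HTACCESS"
}

# hard_ban IP: 2 = malformed address, 3 = safe-listed (refused),
# 0 = deny rule present (added now or already there).
hard_ban() {
    ip="$1"
    valid_ipv4 "$ip" || return 2
    [ -f "$SAFELIST" ] && grep -qxF "$ip" "$SAFELIST" && return 3
    ensure_block
    grep -qxF "    Require not ip $ip" "$HTACCESS" && return 0
    # Insert the deny rule just before the block's closing tag, using awk so
    # that any other <RequireAll> blocks in the file are left alone.
    awk -v rule="    Require not ip $ip" -v b="$BEGIN" -v e="$END" '
        $0 == b { inblk = 1 }
        inblk && $0 == "</RequireAll>" { print rule }
        { print }
        $0 == e { inblk = 0 }' "$HTACCESS" > "$HTACCESS.tmp"
    mv "$HTACCESS.tmp" "$HTACCESS"
}

# Number of addresses currently hard-banned.
banned_count() {
    [ -f "$HTACCESS" ] || { echo 0; return; }
    grep -c '^    Require not ip ' "$HTACCESS" || true
}
```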

Tor network friendly hammer for rotten onions


Quick Rationale:

Tor Hidden Services ( TorHS ) allow users of Tor to host their services/websites in such a way that it is very hard to track the hosting location and even to attack them where necessary. This website for example is run on a TorHS hosted webserver, as is the Aotearoa Leaks Dead Drop.

There are some TorHS websites that, well, just need a fucking scrub-cutter taken to them…in order to on balance, justify the existence of Tor itself which makes it possible for these sites to exist with impunity ( along with of course, lots of other sites and services that are beneficial to planet Papatuanuku ), a targeted attack is needed against TorHS’s that can effectively dice a bad onion, but not hurt the Tor’s anonymity volunteer network of guards, relays, exit nodes etc.

Criteria of the attack:

1/ A method preferably restricted to attacks only against TorHS webservers, else the attack can be used on non-TorHS websites, therefore using up Tor resources without benefiting the Tor volunteer anonymity network, and/or resulting in blacklisting of Tor exit nodes.
2/ Does not overwhelm Tor’s volunteer guard/bridge/relay network: The attack needs to use as little Tor resources as possible.

Fortunately someone has already come up with an implementation that does just this. Rootseck’s Torloris delivers the Slowloris attack via Tor on to its intended target.

The attack is a thread consumption attack on Apache and uses very little data. The one issue though is that Torloris can also be used against any website, which could result in many if not all of the Tor exit relays being needlessly banned.

I present Torloris For Onions. This is a quick’n’crude edit of Torloris to restrict it to *.onion websites only.

1/ You will need Tor ( TorBrowser ), Perl and IO::Socket::Socks module
2/ For Windblows users you will need perl activestate, and install module IO::Socket::Socks
Example: c:\perl\bin\perl ppm install IO::Socket::Socks

Usage: Obviously edit the demo onion URL ( abcdefghijklmnop.onion ) and replace with the onion address that needs slicing and dicing.

Code Repository:


Pareto Security PHP Core Security Class

Protect your WordPress user inputs from the usual array of attack vectors

Had enough of the security theatre presented by the raft of WordPress security plugins? Time to put a stop to the attacks!

Firstly, WordPress and most other CMSs are built using PHP. PHP is a very insecure programming language, even worse in the hands of amateurs.

WordPress has been plagued by plugins authored by amateurs that bring with them security vulnerabilities.

Security plugin designers mostly focus on cleaning up attacks rather than stopping them dead in their tracks.

Pareto Security class acts as a Central Security Hub checking all inputs from users, preventing bad requests from executing on your website.

* Real Attack Prevention that can be achieved via a plugin
* Automatic Blacklist Management
* Easy-To-Use
* No customisation needed
* Works silently, you only get notified when you really want to be notified
* Completely Free
* and much more…

* Pareto Security Protection identifies and blocks malicious traffic.
* Pareto Security Protection dynamic IP Blacklist protects your site while reducing load.
* Protects your site at the entry-point, disabling attack penetration of your WordPress site.
* Extends WordPress inbuilt security, defends your website against vulnerabilities added in via bad plugin coding.

* Monitor blocked attack attempts
* Optionally receive notifications of *REAL* attack attempts that Pareto Security has blocked

A Word on Security
By the very nature of plugins:

  • No plugin should ever claim to be a Web Application Firewall.
  • No security plugin can save your website from really-really badly written site, theme and/or plugin code.
  • No security plugin can save your site from attacks that result from when administrators do not follow basic security practices.

Keeping any CMS as secure as possible is not easy. The very best thing you can do to prevent attacks is to always keep your website code, themes and plugins up to date, and remove any plugins and themes you are not using.

See for extended description of advanced features.

Download Options:

Option 1: Install from WordPress via your admin dashboard's Plugins section

Option 2: Download directly from WordPress –

Canary Statement



1… A small songbird in the finch family, Serinus canaria domestica, originally native to islands in the North Atlantic.


2… A mechanism to test for unsafe conditions, originating from the use of canaries in coal mines to detect poisonous gases or cave-ins. If the canary died, it was time to get out of the mine. More recently, the term has been used by some online service providers to refer to an affirmative statement, updated regularly, that the provider has not been subjected to certain legal processes. If the statement is not updated in a timely fashion, users may infer that the canary statement may no longer be true.


Status: All good
Period: June 1 to December 31, 2018

As of 2018, Hokioi Security has not received any secret court orders, and has not been subject to any gag order by any FVEY secret courts, or any other similar court of any government.

Hokioi Security has never placed any backdoor subroutines or malicious code in any of our applications.

We also have not received any requests to do so, and neither would we do so under any duress.

Hokioi Security has never disclosed any user communications to any third party.

Regarding server seizures, in June 2004 and October 2007, the NZ Police seized several of Hokioi Security’s servers.

These servers were returned and promptly destroyed as is the strict security policy of Hokioi Security.

All Hokioi Security server hard drives are encrypted.

Finally, even if Hokioi Security did receive any such secret court orders, we have never, and will never-ever fracking comply!!!

Te Taipo
Security Researcher
Hokioi Security


Configuring A Hidden Service on Ubuntu Server


A) Ubuntu Server:

1 Go to
1.1 Download Ubuntu Server and install.

1.2 Configure Networking

1.3 Update

sudo apt-get update
sudo apt-get upgrade -y

2 Extra Security
2.1 Install the following:

sudo apt-get install ufw chkrootkit rkhunter

2.2 Configure ufw ( Uncomplicated Firewall )
sudo ufw default deny incoming
sudo ufw default allow outgoing
2.2.1 Manually edit UFW to disable ICMP network traffic:
vi /etc/ufw/before.rules
Comment out the 5 rules in the ‘ok icmp codes for INPUT’ section so that they read:
#-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
#-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

2.2.2 Enable the Uncomplicated Firewall:
sudo ufw enable

2.3 Configure chkrootkit
sudo vi /etc/chkrootkit.conf


2.3.1 Manually run chkrootkit ( do this regularly )
chkrootkit &> logfile.log

2.4 Set cron for RKHunter:
sudo vi /etc/default/rkhunter


2.5 Manually run RKHunter
sudo rkhunter --propupd --update --versioncheck

2.6 Disable IPv6
sudo vi /etc/default/grub
Inline edit:

2.6.1 Update Grub
sudo update-grub

Important: At this point, this server is ready for you to install either the SecureDrop or the Globaleaks platform. However, if you are intending to run your hidden service for something other than a secure whistleblower platform, then complete the following:

3 Install apache2 and tor packages:
sudo apt-get install -y apache2 tor

3.1 Configure apache2 to listen only on:
echo "Listen" > /etc/apache2/ports.conf

3.2 Change Apache’s user from www-data to debian-tor so that Tor can read only its own directories:
sudo vi /etc/apache2/envvars
export APACHE_RUN_USER=debian-tor
export APACHE_RUN_GROUP=debian-tor
service apache2 stop
sudo chown -R debian-tor:debian-tor /var/{lock,log}/apache2 /var/www

4 Security:
4.1 Hide your onion address private_key:
sudo vi /etc/apache2/apache2.conf
<FilesMatch "private_key">
Require all denied
</FilesMatch>

4.2 Change two options:
sudo vi /etc/apache2/conf-enabled/security.conf
ServerSignature Off
ServerTokens Prod

4.3 Disable server-status modules:
sudo a2dismod status
rm /etc/apache2/mods-available/status.*
rm /etc/apache2/mods-enabled/status.*

4.4 Return a server error 403 to requests for /server-status:
sudo vi /etc/apache2/sites-enabled/000-default.conf
Append to bottom:
<Location /server-status>
SetHandler server-status
order deny,allow
Require all denied
</Location>

Only install MYSQL & PHP if you need to use them

5 Install MYSQL:

5.1 Run the following
sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
sudo mysql_install_db
sudo /usr/bin/mysql_secure_installation
Follow instructions…

6 Install PHP:

6.1 Run the following commands
sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt
sudo nano /etc/apache2/mods-enabled/dir.conf

Add the following:
<IfModule mod_dir.c>
DirectoryIndex index.php index.html index.htm
</IfModule>
Don’t forget to configure your php.ini file!

7 Let’s create your first hidden web page:
echo "Hello world!" > /var/www/index.php

8 Restart apache2:
service apache2 start

9 Tor:
9.1 Let’s configure Tor:
cat >> /etc/tor/torrc << EOF
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 80
EOF

9.2 Edit the AppArmor profile for Tor; only one line needs to be added:
sudo vi /etc/apparmor.d/system_tor
owner /var/www/** rwk,

Restart apparmor:
service apparmor restart

9.3 Restart Tor daemon:
service tor restart

10 DoS Attack Mitigation:
10.1 Enable mod_reqtimeout ( it ships with Apache; this only enables it ):
sudo a2enmod reqtimeout

10.2 Harden the prefork mod
sudo vi /etc/apache2/mods-enabled/mpm_prefork.conf
Set MaxRequestWorkers to be greater than default 150
MaxRequestWorkers 500
Add this line:
ServerLimit 500

10.3 Edit Apache configuration file
sudo vi /etc/apache2/apache2.conf
Set Timeout to something lower than default 300
Timeout 30
10.4 Restart Apache
sudo service apache2 restart
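As an added check, not part of the original guide, the following POSIX shell script audits a host against steps 3 to 10 above: the banner settings, mod_status removed, the private_key deny rule, mod_reqtimeout, the prefork ServerLimit, the lowered Timeout, the loopback-only Listen and the torrc hidden-service lines. It assumes Debian’s /etc/apache2 layout and that the elided Listen address is 127.0.0.1; both directories can be overridden for testing.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an Apache + Tor hidden
# service host against the hardening steps above. Assumes Debian's /etc/apache2
# layout and that Apache listens on 127.0.0.1 only (the guide elides the
# address). Prints ok/FAIL per check; returns the number of failed checks.
set -u

# has_directive FILE REGEX: true if FILE has an uncommented line matching REGEX.
has_directive() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"
}

# The <FilesMatch "private_key"> block must actually carry "Require all denied".
private_key_denied() {
    [ -f "$1" ] && grep -A3 -F '<FilesMatch "private_key">' "$1" | grep -q 'Require all denied'
}

# check DESCRIPTION COMMAND...: run COMMAND quietly and count a failure.
check() {
    desc="$1"; shift
    if "$@" >/dev/null 2>&1; then echo "ok   $desc"
    else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

audit_hidden_service() {
    conf="${1:-/etc/apache2}"; torrc="${2:-/etc/tor/torrc}"; fails=0
    check "ServerTokens Prod (4.2)"   has_directive "$conf/conf-enabled/security.conf" 'ServerTokens[[:space:]]+Prod'
    check "ServerSignature Off (4.2)" has_directive "$conf/conf-enabled/security.conf" 'ServerSignature[[:space:]]+Off'
    check "mod_status disabled (4.3)" test ! -e "$conf/mods-enabled/status.load"
    check "private_key denied (4.1)"  private_key_denied "$conf/apache2.conf"
    check "Timeout below 300 (10.3)"  has_directive "$conf/apache2.conf" 'Timeout[[:space:]]+([1-9][0-9]?|[12][0-9][0-9])$'
    check "mod_reqtimeout on (10.1)"  test -e "$conf/mods-enabled/reqtimeout.load"
    check "ServerLimit set (10.2)"    has_directive "$conf/mods-enabled/mpm_prefork.conf" 'ServerLimit[[:space:]]+[0-9]+'
    check "Listen on loopback (3.1)"  has_directive "$conf/ports.conf" 'Listen[[:space:]]+127\.0\.0\.1:'
    check "HiddenServiceDir (9.1)"    has_directive "$torrc" 'HiddenServiceDir[[:space:]]+/'
    check "HiddenServicePort (9.1)"   has_directive "$torrc" 'HiddenServicePort[[:space:]]+80'
    return "$fails"
}

# On the live host, run with no arguments:  audit_hidden_service
```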

Final Tips:
– You need to harden your Apache and PHP. There are plenty of tutorials around that explain all of this.
– Use Torify to do updates
– MANDATORY: Use a network firewall. I recommend the SG-22220 pfSense router [here]

  • Allow Tor outbound
  • Allow DNS
  • Allow NTP
  • Drop all other traffic
