Archive for the tag 'Preventing'

SBDavid
Feb 23rd, 2012

Preventing Allocation on a Physical Volume

Preventing Allocation on a Physical Volume

You can prevent allocation of physical extents on the free space of one or more physical volumes with the pvchange command. This may be necessary if there are disk errors, or if you will be removing the physical volume.

The following command disallows the allocation of physical extents on /dev/sdk1.

# pvchange -x n /dev/sdk1

We can also use the -xy arguments of the pvchange command to allow allocation where it had previously been disallowed.

SBDavid
Apr 23rd, 2011

Php Security Preventing Information Disclosure

Php Security Preventing Information Disclosure

Disclosing information, such as errors, to attackers can leave your system in a vulnerable position. Before and during an attack, the attacker will need to acquire a wealth of general information about your system. This information includes your directory structure, database names, usernames, and more. Preventing PHP from printing errors to the web application’s user interface is one way to inhibit an attacker’s ability to gain information he could use to compromise your system.

When display_errors is disabled, your developers are still able to retrieve debugging information from the appropriate PHP logs.

SBDavid
Nov 18th, 2009

Preventing Graphics Hotlinking on a Web Site

Preventing Graphics Hotlinking on a Web Site

Bandwidth theft or hotlinking is a direct linking to web site’s files (images, video, etc.). It can be prevented with the mod_rewrite module.

Place rules like below into the vhost.conf or .htaccess files for the domain (for example www.example.com):

RewriteEngine on
RewriteCond % !^$
RewriteCond % !^http://(www\.)?example\.com(/)?.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|swf)$ - [NC,F]
SBDavid
Oct 27th, 2009

Preventing Accidental Denial of Service

Preventing Accidental Denial of Service

Linux allows you to set limits on the amount of system resources that users and groups can use.

Restricting System Resources

The following example shows a practical use of setting or restricting system resources for an database user account. For a list of system resource settings, see /etc/security/limits.conf. It would be a good idea to review the default settings of system resource.

database soft nofile 4096
database hard nofile 63536

The “soft limit” in the first line defines the number of file handles or open files that the database user will have after login. If the database user gets error messages about running out of file handles, then the database user can increase the number of file handles like in this example up to 63536 (”hard limit”) by running the following command:

ulimit -n 63536

Most shells like Bash provide control over various resources like the maximum allowable number of open file descriptors or the maximum number of processes available to a user. To see all shell limits, run:

ulimit -a

# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 20
file size (blocks, -f) unlimited
pending signals (-i) 16382
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

Each line describes a limit for a user in the form:

[domain] [type] [item] [value]
#
#Where:
# can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
# - NOTE: group and wildcard limits are not applied to root.
# To apply a limit to the root user, must be
# the literal username root.
#
# can have the two values:
# - “soft” for enforcing the soft limits
# - “hard” for enforcing hard limits
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - core - limits the core file size (KB)

Example:

@student hard nproc 50
@faculty soft nproc 50
SBDavid
Sep 17th, 2009

Preventing Allocation on a Physical Volume

Preventing Allocation on a Physical Volume

You can prevent allocation of physical extents on the free space of one or more physical volumes with the pvchange command. This may be necessary if there are disk errors, or if you will be removing the physical volume.

The following command disallows the allocation of physical extents on /dev/sdk1.

pvchange -x n /dev/sdk1

You can also use the -xy arguments of the pvchange command to allow allocation where it had previously been disallowed.

“pvchange -x n /dev/sdk1″ disallows the allocation of physical extents on this physical volume (possibly because of disk errors, or because it will be removed after freeing it.

Next »