Monitoring your server traffic with ntop – Cool! :)

There is a tool, ntop, that will give you statistics for your server. I keep wondering how much data has been transferred so far, and how much throughput I get with this current provider. Now ntop comes along, and I get to install it on my server.

My main reference was this book, Linux Server Hacks by O'Reilly, written by Andrew Lockhart, hack #63, as well as hack #64 in Network Security Hacks by O'Reilly, written by Rob Flickenger. Rob Flickenger also discusses the same thing. The articles look identical, just the illustrations look different. Mr Lockhart is actually referring to Flickenger's writing.

I downloaded ntop into /usr/port/distfiles/ and extracted it to /usr/port/distfiles/ntop-3.2rc1/. Before installing ntop, I just added a user ntop with group ntop.

su-2.05b# ./configure
su-2.05b# make
su-2.05b# gmake clean

ntop needs gmake instead of make. I tried using the make install command, and it showed an error.

“You might run it using make, please use gmake instead”
*Something like that la…

After installing, it has automatically created /usr/local/etc/ntop/, and all the default SSL certificate files are there. These are default certificates; you can also create a new certificate and sign it yourself. Now I just have to initialize the ntop database and set an administrative password. ntop uses a round robin database, which is a good database for storing traffic reports and logging. The main advantage of this database is that it will not grow and fill up your hard disk: new entries push the old entries out.

su-2.05b# ntop -A -u ntop -P /usr/local/etc/ntop
10/Sep/2005 20:30:23 Initializing GDBM...
10/Sep/2005 20:30:23 Started thread (1026) for network packet analyser.
10/Sep/2005 20:30:23 Started thread (2051) for idle hosts detection.
10/Sep/2005 20:30:23 Started thread (3076) for DNS address resolution.
10/Sep/2005 20:30:23 Started thread (4101) for address purge.

Please enter the password for the admin user:
Please enter the password again:
10/Sep/2005 20:30:29 Admin user password has been set.

Then we start ntop, with HTTPS on port 1234 (example), and run it as a daemon:

su-2.05b# ntop -u ntop -P /usr/local/etc/ntop -W1234 -d

The tool just works fine on my FreeBSD 4.11 server. By now it has already run for 3 days and 6 hours. At first, when my ntop was around 2 days old, the page loaded very slowly; it took up to 1 hour to load. I don't know what happened. Now it works just fine, and it can display all the graphs nicely.
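To show why the round robin database mentioned above cannot fill up the disk, here is an added Python illustration (not ntop or RRDtool code): each archive has a fixed number of slots, the oldest slot is overwritten when a new one arrives, and a coarser archive is filled by averaging several fine samples. The byte counters fed in are constructed.

```python
# Added illustration of round-robin traffic storage (not ntop/RRDtool code).
from collections import deque


class RoundRobinArchive:
    """Fixed-size archive; `step` primary samples are averaged into one slot."""

    def __init__(self, slots, step=1):
        self.step = step
        self.slots = deque(maxlen=slots)   # appending to a full deque drops the oldest
        self._pending = []

    def update(self, sample):
        self._pending.append(sample)
        if len(self._pending) == self.step:
            self.slots.append(sum(self._pending) / self.step)  # AVERAGE consolidation
            self._pending = []

    def values(self):
        return list(self.slots)


class TrafficHistory:
    """Two resolutions of the same byte counter, like 'last hour' and 'last day'."""

    def __init__(self):
        self.fine = RoundRobinArchive(slots=6, step=1)    # every sample, 6 kept
        self.coarse = RoundRobinArchive(slots=4, step=3)  # 1 slot per 3 samples, 4 kept

    def record(self, bytes_in_interval):
        self.fine.update(bytes_in_interval)
        self.coarse.update(bytes_in_interval)

    def capacity(self):
        """Upper bound on stored slots, independent of how many samples arrive."""
        return self.fine.slots.maxlen + self.coarse.slots.maxlen


def simulate(samples):
    """Feed byte counts and return (fine, coarse) archive contents."""
    hist = TrafficHistory()
    for s in samples:
        hist.record(s)
    return hist.fine.values(), hist.coarse.values()


if __name__ == "__main__":
    fine, coarse = simulate([i * 100 for i in range(1, 21)])  # constructed counters
    print("fine  :", fine)    # only the last 6 samples survive
    print("coarse:", coarse)  # last 4 averages of 3 samples; 20 samples never stored
```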

By the way, you might want to secure your page to stop other people from viewing your server statistics. The best and simplest solution is using .htaccess and .htpasswd files. Please refer to my next blog entry on securing a folder using .htaccess and .htpasswd files.

Ntop.org
Linux Server Hacks [O’Reilly] – Download here
Network Security Hacks [O’Reilly] – Download here

Google earth – Review


I found another Google product, Google Earth. You can visit http://earth.google.com; the beta version of the software can also be downloaded from there.

The software is really cool. You can view, I think, almost any place in the world. I have downloaded the free version of Google Earth. When I searched for “Kuala Lumpur”, the system automatically searched for it and zoomed into Kuala Lumpur. The map was not really precise; you cannot view down to the roads, but you can still see the main roads, roughly. You can estimate where your location on earth is.

It can also tell you the details of your coordinates. The software can also integrate with your GPS device, but that is not supported by the free version. It also has the functionality to look for lodging, dining, banks/ATMs, coffee houses, shopping malls, groceries, gas stations, fire stations/hospitals, pharmacies, golf, stadiums, and many other places of interest.

Google Earth Plus costs just USD 20. It gives you more precise images, unlike Google Plus. It can also import address points from a .csv file. For corporate use, you might need Google Earth Pro. Wow!

Anyway, Google might change how we define our location, by coordinates! 🙂

http://earth.google.com
Google Earth Pro – Download(7 day trial)

Half terabyte harddisk?!


Hitachi has now launched a 500GB hard disk, Hitachi's Deskstar 7K500.

There have been a lot of changes within these few years. I experienced using a 4GB hard disk myself a few years ago, when I first used a computer.

Internet and IT, in Malaysia in particular, have changed so fast; faster internet connections and larger media storage have pushed the demand for more hard disk space. I would say a 500 GB hard disk is a need for personal computing as well. Even for myself, I have a 40GB hard disk for my notebook and a 60GB portable hard disk, and it is still not enough!!

Looking forward to having more hard disk space, for personal use, and for my server 🙂

Wassalam..

http://techreport.com/reviews/2005q3/deskstar-7k500/index.x?pg=1

Howto enable WAP in your apache

This is some information to share, on how to enable WAP on your Apache web server. WAP just works with your ordinary Apache web server; it only needs some additional lines inserted into the configuration file.

Add the following lines to your httpd.conf file, between the <IfModule mod_mime.c> and </IfModule> tags. These map the WAP file extensions to their registered MIME types, so a phone browser will render them instead of treating them as plain text:
# WML markup (source and compiled), WMLScript (source and compiled), wireless bitmap
AddType text/vnd.wap.wml .wml
AddType application/vnd.wap.wmlc .wmlc
AddType text/vnd.wap.wmlscript .wmls
AddType application/vnd.wap.wmlscriptc .wmlsc
AddType image/vnd.wap.wbmp .wbmp

You also have to locate “DirectoryIndex” in the config file and add index.wml. This makes Apache read index.wml inside a folder, so that you can access it easily, like http://wap.farhanfaisal.com, where it will immediately read index.wml inside wap.farhanfaisal.com.

That's all; hope in future we will have more in common to share, a WAP site! 🙂

Wassalam

Enable WAP in apache – mrEriksson-Network


httptop for live monitoring for your domains

I downloaded an ebook, Linux Server Hacks [O'Reilly], hack #65, “Monitoring Web Traffic in Real Time with httptop”. It's quite interesting: you can view the traffic, but in the CLI, just a black screen. But you can see who's hitting your web server up to the second.

Firstly, this is my reference.
You can also download the full ebook from here. The file is quite big, 34MB! But… I found the Windows help file version of the ebook!

The server used to set all these things up is running FreeBSD 4.11 with the DirectAdmin control panel. mod_perl updates are managed by DirectAdmin, which makes my job easier when adding the additional Perl modules httptop needs. httptop needs the Time::HiRes and File::Tail modules installed for mod_perl.

The first thing to do is to add some extra configuration in httpd.conf for my domain, farhanfaisal.com. I just added these 2 additional lines to the file. (Find the suitable place yourself :D)
CustomLog /var/log/httpd/domains/total_log vhost
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost

“total_log” is a newly created file where the new log data will be dumped, using the specified format. chmod it to 644.

Then we go to our httptop file. You can get the source code from the O'Reilly official website, or just download it from here.

In order to make sure the script will work, we have to install the Time::HiRes module and the File::Tail Perl module.
cd /usr/ports/devel/p5-DateTime-HiRes
make install clean
cd /usr/ports/devel/p5-File-Tail
make install clean
/usr/local/directadmin/customapache/build mod_perl

I just restarted Apache using the DirectAdmin control panel and issued this command to start httptop:

httptop -f vhost -r 2 /var/log/httpd/domains/total_log

Voila, now you can see the result.
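To show what httptop is doing with the vhost-format log defined above, here is an added Python example (not the O'Reilly httptop script): it parses lines in that exact LogFormat and reports hits and bytes per virtual host within a time window. The log lines, the hostnames and the clock value NOW are constructed for the example.

```python
# Added example: minimal httptop-style aggregator for Apache's "vhost" LogFormat
#   %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One regex group per LogFormat token; %t looks like [10/Sep/2005:20:30:01 +0800]
VHOST_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one vhost-format line, or None if it does not match."""
    m = VHOST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b is "-" for no body
    return rec

def top_vhosts(lines, now, window_seconds):
    """(vhost, hits, bytes) per virtual host, busiest first, within the window."""
    cutoff = now - timedelta(seconds=window_seconds)
    hits, volume = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["time"] < cutoff:
            continue  # skip malformed lines and entries older than the window
        hits[rec["vhost"]] += 1
        volume[rec["vhost"]] += rec["bytes"]
    return [(v, n, volume[v]) for v, n in hits.most_common()]

# Constructed log lines in the vhost format (not real traffic); the 4th is too old,
# the 5th is deliberately malformed.
SAMPLE_LOG = [
    'farhanfaisal.com 10.0.0.5 - - [10/Sep/2005:20:30:01 +0800] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'farhanfaisal.com 10.0.0.6 - - [10/Sep/2005:20:30:05 +0800] "GET /img/a.png HTTP/1.1" 200 512 "http://farhanfaisal.com/" "Mozilla/5.0"',
    'wap.farhanfaisal.com 10.0.0.7 - - [10/Sep/2005:20:30:07 +0800] "GET /index.wml HTTP/1.0" 200 300 "-" "Nokia6600"',
    'farhanfaisal.com 10.0.0.8 - - [10/Sep/2005:20:20:00 +0800] "GET /old HTTP/1.1" 404 - "-" "curl/7.15"',
    'garbage line that does not match the format',
]
NOW = datetime(2005, 9, 10, 20, 30, 10, tzinfo=timezone(timedelta(hours=8)))  # constructed clock

if __name__ == "__main__":
    for vhost, n, nbytes in top_vhosts(SAMPLE_LOG, NOW, window_seconds=60):
        print(f"{vhost:25s} {n:4d} hits {nbytes:8d} bytes")
```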

Linux server hacks [pdf]
Linux server hacks [chm]


Overlooked an exploit in Metasploit.

Last Sunday, UiTM held an Open Source Expo and National Hacking Competition. I was one of the participants 🙂

One of the challenges was to view the source code of an ASP file. I ran nikto, and below is the result:

————————————————————————
root@budihost-box:~# perl /usr/bin/nikto.pl -h 192.168.0.3
---------------------------------------------------------------------------
- Nikto 1.32/1.23 - www.cirt.net
+ Target IP: 192.168.0.3
+ Target Hostname: 192.168.0.3
+ Target Port: 80
+ Start Time: Fri Aug 26 13:52:56 2005
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Microsoft-IIS/5.0
+ IIS may reveal its internal IP in the Content-Location header. The value is "http://192.168.0.3/Default.htm". CAN-2000-0649.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
+ HTTP method 'SEARCH' may be used to get directory listings if Index Server is running.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Microsoft-IIS/5.0 is outdated if server is Win2000 (4.0 is current for NT 4)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
+ /scripts - Redirects to http://192.168.0.3/scripts/ , Remote scripts directory is browsable.
+ /blahb.idq - Reveals physical path. To fix: Preferences -> Home directory -> Application & check 'Check if file exists' for the ISAPI mappings. MS01-033. (GET)
+ /xxxxx.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. Ensure Q252463i, Q252463a or Q251170 is installed. MS00-006. (GET)
+ /NULL.printer - Internet Printing (IPP) is enabled. Some versions have a buffer overflow/DoS in Windows 2000 which allows remote attackers to gain admin privileges via a long print request that is passed to the extension through IIS 5.0. Disabling the .printer mapping is recommended. EEYE-AD20010501, CVE-2001-0241, MS01-023, CA-2001-10, BID 2674 (GET)
+ /scripts/samples/search/qfullhit.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. MS00-006. (GET)
+ /scripts/samples/search/qsumrhit.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. MS00-006. (GET)
+ /_vti_bin/fpcount.exe - Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. CAN-1999-1376. BID-2252. (GET)
+ /_vti_bin/shtml.dll/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 - Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (POST)
+ /_vti_bin/shtml.exe - Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (GET)
+ /_vti_bin/shtml.exe/_vti_rpc - FrontPage may be installed. (GET)
+ /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 - Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (POST)
+ /_vti_bin/_vti_aut/author.dll?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=false - Needs Auth: (realm NTLM)
+ /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=false - Needs Auth: (realm NTLM)
+ /_vti_inf.html - FrontPage may be installed. (GET)
+ /login/ - This might be interesting... (GET)
+ /localstart.asp - Needs Auth: (realm "192.168.0.3")
+ /localstart.asp - This may be interesting... (GET)
+ 2645 items checked - 15 item(s) found on remote host(s)
+ End Time: Fri Aug 26 13:53:16 2005 (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

————————————————————————
The server runs IIS 5, with a source code disclosure vulnerability.

I didn't notice that the Metasploit Framework already has the exploit. The task should be easier with Metasploit.


Happy Merdeka Day!


Happy Merdeka Day!!

Merdeka! Merdeka! can still be heard today. Last night IIUM students were also celebrating Merdeka Day on campus. Many people were there: students, lecturers and many other people from around the area.

Just a few hours before 12 o'clock, I was in KL, giving a friend a lift to PuduRaya, balik kampung 🙂
There were many people in KL last night. I saw a family with their children planning to celebrate Merdeka in KL. It reminds me that I was never outside at night when I was young.

I still agree that we cannot know the value of Merdeka, since we have always lived in all this harmony and had all this peaceful life. How can we protect our country without knowing the value of independence?

Peace be among the warriors, who strive for our independence.

Auditor security linux


Auditor Security Linux is a must-try Linux for anyone interested in the security aspects of networking and administration. Auditor provides a full set of applications for information gathering, vulnerability assessment, and many more.

The applications have been arranged by category, so that you can go to the specific application for a specific purpose. There are many more tools not included in the categories; you can search for them.

You can download it from here:
http://new.remote-exploit.org/index.php/Auditor_mirrors

New IM – Google Talk

As all of us waited and the rumours spread, Google has now come out with its new IM for its users, Google Talk.


All you need is just a Google account and the client application. The application is just 900KB in size and can be downloaded from here.

The application is simple, small in size, and the file is all the software that you need. You don't need to download other programs to use it. Google Talk supports voice calls with your buddies.

Download now, and start inviting your Google friends to your Buddy list!