UPDATE: Maybe not so stable. Got panics on some other machines, same config and everything so I take that back about being stable. The download for stable version is – http;//nix101.com/kernels/sstlinux-2.6.27.10.tar.gz – This is latest stable grsecurity kernel BUT it is all the way from December of 2008 so it may be worth a panic or two to try and get a newer kernel in your box. Make sure to always use grub savedefault once and set panic=5 on your grub.conf at the end of the kernel line.

I guess we will go ahead and call this stable. I have been running it on all machines – quad core intels with hw raid/linux raid – 64bit, 32 bit intel dual core with sata hds and have successfully ran it on a client’s intel server. I have not had any problems, everything works fine. This is just like the other latest ones, you will need the latest binutils to compile it after grsec/pax patch.

On this kernel config I have the grsec/pax settings pretty tight. If you do not want to mess with paxctl and changing the flags of a few things like php when you get started then you need to deselect the non-executable paging options. If you do wanna try it out get paxctl.

Once you get paxctl first I recommend reading over all options to determine which binaries you want to set to allow executable paging. On php if you have zend or anything similar you will need to change the pax flags of php and your php cgi/sapi/httpd module.

To do this do paxctl -c /path/php_binary (replacing path and binary of course with your relevant info). This will convert the flags to pax flags. To be honest I am not sure what exact paxctl flag needs disabled to make it run so I just do them all with paxctl -permxs /path/php_binary. But if you wanted to only disable the ones needed to make it run unless all need disabled you can disable one at a time and try the php after each. For example paxctl -p php_binary then run php -v and see if it works. if it doesn’t you will get an error about permission denied on zend or just a segfault. And then just do that until it works.

As far as tarpit goes, I will get back on that as soon as possible. For now I’m not messing with it as we are working on other methods. My main issue with tarpit is you cannot use it as default deny on certain firewall scripts because you wont be able to tarpit your own outgoing connections for good reason. But if you got your own firewall script you can use tarpit for incoming deny and drop or reject for outgoing.

Here is download for kernel:

http://nix101.com/kernels/sstlinux.tar.gz

wget http://nix101.com/kernels/sstlinux.tar.gz

I have a site on one of my servers that has been under attack constantly for 2 years straight. No kidding…

I)ll first explain average attacker behavior. Usually an attacker will attack a site and keep it down as long as possible. When that user gets on a protected hosting and attack gets blocked, site is up. The attacker will continue around 2 more days and ddos his lil heart out trying to bring it down. When he finally realizes his attacks have no effect anymore then he moves on to the next target, most likely denying to his buddies he ever attacked the site in the first place to save face.

They first came on my high risk hosting 2 years ago when attack was real bad. About 150 k packets per second. We had him on our high protection plans for a long time. Then, we started gradually decreasing his plans as the attacks became weaker and weaker.

I would say the original botnet had about 5k bots. And as it started losing bots the attack died down.

What became strange at the very first is once we had attack mitigated the attacker continued for days, weeks, then months after that. each time I would clear my firewall bans and restart I would see his bots attacking.

Then I had come to the conclusion that the guy most likely issued some command to his net like “ddos stockegg.com 10000000000000″ and then he died, was raided or his mommy took his computer. Surely this guy wouldn’t continue that long with no effect.

I was restarting my firewall in my softlayer server where I eventually moved these guys and lo and behold – http://secureservertech.com/egg

Its definitely not enough to bother our servers the way they are setup but I assume most other shared hosts, especially ones running Apache would kick him in an instant. Usually we just ban those real quick and not see them again until ban lists are cleared.

Has anyone else seen a similar situation?

One explanation a ddos expert/botnet hunter told me is that it was the storm worm and that it was all automated. He said the storm worm or its variants will search the web looking for certain keywords in websites related to spam and then attack them. This user used to have a disclaimer over his newlestter signup _”You will not get spam, I hate spam too” So we don’t know if that is what caused it or what. But he removed that after the first few months.

Just something I thought I would share with everyone. Would like to hear if anyone else has had similar experiences

The site got defaced the other day by some arab script kiddy. It kills me that after all this time that developers are still making such stupid mistakes in their php coding that any idiot can audit the scripts and find an exploit. I converted all to wordpess about 2 years ago in the hope that it is a better maintained and secure app. Which I will say in the defense of wordpress I am using the svn version and they say not to use it on live sites but I never really had a problem before.

I like using the svn because I can upgrade the entire site by issuing “svn update” in shell. So its really convenient. I’m still not totally sure how the kid got in but after doing an update and cleaning up a bit it looks ok for now. SO I guess I will see.

Shit happens and unless you are some expert php coder its hard to prevent your php driven site from being comprised sometime. I will say though that this is the first time on this site and app.

I will start posting more regularly. Seems like I still use this site nearly everyday as a copy and paste tutorial depository when I do certain things on the servers.

Today I will post latest stable sstlinux beta