Since few days ago, I got a report from my friend that his websites isn’t normal. After I checked the website, I’m found double / multiple contents in home page. Wow, is it a Joomla Bug?

Yep, finally I got an answer to this problem, it’s a bug in Joomla MySQL query and have been submitted to bugtracker. Just two way to solve this problem, let’s do that:

1. Go to your web directory, usually for shared hosting the location will be in public_html.
2. Find directory components/com_content/models/articles.php and change some parameters like this:

$query->join(‘LEFT’,'#__contact_details AS contact on contact.user_id = a.created_by’);

to

$query->join(‘LEFT’,'#__contact_details AS contact on contact.id = a.created_by’);

Now your Joomla website should be normal again, have a great day!

Pagi yang indah tampaknya ternodai oleh kejadian yang agaknya mengganggu kinerja email server. Pagi tenang saya terusik lantaran ada user yang berteriak “Pak…, kenapa email server lambat sekali”, setelah saya pastikan untuk login ke server terasa sangat lambat. Setelah check koneksi dan resource system yang masih wajar saya kemudian melihat file audit.log dimana file audit.log ini merupakan file yang mencatat aktivitas login oleh user. Dan terang saja server menjadi lambat karena ada request login yang cukup banyak, hasil dari audit.log:

2010-05-24 09:26:28,374 WARN  [Pop3Server-1187] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for admin, invalid password;
2010-05-24 09:26:36,595 WARN  [Pop3Server-1196] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:26:38,997 WARN  [Pop3Server-1198] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:26:42,487 WARN  [Pop3Server-1201] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for postmaster, invalid password;
2010-05-24 09:27:33,481 INFO  [Pop3Server-1253] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; error=account lockout due to too many failed logins;
2010-05-24 09:27:33,525 WARN  [Pop3Server-1253] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for admin, invalid password;
2010-05-24 09:27:34,712 WARN  [Pop3Server-1254] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:28:18,536 WARN  [Pop3Server-1296] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:28:27,794 WARN  [Pop3Server-1305] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:29:00,790 WARN  [Pop3Server-1338] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:29:12,795 WARN  [Pop3Server-1349] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:30:55,621 WARN  [Pop3Server-1451] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for admin, account lockout;
2010-05-24 09:31:51,629 WARN  [Pop3Server-1502] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:32:23,616 WARN  [Pop3Server-1532] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for postmaster, account lockout;
2010-05-24 09:32:48,561 INFO  [Pop3Server-1556] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; error=account lockout due to too many failed logins;
2010-05-24 09:32:48,615 WARN  [Pop3Server-1556] [ip=71.249.235.39;] security – cmd=Auth; account=postmaster@noname.com; protocol=pop3; error=authentication failed for admin, invalid password;

Sebenarnya saya telah membatasi maksimum login fail dan ketika melebihi batas username akan di block untuk sementara, namun nampaknya meski di blok si attacker terus menjalankan aksinya (dasar bot). Masalah ini sudah saya posting di milis CentOS.org dan beberapa member ada yang menggunakan failban, sshdfilter, ataupun iptables. Yang palign sederhana dari ketiga cara diatas ada filter menggunakan iptables. Kurang lebihnya seperti ini:

iptables -A INPUT -p tcp –dport 110 -m state –state NEW -m recent –set –name POP
iptables -A INPUT -p tcp –dport 110 -m state –state NEW -m recent –update –seconds 60 –hitcount 3 –rttl –name POP -j LOG –log-prefix ‘POP3 attack: ‘
iptables -A INPUT -p tcp –dport 110 -m state –state NEW -m recent –update –seconds 60 –hitcount 3 –rttl –name POP -j DROP

Hingga saat ini, saya masih menggunakan iptables sebagai aplikasi filtering baik firewall untuk intranet maupun internet, dan saya pikir iptables cukup reliabel. how to securing email server? how to preventing email server from brute force? Hal yang paling tepat adalah rajin melihat log :)

Referensi:
Milis CentOS.org

Bagi sebagian orang, phising seperti ini tidaklah penting untuk diperhatikan,  namun perlu diketahui bahwa phising adalah tindakan yang bisa sangat merugikan apabila data email yang tersimpan adalah email-email penting seperti account bank, account perusahaan, koleksi password, photo bareng selingkuhan dan lain-lain. Apakah sudah terbayang akibat yang dapat terjadi bila informasi pribadi Anda dicuri orang?

Phising sebenarnya termasuk dalam kategori tindak kejahatan cyber tingkat ringan, namun bahaya yang ditimbulkan bisa sangat fatal sesuai dengan seberapa penting data yang berhasil dicuri oleh pelaku. Email phising, seringkali dibuat semirip dan se-luwes mungkin agar korban dapat terperdaya. Sebagian besar, phising digunakan untuk mencuri account bank, account credit card, account email. Pada umumnya email phising akan dikenali sebagai spam oleh penerima karena beberapa email server akan memberikan flag SPAM atau JUNK bila email dikirimkan ke ratusan user secara bersamaan.

Berikut isi email tersebut:

Dear Account User,

This Email is from Hotmail/Live Customer Care and we are sending it to every Email User Accounts Owner for safety. We are having congestions due to the anonymous registration of Hotmail/Live accounts so we are shutting down some Hotmail/Live accounts and your account was among those to be deleted.

We also noticed a violation use of your account and if you think you have not violated the Terms and Condition of Hotmail/Live, please verify below with information requested

You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 48 hours for security reasons.

* Username: ……………………
* Password: ……………………
* Date of Birth: ……………….
* Country Or Territory: …………

After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconveniences.

Warning: Account owner that refuses to update his/her account after two weeks of receiving this warning will lose his or her account permanently.

Sincerely,

The Windows Live Hotmail/Live Team.

Beberapa hal yang agak janggal dari email diatas adalah respon mail server saya yang memberikan flag sebagai SPAM, setelah ditelusuri ternyata sender juga bukan berasal dari microsoft, selain itu email ini juga berisi ancaman. Adapun microsoft tidak pernah meminta username dan password dalam bentuk letter seperti email diatas, maintenance username dan password selalu dilakukan di halaman windows live itu sendiri.

Sudah lama saya menuliskan optimasi kernel Linux dengan konfigurasi systcl.conf, tapi berhubung arsip di main blog saya http://pnyet.web.id tidak terekam search engine dengan baik maka saya menuliskan ulang disini. Konfigurasi sysctl.conf ini bertujuan untuk performance tunning, dan security tunning di sistem operasi Linux. Secara spesifik, konfigurasi ini saya gunakan di CentOS namun konfigurasi bukan tidak mungkin untuk digunakan di GNU/Linux varian lainnya.Dalam kaitannya dengan keamanan maka konfigurasi dibawah ini dapat menghindarkan server dari serangan DOS maupun Spoofing. Sebagai catatan, dalam konfigurasi ini saya menggunakan eth0 sebagai primary networking interface.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

#Ignore Ping
net.ipv4.icmp_echo_ignore_all = 0

#Ignore Broadcast ICMP Request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536