Session contains objects whose class definition isn't available.
Remember to require the classes for all objects kept in the session.
(Original exception: uninitialized constant Map [NameError])

Specifically I have a geographical map class (Map) and I am storing the map object in sessions. Rails cannot unmarshal the serialized session representation into the map object until it knows what the Map class looks like.

To overcome this problem, I added the following line of code in my config/locales/application.rb file and it solved the error for me:

 require “#{Rails.root}/app/models/map”

where my map class is defined in /app/models/map.rb file.

Though it is discouraged to store complex objects in sessions, I got to know about this taboo much later in my development cycle. At that point, this fix was easier for me than to rewrite major pieces of code.
I hope this helps someone on the other side of planet who is banging his head over this peculiar error.

This article demonstrates a replay attack where – in certain cases – your login based application’s logic can be subverted to bypass the authentication and directly impersonate an user (whose cookie you’ve managed to sniff/steal).

This post will:

• Illustrate how sessions are stored in cookies instead of server side storage.
• Demonstrate a common mechanism in web applications to identify if the user is authenticated.
• Show how can a stolen cookie can be replayed to impersonate a valid user (even after the real user logs off).

In cookie based session stores, all the session data is stored in a cookie as a hash map of key:value pairs. Everything that you set in a session is serialized into a stream of bytes – base64 encoded – and set as a browser cookie. Hence, all of your session variables actually end up being stored on client side. From then on, your browser sends all your session data to the server in each single request you make to the website.

However there is a security mechanism that prevents from any user from tampering the session data stored as cookie – and that is the HMAC of the session byte stream calculated from a server side secret. So here is how it works:

• When you do a session[:valid] = “true” in a rails application, the application converts it into a hash, serializes it into a byte stream and calculates a HMAC of this stream.
• This HMAC is appended along with the session object in the cookie with a ‘- -’ delimeter.
• The browser sends this cookie (session object–HMAC) with every request to server.
• For every request, the server calculates the HMAC of the session hash that browser sent in the cookie and compares it with the accompanying HMAC in the cookie. If they don’t match, the session hash (or the HMAC) has been modified on client side – the session data will be ignored in this case.

Now lets see a common way how sessions are managed in many web applications.
Suppose your web applications’ authentication routine looks like this:

The code above checks for the valid credentials, and sets some session variables once the user is authenticated. A common technique employed for session management is to set a special session variable once an user is authenticated. Thereafter for each request by the browser, a simple check is performed to see if that session variable is set or not. If its set, the requested ‘member only’ page is displayed else an error is displayed asking user to login to access that page. This value is cleared when user presses logout. In our code above, session[:valid] serves the purpose of the ‘flag’ to denote a authenticated user.

Consecutively, our ‘members only’ pages will have something like this defined in their controller:

Where check_login_status is a method which will be evaluated before every action in this controller. The check_login_status will look something like:

I’ve put up a demo application at http://replayattack.mocktest.net where you can play with a simple login based application which uses cookie based session store. You can try the replay attack (described below) on this application.

I use a simple Firefox extension – Live HTTP headers for evaluating and replaying the cookie. So, lets login at the application (demo/demo) and lets see what cookie we got. The headers for ‘/members/profile’ page sets this cookie.

Set-Cookie: _rails_demo_session=BAh7DUkiD3Nlc3Npb25faWQGOgZFRiIlZTBhZWRjZGE3M
GE5MTk5MGMyNTllMDU1ZWRkMGRkMDdJIhBfY3NyZl90b2tlbgY7AEZJIjFicFl4aUpuSURI
WkVhaE8rTVpuTDgrUWNvdzlwRnYzVWJhcEYwazBDRzM0PQY7AEZJIgp2YWxpZAY7AEZJ
Igl0cnVlBjsARkkiCW5hbWUGOwBGSSIRU2hpdmFtIFBhdGVsBjsARkkiCmVtYWlsBjsARkkiE3
NoaXZhbUBjbXUuZWR1BjsARkkiDXBhc3N3b3JkBjsARkkiEGNvbW1hY2tANzgyBjsARkkiDGN
yZWRpdHMGOwBGSSIINzgwBjsARkkiCmZsYXNoBjsARklDOiVBY3Rpb25EaXNwYXRjaDo6Rm
xhc2g6OkZsYXNoSGFzaHsGOgxtZXNzYWdlSSIxTG9naW4gU3VjY2Vzc2Z1bCEgV2VsY29tZSB
0byB0aGUgbWVtYmVyIGFyZWEGOwBGBjoKQHVzZWRvOghTZXQGOgpAaGFzaHsA–8033ab5323d8adfb80a32fa448a41a586138ee4a; path=/; HttpOnly

You can now see two distinct parts of this cookie: The base64 encoded session data followed by the delimiter – - followed by the HMAC (8033ab5323d8adfb80a32fa448a41a586138ee4a). If you use any base64 decoder and try to decode the session data part of the cookie (BAh7…. aHsA), you’ll see the serialized representation of the session hash:

{
I”session_id:EF”%e0aedcda70a91990c259e055edd0dd07I”_csrf_token;�FI”1bpYxiJnIDHZEahO+MZnL8+Qcow9pFv3UbapF0k0CG34=;�FI”
valid;�FI”    true;�FI”    name;�FI”Shivam Patel;�FI”
email;�FI”shivam@cmu.edu;�FI”
password;�FI”commack@782;�FI”credits;�FI”780;�FI”
flash;�FIC:%ActionDispatch::Flash::FlashHash{:messageI”1Login Successful! Welcome to the member area;�F:
@usedo:Set:
@hash{�

We can see the session variables highlighted in this semi-readable text. Can you change the value of ‘credits’ in the cookie and fool the server to accept that. Fortunately not, because the HMAC won’t match. But you can always store this cookie to replay it later. And here lies the problem.

Now we’ll logout from the application by clicking the ‘Logout’ link on the web application. The logout code is:

This resets the session and generates a new session id. If you inspect the new cookie (post logout) in Live HTTP headers, you’ll no longer find those session variables.

Locate an old GET request in Live HTTP header and replay it

But what if you just replay that old cookie. In Live HTTP headers, all you need to do it to scroll up to reach the request which was made to a page before you clicked logout and “Replay it”.

As soon as you click that, BINGO !!! – you are logged in as a valid user.

This happened because the session[:valid] flag we are checking on server side to see if the user has already authenticated to the application is set in this cookie which obviously is of a time before users clicked ‘Logout’. This is a very serious issue. You need to worry if your applications’ login design is similar to one described here.
This will allow people to sniff your users cookie if they are on a public wireless (airports, coffee shops) and replay it to gain access to your application even when the real user has logged off the application.

You are safe from such an attack if:

• You use SSL on your website. However, remember that SSL should be enabled for the entire site rather than for the login page only. For sites using SSL, there is no way an attacker can sniff plain text cookies and try to read/replay them.
  • Also make sure that you set the ‘secure’ cookie flag so that the cookie is never inadvertently transmitted on a http channel
• You are not using cookie store to manage your sessions.

If you want to quickly migrate from cookie based session store to database based sessions, its actually very easy. However you may want to think about the performance impact it will have based on the way you’ve deployed your application.

In case you want to switch to database backed sessions, here is how to.

Hope this post helped you understand how cookie based sessions work and why and when you should not use CookieStore. Have fun doing the replays at http://replayattack.mocktest.net. Don’t mount other nefarious attacks on it please.

Aditya seeing me off !!

The early morning train did not allow me to sleep much last night. Thankfully, Aditya accompanied me to the train station and we just had a sad parting. The train now steers off into woods, mountains, springs and begins its breathtakingly enchanting journey to the east coast. I must thank my friend, Krishna, who suggested that I should try the Pittsburgh-New York train ride. Although it is a bit costlier than the airplane journey and 9x times longer but it has been only an hour and already I seem to be very happy about this decision.

I am overflowing with a multitude of thoughts as I leave Pittsburgh and thought that I can preserve them by writing them down. Pittsburgh was my gateway to United States. My first city in the US and a perfect one to get acclimatized to the American lifestyle and culture. It is neither too fast nor too slow, relatively cheap, full of scenic beauty and provides a great academic setting with some very fine Universities.

I had two contrasting years at Carnegie Mellon. The first year was one of the most torturous one I’d ever had (or probably will have in future). Days and nights were spent studying and doing hard work.  I had been living an easy life for 2 years before coming to CMU and the contrast in the lifestyles completely threw me out of my comfort zone. It was not uncommon to come back home at 4 AM in the morning, cook and eat ‘dinner’ by 5-6AM and then have a good night’s sleep after that.

Second year though was a little easy. Partly because we got accustomed to the lifestyle, partly because the tough courses were over and partly because I got an offer from Bloomberg and many apprehensions about the job and job search were over. I chose the computer forensics track in my second year and time was spent in doing a lot of forensics – which was real fun. With a little less workload, I could find time to do other activities. Swimming was one of them. I am happy that I was pretty regular at swimming this semester and hope to continue that even in New York. I also could devote a good time for the alumni activities of my Undergrad school which resulted in a great east coast alumni meet.

Last 30 days have been so eventful at Pittsburgh. Final exams, graduation ceremony, visiting friends and lots of time spent at the playground.
During my two years in Pittsburgh, I stayed in a street called Murray Ave. It is a hub of restaurants and pubs – one of the liveliest streets in that area.  Although we walked down that street every day, we never had a chance to try out various eateries (or should I say any eatery). With only a few days of Pittsburgh left, we decided to try each of them. This meant freedom from cooking and lots of intercontinental food every day. What a great end

Gullifty's

Silk Elephant

Sun Penang

I cannot close my Pittsburgh chapter without mentioning about the friends I made here. Definitely, it would have been impossible to survive without these wonderful people I met here. They were a critical ingredient in making my stay wonderful and splendid. No wonder they’ve become my friends for life. I’d love to thank Shishir, Aditya, Mayuresh, Snehal, Rohan and Krishna for being such great friends. There are so many things I’d love to learn from each of them.

Shishir – Well, the list is long. Anyone who knows Shishir knows what qualities of his I am talking about. I’ll keep telling stories of Shishir as an example of will, determination and Hard work.

.

Aditya – I really wish I could get the calmness and virtue of patience that Aditya has. His never say die attitude and optimism towards life(whether aiming for 105 out of 100 in an assignment – by chasing 5 extra credits or chasing a bus that is 3 stops ahead) is simply inspiring.

Mayuresh –   I always appreciate (and envy) this guy’s technical skills and sharp mind. This might be for the first time I am ever accepting that in public, but I wish I could borrow some intelligence from you.

Snehal – Snehal’s journey from MIT (Maharashtra Institute of Technology) to MIT (Massachusetts Institute of Technology) is an inspiration. I am glad that in this jump from MIT to MIT, he chanced to be at CMU and I could know and befriend him. A super sensitive person at heart: dare to hurt him and you’ll receive an 18 page email from him after 3 days of silence.

Rohan – A happy go lucky person who’ll say only one thing in case of trouble: “arre suno na… tum tension mat lo, ho jayega”

.

Krishna – I owe him for tolerating me a lot in all the coursework and assignments we did together. Thank you for getting me good marks in all those projects

.
I am finishing this up after arriving at my home in NJ and I can already feel the loneliness and vaccum without them.

All  Good Things Must Come to An End, and so has this. I’ll cherish each moment spent at Carnegie Mellon and Pittsburgh throughout my life.

I’ll end this blog on a happy note. Here are all the pictures that I took all the while I was writing this blog. Next time you are making a journey from NYC to Pittsburgh or the other way round, consider taking a train !!

http://picasaweb.google.com/shivam.unleashed/LastDaysAtPittsburghAndTrainRideFromPittToNYC#5482073489044775890

I see so many attacks on my SSH server trying to brute force the password for usernames ‘admin’ and ‘root’. Clever sshd just lets them keep guessing without telling them that the username doesn’t exist. It just sits there and enjoys the conversation. Actually it is fun to see the usernames/password that are tried. Just fire up wireshark/tcpdump when under attack and look at the packets, the username/passwords are as amusing as they can get. Sometimes the passwords are pure dictionary attack. Sometimes they even have a local tinge in them. For example, Chinese names !!!

Most of the attacks are from bots. Bots running on ‘owned’ machines – compromised machines at government offices, educational institutes and public kiosks. Basically, this is generally how botnets work – a bot infects your computer, it then starts launching attacks on other computer in its quest to multiply. In addition it also opens up other services on the infected computer to achieve its other primary objectives. Remember, bots and botnets are all about money today. It is no longer a fame game. So typically a owned machine will have port 80 (http), 21(ftp), 22(ssh). You will also see compromised computers hosting a website (often porn) and running services like webmail, phpmyadmin etc.

Last weekend, I thought – is there something I can do when under attack… Ummm well maybe I can become a good netizen and let the world know about the attack. Why would that help anyone? Well just in case someone else in world is getting attacked by the same IP address and chooses to type its IP address on google, he can have a little more information about the attack and his fellow sufferers.

Okay, so I want to make the attack information quickly available to the world. So probably I can have a webpage of such attack information and I’ll keep updating it as and when I get an attack. Well … sort of good idea but not so slick. If google indexes my webpage every 30 days, it will take 30 days (worst case) for the information to be available on google.

A better approach is to ‘tweet’ about the attack . Google indexes twitter accounts far more frequently than it indexes an average website. So an twitter update can be indexed even within minutes after it has been tweet’ed.

We* wrote a quick and dirty python script to help us do exactly that. The scripts monitors the log files every few minutes (15 minutes in our case). The log files are /var/log/auth.log and /var/log/vsftpd.log.
The scripts maintains an in-memory hash table of <ip, [list of usernames used in attack]>. Here ip is IP address of the attacker and it serves as an key in the hash table. The corresponding value is a list of all the usernames that the attacking computer tried.

So the in memory hash table grows with each attack and would typically look like:
< 210.90.74.163, [admin, test, root, nagios…]>

The following algorithm is repeated every 15 minutes:

• We check the new attacks in past 15 minutes and update our in memory hash table
• For all those entries that have surpassed a threshold number of tries in this timeslot are eligible to get tweeted. For eg. With a threshold of 5 tries, all those entries that now have more than 5 entries in the username list (and were not tweeted before) are deemed as attacks and are tweeted.
• A simple twitter API for python makes tweeting as simple as possible.
• A new tweet appears on http://twitter.com/compromised_sys account.

A diagrammatic representation of the process is below:

Overview of the entire process

In case you are interested in seeing the python implementation, you can download the file below. As I said earlier, it is quick and dirty implementation and requires code cleanup.
tweet_attacks.py

Results:
The script runs in production and tweets the twitter account http://twitter.com/compromised_sys regularly. Once we had the first version up and running, we could see tweets getting indexed in as less as 15 minutes after updates to twitter account.

*This code was co-authored by Aditya Mahendrakar

There is only one ‘argument’ for a full disclosure – that it ’forces’ the organization to act swiftly and fix the vulnerability. And believe me there are many organizations that are lazy enough to fix a problem reported to them.

Lately, I chanced to visit the website of National Institute of Design, Ahmedabad. NID happens to be one of the premier institute of design in India. The website has a portal (called Kportal) aimed to provide unified login for students, staff and alumni for various institute related functions. It has monthly pay-slips for employees and library records for students and many more Institute specific features.

This portal has several security vulnerabilities. It is a great example of a ‘poor design’. By design I mean the design of their web architecture rather than their user interface. I was curious to know how deep can one get into their systems and it took me a couple of hours to verify that a sophisticated attack can actually give one access to their database. And guess what do you find in their database. You find pay slips, marks of students and passwords (very unfortunately in plain text). This was horrifying.  More horrifying was the fact that updating records in the database was just a matter of firing some update queries using a specific channel. I wish I were a student there

Immediately after, I sent an email to the top officials of NID explaining them about the vulnerabilities that their portal has. Since, I did not know the right person to talk to regarding this, I went to their ‘Director and Deans’ page and emailed their Director (Shri Pradyumna Vyas), Activity Chairperson (Shri Akhil Succena),  Acting Dean, R&D Campus (Dr. S Ghosal). I also emailed Ms. L Padmavati Bet, a person I believe to be closely related to development of this portal. I specifically wrote about the vulnerability and the amount of data that can be leaked in case one is successful in his attempt. I sent a separate email to Ms. Padmavati explaining in detail a typical hack which makes her account is especially vulnerable. By the nature of the design of Kportal, her account was ‘most prone’ to a very popular class of attack (I am not mentioning the names of techniques for obvious reasons).

Guess what the response was!! I heard nothing back from them. They read the emails and didn’t bother to take any action on it. The portal still poses a big threat to the personal data of all the students/staff of NID. I volunteered to give specific inputs to harden their portal in case they need it but they don’t want any.

The downside of all this is that the students of NID are continually exposed to attacks leading to privacy invasion and data loss. I may not be the first person to discover this. Maybe there are many others who are snooping into accounts of these students without their knowledge.  Even worse, many people tend to keep their passwords same for various online accounts that they have. In such a case, getting a password from the NID portal will enable any attacker to login to the other accounts of users.  There are many more lateral attacks possible than I can enumerate here. Think about the secret question. What if you have different passwords for different accounts but you keep the same secret question-answer for all of them. As of today its fairly easy to get any of these detail of any NID student/staff.

There is an urgent need for NID to let the students know about the weakness that they had and send emails to all the 1848 students/staff registered on their portal to do the following:

• Change passwords of all other online accounts which had the same password as the one they used for K portal.

• Change the secret question/answer of all other online accounts that have the same secret question/answer pair as used on K portal.

I wish I could force them to do this. I wish they were a little more responsible. If you are running an organization this big, isn’t it your responsibility to protect your users data ??

So this fine night, I was struggling to make ‘upbazar.com’ live. I had been working really hard on this project since past couple of weeks and I was very excited about it. upbazar.com had a interesting story behind it. My computer vendor came up with this excellent idea of creating a ‘online marketplace’ which would provide a interface where users can search for businesses based on keywords. We would categorize local businesses (think dmoz) and also provide advanced search features to find local shops that sell the items or provide the service one is looking for. A kind of online yellow pages on steroids. The idea was to hire a bunch of sales executives who will visit local businesses (shops, restaurants etc.) and pursue them to buy one of our ‘silver’, ‘gold’ or ‘platinum’ packages which were priced at Rs. 250, Rs. 500 and Rs. 850 respectively. These were essentially their entries into our database. A silver package was just a listing on our website, a gold package was a highlighted entry and a platinum package also included a dedicated web page for that business (wow !).

All was set. Now this idea had to be implemented. Let me introduce you to the core team of this expedition. My computer vendor, Sandeep Saxena was the big boss (aka CEO) who would do all the funding for this project. I was the lead developer along with my friend Himanshu Yadav. My another friend Randeep Singh Bedi was the semi sales – semi tech guy. A true arm-twister as he is, he got himself designated as the ‘Director’ of the company and also got ‘company sponsored’ business cards (much to our disgust). A 22 years old director, wow. My yet another friend, Shashi Shekhar joined later and got involved into marketing domain.
So, the couple of things that were needed first were:

• A website – that was the core product,
• A office
• A bunch of sales executives who’d report to the office in the morning, get their areas and targets assigned, go to their designated area and work all day, come back in evening to report their status and deliver data to the dev team that would feed it to the databases.
• A manager who’d manage all this sales and marketing stuff.

I started the dev work on war scale. I’d spend entire nights to develop a site that was intuitive and which could scale well. Sandeep leased a office at a prime locality in Lucknow. I personally liked that office. Within no time we had telephone, internet and a couple of computers at our office. While on the other hand, we were recruiting for one manager and a couple of sales executives. We had advertized these vacancies in the leading local newspapers.

One rather interesting moment occurred to us one day. I and Randeep were sitting idle at office that day and a lady appears and says she’s come of a walk-in interview that we advertised in the newspaper. Normally we had nothing to do (and no say) in the recruitment process but since Sandeep wasn’t around, we thought to handle the situation. We posed as if we were the right people to talk to and started the interview. The lady ‘L Sri Priya’ was a rather short, dark complexioned south Indian and didn’t look like she was worthy enough for this job. But faces deceive. Our first question was about her work experience and the answer was that she has been a Manager in Standard Chartered bank for a couple of years. Now now now, we were quiet in trouble. We had no idea how to deal with a senior person that she was. Obviously we had no questions to ask. Although we did ask ‘why upbazar.com’ and why did you leave Standard Chartered. It turned out that her husband was transferred to Lucknow and she had to accompany him to this city and now she was looking for some job that won’t have any long term commitment.

She was good in all respect for our needs. Sandeep went by our word and hired her. Very soon we also had half a dozen sales executives. The company was growing fast, you see. However, I was never convinced by the core idea behind the company. Computer penetration in a city like Lucknow was very low. A fraction of people had computers at that time and only a fraction of the people who had computers had Internet. So why would a person log on to computer and visit a website to find out which is the best shop for him. Normally, a person knows where to get his daily stuff.

But I had a different interest in this project. Learning. I couldn’t afford a web space just for experimenting. Web server space was costly and I was just a student. So, I saw this as a big opportunity to play with a web space and know more about how a website is hosted.

So as I said before, I worked really hard to develop the website. And this night I was all set to make the site ‘live’. But the question was ‘How’? I had no idea what do I need to do to make my site run on the server. I didn’t know anything about FTP nor did I know how can I copy files to the server. So I was shooting queries like ‘copy file to server’, ‘run website on server’ on google (so nice that google was there at that time too). So it took a lot of discovery to figure out that we can upload file to a server with the help of something called FTP. Finally a couple of hours later, I could get my files up there and database configured. And lo… if I type upbazar.com on the browser, the website opens… the same one that opens on my localhost. It was a moment of triumph for me. Simply the thought that people can see my creation from anywhere in the world was so exhilarating. It was really a happy moment for me.
The site was up and within some time we had a couple of customers too.

And then we hit the wall. Persuading businesses to advertise with us was a difficult task. While we had customers, but we needed a lot more even to break even. As I look back to it, I feel there were a couple of things that could and should have been done differently.

• We were paying way too high to our manager. Fine that she was very qualified but she was over-qualified for the job that we had. We were paying her commensurate to her qualifications which was not right. We should have been paying her commensurate to the job requirements that we had.
• I feel that this project was way ahead in time for Lucknow. Lucknow (or for that matter even metro cities) was not technically advanced to fully leverage the benefits of such a system. People still preferred traditional ways to shop.
• Technology in general wasn’t at a stage where it could compliment our business. For example, there were no iPhones or smartphones then. I just think of a scenario where people would use PDA’s and our site would then have a mobile version where one could make use of all the facilities via mobile phones. This was much more convenient for a person who is on road and wants to lookup something.

Sandeep tried hard to continue the business. Unfortunately, he suffered huge losses in a years’ time and had to shut down the business. It was really sad. The domain name wasn’t renewed the following year and the site was off the Internet. It has been years since then, but whenever I chance to go alongside the road where that office was, I remember those days and feel bad about the outcome. I still have that website on my computer and it still works. Probably I’ll have it with me for the rest of my life. After all it was my first website that went ‘on air’.

Incidentally, the CEO of a New York based startup yext.com had come to Carnegie Mellon to hire engineers for his company. Yext.com is a ‘the next yellow pages’ company (and hence the name yext). He gave a impressive introduction about his company. Surprisingly, this company has a very similar concept that we had. During his entire address, I kept thinking about upbazar.com. Its a multi-million dollars company already and has only 4 engineers and about a couple of dozens of sales and marketing people. How similar to our setup. Obviously ideas are re-discovered over time and more importantly it’s their implementation that makes them work. Recently the business model of yext was liked by many at Techcrunch50 and he got huge funding.

Upbazar.com came to a end. But we all kept moving. Some in that team moved really far. I completed my engineering and moved to USA. Himanshu, the other developer, has moved to UK. Sandeep is doing fine with his primary business and Randeep is now a commercial pilot and flies Airbus A320(don’t be surprised – he is a sardar, he is bound to do crazy things.)

My technical skills have bettered since then and I have developed and hosted a lots of sites since then. Fortunately I landed up at Carnegie Mellon University where my learning curve has been exponential. With so many websites running on various collocated servers, lately recurring payments to web hosting companies was becoming a pain and so I thought – ‘time has come to have my own webserver’.

I had been searching for some hardware to turn it into a webserver. I found good enough box at craiglist and was all set to do the magic. So last night, there was a lot of resemblance in what I was doing a couple of years back. But my queries were a bit different though. This time they were ‘apache vs IIS’, ‘best linux disto for webserver’ and ‘chrooting for FTP’. After a couple of hours of configurations and installations, I had my webserver up, running and live. Running a webserver when you don’t want to make ‘any’ investments is a big Jugad. I am running my server on my home connection. So, I had to find and configure a free dynamic DNS, a free and robust dynamic DNS client, proper port forwarding and correct configurations. I specially stress on correct configuration for the reasons mentioned below.

Well, I am specializing in Information security and have taken many security/computer forensics classes. In more than one class, the professors told that it is common for a machine (specially server) to get attacked and compromised within hours once it gets connected to a wild wild internet. I always wondered how could that be

I don’t wonder anymore. Within hours after the DNS was set up to route traffic to my server, I got my first attack. A brute-force attack on FTP. I was very excited to see the attack happening right before my eyes. I quickly fired up wireshark and could see the passwords that the attacker was trying to access the FTP account. The pattern of passwords indicated a dictionary attack. My excitement did not last long as soon I realized that getting attacked is now the order of the day. I get almost 4-5 FTP attacks per day. The attacking computers are from all over the world- China, Korea, Germany.. you name it. For almost all the cases, the attacking computers are themselves compromised. It is the bot on that machine that is attacking my server and the owner of that computer doesn’t know it. Poor owners of those computers don’t even know that their computer has port 80 (http), 21(ftp) opened on their systems and that they are serving porn to the world and attacking other computers.

However, I’ll take a moment to clarify that although I get attacked many times a day, my server hasn’t been compromised on any of those attacks. I have set up sophisticated triggers that ban IP’s on 15 invalid attempts of FTP logins and other such security primitives. And for those who didn’t know, companies like google, facebook, amazon face huge attacks from around the world every hour and survive them. The internet is a very hostile environment – ask any system administrator and he’ll tell you the tales of horror.

My next action item is to make the server really secure. It will indeed be a shame if my server gets hacked. Currently it is on a Windows/Apache platform, I plan it to move it to Linux/Apache pretty soon. Currently my old school project http://mocktest.net runs on it. It’s a ASP website running on Apache so obviously isn’t functional but the point is that I can host php/mysql websites now.

Before I end my gigantic blog, a note to all my special friends: Come on, stop paying to your webhosts, your friend just got a ‘world class’ server. Gimme your code and I’ll host it for free !

So, this is the story of two triumphs of my life. Although the first triumph was much more special but nevertheless it is a great feeling to have my own webserver. It feels great whenever the server’s hard disk starts churning every now and then. I know that someone, somewhere in the world has clicked my website

Oh by the way.. here’s what my server looks like:

I and my Web Server !!

The bridge’s railing consists of 7000 programmable LED’s that animate to represent 6 different metaphors from his book “The Last Lecture”. The 6 animated sequence represent:

• Fun with Crayons
• Outer Space
• Make the Most of Each Day
• Be the First Penguin
• The Elevator in Randy’s Room
• Disney and the Circus

A beautiful video on the various sequence can be seen below.

This bridge will stand forever and keep inspiring generations of students who’ll walk on it. We’ll always miss him.
This picture was taken on 6 December 2009

Two rivers, Allegheny and Monongahela meet here to form the Ohio river. The place of confluence is called the Golden Triangle (between Allegheny and Monongahela) and there is a nice park at this place.

The beauty of this is accentuated by surrounding hills which present make the view even better. If you want to admire its real beauty, take a fun ride on Duquesne Incline to reach the top of Mt. Washington and start clicking

About this Picture:
This picture was taken from Mt. Washington on 19 Dec 2008.