Archive for the ‘UK VPS Hosting’ Category

Windows-based Firewall Installation (Juniper Netscreen 5-GT)

Friday, September 7th, 2007

Bodhost.com provides Windows-based firewall protection for its servers in partnership with Juniper Networks, a vendor known for its security products. The firewalls we offer are cost-effective while still providing strong protection.

The NetScreen is an all-in-one security appliance that combines a firewall with IPS, anti-virus, anti-spam and network filtering. We also apply regular anti-virus updates so the protection keeps up with day-to-day threats.

The Juniper NetScreen 5GT has 5 Ethernet interfaces, which can be assigned to different configurations.

Bodhost.com also provides Cisco firewall protection, which will be covered in our next web hosting knowledgebase article.

Bodhost.com Security Issues - Linux - APF Firewall (IP-Tables / Netfilter)

Friday, September 7th, 2007

APF Firewall (Advanced Policy Firewall)

Linux-based Firewall (Netfilter / IPtables)

Firewalls secure networks to a major extent. Bodhost.com has always aimed to provide better security to all our customers, and our support team works day and night to keep improving the security of all our clients' servers.

Advanced Policy Firewall (APF) is a Linux-based firewall that aims to meet today's security needs. It is built on top of iptables (netfilter). The ‘apf’ command is used to manage it and gives us statistics and information about the current rule set.

It normally applies the following kinds of policies:

> Static rule based policies - Traffic management of incoming and outgoing connections
> Connection based stateful policies - Only known connections are allowed
> Sanity based policies - Management of different kinds of traffic

Some of the features of APF are as follows -

> Detailed configuration file
> Inbound and outbound filters
> Known connection / application filters
> Rule downloads
> Reactive address blocking (RAB)
> Feature test in debugging mode
> Speeding connection features
> Individual network connections
> Global TCP/UDP port / ICMP filters
> Rate of packet flows
> Network rule configurations
> Network / IP bans
> Verification of routing
> Attack filters
> Traffic detection
> Easy configuration
> P2P application filters
> Network stats
> Kernel configurations with firewall
> Network limit set

PHP suhosin

Monday, August 13th, 2007

Suhosin is a PHP hardening project for securing the server and its users, intended as an advanced protection system. It has two parts: a) a small patch that adds protection against some vulnerabilities, and b) a powerful PHP extension that provides high-level security.

Advantages of Netfilter / IPtables

Monday, March 19th, 2007

a) Used to inspect and filter network packets
b) Network address translation (NAT)
c) Backwards compatibility with ipchains
d) Modification of packet filter rules
e) Open source

How to Setup SSL certificate?

Tuesday, December 19th, 2006

This article explains how to set up SSL on IIS 5.0, using Certificate Server 2.0 as the certificate provider -

1) Web server certificate request -
a) Start Internet Services Manager > right-click the web site on which you want to enable SSL > Properties > Directory Security tab > Server Certificate to start the Web Server Certificate Wizard.
b) Next > Create a new certificate
c) Next > Name the certificate > Select Server Gated Cryptography
d) Next > Select the organizational unit
e) Next > Common name: this must match the host name in the URL; if the URL is https://www.mydomain.com/securedir, then the common name must be www.mydomain.com.
f) Next > Type Country, State, City or locality.
g) Next > Select location and file name.
h) Next twice > Finish

2) Processing the request on the Certificate Server -
a) Browse to CAServerName/CertSrv > Request Certificate
b) Next > Advanced request > Next > Submit a certificate request using a base64 encoded PKCS #10 file, or a renewal request using a base64 encoded PKCS #7 file.
c) Next > Open the request file that was saved from the Web Server Certificate Wizard in Notepad > paste the entire text of the file > Submit > the Pending Certificate dialog box appears > if asked to download, skip to step 2 > Close the browser > Open the Certification Authority MMC > expand the tree under the server name > select the Pending Requests folder.
d) Right-click the certificate that was submitted > All Tasks > Issue > Close the CA MMC.
e) Open a new browser window and browse to the same URL > Check on a pending certificate > Next > Select the earlier request > Next > DER encoded > Click Download CA certificate > Save the file > Close the browser.

3) Finish processing the IIS request and enable SSL -
a) Internet Information Services MMC > right-click the web site on which you want to enable SSL > Properties > Directory Security tab > Server Certificate.
b) Next > Process the pending request and install the certificate.
c) Next > Enter the path/file name of the saved certificate > Next twice > Finish.
d) Web Site tab > the default SSL port is 443 > OK > Close the Web Site Properties dialog box.

SSL can now be used on the server. The site's URL will start with https:// instead of http://.

Kernel Security

Tuesday, December 19th, 2006

Maintaining kernel security is one of the important tasks of a sysadmin, especially against attackers. So, friends, the following tips help manage kernel security through the /proc pseudo-filesystem: quite a few files under /proc/sys are directly related to security, and each such parameter is just a flag (a boolean value) that needs to be set.

A feature is enabled if the file contains 1 and disabled if it contains 0. Many of these options live under /proc/sys/net/ipv4, such as:

icmp_echo_ignore_all : Ignore all ICMP ECHO requests (ping requests)

ip_forward : Enables or disables forwarding of IP packets between interfaces, depending on whether the kernel is configured as a host or a router.

For example, take a look at this command:

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

The above command makes the server ignore (deny) all ping requests. Note that it is the value 1 that turns the ignore flag on; writing 0 would re-enable ping replies.

The command sysctl -A shows all kernel configuration parameters currently set on the server. At boot the settings in the configuration file /etc/sysctl.conf are applied (sysctl -p loads them), so a value written with echo lasts only until the next reboot unless it is also added to that file.

Caution!! Don't try this with other parameters you are not familiar with; otherwise the result may be a KERNEL PANIC…
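The following script is an added example, not code from the original post: it audits a few boolean flags in /proc/sys/net/ipv4 against the value a hardened host should carry, and wraps the "echo value > file" step so that only 0 or 1 ever reaches a file that actually exists. The SYSCTL_BASE variable is an assumption made so the same functions can be run against a constructed copy of the tree; by default they read the live kernel (writing needs root).

```shell
#!/bin/sh
# Added example, not from the original post. SYSCTL_BASE (assumed) lets the
# functions be pointed at a constructed copy of the /proc/sys/net/ipv4 tree.
SYSCTL_BASE="${SYSCTL_BASE:-/proc/sys/net/ipv4}"

# name:wanted:reason, space separated. ip_forward=0 matches the post's note that
# a host (not a router) should not forward; the others are standard knobs that
# live in the same ipv4 tree.
AUDIT_FLAGS="icmp_echo_ignore_broadcasts:1:ignore_broadcast_ping \
tcp_syncookies:1:resist_syn_flood \
ip_forward:0:host_not_router \
conf/all/accept_redirects:0:ignore_icmp_redirects \
conf/all/rp_filter:1:reverse_path_check"

# read_flag NAME: print the current value, or "missing" if the file is absent.
read_flag() {
    if [ -r "$SYSCTL_BASE/$1" ]; then cat "$SYSCTL_BASE/$1"; else echo missing; fi
}

# is_bool VALUE: the only two values the post says these flag files take.
is_bool() { [ "$1" = 0 ] || [ "$1" = 1 ]; }

# set_flag NAME 0|1: the post's echo, refusing anything that is not 0/1 (exit 2)
# or a file that does not exist / is not writable (exit 1), then re-reading the
# file to confirm the kernel accepted the value.
set_flag() {
    f="$SYSCTL_BASE/$1"
    is_bool "$2" || { echo "refusing non-boolean value '$2' for $1" >&2; return 2; }
    [ -w "$f" ] || { echo "$f is missing or not writable" >&2; return 1; }
    echo "$2" > "$f" && [ "$(cat "$f")" = "$2" ]
}

# audit_flags: print one line per flag (OK, WEAK, MISSING or NOTBOOL) and
# return the number of flags that are not at their hardened value.
audit_flags() {
    bad=0
    for spec in $AUDIT_FLAGS; do
        name=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; why=${rest#*:}
        got=$(read_flag "$name")
        if [ "$got" = missing ]; then state=MISSING; bad=$((bad + 1))
        elif ! is_bool "$got"; then state=NOTBOOL; bad=$((bad + 1))
        elif [ "$got" = "$want" ]; then state=OK
        else state=WEAK; bad=$((bad + 1))
        fi
        printf '%-7s %-26s want=%s got=%s (%s)\n' "$state" "$name" "$want" "$got" "$why"
    done
    return $bad
}
```

Run audit_flags before and after a change so the exit status tells you how many flags still differ from the hardened value.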

Kernel Introduced

Tuesday, December 19th, 2006

The kernel is the core of the operating system; it is the program that controls the basic services that are utilised by user programs, and it is this suite of basic services, in the form of system calls, that makes an operating system “UNIX”.

The kernel is also responsible for:
-CPU resource scheduling (with the associated duties of process management)
-Memory management (including the important implementation of protection)
-Device control (including providing the device-file/device-driver interface)
-Security (at a device, process and user level)
-Accounting services (including CPU usage and disk quotas)
-Inter Process Communication (shared memory, semaphores and message passing)

The Unix kernel acts as a mediator for your programs. First, it does the memory management for all of the running programs (processes), and makes sure that they all get a fair share of the processor’s cycles. In addition, it provides a nice, fairly portable interface for programs to talk to your hardware.

The kernel is physically a file that is usually located in the /boot directory. Under Linux, this file is called vmlinuz.

bash-2.05a# ls -l /boot/vm*
-rwxr-xr-x 1 root root 3007276 Mar 14 04:10 vmlinux-2.4.18-27.7.x
lrwxrwxrwx 1 root root 21 Mar 28 23:20 vmlinuz -> vmlinuz-2.4.18-27.7.x

You can see in this instance that the “kernel file” is actually a link to another file containing the kernel image. The actual kernel size will vary from machine to machine. The reason for this is that the size of the kernel is dependent on what features you have compiled into it, what modifications you’ve made to the kernel data structures and what (if any) additions you have made to the kernel code.

vmlinuz is referred to as the kernel image. At a physical level, this file consists of a small section of machine code followed by a compressed block. At boot time, the program at the start of the kernel is loaded into memory at which point it uncompresses the rest of the kernel.

An uncompressed kernel is really a giant object file, the product of C and assembler linking; the kernel is not an “executable” file (i.e. you can’t just type vmlinuz at the prompt to run the kernel). The actual source of the kernel is stored in the /usr/src/ directory; a typical listing may produce:

bash-2.05a# /usr/src/ ls -l
total 8
lrwxrwxrwx 1 root root 19 Mar 28 23:19 linux-2.4 -> linux-2.4.18-27.7.x
drwxr-xr-x 17 root root 4096 Mar 28 23:19 linux-2.4.18-27.7.x
drwxr-xr-x 7 root root 4096 Mar 28 23:08 redhat

/usr/src/linux is a soft link to one of the kernel source trees under /usr/src/ - this means you can store several kernel source trees - however - you MUST point the /usr/src/linux soft link at the version of the kernel you will be compiling, as several components of the kernel source rely on this.

Take note of the /boot/vmlinux* file - this is the uncompressed kernel! Notice the size? [vmlinuz is the .z (or compressed) version of vmlinux plus the decompression code]

Within this directory hierarchy are in excess of 1300 files and directories, consisting of around 400 C source code files, 370 C header files, 40 assembler source files and 46 Makefiles. These, when compiled, produce around 300 object files and libraries.

While this may seem like quite a bit of code, much of it actually isn’t used in the kernel. Quite a large portion of this is driver code; only drivers that are needed on the system are compiled into the kernel, and then only those that are required at run time (the rest can be placed separately in things called modules).

In the case of Linux, the following steps are performed to boot the kernel:

1) The boot loader program (e.g. lilo or grub) starts by loading the vmlinuz from disk into memory, then starts the code executing.
2) After the kernel image is decompressed, the actual kernel is started. This part of the code was produced from assembler source; it is totally machine specific. Technically at this point the kernel is running. This is the first process (0) and is called swapper. Swapper does some low level checks on the processor, memory and FPU availability, then places the system into protected mode. Paging is enabled.
3) Interrupts are disabled (every one) though the interrupt table is set up for later use. The entire kernel is realigned in memory (post paging) and some of the basic memory management structures are created.
4) At this point, a function called start_kernel is called. start_kernel is physically located in /usr/src/linux-2.4.18-27.7.x/init/main.c and is really the core kernel function - really the equivalent of the void main(void). main.c itself is virtually the root file for all other source and header files.
5) start_kernel sets up the memory, interrupts and scheduling. In effect, the kernel now has multi-tasking enabled. The console has already had several messages displayed to it.
6) The kernel command line options are parsed (those passed in by the boot loader) and all embedded device driver modules are initialised.
7) Further memory initialisations occur, socket/networking is started and further bug checks are performed.
8) The final action performed by swapper is the first process creation with fork, whereby the init program is launched. Swapper now enters an infinite idle loop.

It is interesting to note that as a linear program, the kernel has finished running! The timer interrupts are now set so that the scheduler can step in and pre-empt the running process. However, sections of the kernel will be periodically executed by other processes.

How to block a website on your computer

Tuesday, November 28th, 2006

Do you want to block some site from being browsed on a personal computer running Windows?

OK, then do this. Go to:

C:\WINDOWS\system32\drivers\etc

Open the “hosts” file in Notepad. At the bottom you can see a line like this:
127.0.0.1 localhost

Add the following line at the end, replacing www.blocksitename.com with the name of the site you want to block:
127.0.0.1 www.blocksitename.com

Mysql backup script

Tuesday, November 28th, 2006

#!/bin/sh
# Date stamp (month-day-year) so every run keeps its own backup file
date=`date '+%m-%d-%y'`
# Dump the database; the database name is missing from the original script and is assumed to be pva_test here
mysqldump -upva_test -ppva_test pva_test > /home/pva/mysql_backup/pva_test.$date.sql
# A password passed with -p is visible to other users in the process list; a ~/.my.cnf with restricted permissions avoids that
# The script runs as root, so hand the backup files back to the pva user
chown -R pva:pva /home/pva/mysql_backup

How to fix quota

Tuesday, November 28th, 2006

To fix these errors you simply need to use the quotacheck command to rebuild the quota databases. Basic quotacheck usage is simple. First disable quotas with the “quotaoff” command, then delete (or rename) the existing quota database (the files called quota.user and quota.group), then use quotacheck to rebuild the database, and finally turn quotas back on with the “quotaon” command. For example:

quotaoff -av
mv /aquota.user /aquota.user.bak
mv /aquota.group /aquota.group.bak
quotacheck -agiuv
quotaon -av

Note that this is an example only. The exact location of your aquota.user and aquota.group may vary, and these files may be called simply quota.user and quota.group. You may also have more than one copy of these files if you have quotas enabled for more than one filesystem. Check /etc/fstab to see which filesystems have quotas enabled: filesystems with quotas enabled will have the usrquota and grpquota options turned on. So, for example, if your /etc/fstab has lines like these in it

LABEL=/ / ext3 usrquota,grpquota,defaults 1 1
/dev/hda3 /home ext3 defaults,usrquota,grpquota 1 2

Then your / and /home filesystems have quotas enabled and there will be two sets of aquota files to delete or rename: /aquota.* and /home/aquota.*

Try to rebuild quotas when the server is not busy and, if you can, shut down httpd, ftp and other non-essential services so that nothing is trying to change the files on disk while the quotas are being rebuilt. It is not absolutely necessary to run quotacheck on an inactive system, but if there is activity then errors can creep into the disk space usage count. Shutting down the system services will also help quotacheck run faster.
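The script below is an added example, not part of the original post: it reads the fstab, lists every filesystem whose options carry usrquota and/or grpquota, derives the aquota.user / aquota.group paths the post tells you to rename, and prints the quotaoff / mv / quotacheck / quotaon sequence expanded for all of them so it can be reviewed before anything is run. The FSTAB variable is an assumption so the functions can be pointed at a constructed file instead of /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original post. FSTAB (assumed) defaults to the
# live file so the functions can also be run against a constructed one.
FSTAB="${FSTAB:-/etc/fstab}"

# quota_mounts: print "mountpoint kinds" for every fstab entry whose mount
# options contain usrquota and/or grpquota; comments and blank lines are skipped.
quota_mounts() {
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        kinds=""
        case ",$opts," in *,usrquota,*) kinds="user" ;; esac
        case ",$opts," in *,grpquota,*) kinds="${kinds:+$kinds,}group" ;; esac
        if [ -n "$kinds" ]; then printf '%s %s\n' "$mnt" "$kinds"; fi
    done < "$FSTAB"
    return 0
}

# quota_files: the aquota files quotacheck rebuilds, one per line, in the form
# the post uses (/aquota.* for the root filesystem, /home/aquota.* for /home).
quota_files() {
    quota_mounts | while read -r mnt kinds; do
        base="${mnt%/}"   # "/" becomes "" so the root files read /aquota.user
        case ",$kinds," in *,user,*) echo "$base/aquota.user" ;; esac
        case ",$kinds," in *,group,*) echo "$base/aquota.group" ;; esac
    done
}

# rebuild_plan: the post's command sequence, with one mv per quota file found,
# printed rather than executed so it can be checked on a quiet system first.
rebuild_plan() {
    echo "quotaoff -av"
    quota_files | while read -r f; do echo "mv $f $f.bak"; done
    echo "quotacheck -agiuv"
    echo "quotaon -av"
}
```

Pipe rebuild_plan into sh only after reading it, and only once httpd, ftp and the other services named above are stopped.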