Today I discovered this gem in my OSSEC logs:
Back on the 12th August I wrote about my discovery of forced opt-in spyware in the popular Google Chrome extension 'Awesome Screenshot', which tracks and sends all browsing history over plaintext HTTP to an upstream marketing service.
UPDATE: Awesome Screenshot 3.7.12 now offers an 'opt-out' setting to address this (but it's on by default) - read my new article here.
Back in June, my OSSEC logs alerted me to some web crawling activity by a crawler with a user-agent of 'niki-bot'. Chances are if you grep or analyse your web logs, you've seen it too.
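The quick triage a practitioner does on a web access log once a user-agent like 'niki-bot' shows up, as an added example that is not code from the original post: tally requests per user-agent, find which source IPs sit behind a given agent, and check what share of its requests hit error codes (a cheap tell for a crawler guessing paths rather than following links). The log lines are constructed for illustration, in Apache/nginx combined format with documentation IP ranges; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. The access-log lines below are
# constructed, not real, and use documentation IP ranges.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [14/Jun/2013:10:01:02 +1000] "GET /node/1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; niki-bot)"
203.0.113.7 - - [14/Jun/2013:10:01:03 +1000] "GET /node/2 HTTP/1.1" 200 4711 "-" "Mozilla/5.0 (compatible; niki-bot)"
198.51.100.9 - - [14/Jun/2013:10:01:05 +1000] "GET /user/login HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/21.0"
203.0.113.7 - - [14/Jun/2013:10:01:06 +1000] "GET /sitemap.xml HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; niki-bot)"
192.0.2.44 - - [14/Jun/2013:10:02:00 +1000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
EOF

# Splitting on double quotes, combined-format fields land as:
#   $1 = client ip, ident, user, timestamp   $2 = request line
#   $3 = status and bytes                   $6 = user-agent

# Requests per user-agent, busiest first.
ua_counts() {
  awk -F'"' '{ n[$6]++ } END { for (ua in n) printf "%d\t%s\n", n[ua], ua }' "$1" | sort -rn
}

# Number of requests whose user-agent contains the given substring.
count_ua() {
  awk -F'"' -v pat="$2" 'index($6, pat) { c++ } END { print c+0 }' "$1"
}

# Source IPs behind a given user-agent substring, with request counts.
ua_sources() {
  awk -F'"' -v pat="$2" 'index($6, pat) { split($1, a, " "); print a[1] }' "$1" \
    | sort | uniq -c | sort -rn
}

# Percentage of a user-agent's requests that returned 4xx/5xx (integer).
ua_error_pct() {
  awk -F'"' -v pat="$2" '
    index($6, pat) { n++; split($3, s, " "); if (s[1] + 0 >= 400) e++ }
    END { if (n == 0) print 0; else printf "%d\n", (100 * e) / n }' "$1"
}

# Usage against the constructed sample:
ua_counts "$SAMPLE_LOG"
ua_sources "$SAMPLE_LOG" niki-bot
echo "niki-bot error rate: $(ua_error_pct "$SAMPLE_LOG" niki-bot)%"
```

Point the functions at a real access log instead of the sample file to get the same view of your own traffic; a high error percentage concentrated on one source IP is the usual shape of a crawler probing for paths it has no business knowing about.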
I recently spoke at the Drupal Melbourne July meetup about the open source intrusion detection system OSSEC, and how it can be used to give you more insight into attacks/strange/broken activity on your Drupal sites (as well as more generally across your infrastructure).
I recently got a few Yubikeys and have been implementing PAM, SSH integration and the like for two factor authentication across a range of infrastructure.
Having learnt the hard way over the years, I always make sure to implement a set of firewall rules not just inbound to my servers, but also outbound for traffic leaving them.
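What an egress-filtering rule set looks like in practice, as an added example that is not from the original post: a generator for an iptables-restore ruleset where OUTPUT defaults to DROP and only the traffic a server actually needs (replies to allowed connections, DNS to named resolvers, NTP, and HTTP/HTTPS to one package mirror) is let out, with everything else logged before it is dropped. The resolver and mirror addresses are placeholders from the documentation ranges and the function name is my own; the script only applies the rules if you set APPLY_RULES=1 and run it as root, otherwise it prints them.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses are assumptions
# (documentation ranges); replace them with your resolvers and apt mirror.
RESOLVERS="${RESOLVERS:-192.0.2.53 198.51.100.53}"
APT_MIRROR="${APT_MIRROR:-203.0.113.10}"

# Emit an iptables-restore ruleset: default DROP on INPUT and OUTPUT,
# explicit allow-list for outbound, log-then-drop for the rest.
egress_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# loopback is always fine
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections already allowed, in either direction
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: SSH only
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# outbound: DNS to our own resolvers only (udp and tcp)
EOF
  for r in $RESOLVERS; do
    printf '%s\n' "-A OUTPUT -p udp -d $r --dport 53 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -p tcp -d $r --dport 53 -j ACCEPT"
  done
  printf '%s\n' "# outbound: NTP, and package updates from one mirror"
  printf '%s\n' "-A OUTPUT -p udp --dport 123 -j ACCEPT"
  printf '%s\n' "-A OUTPUT -p tcp -d $APT_MIRROR -m multiport --dports 80,443 -j ACCEPT"
  cat <<'EOF'
# anything else trying to leave the box is logged (rate-limited) and dropped
-A OUTPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Dry-run by default; apply only when explicitly asked and running as root.
if [ "${APPLY_RULES:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] \
   && command -v iptables-restore >/dev/null 2>&1; then
  egress_rules | iptables-restore
else
  egress_rules
fi
```

The LOGDROP chain is the part that pays for itself: once the allow-list is in place, the "EGRESS-DROP:" lines in the kernel log are exactly the unexpected outbound connections (a compromised web app calling home, a cron job pulling from somewhere new) that an IDS like OSSEC can then alert on.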
I really like OSSEC, the open-source intrusion detection system, and deploy it wherever I'm working. Not only is it great from a security point of view (detecting brute force attacks, crawlers, XSS injection attempts, bad permissions on files, modifications to files, notification of installed/removed packages, presence of rootkits and so on), but it's also really good at exposing the general state of things on your infrastructure that might otherwise go unnoticed (even if they're logged).
1. Add this line to /etc/apt/sources.list, or put it in a new file called /etc/apt/sources.list.d/mig5.list:
deb http://debian.mig5.net/debian/ wheezy main
2. My repo is signed with my GPG public key. To fetch the key: