sph1.net

nix info for the non-geek and geek alike sponsored by Blockdos.net

Server Admin for Hire

Aug-19-2010 By admin

I am looking for full time, part time or one time jobs for server admin work. I have over 5 years experience with hosting and servers. Anyone who has kept up with my blogs – evolution-security.com, nix101.com and sph1.net (current) can safely assume I know what I am doing. If any individual or company is needing an honest, reliable and skilled admin based in the eastern US I am the man for the job.

Click below to download my resume

Resume Download

This is someone’s lame attempt to patent the method of fighting ddos attacks but it is very informative and a good read

Method and apparatus for defending against SYN packet bandwidth attacks on TCP servers

Future of the blog

Aug-9-2010 By admin

My assignments at blockdos have come to a close and I am unsure of what to do about the blog, whether they will want me to continue hosting it with them or not. I may end up moving it if they are not going to use it. In the meantime I am looking for admin work and/or writing positions. If anyone is looking for a good and reliable admin that knows all aspects of the hosting industry contact me at jonvfelosi@gmail.com

I wish to thank all the people at Blockdos/Server4sale for the help they gave me while I was recovering from the disaster of a merger I went through last fall. I would have continued working for Blockdos if they had the time to go ahead with the projects they brought me on for, but they don’t, so I am back on the job market.

I will be regularly posting on the hosting forums looking around but if anyone happens by my blog and would like to speak to me email jonvfelosi@gmail.com

Professional DDOS Protection Guaranteed for $299/mo. Don’t Pay until Website is UP!

BlockDos.Net is offering Professional DDOS Protection Service from $299 a month for limited time. Protection against all type of attacks. We have our OWN Mitigation system in addition to some of the great companies here. You can fill out under attack or contact us form on our website if you need emergency assistance.
For normal queries you can ask here or email sales { at } blockdos.net

Years of Experience: 8+ Years

Specialty: Protecting Websites Against DDOS attacks GUARANTEED

Mitigation Locations: 11+ World Wide

Washington, DC
Los Angeles
Chicago
Dallas
Seattle
Toronto
Vancouver
Montreal
Netherlands
London
Russia
Ukraine
Sweden
Malaysia
More Coming Soon

Company Based In: Canada

Industries We Serve:

Financial Institutions
Governments
Online Gaming
Pharmaceuticals
E commerce
Aviation
Payment Processors
Corporate Sites
Public Sector

What Makes us Different?

For Customers:

Free Setup
No Pre Payment Required
Do not Pay until your website is operational
Providing Complete assistance on your end to bring you up and running.
IM / Phone support when doing the setup
Communicating with your Service providing on your behalf.
Emergency Setup at NO charge
NO CONTRACTS

For Clients:

Free Upgrades to Higher Protection
Free DNS
Monitoring of your website 24/7/365
Professional Advice
Recommendations on Performance Optimization
Custom Error Page
Secondary IP

In General:

Multiple Locations. So you can get the best speed possible
Can Filter very large DDOS attacks without asking you for payment first.
And Many more.

How it Works?
http://www.blockdos.net/process.html

DDOS Protection Plans:
http://www.blockdos.net/ddosprotection_plans.html

Prices:
Starts from $299

Technical Support:
IM / Email / Phone
24/7/365

Payment Type:
Bank Wire ( Preferred ) , Credit Cards , Digital Currencies like PayPal / LibertyReserve / WMZ / AlertPay Accepted

For More Information, Please visit us at www.BlockDos.Net
If you need emergency assistance , You can fill out under attack or contact us form on our website. For normal queries you can ask here or email sales { at } blockdos.net

Trimmed mod_security ruleset

Jun-14-2010 By admin

I am sure some of you have tried to activate the rules from gotroot.com and got nothing but syntax errors or tons of false positives right away. It has always been that way with them. Although I am thankful they make the rules, or gather them, whatever, I wish they would at least perform syntax checks and live server testing first. I have even tried to contact them before to offer my experience and solutions but they never implemented them or replied to me. Maybe they want the rules like that to get people on the paid service? Who knows. They are a decent ruleset though once you weed out the false positives and syntax errors. I have also found it best to delete all of the malware and antispam rules as they have LOTS of false positives.

Ok, so if you know how to add these to httpd.conf then just go ahead and grab them

wget ddosfilter.com/modsec2.tar.gz

If you need some guidance read on:

For Apache users:
First make sure mod_security is installed. If it is not and you are using cPanel, re-run EasyApache with mod_security selected. For other control panels, or none, just google or find out how to install mod_security 2.
Wget the rules to your httpd conf directory, usually /etc/httpd/conf or /usr/local/apache/conf
In httpd.conf add
Include "/usr/local/apache/conf/modsec2.conf"

For LiteSpeed users:
cd to your conf directory; if you are using the Apache config it is the same as above.
LiteSpeed can read mod_security 2 syntax, so simply add
Include "/usr/local/apache/conf/modsec2.conf"
to your server config file. If you are using the Apache config, do as above and add the line to httpd.conf
With LiteSpeed it is not strictly necessary to have mod_security installed. HOWEVER, if you are using cPanel or any other control panel that uses Apache by default and uses Apache to do SSL certs and such, you will need to make sure mod_security is installed and that, with the above Include line added to your httpd.conf, the config passes the syntax check: service httpd configtest
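The Include-then-configtest step above, written so that a ruleset that fails the syntax check never stays in the live config. This is an added example, not the author's script; the function name add_include is hypothetical, and it assumes the tarball has already been extracted so that modsec2.conf exists.

```sh
#!/bin/sh
# Added example (not from the original post). add_include is a hypothetical
# helper; the config path, rules path and check command are all passed in.

# add_include CONF RULES CHECK...: append Include "RULES" to CONF once, run
# the CHECK command, and restore the original CONF if the check fails.
add_include() {
    conf=$1; rules=$2; shift 2
    [ -r "$rules" ] || { echo "rules file $rules not readable" >&2; return 2; }
    line="Include \"$rules\""
    # Idempotent: do nothing if the exact Include line is already present.
    if grep -Fqx "$line" "$conf"; then
        echo "already included"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 2
    # Leading newline guards against a config file with no final newline.
    printf '\n%s\n' "$line" >> "$conf"
    if "$@"; then
        echo "include added, syntax check passed"
    else
        cp -p "$conf.bak" "$conf"
        echo "syntax check failed, $conf restored" >&2
        return 1
    fi
}

# Usage on a live server, with the values from the post:
# add_include /usr/local/apache/conf/httpd.conf \
#     /usr/local/apache/conf/modsec2.conf service httpd configtest
```

The backup is left at httpd.conf.bak either way, so the previous config can be compared after the change.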

Here is the latest stable grsec tarball. All pre-configured and pre-patched, it also includes the latest binutils as it will be needed for pax in some OS releases due to old binutils. This has been configured for 64 bit machines.
http://ddosfilter.com/linux-2.6.32.15-grsec.tar.gz

Eaccelerator Cache Emptying Cron

Jun-5-2010 By admin

Repost from nix101 days. Retrieved from WHT.

I’m sure all of you who use eaccelerator know how big the cache can get and that it needs emptied manually. Well at least to my knowledge it does, the only thing I have seen that you can configure is the shm pruning. If anyone does know such a feature with eaccelerator please share. But I also notice a performance decrease and a few php errors mostly related to memory allocations here and there.

Anyway I was piddling around and came up with a command to disable eaccelerator from php.ini, delete the cache folder and then enable it back. I figured this would be good as a daily cron. I would like some input if anyone knows any better ways.

So I wanted to share this in case someone else here has the same problems with eaccelerator cache folder getting huge. If anyone knows a way to make this better or shorter please reply with solution.

Of course this will vary depending on where your php.ini is and where your eaccelerator cache is. Just replace those values with yours. I’m sure there is also a way to use similar commands to find and input these values, again if anyone knows please share.

find /usr/local/lib -name 'php.ini' | xargs perl -pi -e 's/extension="eaccelerator.so"/;extension="eaccelerator.so"/g' ; rm -rf /usr/lib/php/eacc ; mkdir /usr/lib/php/eacc ; chmod 4777 /usr/lib/php/eacc ; find /usr/local/lib -name 'php.ini' | xargs perl -pi -e 's/;extension="eaccelerator.so"/extension="eaccelerator.so"/g'

Securing Bind

Jun-4-2010 By admin

These days bind comes more secure than it used to via the OS install or control panel install of it. It seems to have recursion turned off by default, which is good, as open dns servers are responsible for some of the biggest ddos attacks on the net, and if your dns server is open chances are you have attacked people before. What I used to find so funny is that when I had a client come under dns amplification attack we would get tons of TOS complaints from admins and networks claiming we were attacking their dns server, when in reality they were the ones attacking us, as the attack works by the attacker sending spoofed dns queries using the victim ip to the open dns servers. People would see the victim ip supposedly connected to their dns server so much and assume it was the victim attacking them. The ironic and moronic part is, if they are so vigilant in checking their logs and connections, why can’t they simply investigate the connection or query a lil more or check their named.conf? Or heck, why can’t they run a simple dns check like on intodns.com or dnsstuff.com?

Anyway, a post on WHT reminded me to make this post. The first thing to check for in your named.conf is that recursion is off, by adding or making sure recursion no; is in the options area. Also make sure zone transfers are disabled so no one can do AXFR lookups on you or use this as a method for attacking you. Simply add allow-transfer {127.0.0.1;}; to the options area as well.
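A way to check a named.conf for the two settings above without reading it by eye. This is an added example, not part of the original post; the function names and the sample file are constructed for illustration, and only the global options block is inspected.

```sh
#!/bin/sh
# Added example: audit the global options { } block of a named.conf.
# Assumptions: /* */ comments and per-view or per-zone overrides are ignored.

# Print the options { ... } block with // and # comments stripped.
options_block() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | awk '
        /^[ \t]*options[ \t]*[{]/ { inside = 1; depth = 0 }
        inside {
            print
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) inside = 0
        }'
}

# Print one line per finding; return 0 only when both settings are in place.
audit_named_conf() {
    opts=$(options_block "$1")
    findings=0
    if ! printf '%s\n' "$opts" |
        grep -Eq '(^|[[:space:];{])recursion[[:space:]]+no[[:space:]]*;'; then
        echo "FINDING: 'recursion no;' is not set in options"
        findings=$((findings + 1))
    fi
    # Join lines so an address list split over several lines is still matched.
    acl=$(printf '%s\n' "$opts" | tr '\n' ' ' |
        grep -Eo 'allow-transfer[[:space:]]*[{][^}]*[}]' || true)
    if [ -z "$acl" ]; then
        echo "FINDING: allow-transfer is not set in options"
        findings=$((findings + 1))
    elif printf '%s\n' "$acl" | grep -Eq '[{[:space:];]any[[:space:]]*;'; then
        echo "FINDING: allow-transfer permits any host"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample (not from the page): recursion on, no allow-transfer.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    directory "/var/named";
    recursion yes;   // open resolver
};
EOF
audit_named_conf "$sample" || echo "named.conf needs attention"
rm -f "$sample"
```

Run it against the real file with audit_named_conf /etc/named.conf (adjust the path to your install); a zero exit status means both settings were found in the options block.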

Some Useful Shortcut Commands

Apr-14-2010 By admin

Here are some useful shortcut commands I use on every server.

echo "netstat -ntup" > /usr/bin/nst ; chmod 700 /usr/bin/nst

echo "netstat -ntup | grep SYN_RECV" > /usr/bin/syng ; chmod 700 /usr/bin/syng

echo "nano -w /usr/local/lib/php.ini" > /usr/bin/phpc ; chmod 700 /usr/bin/phpc

echo "/opt/lsws/bin/lswsctrl restart" > /usr/bin/ltr ; chmod 700 /usr/bin/ltr

echo "nano -w /etc/httpd/conf/httpd.conf" >/usr/bin/htc ; chmod 700 /usr/bin/htc

More will be updated soon

PHP Shell Hunting

Apr-9-2010 By admin

I found some links on the net useful for finding php shells in hosting servers

Find r57 and c99 Shells Hidden Inside PHP and TXT Files – Nullamatix – Technology Made Simple

How to search for backdoor PHP shell scripts on a hacked server

And the other day I had to break down and have a client install Configserver Exploit Scanner, which actually does about all this and more for you. But if you look to do this yourself here are 2 useful links. I’ll update this with a tutorial and more info soon.