Archive for the ‘Security’ Category

BAM Vulnerabilities
Thursday, December 4th, 2008

BAM is a company that provides services to Students’ Unions around the country, primarily dealing with union websites. My Students’ Guild signed up with them last year to provide our website; from the off I was quite opposed to the move, anticipating it would turn into a complete joke, which, naturally, it has. BAM uses its own proprietary, in-house developed content management system; from the outside it looks bloody awful and I am reliably informed that the administration side of things is worse. Last month a meeting was held to discuss the Guild website and what was wrong with it; the general consensus was: everything. Pushed on by this I decided to take a poke around and see if I could find any vulnerabilities. I didn’t have to look hard; it only took me 10 minutes to find the first. I found two more before I decided I would stop, in case I scared myself senseless.

Punching holes in Firewalls
Sunday, November 16th, 2008

It is a lot easier than you think.
OpenSSH, which can only be described as the best utility of all time, is quite a versatile tool. One feature people use frequently is port forwarding: it opens a port on your computer that forwards data over the SSH connection to the destination you specify, very useful when you need access to an intranet web server and don’t have a proper VPN set up, for example. However, SSH can also do this in reverse! It opens a listening port on the remote machine which then relays data to the destination you specify. For example, you can SSH into a remote host and have SSH open a port on that host which relays data back to the SSH port on the machine you are connecting from, thereby allowing SSH access to a machine where it would normally be impossible.
A practical example:
chris@ktulu:~$ ssh sandman.cs278.org -R 2222:localhost:22
This connects to the server sandman.cs278.org and opens port 2222 which forwards traffic to localhost:22 (localhost is the machine I am connecting from). Once logged into the server I can do this:
chris@sandman:~$ ssh localhost -p 2222
Which opens a connection back to ktulu, the machine I originally connected from.
Blocking SSH Brute Force attempts using iptables
Saturday, January 12th, 2008

After my recent break-in I have looked into ways of protecting SSH and my server resources. I employ fail2ban on my main server, which has the resources to run such a programme; my Linksys NSLU2s, however, do not. The solution is to use iptables to limit the number of connections any host can make in a given time frame. I wrote up a quick how-to on this over at my wiki. Enjoy.
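The how-to itself lives on the author’s wiki and is not reproduced here; what follows is an added example of the technique the post describes (per-source limiting of new SSH connections with the iptables recent match), not the author’s own rules. The policy numbers (4 connections per 60 seconds), the chain (INPUT) and the optional trusted CIDR are assumptions.

```shell
#!/bin/sh
# Added example (not the rules from the author's wiki): limit new SSH
# connections per source host with the iptables "recent" match, which is
# the technique the post describes. Assumed policy: a source that opens
# its 4th new connection within 60 seconds is dropped, and stays dropped
# for as long as it keeps trying (--update refreshes its timestamp).
set -eu

SSH_PORT="${SSH_PORT:-22}"
WINDOW=60   # seconds
HITS=4      # must stay <= xt_recent's ip_pkt_list_tot (20 by default),
            # otherwise the --hitcount rule can never match
TRUSTED="${TRUSTED:-}"   # optional source CIDR exempt from the limit

# Print the rules, one per line, in the order they must be appended, and
# they must come before any rule that blindly accepts port 22. The --set
# rule records every new connection from a source; the --update rule then
# counts hits inside the sliding window and drops on the HITS-th one.
# (-m state works on the 2008-era kernels the post targets; newer boxes
# can use -m conntrack --ctstate NEW instead.)
ssh_ratelimit_rules() {
    if [ -n "$TRUSTED" ]; then
        printf '%s\n' "iptables -A INPUT -p tcp --dport $SSH_PORT -s $TRUSTED -j ACCEPT"
    fi
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name SSH --set" \
        "iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name SSH --update --seconds $WINDOW --hitcount $HITS -j DROP"
}

# Apply the rules, or with DRY_RUN=1 only show them: worth doing first on a
# box you can only reach over the very port you are about to throttle.
apply_rules() {
    ssh_ratelimit_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$rule"; else eval "$rule"; fi
    done
}

# Number of rules the generator produces (handy for checking a configuration).
rule_count() { ssh_ratelimit_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run it with DRY_RUN=1 first and read the rules back before applying them on a remote box.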
Disabled Akismet, comments held for moderation.
Tuesday, September 25th, 2007

I have made the decision to disable Akismet, after reading some hype about the new Wordpress 2.3 plugin version check API, which turned out to be negative but reveals something interesting with regards to Akismet. The following code is taken from the official Akismet plugin for Wordpress.
$ignore = array( 'HTTP_COOKIE' );
// copy every server variable except the cookie into the comment data
foreach ( $_SERVER as $key => $value )
    if ( !in_array( $key, $ignore ) )
        $comment["$key"] = $value;

$query_string = '';
// form-encode everything collected and post it to the Akismet API
foreach ( $comment as $key => $data )
    $query_string .= $key . '=' . urlencode( stripslashes($data) ) . '&';

$response = akismet_http_post($query_string, $akismet_api_host, '/1.1/comment-check', $akismet_api_port);
The bit that worries me is the use of $_SERVER: the only item from this array not sent is HTTP_COOKIE, fair enough. But why, Akismet, do you need to know the full paths to the files on my server and the other server environment variables? I do not have a problem with sending data to Akismet, just not this data!
Remote Munin Nodes
Thursday, May 24th, 2007

My laptop and desktop are not always connected to the same network as my server, and when this is the case it’s most likely that I do not control the network, nor do I want the information passed over the internet in plain text. So this is my answer to remote munin nodes, using the remote forwarding feature of SSH.
- Install Munin Node:
$ sudo aptitude install munin-node
- Create the upstart event file:
$ sudo -e /etc/event.d/munin-tunnel
Write in the following text:
start on runlevel 2
start on runlevel 3
stop on runlevel 0
stop on runlevel 1
stop on runlevel 4
stop on runlevel 5
stop on runlevel 6
exec sudo -u munin ssh -N munin-reporter@munin-server.example.com
respawn
- Generate a SSH key for munin:
You do not want to set a passphrase on the SSH key.
$ sudo sudo -H -u munin /bin/bash
$ mkdir /var/lib/munin/.ssh/
$ cd /var/lib/munin/.ssh
$ ssh-keygen -b 1024 -C munin@`hostname -f` -t rsa
$ exit
- Edit the SSH configuration for the munin user:
$ sudo -e /var/lib/munin/.ssh/config
$ sudo chown munin:munin /var/lib/munin/.ssh/config
Insert:
Host munin-server.example.com
    RemoteForward some-port-number localhost:4949
- Now you need to do some leg work on your server. First create a user so that the SSH tunnel can be created; I used munin-reporter. Then copy the munin user’s public key from your client into the ~munin-reporter/.ssh/authorized_keys file on your munin server. I will leave this as a user task; set it up how you like on your server. I would recommend prepending the munin public key with the following in the authorized_keys file, to restrict what the user can do:
no-pty,no-X11-forwarding,no-agent-forwarding
- Again, on your server, we need to tell munin where to get the data about the remote host from, using the snippet below:
sudo nano /etc/munin/munin.conf
[node.example.com]
    address 127.0.0.1
    port some-port-number
    use_node_name yes
- Next we need to test the connection and verify the host key, so that it doesn’t need to be done again.
$ sudo sudo -u munin ssh munin-reporter@munin-server.example.com -v
Check for any errors; if you spot a problem, retrace your steps.
- All that is left is to start the upstart event and wait for some pretty graphs:
sudo start munin-tunnel
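The reverse tunnel from “Punching holes in Firewalls”, applied to the Munin procedure above, as an added example that is not the post’s upstart job: a small POSIX shell supervisor with the ssh options I would want on an unattended tunnel. It assumes the names munin-reporter and munin-server.example.com, the remote port 14949 in place of some-port-number, and that it is started as the munin user (for instance from the upstart job’s exec line).

```shell
#!/bin/sh
# Added example (not the post's upstart job): keep a reverse SSH tunnel up
# from a remote munin-node to the munin server. Run it as the munin user,
# e.g. "exec sudo -u munin /usr/local/sbin/munin-tunnel run" from the job.
# Assumed names: munin-reporter, munin-server.example.com, remote port 14949.
set -eu

REMOTE_USER="${REMOTE_USER:-munin-reporter}"
REMOTE_HOST="${REMOTE_HOST:-munin-server.example.com}"
REMOTE_PORT="${REMOTE_PORT:-14949}"   # the post's "some-port-number" (assumed)
LOCAL_PORT=4949                        # munin-node's default listening port

# True if $1 is all digits and an unprivileged TCP port (1024-65535).
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh arguments, one per line. Compared with the post's bare
# "ssh -N user@host" plus a RemoteForward line in ~/.ssh/config:
#  - the listener is bound to 127.0.0.1 on the server, so only the munin
#    poller on that box can reach the node (GatewayPorts must stay "no" in
#    sshd_config; OpenSSH 7.8+ can also pin the key to this one listener
#    with permitlisten="14949" next to the post's no-pty options);
#  - ExitOnForwardFailure makes ssh exit, and so get respawned, instead of
#    staying connected with no tunnel when the port is already in use;
#  - ServerAlive* and BatchMode turn a dead link or a prompt into an exit.
tunnel_args() {
    valid_port "$REMOTE_PORT" || { echo "bad REMOTE_PORT: $REMOTE_PORT" >&2; return 1; }
    printf '%s\n' \
        -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        -R "127.0.0.1:${REMOTE_PORT}:localhost:${LOCAL_PORT}" \
        "${REMOTE_USER}@${REMOTE_HOST}"
}

# Replacement for upstart's bare "respawn": reconnect when ssh exits, but
# pause between attempts so a server that is down is not hammered.
run_tunnel() {
    args=$(tunnel_args) || exit 1   # refuse to loop on a bad configuration
    while :; do
        ssh $args || true           # unquoted on purpose: one argument per line
        sleep 10
    done
}

if [ "${1:-}" = "run" ]; then run_tunnel; fi
```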
Wordpress Upgrade
Monday, April 9th, 2007

Another release of Wordpress, another potentially PITA upgrade to complete, but it isn’t, thanks to patch. I quickly ran a diff of the Subversion repository like so:
$ svn diff http://svn.automattic.com/wordpress/tags/2.1.2 http://svn.automattic.com/wordpress/tags/2.1.3
I piped it to a file and applied it to Wordpress using patch: no drama, no mess, no effort. Just the way I like it.
Wordpress Upgrade
Saturday, March 3rd, 2007

I have upgraded the version of Wordpress my blog runs; for me this is a pain in the ass due to custom modifications. So, this time I decided to use their Subversion repository to create a patch and use that. Guess what, it worked first time.
To patch:
$ patch -i ./wordpress-2.1_2.1.2.diff -d /path/to/wordpress -p0
Get SSH Key Fingerprint
Thursday, February 15th, 2007

I struggled a little to find out how to get the fingerprint of an SSH key earlier, so I thought I would preserve how for ever more. The snippet below will return the fingerprint of the machine’s public RSA host key (under Debian-derived distributions at least).
$ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 d6:59:bc:0b:18:ba:17:15:41:fc:d0:2a:60:f4:7e:e8 /etc/ssh/ssh_host_rsa_key.pub
HOWTO: Install Ubuntu 7.04 using debootstrap to an encrypted root partition
Sunday, February 4th, 2007

I am in the process of writing a guide detailing how it is possible to install Ubuntu 7.04 (yet to be released) on to the hard disc of a laptop or another computer without using any CDs or a temporary partition to hold the root filesystem while you encrypt what will become the root partition, which is what most other guides demonstrate. That is fine if you want to keep the extra partition, say for /home, but my laptop’s hard drive is not big enough for that sort of segregation. I use debootstrap to install Ubuntu on the laptop hard disc mounted on another Ubuntu machine. My method has huge advantages: you don’t need to burn any CDs, and it’s far quicker because it is more direct.
I will be tidying this up and possibly turning it into an automated script. I must admit this has not been easy; no one guide has got it going, and it has taken multiple HOWTOs to inch every step of the way. But now I have it done I am happy. The gotchas were rather frustrating at times, due to the difficulty of debugging the initial RAM image while the machine is booting.
Securing Firefox DNS Lookups
Tuesday, December 12th, 2006

It always amazes me what nice features can be found in about:config, such as sending DNS requests to a SOCKS proxy.
