A lot of times, you kind of want access to your favorite content, even if it's just to read it, while at work or school. Some places with more draconian Internet access policies block pretty much everything "cool" and paint their restrictions with a very wide brush. In this series, we'll uncover a few ways around these restrictions.
With each article, I will delve into techniques that are progressively more advanced and difficult to implement. Keep in mind that this is a thought exercise in evasion. Implementing this stuff could get you expelled from school, fired from your job, or banned from public-access computers in a library or coffee shop. With a little bit of wisdom, you can often get around the restrictions set in place without getting yourself into hot water.
Today, we will cover using "wide open" proxies to bounce our connections through. Since proxies are transient and often configured poorly, they pass the ire of most web filters. The rub? You usually have to find one that operates on a well-known port such as 80 (http) or 443 (https/ssl). Finding a working proxy can be a pain, and using it involves tweaking your browser settings and/or installing special software. Group policies could leave you in the cold on this one. The increased difficulty of this particular evasion technique brings this trick in at #4 in our series.
Public Proxies
Public proxies are (often SOCKS v5) proxy servers that have either been intentionally or accidentally configured to allow anyone on the Internet to access proxied content without proper access controls. I could go on and on about the various security implications of these proxies but that's not what this series is about. Simply put, HTTP proxies differ from Web Proxies in that the browser directly handles communication with the proxy behind the scenes. Regardless of what protocols the proxies are capable of handling, we're only concerned about Web traffic (http/https) for the time being.
Browser Configuration:
Yesterday, I linked to various proxy configuration instructions for different browsers. Today, you can use the same instructions to add the proxies you discover on your own. If you find that there is already a proxy server configured, you might be out of luck for this trick (and maybe for the fifth and final one, as well). If your employer is already forcing your web traffic through their own proxy, there's a good chance that they're blocking all outgoing traffic from your workstation to the Internet, making HTTP Proxies AND Tunneling difficult, if not impossible.
Security Risks:
The same risks apply here as apply to web proxies. Your data is going through a third party and you're subject to data manipulation, sniffing, or other bad things. Essentially, you're trusting a potentially unknown and untrusted third party with your traffic. By now, it should be obvious that these more aggressive evasion techniques can't be easily justified. You have been warned.
Finding public HTTP Proxies:
Public proxies play a huge role in the so-called underground. I'm talking mostly about illegal or frowned-upon activities such as phishing, spamming, and illegal file sharing. As such, there are groups that go out of their way to sniff out and enumerate poorly-configured proxy servers that are easily hijacked for whatever purpose others desire. I don't advocate using services without permission. In a moment, I'll discuss how to set up your own public HTTP Proxy.
One source that provides a list of proxies that can be sorted on several criteria: http://www.xroxy.com/proxy-port.htm
Assuming your employer or school has you locked down to using only port 80 or 443, use the above tool to find proxies that operate on those ports. Then, update your proxy settings to match one of the servers in the list. If it's too slow or fails to work, try again. Soon enough, you should be able to access all of the content your heart desires.
Squid at home (or on another server outside of work/school)
You can also configure Squid to act as your own proxy. Making it a public proxy is a bad idea, so lock it down to your remote computer's IP Address. First, find your public-facing IP address from the computer you normally use, and write it down. The easiest way is to visit WhatIsMyIP.com. Then, using the Squid configuration guide from yesterday, add the following lines:
At the top of the block of "acl" lines (replace with your actual ip address in place of 65.43.2.1):
acl myremote src 65.43.2.1 255.255.255.255
Above the other http_access lines:
http_access allow myremote all
Finally, you will need Squid to listen on a port you can use. For this example, we will use Port 80. Keep in mind this will interfere with any web server running on this host. Below the existing http_port line(s), add:
http_port 80
Restart Squid, then point your browser's proxy to the IP address of your squid server, port 80.
The IP Address restriction of "myremote" will keep others from hijacking your proxy. Add as many rules as you need to for other remote IP addresses.
On Wednesday, the final aricle in this series will cover encrypted and tunneled proxy traffic.
Monday, April 21, 2008
Web filter evasion part 4: Public HTTP Proxies
Sunday, April 20, 2008
Sysadmin Sunday: Squid Cache
What is Squid?
Aside from something Bruce Schneier writes about every Friday, "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on Unix and Windows and is licensed under the GNU GPL." -- taken from Squid-Cache.org, as I couldn't explain it any better myself.
On your network, you can set up Squid on a reasonably well-endowed server for the purposes of manipulating certain Internet traffic - specifically HTTP, usually for the purpose of increasing load times on frequently-visited content. There are other things you can do with Squid, such as blocking advertisements or turning all of the images upside down (or is that umop ap!sdn). For now, though, we'll set up a Squid server in our lab on our AMP (Apache/MySQL/PHP) fun box, running Gutsy server.
Getting and Installing Squid
Many operating systems' package installers have Squid available for installation. Squid has a list of binary packages for popular operating systems, but building Squid from source code is trivial at best (with a ./configure && make && sudo make install ) but for the sake of cleanliness, I'll just do a sudo apt-get install squid on Ubuntu.
Making Squid Work
Squid must have a cache directory that it can store the data in. If the package installation did not create this, then you must run (as root), squid -z, which will create the cache directory. You should also make sure that squid will start by default. If you reboot and squid isn't running, adding "squid" to your rc.local file is the easiest way, but there could be a start-up script somewhere that would do a more elegant job.
Proxy settings on your workstation(s)
Squid, by default, runs on port 3128. To enable proxy for your workstation, you will need to know the IP Address of your Squid server, and when asked for what port the proxy runs on, enter 3128. Here are some links for setting up Proxy in various browsers. Just remember to use your Squid IP and Port in place of any example proxy configuration used.
Now what?
At this point, you likely have a Squid server up and running with the basic default configuration enabled, and for the most part, it's completely useless. Shown below, I've pointed Safari's proxy settings to the Squid server then attempted to access HiR Information Report to no avail.
To fix this, find the ACL lines in squid.conf (on Gutsy, it's /etc/squid/squid.conf) and simply add a line define your local network. Obviously, you would want to replace this with your own IP subnetting information.
acl localnet src 192.168.0.0/255.255.255.0
Then, find the http_access lines and add a line (preferably above all of the other http_access lines) allowing machines on the local network to get out to the rest of the Internet:
http_access allow localnet all
After re-starting squid (killall squid, pkill squid, /etc/init.d/squid restart, etc...) I can access anything through squid, and the pages will now be cached. This will reduce the bandwidth used for day-to-day web browsing and make pages seem to load faster. For a small business running on typical consumer broadband connections, this is a quick and easy way to increase browsing performance. Also, operating system patches will only be downloaded once and then cached. When the time comes to do the updates on all of the workstations, this trick will make life a little easier for you.
If you wish to force all HTTP traffic through Squid (for instance, if you yourself are planning on implementing a Web filter with Squid) and you have a somewhat flexible router or firewall, you can block all outgoing traffic destined for port 80 and 443 except for traffic coming from the Squid server. That, however, is beyond the scope of this article.
Tomorrow, you'll learn how to tweak a few options for Squid so that you can use it to evade web filters in the fourth article in my ongoing web filter evasion series.
Saturday, April 19, 2008
Web filter evasion part 3: Anonymous Web Proxy
A lot of times, you kind of want access to your favorite content, even if it's just to read it, while at work or school. Some places with more draconian Internet access policies block pretty much everything "cool" and paint their restrictions with a very wide brush. In this series, we'll uncover a few ways around these restrictions.
With each article, I will delve into techniques that are progressively more advanced and difficult to implement. Keep in mind that this is a thought exercise in evasion. Implementing this stuff could get you expelled from school, fired from your job, or banned from public-access computers in a library or coffee shop. With a little bit of wisdom, you can often get around the restrictions set in place without getting yourself into hot water.
In Part 3, I am going to discuss using web "privacy" or "anonymizer" proxies. It's number three on the list because it is simple to use and often free -- risks be damned. These often free (but occasionally subscription-based) web sites provide you with a special URL that you visit, whereupon you enter the URL you wish to visit. These sites often claim to keep rogue websites from storing cookies or executing scripts on your computer, while others focus on evading web filters or blocking ads.
Risk of getting punished if caught
Regardless, you will have a difficult time weaseling your way out of this stunt if you're caught. The only reason you'd want to use proxies such as these one while in a web-restricted environment is to evade the restrictions. There's no innocent sweet-talking that will save you here. Also, many web filtering companies specifically play cat-and-mouse with these kinds of services, often blocking them shortly after they appear. Users who trigger this rule on a web filter are almost certainly going to get a visit from a higher-up.
Security risk of using proxies
Any time you use a proxy, you are routing traffic through someone else's network. While it's true that all Internet traffic hits various networks, the operators of proxies KNOW that people are using their services either for privacy or filter evasion. As such, not all proxy providers are guaranteed to be trustworthy, including those listed below.
Managed Web Proxies
Megaproxy offers a free trial. It was one of the first web-based anonymous proxies, with the intended purpose of keeping cookies and ads at bay, making it more difficult for site owners to gather data about you. The (perhaps unintentional) side effect was that people who could access the it from behind a web filter service could often use it to access blocked content. The paid version has a much more obscure and innocuous URL that isn't likely to make netadmins question it, but its URLs are most likely blocked on commercial filtering software because they go to great lengths to find most of the high-profile ways to evade. I actually did subscribe to this service many years ago, but I've since let it lapse. I was generally happy with it while I used it.
Privax offers an extensive list of (what appear to be free) Anonymous Web Proxies. The catch being here that there are many different URLs you can visit, with the hopes one or more won't be filtered. Some addresses blatantly announce that it's a proxy service while others are less obvious. Like other web proxies, Privax places a secondary navigation bar at the top of every page, making it easy to tell if the stuff you're looking at is, in fact, being proxied. I haven't extensively used Privax before, but it looks like a decent solution as I sit here now and try some sites through it.
Set up your own
For a while, I ran my own CGI Proxy on a hosted server that I could access from anywhere. If you have web space, this is a way to set up your own proxy under the radar, especially if you access it via SSL. The down-side is that many web-based anonymizers that you can host yourself (there are others, written in PHP, Perl, etc) lack some of the more advanced functionality of the commercial "anonymizer" providers. If setting one up yourself, be sure to use a method of password protecting your proxy so that it can't be abused by others who stumble across it.
Tomorrow on Sysadmin Sunday, I'll discuss setting up Squid, a caching HTTP proxy. This is different than a Web or CGI proxy, but it can be used to evade web filters as well. On Monday, I'll pick up the series again and discuss how to bypass web filters with your new Squid server.
Read the whole series: Web Filter Evasion
Thursday, April 17, 2008
Web filter evasion part 2: Out of band
A lot of times, you kind of want access to your favorite content, even if it's just to read it, while at work or school. Some places with more draconian Internet access policies block pretty much everything "cool" and paint their restrictions with a very wide brush. In this series, we'll uncover a few ways around these restrictions.
With each article, I will delve into techniques that are progressively more advanced and difficult to implement. Keep in mind that this is a thought exercise in evasion. Implementing this stuff could get you expelled from school, fired from your job, or banned from public-access computers in a library or coffee shop. With a little bit of wisdom, you can often get around the restrictions set in place without getting yourself into hot water.
In Part 2, I'll cover out-of-band communication. Why spend time trying to trick the web filter when you can simply not go through it at all? Creeping into our list at number two, this trick is somewhat obvious and well-documented. Most computer users can manage to connect to a wireless network or follow the instructions that come with a mobile data service plan.
Personally, this is what I do most of the time. I'm using my own laptop and my own internet connection. Where I work, I'm not breaking any rules at all, so long as the content I'm browsing doesn't offend my peers. If I'm not disturbing anyone and I'm getting my work done, my boss doesn't mind.
Problems
- Cost. To properly implement something like this, you'll likely need a laptop computer, Wi-Fi enabled PDA, a smartphone of some sort, or other expensive equipment.
- Totally uncontrolled access. Neither IT Departments nor managers are often comfortable when you have 100% unfettered access to whatever you want. This could get you in trouble.
- The fact that you'll be avoiding connecting through the work or school network means that anything on your computer is NOT on the work or school network. This is sometimes a sigh of relief for netadmins.
- What you do out-of-band can't be monitored by the network, either.
Wi-Fi
If you feel like getting a little bit more advanced in your search for a public network to piggyback, install wireless scanning software (KisMAC, BSD Airtools, Kismet or Netstumbler), pick up some high-gain antennae and a high-power wireless ethernet card. The widespread deployment of privately-operated, free Wi-Fi makes this a viable option in dense urban and business districts.
Mobile Data plans (Wireless broadband)
Also in the same vein are smartphones. Gadgets such as the iPhone offer feature-packed browsing via the phone's data plan. You can also get on AIM/MSN/Yahoo or check many websites and mail providers through the built-in WAP Browser on less advanced mobile phones.
Mobile Phone Tethering
This is a little more shady, and could get your account terminated with your wireless carrier. By plugging in a cable between your laptop and mobile phone (or using bluetooth to make the connection) you can "tether" and use your phone's built-in data connection to access the Internet. HowardForums is a good place to learn about this stuff in more detail.
Next in this series, we'll dive head-first into web-based anonymous proxies -- a sure-fire way to get your IT guys angry at you, should you be caught in the act.
Tuesday, April 15, 2008
Web filter evasion part 1: RSS and You
A lot of times, you kind of want access to your favorite content, even if it's just to read it, while at work or school. Some places with more draconian Internet access policies block pretty much everything "cool" and paint their restrictions with a very wide brush. In this series, we'll uncover a few ways around these restrictions.
In Part 1, I am going to cover one way of evading these restrictions that is not only one of the most straightforward and easy methods, but also the least likely to get you in trouble with your boss or your IT department: Online RSS readers.
About RSS
RSS was invented around the turn of the century, but started to gain widespread popularity in the wake of so-called "Web 2.0", when syndication, mash-ups, cross-platform publication and content management all coalesced together. While not every web site has an RSS feed, almost every blog, news site and social network has some kind of RSS integration going on. In this article, I'll focus on gaining access to content via RSS despite web filtering software's strangle-hold.
Local RSS Clients
Local RSS clients such as FeedReader or Mozilla Firefox Live Bookmarks usually contact the site directly, pulling a data feed down (RSS, Atom, XML, etc) to display the information in a lightweight, easy-to-read format. The problem with this is that the RSS feed usually has the blocked URL in it. For example, Digg's rss feeds are all on digg.com. If access to Digg is blocked, you can't get to the feeds, either.
Online Readers
Online RSS readers pull the feed from a central server, then just display the information to you directly over the web. For this example, I'll use Google Reader. That said, My Yahoo and MSN Live (among dozens of others) also offer the ability to integrate feeds on your page but it's not quite as robust as Google Reader. Using the example above, if you add Digg's RSS feeds to Google Reader, your web filter only sees you trying to access http://www.google.com/reader/ which is passing the contents of the RSS feeds to you - and most web filters let you get to Google. Again, if that doesn't work, there are dozens of ways to access RSS feeds with online readers.
Things to note
One flaw here is that embedded content from banned sites won't load and may be logged in your web filtering software. If your employer blocks Flickr, you can load someone's Flickr RSS feed into your reader and see their feed, but all of their images will fail to load. Same goes for blog posts with embedded YouTube videos if YouTube is blocked. You get the idea. Basically, this works best for RSS feeds where most of the content is text-based. News sites like CNN or Engadget. Social bookmarking sites like Digg, delicious and reddit. Blogspot, wordpress or livejournal blogs. Even twitter.
Justification
If you get busted (which is not likely if you play your cards right), you can always say that you use something like Google Reader to track updates to your favorite websites at home. If you can get to it from work, it must be okay, right? Make sure you're managing your time wisely, and keep the content you view at work "work safe" and non-offensive. Chances are that your boss won't mind. In fact, he might just think you're checking your personal email really quick, as RSS readers often look somewhat similar to web mail clients. Plausible deniability only works once, though. If you're asked to stop it, you should stop. If your written policy specifically bans all personal Internet browsing, you may also get the book thrown at you. HiR won't be held responsible for legal or employment problems.
How to do it:
First, sign up for a free Google account if you don't have one already.
Next, go to Google Reader and log in.
Add a subscription RSS feed. I'll add HiR Information Report to my Google Reader:
In part 2, I'll cover using out-of-band communication.
Monday, April 7, 2008
"Hacking" MediaWiki PasswordProtected extension
I say "Hacking" because this is so retarded that I can't even believe it.
A group I'm working with (not directly related to HiR Information Report) is thinking of setting up a Wiki on the network for internal collaboration as well as communication of policies and contact information to other groups within the organization. They want some stuff (for instance, step-by-step audit documentation) to be shielded from view. This isn't Internet-facing, but it's stuff that no one else really needs to know. With that, they had the sysadmins install MediaWiki installed with the PasswordProtected extension.
Usage is simple. You use a "password" tag object around the text of the password you want to use.
Bypassing it is even simpler. Just look at the page history of the password protected page. There, in plain text, lies the password for all to see. See, I told you I couldn't justify saying "hacking" without putting quotes around it. I've been unable to get in touch with the maintainer of this extension.
Consider me disgusted. If you use this extension, quit fooling yourself. I guess it's back to the drawing board for my friends, though.
Sunday, April 6, 2008
Sysadmin Sunday: Linux and BSD Filesystem attributes
Most sysadmins are familiar with the concept of file ownership and permissions. Read, Write, and Execute are ingrained in our memories from the start. Sometimes, though, that's not enough. Here are some extended attributes for files in Linux and *BSD:
BSD:
To set file flags in BSD, use chflags. To view them, use ls -lO. Flags are as follows (from the chflags(1) man page):
schg and sappnd are particularly useful. As described, they place files in an append-only or immutable state, where nothing, not even root can break the rules without first going into single-user mode and disabling the flag. uchg will keep you from accidentally clobbering an important file as well, but can still be un-set by you.
arch, archived
set the archived flag (super-user only)
opaque set the opaque flag (owner or super-user only). [Directory
is opaque when viewed through a union mount]
nodump set the nodump flag (owner or super-user only)
sappnd, sappend
set the system append-only flag (super-user only)
schg, schange, simmutable
set the system immutable flag (super-user only)
uappnd, uappend
set the user append-only flag (owner or super-user only)
uchg, uchange, uimmutable
set the user immutable flag (owner or super-user only)
hidden set the hidden flag [Hide item from GUI]
As discussed in chflags(2), the sappnd and schg flags may only be unset
when the system is in single-user mode.
Putting the letters ``no'' before or removing the letters ``no'' from a
keyword causes the flag to be cleared. For example:
nouchg clear the user immutable flag (owner or super-user only)
dump clear the nodump flag (owner or super-user only)
Example viewing, setting, and demonstrating the uchg flag:
Chimera:Documents axon$ ls -lO
total 32
-rw-r--r-- 1 axon staff - 8258 Apr 6 19:16 description.html
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc
Chimera:Documents axon$ chflags uchg description.html
Chimera:Documents axon$ ls -lO
total 32
-rw-r--r-- 1 axon staff uchg 8258 Apr 6 19:16 description.html
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc
Chimera:Documents axon$ rm description.html
override rw-r--r-- axon/staff uchg for description.html? y
rm: description.html: Operation not permitted
Chimera:Documents axon$ chflags nouchg description.html
Chimera:Documents axon$ rm description.html
Chimera:Documents axon$ ls -lO
total 8
-rw-r--r-- 1 axon staff - 21 Apr 2 12:25 file.doc
Linux:
Use chattr to set attributes and lsattr to view them.
From the chattr(1) man page:
The format of a symbolic mode is +-=[ASacDdIijsTtu].
The operator ‘+’ causes the selected attributes to be added to the
existing attributes of the files; ‘-’ causes them to be removed; and
‘=’ causes them to be the only attributes that the files have.
The letters ‘acdijsuADST’ select the new attributes for the files:
append only (a), compressed (c), no dump (d), immutable (i), data jour‐
nalling (j), secure deletion (s), no tail-merging (t), undeletable (u),
no atime updates (A), synchronous directory updates (D), synchronous
updates (S), and top of directory hierarchy (T).
As you can see, most of these attributes are similar to the BSD flags. We'll do the same thing on Linux with the immutable attribute.
axon@hosting:~/hir-test$ lsattr
------------------ ./internet-resume.doc
------------------ ./mail.sql
axon@hosting:~/hir-test$ chattr +i mail.sql
axon@hosting:~/hir-test$ lsattr
------------------ ./internet-resume.doc
----i------------- ./mail.sql
axon@hosting:~/hir-test$ rm mail.sql
rm: remove write-protected regular file `mail.sql'? y
rm: cannot remove `mail.sql': Operation not permitted
Friday, April 4, 2008
April Kansas City 2600 Meeting Sneak Preview
jlime Linux on the HP Jornada 720 Handheld/PC
This and a bunch of other stuff at the KC 2600 meeting.
Tonight (Friday, April 4 2008)
Oak Park Mall Food Court (Northeast entrance)
SE Corner of 95th and Quivira in Overland Park, KS
Starts at 5:00PM. Look for geeks with laptops.
Friday, March 28, 2008
Copying and pasting between workstations with web mail
Occasionally, I have to quickly get information copied and pasted between my personal laptop and my desktop. Maybe it's a URL or a shell script. Who knows?
I usually have GMail fired up on my laptop anyways, so I simply create a new mail, then paste the text into the e-mail body and save it as a draft. 
I go to the other computer, open up the draft, and copy the contents to the clipboard.
Other options do exist (such as X2VNC and friends), but don't always work too well between platforms for clipboard activity. Note, you can also use file attachments in a draft.
You can do this with pretty much any web mail client that supports drafts, and it's not quite as cumbersome as actually e-mailing yourself. You can just trash the draft when you're done, or use a draft as a transient scratch pad for data you wish to access from multiple computers.
Mac OS X: Pwned in two minutes flat - CanSecWest
Coverage like this might seem somewhat odd given the fact that most of the HiR crew are Mac users. As it turns out, this is likely an issue with Safari, which I've been known to hate on very frequently. Safari and I just don't get along. Never mind the fact that FireFox is tied up with something else and I'm making this post from within Safari (much to my chagrin, given Safari's lack of compatibility and frequent crashes with Blogger).
This year, the PWN 2 OWN hacking competition at CanSecWest was over nearly as quickly as the second day started, as famed iPhone hacker Charlie Miller showed the MacBook Air on display who its father really was. Apparently Mr. Miller visited a website which contained his exploit code (presumably via a crossover cable connected to a nearby MacBook), which then "allowed him to seize control of the computer, as about 20 onlookers [read: unashamed nerds] cheered him on." Of note, contestants could only use software that came pre-loaded on the OS, so obviously it was Safari that fell victim here.
Full story on InfoWorld
Saturday, March 22, 2008
Hak.5 - Shmoocon Special
The Hak.5 guys went to Shmoocon and pumped out an hour.5 long interview with five high-profile hackers. Vista (in)security, GSM Cracking, SSD/Flash data recovery, and the new version of BackTrack are covered, among other things. It's worth a watch, but don't get caught slacking off at work! An hour and a half is a long lunch break.
Hak.5 Season 3 Ep. 8
Friday, March 21, 2008
iPod touch hack released
iPOD touch hack released.
Check out http://www.ziphone.org/. Zibri found the solution to the iPod touch's in ability to be unjailed. The problem was with the nvram being corrupted.
Here is how to do it.
- Just run the un-corruption utility in the zPhone utility
- Run the jailbreak.
- Install the BSD Subsystem.
- Then Run the 1.1.3 updates for the BSD subsystem terminal for back spacing.
- Then install the SUID Lib Fix .
- Install The Term-VT100 terminal program.
- Install the Cydia package (DEBIAN style package management!) which will replace the BSD subsystem.
- The /Library/LaunchAgent/ folder contains the daemon launch plists. deleting one will prevent it from loading.
- If you still have the BSD subsystem do not change the root password. The BSD passwd utility BREAKS the OS causing you to need to re-install the firmware. The Cydia utility works with out incident.
- The default root password for for the iPOD will be either "alpine" or "dottie".
Sunday, March 9, 2008
Sysadmin Sunday: LogCheck
I've been using LogCheck in its various incarnations for quite a while. When I started using it (it feels like a decade ago but it may have been a little less) it was called LogSentry. While it's still pretty simple, it gets the job done. LogCheck's been passed around many times, and I'm relatively sure that the package I downloaded has remained for the most part unchanged for at least 5 years. For a small group of servers you wish to keep tabs on, this tool is great. For an enterprise, you might want something more heavy duty such as a database-driven centralized logging server.
Note that by itself, LogCheck only does two things:
- Looks through all the log files shown for suspicious or "hackish" activity
- E-mails the report
Installation:
I'll be doing the install on FreeBSD. LogCheck is just a script, so it will run on pretty much anything that isn't Windows.
$ sudo pkg_add -r logcheckConfiguration:
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.3-release/Latest/logcheck.tbz... Done.
To see what LogCheck thinks is "hackish", check out logcheck.hacking and logcheck.violations (in /usr/local/etc/ when installed from FreeBSD's packages) Those contain a list of regular expressions (one per line) that will be used to gather reporting information from the logs. Similarly, logcheck.ignore and logcheck.violations.ignore contain regular expressions that can filter certain results from the report. I recommend looking at these files but not editing them at first. Let LogCheck run for a week or so (daily) to get a feel for it. Then, start adding or removing expressions to the lists to fine tune your reports.
To change what e-mail address the report is sent to, find logcheck.sh (it's also in /usr/local/etc/ when installed from FreeBSD's packages) and modify this block of text as appropriate:
# Person to send log activity to.Look at the other variables, too. By default, the log files and configuration will likely be workable, but it's a good idea to make sure.
SYSADMIN=root
Adding the following line to the system's crontab will launch LogCheck every hour. This isn't a big deal because it will only mail you if there is something suspicious. If you would rather have a daily log, read the man page on crontab to figure out how the schedule options.
00 * * * * root /bin/sh /usr/local/etc/logcheck.sh
Thursday, March 6, 2008
Shutting off wireless auto-config in Mac OS X
As a matter of security and simply less annoyance, I prefer my computers to not connect willy-nilly to just any wireless network in range. OS X currently doesn't connect to random open networks, but it does always look for them, and by default it prompts you to connect to new ones. In OS X, all you have to do is un-check the "Ask to join new networks" on the AirPort adapter in Network preferences to stop this behavior. 
Once you do that, go into the Advanced preferences and remove all those random access points that you've connected to in the past, leaving only the ones you know and trust on the list. If your access point has a default-ish name (like WLAN, Default, linksys, etc) you should probably change it so that your computer doesn't join up to the first "linksys" network it runs across.
On Linux and BSD, it's easy. You simply have to try -- and mean it -- to get on a wireless network. You don't just accidentally connect.
Also, it's a cold day in hell. Last week, I bought my wife a new computer that came loaded with Windows Vista Home Premium. I can only use it for a few minutes at a time before I have the urge to go take a shower with a steel wool pad to try to get Vista off of me, but I can't for the life of me figure out how to kill Vista's auto-join feature while letting it connect to preferred networks only. If you have any tips, drop us a line. It definitely isn't like XP. The only thing I saw told me to kill the Wireless Autoconfig service (maybe called something a little different) and all that did was completely disable wireless access on Vista.
Sunday, March 2, 2008
Sysadmin Sunday: Encrypted Swap Space in FreeBSD
New research shows that cold boot attacks can compromise encryption by giving you access to the RAM's contents. This even applies to full-disk encryption that encrypts swap space and whatnot. We'll probably talk more about that in our podcast.
Physical access almost always means that a total compromise of security is somehow possible. Sensitive data could be at risk long after the data in RAM decays into oblivion. Encryption keys, large documents, and other files containing data you don't want falling into the wrong hands will almost certainly see their fair share of time in virtual memory. That means pages of RAM will be written, for better or worse, to the hard drive.
Encrypting just your swap space can be easier than switching to full-disk encryption and makes it more difficult for an attacker to obtain sensitive data as it gets shuffled in and out of RAM.
OpenBSD encrypts swap by default without any further action. To the best of my knowledge it's alone in that fact. I can't outline how to encrypt swap space in every operating system, but since FreeBSD's the flavor-du-jour, I'll show you how easy it can be.
First, disable swap:
[axon@floaty-fbsd ~]$ sudo swapoff -aWhoops! If there's too much stuff running to fit in RAM without swap, you'll need to cut back. Close your applications, stop the X Window system or whatever you have to do. Let's try that again.
swapoff: /dev/ad0s1b: Cannot allocate memory
[axon@floaty-fbsd ~]$ sudo swapoff -aNow, find the swap partition and over-write it using dd(1) to stream /dev/urandom to it. It could take a while depending on the size of the swap partition. Yes, this is a paranoia countermeasure and nothing more. Keep in mind that only freshly-used parts of swap will be encrypted once we're finished. Right now, there could be (ab)usable data out there. Not for long!
[axon@floaty-fbsd ~]$ grep swap /etc/fstabTo enable GEOM ELI on your swap partition, edit /etc/fstab and add ".eli" to the end of the swap device.
/dev/ad0s1b none swap sw 0 0
[axon@floaty-fbsd ~]$ sudo dd if=/dev/urandom of=/dev/ad0s1b
dd: /dev/ad0s1b: end of device
464657+0 records in
464656+0 records out
237903872 bytes transferred in 88.835558 secs (2678025 bytes/sec)
[axon@floaty-fbsd ~]$ sudo vi /etc/fstabYou have to reboot for this to take effect. Once it comes back online, use kldstat and swapinfo to verify that the geom_eli.ko module is loaded and that the new swap device is being used.
change this line:
/dev/ad0s1b none swap sw 0 0
to this:
/dev/ad0s1b.eli none swap sw 0 0
[axon@floaty-fbsd ~]$ kldstatVoila!
Id Refs Address Size Name
1 10 0xc0400000 7b2d2c kernel
2 1 0xc0bb3000 6974 snd_ich.ko
3 2 0xc0bba000 239a8 sound.ko
4 1 0xc0bde000 5c304 acpi.ko
5 1 0xc1f19000 e000 geom_eli.ko
6 1 0xc1f27000 19000 crypto.ko
7 1 0xc1f40000 a000 zlib.ko
8 1 0xc21ec000 2000 warp_saver.ko
[axon@floaty-fbsd ~]$ swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 232328 0 232328 0%
Sunday, February 24, 2008
Hungry Hungry Hackers
So, what do command line junkies do when the urge to food hits? They tap out their order and wait for the steaming goodness to arrive via Pizza Party. Not having a Dominoes account to work with I'm at a loss to test, but it looks promising. Now you can justifiably say that, yes, you can do just about anything from the command line.
(via a recent post on KCLUG)
Sysadmin Sunday: Quick & Dirty SSH Tunneling
Occasionally, you might need to tunnel some other traffic over SSH. This could be to get access to an external web proxy, to get a remote X display up, or to get around a firewall-blocked port that you must access.
The syntax (on the command-line OpenSSH client) for a Local forward is like this:
# ssh remote-example.h-i-r.net -L 3128:localhost:3128
This tells my SSH client to tunnel traffic to port 3128 on my workstation to port 3128 on my DMZ box. Port 3128 isn't accessible because of a firewall, but tunnelled over SSH it works fine. In this case, I'm running squid on the remote example host. Telling Firefox to use http://localhost:3128 as the proxy will now tunnel all of my web traffic over the SSH tunnel to the squid proxy behind the firewall. The reason it's called a local forward because it forwards a local port over the SSH connection.
A remote forward will open up a port on the remote machine and connect it to a port on the client's network. The syntax is similar:
# ssh remote-example.h-i-r.net -R 3306:dbserver:3306
This would open up port 3306 (the MySQL server port) on the remote host and tunnel it to the MySQL service on the host named dbserver on my local network.
While running forwarding of either type, you can enter the hotkey sequence "~#" to see all the open connections through the forwarded ports.
Tuesday, February 19, 2008
HiR Reading Room: Hakin9 Magazine
I picked up the most recent copy of Hakin9 magazine this week. As usual, it delivers some good content.
I first ran into Hakin9 at the local Border's Book Store when looking for Make magazine about a year ago. I usually subscribe to magazines I like, so you won't find me perusing the periodicals too often.
The first issues of Hakin9 I found were a little rough around the edges. I've mentioned hakin9 in passing before, but it seems to be maturing (just a little bit). Of note, the overall grammar in the publication seems to be improved. This is partially, I'd suspect, because more writers seem to be from English-speaking countries.
Hakin9 always comes with a CD-ROM of goodies. For the past several issues, this has been Hakin9 Live, a slightly modified release of BackTrack 2 with some extra content related to the magazine. The most recent issue of Hakin9 Live comes with two decent video tutorials, some demonstration software, and simply by way of building on BackTrack 2, a LOT of security tools ready to use if you boot a system up from the CD. Both of the video demonstrations show how to use tools right from within BackTrack.
Additionally, this issue's hardcopy content is juicy. The article count is pretty low, but it makes up for it with a great level of detail, rich illustrations, and some epic profiles of big names in the industry: Gary McGraw -- who I mentioned a few weeks ago, and Eugene Kaspersky.
Always rounding out the pages are overviews of the extra software included on the CD, frequent book reviews, and product reviews and recommendations.
While Hakin9 obviously still carries a strong bias from the "Attack" side of things, it has enough defense-centric advice to keep it relevant to the task at hand for people in the information security biz. As such, it's never a bad thing for white hats to understand how the back hats think or what they're up to -- and we're all just various shades of grey anyways. There's obviously a verbose disclaimer about how the information within Hakin9's pages are for use on your private network and machines. We know. ;) I do think it's cool that they publish in several different languages, though.
Link:
Hakin9 - Hard Core IT Security Magazine (English)
Sunday, February 17, 2008
2007: Nearly 70% of web hacking incidents were for profit
Sorry folks, no Sysadmin Sunday this week. But here's an interesting tidbit from Breach Security Labs: Their analysis of the significant web hacking events in 2007 show that almost 70% of web hacking incidents were performed for profit. Check out the press release here. The full report [PDF] is available here. It requires a free registration, but reliable sources (that's me) say that you can just use a dummy account.
Sunday, February 10, 2008
Sysadmin Sunday: Pure-ftpd configuration on Ubuntu Server Edition
0. Introduction
There are tons of ftp servers out there. Some are leftovers from the stone age others are fairly up to date with SSL capability and virtual user support. In this case I have chosen Ubuntu server and Pure-ftpd.
Why: Ubuntu comes out of the box unencumbered by unnecessary bloat that many server editions are forced to install out of a spider web of software dependencies. It at the same time has a very mature package management system which allows for easy software updates.
I'll stop there because I don't intend this to be a flame war on what Linux is best. An important difference that the Ubuntu installation has versus its native configuration is that it uses a configuration wrapper instead of modifying a start-up script. Which is why I am writing this article.
This article assumes that you have an intermediate or advanced knowledge of command line based UNIX operating systems.
-=-=-=-=-=-=-=-
Table of contents:
-=-=-=-=-=-=-=-
0.........Intro
1..........System setup and overview on what needs to be done
2..........Package installation
3..........Wrapper configuration with virtual users and SSL
4..........Access control via virtual users and iptables and or pure-ftp
5..........Informative resources
-=-=-=-=-=-=-=-
1.System setup and overview on what needs to be done
-=-=-=-=-=-=-=-
We will be needing an Ubuntu server edition installation. Preferably with a firewall in place.
In this case I have a pile of users who need to use dreamweaver to edit their web sites. Preferably they need to have their own logins, those logins need to be chrooted to their directory. Secondly, the users have no earthly reason to have a system user account.
For security sake I want the option for them to use encryption (once we can get licenses for the newer version of Dreamweaver which supports it). Lastly having these virtual users have disk space quotas so some idiot doesn't up load a ton of the family pictures that were taken with a 10 Megapixel camera and are like 20 Mb a piece causing the storage array to !#*& itself.
Pure-Ftpd can use arbitrary file paths for virtual user home directories. You can assign a local system user account and group for each virtual user or group of virtual users.
You can make a system user and group called webadmin who owns the "sites" folder under "/data/sites". All of the virtual users from a system standpoint are doing business as "webadmin". Pureftp does the job of doing access control and permissions on its end and keeping people in their home folders.
-=-=-=-=-=-=-=-
2.Package installation
-=-=-=-=-=-=-=-
Run the command: apt-get install pure-ftpd
There is a GUI configuration tool but by default Ubuntu does not have a GUI so I leave that to you.
Once installed the wrapper configuration folder is on "/etc/pure-ftpd". The folder contains a structure like so:root@stage:/etc/pure-ftpd# ls -al
total 32
drwxr-xr-x 5 root root 4096 2008-02-20 01:32 .
drwxr-xr-x 133 root root 12288 2008-02-20 01:32 ..
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 auth
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 conf
drwxr-xr-x 2 root root 4096 2007-06-21 19:01 db
-rw-r--r-- 1 root root 230 2007-06-21 19:01 pureftpd-dir-aliases
Under Auth you will find the following symlinks:root@stage:/etc/pure-ftpd/auth# ls -alF
Delete all of these and make a symlink to "../conf/PureDB":
total 8
drwxr-xr-x 2 root root 4096 2008-02-20 01:32 ./
drwxr-xr-x 5 root root 4096 2008-02-20 01:32 ../
lrwxrwxrwx 1 root root 26 2008-02-20 01:32 65unix -> ../conf/UnixAuthentication
lrwxrwxrwx 1 root root 25 2008-02-20 01:32 70pam -> ../conf/PAMAuthenticationroot@stage:/etc/pure-ftpd/auth# ln -s ../conf/PureDB
Go to the conf directory and edit the "PAMAuthentication" file to say NO insted of YES.
Add a new file called "ChrootEveryone" and edit it and add the word "YES".
Now lets make a user!pure-pw useradd test -u webadmin -g webadmin -d /data/sites/localhost/ -N 25
Where -N is a 25 Mb quota and -u and -g is the userid and groupid of the corresponding system user. -d is the folder that the user is chrooted in. The command "mkdb" creates the binary password database.
pure-pw mkdb
Now we have our chrooted ftpd environment finished we just need to configure the ssl option.
now it is possible to FORCE users to use ftp-SSL however thats out side of the scope of this article.
(from the pure-ftpd documentation)
mkdir -p /etc/ssl/private openssl req -x509 -nodes -newkey rsa:1024 -keyout \
/etc/ssl/private/pure-ftpd.pem \
-out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem(0 disables encryption, 1 makes it optional and 2 makes it mandatory).
Now restart the service :
/etc/init.d/pure-ftpd restart
And login to your new ftp server!
-=-=-=-=-=-
4.Access control via virtual users and iptables and or pure-ftp
-=-=-=-=-=-
It pisses me off to read the logs and see all of the automated Interweb
exploit scripted attacks. So here are some suggestions to keep the
automated attacks down.
1. Hosts.deny doesn't work. Use Ip tables filtering.
2. Grab a blackhole ip list (BBL) from http://www.unixhub.com/block.html.
3. Determine your scope of service, if your users work only within the continental United States then blocking AP-NIC and any other non-local IP ranges in their entirety would be a good idea.
If you want to tie it down on a per-user basis try this:
pure-pw usermod testuser \where -r is allowed IP ranged and -R is denied ranges (Example: -R 200.0.0.0/8 -r 192.168.0.0/16)
-r IP-ADDRESS-RANGE\
-R IP-ADDRESS-RANGE
-=-=-=-=-=-
5.Informative resources
-=-=-=-=-=-
Barnes, Robert. "Bad IP addresses/Bob's Block List (BBL)", (Accessed Feb, 2008)
http://www.unixhub.com/block.html
Denis, Frank. "Pure ftpd", (Accessed Feb, 2008)
http://www.pureftpd.org
http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS
Hornburg, Stefan (Racke). "Debian pure-ftpd-wrapper man page", (Accessed Feb, 2008)
http://www.penguin-soft.com/penguin/man/8/pure-ftpd-wrapper.html
