|
Entries posted in July 2006
1 July 2006 21:50
A busy night results in the 0.1 release of mod_ifier, it allows matching and rejection on arbitary incoming HTTP request headers, with helpers for User-Agent and Referer headers.
ie. DropReferer is now a synonym for "DropHeader Referer …", and DropAgent is similarly processed as "DropHeader User-Agent .."
There is a Debian x86 package for Sarge, and matching source package, along with brief instructions.
It seems stable and reliable. Next I need to look at URI matching, POST payload analysis, and the use of regular expressions instead of literal matches.
No tags
|
2 July 2006 21:50
A lazy night yesterday watching Tomb Raider, and working on mod_ifier. It is almost ready for a 0.2 release now.
The Debian package now builds in magic support for loading files from /etc/apache2/mod-ifier.d/ and ships some sample files in there for blocking user-agents, referers and now CGI parameters.
There are three types of CGI parameter blocking:
- Based on the presence of a particular CGI parameter name, eg. "mosConfig_absolute_path" is some kind of exploit attempt.
- Based upon a named parameter having a particular value, eg "theme contains 'http://'".
- Based upon the contents of any submitted parameter.
If I can get the CGI GET variable parsing a bit cleaner I'll make a release and drop mod_security on my dedicated host. There are still a few things that would be nice to have, CGI POST parsing, etc, but I can live without them for the moment.
Anybody with interesting ideas of things to match/block feel free to comment.
No tags
|
3 July 2006 21:50
Before:
skx@desktop:~$ ssh security-master.debian.org groups
Password:
Debian webwml sec_data
skx@desktop:~$
After:
skx@desktop:~$ ssh security-master.debian.org -l skx groups
Password:
Debian <b>security</b> webwml sec_data
... or in other words I'm no longer a secretary of the Debian Security Team, instead I'm a full member!
Tags: debian security team
|
6 July 2006 21:50
A busy few days with a new release of mod_ifier, and a new toy: 20gb hard-drive based MP3 player for keeping me company on the train to work.
I'm going to spend tonight figuring out how to get access to POST data sent to Apache, by looking at the source of mod_tcl - It seems to be annoyingly complicated, but I'm sure there are reasons..
Nothing else much happening at the moment. I spent a few hours writing scripts to setup a virtual hosting environment for Apache2 + Exim4 + Bind, so I can add/list/remove domains from my server with ease. Nothing terribly complex, but nice to use.
Probably they will never be useful to other people since they work with my perculiar setup:
- Websites beneath /home/www/example.com/{ htdocs logs cgi-bin}
- Create new sites and create a webalizer configuration file.
- Mail handling for local users only via /etc/exim4/virtual - as described here: multiple domains + exim4
If I had the patience I'd make a pretty front-end, but I have no intention of getting in any kind of conflict-of-interest situation with work, and also I know for any "hosting control panel" the polish is almost more important than the facilities - too many people are very very new to server management and I'm not really good at dealing with that kind of audience.
If there is any interest I could share the CVS repository, but it is mostly simple stuff.
No tags
|
9 July 2006 21:50
This weekend I've started getting militant about fighting spam.
Every single spam mail I've recieved today and yesterday I have reported to the originators ISP.
Most likely this won't achieve much, but it made me feel slightly better. It also gave me a new appreciation for exactly how much spam I receive, and where from.
My top three sources of spam are:
To combat this I've done two things:
- Removed the "freshmeat" email alias, and replaced the address with a link to a "contact me" page + email address in an image.
- Started adjusting my mailserver.
My mailserver will now refuse to accept mails from hosts without reverse DNS. I think that is a legal thing to do, but I've never done it before. That combined with greylisting has cut my spam counts by about 200 messages a day.
The only other thing I've done this weekend which was at all computery was to start writing a test suite for the Apache module I've been working on - which is now included in Debian sid.
No tags
|
10 July 2006 21:50
Edinburgh Wins!
No tags
|
11 July 2006 21:50
Over the past two days I've started two community things:
- The Debian Administration website now allows users to submit adverts which will be intermixed with the Google Adsense ones.
- I'm looking at renting a dedicated host to share out as a semi-co-op with about six people.
The adverts are basically modelled after Kuro5hin.org's community adverts - the difference is these are free. (Should remain free, but no promises.)
The idea of sharing out a Xen host with a few people means I'd get some seperation and wouldn't overload my existing host which is getting a little strained with the Debian-Admin site, mostly because of my own lazy coding, and popularity.
Still work in progress. I've priced a couple of companies for the hardware and support and figure that it can be run just above cost with 6x (£10 a month). Still waiting for a few people to get back to me about whether they'll commit to a years worth of cash up front..
No tags
|
13 July 2006 21:50
Sad to see another compromise of a Debian host machine. Sad because there exist people who do this, rather than because we got caught out.
Would now be a good time to suggest restricting *.debian.org to key-based-logins only, and avoiding SSH password logins?
I don't know if all the services could be updated but I figure most could.
Yes this does mandate keeping an SSH key secure, and private, but we already require Debian Developers to do the same thing for a GPG key. Right?
Hell publish your public and private keypairs encrypted to your GPG key ;)
Right that is my post for the day.
Other news:
- Community adverts seem to be working out nicely. Suprising clickthough rate, I was expecting higher.
- xen hosting work is progressing. Almost at decision time.
No tags
|
15 July 2006 21:50
My Apache module for filtering incoming HTTP requests, mod_ifier, has had a lot of loving. Yesterday I reworked the structure of the code to make it more generic and extensible.
Taking advantage of the cleanup I added a new match-target. In addition to matching Referers, User-Agents, headers, Paths, and CGI parameters/values it will now also allow you to match on the HTTP Request method. (ie. GET|POST|OPTIONS|PROPFIND|SEARCH|TRACE).
I've made a 0.5 release, and a new package will be uploaded to unstable shortly.
There was a tiny bugfix too - parsing/matching of CGI POST variables will work 100% correctly!
ObAudit: I looked over the Debian Mentors Website and reported an XSS attack against it.
Package names/descriptions were not filtered before being displayed so anybody with a mentors.debian.net account could upload a package causing an XSS attack - stealing the login session of any user who viewed the package details.
No tags
|
18 July 2006 21:50
How not to prompt for passwords in your code:
skx@desktop:/tmp/retchmail-1.0$ grep system\( *.cc
retchmail.cc: system("stty -echo 2>/dev/null");
retchmail.cc: system("stty echo 2>/dev/null");
(Since anybody can trojan PATH.)
Still otherwise the code looks good :)
No tags
|
18 July 2006 21:50
Spam Is Killing Me
Guess how much spam arrived today for security@debian.org?
Goan. Guess.
So far over 4000. ffs.
grep To: Mail/backup/18-07-2006 | grep security| grep debian| wc -l
4026
(OK a couple of false-positives there, but not a lot.)
How do people cope with this volume of mail?
And the day isn't over ..
No tags
|
18 July 2006 21:50
Cron should not read and process core files, or anything else which contains non-ASCII contents. This would prevent exploits such as that used against CVE-2006-2451.
Provisional patch here:
Comments?
Applies to cron version 3.0pl1-94.
Could also test file size too I guess, but that might lead to more false-positives.
If it looks reasonable I'll file it as a wishlist bug.
Updated: new patch to allow non-ASCII character sets/locales.
No tags
|
19 July 2006 21:50
The cron patch I posted previously attempted to discard any crontab file which contained non-ASCII characters was a flawed approach.
Lots of people told me that this would break scripts with foreign character sets, and that was something I'd not considered.
A real solution would be to read each line and test for :
- Lines beginning with "#" and containing anything after that.
- Lines containing "valid" crontabe entries.
Looking at the code for cron is hard because it is written in a "strange" style, so I'm not even going to attempt it this level of validation.
However I have produced an updated patch which should work on ASCII + foreign character sets equally well. Instead of testing for the presense of non-ASCII characts it looks for NULL characters ('\0').
Binary files should contain at least one NULL character - as a string terminator, for example - and text-files should never contain them. So I think this simple test will work for 99% of cases.
Regardless of whether this patch, or another like it, is accepted and applied I do believe strongly that whilst being liberal in what you accept is a good thing being too liberal is asking for trouble.
No tags
|
20 July 2006 21:50
If I were to purchase a USB (or PS/2) based barcode reader is there magical software which will read the ISBN and search Amazon for book + film + music details?
So far I've just seen alexandria which does only books.
Whilst I have a lot of books I'd be interested in scanning audio-cds and dvds too.
Update: maybe I'm wasting my time already. Alexandria fails to find both the following ISBN numbers: 1-85471-227-6 + 0-7088-1358-5.
No tags
|
22 July 2006 21:50
Ugh. I broke my blog, but I think I've fixed it now with a quick hack to redirect people to the correct RSS2 feed.
I was enjoying everything until the serendipity import gave me bogus HTML, and the rewriting rules made all my entries 404s.
No tags
|
22 July 2006 21:50
Thanks to Faidon Liambotis for his nice patch, and Javier Fernandez-Sanguino Pen~a for accepting it we now have a cron which will no longer execute core files.
Another small step towards improving security in Debian GNU/Linux!
No tags
|
23 July 2006 21:50
Collection Management
I like to collect things, books, audio cds (which I buy exclusively second-hand/used then rip), and films.
I've had a lot of fun putting my film collection online (Warning image-heavy). Although I admit the reason I did it in the first place was because I found myself buying DVDs I already owned more than once.
I do the same thing with books. I can recognised covers easily, so if I see a book which is by an author I like I will look at the cover and think "Hmmm got this", or "Hmmm thats new". This leads me to buy duplicates too often.
This leads me to wanting to organise the hundreds of books I have, so I can lookup what I have/dont have easily.
My recent query the other day about scanning ISBN numbers with a barcode reader seemed to suggest that using the hardware is trivial. However the next step is hard. I can't find a decent tool for using storing the data in.
So far I've looked at:
- alexandria
I loved this when I started it up and imported a few books by ISBN. It found the title, the publisher, a cover image, and more.
However the backend seems to be a bit hit and miss. Picking books at random I soon found major gaps.
e.g. Adding Terry Pratchett's Mort gave me all the details. Adding Witches Abroad gave a blank image and just the title, all the other details were wrong/missing.
- tellico
Tellico I've just ruled out. It allows you to create collections of things, but you must enter all the details yourself.
I've neither the time nor the patience to do that.
So I'll postpone this project for a while. Probably just as well since I've discovered that a suprisingly large number of my books do not actually contain ISBN numbers!
Mostly the older paperback fiction books I have such as "H.G.Wells the valley of the spiders &; other stories", but even modern books like some of Steven Brust's Vlad Taltos series are free of ISBN numbers.
No tags
|
26 July 2006 21:50
I'm resisting the temptation to tell people to use real words when they make posts to mailing lists like this:
If u get full debian disk(2 DVDs), u can install them(binary &; source)
...
U can choose fast mirrors to ur computer, &; here is the list.
I appreciate that English is not the first language for everybody, but reading things like that just makes me want to slap people.
In other news I'm enjoying work a lot this week. Compared to last week having multiple distractions this week I've been left alone/undisturbed enough to create code and design things is a lot of fun. I couldn't do it non-stop, which is why I sysadmin instead of work as a developer, but I do enjoy coding.
On a related note today somebody mailed me a patch to get my lua networking extension to build upon MingW which was a pleasant suprise.
No tags
|
28 July 2006 21:50
According to the documentation it should be possible to setup a shared SSH key for logins to Debian.org machines.
However after sending the request several days ago nothing appears to have happened. No confirmation/reject mail sent, and no key-based logins accepted on the random machines I tested against.
Is this something that was tightened up post-compromise?
My intention was twofold:
- Setup a shared key for logins to Debian machines.
- Then determine how many people use such a key - as an argument towards removing password auth if the number was sufficiently high.
I expected to be able to use the LDAP search to determine how many people had keys set (without getting access to the keys themselves). My attempted LDAP searchs failed, although I can't tell whether they failed because support is removed/restricted, or if my queries were just malformed/bogus.
Anybody who can post statistics on the number of keys setup, or a working LDAP query would earn a virtual beverine.
No tags
|
29 July 2006 21:50
Tonight I shall be mostly playing dress-up games and weight training.
Simultaneously.
My intention is to wear my larger boots (2+2kg total) along with a nice chainmail top (1+5kg).
Including beer (how much does that weight?) I'll expect to be carrying about 10Kg / 1.5 Stones of extra weight .. whilst dancing.
I'm going to be sore tomorrow but it will be worth it.
Now to go shave my head before I get ready to go out ..
No tags
|
|
