<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
    <channel>
        <title>ctrl-alt-del.cc</title>
        <link>http://www.ctrl-alt-del.cc/</link>
        <description>Soft reset site for IT admins and other staff</description>
        <language>en</language>
        <copyright>Copyright 2012</copyright>
        <lastBuildDate>Sat, 19 May 2012 15:03:54 +0000</lastBuildDate>
        <generator>http://www.sixapart.com/movabletype/</generator>
        <docs>http://www.rssboard.org/rss-specification</docs>
        
        <item>
            <title>Fixing HAProxy configuration in pfSense</title>
            <description><![CDATA[Some time ago I was experimenting with <a href="http://pfsense.org/">pfSense</a> and <a href="http://haproxy.1wt.eu/">HAProxy</a>
 to deploy both as firewall and load balancer for one of the websites I 
was working on at the time. The key incentive was that pfSense is a great 
BSD-based firewall distribution with amazing features offered out of the
 box, and if that was not enough, you can install additional packages to
 add features you need.<br />
One of those packages is HAProxy (proxy/load balancer) and both work together very nicely but...<br />
<br />
<b>Problem</b><br />
I have installed pfSense with HAProxy several times, more than several 
in fact... and every time I did it, the configuration file generated 
using the HAProxy web configurator (integrated with the pfSense interface) was 
broken. The first row in the table showing defined backends was empty -&nbsp; the
 configuration file itself had just variables but no values. The second 
entry was just fine... Obviously HAProxy refused to start.<br />
<br />
<b>Quick fix</b><br />
Just so I remember next time what I did. Get a shell on the pfSense console or install a file manager package and edit <i>/usr/local/pkg/haproxy.inc</i> to add the line highlighted below:<br />
<br />
<form class="mt-enclosure mt-enclosure-image" style="display: inline;" contenteditable="false"><img alt="haproxy-edit.png" src="http://www.ctrl-alt-del.cc/2012/05/19/haproxy-edit.png" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="389" width="600" /></form>
Not rocket science, just shift() the first (empty) backend definition and let the script do the rest. <br />
<br />
<b>Note</b><br />
Manually fixing the config file is pointless because a new config is generated
 every time HAProxy (re)starts and the code above is used to generate 
it.<br />
 ]]></description>
            <link>http://www.ctrl-alt-del.cc/2012/05/fixing-haproxy-configuration-in-pfsense.html</link>
            <guid>http://www.ctrl-alt-del.cc/2012/05/fixing-haproxy-configuration-in-pfsense.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">solutions</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">HAproxy</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">pfSense</category>
            
            <pubDate>Sat, 19 May 2012 15:03:54 +0000</pubDate>
        </item>
        
        <item>
            <title>Raspberry Pi meets Edimax EW-7811Un wireless adapter</title>
            <description><![CDATA[This post contains my notes - what I did to make it work properly, so next time I build the system, I have a step by step guide. In case you lived under a rock for the last months and don't know what Raspberry Pi is, you should visit <a href="http://www.raspberrypi.org/">www.raspberrypi.org</a> now.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Raspberry Pi" src="http://www.ctrl-alt-del.cc/2012/05/08/RaspberryPi.jpg" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" height="456" width="600" /></span>I bought an <a href="http://www.edimax.co.uk/en/produce_detail.php?pd_id=328&amp;pl1_id=1&amp;pl2_id=44">Edimax EW-7811Un</a> adapter for my Pi - small factor, b/g/n type, so why not... especially when the vendor says it provides Linux drivers (wohoo!). Sadly as it turns out, compiling drivers on x86 or x64 and ARM architectures can be a totally different experience - especially with Raspberry Pi being in its software infancy. In all seriousness - Pi is for those that like to solve problems (at least at the current stage), but the community works hard to catch up very quickly - great stuff!<br /><br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2012/05/raspberry-pi-meets-edimax-ew-7811un-wireless-ada.html</link>
            <guid>http://www.ctrl-alt-del.cc/2012/05/raspberry-pi-meets-edimax-ew-7811un-wireless-ada.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">hardware</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">networking</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">systems</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">EW-7811Un</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">Raspberry Pi</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">RTL8188CUS</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">RTL8192CU</category>
            
            <pubDate>Tue, 08 May 2012 21:49:56 +0000</pubDate>
        </item>
        
        <item>
            <title>Logfile tail the web way</title>
            <description><![CDATA[Recently I needed something like a web-based equivalent of the <i>tail -f</i> and <i>tail -n</i> commands, so I could display a running tail or the last N lines from a specific log file. To avoid reinventing the wheel I started looking at previous works on-line and found some interesting bits here and there - one of the most useful being <a href="http://commavee.com/2007/04/13/ajax-logfile-tailer-viewer/">AJAX Logfile Tailer &amp; Viewer</a>, so I based my work on this one.<br /><br />The trick is that, as far as it does exactly what I needed, this solution requires a web server with PHP... and installing a web server (not to mention PHP) is not really what I want on my logserver.<br /><b><font style="font-size: 1.25em;"><br />Mojolicious to the rescue!</font></b><br /><br /><a href="http://www.mojolicio.us/">Mojolicious</a> is a very powerful Perl web framework that comes without bloat (almost unheard of these days!) - all you need is a standard Perl interpreter and core Perl modules as they come preinstalled with your Linux distro and you can install Mojolicious - no other dependencies. On Debian systems installation is as simple as <br /><br /><blockquote>apt-get install libmojolicious-perl<br /></blockquote><br />and we're up and running. Writing a Mojolicious::Lite app is really simple and the best part is that it comes with its own built-in web server (operating in several different modes if needed). Sounds like a nice way to go - no dedicated web server on the machine, self-contained application, etc. One more thing - writing, testing and deploying the whole code to the actual machine took less than 10 minutes!<br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2012/03/logfile-tail-the-web-way.html</link>
            <guid>http://www.ctrl-alt-del.cc/2012/03/logfile-tail-the-web-way.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">code</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">logs</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">software</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">solutions</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">logs</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">perl</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">tail</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">web</category>
            
            <pubDate>Sun, 04 Mar 2012 01:47:50 +0000</pubDate>
        </item>
        
        <item>
            <title>Secure backup of untrusted remote hosts</title>
            <description><![CDATA[I didn't blog for a long time, so it will be a long post caused by some nightmares I had about not doing proper backups on some of my hosts.<br /><br />Servers - all those small and big machines most of the geeks own, run or operate. As VPS pricing drops, we see more and more of those low-end, resource strapped servers. Organic growth usually means you start with an empty server, some kind of definition what it will be doing and... from there it just goes downhill. How do you back up such a VPS? Here is something I use myself.<br /><br /><font style="font-size: 1.25em;"><b>My backup requirements</b></font><br /><br /><ul><li>Automated - it has to run without supervision in roughly regular time intervals, if it's not automated it will never be done (read no backup)</li><li>Off-site - in case I lose the whole machine for some reason (because RAID is not backup and what fire doesn't destroy, water poured by firemen will)</li><li>No Cross-Backups - because they require a trust relationship between machines and if you think about using cheap VPS'es for cross-backups, remember that you get what you pay for!</li><li>Automatically delete old backups - to save space, (my) time and money</li><li>Append only - machine can only write data to its own, designated backup volume but can not delete or modify other volumes (accidents and rogue users do happen)</li><li>Confidentiality - no unauthorized access to backed up data</li><li>Availability - storage volume has to be highly available so I can not only write to it knowing it's there, but also access backups when I need them</li><li>Access controls - ability to define granular access rules and enforce append-only usage</li><li>Economy - it has to have reasonable cost</li></ul> ]]></description>
            <link>http://www.ctrl-alt-del.cc/2012/02/secure-backup-of-untrusted-remote-hosts.html</link>
            <guid>http://www.ctrl-alt-del.cc/2012/02/secure-backup-of-untrusted-remote-hosts.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">cloud</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">solutions</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">systems</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">backup</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">cloud computing</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">IAM</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">PGP</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">S3</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">VPS</category>
            
            <pubDate>Thu, 23 Feb 2012 22:06:15 +0000</pubDate>
        </item>
        
        <item>
            <title>How To Outrun A Lion?</title>
            <description><![CDATA[<i>You don't have to outrun a lion - it's enough you outrun the guy running next to you.</i><br /><br />Funny enough, the same stands for securing your IT infrastructure - if you are in the "low hanging fruit" category, you get owned for sure - possibly before you even notice anything shady going on behind your shiny website. When you raise the bar a bit and step out of the damned circle, most of the attackers will give up on you and move to find some other target that is easier to compromise. Of course that doesn't work for determined attackers that want YOU and nobody else, but that's a story for another time.<br /><br /><b>What's that smell?</b><br /><br />It's a smell of FAIL my friend...<br /><br />Just recently I was helping two of my friends and doing some forensics on their servers (or rather on what was left out of them) after they noticed something strange was going on.&nbsp; Long story short, the key part is that the attackers owned those boxes for months before they were discovered. They got in via the path of least resistance - badly written PHP web apps (there's so many of them!), dropped c99 or similar shell and owned the box to their liking.<br /><br />In general, we suck really bad if it takes us months to detect such hacks.<br /><br /><b>Here come the benefits of scale</b><br /><br />Wherever and whenever I look at any shared hosting providers, dedicated servers and alike, their default configuration is wide open by default. As long as the box is on-line and Nagios doesn't report issues, nobody is actually checking what's going on on that box. Basically operators don't care - they provide functionality and they charge you for it. Oh yes, that's exactly what they do - charge you first and then provide a ton of stuff you don't need and don't use - unless you are an attacker that is :-) <br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2011/02/how-to-outrun-a-lion.html</link>
            <guid>http://www.ctrl-alt-del.cc/2011/02/how-to-outrun-a-lion.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">common sense</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">firewall</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">hardening</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">monitoring</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">security</category>
            
            <pubDate>Thu, 17 Feb 2011 09:26:56 +0000</pubDate>
        </item>
        
        <item>
            <title>Building cheap console server</title>
            <description><![CDATA[This time from the department of almost wasted time...<br /><br />We all know that serial ports come very handy when you need to (re)configure something like a switch/server/firewall or similar device. In theory you can do that over TCP/IP nowadays with one hint - you need to have connectivity. All would be ok if not the fact that those very switches/firewalls you want to reconfigure actually provide the connectivity you need :-)<br /><b><br />The Idea</b><br /><br />Now... why spend hundreds of pounds/dollars on off-the shelf kit? Sure, it's cool, properly built and works unless you mess it up, but where's the fun part?! Today I needed a very very quick and cheap solution, so:<br /><br /><ol><li>SheevaPlug - £114.00</li><li>13-port USB hub - £19.99<br /></li><li>USB-serial dongles (pl2303) - £14.99 each</li></ol>This way I have fully networked console server with 4 ports just under £200 - acceptable, especially when the whole thing is running off DHCP and calls home via OpenVPN - very easy to deploy!<br /><br /><b>Tricky bits</b><br /><br />Generic Sheeva has one USB host port and hub has 13 of them - I want to send it off to remote location and have somebody plug it in and not mess up what's where. Trick is to write appropriate udev rules to detect adapters and give them <i>ttyUSBn</i> names according to physical port on the hub.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="13x-usb-hub.jpg" src="http://www.ctrl-alt-del.cc/2010/11/24/13x-usb-hub.jpg" class="mt-image-center" style="text-align: center; display: block; margin: 0pt auto 20px;" height="449" width="600" /></span>All would be fine and easy if it worked as documented - sadly it doesn't. 
The first problem was that <i>ATTRS{devpath}</i> (as returned by <i>udevadm info --attribute-walk -n /dev/ttyUSBn</i>, which allows distinguishing USB ports) was used by the rule in tests but wasn't propagated properly on any of my Debian or Ubuntu boxes. Then I tried to match <i>KERNELS</i> for parent devices - nope... if you go too far up the tree it doesn't see s**t :-/<br /> ]]></description>
            <link>http://www.ctrl-alt-del.cc/2010/11/building-console-server.html</link>
            <guid>http://www.ctrl-alt-del.cc/2010/11/building-console-server.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">hardware</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">solutions</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">console</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">hardware</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">SheevaPlug</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">udev</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">USB</category>
            
            <pubDate>Wed, 24 Nov 2010 22:15:01 +0000</pubDate>
        </item>
        
        <item>
            <title>Making new friends with kippo</title>
            <description><![CDATA[Less than two weeks ago I sent a tweet asking for honeypot recommendations. I wanted to play a bit with something new, something I never did before, mostly because I never had time for it (right, like I have it now). Anyway, thanks to all the great people that replied to my tweet I've learned a lot and found some great software. Now it's time to give something back to the community.<br /><br /><b>Kippo - simply amazing</b><br /><br />The first honeypot I reached for was <a href="http://code.google.com/p/kippo/">kippo</a>. It is a medium interaction SSH honeypot designed to log brute force attacks and log the whole session as it goes - including timings, typos, etc. The magic sauce is that you can play the session back (with typos!) and see what the attackers are made of. Believe me - playing back those sessions is totally amazing! Some samples are available on the project's page.<br />There are also other features to like, like trapping sessions and not disconnecting them even if bad guys do logout, logging the ssh client used (very easy to tell scanning bots apart from real people), quite nice interaction and most of all an easy way to extend your honeypot with your own commands.<br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2010/07/making-new-friends-with-kippo.html</link>
            <guid>http://www.ctrl-alt-del.cc/2010/07/making-new-friends-with-kippo.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">software</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">honeypots</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">ssh</category>
            
            <pubDate>Sat, 31 Jul 2010 01:59:22 +0000</pubDate>
        </item>
        
        <item>
            <title>Coder vs Security - friend or foe?</title>
            <description><![CDATA[Certainly 140 characters is not enough to express all the thoughts around recent CSRF flaw in OpenCart and how it was handled (in my humble opinion it even deserves nomination for <a href="http://pwnies.com/nominations/">Pwnie Awards</a>), although some people had a good go at Daniel Kerr.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="twitroll-ocart-fail.png" src="http://www.ctrl-alt-del.cc/2010/05/25/ocart-fail.png" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="328" width="560" /></span>Above is just a selection of comments that you can find on Twitter and in all of this negative karma there is some good thing going on. This incident got quite a lot of people to write some really good posts about the incident. Some of my favorite posts are <a href="http://coffeetocode.net/2010/05/humble-helps/">Humble Helps</a> and <a href="http://h20597.www2.hp.com/securitysoftware/blogs/rafal/archive/2010/05/24/psychology-of-quot-secure-code-quot.aspx">Psychology of "Secure Code"</a> - definitely worth reading.<br /><br />Although I'm not an expert in either coding or security (but I did quite a lot of both) I think there is also a bit more to it.<br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2010/05/coder-vs-security-friend-or-foe.html</link>
            <guid>http://www.ctrl-alt-del.cc/2010/05/coder-vs-security-friend-or-foe.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">software</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">awareness</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">CSRF</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">OpenCart</category>
            
            <pubDate>Tue, 25 May 2010 10:45:22 +0000</pubDate>
        </item>
        
        <item>
            <title>RTFM - there&apos;s an app for that</title>
            <description><![CDATA[What can be better to do on the tube than to kill some time reading manuals or books? Of course in IT quite a lot of that stuff comes as PDFs or other non-paper formats, so a good eBook reader or an app for whatever terminal you have is an advantage.<br /><br />During one of the <a href="http://www.dc4420.org/">DC4420</a> meetings one of the guys gave a very good recommendation for an iPhone app that copes very well with PDFs and some other formats. The app is called <a href="http://goodreader.net/goodreader.html">Good Reader</a> and I have to say, it's really good (for what I need it to do).<br /><br />Usually the problem is how to deliver the files of interest to the reader. You want to be able to read when off-line and have flexibility in delivery methods of course. Here is the thing that sold me on Good Reader - you can upload the files over wifi directly to the iPhone, using nothing more than a web browser. Yes - the app functions as a web server to do it! Just to make sure it doesn't turn your phone into a public web server, you have to confirm that you want to allow the given IP to connect and you get that question every time you turn the wifi upload option on.<br /><br /><center><span><img alt="01-wifi-ready.jpg" src="http://www.ctrl-alt-del.cc/2010/03/24/01-wifi-ready.jpg" style="margin: 0pt auto 20px; padding: 5px; text-align: center;" width="320" height="480" /></span><span><img alt="02-conn_request.jpg" src="http://www.ctrl-alt-del.cc/2010/03/24/02-incomming.jpg" style="margin: 0pt auto 20px; padding: 5px; text-align: center;" width="320" height="480" /></span></center>]]></description>
            <link>http://www.ctrl-alt-del.cc/2010/03/rtfm-theres-and-app-for-that.html</link>
            <guid>http://www.ctrl-alt-del.cc/2010/03/rtfm-theres-and-app-for-that.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">software</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">iPhone</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">RTFM</category>
            
            <pubDate>Wed, 24 Mar 2010 14:31:06 +0000</pubDate>
        </item>
        
        <item>
            <title>AirView2 Spectrum Analyzer</title>
            <description><![CDATA[Recently I had some serious problems with wi-fi at home - especially one of the laptops was dropping off and couldn't come back. A quick survey using Kismet and other tools to scan what's flying around has proven that my network is in a less populated part of the spectrum (at least here) but still, problems are getting worse and worse.<br /><br />I was fully aware of <a href="http://www.metageek.net/">Wi-Spy by Metageek</a>, seen it in action previously but never had a chance to buy one. Part of the decision was the price back then, maybe now it would be another game, but anyway - I got myself another device, made by the well known wi-fi vendor <a href="http://ubnt.com/">Ubiquiti</a> and it's called <a href="http://ubnt.com/airview/">AirView2</a>.<br /><br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="AirView2-EXT" src="http://www.ctrl-alt-del.cc/2009/12/16/AirView2ext-osx.png" class="mt-image-center" style="margin: 0pt auto 20px; text-align: center; display: block;" height="387" width="640" /></span><br /><b>What's so special about this one? Why is it better than Wi-Spy?</b><br /><br />First of all I didn't say it's better. It's different, works with Linux, Mac OS X and Windows, has a nice price tag and does pretty much the same as Wi-Spy. Let's have a closer look then, shall we?<br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2009/12/airview2-spectrum-analyzer.html</link>
            <guid>http://www.ctrl-alt-del.cc/2009/12/airview2-spectrum-analyzer.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">hardware</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">networking</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">software</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">solutions</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">Java</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">OS X</category>
            
            <pubDate>Tue, 15 Dec 2009 22:42:13 +0000</pubDate>
        </item>
        
        <item>
            <title>The Hex Factor at SANS London 2009</title>
            <description><![CDATA[The competition is now officially over and I have to say it was AWESOME!<br /><br />Those that made it to <a href="http://www.brucon.org/">BruCON</a> had a chance to play it, those that came to <a href="http://www.sans.org/london09/">SANS London 2009 </a>also had their fun, all the rest of you - bad luck :-/ maybe next time.<br /><br />The Hex Factor was run for four evenings/nights at <a href="http://foxbars.com/excel/index.html">The Fox</a> Bar and Restaurant located literally next to the Excel center where SANS courses were hosted. What can be better than beer, hacking and a spirit of competition?!<br /><br />Tasks set by the authors were varied in difficulty and topics they covered. One category was about history and culture of hacking with a bit of general teaser tasks and was called <b>Once Upon A Time</b>, like finding a name of candy shop at &lt;street name&gt;, so that was a soft introduction.<br /><br />My favorite category was <b>Out Of The Box</b> category (also known as <b>Pure Leetness</b>), where questions were really 'out of the box' and solving them was the best fun I had for a long time! First 100 points for finding a number 'hidden' in the message was really simple and <a href="http://www.youtube.com/watch?v=qkLClG0FBBw">here's how I did it</a>:<br /><br /><center><object height="480" width="640"><param name="movie" value="http://www.youtube.com/v/qkLClG0FBBw&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;hd=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/qkLClG0FBBw&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;hd=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="480" width="640"></object></center><br /><br />I didn't have time to do the one for 200 points, but finally after some time I managed to solve the 300 points one - finding a secret number hidden in the PDF file - hats off to Didier Stevens for this task - it was amazing! <a href="http://blog.didierstevens.com/">Didier's blog</a> was a great guide and help in the process.<br /> ]]></description>
            <link>http://www.ctrl-alt-del.cc/2009/12/the-hex-factor-at-sans-london-2009.html</link>
            <guid>http://www.ctrl-alt-del.cc/2009/12/the-hex-factor-at-sans-london-2009.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">conferences</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">SANS</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">The Hex Factor</category>
            
            <pubDate>Sat, 05 Dec 2009 09:32:23 +0000</pubDate>
        </item>
        
        <item>
            <title>CONFidence09.02 - post mortem</title>
            <description><![CDATA[Well... my plan to blog live from the CONFidence was good but still remained to be more of a plan than a reality. Twitting went much better (possibly because you can twitt between chats with people, drinks, etc) so I'll wrap up what happened and how it went.<br /><br />The conference was great - I really liked the lectures (those I actually made to), loved the chat with speakers and it was awesome to meet some old friends and make some new contacts. Overall, if you didn't come to Warsaw for CONFidence09.02 you missed quite a lot.<br /><br /><b>Day 1 summary</b><br />There was very nice presentation by Felix "FX" Lindner on how 'awesome' Cisco IOS is, Claudio Criscone (<a href="http://twitter.com/paradoxengine">@paradoxengine</a>) talked about security in virtualization environments, Frank Breedijk renamed hist AutoNessus to <a href="http://seccubus.org/">Seccubus</a> (new twitter feed at <a href="http://twitter.com/seccubus">@seccubus</a>), Leonardo NVE Egea showed us how you can use the satellites to work as your downlink (and it seemed much easier than actually you would think), Pavol Luptak pretty much owned the RFID there (yes, the basic cloning kit is just €30), Elisa dropped the pressure a bit with Power Point Karaoke where Felix "FX" Lindner was presenting about detecting unknown alcohols, Raoul Chiesa gave great presentation about knitting (yes, knitting) and I was rolled into a presentation about IT slang/acronyms and there was something about insulting someone :-) and that was just the first day.<br /><br /><b>Day 2 summary</b><br />For those that survived the 'afterparty' on the evening/night/morning you had a chance to see nice explanation of the cold boot attack given by Nadia Heninger, Nick DePetrillo discussed 'what could go wrong' with intelligent power grids and believe me... there's a lot! Jacob Applebaum (<a href="http://twitter.com/ioerror">@ioerror</a>) gave us some TOR love and a lot of TOR laptop stickers. 
Alessio "mayhem" Pennasilico (<a href="http://twitter.com/mayhemspp">@mayhemspp</a>) and Raoul Chiesa gave a nice presentation on the history of hacking telcos - there was some good info there... just before Raoul killed it all with the final presentation dissecting the underground economy (with some slides shown just after the cameras and other recording equipment were turned off). That was a really good one...<br /><br />Finishing off, Frank has posted a bunch of posts about presentations we saw in Warsaw. They are:<br /><ul><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence0902-threat-feeds/">Fusing 3rd party threat feeds to obtain better threat intelligence - Eddie Schwartz</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence0902-router-exploitation/">Router Exploitation - Felix "FX" Lindner</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-seccubus-slides/">My Seccubus slide deck</a> (slides from Frank's presentation)</li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-tls-renegotiation/">My TLS renegotiation vulnerability slides</a> (Frank's lightning talk during one of the breaks)</li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-mifare/">Mifare Classic analysis - Pavol Luptak</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-power-hungy-people-%e2%80%93-nick-depetrillo/">Power Hungry People - Nick DePetrillo</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-tor/">The Tor Project - Jacob Appelbaum</a></li><li><a href="http://www.cupfighter.net/index.php/2009/11/confidence-cybercrime/">Underground economy - Raoul Chiesa</a><br /></li></ul><br />That's it for now - just make sure you get there next time :P<br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2009/11/confidence0902-post-mortem.html</link>
            <guid>http://www.ctrl-alt-del.cc/2009/11/confidence0902-post-mortem.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">conferences</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">CONFidence</category>
            
            <pubDate>Sat, 28 Nov 2009 09:45:34 +0000</pubDate>
        </item>
        
        <item>
            <title>Claudio Criscione - Virtualization security</title>
            <description><![CDATA[Claudio gave a brilliant presentation about virtualization security today... Just a few bullet points from the presentation.<br /><br /><ul><li>It turned out that the VMware hypervisor is running Tomcat to give you the admin interface - oldie (shall I read it 'unpatched') but goldie, right?</li><li>You can do MiTM against VMware VI Client... and as presented at the demo, that works like a charm, plus...</li><li>... if you can MiTM you can pwn the box - clients.xml that is served by the server contains a URL of the client .exe to be executed - boom, you can change that!</li></ul>Just to give you the idea - during the live demo Claudio forced the admin PC (the one running VI Client) to format drive C: and there was no option to stop it, it pretty much kicked off right away. <br /><br />There was much more than that - also Xen and Ubuntu got their share here but the practical demo was based on VMware.<br /><br />Lessons learned?<br />Treat VM hosts and their apps just like any other computer, any other system, and make sure you secure them the same way as any other system. Think of patch management and what happens when you revert to a snapshot (it may be old and unpatched so you bring back an unpatched or already compromised system), think of separation of duties and access (physical and logical).<br /> ]]></description>
            <link>http://www.ctrl-alt-del.cc/2009/11/claudio-criscione-virtualization-security.html</link>
            <guid>http://www.ctrl-alt-del.cc/2009/11/claudio-criscione-virtualization-security.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">conferences</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">virtualization</category>
            
            <pubDate>Thu, 19 Nov 2009 16:11:17 +0000</pubDate>
        </item>
        
        <item>
            <title>CONFidence09.02 - day 1 kicked off</title>
            <description><![CDATA[Almost half of the day at CONFidence09.02 has already passed. Some interesting stuff of course...<br /><br />Starting with Dragorn's and RenderMan's "Wireless threats; They're not dead yet!" we've heard once again how bad and how dead WEP really is. Good refresher for some people I guess. Best part was discussing client side attacks via wifi - airpwn style but without goats this time, using malicious JS with such nice features as browser-side caching, defeating SSL, and hiding all of that in plain sight, with a call-home feature that will be very hard to notice in most environments.<br /><br />Then I skipped several presentations - I really needed a reboot :-)<br /><br />Next one I made it to was Felix "FX" Lindner talking about how sweet hacking Cisco IOS can be. Frank (<a href="http://twitter.com/autonessus">@autonessus</a>) has <a href="http://www.cupfighter.net/index.php/2009/11/confidence0902-router-exploitation/">already blogged about this one</a> so I'll just put a few notes here.<br /><ul><li>Cisco's HTTP admin interface runs off their understanding of HTTP and not Apache. </li><li>IOS doesn't have a recovery procedure for software crashes due to its monolithic structure - the only remedy is to reboot the whole box (quite easy to spot even by an untrained admin - the networkz are down!) which takes time (even several minutes).</li><li>Cisco has added TCL scripting in some versions of IOS :-)</li></ul><br />More to follow... and yes, we use <a href="http://search.twitter.com/search?q=%23confidence0902">#confidence0902</a> as hashtag.<br />]]></description>
            <link>http://www.ctrl-alt-del.cc/2009/11/confidence0902-day-1-kicked-off.html</link>
            <guid>http://www.ctrl-alt-del.cc/2009/11/confidence0902-day-1-kicked-off.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">conferences</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">CONFidence</category>
            
            <pubDate>Thu, 19 Nov 2009 13:41:43 +0000</pubDate>
        </item>
        
        <item>
            <title>Twitter, SPAM and zombie hookers</title>
            <description><![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="twitspim.png" src="http://www.ctrl-alt-del.cc/2009/10/27/twitspim.png" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" height="51" width="322" /></span> Came out of the blue - no context, nothing... BTW - we've got new URL shortening service.<br />All would be almost 'fine' but WTF is that? Not that I wouldn't guess but I'm just curious how owned you can get :-)<br /><br />As a matter of fact, you can get owned pretty bad and what I've seen I would expect to be just a starter... the main course is coming soon!<br /><br /><br /><div align="left"><b><font color="red">WARNING:</font></b> All the information provided in this post is available on the Internet. Links presented on screen shots should be considered malicious - <u>do not visit them unless you really know what you are doing</u>. You have been warned.<br /></div>]]></description>
            <link>http://www.ctrl-alt-del.cc/2009/10/twitter-spam-and-zombie-hookers.html</link>
            <guid>http://www.ctrl-alt-del.cc/2009/10/twitter-spam-and-zombie-hookers.html</guid>
            
                <category domain="http://www.sixapart.com/ns/types#category">WTF</category>
            
                <category domain="http://www.sixapart.com/ns/types#category">security</category>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">SPAM</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">Twitter</category>
            
            <pubDate>Tue, 27 Oct 2009 12:46:20 +0000</pubDate>
        </item>
        
    </channel>
</rss>

