I’ll go through a false positive example I found on my blog. False positives are inevitable, so it’s not a bad idea to run mod_security for a few weeks on detect only.

Here’s the url that was raising the alarm. The trigger was in the url.

http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/

Here’s what modsec_audit.log looked like

--f8a03521-A--
[21/Mar/2011:07:54:47 +1100] TYZpl0LcAZkAAHCLBPIAAAAA ::ffff:124.169.31.22 34169 127.0.0.1 81
--f8a03521-B--
GET /blog/2007/11/20/blue-tongue-harmonica-talk-cd/ HTTP/1.0
Host: chesterton.id.au
X-Real-IP: ::ffff:124.169.31.22
X-Forwarded-For: ::ffff:124.169.31.22
Connection: close
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.26 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.709.0 Chrome/12.0.709.0 Safari/534.26
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

--f8a03521-Z--


Section B –f8a03521-B– contains the request headers, and you can see the GET is /blog/2007/11/20/blue-tongue-harmonica-talk-cd/.

Section H is the audit log, why it was blocked in this case.
[msg "System Command Injection"] [data "cd/"] so it didn’t like cd/, I’m not sure that cd/ (without a space between the cd and the directory) would do much on a unix system, but perhaps it does on windows, where apache also runs.

It also tells you the pattern that matched, the file where the rule is located and the rule id.
Pattern match “\bcd\b\W*?[\/]” at REQUEST_FILENAME. [file "/etc/apache2/modsecurity_crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "396"] [id "958821"]

What we can do, is when REQUEST_FILENAME = /blog/2007/11/20/blue-tongue-harmonica-talk-cd/ remove rule id 958821.

SecRule REQUEST_FILENAME "^/blog/2007/11/20/blue-tongue-harmonica-talk-cd/(index.php)?$" "nolog,pass,ctl:RuleRemoveById=958821"


Add this rule to your local rules, the reason we don’t modify the base_rules is they get overwritten when there’s an update to the rules.

“pass” above means if the rule matches, keep processing other rules, so it will still catch xss for example:

http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/?a=%3Cscript%3Ealert(1)%3C/script%3E

I’d like to come back to this later and lock it down a little.

In my previous post I didn’t mention how to turn on the audit log, so without explanation, you put the following in your config.


SecAuditEngine RelevantOnly
SecAuditLogType serial
SecAuditLogParts ABCFHZ


We already set SecAuditLog to /var/log/modsecurity/SecAuditLog/modsec_audit.log in the previous post, which has to be writable by the web server user, www-data for ubuntu/debian. So after a reload, you should start seeing entries when mod_security denies a request.

I’m going to modify SecAuditLogType setting in a future post so we can enable the console.

Some time ago, I changed my setup from nginx + spawn-fcgi to nginx + apache so I could play with mod_security. Well, one of my clients got pwned by some sql injection vulnerability, so I finally got to put it in practice.

In a nut shell, mod_security is an apache module that scans http(s) traffic for suspicious strings. It can catch suspicious strings entering apache or leaving apache. It’s a firewall for http(s), it blocks bad traffic, and lets good traffic pass through.

mod_security is one of those applications that doesn’t fit the package model well. I guess it comes in two parts, the apache module and the rules. Packages don’t seem to even attempt to manage the rules, you download them separately and they come with a util to update them. Then you have your local rules that add to, disable, or override the upstream rules to fit your environment.

In ubuntu, the mod_security package is a little outdated, it always will be, especially on LTS, and it’s one of those packages that needs constant updates. The clever and motivated security researchers eventually find weakness in mod_security which are addressed in updates. So you either use the packages, and hope fixes are backported in a timely manner, which hasn’t appeared to of happened in ubuntu, or you install by source.

Installing by source increases your workload and moves the burden of keeping it up to date to yourself. But it’s a pretty straightforward process, and if you have only one or two machines to admin, it’s no issue.

It’s basically a matter of downloading the source, checking the signature, running apt-get build-dep libapache-mod-security, untaring, ./configure; make;make test;make install, then enable the module in apache. It’s pretty well covered in the docs and blogs found in google.

That takes care of the module, but it does nothing without the rules. I downloaded the core rules from OWASP. There some documentation in the package, but there’s a few gotchas, so I’ll try and document step by step the process I went through.

1. unpack the rules in your home directory
2. sudo mkdir /etc/apache2/modsecurity_crs/
3. cd modsecurity-crs_2.1.2
   sudo cp -a *_rules *.example /etc/apache2/modsecurity_crs/
4. cd /etc/apache2/modsecurity_crs/
   sudo mv modsecurity_crs_10_config.conf{.example,}
5. You have to edit modesecurity_crs_10_config.conf and uncomment a few lines, I think the main one being SecRuleEngine.
6. I created two files in /etc/apache2/mods-available
   0modsecurity.conf
   <IfModule security2_module>
Include modsecurity_crs/*.conf
Include modsecurity_crs/base_rules/*.conf
</IfModule>
   0modsecurity.load
   LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
7. sudo a2enmod 0modsecurity
8. create a file called /etc/apache2/modsecurity_crs/modsecurity_localconfig.conf with the following
   SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir

9. Make all the directories in /var/log/modsecurity, which have to be owned by www-data
   sudo mkdir -p /var/log/modsecurity/{SecUploadDir,SecAuditLog,SecAuditLogStorageDir,SecDebugLog,SecDataDir,SecTmpDir}
sudo chown -R www-data: /var/log/modsecurity

That will do for now, I think. To modify the rules I feel it’s best to slow down and buy a book for learning, I’m not sure docs and blogs are the best way to learn this, but it’s up to your learning style. I keep updated by following @ModSecurity on twitter.

When watching a TV series on the laptop, I often lose track of what episode I’m up to, especially after a reboot, so I use nautilus emblems to keep track for me.

The idea is when I double click a video file, instead of it launching a video player, I configure it to launch a script, which adds the emblem to the file and then launches the video.

The script is pretty complicated

#!/bin/sh
gvfs-set-attribute -t stringv "$1" metadata::emblems generic &&
vlc "$1"

OK, I lied, it’s pretty simple, gvfs-set-attribute which can be found in the gvfs-bin package sets the emblem then vlc (or totem, or whatever gets your freak on) launches.

So you put the script somewhere sane, like /usr/local/bin/markvideo and click a
video file you want to the script to work on, and then select properties -> open with, and put your script in, it will work with all video files of that extension from then on.

Only one minor pain, you need to refresh nautilus after double clicking a file to see the emblem. I did a similar thing on snow leopard using automator and it didn’t need refreshing. But at least the emblem is there if I need to reboot, or whatever, so the next time I open that folder (or refresh it) I will see it.

About five years ago, I bought a macbook pro2,2 as my main connection to the internet. It started out with tiger. It was a struggle to get used to the differences from a gnome desktop. But I got there, and started liking it. I tried ubuntu on it when i first got it, and didn’t like the single mouse button, so went back to tiger.

Then came leopard and snow leopard, all good. But started pining for my open source interface. Eventually, after years of pining, I got sick of how slow my macbook had become. It probably just needed a reinstall, but I wanted to go back to ubuntu. All it had become over the years was a browser, a terminal and a video player.

One problem, my cd drive didn’t work, so usb install was the only way. Well, there was the option of netboot, but the simple instructions I found didn’t work, so I concentrated on usb which had more documentation. I can’t put into words how frustrating and hard it was to get ubuntu booting on it, it took a full day of trial and error, reading blogs and howtos, etc.

At one stage it was “bricked” (but not totally bricked), I couldn’t boot anything. It just sat there on a grey screen cycling through different icons. A usb bootable refit rescued me that time.

To cut a long story short, I couldn’t get ubuntu booting from the usb. So now I have a partition for snow leopard install dvd (I put that on when the cd drive died), a partition of snow leopard for refit, a partition of ubuntu alternative install cd, a partition for ubuntu root and a partition for linux swap.

I tried for most of the time to get ubuntu desktop on there, it wasn’t happening, eventually tried the alternate cd and got further, although I had to manually force grub to install on the partition outside of the install process. Now it boots, and I’m extremely happy about it.

I’m trying to not modify it too much, to stay with the ubuntu defaults, but firefox went for chromium. That and two finger scroll are about the only changes I’ve made. It’s good, feels nice, I need to get used to expose corners not being there, and copy and paste being different, but that’s about it. everything else feels natural.

I’ve reinstalled apache and I’m in the process of cutting over my sites. Not completely, just for non static files, mainly php. Nginx is infront of apache serving static content and is a reverse proxy to apache which runs on 127.0.0.1:81

The reason? I want to give mod_security a spin. It’s loaded now, but it doesn’t seem to do much atm. Will read up on it in due season ;)

Basically, you google for nginx apache proxy wordpress wp-super-cache and you hit the right sort of pages to set it up. It wasn’t smooth sailing though, I used http://tech.nocr.at/tech/how-to-speed-up-wordpress-with-nginx-and-wp-super-cache/ which has a flaw.

It contains the lines at the end on the nginx config sample.
# all other requests go to WordPress
if (!-e $request_filename) {
rewrite . /index.php last;
}
and funnily enough, every url opened the front page of my blog. It took me a bit of head scratching before I commented the lines out, enabled mod_rewrite in apache, and toggled a wordpress permalink setting to get .htaccess written.

After I got it working, I read the comments and someone had already discovered the flaw. Plus another page I read is basically the same, except it’s missing those lines (it wasn’t as good looking, so I didn’t use it).

So I’m pretty happy that I understand the config now, and I’ll continue to cut over the remaining sites, then turn off php5-cgi. I’m also happy apache is back, I went a bit anti apache there for a while, but it has its uses, like mod_security for example.

Sheesh, I write one post on security, mention a security expert in it, and he tries to exploit my server. It’s not an original idea, but if you want to test your server for vulnerabilities, come out and say you’re a security expert.

Anyway, I finished Cyber War, feeling very satisfied since it’s been a long time since I had the will to read a book. Twitter’s 140 character limit has taken a toll.

I think the conclusion the author made was regulation, which will erode privacy, and treaties. Also a new protocol where there are no anonymous users (except for the bad guys, i guess).

The author has no doubt that our critical systems already have backdoors and logic bombs installed, waiting for the day. One thing that struck me is no matter how secure my own network is (which it isn’t very, no need to test), if someone else is vulnerable, it could affect me and millions of others.

On to the next book. This one is lower level I think.

I’ve recently become more interested in security. I always had an interest in it, locking down linux servers and firewalls, trying to avoid common sql injection and XSS bugs while coding. But I guess that’s more of a passive interest or approach, I’m now interested in a more active way, deep packet inspection, etc.

In the past, I locked down a server and assumed it would take care of itself, be crack proof, as crack proof as anything connected to the internet can be. I wasn’t fooling myself, I knew it could still be cracked.

Now I’m looking at it more from position where I believe the hosts are vulnerable, and I want to examine the traffic coming in and out. Trying to secure the network rather than (or as well as) the hosts. Because, well, some hosts can’t be secured, there’s always going to be 0day exploits, old unpatched exploits, and social hacking. Not just trying to stop attacks, but trying to detect owned boxes. Some attacks happen out of band, like from infected usb sticks. Want to sneak some worm onto a target? Do it in plain sight, stand outside their premises and give away usb sticks in a fake promotion, or do it in some conference.

I guess I’ve got to send props to David Bl (Security Expert) for sparking the interest.

I’m half way through Cyber War, the first book I’ve read in a very long time. It’s not a technical manual on security, it’s more of a look at how vulnerable the USA and other countries are from attacks coming in through the internet. It talks about political and military tactics and strategy. It’s more about securing a nation, rather than a network.

It seems the only reason we don’t see a lot of countries launching attacks on other countries through the internet is the countries who have the ability to attack a potential adversary, also have an interest, be it in trade, or bonds or whatever, in the potential adversary. It’s not in their best interest to attack at the moment. Things are going to change though.

You don’t need to be a country to take on someone like the USA, a single person, or a small group with the right know how can do a lot of damage to the military or public infrastructure. Remotely damaging electric generators that take months to replace, crippling banks, whatever. Anything that is connected in someway to the internet is a target. Australia and USA are looking at smart grids, the electric grid is already connected to the internet and it’s going to get a lot more connected and complicated with the added bonus of more attack vectors.

What can be done by the government to protect its citizens in an attack? Nothing, really. Except for China, who have a big firewall they can use to shut off attacks. Anything a government might do to strengthen its internet defence is going to be an attack on citizens privacy. Who in their right mind would trust a government to do the right thing with all the power they would hold over their citizens, if they had the control they needed to defend themselves and their citizens from internet attacks?

Which brings me to the question of Australia’s proposed filter. Filter bad, Conroy bad, and all that, but the filter is a firewall between Australian citizens and the internet, it could be used as a defensive measure against attacks. Not necessarily the technology Conroy is proposing, but a suitable firewall could.

But it’s like the government being able to listen in on every phone call, every conversation. It’s not going to happen, but something needs to happen.

I dare say the font on the security tag on this blog is going to get large in the tag cloud. These are young thoughts, they may change and I’ll be talking about security a lot more.

For a while now, I had not being using FreeSWITCH for my VoIP, but just logging into PennyTel directly with my Nokia E65. It worked OK, but the voice quality wasn’t as good as going through FreeSWITCH.

A month ago my old ADSL router died, so I bought a Billion 5200N to replace it. Since then, I’d been having weird problems with VoIP not working, and the Wifi to LAN bridging stopping dead whenever there was a bit of traffic over it.

It took me a while to sort out all the peculiarities of the Billion.

1. A change of ethernet ports on the router fixed the bridge locking up problem. It took a lot of time and weird theories before I fixed that.
2. When setting up the router from factory defaults, I have to save the wireless interface twice when I change the SSID before it will allow my wireless devices to authenticate.
3. UPnP was interfering with FreeSWITCH, and probably my Nokia. Turning that off on the router fixed FreeSWITCH.
4. Selecting some settings on the router made the routers wireless interface disappear, and the only way to get it back was a factory reset.

So, FreeSWITCH is a breeze to set up for PennyTel now. It takes editing two files.
conf/vars.xml and conf/dialplan/default/000pennytel.xml.

In conf/vars.xml I changed the following

<X-PRE-PROCESS cmd="set" data="default_password=whateveryouwant"/>

That password is used for phones authenticating to FreeSWITCH, it has nothing to do with PennyTel.


<X-PRE-PROCESS cmd="set" data="domain=switch.gruntnet"/>


What the phones use as their realm, it should be in the DNS with the ip pointing to FreeSWITCH.


<X-PRE-PROCESS cmd="set" data="default_provider=sip.pennytel.com"/>
<X-PRE-PROCESS cmd="set" data="default_provider_username=61281955555"/>
<X-PRE-PROCESS cmd="set" data="default_provider_password=55555/>
<X-PRE-PROCESS cmd="set" data="default_provider_from_domain=sip.pennytel.com"/>
<!-- true or false -->
<X-PRE-PROCESS cmd="set" data="default_provider_register=true"/>
<X-PRE-PROCESS cmd="set" data="default_provider_contact=1000"/>


All the PennyTel setting goes above, I use 1000 to receive incoming calls, my only phone on the network.

Then in conf/dialplan/default/000penntel.xml


<extension name="pennytel">
<condition field="destination_number" expression="^(.*)$">
<action application="set" data="effective_caller_id_number=61281955555"/>
<action application="bridge" data="sofia/gateway/sip.pennytel.com/$1"/>
</condition>
</extension>


I recently upgraded to snow leopard and noticed some DNS weirdness. I couldn’t ssh to hosts defined in my local DNS, it wouldn’t resolve, but I could resolve them with the host command.

Turns out Snow Leopard made quite a few changes to the resolver, it no longer uses /etc/resolv.conf but mDNSResponder, at least for apple supplied applications.

Unlike every other OS I’ve come across, including Leopard, Snow Leopard doesn’t use the order of DNS servers as first listed, first used. It swaps which DNS it’s going to use around, seemingly at random times. Some sort of load balancing miss feature?

I had two DNS servers configured, the first one, my local DNS server, the second, my ADSLs DNS server as a backup. The simple fix is to only have one DNS server configured.

There’s more information here Snow Leopard Resolver.

I’m not unhappy with OS X, but lately I’ve been pining to return to a linux based laptop. I think this will be my first and last Mac.