BASH Script – Blank Out CC Details

October 27th, 2009

Edit: I should have pointed out originally, as I have now received feedback on this. This is NOT the best or optimal way of performing this task. I was trying to illustrate as many shell scripting principles as possible in terms of ‘if’, ‘for’, counters, etc, and how such a one liner has been put together. Perhaps I should have thought of a better way of illustrating such principles, but nevertheless, here it is!

Here's a quick one-liner; I can't think why anyone would ever have a use for it, but the principle itself may be of use to someone. It takes a file containing one 16-digit number per line, e.g. 1234123412341234, and prints each one with the first twelve digits replaced by X, i.e. XXXXXXXXXXXX1234. Note that it only masks the output: the source file still holds the full numbers and needs the same protection as before.

for I in `cat mylist`; do P=""; ctr=0; for C in `echo $I | grep -o .`; do let ctr=$ctr+1; if [ $ctr -gt 12 ]; then P=${P}${C}; else P=${P}"X"; fi; done; echo $P | tr -d '\n'; echo -ne "\n"; done

Duly spaced and indented (the inner loop variable is named C here so that it doesn't shadow the outer I):

for I in `cat mylist`; do
    P=""
    ctr=0
    for C in `echo $I | grep -o .`; do
        let ctr=$ctr+1
        if [ $ctr -gt 12 ]; then
            P=${P}${C}
        else
            P=${P}"X"
        fi
    done
    echo $P | tr -d '\n'
    echo -ne "\n"
done
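The same masking done the way I would write it for real use, as an added example that is not part of the original post: it reads lines on stdin, masks only lines that are exactly 16 digits, passes anything else through untouched and needs no subshells per character. It goes beyond the post by adding a Luhn check, so a caller can tell how many of the masked lines were actually plausible card numbers rather than sequence numbers or IDs. The file name mylist is the post's; everything else is assumed.

```bash
#!/bin/bash
# Mask card numbers: keep the last four digits of every line that is exactly
# 16 digits, pass everything else through unchanged.
# Added example, not the original post's code.

# Luhn check: exit 0 if the digit string has a valid check digit.
# Goes beyond the post: lets a caller count real PANs without false positives.
luhn_ok() {
    local n=$1 sum=0 double=0 i d
    for (( i = ${#n} - 1; i >= 0; i-- )); do
        d=${n:i:1}
        if [ "$double" = 1 ]; then
            d=$(( d * 2 ))
            if [ "$d" -gt 9 ]; then d=$(( d - 9 )); fi
        fi
        sum=$(( sum + d ))
        double=$(( 1 - double ))
    done
    [ $(( sum % 10 )) -eq 0 ]
}

# mask_pan: reads lines on stdin, writes masked lines on stdout.
# "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
mask_pan() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        if [[ $line =~ ^[0-9]{16}$ ]]; then
            printf 'XXXXXXXXXXXX%s\n' "${line: -4}"
        else
            printf '%s\n' "$line"
        fi
    done
}

# count_valid_pans: how many 16-digit lines on stdin pass the Luhn check.
count_valid_pans() {
    local line count=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [[ $line =~ ^[0-9]{16}$ ]] && luhn_ok "$line"; then
            count=$(( count + 1 ))
        fi
    done
    echo "$count"
}

# Usage: mask_pan < mylist > mylist.masked
#        count_valid_pans < mylist
```

Because the masking is done by a regex on the whole line, a 15- or 17-digit line is left alone; if you need to mask numbers embedded in other text, match them with word boundaries and keep the same last-four rule.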

Would love anyone to comment with variations.


Move Xen Guest from loopback filesystem to LVM

October 25th, 2009

Moving a Xen guest from a sparse loopback image into an LVM volume is easy enough.

First power down the VM with xm shutdown mymachine, and wait until it disappears from xm list.

Once it is down, create the logical volume: lvcreate --name mymachine-disk --size 10G myvg. The size must be at least the logical size of the current image file (for a sparse file that is what ls -l reports, not du). If you make it larger, the guest's filesystem won't use the extra space until you grow it (resize2fs for ext3). Now create the same for the swap file: lvcreate --name mymachine-swap --size 128M myvg. Then edit the machine's config (/etc/xen/mymachine.cfg), replacing the disk section from:

disk        = [
'file:/xen/mymachine/mymachine-swap,sda1,w',
'file:/xen/mymachine/mymachine-disk,sda2,w',
]

to

disk        = [
'phy:/dev/myvg/mymachine-swap,sda1,w',
'phy:/dev/myvg/mymachine-disk,sda2,w',
]

And use dd to copy each image onto its new LV (a block size larger than the 512-byte default makes this considerably faster):

dd if=/xen/mymachine/mymachine-disk of=/dev/myvg/mymachine-disk bs=4M
dd if=/xen/mymachine/mymachine-swap of=/dev/myvg/mymachine-swap bs=4M

Remember that you can use killall -SIGUSR1 dd at any time to get a status update on dd's I/O.

Once done, power up your VM again with xm create mymachine.cfg
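The whole procedure as one script, added here as an example and not the original post's code. It sizes each LV from the image's logical size (rounded up to whole MiB, so the LV is never smaller than the image), rewrites the file: entries in the config to phy: ones, and has a DRY_RUN mode that prints the commands instead of running them. It assumes the post's layout: images in /xen/<guest>/<guest>-disk and -swap, config in /etc/xen/<guest>.cfg, volume group myvg.

```bash
#!/bin/bash
# Move a Xen guest's file-backed images to LVM. Added example, not from the post.
# Assumptions: images live in /xen/<guest>/<guest>-{disk,swap}, the config is
# /etc/xen/<guest>.cfg, and the target VG is $VG (default myvg).
VG=${VG:-myvg}
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or just print it when DRY_RUN=1
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Logical size of an image in MiB, rounded up. wc -c reports the logical
# size, which is what matters for a sparse file (du would under-report it).
image_size_mib() {
    local bytes
    bytes=$(wc -c < "$1") || return 1
    echo $(( (bytes + 1048575) / 1048576 ))
}

# Rewrite file:/xen/<guest>/<name> disk entries to phy:/dev/<vg>/<name>.
# Config on stdin, rewritten config on stdout.
rewrite_disk_lines() {
    local guest=$1 vg=$2
    sed -E "s#file:/xen/${guest}/([^,']+)#phy:/dev/${vg}/\\1#g"
}

# Create an LV sized to the image and copy the image into it.
migrate_image() {
    local guest=$1 name=$2 img mib
    img="/xen/$guest/$name"
    mib=$(image_size_mib "$img") || return 1
    run lvcreate --name "$name" --size "${mib}M" "$VG"
    run dd if="$img" of="/dev/$VG/$name" bs=4M conv=fsync
}

# Shut the guest down, migrate both images, rewrite the config, start it again.
migrate_guest() {
    local guest=$1 cfg="/etc/xen/$1.cfg"
    run xm shutdown -w "$guest"            # -w: wait for the domain to go away
    migrate_image "$guest" "$guest-swap" || return 1
    migrate_image "$guest" "$guest-disk" || return 1
    run cp "$cfg" "$cfg.bak"
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ rewrite disk lines in $cfg"
    else
        rewrite_disk_lines "$guest" "$VG" < "$cfg.bak" > "$cfg"
    fi
    run xm create "$cfg"
}

# Usage: source this file, then
#   DRY_RUN=1 migrate_guest mymachine    # preview the commands
#   migrate_guest mymachine              # do it
```

The config backup is kept so the guest can be pointed back at the file images if the copy turns out to be bad; only delete the images once the guest has booted cleanly from LVM.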

Setting up an LVM filesystem

October 20th, 2009

Setting up an LVM filesystem is quite easy assuming you have the right tools installed and a recent kernel. LVM has a lot of advantages, most notably the ability to take snapshots of a live filesystem, which is why LVM is often used under production databases.

Assuming a Debian Lenny machine, get the relevant packages (some may already be installed; mdadm is only needed if the physical volumes will sit on software RAID): apt-get install lvm2 dmsetup mdadm

In this example we will assume that /dev/sda is your boot drive and that you want to leave it out of LVM but include /dev/sdb and /dev/sdc. Unlike a RAID array, LVM does not need the two disks to be the same size; it simply pools whatever space each physical volume provides.

Firstly, using fdisk, remove any existing partitions with ‘d’, on /dev/sdb and /dev/sdc, and create one new partition to span the drive. Change the partition type to ‘8e’ which is the LVM type.

Now prepare your physical disk for LVM with the ‘pvcreate’ tool:

pvcreate /dev/sdb1 /dev/sdc1

Note that you can reverse this with pvremove. You can also use pvdisplay now to display information on all physical volumes.

Oh, and you do realise that you can use /dev/mdX just as easily, to create LVM on top of your RAID devices?

Now, we need to create a ‘volume group’: vgcreate myvg /dev/sdb1 /dev/sdc1


Installing and Configuring Xen with guests

October 18th, 2009

Installing and Configuring Xen on a Debian Lenny machine is pretty easy. Firstly, install the system:

apt-get install xen-tools xen-utils-3.2-1 xen-linux-system-2.6.26-2-xen-686

xen-linux-system-2.6.26-2-xen-686 provides the Xen-enabled kernel you'll need. It installs the new kernel as the default, so you'll now need to reboot.

Once rebooted, issue uname -a to ensure that your new Xen kernel is running:

apnic01:~# uname -a
Linux apnic01 2.6.26-2-xen-686 #1 SMP Wed Aug 19 08:47:57 UTC 2009 i686 GNU/Linux

You now have Xen installed! There are a few changes to make. Firstly, none of my new guest VMs had a working console; apparently this is a known issue in Lenny with Lenny guests. The workaround is to change the inittab on the guest so that a getty runs on hvc0. I wanted to create guests without modifications, so instead I edited /etc/xen-tools/xen-tools.conf and uncommented:

serial_device = hvc0

It's listed as the default, but uncommenting it solved my issue.

Now you're ready to create your first guest.

dd progress update

October 14th, 2009

While a long `dd’ is running, how can you get a progress update?

kill -USR1 `pidof dd`

This sends the SIGUSR1 signal to dd which, according to its man page, causes it to print its progress to stderr. Newer GNU coreutils (8.24 and later) also accept status=progress on the dd command line for a continuous update. Useful to know.

Copy/Export MySQL User Privileges

October 13th, 2009

I’m often asked how to copy or export MySQL Users from one machine to another. The following SQL query will show your users:

SELECT DISTINCT CONCAT('SHOW GRANTS FOR `', user, '`@`', host, '`;') AS query FROM mysql.user;

In my case on my test server, this shows:

SHOW GRANTS FOR ‘root’@’127.0.0.1’;
SHOW GRANTS FOR ‘debian-sys-maint’@’localhost’;
SHOW GRANTS FOR ‘root’@’localhost’;

Now, I’ll need to execute each one of these as separate statements. The output of SHOW GRANTS FOR ‘root’@’localhost’; is:

GRANT ALL PRIVILEGES ON *.* TO ‘root’@’localhost’ IDENTIFIED BY PASSWORD ‘*XXX…XXX’ WITH GRANT OPTION;

Copy and paste each GRANT statement to your new SQL server, with the hashed password intact, and you should be ready to go. Two caveats: don't copy the debian-sys-maint account, as its password lives in /etc/mysql/debian.cnf on each machine and the target already has its own; and on MySQL 5.7 and later SHOW GRANTS no longer includes the IDENTIFIED BY PASSWORD clause, so use SHOW CREATE USER for the password hash there.
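Scripted version of the same export, added here as an example rather than the post's own procedure. It runs the query above non-interactively, feeds the generated SHOW GRANTS statements back into mysql, terminates each GRANT with a semicolon so the output can be piped straight into the new server, and drops host-specific accounts (debian-sys-maint by default). It assumes the mysql client with a privileged login configured in ~/.my.cnf; the user list SKIP_USERS is my own addition.

```bash
#!/bin/bash
# Export MySQL grants as re-runnable SQL. Added example, not from the post.
# Assumes the mysql CLI with a privileged login available via ~/.my.cnf.

# Accounts whose grants must NOT be copied to another server.
SKIP_USERS=${SKIP_USERS:-"debian-sys-maint"}

# grants_to_sql: turn raw SHOW GRANTS output (one GRANT per line, stdin) into
# terminated statements on stdout, skipping users listed in SKIP_USERS.
grants_to_sql() {
    local line user skip s q="'"
    while IFS= read -r line; do
        case $line in GRANT*) ;; *) continue ;; esac   # ignore headers/blank lines
        user=${line#*TO $q}      # text after "TO '"
        user=${user%%$q*}        # up to the closing quote
        skip=0
        for s in $SKIP_USERS; do
            if [ "$user" = "$s" ]; then skip=1; fi
        done
        [ "$skip" = 0 ] || continue
        printf '%s;\n' "$line"
    done
    printf 'FLUSH PRIVILEGES;\n'
}

# export_grants: the full pipeline against the local server.
# -B batch mode, -N no column headers, so the output is just statements.
export_grants() {
    mysql -BN -e "SELECT DISTINCT CONCAT('SHOW GRANTS FOR \`', user, '\`@\`', host, '\`;') FROM mysql.user" \
        | mysql -BN \
        | grants_to_sql
}

# Usage: export_grants > grants.sql        # on the old server
#        mysql < grants.sql                # on the new server
```

Review grants.sql before loading it: a GRANT ALL ON *.* ... WITH GRANT OPTION for 'root'@'%' carried over from a test box is exactly the kind of thing you don't want landing on production.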

Linux Consultant – How to recover a compromised server

October 11th, 2009

As a security consultant I often have to deal with machines that are already compromised. The 'official' standpoint is always to wipe the machine altogether, reinstall the OS, and restore your data and configuration from the backups that you obviously have.

That not always being possible, the second-best alternative is to recover the machine in place. If at all possible, do the checks below from known-good media (a rescue CD or a clean install) with the suspect disk mounted read-only, rather than trusting anything on the running system; a kernel-level rootkit will hide from every userland tool, however clean the binaries are.

The first thing to do is compare each command-line utility against a known-good identical system before using it, so you can rely on the results it returns. An attacker will often drop a modified ls, lsmod, ps, netstat and various other tools onto your system to hide whatever else has been installed.

You'll need to use md5sum and ls to check the size and checksum of each utility before you use it, although of course md5sum and ls themselves could be rigged with predefined responses. You could also use strings to look at the printable contents of those tools, although strings could just as easily be rigged. If you're that paranoid, you've got no choice but to wipe the machine altogether.

So first, check the integrity of each of your core utilities. If your Debian 5.0 system with the latest updates was compromised, compare against another Debian 5.0 system with the same updates and tools installed. On Debian, debsums will compare installed files against the md5sums recorded by each package, which is a quick first pass, although an attacker with root could have edited those lists too, so a reference taken from a separate clean machine is better.

Once you have confirmed your md5sum utility, you can simply compare checksums (sha256sum rather than md5sum where both systems have it) and stop worrying about file sizes and strings. Check your package management utilities, then apt-get install rkhunter and run it; it checks for a number of known rootkits and modified binaries, and there are other rootkit hunters such as chkrootkit if you wish. Then check your ps utility, and once it's confirmed run ps auxw and examine each running process the same way. Assuming that all of that has not shown up anything, all is good so far. If one of your binaries is compromised and your package manager is in good order, dpkg -P <package> and reinstall. If it is a core package that cannot be removed/purged without affecting the rest of the system, scp a new binary over from the reference machine, checking that the libc6 and package versions are IDENTICAL, and of course that scp itself is in good order.

At this point we can assume that your binaries themselves are in good order. Check for any new setuid utilities with find / -perm -4000 -type f (and -perm -2000 for setgid); the old -perm +4000 syntax is no longer accepted by current GNU find. Make sure everything on that list is expected, and then double-check the checksum of each and every one of them.

This all being OK, continue by looking at /etc/passwd, /etc/group and /etc/shadow for accounts that you don't recognise, for any account other than root with UID 0, and for empty password fields. Then check syslog, wtmp (via last), lastlog, etc., and check the IPs and last logins of each account. Also check directories such as /tmp and /var/tmp with ls -al, looking for entries beginning with a '.', which would otherwise be hidden.

If everything above returns clean, then it's unlikely that your system was directly compromised. There is always the chance that your web application or database was compromised, but that's outside the scope of this article. In short though, check your web server log files, as they should tell you what was compromised and how it was done. Obviously ensure that any third-party software you may be using, such as WordPress, vBulletin, etc., is always at the latest version.
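The binary, account and filesystem checks above as a set of shell functions, added here as an example and not the post's own tooling. It compares files against a reference manifest generated on the clean system, lists UID 0 and empty-password accounts, enumerates setuid/setgid files and hidden entries under /tmp. Assumptions: the suspect root is mounted at $ROOT (default /, i.e. the running system, which is the less trustworthy option), and the manifest was produced on the reference machine with sha256sum (md5sum works too if that is all the reference box has).

```bash
#!/bin/bash
# Integrity triage for a suspected-compromised host. Added example, not from the post.
# Assumptions: run from a trusted shell, ideally rescue media with the suspect
# root mounted read-only at $ROOT (default /). The manifest comes from a clean,
# identically patched system: sha256sum /bin/* /sbin/* /usr/bin/* > manifest
ROOT=${ROOT:-/}
HASH=${HASH:-sha256sum}   # md5sum also works; prefer the stronger hash when you can

# verify_manifest MANIFEST: compare files against "hash  /path" lines.
# Prints MISSING and MISMATCH lines; returns 0 only when every file matches.
verify_manifest() {
    local manifest=$1 sum path actual rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -e "${ROOT%/}$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$($HASH < "${ROOT%/}$path" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $path (expected $sum, got $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# rogue_root_accounts PASSWD: UID 0 accounts other than root, a classic backdoor.
rogue_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_accounts SHADOW: accounts that can log in with no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# list_suid_sgid: every setuid or setgid regular file on the root filesystem.
# Diff the output against the same list taken from the clean system.
list_suid_sgid() {
    find "${ROOT%/}/" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# hidden_tmp_entries: dot-named entries under /tmp and /var/tmp.
hidden_tmp_entries() {
    find "${ROOT%/}/tmp" "${ROOT%/}/var/tmp" -mindepth 1 -name '.*' 2>/dev/null
}

# Usage (suspect disk mounted at /mnt/suspect from rescue media):
#   ROOT=/mnt/suspect verify_manifest /media/usb/manifest
#   rogue_root_accounts /mnt/suspect/etc/passwd
#   empty_password_accounts /mnt/suspect/etc/shadow
#   ROOT=/mnt/suspect list_suid_sgid > suid.now; diff suid.clean suid.now
#   ROOT=/mnt/suspect hidden_tmp_entries
```

A MISMATCH on a binary that was not updated by a package since the manifest was taken is a finding; a MISMATCH on one that was is noise, which is why the manifest has to come from a system at the same patch level.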

Edit/Addition:
In response to a reader's comments, I would add that if you can disconnect the compromised machine from the network and still access it (console, KVM, serial), then do so. Your login and anything you type could be being sent to an attacker without you realising it.

Additionally, there is no point in simply recovering a hacked server without knowing how it was compromised in the first place; otherwise it will simply be compromised again the same way. Arguably you should have worked it out by following the steps above.

Recursive FTP/HTTP Download

October 10th, 2009

wget is a great tool. Here's a short example of how to recursively fetch a directory from an FTP or HTTP server, also specifying credentials if required.

In short, wget -r http://www.domain.com/directory/ and this works the same with FTP: wget -r ftp://www.domain.com/directory/

If you need to specify a username and password for the FTP server: wget -r ftp://username:password@www.domain.com/directory/

Bear in mind that a password in the URL ends up in your shell history and is visible to every other user on the box via ps while wget runs. Prefer wget -r --ftp-user=username --ftp-password=password ftp://www.domain.com/directory/ with the password read from a file (--ftp-password=$(cat ~/.ftppass)), or put the credentials in ~/.netrc with mode 600, which wget reads automatically.

To resume an existing session, specify -c and each file downloaded will attempt to resume from where it left off, if necessary.

PHP Programmer – Modulo Operator

October 5th, 2009

All major programming languages have it: the modulo operator, and it has multiple uses. First I'm going to explain what it is, then I'm going to demonstrate one very simple, very powerful use.

Programmatically, the modulo operator is most commonly denoted with a percent '%' symbol. Given two numbers as input, the modulo operator returns the remainder after division: p = a % b; assigns to p the remainder after a is divided by b. (In PHP, as in C, the result takes the sign of a, so -7 % 3 is -1, not 2; keep this in mind if a can be negative.)

Here are some examples:

2%2 = 0 (2 divided by 2 = 1 remainder 0)
6%2 = 0 (6 divided by 2 = 3 remainder 0)
7%2 = 1 (7 divided by 2 = 3 remainder 1)
18%4 = 2 (18 divided by 4 = 4 remainder 2)

The modulo operator is used extensively in cryptography, Diffie-Hellman (DH) Key Exchange is just one example.
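To make the cryptographic use concrete, here is modular exponentiation (square-and-multiply, where % keeps every intermediate result small) and a toy Diffie-Hellman exchange built on it. This is an added example in shell rather than PHP, not code from the original post, and it goes beyond the post by carrying the DH example through; the parameters are tiny demonstration values and nothing here is secure.

```bash
#!/bin/bash
# Modular exponentiation and a toy Diffie-Hellman exchange. Added example, not
# from the post. Demo-sized parameters only: NOT usable for real key exchange.

# modpow BASE EXP MOD -> BASE^EXP mod MOD, by square-and-multiply.
# Reducing mod MOD at every step keeps intermediates below MOD^2, so this is
# exact in bash's 64-bit arithmetic for MOD below about 3e9.
modpow() {
    local base=$(( $1 % $3 )) exp=$2 mod=$3 result=1
    while (( exp > 0 )); do
        if (( exp & 1 )); then result=$(( result * base % mod )); fi
        base=$(( base * base % mod ))
        exp=$(( exp >> 1 ))
    done
    echo "$result"
}

# dh_demo P G A B: both sides of a Diffie-Hellman exchange with public prime P,
# generator G and private exponents A (Alice) and B (Bob). Prints the shared
# secret, which both sides must compute identically.
dh_demo() {
    local p=$1 g=$2 a=$3 b=$4 A B sa sb
    A=$(modpow "$g" "$a" "$p")   # Alice publishes A = g^a mod p
    B=$(modpow "$g" "$b" "$p")   # Bob publishes   B = g^b mod p
    sa=$(modpow "$B" "$a" "$p")  # Alice: B^a mod p = g^(ab) mod p
    sb=$(modpow "$A" "$b" "$p")  # Bob:   A^b mod p = g^(ab) mod p
    if [ "$sa" != "$sb" ]; then
        echo "shared secrets differ: $sa vs $sb" >&2
        return 1
    fi
    echo "$sa"
}

# Usage: dh_demo 23 5 6 15      (the textbook example: prints 2)
#        dh_demo 2147483647 5 123456789 987654321   (2^31-1 is prime)
```

The security of the exchange rests on the fact that an eavesdropper sees g, p, A and B but recovering a from A = g^a mod p (the discrete logarithm) is hard for large p; for the 23 used above it is trivially brute-forced, which is the whole point of the real parameters being thousands of bits long.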

As a PHP Programmer, what can this be useful for?

Linux C setuid setgid tutorial

October 3rd, 2009

Here's a very brief example of how to use the setuid() and setgid() functions in your C program. Note that the setuid(0) call only succeeds if the program is already running as root or the binary is setuid root.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
	uid_t current_uid = getuid();
	printf("My UID is: %d. My GID is: %d\n", (int)current_uid, (int)getgid());
	system("/usr/bin/id");
	//Only works if we are root already or the binary is setuid root
	if (setuid(0))
	{
		perror("setuid");
		return 1;
	}
	//I am now root!
	printf("My UID is: %d. My GID is: %d\n", (int)getuid(), (int)getgid());
	system("/usr/bin/id");
	//Time to drop back to regular user privileges. Because we are root this
	//sets the real, effective and saved UID, so the drop is permanent.
	if (setuid(current_uid))
	{
		perror("setuid");
		return 1;
	}
	//Becoming root again must now fail; if it succeeds the drop did not stick
	if (setuid(0) == 0)
	{
		fprintf(stderr, "privileges were not dropped!\n");
		return 1;
	}
	printf("My UID is: %d. My GID is: %d\n", (int)getuid(), (int)getgid());
	system("/usr/bin/id");
	return 0;
}

The program above should be pretty self-explanatory. Two things worth being careful about in real code: always check the return value of every setuid()/setgid() call, because a failed drop is otherwise silently ignored, and drop the group first (setgid(), then setuid()), since once the UID is unprivileged setgid() can no longer succeed. Calling system() from a privileged program, as done here purely for demonstration, hands the caller's environment (PATH, IFS, LD_* and so on) straight to /bin/sh; a real setuid program should scrub its environment first or avoid the shell entirely. Now:

adam@staging:~$ gcc -O2 -ggdb -o setuid setuid.c
adam@staging:~$ ls -al setuid
-rwxr-xr-x 1 adam adam 9792 2009-10-03 18:09 setuid
adam@staging:~$


Linux Security Freelancer – Securing a node – Where to start?

October 3rd, 2009

As a Linux Security Freelancer, I'm often asked where best to start when securing a single Linux host. Whereas most would suggest configuring iptables or similar, the most effective first step in my opinion is to remove unnecessary services.

There are a number of ways to see what is listening:
lsof -i will list network (Internet) sockets; lsof -U lists UNIX-domain sockets only
nmap -sT -sU localhost will scan the local machine for open TCP and UDP ports (scan from a second host too, since services bound only to loopback show up locally but are not reachable from the network)
netstat -tulpn (on Linux) shows every listening TCP and UDP socket with the owning process; the older netstat -a | grep LISTEN misses UDP, which has no LISTEN state

Forgive me for stating the obvious, but the first thing to do is disable any listening service that isn't required. On a default install this could include the likes of the portmapper service (portmap/rpcbind), identd and an smtpd listening on all interfaces rather than just loopback.

Next, you want to suitably lock down user accounts, check passwords, and perhaps consider enforcing a password policy. At minimum I generally prefer at least 8 characters with at least one uppercase letter, one lowercase letter and one digit. Obviously it shouldn't be easily guessable, nor should it just end in a '1'.

Once done, the next thing to do is suitably firewall the services that you do require open, and perhaps also rate-limit ICMP, etc., with iptables.
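Triage of the listening-socket list as an added example, not the post's own procedure: it parses netstat -tulpn output and reports only the listeners reachable from the network, i.e. those bound to a wildcard or non-loopback address, so the loopback-only ones (a local MySQL, say) don't clutter the review. The netstat format is Linux net-tools; the sample lines in the test are constructed, and the function names are my own.

```bash
#!/bin/bash
# Report network-reachable listeners from "netstat -tulpn" output.
# Added example, not from the post. Parses the Linux net-tools format;
# any sample data fed to it is constructed.

# exposed_listeners: netstat -tulpn output on stdin; prints
# "proto host port pid/program" for each listener not bound to loopback.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            addr = $4
            # split "0.0.0.0:22" or ":::22" at the last colon
            n = match(addr, /:[0-9]+$/)
            host = substr(addr, 1, n - 1)
            port = substr(addr, n + 1)
            # udp lines have no State column, so the program field moves left
            prog = ($1 ~ /^udp/) ? $6 : $7
            if (host !~ /^127\./ && host != "::1")
                printf "%s %s %s %s\n", $1, host, port, prog
        }'
}

# audit_listeners: run it against the live system (needs root for the PIDs).
audit_listeners() {
    netstat -tulpn 2>/dev/null | exposed_listeners
}

# Usage: audit_listeners
# Anything printed that you did not consciously install is a candidate for
# removal or for binding to 127.0.0.1 only; the rest is what the firewall must cover.
```

Note that a host bound to :: (IPv6 wildcard) usually accepts IPv4 connections too, so a tcp6 entry is just as exposed as an IPv4 one.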

Linux Consultant – Disk Speed

October 2nd, 2009

Using hdparm it's pretty easy to find out your disk's read speed. hdparm is actually an entire IDE/SATA management utility.

Firstly, ensure that you have the tool: apt-get install hdparm

Once done, quite simply use hdparm with the -t or -T option to time buffered disk reads (actual throughput from the drive) or cached reads (effectively memory bandwidth, no disk involved) respectively. Be VERY careful about the other options that hdparm offers; some are very dangerous and can completely corrupt your data.

apnic03:~# hdparm -t /dev/sda

/dev/sda:
Timing buffered disk reads:  200 MB in  3.00 seconds =  66.57 MB/sec
apnic03:~# hdparm -T /dev/sda

/dev/sda:
Timing cached reads:   4372 MB in  2.00 seconds = 2187.38 MB/sec

Security Consultant – Man In The Middle Attacks (MITM)

October 2nd, 2009

A Man In The Middle (MITM) attack is a popular network-based attack used to hijack a connection or to sniff traffic. "MITM" actually covers a variety of different methods: it is literally positioning yourself, the attacker, between the two communicating parties. Whether you do that via an ARP attack, some type of cryptographic attack, or a physical attack depends on the requirements and the scenario. As a security consultant it is important to ensure that the network and its communications are as secure as possible against this type of attack. I will cover a simple physical MITM attack, then an ARP attack, and then prevention techniques.