MySQL Master-Master Replication, Heartbeat, DRBD, Apache, PHP, Varnish MegaHOWTO

October 8th, 2014

I created this HOWTO while building a new development environment today. The intention is to take a single Apache2/Varnish/MySQL environment and scale it to two servers, with one effectively a “hot-standby”, to increase redundancy and continuity whilst maintaining current performance. This HOWTO is based on Linux Debian-76-wheezy-64-minimal 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64.

Our current server has IP 192.168.201.1/24 and our new server has IP 192.168.201.7.

Section #1: Set up MySQL Master/Master Replication


First, we’ll set up MySQL master-to-master replication. In this configuration, data can be written to and read from either host. Bear in mind that issues may exist with auto-increment fields when both hosts are written to at the same time. There are other caveats with replication, so be sure to research them, along with how to deal with corruption and repair, before considering this setup for a live application. Also be sure to use the same version of MySQL on both servers; this may not always be necessary, however unless you are very familiar with any changes between versions, not doing so could spell disaster.


Multithreaded TCP Proxy Tunnel Code

August 18th, 2013

Further to my earlier article, I went ahead and developed this application. Here’s a beta!

File: tcp_tun.c
Version: 0.3-beta
Title: TCP reassembling client-server application
Date: 17 Aug 13
Author: Adam Palmer <adam [AT] sasdataservices [DOT] com>
URL: http://www.adampalmer.me/iodigitalsec/

Mitigating the Wireless Hacking Station

October 19th, 2012

I covered an all-in-one wireless exploit device previously, and will now cover some mitigation ideas. There is no individual exploit to mitigate, but a series of weaknesses and insecurities that can lead to attack. To cover each step of the attack:

Attack Step
The device entices clients to connect, by responding to all wireless probes.

Prevention
Client wireless implementations should be more careful about when probes are sent out. Probes should not be sent out for all stored wireless networks indiscriminately. Clients should use broadcast probes where appropriate instead. iOS 6 seems to now implement broadcast probes as standard. Whilst this is a positive move, most mobile wireless devices have connected to at least one wireless hotspot. Beaconing for popular SSIDs in the local area, such as “BTOpenzone”, “FON” and “Boingo Hotspot” in the UK, will continue to attract most wireless devices. Another option would be to require that open networks are only connected to manually by default, unless the user explicitly overrides that setting after an associated warning. In the meantime, not connecting at wireless hotspots, removing saved wireless hotspot profiles, and turning WiFi off when not in use are all options.

Attack Step
Once connected, assign the device an IP via DHCP and use DNAT to redirect all traffic to all hosts back to the device itself.

Prevention
The device should perhaps perform some tests to see if traffic manipulation is in use. This could be legitimate, but at least warn the user that something strange could be going on.

Attack Step
The device will answer the iPhone’s or Blackberry’s HTTP test for internet access and return the expected response.

Prevention
I suspect this feature is supposed to detect if an internet hotspot login is required. It should either be removed or secured better to avoid just opening an arbitrary page on connection to a hotspot. This feature alone could be exploited in other ways.

Attack Step
Client attempts to check email and perhaps contact other servers based on apps installed.

Prevention
Tighter verification of protocol implementations should be performed. The user should be specifically warned if SSL is not in use.

Attack Step
SSL hijack.

Prevention
The client should display an SSL warning that clearly explains that the session may be being hijacked. Rather than a weak informational-type message, the warning should be clear and explicit, and require the user to specifically accept that the connection may be being intercepted. The user should be particularly careful to note any out-of-character behaviour, such as suddenly being prompted with identity or verification issues.

Raspberry Pwn

October 15th, 2012

I’ve recently acquired two Raspberry Pi boards along with power supplies and a nice case. I was attracted by the price and the processing power/RAM vs power consumption. The first thing I was interested to install was the Raspberry Pwn release. I wouldn’t call it a distro as such; it’s more of a script that just downloads tools that most pen testers would download themselves at some point. The Raspberry Pwn site advises that it is not compatible with ‘Raspbian’, which is the newer release shown on the Raspberry Pi site, although I couldn’t see a reason why. I downloaded the installer and ran it manually line by line some time ago, and I remember it running correctly and without issue. There were a few changes to the aptitude installs to address missing packages, and I also gave up trying to download the exploitdb through SVN at the end of the script as it seems to be permanently down. I also downloaded aircrack, dnsmasq, compat-wireless, mdk3-v6, nmap, mitmproxy, reaver, and sqlmap.


Zeroshell Router

October 13th, 2012

I’ve been using Zeroshell on a Routerboard 532a as my office LAN router for over a year now. It’s one of the best router operating systems that I’ve used, and it’s really easy to set up. I’ve configured an OpenVPN connection to a remote office that I work with on a daily basis, and then set routing rules for the VPN’s internal IPs so that my office LAN can connect transparently to the remote LAN. Next, I’ve set up an OpenVPN server so that I and other users can log in remotely to my own office LAN. Routing and firewalling is set up between both VPN connections. On top of that, we have the usual local routing, firewalling, DHCP and caching DNS server, inbound port mapping and so on.

Zeroshell runs on a regular Linux kernel, and SSH can be opened for full shell access. It doesn’t do anything that can’t be done manually via the Linux command line, but it’s an excellent and easy to use system that gets it done far quicker. It’s also proven to be completely stable, and allows me to max out the 65mbit DSL without issue.

root@zeroshell root> uptime
18:27:36 up 257 days, 55 min,  1 user,  load average: 0.16, 0.05, 0.01

Highly recommended, and it only takes as long to set up as writing the image to your CF card. Also compatible with VMware.

Wireless Power Experimentation

October 11th, 2012

It’s been a while since I made a post here as I’ve been a little busy working on my new venture http://www.expertinternetsecurity.com/ but I’m going to try and get back to it again. I’ve been messing around with some cool projects from the Pololu robot, to wireless power, to a wireless network exploit station built around the raspberry pi.

Anyway, some time ago, I became interested in wireless power. I don’t know a huge amount about electronic theory, but thought I’d give it a go. The circuit is really simple and really really REALLY inefficient. I use a signal generator to drive a high power transistor at about 10kHz square wave and then have 24VDC pulsed through the coil. The receiver is just a coil with a noisy weak AC current and some LEDs. I can increase efficiency slightly using a capacitor.

Of course, there are some far better circuits out there, like http://iteadstudio.com/application-note/wireless-power-transmission-or-charge-module/ or http://www.youtube.com/watch?v=2ODW-ntPHSU, but this was just a quick hacked-together test without going too much into the electronic theory of it. Here are some pics.


Linux robot automatically charging

May 2nd, 2011

Since the robot’s rebuild, I finally tackled the automatic charging situation. There are a number of ways to get the device to autocharge. If it always has line of sight to its charger, it can spin until it finds it using infrared, then follow the beam; this however doesn’t work without line of sight. It could use a compass, although there are too many magnetic fields, and this requires advance knowledge of positioning. The simplest method would be to always start on charge, and just store movement history, reversing it when it was necessary to charge. The problem here is that even with good wheel alignment AND accelerometers, even after a few movements, simply reversing them is often not good enough to get it even close to its original position.

Rebuilding the Robot

May 1st, 2011

It had been a while since I’d worked on the robot, and I wanted to work on some movement algorithms. I’ve done some AI work lately on a separate project, and thought that this would help with the automated movement task. Unfortunately, the robot had a little accident, namely falling out of the loft whilst I was bringing it down. The removal of some of the excess hardware was long overdue, and it also needed some bugfixes that I now had no choice but to perform.

Ethernet over mains power lines

July 26th, 2010

I’ve been using a really clever device for the last few years that a lot of people seem to be unaware exists. It’s an Ethernet-over-powerline adapter; one such example is the Devolo dLAN. In a nutshell, you plug it into the mains and connect the Ethernet socket to your network device. You can then plug as many others as you like into various other power points and extend your network wherever the power stretches. Devolo do ones that run up to 200mbit. That’s a theoretical maximum, although I’ve had 177mbit before, which is impressive. It has a couple of downsides:

1. It won’t traverse 3-phase power. I’ve tried it, and I’ve ended up with a very weak/nonexistent signal, which is probably more inductance than anything else.
2. Obviously it doesn’t handle bad cables well – it doesn’t much like extension cables either.
3. Different circuits work about as well as 3 phase power, the only signal you will get is probably inductance between the two circuits.

Some advantages:
1. It travels pretty far. I’ve had over 150mbit between adapters at opposite ends of the house.
2. No new cabling
3. Fully supports standard Ethernet so all network protocols will work just fine over it.
4. I love it

For anyone running a home or office network and not fortunate enough to have Ethernet points cabled in, I strongly recommend these devices; you’ll never know the difference.

Redirecting all HTML files to PHP files

July 18th, 2010

Let’s say that you want to rename all your HTML files to PHP files to begin PHP programming. However, you don’t want to lose all your inbound links to your HTML files. Here’s a quick and easy way to automatically convert all incoming .html addresses to .php files on your server, allowing you to switch to PHP while keeping all your existing .html links working.

Create a .htaccess file, and enter:

RewriteEngine on
# Only redirect when the requested .html file no longer exists on disk
RewriteCond %{REQUEST_FILENAME} !-f
# Escape the dot and anchor the end, so only a trailing ".html" is rewritten
RewriteRule ^(.*)\.html$ $1.php [R=301,NC,L]

This creates a permanent 301 redirect (search-engine friendly) to your new .php file.

Passing PHP variable data through POST

July 16th, 2010

Recently, I was developing an API for a PHP application I’d built, to be utilized by other PHP programmers. Essentially, the PHP programmer passes a load of data to our API through a POST variable. This is as follows:

$api->process($to_process, $data, $opt1, $opt2);

$to_process is an array, as follows:

$to_process = array( array("FOO", "BAR", 1, 2), array("BAR", "FOO", 5, 3), array("HELLO", "World", 9, 10) );

And $data is a ~5k string containing HTML code.

My best option so far has been: $data_array = array(); $data_array[] = $to_process; $data_array[] = $data; $data_array[] = $opt1; $data_array[] = $opt2;

We can then send rawurlencode(serialize($data_array)) from our PHP script to the web API via curl through POST data. On the remote API server, we don’t need to use rawurldecode() as the web server handles this for you. It’s also worth ensuring that magic_quotes_gpc is off. Simply, $data_array = unserialize($_POST['variable']); should do just fine.
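The same exchange packed as JSON instead of a serialized string, as an added example that is not the post's API code: json_decode() with assoc=true only produces arrays and scalars, so unlike unserialize() it cannot instantiate classes named inside attacker-controlled POST data. buildApiPayload(), parseApiPayload() and the field names are assumptions; the argument shape follows $api->process() above.

```php
<?php
// Added example, not the post's API code. Function and field names are assumptions.

// Client side: pack the four arguments as JSON rather than serialize().
function buildApiPayload(array $to_process, string $data, $opt1, $opt2): string
{
    return json_encode(
        ['to_process' => $to_process, 'data' => $data, 'opt1' => $opt1, 'opt2' => $opt2],
        JSON_THROW_ON_ERROR
    );
}

// Server side: decode to plain arrays (assoc=true) and validate the shape before use.
// A bounded depth and a size cap on $data keep a hostile payload from costing much.
function parseApiPayload(string $raw): array
{
    $p = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!isset($p['to_process'], $p['data']) || !is_array($p['to_process'])) {
        throw new InvalidArgumentException('missing or malformed fields');
    }
    foreach ($p['to_process'] as $row) {
        // Each row should look like ["FOO", "BAR", 1, 2]: two strings, two ints
        if (!is_array($row) || count($row) !== 4
            || !isset($row[0], $row[1], $row[2], $row[3])
            || !is_string($row[0]) || !is_string($row[1])
            || !is_int($row[2]) || !is_int($row[3])) {
            throw new InvalidArgumentException('bad to_process row');
        }
    }
    if (!is_string($p['data']) || strlen($p['data']) > 65536) {
        throw new InvalidArgumentException('data must be a string of at most 64 KiB');
    }
    return $p;
}

// Constructed sample input mirroring the post. Send $body with curl as an ordinary POST
// field, e.g. CURLOPT_POSTFIELDS => ['variable' => $body], and on the API side call
// parseApiPayload($_POST['variable']) in place of unserialize().
$to_process = [['FOO', 'BAR', 1, 2], ['BAR', 'FOO', 5, 3], ['HELLO', 'World', 9, 10]];
$body = buildApiPayload($to_process, '<p>some html</p>', 1, 2);
$args = parseApiPayload($body);
// $api->process($args['to_process'], $args['data'], $args['opt1'], $args['opt2']);
```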

SSL increases confidence

July 9th, 2010

If you run a commerce website, you’ve probably heard about SSL certificates. Depending upon the level of certificate that you have, they verify the validity of your domain, up to detailed information about your company. An SSL certificate isn’t handy just for commerce sites, however. It’s a vital website security component for any site that deals with personal information of any sort.

These days, attacks on servers are commonplace, and website users are wary, especially when it comes to entering sensitive information. That’s where an SSL certificate comes in handy. It increases consumer confidence, and the confidence of visitors in general. It shows that you’re serious about what you’re doing.

Cross Site Scripting XSS

June 30th, 2010

As a website security consultant, Cross Site Scripting or XSS vulnerabilities are something that I see just as often as the always popular SQL Injection attack.

Cross Site Scripting seems to have originally meant placing some malicious code on your victim site that would pull code (usually JavaScript, but sometimes VBScript) from another malicious domain. Each client that visited the victim site would end up unknowingly having third-party malicious script code executed in his own browser. Now, it has become a term used to describe any type of malicious scripting attack.

The first example is a simple one. Many sites allow user comments. A user could quite easily enter:
This is my comment!<script type="text/javascript">
alert("script!");
</script>

Any user that hits this affected page will now see a popup box with the text “script!”. The user could also just as easily have entered a script source of http://www.nastydomain.com/nastyscript.js, which will be downloaded and executed.

The second option is to place some JavaScript code that steals the user’s cookies for that particular site and then posts them to a third-party site. His cookies may contain a login and password, or more likely a login hash. The attacker can then use these cookies to hijack the user’s session and access possibly sensitive areas of the site under that user’s account, as that hijacked user.

Fortunately the solution is simple. Either use htmlentities() to ‘escape’ HTML entities, i.e. converting <’s to &lt; etc., or use strip_tags() to remove all HTML tags from the input.
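The two defences named above applied to the comment from the example, as an added illustration that is not the original post's code; the function names are assumptions. It also goes one step beyond the post: output that lands inside a JavaScript string needs JSON encoding, because HTML escaping alone does not help in that context.

```php
<?php
// Added example, not the original post's code. Function names are assumptions.

// Constructed sample input: the comment from the post above.
$comment = 'This is my comment!<script type="text/javascript">alert("script!");</script>';

// For output inside HTML element content or a double-quoted attribute.
// ENT_QUOTES also escapes single quotes (matters inside attributes); the charset
// must match the page's declared encoding or a browser may decode bytes differently.
function escapeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Alternative from the post: drop the tags. Note that strip_tags() keeps the text
// between tags, so the script body survives as plain text, and it offers nothing
// for values placed inside attributes (onmouseover="...", href="javascript:...").
function stripTags(string $untrusted): string
{
    return strip_tags($untrusted);
}

// For values embedded in a <script> block: HTML escaping is the wrong tool there.
// JSON-encoding with the HEX flags keeps "</script>" and quotes inert.
function escapeForJsString(string $untrusted): string
{
    return json_encode($untrusted, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo '<p>', escapeForHtml($comment), "</p>\n";
echo '<p>', escapeForHtml(stripTags($comment)), "</p>\n";   // stripped *and* escaped
echo '<script>var comment = ', escapeForJsString($comment), ";</script>\n";
```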

MySQL – Find Duplicates Only

June 25th, 2010

Within MySQL, we may want to select duplicate records instead of just unique records. Assuming a table named ‘table’ and the field to check being ‘field’ (TABLE is a reserved word in MySQL, so it is quoted with backticks below):

To select UNIQUE rows only:
SELECT DISTINCT field FROM `table`;

To select DUPLICATE rows only (values that appear exactly twice):
SELECT field FROM `table` GROUP BY field HAVING ( COUNT(field) = 2 );

To select DUPLICATE, TRIPLICATE or more rows only:
SELECT field FROM `table` GROUP BY field HAVING ( COUNT(field) > 1 );

PHP, MySQL and memcached

June 24th, 2010

Memcached is a distributed object memory caching system. It can be used to set and get data by key from any application that supports sockets.

As a website security consultant I advise you to ensure that your memcache server runs on 127.0.0.1 only and that you secure your server. Anyone with access to the server can telnet to the server’s local interface and get/set your memcache data.

I’ve used memcached for a number of PHP/MySQL projects where I want greater cache control over database queries than just relying on MySQL’s inbuilt caching abilities.

Now, whilst memcached should not be used to mask bad database design and optimization, or badly written SQL queries, it can help dramatically with queries that simply take a long time and have already been optimized as far as possible.

Assume that you had a simple database query wrapper:
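The wrapper itself is not shown on this page, so what follows is an added example rather than the post's own code: a query wrapper that caches prepared-statement results in memcached, keyed by a hash of the SQL and its bound values, with the client pinned to 127.0.0.1 as advised above. cachedQuery(), invalidateQuery(), the 60-second TTL and the SQLite demo table are assumptions.

```php
<?php
// Added example, not the post's wrapper. Names, TTL and the demo table are assumptions.

function cachedQuery(PDO $pdo, Memcached $mc, string $sql, array $params = [], int $ttl = 60): array
{
    // Key on the exact statement plus bound values; hashing keeps it under
    // memcached's 250-byte key limit and avoids spaces, which keys may not contain.
    $key = 'q:' . sha1($sql . "\0" . json_encode($params));

    $hit = $mc->get($key);
    if ($mc->getResultCode() === Memcached::RES_SUCCESS) {
        return $hit;                                   // served from cache
    }

    // The cache never replaces parameter binding: the SQL stays a prepared statement.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Arrays are stored via PHP serialization by default and unserialized on get(),
    // which is exactly why only this host may reach the memcached port.
    $mc->set($key, $rows, $ttl);                       // short TTL bounds staleness
    return $rows;
}

// Call after a write that affects the query so the next read is fresh.
function invalidateQuery(Memcached $mc, string $sql, array $params = []): void
{
    $mc->delete('q:' . sha1($sql . "\0" . json_encode($params)));
}

$mc = new Memcached();
$mc->addServer('127.0.0.1', 11211);                    // local interface only

$pdo = new PDO('sqlite::memory:');                     // constructed demo database
$pdo->exec('CREATE TABLE t (field TEXT)');
$pdo->exec("INSERT INTO t VALUES ('a'), ('a'), ('b')");

$sql = 'SELECT field FROM t WHERE field = ?';
$first  = cachedQuery($pdo, $mc, $sql, ['a']);        // runs the query, fills the cache
$second = cachedQuery($pdo, $mc, $sql, ['a']);        // cache hit
$pdo->exec("INSERT INTO t VALUES ('a')");
invalidateQuery($mc, $sql, ['a']);                     // next call sees three rows
```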