Saturday, August 17, 2013

VERY basic iptables rules in a shell script.

I'm just putting this here for future reference.
#!/bin/sh

DEVICE=eth0

# Flush current rules.
iptables -F

# Set default policy to DROP for input, forward, and output.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow all incoming SSH connections.
iptables -A INPUT -i $DEVICE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEVICE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow all incoming traffic for port 80(HTTP)
iptables -A INPUT -i $DEVICE -p tcp --dports 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEVICE -p tcp --sports 80 -m state --state ESTABLISHED -j ACCEPT

# Allow all incoming traffic for port 443 (HTTPS)
iptables -A INPUT -i $DEVICE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEVICE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow all outgoing traffic over HTTP, HTTPS, FTP, MySQL
iptables -A OUTPUT -o $DEVICE -p tcp --dports 21,80,443,3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $DEVICE -p tcp --sport 21,80,443,3306 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow incoming ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS connections.
iptables -A OUTPUT -p udp -o $DEVICE --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i $DEVICE --sport 53 -j ACCEPT

# Allow mail traffic (port 25)
#iptables -A INPUT -i $DEVICE -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $DEVICE -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 500/min -j LOG --log-prefix "Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

Reference: http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Friday, August 16, 2013

librtmp and rtmpdump SRPM

In my current project I require librtmp for building cURL. I was not able to find a readily available source RPM nor was it in the CentOS repos. I built this on CentOS, but since there are no build dependencies you should be able to rebuild this on any RPM based distro.

You can find the source RPM here: rtmpdump-2.3-1.el6.src.rpm

If you prefer to build directly from the source, it can be found bundled with rtmpdump which can be found at mplayerhq.

Monday, July 29, 2013

Getting PHP Info without phpinfo function.

Recently I was able to reproduce a fairly good duplicate of the output of the phpinfo() without actually using the function as it has been disabled on the server. You can see the result here.

How I did this was fairly simple and can easily be trumped by changing a few settings if you are a sysadmin of a web hosting server. I will explain the methods I used, but I will not release the source (yet) as getting this done involved me snooping around the host's server. I will note I was not and do not condone the use of this for malicious purposes. I have been with this company for four or five years now and sometimes I enjoy playing around with their free hosting.

The first section of this phpinfo page contains information about the PHP binary itself such as the build date and configure command. The two aforementioned values are hardcoded right into the PHP binary itself and I used some simple regex matching to find them. I did test with a few different binaries on CentOS 6.4 (which the host uses as well) and found that the regex works regardless of the binary suggesting that it is put into the binary in the same order in that environment at the very least.

Instead of explaining in length how I figured out the rest, I will post some links for you and briefly cover it so I can get to the solution to prevent this method of getting phpinfo.

PHP: stream_get_wrappers - Manual
PHP: Reflection - Manual
PHP: get_loaded_extensions - Manual
PHP: stream_get_transports - Manual
PHP: get_defined_constants - Manual
PHP: phpcredits - Manual

Basically that was all I really needed to retrieve the rest of the data. I looped through the result of get_loaded_extensions and passed them through the ReflectionExtension class, which actually prints formatted HTML about the extension.

As far as solutions go, if you REALLY, REALLY don't want people to be able to do this you could disable the ReflectionExtension class to prevent getting the information on the extensions in php.ini:

disable_classes = ReflectionExtension,ReflectionZendExtension

You could disable the functions I used, but some scripts may actually use them to determine if they can run or not so it may not be advisable. It really is up to the administrator and how many complaints they are willing to deal with if it comes to it.

To prevent grabbing information from the PHP binary itself, if you don't need it to be readable you can just remove the read permissions on it from a command line:

chmod -r /usr/bin/php 

I am currently not aware of any problems that this would bring up, aside from functions like those in libmagic.

This little project wasn't to try and bypass the security by obscurity that disabling the phpinfo function... well, okay, maybe it was. It was rather annoying to not have that function available when I needed to know more about the extensions and such. It also proves that on a standard installation, disabling the phpinfo function does absolutely nothing.

From here, I am going to eventually release a pure php package with a few different ways of getting as much information as possible, including the methods I used plus fallbacks to not have to rely on the functions and classes I used in this method. I will also include a bit of magical detection and methods on how to harden your php installation. The latter being the original motivation of taking on this little project.

Wednesday, June 5, 2013

Protecting packages in yum

In my last post I gave a nice bit of advice on how to remove packages using sed, rpmorphan and yum but also warned that you could easily erase sshd or other programs that you might want.

In this short post I just want to mention that you can protect individual packages from being removed in yum. All you need to do is create a .conf file in /etc/yum/protected.d and add the names of the packages you wish to have protected. This is good for adding important things like your ssh server, or other programs that you might accidentally erase using the method I showed you, or by just using yum. It has happened to me before and I am glad this has been put into yum as a feature.

You can read more in the Fedora documentation.

Using rpmorphan on CentOS 6.4

So I just spent the night compiling and rebuilding RPMs on CentOS to get the exact set up that I would like and now I am left with several *-devel packages along with other development tools and libraries that I do not need any longer. Since this is a production environment, I would prefer to have as little extraneous packages as possible for various reasons.

Enter rpmorphan.

This nifty little tool will list all "orphaned" packages on your system. It would be VERY wise to add the packages that you wish to keep to the exclude list since common programs like wget don't have anything depending on them and will be listed in the output with each package to a line.

Adding a package to the exclude list is simple:

rpmorphan -add-keep wget

The above will add wget to your exclude list.

After you have all the packages you want to keep in your exclude list, removing all orphaned packages with yum is extremely simple:

yum remove `rpmorphan -all | sed ':a;N;$!ba;s/\n/ /g'`

This will run the output of rpmorphan through sed and replace all new lines with a space and use that as the argument list for yum remove. You should be very careful when doing this because I also noticed it listed openssh-server as an orphaned package. Be sure to add that in your exclude list. If not, I feel bad for you and hope you have console or physical access to your box because that would really suck.

Again, I will repeat: Use this at your own risk. If you remove something like your sshd you won't have access to your box. If you're sure that you can handle not doing something like that, this saves a lot of time and stress in the long run. Enjoy!

I would like to acknowledge Zsolt Botykai for his answer on stackoverflow in regards to the sed command. It was very helpful and explained very well.

Tuesday, June 4, 2013

Loading keys automatically with Pageant on Windows.

For those who work remotely on Linux from a Windows machine, they are probably familiar with the PuTTY set of tools for SSH connection management.

For managing keys in the PuTTY client you use pageant which, by default, when you open it will not load any keys. This is easily fixed just by creating a shortcut to the actual pageant program and in the box labelled 
"Target" you should see the path to the executable in double quotes. To load a key automatically when you click this shortcut, just type the full path to the key that you wish to load after the quotes. To add more than one key give a space separated list of full paths to each key you wish to load. 



Here are a couple of examples:

"C:\Program Files (x86)\PuTTY\pageant.exe" D:\SSH\mykey.ppk
The above will load the key "mykey.ppk" when you click on the shortcut.

"C:\Program Files (x86)\PuTTY\pageant.exe" D:\SSH\mykey1.ppk D:\SSH\mykey2.ppk D:\SSH\mykey3.ppk
The above will load the three keys when run from the shortcut.

As an added bonus, you could even place the shortcut in the startup start menu folder to have pageant start up on boot with all your keys loaded. Hopefully this saves someone some time. :)

SFTP Integration with Windows Explorer

I've come to notice that I very rarely use FTP for file transfers and have turned to using SFTP (FTP over SSH) instead for the two following reasons:
First, it is one less bit of software that I need to manage for my servers and second it is more secure. While I generally use Filezilla for most of my general purpose file transfer needs, I have also come across a nice little shell extension that integrates with Windows Explorer called Swish.

With Swish, you are able to log in to your servers through SSH either using password authentication, or through key authentication using pageant key manager. Upon logging in, you are able to navigate through your directories and files directly from Windows Explorer.

While it's a very useful and nice-to-have application, it is still in alpha. For the most part, I have not noticed any major errors that make it a shaky program to have. I think it's really worth a shot. Check it out at the Swish SFTP Homepage.

Wednesday, May 29, 2013

Apache Descriptions for Autoindexing

I've compiled a list of common just for my local instance of Apache and I thought I would share it since I haven't seen something like this before. It may be out there, but I haven't seen it. If you have any suggestions for additions or corrections post them in the comments and I will add them in and credit you.

These descriptions would go in the autoindex configuration file. It is commonly in a subdirectory where you find find httpd.conf. Usually in extras or conf.d or something to that effect. Enough talk, here is the list!

AddDescription "3GP Video" .3gp
AddDescription "3GP2 Video" .3g2
AddDescription "7-Zip Archive" .7z
AddDescription "Adobe Flash Application" .swf
AddDescription "Adobe Flex Project" .fxp
AddDescription "Adobe Portable Document Format" .pdf
AddDescription "Assembler Source File" .s
AddDescription "Audio Interchange File" .aif
AddDescription "Audio Video Interleave Video" .avi
AddDescription "Binary CPIO Archive" .bcpio
AddDescription "Binary Data" .bin
AddDescription "Bitmap Image File" .bmp
AddDescription "BitTorrent File" .torrent
#AddDescription "Blackberry COD File" .cod
AddDescription "Bourne Shell Script" .sh
AddDescription "Bzip Archive" .bz
AddDescription "Bzip2 Archive" .bz2
AddDescription "C Shell Script" .csh
AddDescription "C Source File" .c
AddDescription "Cascading Style Sheet" .css
AddDescription "CPIO Archive" .cpio
AddDescription "Debian Package" .deb
AddDescription "Document Type Definition" .dtd
AddDescription "Electronic Publication" .epub
AddDescription "E-Mail Message" .eml
AddDescription "Flash Video" .f4v .flv
#AddDescription "Fortran Source File" .f .f77 .f90
#AddDescription "GhostScript Font" .gsf
#AddDescription "GNU Tar File" .gtar
#AddDescription "GNU Texinfo Document" .texinfo
AddDescription "GIF Image" .gif
#AddDescription "H.261 Video" .h261
#AddDescription "H.263 Video" .h263
AddDescription "H.264 Video" .h264
AddDescription "HTML Document" .html .htm
#AddDescription "HyperText Application Language" .hal
AddDescription "Icon Image" .ico
AddDescription "Image Exchange Format" .ief
AddDescription "Java Archive" .jar
AddDescription "Java Class" .class
AddDescription "Java Source File" .java
AddDescription "Java Serialized Object" .ser
AddDescription "JavaScript File" .js
AddDescription "JSON File" .json
AddDescription "JPEG Image" .jpg .jpeg
#AddDescription "JPGVideo" .jpgv
#AddDescription "LaTeX File" .latex
AddDescription "M3U Playlist" .m3u
AddDescription "M4V Video" .m4v
#AddDescription "Microsoft Access Database"
AddDescription "MS Executable File" .exe
#AddDescription "MS Cabinet File" .cab
AddDescription "MS Excel File" .xls .xlsx
#AddDescription "MS HTML Help File" .chm
#AddDescription "MS Information Card" .crd
#AddDescription "Microsoft Money" .mny
#AddDescription "MS Powerpoint Presentation" .ppt
AddDescription "MS Windows Media Audio" .wma
AddDescription "MS Word Document" .doc .docx
#AddDescription "MPEG Audio" .mpga
AddDescription "MPEG Video" .mpeg .mpg
AddDescription "MP3 Audio" .mp3
AddDescription "MPEG-4 Audio File" .mp4a
AddDescription "MPEG-4 Video File" .mp4
#AddDescription "MPEG4 Application" .mp4
AddDescription "Ogg Audio" .oga
AddDescription "Ogg Video" .ogv
#AddDescription "MS Windows DLL File" .dll
AddDescription "Open Web Media Audio File" .weba
AddDescription "Open Web Media Video File" .webm
AddDescription "OpenType Font" .otf
AddDescription "TrueType Font" .ttf
AddDescription "Pascal Source File" .p
AddDescription "Adobe Photoshop Document" .psd
AddDescription "PNG Image" .png
AddDescription "PostScript File" .ai
#AddDescription "Adobe Illustrator File" .ai
AddDescription "PGP Signature" .pgp
AddDescription "Quicktime Video" .qt
AddDescription "RAR Archive" .rar
AddDescription "Rich Text File" .rtf .rtx
AddDescription "SVG Image" .svg
AddDescription "PHP Archive" .phar
AddDescription "TIFF Image" .tiff
AddDescription "Tar Archive" .tar
AddDescription "TeX File" .tex
AddDescription "Plain Text File" .txt
#AddDescription "URI List" .uri
AddDescription "vCard" .vcf
AddDescription "UUEncoded File" .uu
AddDescription "Windows Help File" .hlp
AddDescription "X.509 Certificate" .der .crt .x509
AddDescription "XML File" .xml .atom .rss
AddDescription "XSLT File" .xslt
AddDescription "YAML File" .yml
AddDescription "Python Script" .py
AddDescription "Perl Script" .pl .perl .cgi
AddDescription "PHP Script" .php .php1 .php2 .php3 .php4 .phtml
AddDescription "PHP Source File" .phps
AddDescription "PHP Test File" .phpt
AddDescription "SQL Dump File" .sql
AddDescription "Zip Archive" .z .Z .zip
AddDescription "C Header File" .h
AddDescription "C++ Source File" .cpp .c++ .cxx
AddDescription "Patch File" .patch
AddDescription "Diff File" .diff
AddDescription "Gzip Compressed File" .gz
AddDescription "XZ Compressed File" .xz
AddDescription "Server Parsed HTML File" .shtml
AddDescription "File Manifest" .manifest

Check if number is odd PHP

This is just a quick, simple function to check if a number is odd in PHP.


function odd($int) {
    if ($int === 0) {
        return false;
    } else {
        return true;
    }
}

Sunday, April 28, 2013

My poor, forgotten blog.

I have abandoned you for almost a year. Perhaps I will post more VirtualBox and Linux goodies on you so I can forget about you for another year. I may or may not reply to comments. I apologize for the tardiness.