Saturday, August 17, 2013

VERY basic iptables rules in a shell script.

I'm just putting this here for future reference.
#!/bin/sh

DEVICE=eth0

# Flush current rules and delete any user-defined chains (such as LOGGING from a
# previous run) so the script can be re-run cleanly.
iptables -F
iptables -X

# Set default policy to DROP for input, forward, and output.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow all incoming SSH connections.
iptables -A INPUT -i $DEVICE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEVICE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow all incoming traffic for port 80 (HTTP).
iptables -A INPUT -i $DEVICE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEVICE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow all incoming traffic for port 443 (HTTPS).
iptables -A INPUT -i $DEVICE -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $DEVICE -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow all outgoing traffic over FTP, HTTP, HTTPS, MySQL.
# Several ports in one rule require the multiport match (plain --dport takes a single port).
iptables -A OUTPUT -o $DEVICE -p tcp -m multiport --dports 21,80,443,3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $DEVICE -p tcp -m multiport --sports 21,80,443,3306 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing ping.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow incoming ping.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Allow loopback (local services talk to each other over lo).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow outbound DNS queries (UDP only).
iptables -A OUTPUT -p udp -o $DEVICE --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i $DEVICE --sport 53 -j ACCEPT

# Allow mail traffic (port 25); uncomment if this host runs a mail server.
#iptables -A INPUT -i $DEVICE -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $DEVICE -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# Log dropped packets. Only INPUT is sent to LOGGING; packets dropped by the
# OUTPUT and FORWARD default policies are not logged.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 500/min -j LOG --log-prefix "Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
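As an added example (not part of the original post), a small POSIX sh audit that checks a ruleset dump for the properties the script above sets: DROP default policies on all three chains, a LOGGING chain that really ends in DROP, and no inbound TCP port accepted beyond the expected ones. The sample `iptables -S` output, the `eth0` device and the `EXPECTED_PORTS` list are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of what `iptables -S` prints after the script above has loaded
# (on a real host use RULES=$(iptables -S) instead).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N LOGGING
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -o lo -j ACCEPT
-A LOGGING -m limit --limit 500/min -j LOG --log-prefix "Packet Dropped: " --log-level 7
-A LOGGING -j DROP'

# Inbound TCP ports the script is meant to expose; any other accepted port is reported.
EXPECTED_PORTS="22 80 443"

# policy_is_drop RULES CHAIN: succeed if CHAIN's default policy is DROP.
policy_is_drop() { printf '%s\n' "$1" | grep -q "^-P $2 DROP\$"; }

# logging_terminates RULES: succeed if the last rule of LOGGING is an unconditional DROP,
# i.e. a packet that reaches the chain is logged (rate-limited) and then discarded.
logging_terminates() {
    printf '%s\n' "$1" | grep '^-A LOGGING ' | tail -n 1 | grep -q ' -j DROP$'
}

# unexpected_inbound_ports RULES: print accepted INPUT --dport values that are not in
# EXPECTED_PORTS; the return value is the number of such ports (0 = none).
unexpected_inbound_ports() {
    n=0
    for p in $(printf '%s\n' "$1" | grep '^-A INPUT .*-j ACCEPT$' |
               sed -n 's/.*--dport \([0-9]*\).*/\1/p'); do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) echo "$p"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# fail MESSAGE: report one finding and count it (fails is set by audit_rules).
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_rules RULES: run every check, print findings, return the number of failed checks.
audit_rules() {
    fails=0
    for chain in INPUT FORWARD OUTPUT; do
        policy_is_drop "$1" "$chain" || fail "$chain default policy is not DROP"
    done
    logging_terminates "$1" || fail "LOGGING chain does not end in DROP"
    extra=$(unexpected_inbound_ports "$1") || fail "unexpected inbound ports: $extra"
    return $fails
}
```

Run `audit_rules "$(iptables -S)"` as root after loading the script; a non-zero exit means at least one check failed and the findings are printed.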

Reference: http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Friday, August 16, 2013

librtmp and rtmpdump SRPM

In my current project I require librtmp for building cURL. I was not able to find a readily available source RPM, nor was it in the CentOS repos. I built this on CentOS, but since there are no build dependencies you should be able to rebuild it on any RPM-based distro.

You can find the source RPM here: rtmpdump-2.3-1.el6.src.rpm

If you prefer to build directly from the source, it can be found bundled with rtmpdump which can be found at mplayerhq.

Monday, July 29, 2013

Getting PHP Info without phpinfo function.

Recently I was able to reproduce a fairly good duplicate of the output of phpinfo() without actually using the function, as it has been disabled on the server. You can see the result here.

How I did this was fairly simple and can easily be trumped by changing a few settings if you are a sysadmin of a web hosting server. I will explain the methods I used, but I will not release the source (yet), as getting this done involved me snooping around the host's server. I will note that I did not, and do not, condone the use of this for malicious purposes. I have been with this company for four or five years now and sometimes I enjoy playing around with their free hosting.

The first section of this phpinfo page contains information about the PHP binary itself, such as the build date and configure command. The two aforementioned values are hardcoded right into the PHP binary itself, and I used some simple regex matching to find them. I did test with a few different binaries on CentOS 6.4 (which the host uses as well) and found that the regex works regardless of the binary, suggesting that the values are put into the binary in the same order in that environment at the very least.

Instead of explaining at length how I figured out the rest, I will post some links for you and briefly cover it so I can get to the solution for preventing this method of getting phpinfo.

PHP: stream_get_wrappers - Manual
PHP: Reflection - Manual
PHP: get_loaded_extensions - Manual
PHP: stream_get_transports - Manual
PHP: get_defined_constants - Manual
PHP: phpcredits - Manual

Basically that was all I really needed to retrieve the rest of the data. I looped through the result of get_loaded_extensions and passed each name to the ReflectionExtension class, which actually prints formatted HTML about the extension.

As far as solutions go, if you REALLY, REALLY don't want people to be able to do this you could disable the ReflectionExtension class to prevent getting the information on the extensions in php.ini:

disable_classes = ReflectionExtension,ReflectionZendExtension

You could disable the functions I used, but some scripts may actually use them to determine if they can run or not so it may not be advisable. It really is up to the administrator and how many complaints they are willing to deal with if it comes to it.

To prevent grabbing information from the PHP binary itself, if you don't need it to be readable you can just remove the read permissions on it from a command line:

chmod -r /usr/bin/php

I am currently not aware of any problems that this would bring up, aside from functions like those in libmagic.

This little project wasn't to try and bypass the security by obscurity that disabling the phpinfo function... well, okay, maybe it was. It was rather annoying to not have that function available when I needed to know more about the extensions and such. It also proves that on a standard installation, disabling the phpinfo function does absolutely nothing.

From here, I am going to eventually release a pure php package with a few different ways of getting as much information as possible, including the methods I used plus fallbacks to not have to rely on the functions and classes I used in this method. I will also include a bit of magical detection and methods on how to harden your php installation. The latter being the original motivation of taking on this little project.

Wednesday, June 5, 2013

Protecting packages in yum

In my last post I gave a nice bit of advice on how to remove packages using sed, rpmorphan and yum but also warned that you could easily erase sshd or other programs that you might want.

In this short post I just want to mention that you can protect individual packages from being removed in yum. All you need to do is create a .conf file in /etc/yum/protected.d and add the names of the packages you wish to have protected, one per line. This is good for adding important things like your SSH server, or other programs that you might accidentally erase using the method I showed you, or by just using yum. It has happened to me before, and I am glad this has been put into yum as a feature.

You can read more in the Fedora documentation.

Using rpmorphan on CentOS 6.4

So I just spent the night compiling and rebuilding RPMs on CentOS to get the exact setup that I would like, and now I am left with several *-devel packages along with other development tools and libraries that I do not need any longer. Since this is a production environment, I would prefer to have as few extraneous packages as possible, for various reasons.

Enter rpmorphan.

This nifty little tool will list all "orphaned" packages on your system, one package per line. It would be VERY wise to add the packages that you wish to keep to the exclude list, since common programs like wget don't have anything depending on them and will be listed in the output.

Adding a package to the exclude list is simple:

rpmorphan -add-keep wget

The above will add wget to your exclude list.

After you have all the packages you want to keep in your exclude list, removing all orphaned packages with yum is extremely simple:

yum remove `rpmorphan -all | sed ':a;N;$!ba;s/\n/ /g'`

This will run the output of rpmorphan through sed, replace all newlines with a space, and use the result as the argument list for yum remove. You should be very careful when doing this, because I also noticed it listed openssh-server as an orphaned package. Be sure to add that to your exclude list. If not, I feel bad for you and hope you have console or physical access to your box, because that would really suck.

Again, I will repeat: Use this at your own risk. If you remove something like your sshd you won't have access to your box. If you're sure that you can handle not doing something like that, this saves a lot of time and stress in the long run. Enjoy!
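As an added example (not code from the post or from rpmorphan), a POSIX sh function that builds the argument list for yum remove from rpmorphan's output while refusing any package named in a protected-packages list, in the same one-name-per-line format as the files in /etc/yum/protected.d described in the "Protecting packages in yum" post. The package names in the two samples are constructed.

```shell
#!/bin/sh
# Constructed stand-in for the output of `rpmorphan -all` (one package name per line).
SAMPLE_ORPHANS='gcc
openssh-server
libcurl-devel
wget
zlib-devel'

# Constructed stand-in for a file in /etc/yum/protected.d (one package name per line).
SAMPLE_PROTECTED='openssh-server
wget
yum'

# safe_orphans ORPHANS PROTECTED: print the orphaned packages that are not protected as a
# single space-separated line (what the sed one-liner in the post builds for yum remove).
# Returns 1 if any protected package was in the list, mirroring yum's own behaviour of
# refusing the whole transaction rather than removing the rest; returns 0 otherwise.
safe_orphans() {
    orphans=$1
    protected=$2
    keep=''
    hit=0
    for pkg in $orphans; do
        # -F -x: match the whole line literally, so "wget" does not match "wget-devel"
        # and characters such as "+" in a package name are not treated as a regex.
        if printf '%s\n' "$protected" | grep -qxF -- "$pkg"; then
            echo "refusing to remove protected package: $pkg" >&2
            hit=1
        else
            keep="${keep:+$keep }$pkg"
        fi
    done
    printf '%s\n' "$keep"
    return $hit
}

# Real-world use (not run here): yum is only invoked when no protected package was hit.
#   orphans=$(rpmorphan -all)
#   protected=$(cat /etc/yum/protected.d/*.conf 2>/dev/null)
#   list=$(safe_orphans "$orphans" "$protected") && yum remove $list
```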

I would like to acknowledge Zsolt Botykai for his answer on Stack Overflow regarding the sed command. It was very helpful and explained very well.

Tuesday, June 4, 2013

Loading keys automatically with Pageant on Windows.

Those who work remotely on Linux from a Windows machine are probably familiar with the PuTTY set of tools for SSH connection management.

For managing keys in the PuTTY client you use Pageant, which by default will not load any keys when you open it. This is easily fixed by creating a shortcut to the Pageant executable. In the shortcut's properties, the box labelled "Target" shows the path to the executable in double quotes. To load a key automatically when you click this shortcut, type the full path to the key you wish to load after the closing quote. To add more than one key, give a space-separated list of full paths to each key you wish to load.

Here are a couple of examples:

"C:\Program Files (x86)\PuTTY\pageant.exe" D:\SSH\mykey.ppk
The above will load the key "mykey.ppk" when you click on the shortcut.

"C:\Program Files (x86)\PuTTY\pageant.exe" D:\SSH\mykey1.ppk D:\SSH\mykey2.ppk D:\SSH\mykey3.ppk
The above will load the three keys when run from the shortcut.

As an added bonus, you could even place the shortcut in the Startup folder of the Start menu to have Pageant start on login with all your keys loaded. Hopefully this saves someone some time. :)

SFTP Integration with Windows Explorer

I've come to notice that I very rarely use FTP for file transfers and have turned to using SFTP (FTP over SSH) instead, for two reasons: first, it is one less bit of software that I need to manage on my servers, and second, it is more secure. While I generally use FileZilla for most of my general-purpose file transfer needs, I have also come across a nice little shell extension that integrates with Windows Explorer, called Swish.

With Swish, you are able to log in to your servers through SSH using either password authentication or key authentication via the Pageant key manager. Upon logging in, you can navigate through your directories and files directly from Windows Explorer.

While it's a very useful and nice-to-have application, it is still in alpha. For the most part, I have not noticed any major errors that would make it a shaky program to have. I think it's really worth a shot. Check it out at the Swish SFTP Homepage.