Security in an Insecure Environment

Auto Restore Virtualbox

For the security class I’m teaching we recently had a box to pwn. Problem is, they would sometimes get the address wrong and crash the virtual system. I probably would have just distributed the vdi, but not all of them have machines robust enough to run a vm, so I had to set something up.
First off, I gave the virtual vulnerable box a public IP by bridging.

/etc/network/interfaces

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    address 134.50.1.2
    netmask 255.255.0.0
    gateway 134.50.1.254
    bridge_ports eth0 vbox0 vbox1

# The loopback network interface
auto lo
iface lo inet loopback

/etc/vbox/interfaces

vbox0 lundeen br0
vbox1 lundeen br0

Awesome, now firewall rules work. In the vulnbox, I give myself an ip address. On the host, I set up very strict firewall rules using iptables.

Another big issue is auto-restore. Since the class often gets an address wrong, the vulnbox often crashes.

The following will shut the box down, revert to a snapshot, and turn it back on.

/usr/bin/VBoxManage controlvm vulnxp poweroff;
sleep 5;
/usr/bin/VBoxManage snapshot vulnxp discardcurrent -state
sleep 10;
/usr/bin/VBoxManage startvm vulnxp</pre>

Anyway, I put this in crontab to do every 20 minutes.

0,20,40 * * * * /path/to/virtualscript

md5check directories

This is a python script that recursively md5sums all the files in your directory and compares it with another directory.  It is similar, and probably less good than

find /dirone -type f -print0 | md5sum

but this was coded to check if the directory structure copied cleanly to a *windows* box.  It seems to work ok.  TODO: only read line by line if file is over a certain size, else read line by line like it does now.

#!/usr/bin/env python

import os, sys, getopt
from Crypto.Hash import MD5
from Crypto.Hash import SHA

def usage():
  print """
  DESCRIPTION
    compares topdir1 to topdir2 using a hash algorithm

  USAGE
    hashsum.py -h 
      prints this message
    hashsum.py topdir1 topdir2 [sha1|md5]

  """

def sumcont(hasharg, dirname, fnames):
  for file in fnames:
    try:
      myfile = open(os.path.join(dirname, file))
      for i in myfile.readlines():
        hasharg.update(i)
      myfile.close()
    except:
      pass
  print "*",

if len(sys.argv) 3:
  if sys.argv[3].lower() == 'sha1':
    print "HASH ALGORITHM: sha1"
    md5_1 = SHA.new()
    md5_2 = SHA.new()
  else:
    print "HASH ALGORITHM: md5"
else:
  print "HASH ALGORITHM: md5"

os.path.walk(sys.argv[1], sumcont, md5_1)
os.path.walk(sys.argv[2], sumcont, md5_2)
print 'n'
print 'First  dir (',sys.argv[1],') hash : n', md5_1.hexdigest()
print 'Second dir (',sys.argv[2],') hash : n', md5_1.hexdigest()

ldap by hosts

These are some things I recently ran into when trying to restrict a certain ldap user to a certain number of hosts.

For example, at the school we have a cluster where we may only want the parallel processing students to have access, cadence where we may only want vlsi students to have access, and our main server where we want everyone to have access.

Here’s the preliminary way that seems to work.  Here, I assume most of your ldap is setup.

First, add the account objectclass to your user.  You may need to do some mangling here (for example if you use the inetorgperson objectclass).  You can create your own joined schema for this.  The reason you want the account objectclass is so you have access to the host attribute.

Next, for every user, add the restricted hosts you want that user to have access to.  For example, for the cluster I add a host=skynet.coe.isu.edu attribute.

Finally, on skynet.coe.isu.edu, in ldap.conf, add

pam_check_host_attr yes
pam_filter |(host=skynet.coe)

Then on our main server do not add these, as these entries only restrict access to users with the applicable host attributes.

The easiest way to backup an ldap database

slapcat.

There are a lot of ways to do this, and I have experimented with several.

For example, you can copy the master’s database files to the replica.  But this comes with some restrictions. 1. Both hosts must have compatible versions of the dbm libraries2 both hosts must be roughly the same architecture 3 some methods of copying sparse dbm files (eg copy) will fill in the holes, making the files larger.

A more general way to backup  an ldap database or to replicate the db is slapcat.  eg.

root@master # slapcat -b “dc=myldap,dc=org” -l backupcontents.ldif
#… copy backupcontents.ldif to backup or slave
#Then, to restore or add or whatever
root@slave # slapadd -l backupcontents.ldif

Follow

Get every new post delivered to your Inbox.

Join 33 other followers