Security in an Insecure Environment
April 22, 2009 Leave a comment
Colored Hat Stuff. New post about once a month
April 22, 2009 Leave a comment
March 18, 2009 1 Comment
For the security class I’m teaching we recently had a box to pwn. Problem is, they would sometimes get the address wrong and crash the virtual system. I probably would have just distributed the vdi, but not all of them have machines robust enough to run a vm, so I had to set something up.
First off, I gave the virtual vulnerable box a public IP by bridging.
/etc/network/interfaces
auto eth0 iface eth0 inet manual auto br0 iface br0 inet static address 134.50.1.2 netmask 255.255.0.0 gateway 134.50.1.254 bridge_ports eth0 vbox0 vbox1 # The loopback network interface auto lo iface lo inet loopback
/etc/vbox/interfaces
vbox0 lundeen br0 vbox1 lundeen br0
Awesome, now firewall rules work. In the vulnbox, I give myself an ip address. On the host, I set up very strict firewall rules using iptables.
Another big issue is auto-restore. Since the class often gets an address wrong, the vulnbox often crashes.
The following will shut the box down, revert to a snapshot, and turn it back on.
/usr/bin/VBoxManage controlvm vulnxp poweroff; sleep 5; /usr/bin/VBoxManage snapshot vulnxp discardcurrent -state sleep 10; /usr/bin/VBoxManage startvm vulnxp</pre>
Anyway, I put this in crontab to do every 20 minutes.
0,20,40 * * * * /path/to/virtualscript
July 12, 2008 Leave a comment
This is a python script that recursively md5sums all the files in your directory and compares it with another directory. It is similar, and probably less good than
find /dirone -type f -print0 | md5sum
but this was coded to check if the directory structure copied cleanly to a *windows* box. It seems to work ok. TODO: only read line by line if file is over a certain size, else read line by line like it does now.
#!/usr/bin/env python import os, sys, getopt from Crypto.Hash import MD5 from Crypto.Hash import SHA def usage(): print """ DESCRIPTION compares topdir1 to topdir2 using a hash algorithm USAGE hashsum.py -h prints this message hashsum.py topdir1 topdir2 [sha1|md5] """ def sumcont(hasharg, dirname, fnames): for file in fnames: try: myfile = open(os.path.join(dirname, file)) for i in myfile.readlines(): hasharg.update(i) myfile.close() except: pass print "*", if len(sys.argv) 3: if sys.argv[3].lower() == 'sha1': print "HASH ALGORITHM: sha1" md5_1 = SHA.new() md5_2 = SHA.new() else: print "HASH ALGORITHM: md5" else: print "HASH ALGORITHM: md5" os.path.walk(sys.argv[1], sumcont, md5_1) os.path.walk(sys.argv[2], sumcont, md5_2) print 'n' print 'First dir (',sys.argv[1],') hash : n', md5_1.hexdigest() print 'Second dir (',sys.argv[2],') hash : n', md5_1.hexdigest()
May 26, 2008 Leave a comment
These are some things I recently ran into when trying to restrict a certain ldap user to a certain number of hosts.
For example, at the school we have a cluster where we may only want the parallel processing students to have access, cadence where we may only want vlsi students to have access, and our main server where we want everyone to have access.
Here’s the preliminary way that seems to work. Here, I assume most of your ldap is setup.
First, add the account objectclass to your user. You may need to do some mangling here (for example if you use the inetorgperson objectclass). You can create your own joined schema for this. The reason you want the account objectclass is so you have access to the host attribute.
Next, for every user, add the restricted hosts you want that user to have access to. For example, for the cluster I add a host=skynet.coe.isu.edu attribute.
Finally, on skynet.coe.isu.edu, in ldap.conf, add
pam_check_host_attr yes
pam_filter |(host=skynet.coe)
Then on our main server do not add these, as these entries only restrict access to users with the applicable host attributes.
May 22, 2008 Leave a comment
slapcat.
There are a lot of ways to do this, and I have experimented with several.
For example, you can copy the master’s database files to the replica. But this comes with some restrictions. 1. Both hosts must have compatible versions of the dbm libraries2 both hosts must be roughly the same architecture 3 some methods of copying sparse dbm files (eg copy) will fill in the holes, making the files larger.
A more general way to backup an ldap database or to replicate the db is slapcat. eg.
root@master # slapcat -b “dc=myldap,dc=org” -l backupcontents.ldif
#… copy backupcontents.ldif to backup or slave
#Then, to restore or add or whatever
root@slave # slapadd -l backupcontents.ldif