browsing with firefox, tor, refcontrol, and noscript on ubuntu

May 8, 2009 Leave a comment

This is a topic that’s been covered a lot. However, it took a bit of research to find a solution that worked for me, so I thought I’d write about it here.

I am doing some research that involves a *lot* of google searches. Because this research involves a significant number of directed queries, it seems logical to hide this information as much as practical. If there is a web host who notices sequential names in a Google referer URL repeatedly, this might raise suspicion or alter behavior which could skew results. Similarly, it is desirable to hide IP information from both the web host (for similar reasons) and possibly even search engines.

First, to avoid any changes to usual browsing, a new firefox profile was created using:

firefox -ProfileManager

Additionally, to run both firefox profiles at once, the first was run as normal, which the second has the additional options:

firefox -P <new-profile> -no-remote

I add this to my taskbar alongside the regular old firefox %u so I can choose a profile with a click.

To hide the HTTP referer, a firefox extension called RefControl was selected  https://addons.mozilla.org/en-US/firefox/addon/953. This simply replaces the referer for every query with one that is configurable. Although this is certainly possible with a more traditional proxy (like paros), RefControl’s ease of use is essential with the shear number of queries that were performed for this research. For this research, I changed the referer passed several times from names like “yahoo.com”, “cnn.com”, etc. Although the traffic patterns may still seem suspicious to an administrator who carefully monitors his logs, it reveals virtually no information about what it is that is being searched for.

To obfuscate the IP address, tor and privoxy were used. Tor bounces the HTTP requests around a distributed network of relays all around the world. An in depth discussion of Tor is out of the context here, but in a nutshell “it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location” http://www.torproject.org/. Privoxy is additionally used to prevent applications like flash or dns from leaking information. Since both privoxy and tor are required, you need to install these:

apt-get install tor privoxy

and to get privoxy to work with tor, I uncommented the following line (if it’s not there just add it):

forward-socks4a / localhost:9050 .

Despite the advantages, this did make browsing for names quite slow. I really like torbutton. In the not so distant future I remember having to modify proxy settings every time I wanted to go back and forth using tor. With tor

Lastly, the noscript firefox plugin was used to mitigate all javascript based attacks that might be used to obtain IP information http://noscript.net/.

Filed under Pentest Tagged with , , ,

php multiuser system – the www-data problem

March 19, 2009 Leave a comment

On a lot of multi-user systems, like the one at the school where we have 300+ users all with usermod enabled, we also happen to have other web services running. It’s inconvenient and in insecure for everyone to be running their dynamic web stuff as the same user. I understand this is nearly impossible to do with good security, but this is a university and the point of this server is to let students learn, which means being able to host code.

One security problem in particular is php. suexec was built for cgi-bin stuff – but php is a whole other beast. That’s what I’m talking about here – getting php to run as the user who owns it. More specifically, this will show how /home/user/public_html/myphp.php will run as “user”, but stuff in /var/www will still run as www-data.

One good article I found describing this is here: http://alain.knaff.lu/howto/PhpSuexec/

First things first – mod_php needs to be disabled. This can be done globally, but it’s better to just disable it for public_html dirs. This can be done by adding the following to /etc/apache2/apache2.conf.

<Directory /home>
 php_admin_flag engine off
</Directory>

Now, to enable suphp.

First install php-cgi. and the apache2 prefork which has some things we’ll need later on.

apt-get install php-cgi apache2-prefork-dev

Do not install libapache2-mod-suphp – at least not on 8.04. This older version lacks some of the things most people need… like having more than one directory.

Download the latest suphp module from http://www.suphp.org/Home.html.  Compile this like:

tar xfzv suphp-SNAPSHOT-2008-03-31.tar.gz
cd suphp-SNAPSHOT-2008-03-31
./configure --with-apxs=/usr/bin/apxs2 --with-setid-mode=owner
make
make install

Modify apache’s config

LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so
<Directory /home>
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-php
suPHP_Engine on
</Directory>

Now in /usr/local/etc/suphp.conf

[global]
webserver_user=www-data
docroot=${HOME}/public_html
check_vhost_docroot=false

[handlers]
;Handler for php-scripts
application/x-httpd-php="php:/usr/bin/php-cgi"

Restart apache. To debug, check /var/log/apache2/errors.log.  To test create scripts in public_html directories and in /var/www that exec(‘whoami’) and make sure they’re called with the correct permissions.

It’s a start, but then there’s always stuff like XSS, etc.

Filed under Misc Tagged with , ,

Small Steps

March 12, 2008 Leave a comment

These are some small steps you can take to make it harder for an attacker to figure out what version of some things you have running. These are specific to ubuntu:

apache

Go into /etc/apache2/apache2.conf and change

ServerTokens Full

to

ServerTokens Prod

This will change your info for things like 404s, so instead of listing your exact os, version of apache, etc, it will only say something like ‘Apache Server at progeny.isu.edu Port 80’

postfix

change the smtpd_banner line to something like “smtpd_banner = $myhostname ESMTP $mail_name (Linux)” which will be much harder to figure out than all the crap this normally prints, which, once again, is the exact version of postfix you are running along with the os.

bind

By default, bind also lets people know all this info.  You can change this by changing the version = lines as follows

options {

version “back off, dirt bag!”;

}

Though many of these services can still be fingerprinted without too much effort, not reporting your version info for every service you run is probably a good idea.  So, for example, because of this, you may have a harder time figuring out that this server is running apache2.2 on ubuntu7.04 and postfix2.5… damn it.

Filed under Misc, Security Tools Tagged with , , , ,

Getting rid of the Lame Ubuntu Splash screen

July 31, 2007 Leave a comment

Is there any reason for that lame splash screen on bootup for ubuntu?  No! You know the one I’m talking about. Luckily, it is very easy to get rid of.

Go to /boot/grub/menu.lst

Change:

# defoptions=quiet splash

to

# defoptions=

and type, as root

update-grub

Now you will have text, and that is good.

Filed under Misc Tagged with ,

Boot Ubuntu into Runlevel 3

February 11, 2007 Leave a comment

I have servers that I like to boot into runlevel 3 with. Here’s how in Ubuntu from a regular desktop install.

I guess I should clarify.

First of all, I kind of accidently installed gnome on my firewall. I got the alternate cd and just clicked on install – not install text only. I don’t really care – I have the disk space. I could reinstall, but nah. What I don’t want to do is run in level 2. I’d rather boot into text since 99% of the time that’s all I’ll use. If I ever do need gnome or X I can always startx.

Naturally, I went to /etc/inittab (which didn’t exist before) and created the following:

id:3:initdefault

This was fairly stupid of me. Since Edgy, Ubuntu has been into this upstart thing which actually kicks ass. The above did actually work (it boots into level 3) but a better way would have been to modify the script in /etc/events.d/ which handles all the old inittab stuff.

So we’re done, right? No way jose, cuz in ubuntu, runlevel 3 happens to look a heck of a lot like runlevel 2.

So go into /etc/rc3.d/. These are links to your sysV /etc/init.d/ scripts. You should see a lot of Sxxblah links. The ‘S’ stands for start and the number stands for the order things are run. To not start these, you probably want to move some things (like gdm, X, your nvidia drivers) to start with a ‘K’ for kill. The number can probably stay the same, since that’s just the order that things are executed in. So something like:

# mv S10xserver-xorg-input-wacom K10xserver-xorg-input-wacom
# mv S13gdm K13gdm
# mv S20nvidia-kernel K20nvidia-kernel

You can probably move a lot of these. I’m probably not using bluetooth on my server, for example. If you ever do happen to need it, just change to runlevel 2 with init.

Next time you boot, you should now get a text login. Good job.

Filed under Misc Tagged with , ,