Rawr!!!

sudo (brief history — & installation) — Part one of multipart series

October 25th, 2011 by

There was a time in all of our lives when we needed to log in to the root account to install packages; the smarter Linux noobs among us used su - instead ;) I don’t actually recall when I started using sudo (superuser do, pronounced soo-doo), but I’ve been using it long enough to have forgotten when I started :0 The power of sudo in multi-user environments is hard to overstate. Being able to grant execution rights by category of program is fantastic, especially when you only want to let a user view logs and do nothing else with the system (dev team), or let someone add users so you don’t have to, without worrying about them breaking anything else.

This tutorial is short, sweet and simple, and is based primarily on using sudo with scripts in a single-user environment. I’ll also give a short overview of how to expand it for multi-user machines (it’s fairly straightforward).

Lets start with a little intro to sudo:

Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on a VAX-11/750 running 4.1BSD. An updated version, credited to Phil Betchel, Cliff Spencer, Gretchen Phillips, John LoVerso and Don Gworek, was posted to the net.sources Usenet newsgroup in December of 1985.

http://www.sudo.ws/sudo/history.html

Sudo has been around for a long time, has been maintained by a lot of different people, and changed gradually until Todd C. Miller took over the project. Quest Software sponsors sudo by paying Todd to maintain it, which is why updates now arrive at a steady pace.

Sudo Setup:

Before starting anything, install sudo and add your user to the wheel group. Both commands need to be run as root (su - first):

pacman -S sudo

## this will add your username to group wheel
## We'll use this group assignment later
gpasswd -a <your_username> wheel

Sudo Configuration:
Now that everything’s set up, we need to dive into /etc/sudoers (carefully) and edit some things.
DO NOT EDIT /etc/sudoers DIRECTLY… visudo locks the file, checks the syntax before saving and refuses to write a broken file; a syntax error in /etc/sudoers stops sudo working for everyone, which on a box without a root password is a lockout.

su -
visudo

Instead of showing you the default /etc/sudoers file, I’ll instead show you what you could easily replace it with:

#
# /etc/sudoers -- visudo
#

Cmnd_Alias    SUSPEND = /usr/sbin/pm-suspend
Cmnd_Alias    INTERNET = /usr/bin/netcfg, /sbin/ifconfig, /usr/sbin/iwconfig, /usr/sbin/iwlist, /usr/sbin/dhcpcd
Cmnd_Alias    SAVEPOWER = /home/fsk141/.scripts/autopower

root ALL=(ALL) ALL

%wheel ALL=(ALL) ALL, NOPASSWD: SUSPEND, NOPASSWD: INTERNET, NOPASSWD: SAVEPOWER

Let’s break this down into simple little bits. I’m using Cmnd_Aliases for a simple purpose, and I have a very stripped-down sudoers. All of the programs and scripts I need live in Cmnd_Aliases, which I then reference from the wheel group entry (%wheel). Two things to keep in mind: a tag such as NOPASSWD: applies to every command that follows it on the line, so the repetition above is harmless but not required; and anything you allow with NOPASSWD must be a root-owned file that only root can write. SAVEPOWER points at a script under /home/fsk141, so anyone who can edit that script (the user, or any process running as them) effectively has a passwordless root shell.

The simplest solution would be to have just two lines in your /etc/sudoers file (ALL is a keyword and it is case-sensitive):

#root can login & has all permissions
root ALL=(ALL) ALL

#Users of group wheel can login & have all permissions
%wheel ALL=(ALL) ALL

This will allow you to say ‘sudo su -’ from your standard prompt and be dropped into a nice root prompt, or to easily run ‘sudo rc.d start nginx’ to start your webserver without having to log in as root first…
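To make the point about command paths concrete, here is an added example (mine, not part of the original post or of sudo itself) that walks the Cmnd_Alias lines of a sudoers file and reports any command that is missing, not owned by root, or writable by group/other. The demo builds a throwaway sudoers in a temp directory: the autopower script and the absent pm-suspend binary are constructed for the demo, and the check only reads single-line aliases.

```sh
#!/bin/sh
# Audit every absolute path named in the Cmnd_Alias lines of a sudoers file.
# A command that runs as root (especially with NOPASSWD) must be owned by root
# and writable only by root; otherwise whoever can edit it owns the box.
# Usage: audit_cmnd_aliases /etc/sudoers   -> "OK|UNSAFE|MISSING <path>" per path
# (single-line Cmnd_Alias entries only; arguments after a path are ignored)
audit_cmnd_aliases() {
    # keep only the right-hand side of each alias, one token per line,
    # and only tokens that are absolute paths
    grep -E '^[[:space:]]*Cmnd_Alias' "$1" |
        sed -e 's/^[^=]*=//' -e 's/,/ /g' |
        tr -s ' \t' '\n\n' |
        grep '^/' |
        while IFS= read -r path; do
            if [ ! -e "$path" ]; then
                echo "MISSING $path"
            elif [ -n "$(find "$path" -maxdepth 0 \( ! -user root -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
                # not root-owned, or group/world writable
                echo "UNSAFE $path"
            else
                echo "OK $path"
            fi
        done
}

# Constructed demo: a sudoers like the one above, with SAVEPOWER pointing at a
# script in the user's home directory (made world-writable to drive the point
# home) and SUSPEND pointing at a binary that is not installed.
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/home/fsk141/.scripts"
    printf '#!/bin/sh\nexit 0\n' > "$d/home/fsk141/.scripts/autopower"
    chmod 777 "$d/home/fsk141/.scripts/autopower"
    cat > "$d/sudoers" <<EOF
Cmnd_Alias    SUSPEND = $d/usr/sbin/pm-suspend
Cmnd_Alias    SAVEPOWER = $d/home/fsk141/.scripts/autopower
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL, NOPASSWD: SUSPEND, NOPASSWD: SAVEPOWER
EOF
    audit_cmnd_aliases "$d/sudoers"
    rm -rf "$d"
}

demo_audit
```

Run it against the real file with audit_cmnd_aliases /etc/sudoers (as root, since the file is mode 0440); every UNSAFE line is a path you should either move under a root-owned directory such as /usr/local/sbin or drop from the NOPASSWD list.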

——

This is just a starter in a multi-part series on sudo; I plan on writing a more complicated write-up for multi-user and multi-system applications (restricting users to certain apps, certain servers, etc.). I also have an interview lined up with Todd C. Miller, and hope to get some insightful comments out of him.

[tutorial] Disable ssh password login; Enable ssh key auth

October 23rd, 2011 by

So you have a Linux server accessible from the outside network? Have you checked your auth logs lately? Bet not… Well, go ahead and check; if you have a publicly accessible server your auth log should be full of login attempts. Hopefully all of them failed; I’d also recommend checking the Accepted logins and making sure none of them happened at 3 in the morning on a Saturday, or at any other time you’d never log in :)

Anywho, you could spend a whole lot of time and effort setting up a software or hardware mitigation solution. While that can be efficient at finding hosts that shouldn’t have access to your servers, and can feed your overall blacklists, things still leak through: say someone happens to guess your password in fewer than 3 attempts and your limit is set to 3? What a bummer, server compromised. The solution below prevents EVERYONE (except you, of course) from accessing your server. Well, via password auth anyway…
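As an added example (not from the original post), here is the log check the paragraph above suggests, as a POSIX shell function run over a few constructed syslog-style auth.log lines: it lists every Accepted login with its auth method, user and source address, and flags password logins (the ones key-only auth removes) and logins outside a given hour window. The hostname, users and addresses in the sample lines are made up.

```sh
#!/bin/sh
# Summarise successful sshd logins from a syslog-style auth log and flag the
# two things worth a second look: password logins and off-hours logins.
# Usage: report_accepted_logins FILE [FROM_HOUR] [TO_HOUR]   (defaults 8 and 20)
report_accepted_logins() {
    awk -v from="${2:-8}" -v to="${3:-20}" '
        # "Oct 22 03:14:07 host sshd[1234]: Accepted password for fsk141 from 203.0.113.5 port 51234 ssh2"
        # $3 = HH:MM:SS   $7 = method   $9 = user   $11 = source address
        /sshd\[[0-9]+\]: Accepted / {
            hour = substr($3, 1, 2) + 0
            flags = ""
            if ($7 == "password") flags = flags " PASSWORD"
            if (hour < from || hour >= to) flags = flags " OFFHOURS"
            tag = (flags == "") ? "" : " <-" flags
            printf "%s %s %s %s %s@%s%s\n", $1, $2, $3, $7, $9, $11, tag
        }' "$1"
}

# Constructed sample log: one key login in working hours, one failed attempt
# (ignored), one password login at 3am, one password login at 9:30.
demo_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct 22 10:02:11 oHai sshd[2201]: Accepted publickey for fsk141 from 198.51.100.7 port 50122 ssh2
Oct 22 10:03:40 oHai sshd[2210]: Failed password for root from 203.0.113.5 port 41022 ssh2
Oct 23 03:14:07 oHai sshd[2398]: Accepted password for fsk141 from 203.0.113.5 port 51234 ssh2
Oct 23 09:30:00 oHai sshd[2450]: Accepted password for me from 192.0.2.10 port 40001 ssh2
EOF
    report_accepted_logins "$f" 8 20
    rm -f "$f"
}

demo_report
```

On a real box run it as report_accepted_logins /var/log/auth.log (or whatever your syslog writes sshd messages to); once password auth is disabled as described below, any PASSWORD line that appears afterwards means the config change did not take effect.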

  1. Let’s start on the local machine that plans on connecting to the ssh server:
    ssh-keygen
    

    Result (this isn’t my key; or hostname :) :

    [fsk141@oHai ~]$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/fsk141/.ssh/id_rsa): .meh
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in .ssh/id_rsa.
    Your public key has been saved in .ssh/id_rsa.pub.
    The key fingerprint is:
    a4:fb:92:4b:33:a5:f6:5b:b8:ce:f7:a1:78:73:4a:f0 fsk141@oHai
    The key's randomart image is:
    +--[ RSA 2048]----+
    |                 |
    |                 |
    |        .        |
    |       o         |
    |      . S        |
    |       + +       |
    |      B.. E .    |
    |     oo* =+...   |
    |      .+O+o=.    |
    +-----------------+
    
  2. Now that we have our ssh public key available, let’s copy it to the server:
    ## if you have ssh-copy-id ##
    ssh-copy-id -i ~/.ssh/id_rsa.pub me@myserver.com
    
    ## if you don't have ssh-copy-id ##
    ## you can run the ssh "commands" on your server;
    ## I just made it so everything could be done
    ## from the connecting localhost. The key is appended,
    ## so any keys already in authorized_keys survive.
    ssh me@myserver.com 'mkdir -p ~/.ssh && chmod 700 ~/.ssh'
    cat ~/.ssh/id_rsa.pub | ssh me@myserver.com 'cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
    
  3. Now that we’re all ready, test things out; make sure you can log in without being asked for your account password (a prompt for the key’s passphrase is fine):
    ssh me@myserver.com
    
  4. On to disabling password auth (WARNING: make sure you can log in with your key first, otherwise you’ll lock yourself out!)

    Edit /etc/ssh/sshd_config and set the following. sshd uses the first occurrence of each directive and does not understand comments at the end of a line, so change the existing lines rather than appending new ones below them:

    # (optional, but strongly advised) no root login at all
    PermitRootLogin no
    # no password logins...
    PasswordAuthentication no
    # ...and no keyboard-interactive/PAM password prompts either, which
    # PasswordAuthentication no on its own does not switch off
    ChallengeResponseAuthentication no
    
  5. Check that the config still parses, then restart the sshd server
    sudo /usr/sbin/sshd -t && sudo /etc/rc.d/sshd restart
    
  6. Test everything on another terminal, before closing your session:

    If everything works, hooray, enjoy a secure system.
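An added example (not from the original post) for step 4: sshd honours the first occurrence of a directive, so a setting appended at the bottom of sshd_config loses to an earlier one. This shell function sets a directive in place, and the demo runs it against a constructed sshd_config that already contains PasswordAuthentication yes twice. The directive names are real sshd_config options; the demo file and its contents are assumptions for the example, and you should still run sshd -t after editing the real file.

```sh
#!/bin/sh
# Set a global sshd_config directive in place: the first matching line
# (commented out or not) becomes the setting, later duplicates are dropped,
# and the line is appended only if the directive was absent.
# Caveat: this does not understand "Match" blocks; keep these directives global.
# Usage: set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
set_sshd_option() {
    cfg=$1 key=$2 val=$3
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        $0 ~ "^[ \t]*#?[ \t]*" key "([ \t]|$)" {
            if (!done) { print key " " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# What sshd will actually use: the first uncommented occurrence of the directive.
effective_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Constructed demo config with the classic trap: the directive is set twice,
# so appending "PasswordAuthentication no" at the end would change nothing.
demo_harden_sshd() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
Port 22
PasswordAuthentication yes
#PermitRootLogin yes
UsePAM yes
PasswordAuthentication yes
EOF
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
    printf '%s %s %s %s\n' \
        "$(effective_sshd_option "$cfg" PasswordAuthentication)" \
        "$(effective_sshd_option "$cfg" ChallengeResponseAuthentication)" \
        "$(effective_sshd_option "$cfg" PermitRootLogin)" \
        "$(grep -c '^PasswordAuthentication' "$cfg")"
    rm -f "$cfg"
}

demo_harden_sshd
```

The demo prints "no no no 1": all three directives resolve to no and only one PasswordAuthentication line remains. effective_sshd_option is also a quick way to confirm, on a live box, what sshd will pick up before you restart it.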

[tutorial] Squid Proxy [with digest authentication]

October 7th, 2011 by

After posting a simple method of setting up a squid proxy with basic authentication, I figured I’d post a slightly more secure method. HTTP digest authentication is simple: instead of transmitting your username/password in plaintext, the client answers a server challenge with an MD5 hash derived from them, so a passive sniffer never sees the password itself. Be clear about what that buys you, though: the rest of the traffic can still be sniffed (I’ll address that in another post about SSL-encrypting your squid proxy), the hash stored in the password file is by itself enough to authenticate to this realm, so protect that file like a password, and a captured challenge/response can be brute-forced offline against a weak password. Anywho, let’s dive right in.

  1. Install squid & continue to step 2
  2. Configure a new /etc/squid/squid.conf
    # Digest Squid Auth -- better method
    # /etc/squid/squid.conf
    #
    
    http_port 3129
    
    auth_param digest program /usr/lib/squid/digest_pw_auth -c /etc/squid/digest_passwd
    
    # Make /etc/squid/digest_passwd this way:
    ## First get a script...
    ## wget http://dl.dropbox.com/u/52078/digest_passwd.sh
    ## Execute something similar to the following. The file has to be written as root,
    ## but "sudo sh ... > file" opens the file as your own user, so pipe into sudo tee instead
    ### sh ./digest_passwd.sh your_username_here your_password_here 'Squid proxy-caching web server' | sudo tee /etc/squid/digest_passwd >/dev/null
    ## This will give you a happy digest_passwd file (the password shows up in ps and in your
    ## shell history while you do this, so clear the history afterwards)
    
    auth_param digest children 5
    auth_param digest realm Squid proxy-caching web server
    auth_param digest nonce_garbage_interval 5 minutes
    auth_param digest nonce_max_duration 30 minutes
    auth_param digest nonce_max_count 50
    
    acl authenticated proxy_auth REQUIRED
    http_access allow authenticated
    
  3. Save the file, don’t forget to create /etc/squid/digest_passwd
    # Make /etc/squid/digest_password this way:
    ## First get a script...
    ## wget http://dl.dropbox.com/u/52078/digest_passwd.sh (contents below)
    ------
    #!/bin/sh
    # usage: digest_passwd.sh user password 'realm'   -> prints "user:realm:HA1"
    
    user=$1
    pass=$2
    realm=$3
    
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then
            echo "Usage: $0 user password 'realm'" >&2
            exit 1
    fi
    
    # printf rather than echo -n: some /bin/sh implementations print "-n" literally,
    # and a stray newline in the hashed string would make every login fail
    ha1=$(printf '%s' "$user:$realm:$pass" | md5sum | cut -f1 -d' ')
    echo "$user:$realm:$ha1"
    ------
    ## Execute something similar to the following (pipe into sudo tee: a plain "> file" after sudo
    ## is opened by your own user and fails on /etc/squid)
    ### sh ./digest_passwd.sh your_username_here your_password_here 'Squid proxy-caching web server' | sudo tee /etc/squid/digest_passwd >/dev/null
    ## This will give you a happy digest_passwd file. Make it readable only by root and the
    ## user squid runs as; the HA1 values in it are password-equivalent for this realm.
    
  4. Startup squid, and enjoy a slightly more protected experience…
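As an added example (not the author’s digest_passwd.sh, nor part of Squid), here is a shell version of the same HA1 computation that reads the password from stdin instead of the command line, replaces an existing entry for the user instead of appending a duplicate, and can check a password against the file the way Squid’s digest helper would. Usernames, passwords and the temporary file in the demo are constructed; the realm string is the one from the config above.

```sh
#!/bin/sh
# Manage a digest_pw_auth -c password file ("user:realm:HA1" per line, where
# HA1 = MD5("user:realm:password")) without putting the password on the
# command line, and check an entry the way Squid would.

# Hex MD5 of a string with no trailing newline (echo -n is not portable, and a
# stray newline changes the hash so every login fails).
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        printf '%s' "$1" | md5 -q
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/.*= *//'
    fi
}

# Usage: printf '%s\n' "$password" | set_digest_user FILE USER REALM
# Replaces an existing entry for USER in REALM rather than adding a duplicate.
set_digest_user() {
    file=$1 user=$2 realm=$3
    IFS= read -r pass
    ha1=$(md5_hex "$user:$realm:$pass")
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    {
        awk -F: -v u="$user" -v r="$realm" '!($1 == u && $2 == r)' "$file"
        printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
    } > "$tmp"
    chmod 640 "$tmp" && mv "$tmp" "$file"
}

# Usage: printf '%s\n' "$password" | check_digest_user FILE USER REALM
# Exit status 0 if the stored HA1 matches this password, 1 otherwise.
check_digest_user() {
    file=$1 user=$2 realm=$3
    IFS= read -r pass
    want=$(md5_hex "$user:$realm:$pass")
    awk -F: -v u="$user" -v r="$realm" -v h="$want" \
        '$1 == u && $2 == r && $3 == h { found = 1 } END { exit !found }' "$file"
}

# Constructed demo: two users, one password change, one wrong-password check.
# Prints "2 ok fail": two entries, new password accepted, old one rejected.
demo_digest_file() {
    f=$(mktemp)
    realm='Squid proxy-caching web server'
    printf 'secret\n'  | set_digest_user "$f" alice "$realm"
    printf 'newpass\n' | set_digest_user "$f" alice "$realm"
    printf 'hunter2\n' | set_digest_user "$f" bob "$realm"
    n=$(wc -l < "$f" | tr -d ' ')
    if printf 'newpass\n' | check_digest_user "$f" alice "$realm"; then a=ok; else a=fail; fi
    if printf 'secret\n'  | check_digest_user "$f" alice "$realm"; then b=ok; else b=fail; fi
    rm -f "$f"
    echo "$n $a $b"
}

demo_digest_file
```

Because the realm is part of the hash, changing auth_param digest realm in squid.conf invalidates every entry; check_digest_user is a cheap way to prove the file and the realm agree before restarting squid.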

[tutorial] Setup your very own squid proxy [with basic authentication]

So, after being trained in the dark arts of pentesting, hacking and other nefarious computer skills, I suppose I should secure my web traffic when out and about. I know there are many ways to do this (ssh being one: http://fsk141.com/simple-socks-5-proxy-ssh-tunnel), but I figure setting up a proxy is one of the easiest things to access and use. Keep in mind that basic auth sends the username and password base64-encoded, i.e. effectively in the clear, on every request, which is why I followed this post up with the digest variant.

  1. Lets start by installing squid
    pacman -S squid #for Arch Linux -- use apt or whatever for other distros
    
  2. Then lets do a little configuration additions (make a new file /etc/squid/squid.conf):
    # Plaintext Authentication Squid Setup
    # /etc/squid/squid.conf
    #
    http_port 3129 # the port clients connect to (squid's own default is 3128)
    
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd # might need to change paths dependant on distro
    
    #make /etc/squid/passwd with the following (-c creates the file; drop it when adding further users):
    ## htpasswd -c /etc/squid/passwd your_username_here # execute as root/sudo
    
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    
    # acl allow rules
    acl authenticated proxy_auth REQUIRED
    http_access allow authenticated
    
  3. Save the file, and don’t forget to create /etc/squid/passwd (-c creates it; leave -c off when adding more users, or you’ll wipe the existing ones)
    htpasswd -c /etc/squid/passwd your_username_here # execute as root/sudo
    
  4. If everything is happy and giggly, then you can startup squid and have a ball browsing (sudo rc.d start squid)

[Tutorial] How to unencrypt kindle books

October 9th, 2010 by


So you want a brand new kindle book and you can’t find it on your favorite torrent/rapidshare/ftp? ;) Well that’s too bad, but there is a giant Amazon store that sells books… But I have two kindles, and when I buy a book I want to be able to share it without restrictions between them. The old version of the decryption hack was a little complicated: you had to find your PID, enter it in a program, and the program would spit out a decrypted book for you. Well, the new Kindle4PC method is fantastic. It’s easy, and gives you what you’re looking for with the least effort necessary.

First off download the file that I packaged up with all the pieces that you need:

unencrypt.zip
Included in the zip file is:

  1. Python 2.6.6 (version that will work)
  2. KindleForPC-installer(beta) [you NEED this version of kindle4PC for this hack to work]
  3. unswindle.pyw (initiator for the whole process)
  4. mobidedrm.py (magic file)

The process is painfully simple:

  1. Install python
  2. Install Kindle4PC if you don’t have it installed & download your book(s) to be undrm’d
  3. Uninstall Kindle4PC
  4. DISCONNECT FROM THE INTERNET (if you don’t, then when you install Kindle4PC(beta) it will upgrade itself, and you DON’T want the newest version)
  5. Install Kindle4PC(beta) from the zip file
  6. Execute unswindle.pyw (either by double clicking or dragging to cmd prompt)
  7. This will startup Kindle4PC & all you need to do now is open the book that you would like to decrypt
  8. Now exit Kindle4PC and wait for the magic to happen
  9. Magic will show up in the form of a “save as” window. Just select where you would like to save the decrypted .mobi && enjoy.
  10. To finish everything up just drop it on your kindle with all your other books, and happy reading

[Tutorial] OpenVZ – Debian – Zenoss (monitor your world)

October 8th, 2010 by


Do you have an OpenVZ HN (Host Node) and no idea what’s happening on your nodes? Well, get out of the dark ages and add a Zenoss installation to monitor your VEs (Virtual Environments). Why did I choose Debian when Zenoss supports a bunch of distros? There are repos for Debian/Ubuntu (which auto-setup for the most part), and I’m not a fan of Ubuntu, so Debian it is. The whole setup only takes a few minutes, so let’s jump right in…

1) Make a new VE with Debian 5:

# On your HN run:

# Download the debian 5 template (-O is the output file; lowercase -o is wget's log file)
sudo wget -c http://download.openvz.org/template/precreated/debian-5.0-x86_64.tar.gz -O /vz/template/cache/debian-5.0-x86_64.tar.gz

# Create debian VE
sudo vzctl create 1 --ostemplate debian-5.0-x86_64

# Hooray your VE is setup, now move onto configuration >>

2) Set VE options:

# Configure debian VE (naibed-zen is debian backwards with a lil zen added)
# You can enter this all on one line; the backslashes just spread it out to make it easier to read
sudo vzctl set 1 \
--hostname naibed-zen \
--ipadd <ipaddress> \
--searchdomain <yoursearchdomain> \
--nameserver "<your nameserver/nameservers (separated by spaces)>" \
--vmguarpages $((256 * 4096)) \
--privvmpages $((256 * 6144)) \
--swappages $((256 * 1024)) \
--meminfo none \
--onboot yes \
--save

#--vmguarpages $((256 * 4096)) # guaranteed memory (4GB)
#--privvmpages $((256 * 6144)) # burst memory (6GB)
#--swappages $((256 * 1024)) # swap memory (1GB)
#--meminfo none # I was having memory listing issues, and this fixed it

This will configure the empty shell of a VE that we set up and make it more usable:

VEID (Virtual Environment ID): 1 in our case, but you can set it to whatever you want
Hostname: naibed-zen
IP Address: (eg. 192.168.1.2)
Search Domain (/etc/resolv.conf): (eg. google.com *this is optional)
Nameserver(s) (/etc/resolv.conf): (eg. 192.168.1.1)
Guaranteed Memory: (change the last number, which is in MB: 4096 == 4GB; the 256 is the number of 4KB pages in a MB)
Burst Memory: (change the last number, 6144 == 6GB)
Turn on at boot: yes
Don’t forget to save: if you don’t --save then your HN won’t remember the settings when rebooted

If I were you I would enter the VE (sudo vzctl enter 1) and test to make sure networking is working… ping google or something; if not, make sure your HN is set up correctly and that your DNS servers are correct.

3) Setup Zenoss:

Now that we have our VE all ready to go, let’s set up zenoss… One thing to notice in the transcript below: the repo line carries no signing key, so apt warns that zenoss-stack cannot be authenticated, and answering Y installs 110MB fetched over plain HTTP with no signature check. Only do that where you accept the risk (or import the repository’s signing key first, if the project publishes one).

# Enter the VE
sudo vzctl enter 1
echo "deb http://dev.zenoss.org/deb main stable" >> /etc/apt/sources.list
apt-get update
apt-get install zenoss-stack
/etc/init.d/zenoss-stack start

It should look something like this:

[jgerold@jg-iMac ~]$ sudo vzctl enter 2
entered into CT 2
naibed:/# echo "deb http://dev.zenoss.org/deb main stable" >> /etc/apt/sources.list
naibed:/# apt-get update
... updating pkg-database ...

naibed:/# apt-cache search zenoss-stack # just verifying that the repo is correct
zenoss-stack - Zenoss Stack with all requirements.

naibed:/# apt-get install zenoss-stack
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
  zenoss-stack
0 upgraded, 1 newly installed, 0 to remove and 14 not upgraded.
Need to get 110MB of archives.
After this operation, 386MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  zenoss-stack
Install these packages without verification [y/N]? Y
Get:1 http://dev.zenoss.org main/stable zenoss-stack 3.0.2-0 [110MB]
Fetched 110MB in 11s (9756kB/s)
Selecting previously deselected package zenoss-stack.
(Reading database ... 23039 files and directories currently installed.)
Unpacking zenoss-stack (from .../zenoss-stack_3.0.2-0_amd64.deb) ...
Setting up zenoss-stack (3.0.2-0) ...

naibed:/# /etc/init.d/zenoss-stack start
nohup: redirecting stderr to stdout
Starting mysqld.bin daemon with databases from /usr/local/zenoss/mysql/data
/usr/local/zenoss/mysql/scripts/ctl.sh : mysql  started at port 3307
Daemon: zeoctl .
daemon process started, pid=2050
Daemon: zopectl .
daemon process started, pid=2061
Daemon: zenhub starting...
Daemon: zenjobs starting...
Daemon: zenping starting...
Daemon: zensyslog starting...
Daemon: zenstatus starting...
Daemon: zenactions starting...
Daemon: zentrap starting...
Daemon: zenmodeler starting...
Daemon: zenperfsnmp starting...
Daemon: zencommand starting...
Daemon: zenprocess starting...
Daemon: zenwin starting...
Daemon: zeneventlog starting...
naibed:/#

# You're done, move onto testing & pat yourself on the back

4) Test & Enjoy:

To test, just go to a web browser and enter the IP that you chose for the machine followed by :8080 (eg. 192.168.1.2:8080). If everything went as expected you should be greeted with a zenoss setup page; that page is where the admin password gets set, so do it right away rather than leaving the port sitting there unconfigured.
Success

[Tutorial] Add more RAM to an OpenVZ container

October 7th, 2010 by


It seems like a simple idea, but adding ram to an OpenVZ container is a little bit tricky.

Let’s say we would like to have 512MB dedicated and 1024MB burst.

In OpenVZ l33t Sp3ak it would look something like this:

vzctl set <vpsid> --vmguarpages 131072 --save # 512MB Dedicated (Guaranteed)

vzctl set <vpsid> --privvmpages 262144 --save # 1024MB Burst (Granted)

For the longest time it was a pain in the ass to grasp this concept, and I would take someone else’s config file and just copy those properties when I knew they had allocated 512MB of RAM, or the like. Anywho, I don’t know why the OpenVZ wiki can’t be simpler, or their ‘vzctl’ program for that matter. Why can’t you just specify the KB/MB/GB value that you want??? Well, they don’t make it easy, so here’s “The Easy Way”:

vzctl set <vpsid> --vmguarpages $((256 * 512)) --save #  512MB Dedicated (Guaranteed)
// 256 * <whatever_MB_you_want>

vzctl set <vpsid> --privvmpages $((256 * 1024)) --save # 1024MB Burst (Granted)
// 256 * <whatever_MB_you_want>

Q:

Why & how does this sorcery work?

A:

Let’s pick apart the command’s declaration (--vmguarpages 131072):

131072 (number of pages) * 4096 (size of a page in bytes) / 1024 (bytes to KB) / 1024 (KB to MB)

((131072 * 4096) / 1024) / 1024 = 512

Oh, ok, great, that really explains things? (you might say). Well, lemme go a little deeper and give you a little example to execute on your Host Node (HN):

// Find the pagesize of your machine (x86/x86_64 should be 4096)

#include <unistd.h>
#include <stdio.h>

int main(void)
{
    long sz = sysconf(_SC_PAGESIZE);   /* page size in bytes */
    printf("Memory pagesize on this box : %ld Bytes\n", sz);
    return 0;
}

// compile & execute
// copy to a file (pages.c) then: gcc -o pages pages.c && ./pages
// you "should" get 4096 Bytes (unless you're on ia64 hardware, which commonly uses larger pages)
// getconf PAGESIZE prints the same number without compiling anything

Now that you’ve verified your page size, let’s move on to how 512MB computes to 131072 pages:

4096 Bytes = 1 page = 4 Kilobytes
There are 1024 KB in a MB and each page is 4 KB, so one MB holds 1024 / 4 == 256 pages.

What is 256? 256 is the number of pages in a MB, so if we multiply 256 * <number of MBs of RAM we want> that gives us the number of pages OpenVZ needs. (The constant only holds for 4KB pages; on a box with a different page size, divide 1024 by that page size in KB instead.)

// some examples
1GB (1024 * 256) = 262144
vzctl set <vpsid> --vmguarpages 262144 --save // if you pre-calculate
vzctl set <vpsid> --vmguarpages $((256 * 1024)) --save // this just calculates with bash

16GB (16384 * 256) = 4194304
vzctl set <vpsid> --vmguarpages 4194304 --save
vzctl set <vpsid> --vmguarpages $((256 * 16384)) --save

Well I hope this helped someone like me that couldn’t for the life of me understand what the hell they were talking about on the OpenVZ wiki. It wasn’t until I hit a tiny tidbit of happiness from the linux.com article (where they did 256 * 256), then it took me a little longer reading the Setting_UBC_parameters to figure out page size, and after I knew pages were 4KB, I thought it would be nice to outline my findings. Enjoy :)
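The page-size arithmetic above, and the vmguarpages/privvmpages values used in the Zenoss container setup earlier on this page, boil down to pages = MB * 1024 * 1024 / PAGESIZE. Here it is as an added shell example (not from the original post or from vzctl) that takes the page size from getconf PAGESIZE instead of assuming 256 pages per MB, and builds the vzctl arguments for a guaranteed/burst pair. The container ID in the usage comment and the guarantee-not-above-burst sanity check are assumptions made for the example, not rules quoted from the OpenVZ wiki.

```sh
#!/bin/sh
# Convert between megabytes and OpenVZ UBC "pages" without hard-coding 256:
# pages = MB * 1024 * 1024 / PAGESIZE, and 256 is only right for 4096-byte pages.

# Page size of the host node; falls back to 4096 if getconf is unavailable.
page_size() {
    getconf PAGESIZE 2>/dev/null || echo 4096
}

# Usage: mb_to_pages MB [PAGESIZE]
mb_to_pages() {
    ps=${2:-$(page_size)}
    echo $(( $1 * 1024 * 1024 / ps ))
}

# Usage: pages_to_mb PAGES [PAGESIZE]   (the reverse, for reading existing configs)
pages_to_mb() {
    ps=${2:-$(page_size)}
    echo $(( $1 * ps / 1024 / 1024 ))
}

# Build the vzctl memory arguments for a guaranteed/burst pair in MB.
# Refuses a guarantee above the burst limit (sanity check assumed for this
# example: burst is the ceiling, so a guarantee beyond it makes no sense).
# Usage: vz_mem_args GUAR_MB BURST_MB [PAGESIZE]
vz_mem_args() {
    guar=$1 burst=$2 ps=${3:-$(page_size)}
    if [ "$guar" -gt "$burst" ]; then
        echo "error: guaranteed ${guar}MB exceeds burst ${burst}MB" >&2
        return 1
    fi
    echo "--vmguarpages $(mb_to_pages "$guar" "$ps") --privvmpages $(mb_to_pages "$burst" "$ps")"
}

# The 512MB/1024MB container from the post, on a 4KB-page host:
#   vzctl set 101 $(vz_mem_args 512 1024) --save
# Printed here instead of executed, since vzctl only exists on a host node.
echo "vzctl set 101 $(vz_mem_args 512 1024 4096) --save"
echo "same container on a 16KB-page host: $(vz_mem_args 512 1024 16384)"
```

The second line shows why the constant matters: with 16KB pages the same 512MB is only 32768 pages, and feeding it 131072 would hand the container four times the memory you intended.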

Sources:

http://wiki.openvz.org/Setting_UBC_parameters
http://wiki.openvz.org/UBC_primary_parameters
http://wiki.openvz.org/UBC_secondary_parameters
http://www.linux.com/archive/articles/114214

[Tutorial] SSL IIS > Apache (Export Windows Server SSL Cert to Apache)

Export Keys from a windows server to apache server:

1) Startup mmc
    a] File > Add/Remove Snap in > Certificates:
        a1} Computer Account > Local Computer (Finish with “OK”)
    b] Select Certificates >> Personal >> Certificates
    c] Select Certificate (*.domainname.com)
        c1} Right click > All Tasks > Export
        c2} “Yes, Export the private Key”
        c3} next (use defaults [PKCS #12, no boxes checked])
        c4} password (<enter anything>) << you are setting this password; it is the only thing protecting the private key inside the .pfx, so pick a real one and delete the .pfx once the extraction below is done
        c5} Name your export && Finish

2) Extract the Key & Certificate from the pkcs file & enjoy
    a] Export the Private key (OpenSSL asks for the password you set above, then for a passphrase to protect key.pem):

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

    b] Export the certificate file:

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

    c] Remove the passphrase from the key so apache won’t prompt for a passphrase:

openssl rsa -in key.pem -out server.key

server.key is now an unencrypted private key: keep it root-owned with mode 0600 and outside any directory the web server serves. If the Windows export included intermediate CA certificates, pull them out the same way (openssl pkcs12 -in filename.pfx -cacerts -nokeys -out chain.pem) and hand them to Apache with SSLCertificateChainFile, otherwise clients will see an incomplete chain.
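As an added example (not from the original post), here is the extraction as a shell function that writes the key, certificate and any intermediate CA chain from a .pfx with owner-only permissions and then verifies that the key and certificate actually belong together, which is the check to run before restarting Apache. The demo constructs its own self-signed certificate and .pfx with a made-up export password so it runs without a Windows server; the output directory and file names are assumptions.

```sh
#!/bin/sh
# Split a Windows PKCS#12 export into the files Apache needs, with the private
# key written unencrypted but owner-only, and prove key and cert match.
# Usage: split_pfx export.pfx EXPORTPASSWORD /etc/apache2/ssl
split_pfx() (
    pfx=$1 pass=$2 out=$3
    umask 077                      # everything created below is mode 0600/0700
    mkdir -p "$out"
    # -nodes: do not re-encrypt the key, so Apache starts without a prompt
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/server.key" || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/server.crt" || return 1
    # intermediate CA certificates, if the export carried any (SSLCertificateChainFile);
    # an export without them leaves this file empty
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/chain.crt" 2>/dev/null \
        || : > "$out/chain.crt"
    key_matches_cert "$out/server.key" "$out/server.crt"
)

# Exit 0 only if the public key derived from KEY equals the one inside CERT.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed demo: build a throwaway self-signed cert, pack it the way the
# Windows export wizard does, split it, then show that a foreign key is rejected.
# Prints "match" then "mismatch".
demo_split_pfx() (
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/in.key" -out "$d/in.crt" \
        -days 1 -subj '/CN=www.example.com' >/dev/null 2>&1
    openssl pkcs12 -export -in "$d/in.crt" -inkey "$d/in.key" \
        -passout pass:exportpw -out "$d/export.pfx" 2>/dev/null
    if split_pfx "$d/export.pfx" exportpw "$d/apache" >/dev/null 2>&1; then echo match; else echo mismatch; fi
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    if key_matches_cert "$d/other.key" "$d/apache/server.crt"; then echo match; else echo mismatch; fi
    rm -rf "$d"
)
```

Run demo_split_pfx to see it work, or split_pfx against a real export. One caveat for newer toolchains: OpenSSL 3 refuses the RC2-based encryption that older Windows versions use for .pfx files unless you add -legacy to the openssl pkcs12 commands.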