Thursday, 16 October 2014

SSL issues again

Here is a blog post on the issue called POODLE, which was discovered by Google some days ago.
It is not another Heartbleed, but it could still have an impact.

Monday, 11 August 2014

[Raspberry, Arduino] First Project

Now it's the first weekend of my vacation and I thought it would be a great idea to play around with some "toys" (as my wife would say) I bought a while ago.

So I have:

  • Raspberry pi B
  • Arduino Uno rev3
  • analog temperature sensor
  • breadboard
  • a lot of wires :-)

First of all I installed Raspbian on the Raspberry. Raspbian was downloaded from the official Raspberry Pi site and written to the SD card. Not that hard.

Arduino and the sensor


First I started with the Arduino and the analog sensor.
The TMP36 sensor has three connections:
  1. 5V
  2. GND
  3. Analog 0 (A0)
It's quite easy; when everything was connected I started the first program:

int sensorPin = 0; // to use A0

void setup()
{
  Serial.begin(9600);  // baud rate for serial console
}

void loop() {
  int reading = analogRead(sensorPin);  // read the sensor (0..1023)
  float voltage = reading * 5.0;        // convert to volts, 5V reference
  voltage /= 1024.0;
  Serial.print(voltage); Serial.println(" volts");
  float temperatureC = (voltage - 0.5) * 100;  // TMP36: 500 mV offset, 10 mV per degree C
  Serial.print(temperatureC); Serial.println(" degrees C"); // print to console
  delay(5000);
}

The program writes the current temperature to the serial console.

Raspberry and Arduino

So, now I would like to have the output on my Raspberry Pi. Looking around I found the idea of connecting the two via I2C.

The connection Raspberry <---> Arduino is as follows

SDA <---> A4
SCL <---> A5
GND <---> GND

Now we need to install i2c-devel and python-smbus on the Raspberry. The Arduino just needs to include Wire.h.
Please see the guide above for the individual steps.

What you need on the Arduino side is basically:
#include <Wire.h>
#define SLAVE_ADDRESS 0x04
For receiving and sending data you need
Wire.onReceive(receiveData);
Wire.onRequest(sendData);
I wrote a combination of the old script and a new one, maybe you get the idea:
#include <Wire.h>

#define SLAVE_ADDRESS 0x04
int output = 0;      // byte handed to the master on the next request
int input = 0;       // last command byte received from the master
int state = 0;       // LED state
int sensorPin = 0;   // TMP36 on A0

double temp;
double c1;           // external temperature, refreshed in loop()
double c2;           // internal temperature, refreshed in loop()

void setup() {
  pinMode(13, OUTPUT);
  // initialize i2c as slave
  Wire.begin(SLAVE_ADDRESS);
  Serial.begin(9600);

  // define callbacks for i2c communication
  Wire.onReceive(receiveData);
  Wire.onRequest(sendData);
}

void loop(){
  delay (1000);
  // assign to the globals; "double c1 = ..." here would declare locals
  // that shadow them, so receiveData() would always report 0
  c1 = GetExtTemp();
  c2 = GetIntTemp();
  Serial.print(c1); Serial.print(" : "); Serial.println(c2);
}

// callback for received data
void receiveData(int byteCount){

  while(Wire.available()) {
    input = Wire.read();
    Serial.print(input); Serial.println(" in");
    if (input == 1){
      if (state == 0){
        digitalWrite(13, HIGH); // set the LED on
        state = 1;
      } else{
        digitalWrite(13, LOW); // set the LED off
        state = 0;
      }
    }

    // commands 2 and 3 only select the value; sendData() transmits it
    if(input == 2) {
      output = (int)c1;
    }

    if(input == 3) {
      output = (int)c2;
    }

  }
}

// callback for sending data
void sendData(){
  Wire.write(output);   // sends the low byte of output
}

// Get the external temperature from the TMP36 (same as the first sketch)
double GetExtTemp(void)
{
  delay (100);
  int reading = analogRead(sensorPin);
  double voltage = reading * 5.0;
  voltage /= 1024.0;
  double temperatureC = (voltage - 0.5) * 100 ;
  temp = temperatureC;
  return (temp);
}

// Get the internal temperature of the ATmega's own die sensor
double GetIntTemp(void)
{
  unsigned int wADC;
  double t;
  // internal 1.1V reference and ADC channel 8 (the temperature sensor)
  ADMUX = (_BV(REFS1) | _BV(REFS0) | _BV(MUX3));
  ADCSRA |= _BV(ADEN); // enable the ADC
  delay(20); // wait for voltages to become stable.
  ADCSRA |= _BV(ADSC); // Start the ADC
  while (bit_is_set(ADCSRA,ADSC));
  wADC = ADCW;
  t = (wADC - 324.31 ) / 1.22;   // rough calibration for the ATmega328
  return (t);
}
On the Raspberry side you can do (Python):
import smbus
bus = smbus.SMBus(1)
deviceaddy = 0x04  # same address as above (SLAVE_ADDRESS)
bus.read_byte_data(deviceaddy, 2)  # 1, 2, 3 should work
With the Arduino program above you should be able to:


  1. Switch the LED on/off
  2. Get the external temperature from the analog sensor
  3. Get the internal Arduino temperature

Update: Well, I killed it somewhere; I don't get correct data on my Raspberry while the Arduino serial output is all good. If someone has a hint :-)
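The Raspberry side, as an added example that is not code from the original post: a small client for the three-command protocol of the sketch above (1 = toggle LED, 2 = external temperature, 3 = internal temperature), together with a constructed stand-in for smbus.SMBus that behaves like the sketch, so the logic runs without hardware. The names FakeArduinoBus, ArduinoClient and to_signed are assumptions of this example; on a real Pi you pass smbus.SMBus(1) instead of the fake bus. It also shows one detail a reader hits quickly: Wire.write(output) only sends the low byte of the int, so negative temperatures arrive as values from 128 to 255 and must be re-interpreted as signed on the Pi.

```python
# Added example (not code from the original post): Raspberry Pi side of the
# three-command I2C protocol implemented by the sketch above, plus a constructed
# stand-in for smbus.SMBus so the logic can be exercised without hardware.
# FakeArduinoBus, ArduinoClient and to_signed are names assumed by this example.

CMD_TOGGLE_LED, CMD_EXT_TEMP, CMD_INT_TEMP = 1, 2, 3


class FakeArduinoBus:
    """Behaves like the sketch: a command byte written to the slave selects
    what the following read returns (the receiveData / sendData pairing)."""

    def __init__(self, address, ext_temp_c, int_temp_c):
        self.address = address
        self.ext_temp_c = ext_temp_c   # what GetExtTemp() would measure
        self.int_temp_c = int_temp_c   # what GetIntTemp() would measure
        self.led_on = False            # pin 13
        self.output = 0                # the sketch's global 'output'

    def _receive(self, cmd):
        # mirrors receiveData(): 1 toggles the LED, 2/3 select a temperature
        if cmd == CMD_TOGGLE_LED:
            self.led_on = not self.led_on
        elif cmd == CMD_EXT_TEMP:
            self.output = int(self.ext_temp_c)   # (int)c1 truncates toward zero
        elif cmd == CMD_INT_TEMP:
            self.output = int(self.int_temp_c)

    def read_byte_data(self, address, cmd):
        """Same shape as smbus.SMBus.read_byte_data: write cmd, then read a byte."""
        if address != self.address:
            raise IOError("no slave acknowledged at 0x%02x" % address)
        self._receive(cmd)
        return self.output & 0xFF     # Wire.write(int) only sends the low byte


def to_signed(byte):
    """Undo the low-byte truncation: 128..255 are negative temperatures."""
    return byte - 256 if byte >= 128 else byte


class ArduinoClient:
    """Pi-side client; pass smbus.SMBus(1) as bus on real hardware."""

    def __init__(self, bus, address=0x04):
        self.bus = bus
        self.address = address

    def _command(self, cmd):
        try:
            return self.bus.read_byte_data(self.address, cmd)
        except IOError as exc:
            raise RuntimeError("I2C transfer to 0x%02x failed: %s" % (self.address, exc))

    def toggle_led(self):
        self._command(CMD_TOGGLE_LED)       # the byte read back is stale, ignore it

    def external_temperature(self):
        return to_signed(self._command(CMD_EXT_TEMP))

    def internal_temperature(self):
        return to_signed(self._command(CMD_INT_TEMP))


if __name__ == "__main__":
    # constructed readings: a cold sensor outside, a warm chip inside
    bus = FakeArduinoBus(0x04, ext_temp_c=-3.7, int_temp_c=31.2)
    client = ArduinoClient(bus)
    print("external: %d C" % client.external_temperature())
    print("internal: %d C" % client.internal_temperature())
    client.toggle_led()
    print("LED on:", bus.led_on)
```

read_byte_data writes the command byte and then reads one byte in the same transaction, which is exactly the receiveData/sendData pairing in the sketch; with python-smbus installed, swapping FakeArduinoBus for smbus.SMBus(1) is the only change needed.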

Thursday, 3 July 2014

How I see a website

Sometimes I visit a website (yes, I really do) and sometimes I like to take another look at it.

So when I come across one of mine, for example, I can see a nice ownCloud login page. Well, let's dig a bit deeper.

#> curl -I oc.XXX.de
HTTP/1.1 302 Found
Date: Thu, 03 Jul 2014 10:07:22 GMT
Server: Apache/2.4.6 (Ubuntu)
Location: https://oc.XXX.de
Content-Type: text/html; charset=iso-8859-1

Okay, running Ubuntu and Apache. Nice to know, but there is a redirect? 302, so let's see

#> curl oc.XXX.de
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://oc.XXX.de">here</a>.</p>
<hr>
<address>Apache/2.4.6 (Ubuntu) Server at oc.XXX.de Port 80</address>
</body></html>
Ah, you want me to use https, okay let's go
curl -I -k https://oc.XXX.de
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 09:58:15 GMT
Server: Apache/2.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.3-1ubuntu2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *
Set-Cookie: oc29fecb4bf3=vjqdmo6ltkct6s23utu92c2l21; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
So, you use PHP; let's google the version number....
Okay, so it's Saucy.

Nice security flags by the way :-)
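The headers above are a good sample to put through an automated check. The following is an added example, not code from the original post: it parses a raw `curl -I` response head and flags the points a reviewer looks at (HSTS scope, a CSP that allows 'unsafe-inline', 'unsafe-eval' or a bare *, cookies without Secure or HttpOnly, X-Frame-Options, nosniff, and version banners). SAMPLE_RESPONSE is the HTTPS response shown above; HARDENED_RESPONSE is a constructed counterpart that passes every check; the function names are this example's own.

```python
import re

# The HTTPS response head captured above (curl -I output), used as sample input.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 09:58:15 GMT
Server: Apache/2.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.3-1ubuntu2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *
Set-Cookie: oc29fecb4bf3=vjqdmo6ltkct6s23utu92c2l21; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
"""

# Constructed counterpart with the weak points fixed (no version banners either).
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; img-src 'self' data:
Set-Cookie: sid=constructed; path=/; Secure; HttpOnly
Content-Type: text/html; charset=utf-8
"""


def parse_headers(raw):
    """Raw response head -> list of (lowercased name, value); a list, not a
    dict, so repeated headers such as several Set-Cookie lines survive."""
    headers = []
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                             # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def get(headers, name):
    return [v for n, v in headers if n == name]


def parse_csp(value):
    """'default-src a b; script-src c' -> {'default-src': ['a', 'b'], ...}"""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(raw):
    """Return a list of human-readable findings; empty means nothing to flag."""
    headers = parse_headers(raw)
    findings = []

    hsts = get(headers, "strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS does not cover subdomains")

    xfo = get(headers, "x-frame-options")
    if not xfo or xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if not [v for v in get(headers, "x-content-type-options") if v.lower() == "nosniff"]:
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = get(headers, "content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        for directive, sources in parse_csp(csp[0]).items():
            for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if weak in sources:
                    findings.append("CSP %s allows %s" % (directive, weak))

    for cookie in get(headers, "set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % name)
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % name)

    for banner in ("server", "x-powered-by"):
        for v in get(headers, banner):
            if re.search(r"\d+\.\d+", v):
                findings.append("%s discloses a version: %s" % (banner, v))

    return findings


if __name__ == "__main__":
    for f in audit_headers(SAMPLE_RESPONSE):
        print("-", f)
    print("hardened:", audit_headers(HARDENED_RESPONSE) or "no findings")
```

The session cookie is the one finding that matters most here: the site redirects everything to HTTPS and sets HSTS, but without the Secure attribute the cookie may still be sent over plain HTTP by a client that has not yet seen the HSTS header.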


and the stories go on ....

Wednesday, 25 June 2014

Some security features

I have a tiny vserver running a "RedHat-like OS". Mostly I use it for my ownCloud stuff, saving some files and reading my RSS feeds. So it is a nice playground for features, especially security ones.

Today i installed two tools:

  1. suricata
    (http://suricata-ids.org/) is an IDS/IPS system which was originally founded by Homeland Security. It is free and open source; the advantage over Snort is that it is able to use multiple CPUs.
  2. mod_security
    (http://www.modsecurity.org/) is an Apache module which adds some security extensions like XSS prevention.
Suricata needs to be installed by hand, as the packages are not available in the repos. But it isn't that hard if you follow some instructions and the documentation.
When you have all the files you need there are some additional steps.
  1. create /etc/suricata/ and /etc/suricata/rules
  2. copy all the .config files to /etc/suricata; you will find them within the suricata source package
  3. change into the suricata directory and fetch all the rule files from https://rules.emergingthreats.net/open/suricata/rules/
  4. Now we need to adjust some settings within the suricata.yaml file, for example which modules you will use. It is important to enable logging to file and syslog, so we can run suricata in daemon mode. Just take a look at the other options; basically you can adjust settings for everything suricata can handle.
  5. Finally start it: suricata -c /etc/suricata/suricata.yaml -i eth0 -D
  6. It will log all its output to /var/log/suricata
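Once Suricata runs as a daemon, its alerts land in /var/log/suricata/fast.log, one line per alert. The following is an added example, not code from the original post or from the Suricata project: a parser for that line format plus a per-source summary of high-priority alerts, run on constructed sample lines (the rule ids 9000001 to 9000003, the rule messages and the addresses are made up for this example, and the function names are this example's own).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Suricata's fast.log format; rule ids, messages
# and addresses are made up for this example. The last line is deliberate
# noise that the parser must skip.
SAMPLE_FAST_LOG = """\
10/16/2014-10:07:22.123456  [**] [1:9000001:2] EXAMPLE WEB Login brute force attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:443
10/16/2014-10:07:25.000001  [**] [1:9000001:2] EXAMPLE WEB Login brute force attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51240 -> 192.0.2.10:443
10/16/2014-10:08:01.500000  [**] [1:9000002:1] EXAMPLE SCAN Scripted scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:40000 -> 192.0.2.10:80
10/16/2014-10:09:00.000000  [**] [1:9000003:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
this line is not an alert and must be skipped
"""

# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Ports are optional so that ICMP lines parse too; the lazy \S+? keeps the
# last colon for the port, which also works for IPv6 addresses.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_log_line(line):
    """One fast.log line -> dict with typed fields, or None if it is not an alert."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["timestamp"] = datetime.strptime(alert.pop("ts"), "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def parse_fast_log(text):
    """Parse a whole file's worth of lines, silently dropping non-alert lines."""
    alerts = []
    for line in text.splitlines():
        alert = parse_fast_log_line(line)
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts, max_priority=2):
    """Count alerts of priority <= max_priority per source address
    (Suricata priority 1 is the most severe), noisiest source first."""
    counts = Counter(a["src"] for a in alerts if a["priority"] <= max_priority)
    return counts.most_common()


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for a in alerts:
        print("%s sid=%d prio=%d %s -> %s: %s" % (
            a["timestamp"].isoformat(), a["sid"], a["priority"], a["src"], a["dst"], a["msg"]))
    print("high-priority sources:", summarize(alerts))
```

On a real box, replace SAMPLE_FAST_LOG with the contents of /var/log/suricata/fast.log; the same parser also fits the daily review of what the daemon logged.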
mod_security can be installed from the repos.
yum install mod_security_crs.noarch mod_security_crs-extras.noarch

After a restart of httpd it will be running by default. You can find the output for debugging and auditing in the httpd log directory.

Wednesday, 11 June 2014

Good News: RHEL 7 with default MariaDB

I really think this is good news: in the upcoming release of Red Hat Enterprise Linux, MariaDB will be the default MySQL database server.

http://www.bytebot.net/blog/archives/2014/06/11/rhel7-now-with-mariadb 

MariaDB 5.5

MariaDB is the default implementation of MySQL in Red Hat Enterprise Linux 7. MariaDB is a community-developed fork of the MySQL database project, and provides a replacement for MySQL. MariaDB preserves API and ABI compatibility with MySQL and adds several new features; for example, a non-blocking client API library, the Aria and XtraDB storage engines with enhanced performance, better server status variables, and enhanced replication.

Detailed information about MariaDB can be found at https://mariadb.com/kb/en/what-is-mariadb-55/.

Friday, 6 June 2014

ALTER TABLE ADD INDEX: What can go wrong?

Answer: EVERYTHING!!
(@Groves really everything)

So, I just found out that doing an ALTER TABLE to add an index without a maintenance window is the worst decision you can make.

What happens:

  1. You fire the ALTER command
  2. InnoDB will alter its own engine before altering the table itself
  3. All queries against the database will complain about an index issue
  4. All queries (ALTER and SELECT) will go to state "Waiting for table metadata lock"
Lesson learned!

Wednesday, 23 April 2014

Heartbleed revisited

So, now the Heartbleed bug is some days old and the work is nearly done.

So let's talk a bit about the history.
  1. On Sun, 1 Jan 2012 00:59:57 +0200 somebody committed a heartbeat extension to the OpenSSL git repository.
  2. Last Sunday/Monday Google found a bug within this extension, or at least openssl.org finally reported the bug.
  3. On late Monday and early Tuesday we had a tiny little website which could identify whether your server is affected by this bug.
  4. Some hours later Go code was available, so we could check even more systems.
  5. Finally an nmap plugin was available, and now we can scan the full IP range and every port.
  6. Most SSL CAs were unable to handle the re-certification (or re-signing) of the certs via API; a solution was available on early Thursday.
So what have we done within these lovely days (and what you should have done too)?
  1. We started to close the SSL vulnerability by patching all our systems
  2. We recreated our private SSL keys and re-certified them
  3. We started to call the bug the "Fingerbleed" bug
  4. We exchanged all of our certs
  5. We talked to some customers, helped them identify the bug and provided solutions
  6. We changed all our passwords

So finally I guess we can say it with Atkins' lyrics

If you're goin' through hell keep on going
Don't slow down, if you're scared don't show it
You might get out before the devil even knows you're there

Wednesday, 9 April 2014

Yet Another Heartbleed post

Well, as I have spent hours on the Heartbleed bug lately, I just need to tell you this:

Update your OpenSSL library now!

I guess the bug could be one of the most urgent bugs we have had.

What you should do:

And don't forget to restart your apache/nginx/lighttpd/postfix/whatever server.

As I normally maintain a larger range of IP addresses, I just wrote a short script

Step 1: fping -g IPRANGE > ips.txt
Step 2: sh test.sh > test.txt
#!/bin/bash
# ips.txt holds the fping output ("1.2.3.4 is alive"); the first field is the address
cut -d ' ' -f1 ips.txt | while read -r host
do
        ./heartbleeder "$host:443"
done
Step 3: log in to the server and solve the issue

have fun!

Thursday, 3 April 2014

[Note to myself] Raspberry PI, playing around (Android, Chromeos)

So, now I have had my Raspberry Pi for more than a week. I am still looking for something "awesome" to do with it. There are two operating systems which I really would like to use on it.
  • Chrome OS
  • Android
Well, as Android is normally built to run on ARM systems I thought it should be the first try. Sadly the first try yesterday failed, and I still don't know why. The screen just stays black and the light on my Raspi stays red.

So, this blog post is mainly a "note to myself" so I can find all the links again :-) Maybe some of you find it useful too.

ChromeOS


  • https://raspberrypi.stackexchange.com/questions/1578/how-do-i-install-chrome-os
  • http://www.slideshare.net/yyquest/running-chromeandroid-os-on-raspberry-pi
  • https://github.com/m943040028/chromiumos_overlay
So it's a mix of link (1) and link (2).
While doing all the needed chroot stuff you can easily see that it's a Gentoo underneath; well okay, I can live with that. The compilation of the cross compiler takes a while. Okay, actually everything takes a while.

Android

Some useful links which I might need again
  • http://androidpi.wikia.com/wiki/Android_Pi_Wiki
  • http://blog.broadcom.com/chip-design/android-for-all-broadcom-gives-developers-keys-to-the-videocore-kingdom/?utm_source=Twitter&utm_medium=Official%20Company%20Account
  • http://www.raspberrypi.org/archives/1700
  • http://www.raspberrypi.org/phpBB3/viewforum.php?f=73
  • http://headlessandroid.blogspot.hu/2012/07/android-raspberry-pi-kernel-build.html
  • http://www.intorobotics.com/raspberry-pi-android-guides-resources/
  • http://community.arm.com/groups/android-community/blog/2013/09/18/from-zero-to-boot-porting-android-to-your-arm-platform
  • http://androidpi.wikia.com/wiki/CM7_Compilation
Well, I tried the mentioned version, but it failed; it does not even boot, only a black screen. So I played around a bit more and took the kernel from my Pidora SD card. That kernel boots but goes into an endless boot loop.
As I know now, there are a lot of prerequisites you need for the Android kernel, so the Pidora kernel is just too "small". Well, I will try to compile it on my own. But without a working config to import it will be a hell of a lot of work.
While I am writing my blog entry, Broadcom has released the source for the acceleration drivers to the community and someone has already solved the Quake II quest and ported it.
So, what's next?

Conclusion: as everything seems to be strange, I guess the best idea would be to take the Pidora build (or maybe something smaller, we will see), add the new DMA driver (see the Broadcom link under Android) and build my own system.

I think about something which includes
  • chrome
  • fvwm
Okay, so that's my link list,
enjoy!

Monday, 31 March 2014

AWS Amazon webservices

Last week I took a short look at the AWS cloud system, basically because there was a free 12-month offer (750 hours a month). Only a few instance types are covered by this offer, so I created a "micro" machine.

You can choose between different operating systems, such as RedHat, CentOS and one of Amazon's own distributions (Amazon Linux AMI 2013.09.2), which basically is another "fork" of RedHat/CentOS.

So, starting with documentation: I always like documentation and there are some really good whitepapers around; you can find them here. I guess you also should take a look at the overview whitepaper which is here.
Amazon pushed a lot of services into their cloud, like many different databases (MongoDB, DynamoDB, MySQL) and load balancers. The system is fully scalable, so there is no need to buy a huge infrastructure; you can scale it to your needs. Payment is based on the amount of resources you use.

Currently there are two promos running

  • one promo where Amazon and Intel give you 600 hrs of compute time
  • and a basic 720 hrs and 12 months free usage here

AWS comes with some really nice features, for example on the security side: when you create a new instance you _must_ create a public key to log in, and be sure to save it, you can't access it twice.

Let's talk about Amazon Linux AMI

  • kernel 3.4.73-64.112.amzn1.x86_64
  • you can use yum 
  • nginx is available in 1.4.3 release 1.14.amzn1
  • mysql in version 5.5.34
It seems SELinux is available but not installed by default. I don't know if this is good or bad. You can use the micro instance within the 720 hrs free offer.


So lets try it!
Enjoy!

Thursday, 27 March 2014

Vyatta Cluster

Have you ever tried Vyatta?

Vyatta is an open source network operating system providing advanced IPv4 and IPv6 routing, stateful firewalling, IPsec and SSL OpenVPN, and more.

So basically it's the software you want when it comes down to running your own core router or firewall. The configuration style is pretty close to Juniper's. It has a great structure and a very good autocomplete. There are two versions available: an open source, free-to-use one and of course an enterprise version.

Now let's assume that you have your two machines installed; the installation is quite easy, you can run it from CD. Log in with user "vyatta" and password "vyatta" and type

install image

There is a short text interface which asks you some questions. Right after that you can reboot the system and enjoy the basics. Let's start with configuring the network.
Let's say that our two machines will run with the IPs 192.168.123.3 and 192.168.123.4, and we want to have 192.168.123.2 on both machines as a failover address between the two. For now we don't think about what service will use this address, as it could be anything from IPsec to outside NAT.

set interfaces ethernet eth0 address <x.x.x.x/x>

is the command you use to set these addresses.
Now we set up a Vyatta cluster via (the numbers in parentheses are just for my documentation!)

set cluster group myfirstcluster (1)
set cluster group myfirstcluster primary 'first-router' (2)
set cluster group myfirstcluster secondary 'second router' (3)
set cluster group myfirstcluster service '192.168.123.2/24/eth0' (4)
set cluster group myfirstcluster monitor '192.168.2.1'(5)
set cluster interface 'eth0'(6)
set cluster keepalive-interval '2000' (6)
set cluster dead-interval '10000'(7)
set cluster pre-shared-secret '!somesecret!'(8)


So what do we do in here?
In (1) we just name our cluster, so the instance will be "myfirstcluster".
In (2) and (3) we define the primary and secondary system; please set them to the names you have given your systems.
In (4) we set the service IP, so here we say that we want the IP 192.168.123.2/24 on interface eth0 to be the IP for the cluster instance.
(5) just adds a monitor to the system. Whenever one node can't connect to the other node it will check if the monitor is reachable; if not, the node will not take the service IP, as it seems the machine itself has a problem. You can add as many nodes as you want to.
In (6) we define the keepalive interval, i.e. at which interval keepalive packets are sent; here it is set to 2000 ms.
(7) is the dead interval: how many ms we wait before we assume the node to be dead.
And (8), of course we need a password, as we don't want another node to shut down our system.

Basically you do this on both machines.

Now something very useful. As Vyatta is just a Debian, you can always use "sudo -i" to become root and run tcpdump or something like that. As root you can also perform failovers by hand; you will find the scripts at:
  •  /usr/share/heartbeat/
    • hb_standby - will set the node into standby mode
    • hb_takeover - will let the node be master again

Tuesday, 25 March 2014

'Fedora Security Lab' - Spin

While looking around I found a very nice spin which is worth talking about: "Fedora Security Lab".

The Fedora Security Lab combines all the software you need for forensics or security testing in one Fedora spin.
The Fedora Security Lab provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations.
The spin is maintained by a community of security testers and developers. It comes with the clean and fast Xfce Desktop Environment and a customized menu that provides all the instruments needed to follow a proper test path for security testing or to rescue a broken system. The Live image has been crafted to make it possible to install software while running, and if you are running it from a USB stick created with LiveUSB Creator using the overlay feature, you can install and update software and save your test results permanently.
I tested it during the last days, and it really looks good; there are really just a few improvements I would like to see. But I guess I can help with that :-)

Currently the spin uses Xfce and works quite nicely with 1200 MB RAM (I installed it in VirtualBox). The software is located in its own subfolder. If you select a package, the console opens and displays the "-h" output, so you can easily start to use the software.

As I would like to support the spin, I am currently thinking about a documentation system, basically a man2html output of the packages, so you can pick your tool of choice via browser and have a "handout" of the config.

In my opinion Fedora Security Lab is a great tool for forensics and security testing. You can run it from LiveCD or USB stick and perform tests on potentially infected systems.

Some software you may want to use:

  • rkhunter - a tool which looks for rootkits on your system
  • nmap - of course, the ultimate port scanner :-)
and many, many more

Enjoy!

Wednesday, 19 March 2014

Fedora on Raspberry PI (Pidora)

After quite a long time I finally bought a Raspberry Pi Model B. Many people I know have used them for months (or a year) now, and we already use them at the company where we don't need a huge machine.

As I would like Fedora to run on it, let me introduce you to Pidora.
It's a Fedora remix to run on the Raspberry Pi, and currently a Fedora 18 based version is available.

The installation (which is currently ongoing) seems to be quite easy. Let's take a look at the steps you need to do

  1. Follow the instructions on the Fedora Raspberry Pi site and install the fedora-arm-installer:
    yum install fedora-arm-installer
  2. You can obtain the Pidora image from here
  3. Now it's easy: open the installer, choose the .img file, choose the target device and press install
So, now I will connect it to my television and see what happens

[...some minutes later...]

Okay, it worked: after booting (or actually powering on the system) a setup menu showed up, and one power cycle later the system was available.

Some things to mention:
  • sshd starts automatically
  • the network is set to DHCP
  • firewalld is off by default
so you can start using ssh to your box :-)

Enjoy!

Tuesday, 18 March 2014

Travelreport: Chemnitzer Linux Tage

So, this is my first conference where I am wearing a different jersey; I switched from a green one to a brand new blue one.

On Friday I started my journey. I stopped in Frankfurt for a short meeting and made my way to Chemnitz right after that (571 km, 5:10 hrs). It was a nice day to hit the Autobahn, and except for 12 km of stop-and-go while leaving Frankfurt there was no interruption.

Saturday, first day of CLT, started right at 8:30 in the morning. I was quite impressed by the number of people visiting the CLT. As always, many people stopped by to ask questions about Fedora or just to tell us that they are already using Fedora and like it.
Very few people came around to get technical support or to ask about the next features (maybe I should say Fedora.NEXT features).

As a note to myself:
  • someone should write a "Kickstart Fedora" book; there was a guy who asked for it and thought the documentation is just too much as a starting guide
  • I must file a feature request for "loook", which seems to be available in a new version; a friendly lady at the OpenOffice booth asked for it
Sunday means sleeping a bit longer, as the CLT starts at 9:00 am. Mostly the same as on Saturday :-)

I drove home in 4:50 hrs and arrived at 22:15.
3 days, 1142 km across the republic; I really enjoyed it :-)

As you can easily see, we have a 3D printer :-)

Friday, 7 March 2014

Running devstack on Fedora (Heisenbug)

Last week I played around with devstack on my home development server (actually an old Core2Duo notebook). I have tried it once on a CentOS 6.5 machine, but it seems they differ a bit, so it was not easy to get it going.

First the basics: I cloned devstack via git to my home folder
git clone https://github.com/openstack-dev/devstack.git
Now we need to create a stack user. There is a script available for this
/home/devstack/tools/create-stack-user.sh
and we need to change the ownership of the stack folder
chown -R stack:stack /home/stack
Now we need to create a local.conf file. I chose the minimal one and added some lines; as rabbitmq didn't work out on my setup I changed the message broker (see the rabbit/qpid lines)
[[local|localrc]]
ADMIN_PASSWORD=secret
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
SERVICE_TOKEN=a682f596-76f3-11e3-b3b2-e716f9080d50
#FIXED_RANGE=172.31.1.0/24
#FLOATING_RANGE=192.168.20.0/25
#HOST_IP=10.3.4.5
DEST=/home/stack
LOGFILE=$DEST/logs/stack.sh.log
RECLONE=yes
disable_service rabbit
enable_service qpid

IMAGE_URLS="http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2"
Right after that we run
./stack.sh local.conf
to build it; everything went fine so far. Quite nice: devstack opens a screen session with all the output given by the different components.
Then there was some trouble accessing the web interface, caused by SELinux, so as a short workaround I just did a
setenforce 0
and the login page showed up.