
Portaudit Central 1.0

Portaudit is intended to run daily against your ports directory, identifying known vulnerabilities against a central database. Each night it produces an email that gets sent out and requires inspection.
The problem with this is that with many FreeBSD hosts there can simply be too many emails, and I tend not to look at them.
Portaudit Central provides a means for delivering portaudit output to a central email box, which then produces a simple HTML based report of all machines. You can view a Sample Report produced using these scripts.
The server side script will call logger(1) with some useful diagnostic messages, but the lines being logged include some variables from the environment. I developed this under Exim and the environment variables it logs are set by Exim. It will still work under another MTA; the worst that will happen is some logging entries missing details like the sender and message id.
I’ve taken some steps to prevent man-in-the-middle attacks. An attacker could in theory produce a report that says a host has no vulnerabilities when in fact it does. To combat this a few things are done:

  • Only one report per host per day; any reports after the first will result in errors being logged. This should be a clear indication that you’ve either configured multiple clients with the same $hostname or someone is up to no good.
  • Each email sent has a very simple crypto signature: an MD5 hash of the body of the message and a passphrase, md5(body, passphrase). As long as your passphrases are secure (they aren’t sent along in the email, so no one can sniff them) someone else should not be able to produce a report that passes this check regardless of report content. Even if your passphrase is compromised you should be alerted to tampering by the log entries produced by the duplicate checking mechanism above, as long as you monitor your log files.
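The two checks above, written out as an added example in Python (the project itself is Perl; this is not its code). Host names, passphrases and report bodies are constructed sample data, and the signature is compared with a constant-time comparison rather than plain string equality.

```python
import hashlib
import hmac

# Constructed sample configuration: the passphrase the server expects per client host.
PASSPHRASES = {"web1.example.com": "correct horse battery staple"}


def sign(body: str, passphrase: str) -> str:
    """Signature scheme described above: MD5 over the message body followed by the passphrase."""
    return hashlib.md5(body.encode() + passphrase.encode()).hexdigest()


class ReportCollector:
    """Server-side acceptance logic: verify the signature, then enforce one report per host per day."""

    def __init__(self, passphrases):
        self.passphrases = passphrases
        self.seen = {}   # (hostname, day) -> accepted report body
        self.log = []    # what the real script would hand to logger(1)

    def accept(self, hostname: str, body: str, signature: str, day: str) -> bool:
        passphrase = self.passphrases.get(hostname)
        if passphrase is None:
            self.log.append(f"unknown host {hostname}")
            return False
        # Recompute the signature with the server's copy of the passphrase; an attacker
        # who does not know it cannot produce a matching value for an altered body.
        expected = sign(body, passphrase)
        if not hmac.compare_digest(expected, signature):
            self.log.append(f"bad signature on report from {hostname}")
            return False
        # Duplicate check: a second report for the same host on the same day is refused
        # and logged, which is the alert that catches a stolen passphrase being used.
        key = (hostname, day)
        if key in self.seen:
            self.log.append(f"duplicate report for {hostname} on {day}")
            return False
        self.seen[key] = body
        return True
```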

I’ve used this system myself for around a month now and have been quite happy with it, but no one else has had a look at it yet, so I’d appreciate feedback if anyone uses it. In the future I hope to make the output from the report generator themed; right now it’s very ugly but it does what it should. I will also move to an actual configuration file rather than editing some Perl variables. I’m open to other suggestions.
Version 1.0 can be downloaded here: portauditcentral-current.tgz. The full documentation, including installation instructions, can be found at the Wiki.

Truecrypt Version 4

I’ve previously posted about Truecrypt and mentioned how much I like it and how I’m using it for my OTFE needs.
Today they released version 4, which comes with a very long list of enhancements; the most significant new feature is support for Linux, with binaries for a number of distributions. There are so many enhancements in this version that I won’t attempt to go into much detail here; the history file does a great job. If you use Truecrypt then check out the new version today.

Sharing Directories between Jails using nullfs

I run a number of jails on my servers and each of these has the same files over and over. The biggest problems are of course /usr/ports and /usr/src: they’re a total waste of space and it’s a lot of work running multiple portsnaps etc. to keep them all synced.

BJE mentioned he is using nullfs to mount his main /usr/ports into the jails. I did some hunting for information on this and found it’s a bit thin on the ground; the main reason is that up until 6.0 it’s considered broken, though testing shows it works OK, at least for normal use.

FreeBSD 6.0 will have extensions to its rc.conf to make all of this easy.

You can create per-jail fstab files; by default they are stored in /etc/fstab.jailname, but you can override the filename using jail_example_fstab. Below is a sample fstab file for one of my jails:

/usr/ports /jails/example/usr/ports nullfs rw 1 1
/usr/src /jails/example/usr/src nullfs ro 1 1

To enable the mounting of these file systems at boot time, if you use the rc.conf method of booting your jails, simply add jail_example_mount_enable="YES" to your jail section. A full rc.conf extract to start one example jail is below:

jail_enable="YES"
jail_list="example"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="NO"

jail_example_rootdir="/jails/example"
jail_example_hostname="example.com"
jail_example_ip="192.168.1.100"
jail_example_exec="/bin/sh /etc/rc"
jail_example_devfs_enable="YES"
jail_example_fdescfs_enable="NO"
jail_example_procfs_enable="YES"
jail_example_devfs_ruleset="devfsrules_jail"
jail_example_mount_enable="YES"

I’ll also investigate sharing /bin, /sbin, /lib, /libexec, /usr/sbin, /usr/sbin and a few others between jails, but it gets a bit tricky if you want to install other versions of Perl from ports since they maintain symlinks in /usr/bin etc. This could however simplify world upgrades a lot.

While researching this I came across ezjail, a script compatible with FreeBSD 6.0 and later to maintain jails, which uses nullfs extensively to share a lot of directories from a base jail install. This gives a big potential security improvement because you can mount the system directories read-only for further protection in the event of a compromise. I will definitely investigate this before I start building my new hosted server once FreeBSD 6.0 is out.

Customize Google

After fiddling a bit with Flock I really liked the bookmarks integration but hated the rest of it, so I figured I’d try to find some plugins for Firefox that do something similar. It has to be said there is a major gap here for plugins in that area, sigh.
So while doing that I came across Customize Google, a fantastic little plugin that fixes up Google search results. Some of its features:

  • Use Google Suggest (suggest words while you’re typing) on all searches
  • Add links to competitors that let you search on other search engines for the same term
  • Rewrite links to point straight to the images in Google Images
  • Removes image copying restrictions in Google Print
  • Secure Gmail, switch to https
  • Remove ads, including in Gmail
  • Anonymize your Google userid
  • Filter spammy websites from search results
  • Add links to WayBack Machine (webpage history)
  • Remove click tracking

These are all fantastic features, though I think the spammy link filter deserves special attention. I previously wrote a frontend to Google using the Google API to filter out those annoying user review sites; this does the same right there in the actual Google interface. It supports regex and all that, fantastic.
Check it out. There is an animated GIF demo on their front page that should get you hooked immediately.

DHTML Menus

It is time for a site redesign and I’ve been investigating DHTML menus. Till now I’ve used Visual Menu; it is nice but has a Windows wizard-type tool for building the menu, otherwise you need to use a pretty complex but flexible config file format. Currently I’m on a Mac so it’s just annoying, so I figured it’s time for something new.
A bit of browsing found TwinHelix, a site with a couple of DHTML based menus and other gizmos; some really nice ones there. It’s donationware but you can use it for free if you provide a link back to the author.
I’ll launch my new design once the new Movable Type is out with its tags and other new stuff, since incorporating those will require a bit of template hacking; I’ll get it all done in one go.