WTF *Nix

Just another *nix Blog

Archive for the ‘Webhosting’ Category

Bahhhh Web Servers and Firewalls…

Dec-10-2009 By WTF *Nix

Going to break these down into parts for each of you to understand if you are new in this area… I know for a fact there are some gurus out there who may read this and say something along the lines of… “What a waste of time…” Well, this isn’t for you, ole Mighty Gurus :P

So lets start with…

Web and FTP Servers

Every network that has an internet connection is at risk of being compromised. While there are several steps that you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic, and restrict outgoing traffic.

However, some services such as web or FTP servers require incoming connections. If you require these services, you will need to consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (demilitarized zone). Ideally all servers in the DMZ will be stand-alone servers, with unique logons and passwords for each server. If you require a backup server for machines within the DMZ, acquire a dedicated machine; the golden rule is to keep the DMZ backup solution separate from the LAN backup solution.

The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ: traffic to and from the internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN would be treated totally separately from traffic between your DMZ and the Internet. Incoming traffic from the internet would be routed directly to your DMZ.

Then, if a hacker were to compromise a machine within the DMZ, the only network they would have access to would be the DMZ. The hacker would have little or no access to the LAN. It would also be the case that any virus infection or other security compromise within the LAN would not be able to migrate to the DMZ.

In order for the DMZ to be effective, you will have to keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases, the only traffic required between the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need some sort of remote management protocol such as terminal services (SSH, RDC, etc.) or VNC.

Database servers

If your web servers require access to a database server, then you will need to consider where to place it. The most secure place for a database server is yet another physically separate network called the “secure zone,” and that is where the database server belongs!!! Not in the UNSECURED ZONE!

The “secure zone” is likewise a physically separate network connected directly to the firewall, and it is by definition the most secure place on the network. The only access to or from the secure zone would be the database connection from the DMZ (and from the LAN if required).

Exceptions to the rule

The dilemma faced by network engineers (monkeys) is where to put the email server. It requires an SMTP connection to the internet, yet it also requires domain access from the LAN. If you were to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN. In my opinion, the only place you can put an email server is on the LAN, allowing SMTP traffic in to this server. However, I would recommend against allowing any form of HTTP access into this server. If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution. (Briefly, the reason to use a VPN solution is to have the firewall handle the VPN connections. LAN-based VPN servers allow the VPN traffic onto the network before it is authenticated, which is NEVER a good practice.)

I know this doesn’t cover EVERYTHING under the sun for security on web servers; this is just a “brief” overview, from my own experience, of why to secure and what to place where… So get secured, and if you have any questions, you know this blog is WIDE-OPEN for you to post and seek help. Surely I don’t know EVERYTHING yet, but I’ll damn sure try to find the answer for you regardless. =)

WTF get’r done!!!


phpMyAdmin on Fedora 10

Mar-28-2009 By WTF *Nix

Install phpMyAdmin on Fedora via Yum:

1. From the command line: # yum -y install phpMyAdmin

2. Setting up access (Security Defaults are a pain!)

# cd /etc/httpd/conf.d/

# vim phpMyAdmin.conf

Inside this file you will find the following:

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
order deny,allow
deny from all
allow from 127.0.0.1
</Directory>

# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc.  This may break your mod_security implementation.
#
#<IfModule mod_security.c>
#    <Directory /usr/share/phpMyAdmin>
#        SecRuleInheritance Off
#    </Directory>
#</IfModule>

To gain access to it from another machine or IP address (for example a workstation on your network), add the following ONE LINE to the first <Directory> block. Here the workstation’s IP address is 192.168.0.90:

# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL

Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
order deny,allow
deny from all
allow from 127.0.0.1
allow from 192.168.0.90
</Directory>

# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries>
Order Deny,Allow
Deny from All
Allow from None
</Directory>

# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc.  This may break your mod_security implementation.
#
#<IfModule mod_security.c>
#    <Directory /usr/share/phpMyAdmin>
#        SecRuleInheritance Off
#    </Directory>
#</IfModule>
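
Because every extra “allow from” line widens who can reach phpMyAdmin, it helps to audit the allow list before restarting Apache. The following is an added example, not part of the original post or of the phpMyAdmin package: it parses the “Allow from” directives out of a copy of the <Directory> block above (the sample text is constructed for this example) and classifies each source as loopback, private, public, everyone, or something that needs checking by hand.

```python
import ipaddress
import re

# Constructed sample: the edited <Directory> block from phpMyAdmin.conf above,
# with the workstation 192.168.0.90 allowed beside localhost.
SAMPLE_CONF = """\
<Directory /usr/share/phpMyAdmin/>
order deny,allow
deny from all
allow from 127.0.0.1
allow from 192.168.0.90
</Directory>
"""

# Apache directives are case-insensitive, so match "allow from" and "Allow from".
_ALLOW_RE = re.compile(r"^\s*allow\s+from\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def allowed_sources(conf_text):
    """Every source named on an 'Allow from' line; one line may list several."""
    sources = []
    for match in _ALLOW_RE.finditer(conf_text):
        sources.extend(match.group(1).split())
    return sources

def audit_allow_list(conf_text):
    """Map each allowed source to 'loopback', 'private', 'public', 'all' or
    'unparsed' (hostnames and Apache partial-IP prefixes: check those by hand)."""
    verdicts = {}
    for src in allowed_sources(conf_text):
        if src.lower() == "all":
            verdicts[src] = "all"          # Apache keyword: everyone
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            verdicts[src] = "unparsed"
            continue
        if net.is_loopback:
            verdicts[src] = "loopback"
        elif net.is_private:               # RFC 1918 and other non-global ranges
            verdicts[src] = "private"
        else:
            verdicts[src] = "public"
    return verdicts

def is_local_only(conf_text):
    """True when no allowed source reaches beyond loopback or private ranges."""
    return all(v in ("loopback", "private")
               for v in audit_allow_list(conf_text).values())
```

Run it over the real file with `audit_allow_list(open("/etc/httpd/conf.d/phpMyAdmin.conf").read())`; the libraries block’s “Allow from None” shows up as “unparsed”, which is the expected result there.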

3. Setting up Normal Authorization to phpMyAdmin:

Edit the following lines in /etc/phpMyAdmin/config.inc.php to ensure you can log in to phpMyAdmin:

$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?
$cfg['Servers'][$i]['user'] = 'USERNAME'; // MySQL user
$cfg['Servers'][$i]['password'] = 'PASSWORD'; // MySQL password (only needed

Replace USERNAME and PASSWORD with your MySQL username and password respectively.

By default, phpMyAdmin connects to MySQL on localhost using the default port and socket. If you wish to change these settings, edit the lines below:

$cfg['Servers'][$i]['host'] = 'localhost'; // MySQL hostname or IP address
$cfg['Servers'][$i]['port'] = ''; // MySQL port - leave blank for default port
$cfg['Servers'][$i]['socket'] = ''; // Path to the socket - leave blank for default socket

4. View it in any web browser by going to http://localhost/phpMyAdmin, or via the server’s IP or hostname :)

If any other settings need changing to fit your requirements, feel free to do so, and make sure you check out their documentation. :)

WTF phpMyAdmin it up!


Python URL Parsing

Mar-23-2009 By WTF *Nix

The urlparse module included with Python makes it easy to break down URLs into specific components and reassemble them. This is very useful for a number of purposes when processing HTML documents.

The urlparse(urlstring [, default_scheme [, allow_fragments]]) function takes the URL provided in urlstring and returns the tuple (scheme, netloc, path, parameters, query, fragment). The tuple can then be used to determine things such as location scheme (HTTP, FTP, and so on), server address, file path, and so on.

The urlunparse(tuple) function accepts the tuple (scheme, netloc, path, parameters, query, fragment) and reassembles it into a properly formatted URL that can be used by the other HTML parsing modules included with Python.

The urljoin(base, url [, allow_fragments]) function accepts a base URL as the first argument and then joins whatever relative URL is specified in the second argument. The urljoin function is extremely useful in processing several files in the same location by joining new filenames to the existing base URL location.

Try this example out in your Python environment yourself and see:

try:
    import urlparse                        # Python 2 module name used in this post
except ImportError:
    import urllib.parse as urlparse        # same functions under Python 3
parsedTuple = urlparse.urlparse(
    "http://www.google.com/search?hl=en&q=urlparse&btnG=Google+Search")
# unpack the six components so the names used below are defined
URLscheme, URLlocation, URLpath, URLparams, URLquery, URLfragment = parsedTuple
unparsedURL = urlparse.urlunparse((URLscheme,
        URLlocation, URLpath, '', '', ''))   # rebuild just scheme://host/path
newURL = urlparse.urljoin(unparsedURL,
    "/module-urllib2/request-objects.html")
print(newURL)
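
The same three functions are handy on the defensive side: a web application that redirects to a user-supplied “next” URL can use urljoin and urlparse to make sure the resolved target still points at its own host. This is an added example, not code from the original post; it uses Python 3’s urllib.parse (the renamed urlparse module), and the host and link values are constructed for the example.

```python
from urllib.parse import urlparse, urljoin   # Python 3 home of the urlparse functions

ALLOWED_SCHEMES = ("http", "https")

def safe_redirect_target(base_url, candidate):
    """Resolve a user-supplied link against base_url and return the absolute
    URL only if it still points at base_url's own host over http(s).
    Returns None for anything that would send the user elsewhere."""
    base = urlparse(base_url)
    # urljoin resolves relative paths, but it also passes through absolute URLs
    # and promotes scheme-relative ones ("//other.example/x") to a full URL, so
    # the joined result must be parsed and checked again rather than trusted.
    resolved = urljoin(base_url, candidate)
    target = urlparse(resolved)
    if target.scheme not in ALLOWED_SCHEMES:
        return None                      # e.g. javascript:, data:, ftp:
    # Compare the whole netloc: "user@host" forms and explicit ports count too.
    if target.netloc.lower() != base.netloc.lower():
        return None
    return resolved

# Constructed inputs for this example (not from the post).
if __name__ == "__main__":
    for link in ("/account", "search?q=urlparse", "//evil.example/phish",
                 "http://www.example.com@evil.example/", "javascript:alert(1)"):
        print(repr(link), "->", safe_redirect_target("http://www.example.com/login", link))
```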

VIM Power Editor Commands :: Part I

Mar-23-2009 By WTF *Nix

If you are looking to have a list of commands to keep handy, figured I would share these here with others that need a starting point with VIM:

1. The cursor is moved using either the arrow keys or the hjkl keys.
h (left)    j (down)       k (up)        l (right)

2. To start Vim from the shell prompt type:  vim FILENAME <ENTER>

3. To exit Vim type:       <ESC>   :q!     <ENTER>  to trash all changes.

OR type:   <ESC>   :wq     <ENTER>  to save the changes.

4. To delete the character at the cursor type:  x

5. To insert or append text type:

i   type inserted text   <ESC>        insert before the cursor
A   type appended text   <ESC>         append after the line

NOTE: Pressing <ESC> will place you in Normal mode or will cancel an unwanted and partially completed command.

Here is VIM’s Part II


macchanger manual :: How To

Mar-21-2009 By WTF *Nix

Name

macchanger – MAC Changer

Synopsis

macchanger [options] device

Description

macchanger is a Linux utility for viewing/manipulating the MAC address for network interfaces.

Options

macchanger accepts the following options:

-h, --help
Show summary of options.
-V, --version
Show version of program.
-e, --ending
Don’t change the vendor bytes.
-a, --another
Set random vendor MAC of the same kind.
-A
Set random vendor MAC of any kind.
-r, --random
Set fully random MAC.
-l, --list[=keyword]
Print known vendors (with keyword in the vendor’s description string).
-m, --mac XX:XX:XX:XX:XX:XX
Set the MAC to XX:XX:XX:XX:XX:XX.

Example

macchanger -A eth1

See Also

ifconfig(8)

Author
Alvaro Lopez Ortega <alvaro@alobbs.com>.
