Posts from ‘Programming’

Sep
27

The Problem

After the bash exploit ‘shellshock’ was released a few days ago I’ve been going around my servers and applying the required patches, however after doing a ‘apt-get update’ on one of the web servers PHP based requests were no longer working.

Having a look in the Nginx error logs I found that the issue appeared to be at the PHP-FPM layer of the server (which I kind of expected), as it did have an update included in the bulk install and it was PHP that seemed to be broken, heres an example log:

2014/09/26 05:24:28 [crit] 26963#0: *19 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 46.226.191.96, server: subnet.im, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "subnet.im"
2014/09/26 05:24:29 [crit] 26963#0: *19 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 123.226.191.96, server: subnet.im, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "subnet.im"
2014/09/26 05:24:30 [crit] 26963#0: *19 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 123.226.191.96, server: subnet.im, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "subnet.im"
2014/09/26 05:24:32 [crit] 26964#0: *28 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 123.226.191.96, server: subnet.im, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "subnet.im"
2014/09/26 05:24:38 [crit] 26964#0: *37 connect() to unix:/var/run/php5-fpm.sock failed (13: Permission denied) while connecting to upstream, client: 123.226.191.96, server: subnet.im, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "subnet.im"

After some digging around I found that this was caused by a PHP bug fix #67060 (linky here), the bug was basically providing possible privilege escalation on the web server which they’ve fixed, however this changes some of the permissions stopping Nginx connecting to the required stocket used for PHP processing.

The Fix

Fortunately the fix is fairly simple, edit the PFP-FPM configuration.

 nano /etc/php5/fpm/pool.d/www.conf

Add in these three lines, they are probably already there and just need the comment marks removing.

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

Finally re-start the PHP-FPM service and you should be back in business.

sudo service php5-fpm restart
Mar
23

bwMeterCaseThe home and small business routers these days that us geeks would be interested in buying are shipping with SNMP server functionality built in as standard, and when their not there’s normally some way of breaking into the Busybox Linux distro (that most of them use) and installing some kind of SNMP daemon.

However there’s always cases where that options not available for some reason or another, in these cases you can use a setup like Kurt’s, where he decided to build a passive bandwidth monitor (even through the router in his pictures does support SNMP?!).

See a basic video of it in operation here:

The basic setup consists of a passive network tap; This is basically just a fancy way of saying that you’ve cut into the pairs of a Cat5e network cable and added in an extension of the pairs to your own device. The device that you add in should be doing nothing other than monitoring, so that it’s not transmitting any data on to the cable that would confuse the other two host which assume their are directly connected to each other with no other hosts on the network segment. The limitation of this setup is you need physical access to the cable, and due to the nature of high speed ethernet it would only work on 100Mbps connections or less.

The electronic brains behind the setup is a ENC624J600 chip to interface with the ethernet layer, chosen because of it’s raw ethernet functionality, this was connected up to an Atmega128 using the SPI interface which would run the core code to count packets and plot on the LED display.

To have a look at Kurt’s full write up on the project, head over to here.

Jan
22

What is MemCache?

Some of you have probably just stumbled along this post without actually knowing what MemCache does, so here is a bit of technical context before I dive into the implementation methods, problems and of course solutions.

In it’s most basic form MemCache is a normal program that runs on top of your operating system, typically you run this on something like your web server as a separate service, just like you would Apache, NTP, MySQL etc.

The service has a very simple aim, you provide it with a key and some corresponding data, this is then saved in memory via the MemCache process and you can access it at a later date. You leverage the benefit in two ways, firstly because the data is held in RAM which is much faster than other storage options, and secondly because the data is typically already in a usable format and therefore requires little extra processing by your application, saving time and physical resources.

How do I use it?

Well I did start of by writing an explanation, however here is an example (with some inline comments):

// We will start by making a new MemCache instance, and assign it to the variable $mc
$mc = new Memcache;

// Using the $mc instance we will connect to our server, normally this will be on port 11211 (localhost)
$mc->connect('127.0.0.1', 11211) or die ("Could not connect");

// Memcache will save data to a specific unique key, you can set this to almost anything
$thekey = "PostCount";

// Now we are going to define the data, this will be saved to our $thekey
$thedata = "12340";

// Now to actually pass the key and data to memcache, note '0' means we are not going to have this expire after a specified amount of time.
$mc->set($thekey, $thedata, false, 0);

// Using $thekey we will get the memcache data back, this will be saved into our variable $result
$result = $mc->get($thekey);

echo $result; //will return 12340

Problems?

The majority of todays applications are built on top of relational databases such as MySQL, therefore adding a basic key/data technology on top of them for cacheing can be hell for programmers. With Key based data you have to know the exact key otherwise you will get nothing returned, MySQL however allows you to search by almost any method you can think of using the saved data.

Another problem is building a solution to define keys that’s going to be accurate, scalable and easy to implement. For example i could save web based user information to memcache using a key based on their numeric user-id (Eg: Key = 412, UserName = Bob), however I then need to go through all of my code and before performing a SQL lookup, perform a memcache lookup, that’s going to be a headache. Plus some things such as the login progress might want to convert ‘bob’ into the userid ‘412’, that’s not possible as ‘bob’ is my memcache data, which you can’t search by, you can only request data by using the Key.

Solution, Hash Key

The solution is fairly simple to implement, you leave almost all of your code as it is and go to your database class (I am assuming that you have one, most developers use one), below is an example extract of what yours could look like, before we get started changing it.

// Function: pass some SQL and it will return the result
// (Insecure, just shown as an example)
function sql_search($sql){

  // Connect to my database
  mysql_connect("localhost", "root", "password") or die(mysql_error());
  mysql_select_db("testdb") or die(mysql_error());

  // Run the SQL query
  $result = mysql_query($sql) or die(mysql_error());
  return mysql_fetch_array( $result );

}

Solution: So what you do is accept the $sql string, run it through an md5() hash function, and check if there is any memcache result using the hash as your key, if there is skip the SQL, if there isnt run the SQL but then add the result to memcache.

// Function: pass some SQL and it will return the result
// (Insecure, just shown as an example)
function sql_search($sql){

  // Create the hash key
  $thekey = md5($sql);

  // Connect to memcache server
  $mc = new Memcache;
  $mc->connect('127.0.0.1', 11211) or die ("Could not connect");
  $result = $mc->get($thekey);

  // If there was a memcache hit, return the cache result
  if(!empty($result)) return $result;

  // Connect to my database, there was no cache hit
  mysql_connect("localhost", "root", "password") or die(mysql_error());
  mysql_select_db("testdb") or die(mysql_error());

  // Run the SQL query
  $result = mysql_query($sql) or die(mysql_error()); 

  // Save the result to memcache
  $mc->set($thekey, $result, false, 0);

  return mysql_fetch_array( $result );

}

Overview

As you can see it’s a simple solution, no matter what application your using if there is a SQL backend and also a SQL class/function memcache can be added in with very minimal work, here are a few last tips:

  • Build a variable into your SQL function to disable/enable cache, I have a few applications that only use it in high server load times.
  • Consider building a function to clear the cache for some of your variables, for example if you add a blog comment you might want to clear blog comment cache.
  • Sometimes just use memcache code if the data isn’t valuable, i have done this with stat’s information before, and just poll/clear memcache every few hours.
  • Don’t forget cache will be deleted after some time, so make sure your application doesn’t error if this happens.
  • Build some checks in to returned memcache data, don’t just assume that its worked
Dec
22

I have recently been playing around with python in my lack of “spare time”, it’s quite a powerful and very useful programming language to have knowledge of, as it’s fairly platform independent meaning no matter what servers I am working on the scripts should work, if python is installed of course.

Further more the structure of the code is designed to be “hacker friendly”, and I don’t mean that it’s great for script kiddies that want to run port scans etc, i mean it’s designed for the people that quickly want to write a program to hack together a solution for a problem, something thats probably going to give me some real world value. This can be seen when you look into the coding further:

What Semicolon?

Most program languages dont really pay much attention to how humans structure their code, this means things have to me made clear to them. An example of this is most languages will request an end of line to be marked with a semicolon “;”. Python is more intuitive and actually looks for where a new line starts/ends, therefore semicolons are now optional. Infact it’s considered bad practice by Python coders to use them at all in their scripts.

In PHP:

echo "Hello world!";

In Python:

print "Hello world!"

Belt and Braces, no thanks!

Another great example is the use of indentation, typically developers will have to wrap functions and statements in braces “{}”, they will then also indent the code using tabs/spaces to make it more humanly readable. In reality this becomes redundant as your trying to please both the interpreter and the human reading your code.

Python therefore removes the braces in favour of what humans are already going to use, indentations! Another advantage of this is your code becomes more readable, as good structure no longer becomes a best practice it actually becomes a requirement for your code to run as you intend!

In PHP:

function test(){
  echo "test";
}

In Python:

def test():
  print "test"

Finally probably one of the best things is that is so easy to learn, because they have embraced what many programers already do most of the coding becomes almost natural, and there are less language rules or idiosyncrasies to incorporate into your code.

I will probably be doing some more posts on python as my knowledge hopefully expands in it.

Jun
26

CentOS

CentOS Logo

This guide on how to secure you tmp directory is written for a CentOS 64Bit VPS running on OpenVZ.

Server administration is a constant battle with security, however there are a few key process that can be done to a server to decrease it’s attack footprint; one of these is to secure the temp directory on your server, which is actually a very simple process. So we will discuss two things here, first why do I need to secure my tmp directory, and finally how do I secure the tmp directory on my Linux server?

The tmp directory (/tmp) is an area on the Linux server that scripts can (as the name suggests) hold temporary files; normally you would expect this to be something such as cached images or database results. However malicious scripts might use this data store to hold some compromising code, with aim to execute it on the system and perhaps install some kind of root kit.

There is a fairly simple fix for this, you can still use the /tmp directory however by creating it as a standalone partition you separate it from the rest of your file system. This will then allow you to define some fairly low level and basic access permissions to block malicious script execution.

Onto to the how, most of my systems at the moment are OpenVZ based virtual servers, unfortunately due to the hypervisor this makes the process slightly more complicated, however just follow the guide below.

NOTE: You will be performing some file system changes here, which are very risky if done incorrectly or are incompatible with your OS. As always I take no responsibility for the results from running these commands, you should always have a full back up, test the process in a lab, and make sure you know what the commands actually do!

First thing that we need to do is open up the fstab file for editing, we are going to use nano for this, however any editor will do the job.

nano -w /etc/fstab

Now we need to create a new line, so navigate to the bottom of the file using your arrow key’s and append the following line, I recommend copying & pasting to ensure you don’t get it wrong.

none /tmp tmpfs nodev,nosuid,noexec 0 0

If you opened using nano you can now close using ctrl+x and then answering “y” to save.

So our changes have been applied to the configuration file, we just now need to remount the temp directory to make the changes become live on the system. Double check the changes before running this command:

mount -o remount /tmp

There is also another temp directory which is wise to secure (/var/tmp dir)
So make a backup (don’t skip this step, you need the files in a bit)

mv /var/tmp /var/tmpfiles

We can now make a link to map /tmp to /var/tmp

ln -s /tmp /var/tmp

Restore the files from the backup you made before

cp /var/tmpfiles/* /tmp/

Restore the files from the backup you made before, and make sure that the files in tmpfiles are now in tmp.

ls /var/tmpfiles
ls /var/tmp

If it looks ok, you can remove the tmpfiles directory.

Rm -rf /var/tmpfiles

That’s it! You should now be a bit more secure!

Our Sponsors