Category Archives: Security

Responding to search terms

Got a few good search terms to respond to again, so here goes:

twiki install centos 5.1: Don’t do it unless you know what you’re getting into. I had a bad security experience likely caused by Twiki, and I’ve seen a lot of people reporting similar experiences that they are convinced was Twiki’s fault. At the very least, google “twiki security” before you do it. The codebase is much too large for a single person to audit it in a reasonable amount of time. If you need a good Wiki in general, give Moin a try. Consider using a Wiki hosting service, where someone else has to worry about the security of the underlying machine. Or just don’t use a Wiki at all — unless you truly want what a Wiki in specific has to offer.

iphone unofficial toolchain easiest way: There is no easy way. There is drudge’s way that I point to in another entry, but aside from that I didn’t find any way that was at all easy. binutils can be convinced to generate (possibly-working) tools for arm-apple-darwin fairly easily, but I think GCC is a bit trickier. Don’t try to do it on your own unless you want to spend a lot of time making the tools work rather than using them.

do peanuts have gluten?: Nope, peanuts don’t have gluten in them. They may have gluten on them, though — it depends on how they’ve been processed or flavoured. When in doubt, read the label and assume that “spices” includes something gluten-based. I’ve seen some with and some without gluten, so have a look around.

A million monkeys…

They say that a million monkeys on a million typewriters would one day reproduce the works of Shakespeare. There seem to be a million script kiddies on a million crappy PCs trying dictionary-based ssh login attacks on my VPS these days, and they won’t accomplish anything at all.

Since I reinstalled my VPS earlier this month I’ve chalked up over 110’000 failed login attempts. Some of them are understandable — attempts at root, mostly. Some of them are stupid — since when did the postgres user get a password? The rest are beyond moronic. What are the chances that a completely random server has a user named “avayo”? Do these people really think “frank” is a common name any more? I don’t personally know anyone named Frank who is under 60 years of age, and he certainly wouldn’t be on-line pretending to be a sysadmin in his mid-30s.

Days like this I wish I had a cattle prod that worked over the ‘net.
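The dictionary attacks described above leave exactly the trail that makes counting them easy. The following is an added example (not code from the original post) that tallies failed password attempts per username and per source address from sshd log lines in the syslog format CentOS writes to /var/log/secure; the log lines here are constructed, not taken from the author's machine.

```sh
#!/bin/sh
# Constructed sample of sshd auth-log lines (not from the author's VPS).
SAMPLE_LOG='Mar  4 02:11:07 vps sshd[2201]: Failed password for root from 203.0.113.5 port 4411 ssh2
Mar  4 02:11:09 vps sshd[2201]: Failed password for root from 203.0.113.5 port 4412 ssh2
Mar  4 02:11:12 vps sshd[2203]: Failed password for invalid user avayo from 203.0.113.5 port 4413 ssh2
Mar  4 02:11:15 vps sshd[2205]: Failed password for invalid user frank from 198.51.100.7 port 5010 ssh2
Mar  4 02:11:19 vps sshd[2207]: Failed password for postgres from 198.51.100.7 port 5011 ssh2
Mar  4 02:11:22 vps sshd[2209]: Accepted publickey for alice from 192.0.2.9 port 6000 ssh2'

# Failed password attempts per username, most frequent first ("user count").
# Accounts that exist ("root", "postgres") and guesses at accounts that do not
# ("invalid user avayo") are both counted.
failed_by_user() {
    grep 'Failed password for' |
    sed -E 's/.*Failed password for (invalid user )?([^ ]+) from.*/\2/' |
    sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Failed password attempts per source address, most frequent first ("ip count").
# This is the list you would feed to a firewall rule or a rate-limiting tool.
failed_by_ip() {
    grep 'Failed password for' |
    sed -E 's/.* from ([0-9.]+) port.*/\1/' |
    sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Usernames that do not exist on the box: pure dictionary guesses, one per line.
invalid_users() {
    grep 'Failed password for invalid user' |
    sed -E 's/.*invalid user ([^ ]+) from.*/\1/' | sort -u
}

# Total number of failed password attempts in the input.
total_failed() {
    grep -c 'Failed password for'
}

# Demo on the constructed sample; for a real box use: failed_by_user < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | failed_by_user
```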

The clean-up

After all of the “excitement” I’ve resolved to embrace the KISS principle a little more. There are certainly limits — I can’t personally vouch for every line of code in Linux and Apache, but I’m pretty sure they’re safe bets. Same with mod_perl and Perl itself.

There are enough people using them on public production servers that the security problems are largely known and documented. If I had to put forward a guess as to where things went wrong it was probably with TWiki. It seems to have a tendency to be used behind corporate firewalls, and has a much smaller installed base than Linux or Apache.

Of course, it’s entirely likely that it was a more familiar demon (not daemon) at work — inexperience. That was perhaps my second TWiki installation, as opposed to the Linux or Apache installations I’ve done, which number in the thousands. It’s easy to imagine that I missed some important step in securing the installation. It may have even been one of those things that would have even a moderately-experienced TWiki-er rolling their eyes and saying “oh, you didn’t miss that huge, important step with all the blinking lights and police tape”.

That being said, I’m not too terribly interested in seeing how my third TWiki installation attempt would stand up to the world. I’m looking at some alternatives that I can vouch for. I trust my building blocks. I certainly don’t think that I can do large-scale software security better than the TWiki folks — indeed, I’d argue for their abilities over mine any day of the week. I don’t intend to do anything large-scale. I intend to do it as small and simple as I can get away with.

Someone who is a lot smarter than me said something to the effect of there being two ways to build software. You can build complex software that has no obvious defects, or you can build simple software that obviously has no defects. I’m going to make a play at the latter. I’d sooner risk taking my lumps along the way and learn as I do it, rather than fiddle with a huge piece of software that I will use 15% of the capability of and don’t have the time to fully learn and understand.

So what’s next? Some software, obviously. But not before I bring back the blog entries that were on the wiki and make sure I can keep writing them. Where once there was TWiki there is now vi, and I can handle that. So first things first — the archives!

The break-in

Signs of trouble? Time to use the VPS advantage and pull the plug. Someone defaced my wiki with 1 x 1 divs with porn links — too bad that doesn’t actually do much for one’s Google PageRank. I logged in to investigate that and discovered someone ssh’d into the system from a machine in France. I couldn’t find any evidence besides the connection from the remote machine and didn’t have known-good system utilities handy, so I deep-sixed the installation. No sense in taking stupid risks.

So what’s next? Re-installed CentOS 5.1, uninstalled pretty much everything that isn’t a dependency of something I use, and I won’t be bothering with a wiki any more. I’d sooner do it by hand than worry about whether someone or another decides to try to pump their porn site.

As for how the intruder (if there was one) got in — no clue. I didn’t have a known-good set of tools handy, and I wasn’t in the mood to do a whole lot of forensic work that would likely turn up nothing. He (I’m assuming that women can figure out more useful things to do) was probably logged in from a similarly broken-into machine, and those trails don’t lead anywhere unless you’ve got the cooperation of pretty much the whole world, and that doesn’t happen.

There are also too many unknowns for me to make too many guesses — could it be a violation of Xen partitioning? Could it be a bug in Xen itself that showed me something that wasn’t really there (in my instance, at least)? The connection was to one of my spare IP addresses, and those don’t fall into any sort of order that I can make out. Indeed, the address he was connected to is in a different class A than the rest of the IPs on my instance.

Oh well — there’s naught that can be done about it. I took SHA-256 sums of every file that matters and will be installing a little thing or two to keep an eye on the system for me. I’m also going to follow the KISS principle when I get more dynamic web stuff up. No big wikis (as much as I do like TWiki), and I’m probably going to have a bad case of “if it’s not Apache and not Perl and NIH, then screw it” for a while.
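Taking SHA-256 sums of the files that matter, as mentioned above, is only useful if they are rechecked later against a copy kept out of reach of the box. The following is an added example (not the author's own tooling) that builds such a baseline with GNU coreutils' sha256sum, re-verifies it, and also reports files that appeared since the baseline, which sha256sum -c alone will not notice; the directory and manifest paths in the comments are placeholders.

```sh
#!/bin/sh
# Baseline manifest: one "<sha256>  <relative path>" line per regular file under
# $1, written to $2. Keep the manifest outside the tree (and ideally on
# read-only or off-box storage); if it sat inside, it would hash itself.
make_baseline() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$manifest"
}

# Re-hash the tree against the manifest. Prints one line per file that was
# modified ("FAILED") or removed ("FAILED open or read"); exits non-zero if
# anything differs, zero if the tree still matches the baseline.
verify_baseline() {
    dir=$1; manifest=$2
    ( cd "$dir" && sha256sum -c --quiet "$manifest" 2>/dev/null )
}

# sha256sum -c only knows about files listed in the manifest, so a planted file
# would go unnoticed. List regular files present now that the baseline lacks.
new_files() {
    dir=$1; manifest=$2
    now=$(mktemp)
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) > "$now"
    awk '{ sub(/^[^ ]+  /, ""); print }' "$manifest" | LC_ALL=C sort | LC_ALL=C comm -13 - "$now"
    rm -f "$now"
}

# Typical use (placeholder paths): snapshot right after installing, then
# re-check from cron or from a rescue environment with known-good tools:
#   make_baseline /etc /root/baseline-etc.sha256
#   verify_baseline /etc /root/baseline-etc.sha256
#   new_files /etc /root/baseline-etc.sha256
```

Run the check from a known-good environment where possible; a compromised host can lie about its own files as easily as about its logins.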

My girlfriend asked what was going on and I explained it to her. I likened it to going to your cottage and finding out that someone had broken in and shit on your couch. In a lot of ways it’s true — my next job was to change the locks, clean up some stuff, take pictures of my tools to make sure they stay as I left them, and a bunch of other things that one shouldn’t have to do but has to do because there are still people out there who get a rush out of breaking into peoples’ cottages and shitting on the couch.

And that, my friend, is sad indeed.

A couple of Q nits

The first is not being able to type a pipe symbol (‘|’). I can’t even do it through Symbol-Shift. Fortunately my ssh client has a menu item for it. It would still be nice to be able to use it in any program without a lot of cutting and pasting (which are a pain in the butt on a smartphone).

The second is not having a dedicated Control key. The balance of the paragraph above applies to this, too.

The third is that I can’t seem to find out where to manage imported certificates. I imported the CAcert root certificate, but I still get a warning when I access my website. Now it just claims that I have asked to be warned. I want to convince it otherwise. Hopefully I’ll get it figured out.

TLS by choice

Over the past couple of days Lauren Weinstein has covered some of the problems of unencrypted web traffic. The example he gives is Rogers, a national ISP/cable TV conglomerate interfering with users’ use of Google. What Rogers is doing in this case is annoying and arrogant, but fairly benign. It does clearly show what they’re capable of, though.

Today he makes a good point about self-signed certificates. This is interesting to me because I recently moved to a VPS so I could be in control of such things, and I made sure to get a few extra IP addresses to make sure I could do a couple of flavours of TLS when the time came.

Today I was reading up on how to generate self-signed certs (the openssl command-line tool has never been a strong point of mine) and came across CAcert, which provides some of the benefits of a commercial certificate with none of the cost and only a small amount of the hassle.

The result for now is that I can get six-month TLS certificates with CAcert vouching for my identity. If I go to some identity-verification parties I can collect points and eventually get up to a two-year term on a certificate, but I probably won’t. I haven’t read up on how they avoid people gaming the system at these events, but I’ll bet it isn’t hard. I’ll just stick with my six-month certs for now, and when I start selling my prints I’ll pony up the money for a commercial certificate for that and keep going with the six-month certs for the sites where no money changes hands.