Category Archives: Security

WHO DID WHAT WITH ROOT?!

When you are not sure who is using sudo on a server, and you really need to know who keeps making that annoying change, you can install something to watch them, then maintain that software and its logs, keep it in your package management system, and make sure it stays patched.

OR

You could use the little-known (at least among those I have asked in the field) modifications listed below.  They are twofold.  First, you enable sudo to record who logs in and uses it, and to record their session, much like many pieces of software out there today.  The one catch to my method is simple: you already have the software installed.  Yes, this has been a feature of sudo since version 1.7.4p4, so there is nothing else to install, worry about, or maintain.  It is also very easy to set up; see below:


/etc/sudoers modification:
All you need to do is add two tags to every sudoers entry that needs recording (wherever "su" is specified, either as a command or through an alias):
LOG_INPUT and LOG_OUTPUT
Example:
%admins ALL=(ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL

The recordings are written under the directory set by the iolog_dir option; to give each user their own directory, add the following Defaults line to sudoers: Defaults iolog_dir=/var/log/sudo-io/%{user}
Note:
Output is logged to the directory specified by the iolog_dir option (/var/log/sudo-io by default) using a unique session ID that is included in the normal sudo log line, prefixed with TSID=.  The iolog_file option may be used to control the format of the session ID.  Output logs may be viewed with the sudoreplay(8) utility, which can also be used to list or search the available logs.  Keep in mind that if the user had a really long session you will be viewing it like a movie; it replays as if the user were sitting there typing.  With this in mind, sudoreplay gives you the ability to play back at faster speeds, which makes it easier to find where things happened in a long recording.
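To show how the TSID in the normal sudo log line ties back to a recording, here is an added example (not from the post): it picks recorded sessions out of constructed syslog lines, flags sudo commands that ran under a rule without LOG_INPUT/LOG_OUTPUT, and maps each TSID to the directory sudoreplay reads under the default iolog_dir.

```shell
#!/bin/sh
# Added example (not from the post): pull recorded sudo sessions out of syslog
# lines and map each TSID to its I/O log directory for sudoreplay(8).
# The log lines are constructed samples in the format sudo writes to syslog.
SAMPLE_LOG='Jun 10 13:08:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; TSID=0000A5 ; COMMAND=/bin/su -
Jun 10 13:09:41 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv/www ; USER=root ; COMMAND=/bin/systemctl restart apache2
Jun 10 13:12:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; TSID=0000A6 ; COMMAND=/usr/bin/vi /etc/hosts'

# Print "user TSID command" for every sudo invocation that was recorded.
recorded_sessions() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        / sudo: / && / TSID=/ {
            for (i = 1; i <= NF; i++) if ($i == "sudo:") user = $(i + 1)
            match($0, /TSID=[0-9A-Za-z]+/)
            tsid = substr($0, RSTART + 5, RLENGTH - 5)
            sub(/.*COMMAND=/, "")
            print user, tsid, $0
        }'
}

# Commands that went through sudo with no TSID: the rule that matched them
# lacks LOG_INPUT/LOG_OUTPUT, so there is no session to replay.
unrecorded_commands() {
    printf '%s\n' "$SAMPLE_LOG" | awk '/ sudo: / && !/ TSID=/ { sub(/.*COMMAND=/, ""); print }'
}

# With the default iolog_file of %{seq}, the six-character base-36 TSID becomes
# three two-character directories under iolog_dir: 0000A5 -> 00/00/A5.
iolog_path() {
    tsid=$1
    dir=${2:-/var/log/sudo-io}
    printf '%s/%.2s/%.2s/%.2s\n' "$dir" "$tsid" "${tsid#??}" "${tsid#????}"
}

# One line per recorded session, with the sudoreplay command that replays it.
report() {
    recorded_sessions | while read -r user tsid cmd; do
        printf '%s ran "%s"; log in %s; replay with: sudoreplay %s\n' \
            "$user" "$cmd" "$(iolog_path "$tsid")" "$tsid"
    done
}

report
```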

So that is one good method to help find a culprit, but what if you are just looking at root's history?  Can you tell who ran what?  Can you tell when they ran the commands you see when you type ‘history’?  By default, no.  The next tidbit is very useful and extremely easy to add to your machines.  Simply add the following to your /etc/profile:

export HISTTIMEFORMAT="%m.%d.%y %T "

Yes, that is a space at the end.  If you leave it out, the timestamp runs together with the command in the history output.  Your history should then look like the example below:

1995 06.10.15 13:08:05 top
1996 06.10.15 13:08:05 clear
1997 06.10.15 13:08:05 df -h
1998 06.10.15 13:08:05 umount /media
1999 06.10.15 13:08:05 sudo umount /media
2000 06.10.15 13:08:05 sudo su -
2001 06.10.15 13:08:07 history

I hope this helps someone save some time, as it has me.  Please feel free to share with others.

-M


Site Updates

Just a heads up to all out there that care.

MattCurry.Com was down for a bit, while I installed the SSL Certificate, and updated my site.

Again, thank you to all the regular users.  Please don’t forget to subscribe to my RSS for updates.

Sincerely,
Matthew Curry


Handy One-Liners – Full Debian Update

This one is great for a “Full Update” on Debian / Ubuntu machines.

It runs the script without ever installing anything (assuming curl is installed).  Be sure to run it as root, either with sudo or as root directly.

As you can see in the snippet, it uses a script that is remotely hosted (in a GitHub gist).  This is great because you can see exactly what it does by looking at the script.  It just calls system commands, so it can’t do anything malicious.  Just run sudo, then the above command, and it will run the script below:

Another trick you can do with something like this is to copy it to /usr/bin/fullupdate (as root, of course) and make sure it is executable: “sudo chmod +x /usr/bin/fullupdate”.  Then you can call “sudo fullupdate” from anywhere whenever you need it.  Alternatively, run it from cron on a schedule!  If you don’t want all the options, just download the script and change it to your liking.
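Since the value of a remotely hosted script is that you can read it first, here is an added example (not the post's own one-liner) that installs the copy you reviewed as /usr/bin/fullupdate only if its SHA-256 still matches the digest you recorded; the download step, the destination path and the placeholder URL are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the post): install a downloaded update script only
# after its SHA-256 digest matches the one recorded when the script was reviewed.
# The digest-recording step and the paths below are this example's own.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# Installs DEST (mode 0755) and returns 0 only if SRC hashes to EXPECTED_SHA256;
# otherwise reports the mismatch, installs nothing, and returns 1.
install_verified() {
    src=$1 expected=$2 dest=$3
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to install %s: sha256 %s, expected %s\n' "$src" "$actual" "$expected" >&2
        return 1
    fi
    cp "$src" "$dest" && chmod 0755 "$dest"
}

# Typical flow (root is needed for /usr/bin): fetch to a temp file, read it,
# keep the digest of the version you approved, then install. SCRIPT_URL and
# APPROVED_SHA256 are placeholders for your own gist URL and recorded digest.
#   tmp=$(mktemp) && curl -fsSL "$SCRIPT_URL" -o "$tmp"
#   less "$tmp" && sha256_of "$tmp"
#   install_verified "$tmp" "$APPROVED_SHA256" /usr/bin/fullupdate
```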


Welcome to open source.

Don’t forget! Linux Learning Resources

This is kept under the Linux Learning Project and Learning Resources section of the site, and is updated occasionally with new links.  Feel free to suggest one by contacting me directly.


LEARNING RESOURCES

Help/Chat:

Resources:

Need DevOps Help?

  • Had issues with your DevOps pipeline?
  • Need help streamlining automation or configuration management?
  • Need to green field or “lift and shift” applications into the cloud?

If you are trying to do any of these and running into issues, please contact me.  I am now open to consulting directly.  Fixing even a few small inefficiencies can have a huge impact on the bottom line.  Not only that, if the DevOps philosophies are really taken up, it’s likely that the employees will also be happier and proud of their accomplishments as a team.

As for the technologies I support, please take a look at my Technologies page (updated often).  I am also happy to take on new ones for a project if needed.

Creating an efficient pipeline is what I do, and a fully functional system that is working well can be an amazing thing.


Matthew Curry
MattCurry.Com


12 Years without Microsoft and loving it!

As of April 2004 I stopped using all Microsoft products, for many reasons.

I know people like to debate Microsoft products.  However, for me it’s not a debate.

Examples [Just a tiny bit]:

  • If I was a contractor and came into your company and said, “I am going to record all your keystrokes and put them on my server every 30 minutes”, you would laugh me out the door.  Especially in software, where the source can be recreated from the key logs.  Well, Microsoft does it.
  • If I was a contractor and came into your company, found a security bug, and then sold it to hackers on the black market, leaving you vulnerable before there is a patch, you would probably sue me and maybe even press charges of some kind, as it can put you out of business.  Well, Microsoft does it.
  • If I was a contractor and came in during the night and upgraded all your desktops to an OS you haven’t tested… well, I think you get the point by now…
  • UEFI – Just look into it…
  • Severe security issues and poor coding.
    • Keep in mind that even if they don’t use the keylog maliciously, with the poor security wrapped around it, it is within reason to think it would be compromised.

Please keep in mind I am just looking at the black and white of things; this has nothing to do with how I ‘feel’ about them.  From a business standpoint, I simply cannot fathom the use of any Microsoft product in any serious company, especially a software development one.

Now, I am experienced in IT, software development and DevOps, and anyone will tell you security is a trade-off with convenience.  That is true.  However, between the cost (which is high) and the constant worry about security and stability with each patch, it is something people really need to ask themselves: “Is this really convenient/cost effective?”  Fifteen years ago the answer might have been yes.  Now, there is no excuse.


Reason #… I’ve lost count…not to use Microsoft.


Welcome, all Windows and Samba users.  Please read badlock.org for why poor decisions have led to this day.

There is a known vulnerability in Samba; please read the site listed.  If time permits I will update this article with better info.  However, if you are running Samba, then shame on you, especially an old version.  I have not “had to run Samba” for anything in several years now.

Please read my article on using AFPd on Linux as a Time Machine backup target.  Works great!  Or, my preference, NFS on a LAN.

Either way, I hope this helps a few people.  Please share the article if it helped.  There is a patch with a CVE on the way, according to their site.

Sincerely,
M

Be Careful with LetsEncrypt!


I must say, like a lot of people I love the idea of a free SSL certificate, so I thought this would be great for my site.  I downloaded the LetsEncrypt package onto an Ubuntu 15.10 box.  The server was running Apache2 and was pretty much stock.  Applying the cert to the site was super easy; I was very impressed with the ‘--apache’ option.  I then updated my URLs in WordPress to HTTPS.  That’s it, I was up and running in a few minutes, and pretty happy at this point.

Then I realized it broke all of the other public-facing services I had on the machine, and I had several.  Even ones with their own certs were breaking.  So I decided to remove it.  After removing it from Apache completely I noticed an issue: all of my users that had been to the site were still getting redirected.  Somehow the redirect is being kept along with the cert/data that browsers pick up from visiting the site once the cert is installed.

Long story short, many people thought my site was down.  I even moved servers, and it still happened.  I tried clearing the browser cache and the DNS cache on my Mac, and connecting from another IP.  Finally, after a reinstall (probably not needed, but quicker), I was able to actually load my site without the redirect.  I am sure there is something here I am not seeing, but to be honest I didn’t feel like spending all my time dealing with browser settings.

If anyone would like to let me know how they get around this I would like to know.

I hope this helps those who are thinking of trying out LetsEncrypt.  I am not saying it’s a bad product or idea; I love the install and the idea of it.  However, the practical implementation is not there yet.  For those reading this, keep in mind that it is still in beta as of this article, so this might eventually go away.

P.S. – To those on the LetsEncrypt project, I appreciate all the work, and I hope you take this criticism positively.  A good uninstall path is needed before I think this will go mainstream on monolithic boxes.  Maybe it’s OK with 12-factor applications.

Sincerely,

Matthew Curry

Quick Tip of the Day.

Not that I have them daily, but I might if I get a good response.

Have you ever tried logging into an SSH server and gotten a weird error like this:

/.ssh/config: line 22: Bad configuration option: 342200202

This is a very simple issue, but it can be a huge PITA if you can’t fix it quickly.  This is especially true for those of us that have to use an enormous number of keys in our daily lives.  I know, I have a fairly simple config for SSH, but I still ran into this issue when I pasted a block of text into ~/.ssh/config.  I opened the file with vi and nano, and I was only able to get it to work when I removed the spaces before each line it complained about.  I then just put them back as normal and saved.

It turns out that copying from another place can leave the spaces not interpreted properly; they are actually tab indentations.  Once they are manually removed and replaced by a normal “space” in the file, it should work properly.  I hope this saves some time for some people.
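The octal byte values in the error above, 342 200 202, are the UTF-8 encoding of U+2002 (EN SPACE), one of several Unicode spaces a paste can carry into ~/.ssh/config. As an added example (not from the post), the script below finds such lines by line number and replaces the usual offenders with a plain ASCII space; the sample config content is constructed.

```shell
#!/bin/sh
# Added example (not from the post): find and repair non-ASCII whitespace that a
# paste left in an ssh config. The octal bytes in the error, 342 200 202, are the
# UTF-8 encoding of U+2002 (EN SPACE); ssh reads them as part of an option name,
# hence "Bad configuration option". Sample content below is constructed.

# Report line:content for each line holding a byte outside printable ASCII.
# In the C locale [:print:] and [:space:] are ASCII-only, so any UTF-8 byte is flagged.
find_bad_whitespace() {
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1"
}

# Replace common Unicode spaces with a plain ASCII space, in place. Written as
# octal escapes so this script itself stays pure ASCII: U+00A0 (NBSP),
# U+2002 (EN SPACE, the one from the post), U+2003 (EM SPACE), U+202F (NNBSP).
fix_whitespace() {
    f=$1
    for esc in '\302\240' '\342\200\202' '\342\200\203' '\342\200\257'; do
        bytes=$(printf "$esc")
        LC_ALL=C sed "s/$bytes/ /g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed sample: line 2 begins with U+2002 before IdentityFile, the kind of
# indentation a paste from a web page or chat client can leave behind.
make_sample() {
    printf 'Host prod\n\342\200\202IdentityFile ~/.ssh/prod_ed25519\n  User deploy\n' > "$1"
}

# Afterwards, "ssh -G prod >/dev/null" parses the whole config and reports
# anything that still fails to parse, without opening a connection.
```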


Thanks,
Matthew D. Curry


Search entire server for Q4 2015 obfuscated PHP malware of unknown origin.

This is just a snippet I have used before to identify some malicious code on web servers.  It will not catch everything, but it gives you a way to find suspect files.  It is easy to cron in a script with others to make a nice daily report if you have those concerns.

#!/bin/bash
# Malware Search Script
# 11/1/15 - Matthew D. Curry
# Matt@MattCurry.com

echo "Search entire server for Q4 2015 obfuscated PHP malware of unknown origin."

# Quote the glob so the shell does not expand it before find sees it, quote the
# regex so grep receives it intact, and end -exec with + so grep is invoked
# once per batch of files rather than once per file. The pattern matches the
# run of short obfuscated variable assignments ($x1=...;$x0=...;$x3=...) that
# this family of PHP malware uses.
find / -name '*.php' -exec grep -Hn '.1.=.......0.=.......3.=.......2.=.......5.=' {} +


Hope this helps, enjoy.