Nginx + IPv6: “98: Address already in use”

April 12th, 2012

If you get this message, you have to change your “listen” statement from

listen 94.229.77.82:80;
listen [2a01:348:226:dead:beef:dead:beef:dead]:80;

to

listen 94.229.77.82:443;
listen [2a01:348:226:dead:beef:dead:beef:dead]:443 ipv6only=on;

For some reason the first statement (without “ipv6only”) was working for me for some time… odd.
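The kernel behaviour behind nginx's ipv6only option, as an added example (not code from the post): on Linux a wildcard IPv6 socket bound without IPV6_V6ONLY is dual-stack and also claims the IPv4 port, so the second bind fails with EADDRINUSE, the errno 98 in the message. The demo assumes Linux with the default net.ipv6.bindv6only=0 and uses the wildcard addresses, since the post's public addresses cannot be bound on a test machine.

```python
"""Added example, not code from the original post: reproduce the
"98: Address already in use" that nginx reports when an IPv6 listen socket
without ipv6only=on also claims the IPv4 side of the same port.

Assumption (for this demo): Linux with the default net.ipv6.bindv6only=0,
so a wildcard IPv6 socket is dual-stack unless IPV6_V6ONLY is set on it.
"""
import errno
import socket


def bind_pair(v6only: bool, port: int = 0) -> tuple:
    """Bind 0.0.0.0:port and then [::]:port, in the same order as the
    two listen lines in the post.

    Returns ("ok", port) if both binds succeed, ("eaddrinuse", port) if the
    IPv6 bind collided with the IPv4 socket (the post's error), or
    ("ipv6-unavailable", None) when the kernel offers no IPv6 socket.
    """
    s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s4.bind(("0.0.0.0", port))
        port = s4.getsockname()[1]  # port 0 lets the kernel pick a free one
        try:
            s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        except OSError:
            return ("ipv6-unavailable", None)
        try:
            # IPV6_V6ONLY is the socket option behind nginx's "ipv6only=on".
            s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
            s6.bind(("::", port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return ("eaddrinuse", port)
            return ("ipv6-unavailable", None)
        finally:
            s6.close()
        return ("ok", port)
    finally:
        s4.close()


if __name__ == "__main__":
    for flag in (False, True):
        status, port = bind_pair(v6only=flag)
        print(f"ipv6only={'on' if flag else 'off'}: {status} (port {port})")
```

Since nginx 1.3.4 ipv6only defaults to on, so this conflict only bites on older builds such as the one in the post.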


Enabling HSTS on nginx

March 28th, 2012

If you want to enable HSTS on your nginx webserver, this is how you do it:

add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";

You need to put this only on the https server, not on the http-only server – it won't work over plain http.


Strange DNS queries when Google Chrom(ium) is running – Part 2

March 28th, 2012

I wrote quite some time ago about those strange DNS queries I have seen when Chromium is running (this time with the latest version, 17.0.963.79 (Developer Build 125985 Linux) on Ubuntu 11.10), like this one:

mmxavuhjug.home.lan.

I was still puzzled and wanted to know what's going on and what this is for.

The first problem was that I needed an easily configurable DNS server to respond to all those queries with something I am in control of. My assumption was that they are quite likely HTTP requests – maybe even POST requests, but that would be scary and potentially something for another post on here.

After some searching I came across a mini DNS server written in Python; I downloaded it and – it just works. OK, so let's have a look. I changed that mini DNS server to respond to any query with my machine’s IP and made sure that a webserver was running on it, at least serving /, as I only wanted to see the initial request from Chromium.

Fired up Wireshark (brilliant tool!) and Chromium. Visiting any site was kinda funny, as I always ended up on my local machine… anyway, Wireshark was nicely collecting data, and here you go:

HEAD / HTTP/1.1
 Host: asdclvxexk
 Connection: keep-alive
 Content-Length: 0
 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML,
       like Gecko) Ubuntu/11.10 Chromium/17.0.963.79 Chrome/17.0.963.79
       Safari/535.11
 Accept-Encoding: gzip,deflate,sdch
HTTP/1.1 200 OK
 Date: Wed, 28 Mar 2012 20:02:54 GMT
 Server: Apache/2.2.20 (Ubuntu)
 Vary: Accept-Encoding
 Content-Encoding: gzip
 Content-Length: 20
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html;charset=UTF-8

Nothing exciting here. RFC 2616 states for HEAD:

The HEAD method is identical to GET except that the server MUST NOT return
a message-body in the response. The metainformation contained in the HTTP
headers in response to a HEAD request SHOULD be identical to the information
sent in response to a GET request. This method can be used for obtaining
metainformation about the entity implied by the request without transferring
the entity-body itself. This method is often used for testing hypertext links
for validity, accessibility, and recent modification.

Puzzled. Confused. Why oh why?

You could say the HEAD request is some sort of high-level “ping” – does this URI exist? But where does this lead us? The hostname in the queries I have seen so far is always 10 characters long.

I fired my tools up again, checked whether it is all still “working” and closed Chromium – at least no data is sent anywhere else.


Strange DNS queries when Google Chrom(ium) is running

August 10th, 2011

I noticed something strange lately: when Google Chrom(ium) 12.0.742.112 (90304) is running on my up-to-date Ubuntu 11.04, it always sends out DNS queries at 10-second intervals, similar to these:

09:28:54.892711 IP linux.home.lan.52626 > ipv4gw.home.lan.domain: 55443+ AAAA? www.google.com. (32)
09:28:54.899660 IP linux.home.lan.33455 > ipv4gw.home.lan.domain: 13122+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:28:54.900955 IP ipv4gw.home.lan.domain > linux.home.lan.33455: 13122* 1/0/0 PTR ipv4gw.home.lan. (74)
09:28:54.901153 IP linux.home.lan.50369 > ipv4gw.home.lan.domain: 21436+ PTR? 229.1.168.192.in-addr.arpa. (44)
09:28:54.902997 IP ipv4gw.home.lan.domain > linux.home.lan.50369: 21436* 1/0/0 PTR linux.home.lan. (75)
09:28:54.944839 IP ipv4gw.home.lan.domain > linux.home.lan.52626: 55443 1/0/0 CNAME www.l.google.com. (52)
09:28:54.945042 IP linux.home.lan.41788 > ipv4gw.home.lan.domain: 60563+ A? www.google.com. (32)
09:28:55.003016 IP ipv4gw.home.lan.domain > linux.home.lan.41788: 60563 3/0/0 CNAME www.l.google.com., A 209.85.143.99, A 209.85.143.104 (84)

09:28:55.894074 IP linux.home.lan.52008 > ipv4gw.home.lan.domain: 29437+ AAAA? mmxavuhjug.home.lan. (40)
09:28:55.894357 IP linux.home.lan.35436 > ipv4gw.home.lan.domain: 521+ AAAA? vhskgbyarv.home.lan. (40)
09:28:55.894595 IP linux.home.lan.45136 > ipv4gw.home.lan.domain: 53766+ AAAA? ksufeyycxa.home.lan. (40)
09:28:55.895823 IP ipv4gw.home.lan.domain > linux.home.lan.52008: 29437 NXDomain 0/0/0 (40)
09:28:55.895963 IP linux.home.lan.36059 > ipv4gw.home.lan.domain: 12946+ A? mmxavuhjug.home.lan. (40)
09:28:55.897602 IP ipv4gw.home.lan.domain > linux.home.lan.35436: 521 NXDomain 0/0/0 (40)
09:28:55.897676 IP ipv4gw.home.lan.domain > linux.home.lan.45136: 53766 NXDomain 0/0/0 (40)
09:28:55.897765 IP linux.home.lan.44839 > ipv4gw.home.lan.domain: 64206+ A? ksufeyycxa.home.lan. (40)
09:28:55.897835 IP linux.home.lan.41554 > ipv4gw.home.lan.domain: 45782+ A? vhskgbyarv.home.lan. (40)
09:28:55.899852 IP ipv4gw.home.lan.domain > linux.home.lan.36059: 12946 NXDomain 0/0/0 (40)
09:28:55.899993 IP ipv4gw.home.lan.domain > linux.home.lan.44839: 64206 NXDomain 0/0/0 (40)
09:28:55.900277 IP linux.home.lan.37840 > ipv4gw.home.lan.domain: 24605+ AAAA? ksufeyycxa.home.lan. (40)
09:28:55.900530 IP linux.home.lan.38511 > ipv4gw.home.lan.domain: 59521+ AAAA? mmxavuhjug.home.lan. (40)
09:28:55.902077 IP ipv4gw.home.lan.domain > linux.home.lan.41554: 45782 NXDomain 0/0/0 (40)
09:28:55.902148 IP ipv4gw.home.lan.domain > linux.home.lan.37840: 24605 NXDomain 0/0/0 (40)
09:28:55.902503 IP linux.home.lan.36729 > ipv4gw.home.lan.domain: 26133+ AAAA? vhskgbyarv.home.lan. (40)
09:28:55.902630 IP linux.home.lan.37400 > ipv4gw.home.lan.domain: 39639+ A? ksufeyycxa.home.lan. (40)
09:28:55.904271 IP ipv4gw.home.lan.domain > linux.home.lan.38511: 59521 NXDomain 0/0/0 (40)
09:28:55.904344 IP ipv4gw.home.lan.domain > linux.home.lan.36729: 26133 NXDomain 0/0/0 (40)
09:28:55.904469 IP linux.home.lan.38786 > ipv4gw.home.lan.domain: 4130+ A? mmxavuhjug.home.lan. (40)
09:28:55.904570 IP linux.home.lan.42703 > ipv4gw.home.lan.domain: 52825+ A? vhskgbyarv.home.lan. (40)
09:28:55.906403 IP ipv4gw.home.lan.domain > linux.home.lan.37400: 39639 NXDomain 0/0/0 (40)
09:28:55.906547 IP ipv4gw.home.lan.domain > linux.home.lan.38786: 4130 NXDomain 0/0/0 (40)
09:28:55.907959 IP ipv4gw.home.lan.domain > linux.home.lan.42703: 52825 NXDomain 0/0/0 (40)

I had a play to find out what is causing this, and I figured that it is definitely Chrome. I closed down all the tabs, and it was still happening. The queries are always different; they never repeat themselves. I wonder what would happen if one of these resolved to an actual internal IP…
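Chromium sends three random ten-letter hostnames at startup to learn whether the resolver rewrites NXDomain (its intranet redirect detector), which is the pattern in this capture and in the HEAD request of Part 2. The detector below is an added example, not code from the posts or from Chromium: it runs over a subset of the tcpdump lines above, assumes home.lan as the search domain, and flags only bursts of random-label lookups that the resolver answered NXDomain, leaving ordinary lookups alone.

```python
"""Added example, not code from the original posts: flag the Chromium-style
probe bursts in the tcpdump output shown in the post, i.e. several lookups
within one second for random ten-letter labels under the local search domain
that all come back NXDomain, while ordinary lookups (www.google.com, PTR) pass.

Assumptions: tcpdump's default DNS line format as printed in the post, the
search domain home.lan, and LOG as a subset of the post's own capture.
"""
import re
from collections import defaultdict

# Query lines carry "ID+ TYPE? name."; reply lines carry "ID NXDomain" or "ID n/n/n".
QUERY = re.compile(r"^(?P<sec>\d\d:\d\d:\d\d)\.\d+ IP \S+ > \S+: (?P<id>\d+)\+ \w+\? (?P<name>\S+) ")
NXDOMAIN = re.compile(r"^\S+ IP \S+ > \S+: (?P<id>\d+)\*? NXDomain ")

LOG = """\
09:28:54.892711 IP linux.home.lan.52626 > ipv4gw.home.lan.domain: 55443+ AAAA? www.google.com. (32)
09:28:54.899660 IP linux.home.lan.33455 > ipv4gw.home.lan.domain: 13122+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:28:54.900955 IP ipv4gw.home.lan.domain > linux.home.lan.33455: 13122* 1/0/0 PTR ipv4gw.home.lan. (74)
09:28:54.944839 IP ipv4gw.home.lan.domain > linux.home.lan.52626: 55443 1/0/0 CNAME www.l.google.com. (52)
09:28:55.894074 IP linux.home.lan.52008 > ipv4gw.home.lan.domain: 29437+ AAAA? mmxavuhjug.home.lan. (40)
09:28:55.894357 IP linux.home.lan.35436 > ipv4gw.home.lan.domain: 521+ AAAA? vhskgbyarv.home.lan. (40)
09:28:55.894595 IP linux.home.lan.45136 > ipv4gw.home.lan.domain: 53766+ AAAA? ksufeyycxa.home.lan. (40)
09:28:55.895823 IP ipv4gw.home.lan.domain > linux.home.lan.52008: 29437 NXDomain 0/0/0 (40)
09:28:55.895963 IP linux.home.lan.36059 > ipv4gw.home.lan.domain: 12946+ A? mmxavuhjug.home.lan. (40)
09:28:55.897602 IP ipv4gw.home.lan.domain > linux.home.lan.35436: 521 NXDomain 0/0/0 (40)
09:28:55.897676 IP ipv4gw.home.lan.domain > linux.home.lan.45136: 53766 NXDomain 0/0/0 (40)
09:28:55.899852 IP ipv4gw.home.lan.domain > linux.home.lan.36059: 12946 NXDomain 0/0/0 (40)
""".splitlines()


def is_probe_name(name: str, search_domain: str = "home.lan.") -> bool:
    """True for <ten lowercase letters>.<search domain>, the shape seen in the post."""
    suffix = "." + search_domain
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return len(label) == 10 and label.isalpha() and label.islower()


def find_probe_bursts(lines, search_domain: str = "home.lan.", min_names: int = 3) -> dict:
    """Return {second: sorted probe names} for each second with >= min_names
    distinct probe-shaped names that the resolver answered NXDomain."""
    queries = {}                  # transaction id -> (second, queried name)
    nx_by_sec = defaultdict(set)  # second -> probe names answered NXDomain
    for line in lines:
        q = QUERY.match(line)
        if q:
            queries[q["id"]] = (q["sec"], q["name"])
            continue
        r = NXDOMAIN.match(line)
        if r and r["id"] in queries:
            sec, name = queries[r["id"]]
            if is_probe_name(name, search_domain):
                nx_by_sec[sec].add(name)
    return {sec: sorted(names) for sec, names in nx_by_sec.items() if len(names) >= min_names}


if __name__ == "__main__":
    for sec, names in find_probe_bursts(LOG).items():
        print(f"{sec}: {len(names)} random-label NXDomain probes: {', '.join(names)}")
```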


How do I test my IPv6 capable mailserver?

August 9th, 2011

Just a quick tip: You have Postfix running and want to enable IPv6 for your email as well? After quite some playing around I finally got it right:

inet_interfaces = 127.0.0.1, 94.229.77.82, 2a01:348:6:315::2, ::1
inet_protocols = ipv4, ipv6

This makes Postfix listen only where you actually need it to – I don't like daemons listening on interfaces where they are not serving any requests.

How do I test IPv6 enabled mail?

Just go here and off you go. Don't forget to put a fancy text in there that you can show off with… *g


Nginx, PHP-FPM and APC – and your server will love you

August 9th, 2011

I have to admit, I really loved Apache with ModSecurity (with the CoreRuleSet), it gave me “peace at night”. But then I noticed that this actually eats quite a lot of memory… and as a heavy TinyTinyRSS user I noticed that TTRSS is sometimes quite sluggish loading articles. So I had another look at Nginx. I did have a look at it in the past, but I gave up on it, as the version provided by Debian Lenny didn't support IPv6; the version for Squeeze does though.

So initially I installed Nginx with PHP-FASTCGI. It was good, fast, and the memory problems were sorted. The sluggishness with TTRSS was solved as well. (Now, after some weeks running it, I still notice “phew, memory isn't used at all, how does this actually work?”.)

(Preface: I won't be posting configuration details on here, just my experience and some pointers. I don't like repetition, and with the search engine of your choice sprinkled with some common “sysadmin sense”, you will find what you need.)

I already found some hints that PHP-FPM is much better than PHP-FASTCGI. (I was surprised that this was not good enough.) And so I recently came across dotdeb.org (again), which gives you the ability

  1. to install a more recent Nginx than the Debian Squeeze one,
  2. to update PHP to 5.3.6, and
  3. to install PHP-FPM,

which is even better. I also enabled APC as a PHP opcode cache, which helps further. (I actually configured the latter so that it writes a logfile (I still want to know when something goes wrong), but the actual service is not restarted, just the new logfile is opened. You can do this by sending SIGUSR1 to the php5-fpm master process. This doesn't empty the cache. At the time of writing I have 473362 hits vs. 656 misses (99.9% / 0.1%); I wonder when I will have 100%.)

Tests and results

Did I do some tests to show you some fancy numbers which prove that this is faster? I am sorry, but I have to disappoint you.

I can give you some hard facts:

  1. The system never ran out of memory with Nginx, and it has now been running for maybe 5+ weeks.
  2. The sluggishness with TTRSS is gone (i.e. browsing quickly through different RSS articles is much faster; TTRSS loads the article every time, and if I did this fast enough, TTRSS was locked up for some time, as Apache didn't deliver the actual article fast enough). On a subjective note: it is definitely faster.

I am happy with my choice. Anything on the internet should be kept up to date anyway – regardless of whether you are running ModSec.

And it is faster and uses less memory – what more does a sysadmin want?

PS: I forgot: the next step is enabling the caching plugin in Nginx; this should speed it up even further. When you are serving a lot of static objects, like pictures, Varnish is your friend and very easy to configure.

Post-PS: WordPress optimizations are the next thing! CDN – here I come!


Extending the wireless range of a WRT54GL with Solwise powerline adapters and another WRT54GL

July 24th, 2011

I just fixed a quite common problem that most of us have at home – the wireless signal is not that great in other places in the house. I wanted to do two things initially:

  1. Use Solwise powerline adapters, as I don't want to drill into walls to install long ethernet cables. (A friend of mine pointed me in that direction.)
  2. Use a second Linksys (now Cisco) WRT54GL, as I definitely want to run OpenWRT on it.

Item 1 doesn't need further explanation, I suppose. Regarding item 2: I just love OpenWRT; it is slick, fast, easy to configure, very minimalistic – in short, it does its job perfectly fine.

Solwise powerline adapters

I had somewhat mixed feelings about whether these would work fine, whether I would get decent throughput without errors and such. Now they are here, installed, and work perfectly fine…

  1. They come preconfigured with a common Private Network Name. I didn't really like that, so I randomized it, which was really easy to do: press “Connect” for 10s on one unit, then “Connect” for 2s on the other unit.
  2. The connection rate was initially only “good” over a longer distance; when I had them in the same room the connection rate was “best”, as they shared the same electrical circuit. After some time (hours) the connection rate is now “best” even over the longer distance, which is very good.
  3. They introduce a latency of 3 to 4 ms…

Using a second WRT54GL to extend wireless

So initially I went with the most obvious setup: WRT54GL number 2 (W2) is connected via its WAN port to a LAN port on WRT54GL number 1 (W1). This gave me various headaches: a different network behind W2 and as such a separate DNS namespace, so I would have to query both routers to get the IP of a connected client. There are various other hacks to get around this issue, but none of them was good enough.

Then I figured out, on the second attempt, that it is actually very easy to achieve what I want:
  1. Connect W2 and W1 via LAN ports on each side.
  2. Configure the LAN interface of W2 as a normal client in the LAN of W1 – I used a static IP in this case.
  3. No need to configure the WAN interface on W2 – just leave it unconfigured.
  4. Disable DHCP on W2 – /etc/init.d/dnsmasq stop && /etc/init.d/dnsmasq disable
  5. To enable “roaming”, just put the same wireless configuration on W2 as on W1. It is not really roaming, as you need to reconnect the client when you want to connect to the other one. At least it works perfectly when one wireless signal goes away: the client automatically reconnects to the other one (as long as automatic reconnection is enabled).
  6. Make sure the firewall is also disabled on W2 /etc/init.d/firewall stop && /etc/init.d/firewall disable
  7. Reboot W2.

After this you have only one network, where a single DHCP and DNS server is doing its thing.

Tests

I have not really done any speed tests, or checked whether the Solwise powerline adapters are really doing what they promise. The reason is quite simple: I got 200Mbps Solwise adapters and none of my machines has a Gbit NIC in it, so… *g I mentioned earlier that the Solwise adapters introduce 3 to 4 ms latency between directly connected devices. That's good enough for me; I am not a gamer and don't crave zero latency.

I actually just tried a speed test, but the problem is that on both ends are WRT54GLs, i.e. embedded devices, and the speed I got was just about 4Mbps.

PS: One thing to note: just when I started writing this article I reinstalled W2, i.e. plugged everything into the power socket again. The connection rate was shown as “good” the whole time, and just now it has gone to “best”. The speed between the routers has not improved.

PPS: I completely forgot – IPv6 just-works with this setup as well… *g


Maybe yet another #BSidesLondon and a big London security conference this autumn #infosec

April 29th, 2011

Alec Muffett mentions in his article “The Security Backlog” that there may be another B-Sides later in the year, and we can expect a big London security conference this autumn.

Thanks for linking, Alec.


BSidesLondon was a great success

April 21st, 2011

I am pleased to report that BSidesLondon was a great success. Awesome technical talks, awesome people, very good conversations there, and most importantly, it was very well organized! I really appreciated that no alcohol was allowed; Club-Mate as the “hacker drink” was available.

It started by explaining where BSides came from originally (here). As Lenny Zeltser mentions on his blog, it is OK to

  • Join a conversation in progress
  • Let others into the conversation
  • Introduce yourself
  • Move from group to group
  • Have a business card or, even better, a “calling card” available with your contact details
  • Wear a name tag

and this went really well.

The first talk after the introduction I attended was “DNS Tunneling: It’s all in the name!” by Arron “finux” Finnon. DNS is usually allowed in corporate or “commercial” environments, and he showed some nice ways to tunnel through DNS (“TXT” records) back out to the internet. He pointed out that some crazy fella even transferred shellcode this way. SysAdmins: are you watching your DNS traffic?

[Picture: Chris Rook about “pownerizing”]

It went on with “Jedi Mind Tricks For Building Application Security Programmes” by David Rook & Chris Wysopal. We as security-aware people must not come down on developers with “you must not / do not” when explaining to them what security is. Most importantly, we need to explain properly what this is all about. David pointed out that “SQL injection”, “jacking” or “pwnerizing” (see the picture) could easily be misunderstood by developers, which is true I would say, and was quite amusing.

The next one was “Practical Crypto Attacks Against Web Applications” by Justin Clarke. This was about how ECB and CBC work and practical attacks against those. Unfortunately I missed some of his talk; I need to get the slides from somewhere.

Xavier Mertens had his talk about “All your logs are belong to you!”. You can find the slides here. All systems are logging something and, most importantly, they are your logs. Don't be shy to ask your cloud provider for logs about the services you are using. I can only agree with him that OSSEC is a great and wonderful open-source tool to analyze your logs automatically. The OSSEC Dashboard looks like a brilliant solution and I have to give that a try!

After the lunch break, Steve Lord was explaining in his talk “Breaking, Entering and Pentesting” the career path of a pentester. Starting as a “Nessus Monkey”, going through various stages and finally ending up as a professional pentester (aka “Jedi Master”) – and not in management. Brilliant talk. Steve was also at DC4420 btw.

Wicked Clown then had his talk about “Breaking out of restricted RDP”. It was good to see that you don't need to take “restricted” literally, and how easy it is to break out of it. Have a look at his websites for the slides, videos and more information.

David Rook then presented his second talk, “Agnitio: it's static analysis, but not as we know it”. Slides are here. If you are into source review then this is something for you; you can find it here.

Manuel Leithner was then presenting “Your money, your media – a DRMtastic Android reverse (re)engineering tutorial”. It points out once again DRM is just “scary” and can be circumvented if you want to.

And the final one was Security YMCA by Chris John Riley, The Suggmeister, Arron “finux” Finnon and Frank Breedijk, presenting the developer survey about security in a slightly different way, as you can see here. It seems that most developers are not security aware – and we must communicate A.S.A.P:

Young man, I was once in your shoes.

I said, I was down and out with the blues.

I felt no man cared ‘ bout se-cu-ri-ty

There’s just too much in-du-vi-du-a-li-ty


That’s when someone came up to me,

And said, young man, take a walk in the street.

I really, want to know what you say

If only I could only un-der-stand you


You must communicate A.S.A.P

[..]


Finally, I want to say thank you to Matt Summers (@dive_monkey) for organizing this event. As I mentioned in the intro, perfectly organized, there was nothing missing. Looking forward to the next one.

PPS: Thanks Tomasz!

https://twitpic.com/photos/tomaszmiklas
https://twitpic.com/4n44lm http://yfrog.com/z/h0m0vzjj
 


Dedicated IPv6 gateway – way to go deploying IPv6

April 16th, 2011

m0n0wall is a good product for running a firewall/gateway on an embedded device. It is based on BSD, very slick and reliable. I was using it a couple of years back, but unfortunately my hardware didn't have wireless integrated, so I had to give it up and get a WRT54GL – running OpenWRT of course.

Until now my IPv6 endpoint was this OpenWRT router; unfortunately it didn't have a full IPv6 firewall integrated – I never seriously tried the 2.6 branch of it, but that would support a proper ip6tables firewall.

When m0n0wall announced version 1.33 with its “major ipv6 improvements”, I just couldn't resist trying it. The phone line (not cable, unfortunately) is connected to my ISP’s router, which is then connected to my OpenWRT wireless router. I really didn't want to put the m0n0wall router (i.e. the “ipv6 router”) in line, so I decided to install it in parallel to the OpenWRT router. The internal port of m0n0wall is connected to the switch on the OpenWRT router and the external port to the ISP’s router.

Configuring IPv6 with a Hurricane Electric tunnel was easy going – the only problem I had was that I did not realize IPv6 was already enabled. I misinterpreted the interface configuration details of m0n0wall and expected to see some tunnel information (tunnel endpoint information). I was wondering why the m0n0wall was always complaining about a duplicate IPv6 address (nifty feature!), but then I saw that the same IPv6 address was configured on the OpenWRT.

Removing IPv6 completely from the OpenWRT and rebooting the m0n0wall box then did the trick – voilà, IPv6 through a dedicated IPv6-only gateway works like a charm.

Thinking about it, this would actually be a good way to implement IPv6 in the business/enterprise, as this wouldn't cause any downtime, as long as you ensure that your resolver doesn't give out IPv6 addresses *g.
