Nginx, PHP-FPM and APC – and your server will love you

August 9th, 2011 Comments off

I have to admit, I really loved Apache with ModSecurity (with the CoreRuleSet); it gave me “peace at night”. But then I noticed that it actually eats quite a lot of memory, and as a heavy TinyTinyRSS user I noticed that TTRSS is sometimes quite sluggish loading articles. So I had another look at Nginx. I had looked at it in the past but gave up on it, as the version shipped with Debian Lenny didn’t support IPv6; the version for Squeeze does, though.

So initially I installed Nginx with PHP-FASTCGI. It was good, fast, and the memory problems were sorted. The sluggishness with TTRSS was solved as well. (Now, after some weeks of running it, I still notice “phew, memory isn’t used at all, how does this actually work?”.)

(Preface: I won’t be posting configuration details here, just my experience and some pointers. I don’t like repetition, and with the search engine of your choice sprinkled with some common “sysadmin sense”, you will find what you need.)

I had already found some hints that PHP-FPM is much better than PHP-FASTCGI. (I was surprised that the latter was not good enough.) And so I recently came across dotdeb.org (again), which gives you the ability to

  1. install a more recent Nginx than the Debian Squeeze one,
  2. update PHP to 5.3.6, and
  3. install PHP-FPM,

which is even better. I also enabled APC as a PHP opcode cache, which helps further. (I configured the latter so that it writes a logfile, since I still want to know when something goes wrong; on rotation the service is not restarted, just the new logfile is opened. You can do this by sending SIGUSR1 to the php5-fpm master process, which does not empty the cache. At the time of writing I have 473362 hits vs. 656 misses (99.9% / 0.1%); I wonder when I will reach 100%.)

Tests and results

Did I run some tests to show you fancy numbers proving that this is faster? I am sorry, but I have to disappoint you.

I can give you some hard facts:

  1. The system never ran out of memory with Nginx, and it has now been running for maybe 5+ weeks.
  2. The sluggishness with TTRSS is gone: browsing quickly through different RSS articles is much faster. TTRSS loads the article every time, and if I did this fast enough, TTRSS locked up for some time because Apache didn’t deliver the article fast enough. On a subjective note: it is definitely faster.

I am happy with my choice. Anything on the internet should be kept up to date anyway – regardless of whether you are running ModSec.

And it is faster and uses less memory – what more does a sysadmin want?

PS: I forgot: the next step is enabling the caching plugin in Nginx; this should speed it up even further. When you are serving a lot of static objects, like pictures, Varnish is your friend and very easy to configure.

Post-PS: WordPress optimizations are the next thing! CDN – here I come!

Categories: New technology

Extending the wireless range of a WRT54GL with Solwise powerline adapters and another WRT54GL

July 24th, 2011 Comments off

I just fixed a quite common problem that most of us have at home – the wireless signal is not that great in other parts of the house. I wanted to do two things initially:

  1. Use Solwise powerline adapters, as I don’t want to drill through walls to install long ethernet cables (a friend of mine pointed me in that direction).
  2. Use a second Linksys (now Cisco) WRT54GL, as I definitely want to run OpenWRT on it.

Item 1 doesn’t need further explanation, I suppose. In regards to item 2, I just love OpenWRT: it is slick, fast, easy to configure, very minimalistic; in short, it does its job perfectly fine.

Solwise powerline adapters

I had somewhat mixed feelings about whether these would work fine, whether I would get decent throughput without errors and such. Now they are here, installed, and work perfectly fine…

  1. They come preconfigured with a common Private Network Name. I didn’t really like that, so I randomized it, which was really easy to do: press “Connect” for 10 s on one unit, then “Connect” for 2 s on the other unit.
  2. The connection rate was initially only “good” over a longer distance; when I had them in the same room the connection rate was “best”, as they shared the same electrical circuit. After some time (hours) the connection rate is now “best” even over the longer distance, which is very good.
  3. They introduce a latency of 3 to 4 ms…

Using a second WRT54GL to extend wireless

So initially I went with the most obvious setup: WRT54GL number 2 (W2) is connected via its WAN port to a LAN port on WRT54GL number 1 (W1). This gave me various headaches: a different network behind W2 and as such a separate DNS namespace, so I would have to query both routers to get the IP of a connected client. There are various hacks to get around this issue, but none of them was good enough.

Then, on the second attempt, I figured out that it is actually very easy to achieve what I want:
  1. Connect W2 and W1 via a LAN port on each side.
  2. Configure the LAN interface of W2 as a normal client in the LAN of W1 – I used a static IP in this case.
  3. No need to configure the WAN interface on W2 – just leave it unconfigured.
  4. Disable DHCP on W2: /etc/init.d/dnsmasq stop && /etc/init.d/dnsmasq disable
  5. To enable “roaming”, just put the same wireless configuration on W2 as on W1. It is not really roaming, as you need to reconnect the client when you want to switch to the other one. At least it works perfectly when one wireless signal goes away: the client automatically reconnects to the other one (as long as automatic reconnection is enabled).
  6. Make sure the firewall is also disabled on W2: /etc/init.d/firewall stop && /etc/init.d/firewall disable
  7. Reboot W2.

After this you have only one network, where a single DHCP and DNS server is doing its thing.
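The seven W2 steps above written out as an OpenWRT shell script (an added example, not from the original post): the uci keys are OpenWRT’s own, while the addresses, the SSID and the PSK placeholder are assumed values. A small guard refuses to commit when W2 is outside W1’s subnet, clashes with W1’s address or still carries the placeholder key, because a W2 with dnsmasq and the firewall disabled is only sound as a plain access point inside W1’s LAN, with W1 remaining the one box facing the ISP router.

```shell
#!/bin/sh
# Added example (not from the original post): the W2 recipe as uci commands.
# Assumed values: W1 is 192.168.1.1/24, W2 gets 192.168.1.2, shared SSID
# "homenet"; the PSK placeholder must be replaced before running apply_w2.
W1_IP="${W1_IP:-192.168.1.1}"
W2_IP="${W2_IP:-192.168.1.2}"
SSID="${SSID:-homenet}"
PSK="${PSK:-CHANGE-ME-PASSPHRASE}"

# Steps 2, 3 and 5: LAN becomes a static client of W1's LAN, the WAN section
# is left untouched, wireless copies W1's SSID/key and joins the lan bridge.
w2_uci_batch() {
    cat <<EOF
set network.lan.proto=static
set network.lan.ipaddr=$W2_IP
set network.lan.netmask=255.255.255.0
set network.lan.gateway=$W1_IP
set network.lan.dns=$W1_IP
set wireless.@wifi-iface[0].network=lan
set wireless.@wifi-iface[0].mode=ap
set wireless.@wifi-iface[0].ssid=$SSID
set wireless.@wifi-iface[0].encryption=psk2
set wireless.@wifi-iface[0].key=$PSK
commit network
commit wireless
EOF
}

# Steps 4 and 6: W2 must neither answer DHCP/DNS nor filter LAN traffic;
# W1 keeps doing both for the whole network.
w2_disable_services() {
    for svc in dnsmasq firewall; do
        /etc/init.d/$svc stop
        /etc/init.d/$svc disable
    done
}

# Guard: W2 inside W1's /24, not W1's own address, placeholder PSK replaced.
w2_check() {
    prefix="${W1_IP%.*}"
    case "$W2_IP" in "$prefix".*) ;; *) return 1 ;; esac
    [ "$W2_IP" != "$W1_IP" ] || return 1
    [ "$PSK" != "CHANGE-ME-PASSPHRASE" ]
}

# Apply everything; step 7 (reboot) is left to the operator.
apply_w2() {
    w2_check || { echo "refusing: set W2_IP/PSK first" >&2; return 1; }
    w2_uci_batch | uci batch && w2_disable_services
}
```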

Tests

I have not really done any speed tests or checked whether the Solwise powerline adapters really do what they promise. The reason is quite simple: I got 200Mbps Solwise adapters and none of my machines has a Gbit NIC in it, so… *g I mentioned earlier that the Solwise adapters introduce 3 to 4 ms latency between directly connected devices. That’s good enough for me; I am not a gamer, nor do I crave zero latency.

I actually just tried a speed test, but the problem is that both ends are WRT54GLs, i.e. embedded devices, and the speed I got was just about 4Mbps.

PS: One thing to note: just when I started writing this article I reinstalled W2, i.e. plugged everything into the power socket again. The connection rate was shown as “good” the whole time, and just now it has gone to “best”. The speed between the routers has not improved.

PPS: I completely forgot – IPv6 just works with this setup as well… *g

Categories: New technology

Maybe yet another #BSidesLondon and a big London security conference this autumn #infosec

April 29th, 2011 Comments off

Alec Muffett mentions in his article “The Security Backlog” that there may be another B-Sides later in the year, and that we can expect a big London security conference this autumn.

Thanks for linking, Alec.

Categories: Events

BSidesLondon was a great success

April 21st, 2011 Comments off

I am pleased to report that BSidesLondon was a great success. Awesome technical talks, awesome people, very good conversations, and most importantly, it was very well organized! I really appreciated that no alcohol was allowed; Club-Mate as the “hacker drink” was available.

It started by explaining where BSides came from originally (here). As Lenny Zeltser mentions on his blog, it is ok to

  • Join a conversation in progress
  • You need to let them into the conversation
  • Introduce yourself
  • Move from group to group
  • Have a business card or even better, a “calling-card” available with your contact details
  • Wear a name tag

and this went really well.

The first talk after the introduction that I attended was “DNS Tunneling: It’s all in the name!” by Arron “finux” Finnon. DNS is usually allowed in corporate or “commercial” environments, and he showed some nice ways to tunnel through DNS (“TXT” records) back out to the internet. He pointed out that some crazy fella even transferred shellcode this way. SysAdmins: are you watching your DNS traffic?

Chris Rook about "pownerizing" (photo)

It went on with “Jedi Mind Tricks For Building Application Security Programmes” by David Rook & Chris Wysopal. As security-aware people, we must not come down on developers with “you must not / do not” when explaining what security is. Most importantly, we need to explain properly what this is all about. David pointed out that “SQL injection”, “jacking” or “pwnerizing” (see the picture) could easily be misunderstood by developers, which is true I would say, and it was quite amusing.

The next one was “Practical Crypto Attacks Against Web Applications” by Justin Clarke. This was about how ECB and CBC work and practical attacks against them. Unfortunately I missed some of his talk; I need to get the slides from somewhere.

Xavier Mertens had his talk “All your logs are belong to you!”. You can find the slides here. All systems are logging something and, most importantly, they are your logs. Don’t be shy to ask your cloud provider for logs about the services you are using. I can only agree with him that OSSEC is a great and wonderful open-source tool to analyze your logs automatically. The OSSEC Dashboard looks like a brilliant solution and I have to give that a try!

After the lunch break, Steve Lord explained in his talk “Breaking, Entering and Pentesting” the career path of a pentester: starting as a “Nessus Monkey”, going through various stages and finally ending up as a professional pentester (aka “Jedi Master”) – and not in management. Brilliant talk. Steve was also at DC4420, btw.

Wicked Clown then had his talk “Breaking out of restricted RDP”. It was good to see that you don’t need to take “restricted” literally and how easy it is to break out of it. Have a look at his website for the slides, videos and more information.

David Rook then presented his second talk, “Agnitio: it’s static analysis, but not as we know it”. Slides are here. If you are into source review then this is something for you; you can find it here.

Manuel Leithner then presented “Your money, your media – a DRMtastic Android reverse (re)engineering tutorial”. It points out once again that DRM is just “scary” and can be circumvented if you want to.

And the final one was Security YMCA by Chris John Riley, The Suggmeister, Arron “finux” Finnon and Frank Breedijk, presenting the developer survey about security in a slightly different way, which you can see here. It seems that most developers are not security aware – and we must communicate A.S.A.P:

Young man, I was once in your shoes.
I said, I was down and out with the blues.
I felt no man cared ’bout se-cu-ri-ty
There’s just too much in-di-vi-du-a-li-ty

That’s when someone came up to me,
And said, young man, take a walk in the street.
I really want to know what you say
If only I could only un-der-stand you

You must communicate A.S.A.P

[..]

Finally, I want to say thank you to Matt Summers (@dive_monkey) for organizing this event. As I mentioned in the intro, perfectly organized, there was nothing missing. Looking forward to the next one.

PPS: Thanks Tomasz!

https://twitpic.com/photos/tomaszmiklas
https://twitpic.com/4n44lm
http://yfrog.com/z/h0m0vzjj

Categories: Events

Dedicated IPv6 gateway – way to go deploying IPv6

April 16th, 2011 Comments off

m0n0wall is a good product for running a firewall/gateway on an embedded device. It is based on BSD, very slick and reliable. I was using it a couple of years back, but unfortunately my hardware did not have wireless integrated, so I had to give it up and get a WRT54GL – running OpenWRT, of course.

Until now my IPv6 endpoint was this OpenWRT router; unfortunately it did not have a full IPv6 firewall integrated – I never seriously tried the 2.6 branch of it, but that would support a proper ip6tables firewall.

When m0n0wall announced version 1.33 with its “major ipv6 improvements”, I just couldn’t resist trying it. The phone line (not cable, unfortunately) is connected to my ISP’s router, which is then connected to my OpenWRT wireless router. I really didn’t want to put the m0n0wall router (i.e. the “IPv6 router”) in line, so I decided to install it parallel to the OpenWRT router: the internal port of m0n0wall is connected to the switch on the OpenWRT router and the external port to the ISP’s router.

Configuring IPv6 with a Hurricane Electric tunnel was easy going – the only problem I had was that I had not realized IPv6 was already enabled. I misinterpreted the interface configuration details of m0n0wall and expected to see some tunnel information (tunnel endpoint details). I was wondering why m0n0wall kept complaining about a duplicate IPv6 address (nifty feature!), but then I saw that the same IPv6 address was configured on the OpenWRT.

Removing IPv6 completely from the OpenWRT and rebooting the m0n0wall box then did the trick – voilà, IPv6 through a dedicated IPv6-only gateway works like a charm.

Thinking about it, this would actually be a good way to introduce IPv6 in a business/enterprise, as it wouldn’t cause any downtime, as long as you ensure that your resolver doesn’t hand out IPv6 addresses *g.

Categories: IPv6