Thursday, 3 July 2014

How I see a website

Sometimes I visit a website (yes, I really do), and sometimes I like to take a closer look at it.

Take one of my own, for example: I see a nice ownCloud login page. Well, let's dig a bit deeper.

#> curl -I oc.XXX.de
HTTP/1.1 302 Found
Date: Thu, 03 Jul 2014 10:07:22 GMT
Server: Apache/2.4.6 (Ubuntu)
Location: https://oc.XXX.de
Content-Type: text/html; charset=iso-8859-1

Okay, running Ubuntu and Apache. Nice to know, but there is a redirect, a 302. Let's see.

#> curl oc.XXX.de
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://oc.XXX.de">here</a>.</p>
<hr>
<address>Apache/2.4.6 (Ubuntu) Server at oc.XXX.de Port 80</address>
</body></html>
Ah, you want me to use HTTPS. Okay, let's go.
#> curl -I -k https://oc.XXX.de
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 09:58:15 GMT
Server: Apache/2.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.3-1ubuntu2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *
Set-Cookie: oc29fecb4bf3=vjqdmo6ltkct6s23utu92c2l21; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
So, you use PHP. Let's google the version number...
Okay, so it's Saucy (Ubuntu 13.10).

Nice security headers, by the way :-) Two things a reviewer would still flag, though: the Server and X-Powered-By headers give away the exact Apache and PHP versions (ServerTokens Prod in Apache and expose_php = Off in php.ini silence them), the CSP still allows 'unsafe-eval' for scripts and 'unsafe-inline' for styles, and the session cookie is set over HTTPS without the Secure flag.
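The same look at a site, scripted: the function below reads a `curl -I` header dump and reports missing hardening headers, version leaks and permissive settings. This is an added example and not code from the original post; SAMPLE_HEADERS is a constructed copy of the response shown above (embedded so the check runs offline), and audit_url is the live variant for any host you pick.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a `curl -I` header
# dump for the hardening headers discussed above and for the weak spots a
# reviewer would flag. SAMPLE_HEADERS is a constructed copy of the response
# shown in the post, embedded so the check runs offline.

SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.6 (Ubuntu)
X-Powered-By: PHP/5.5.3-1ubuntu2.5
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *
Set-Cookie: oc29fecb4bf3=vjqdmo6ltkct6s23utu92c2l21; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
EOF
)

# Print the value of header $1 from the header block on stdin
# (case-insensitive name match, CR and leading blanks stripped).
header_value() {
    grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# Read a header block on stdin and print one finding per line:
#   MISSING: <header>   a hardening header is absent
#   LEAK: <header>      Server/X-Powered-By reveal a version number
#   WEAK: <detail>      a header is present but permissive
audit_headers() {
    hdrs=$(cat)

    for required in Strict-Transport-Security X-Content-Type-Options \
                    X-Frame-Options Content-Security-Policy; do
        if [ -z "$(printf '%s\n' "$hdrs" | header_value "$required")" ]; then
            echo "MISSING: $required"
        fi
    done

    # A bare product name ("Server: Apache") is fine; "Apache/2.4.6" is not.
    for leak in Server X-Powered-By; do
        value=$(printf '%s\n' "$hdrs" | header_value "$leak")
        case "$value" in
            *[0-9].[0-9]*) echo "LEAK: $leak: $value" ;;
        esac
    done

    csp=$(printf '%s\n' "$hdrs" | header_value Content-Security-Policy)
    for weak in "'unsafe-inline'" "'unsafe-eval'"; do
        case "$csp" in
            *"$weak"*) echo "WEAK: CSP allows $weak" ;;
        esac
    done

    # Over HTTPS a session cookie should also carry the Secure flag.
    insecure=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' | grep -ivc 'secure' || true)
    [ "$insecure" -gt 0 ] && echo "WEAK: $insecure Set-Cookie header(s) without Secure flag"
    return 0
}

# Live use: audit_url https://oc.example.org (curl's own output, same checks).
audit_url() {
    curl -sI "$1" | audit_headers
}

printf '%s\n' "$SAMPLE_HEADERS" | audit_headers
```

Run against the sample it reports the two version leaks, the two permissive CSP keywords and the cookie without Secure, and nothing under MISSING; a fully hardened response produces no output at all.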


and the stories go on ....

Wednesday, 25 June 2014

Some security features

I have a tiny vserver running a "Red Hat-like OS". Mostly I use it for my ownCloud stuff, storing some files and reading my RSS feeds, so it is a nice playground for features, especially security-related ones.

Today I installed two tools:

  1. suricata
    (http://suricata-ids.org/) is an IDS/IPS engine whose development was originally funded by the US Department of Homeland Security. It is free and open source; its advantage over Snort is that it is multi-threaded and can use multiple CPUs.
  2. mod_security
    (http://www.modsecurity.org/) is an Apache module that works as a web application firewall; with a rule set such as the OWASP Core Rule Set it filters common attack patterns like XSS and SQL injection.
Suricata has to be installed by hand, as there are no packages in the repos. It isn't that hard, though, if you follow the documentation.
Once it is built, there are some additional steps.
  1. create /etc/suricata/ and /etc/suricata/rules
  2. copy suricata.yaml and all the .config files (classification, reference, threshold) to /etc/suricata; you will find them in the suricata source package
  3. change into /etc/suricata/rules and fetch all the rule files from https://rules.emergingthreats.net/open/suricata/rules/
  4. Now adjust the settings in suricata.yaml, for example which outputs you want to use. It is important to enable logging to a file and to syslog, because in daemon mode there is no console to log to. Have a look at the other options too; basically everything suricata handles can be tuned there.
  5. Finally start it: suricata -c /etc/suricata/suricata.yaml -i eth0 -D
  6. It writes all its output to /var/log/suricata
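The six steps above as one script, added here as an example and not taken from the original post. The paths, the Emerging Threats URL and the start command are the ones from the post; SURICATA_SRC (where the built source tree lives), the use of wget for the mirror and the awk check of the `logging:` block are assumptions of this example. Nothing is executed until SURICATA_RUN=1 is set, so the file can also be sourced for its functions.

```shell
#!/bin/sh
# Added example, not from the original post: the six manual Suricata steps
# above as one script. /etc/suricata, the rules directory, the Emerging
# Threats URL and the start command are the post's; SURICATA_SRC (the unpacked
# and built source tree) and the use of wget/awk are assumptions. Nothing runs
# until SURICATA_RUN=1 is set, so the file can also be sourced for its functions.

SURICATA_SRC="${SURICATA_SRC:-/usr/local/src/suricata}"
SURICATA_ETC="${SURICATA_ETC:-/etc/suricata}"
SURICATA_IFACE="${SURICATA_IFACE:-eth0}"
RULES_URL="https://rules.emergingthreats.net/open/suricata/rules/"

# Step 1: config and rules directories.
create_dirs() {
    mkdir -p "$SURICATA_ETC/rules"
}

# Step 2: copy the configs from the source tree (suricata.yaml is generated
# from suricata.yaml.in by ./configure; the .config files hold the
# classification, reference and threshold settings). Prints how many were copied.
install_configs() {
    copied=0
    for f in "$SURICATA_SRC"/*.config "$SURICATA_SRC"/suricata.yaml; do
        [ -f "$f" ] || continue
        cp -p "$f" "$SURICATA_ETC/"
        copied=$((copied + 1))
    done
    echo "$copied"
}

# Step 3: mirror the ET open rule files into the rules directory
# (recursive, no parent dirs, flat, *.rules only).
fetch_rules() {
    wget -q -r -np -nd -A '*.rules' -P "$SURICATA_ETC/rules" "$RULES_URL"
}

# Sanity check after step 3: number of active "alert" signatures installed.
count_rules() {
    cat "$SURICATA_ETC"/rules/*.rules 2>/dev/null | grep -c '^alert' || true
}

# Step 4: in daemon mode (-D) the console is gone, so the `logging:` block of
# suricata.yaml must have a file or syslog output enabled. Prints the names of
# the enabled outputs in that block, one per line (the top-level `outputs:`
# block for alerts is a different section and is skipped).
enabled_log_outputs() {
    awk '
        /^logging:/                 { inblock = 1; next }
        /^[A-Za-z]/                 { inblock = 0 }
        inblock && /^ *- [a-z-]+:/  { sub(/^ *- /, ""); sub(/:.*/, ""); cur = $0 }
        inblock && cur != "" && /enabled: *yes/ { print cur; cur = "" }
    ' "$1"
}

# Steps 5 and 6: validate the config (-T), then start as daemon; alerts and
# engine messages then land under /var/log/suricata as set by default-log-dir.
start_daemon() {
    suricata -T -c "$SURICATA_ETC/suricata.yaml" -i "$SURICATA_IFACE" &&
    suricata -c "$SURICATA_ETC/suricata.yaml" -i "$SURICATA_IFACE" -D
}

main() {
    create_dirs
    echo "configs copied: $(install_configs)"
    fetch_rules
    echo "alert rules installed: $(count_rules)"
    if ! enabled_log_outputs "$SURICATA_ETC/suricata.yaml" | grep -qxE 'file|syslog'; then
        echo "enable a file or syslog output under logging: in suricata.yaml before using -D" >&2
        exit 1
    fi
    start_daemon
}

if [ "${SURICATA_RUN:-0}" = 1 ]; then
    main
fi
```

The check before start_daemon is the part people forget: with only the console output enabled, a daemonised suricata that fails at startup disappears without a trace, so the script refuses to start it until a file or syslog output is switched on.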
mod_security can be installed from the repos:
yum install mod_security_crs.noarch mod_security_crs-extras.noarch
(the Core Rule Set packages pull in mod_security itself as a dependency).

After a restart of httpd it is active by default. The audit and debug output is written to the httpd log directory (modsec_audit.log and modsec_debug.log). A sensible first step is to set SecRuleEngine DetectionOnly in /etc/httpd/conf.d/mod_security.conf for a while and watch the audit log: WebDAV clients such as the ownCloud sync client are known to trigger CRS false positives, and those need rule exclusions before switching to blocking mode, or the sync breaks.

Wednesday, 11 June 2014

Good News: RHEL 7 with default MariaDB

I really think this is good news: in the upcoming release of Red Hat Enterprise Linux, MariaDB will be the default MySQL database server.

http://www.bytebot.net/blog/archives/2014/06/11/rhel7-now-with-mariadb 

MariaDB 5.5

MariaDB is the default implementation of MySQL in Red Hat Enterprise Linux 7. MariaDB is a community-developed fork of the MySQL database project, and provides a replacement for MySQL. MariaDB preserves API and ABI compatibility with MySQL and adds several new features; for example, a non-blocking client API library, the Aria and XtraDB storage engines with enhanced performance, better server status variables, and enhanced replication.

Detailed information about MariaDB can be found at https://mariadb.com/kb/en/what-is-mariadb-55/.

Friday, 6 June 2014

ALTER TABLE ADD INDEX: What can go wrong?

Answer: EVERYTHING!!
(@Groves really everything)

So, I just found out that running ALTER TABLE ... ADD INDEX on a live table, without a maintenance window, is the worst decision you can make.

What happens:

  1. You fire the ALTER command.
  2. To change the table definition, the ALTER needs an exclusive metadata lock on the table, and it cannot get one while any open transaction (even an idle one that merely read the table a while ago) still holds its shared metadata lock. Until that transaction commits or rolls back, the ALTER waits.
  3. The pending exclusive lock request blocks every new query against that table; even plain SELECTs queue up behind it.
  4. All queries (the ALTER and the SELECTs) sit in state "Waiting for table metadata lock", and the application grinds to a halt.
lesson learned!
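Two things worth having at hand next time, added here as an example and not part of the original post: wrap the ALTER in a short lock_wait_timeout so it fails fast instead of parking every query behind it, and parse SHOW FULL PROCESSLIST to count the waiters and find the idle transaction that holds the lock. The mysql client and the lock_wait_timeout variable are real; DB_NAME, the table and index names and SAMPLE_PROCESSLIST are constructed for the example, not captured from the author's server.

```shell
#!/bin/sh
# Added example, not from the original post: how to run the ALTER so that it
# fails fast instead of queueing everything behind it, and how to spot an
# existing pile-up in SHOW FULL PROCESSLIST output. The `mysql` client and the
# lock_wait_timeout variable are real; DB_NAME, the table/index names and
# SAMPLE_PROCESSLIST (tab-separated, as `mysql --batch` prints it) are
# constructed for the example, not captured from the author's server.

DB_NAME="${DB_NAME:-appdb}"

# Emit the ALTER preceded by a short metadata-lock timeout (seconds). If a
# transaction still holds the table when the exclusive metadata lock is
# requested, the ALTER gives up with ER_LOCK_WAIT_TIMEOUT after $4 seconds
# instead of parking every new query in "Waiting for table metadata lock"
# until that transaction ends.
build_alter_sql() {
    # $1 = table, $2 = index name, $3 = column list, $4 = timeout in seconds
    printf 'SET SESSION lock_wait_timeout = %d;\nALTER TABLE `%s` ADD INDEX `%s` (%s);\n' \
        "$4" "$1" "$2" "$3"
}

# Live use: run_alter mytable idx_col col 5
run_alter() {
    build_alter_sql "$@" | mysql --batch "$DB_NAME"
}

# Constructed process list: one idle transaction (12), the stuck ALTER (31),
# two SELECTs queued behind it (44, 45) and a fresh connection (50).
SAMPLE_PROCESSLIST=$(printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    Id User Host db Command Time State Info \
    12 app 10.0.0.5:51234 appdb Sleep 412 '' NULL \
    31 root localhost appdb Query 210 'Waiting for table metadata lock' 'ALTER TABLE mytable ADD INDEX idx_col (col)' \
    44 app 10.0.0.5:51300 appdb Query 205 'Waiting for table metadata lock' 'SELECT * FROM mytable WHERE col = 1' \
    45 app 10.0.0.5:51301 appdb Query 190 'Waiting for table metadata lock' 'SELECT COUNT(*) FROM mytable' \
    50 app 10.0.0.6:40001 appdb Sleep 3 '' NULL)

# Number of sessions blocked on the metadata lock (column 7 = State).
count_mdl_waiters() {
    awk -F '\t' 'NR > 1 && $7 == "Waiting for table metadata lock" { n++ } END { print n + 0 }'
}

# Heuristic for the culprit: a session that is NOT waiting and has been idle
# or running for longer than the oldest waiter. An open transaction that
# touched the table earlier shows up as Command=Sleep with a large Time and
# keeps its shared metadata lock until COMMIT/ROLLBACK; KILL <Id> on it
# releases the whole queue.
likely_blockers() {
    awk -F '\t' '
        NR == 1 { next }
        $7 == "Waiting for table metadata lock" { if ($6 + 0 > maxwait) maxwait = $6 + 0; next }
        $5 == "Sleep" || $5 == "Query" { id[NR] = $1; t[NR] = $6 + 0 }
        END { for (i in id) if (t[i] > maxwait) print id[i] }'
}

echo "waiters: $(printf '%s\n' "$SAMPLE_PROCESSLIST" | count_mdl_waiters)"
echo "likely blocker(s): $(printf '%s\n' "$SAMPLE_PROCESSLIST" | likely_blockers | tr '\n' ' ')"
```

For a live server, feed `mysql --batch -e 'SHOW FULL PROCESSLIST'` into the two functions. The blocker heuristic is only that: on MySQL 5.7 or MariaDB with the metadata_lock_info plugin the lock holder can be read directly, but on the 5.5-era servers discussed here the process list is what you have.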