Tuesday, 6 September 2011

blocking request range attacks on Apache

There are a number of ways to block the recent byte-range request attack; best of all is upgrading or patching Apache to fix the issue.

Some versions are easier than others to configure if you cannot patch or upgrade.

In particular, Apache 2.0.49 does not have some of the features required, such as the option to use RequestHeader with an environment variable.

Below is the configuration I have used to block requests with 10 or more byte ranges, or that use the HEAD method to request byte ranges (as that seems a little pointless).

It also logs all such requests to a specific log file.

# Flag any byte-range request on either header, then clear the flag for GET
# so that only other methods (HEAD in practice) keep it...
SetEnvIf Range (^bytes) bad-range=1
SetEnvIf Request-Range (^bytes) bad-range=1
SetEnvIf Request_Method "GET" !bad-range
# ...and re-flag anything carrying 9 or more commas, i.e. 10 or more ranges
SetEnvIf Range (,.*?){9,} bad-range=1
SetEnvIf Request-Range (,.*?){9,} bad-range=1
# Write flagged requests to their own log
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

#Not available in Apache 2.0.49
#RequestHeader unset Range env=bad-range
#RequestHeader set Range "badrange" env=bad-range

RewriteEngine on

# Forbid any Range / Request-Range value that is not empty and not
# "bytes=" followed by at most 10 comma-separated ranges
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,9}$|^$)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,9}$|^$)
RewriteRule .* - [F]
# Forbid HEAD requests that ask for byte ranges at all
RewriteCond %{HTTP:range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]

I've simply put this in httpd.conf via an include file before my NameVirtualHost options, and then in each virtual host I've added:

RewriteEngine On
RewriteOptions Inherit
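To sanity-check what the rules above actually let through, here is an added Python sketch (mine, not part of the original post) that re-implements the SetEnvIf chain and the RewriteCond tests on a single Range or Request-Range value; the function names are my own. It also shows that a header with exactly ten ranges is logged by the SetEnvIf rules but only rejected by the RewriteRule from eleven ranges upwards.

```python
import re

# Regexes copied from the Apache config above. SetEnvIf and RewriteCond both
# use unanchored (search) matching, which is what re.search does here.
RANGE_IS_BYTES = re.compile(r"(^bytes)")
NINE_PLUS_COMMAS = re.compile(r"(,.*?){9,}")
ALLOWED_RANGE = re.compile(r"(^bytes=[^,]+(,[^,]+){0,9}$|^$)")


def is_logged(method, range_value):
    """Mirror the SetEnvIf chain: True when bad-range survives to CustomLog.
    range_value is the Range (or Request-Range) header, "" when absent."""
    bad = bool(RANGE_IS_BYTES.search(range_value))   # SetEnvIf Range (^bytes) bad-range=1
    if re.search("GET", method):                     # SetEnvIf Request_Method "GET" !bad-range
        bad = False
    if NINE_PLUS_COMMAS.search(range_value):         # SetEnvIf Range (,.*?){9,} bad-range=1
        bad = True
    return bad


def is_blocked(method, range_value):
    """Mirror the RewriteCond/RewriteRule pairs: True when the request gets a 403."""
    # RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,9}$|^$)
    if not ALLOWED_RANGE.search(range_value):
        return True
    # RewriteCond %{HTTP:range} (^bytes=) together with %{REQUEST_METHOD} ^(HEAD)
    if range_value.startswith("bytes=") and re.match("^(HEAD)", method):
        return True
    return False


def ranges(n):
    """Constructed Range header carrying n byte ranges, e.g. bytes=0-0,1-1."""
    return "bytes=" + ",".join(f"{i}-{i}" for i in range(n))


if __name__ == "__main__":
    for method, hdr in [("GET", ranges(2)), ("GET", ranges(10)),
                        ("GET", ranges(11)), ("HEAD", ranges(1))]:
        print(method, hdr.count(",") + 1, "ranges ->",
              "logged" if is_logged(method, hdr) else "-",
              "blocked" if is_blocked(method, hdr) else "-")
```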

Hope it's of some use!

using recaptcha with sun one (chilisoft) asp

I've revisited using reCAPTCHA with Sun ONE ASP a number of times and never got it to work, but I finally worked it out and here is how.

You can use the standard classic ASP code on Google's web site:

http://code.google.com/apis/recaptcha/docs/asp.html

All you then need to change is one line of code.

Replace

Set objXmlHttp = Server.CreateObject("MSXML.XMLHTTPRequest")

with

Set objXmlHttp = NewJavaObject("com.sun.msxml.XMLHttpRequest")

You then need to update the bean policy file and add two new lines:

/opt/casp/asp-server-3000/bean.policy

permission java.util.PropertyPermission "*", "read,write";
permission java.net.SocketPermission "*", "connect,resolve";

Both permissions are wildcards; if you know the host the ASP sample posts to for verification, you can restrict the SocketPermission to that host and port rather than "*".


You then need to configure Sun ONE ASP to enable Java beans and enable the Java security manager via the management interface. It will prompt you to restart the ASP server, which needs to be done to pick up the changes.

Once that's all done, your captcha code should work on Sun ONE ASP 4.0.3.

Thursday, 6 May 2010

sendmail disable authentication on external interface

Since we opened some of our servers to accept incoming mail we have noticed that we get a lot of AUTH attacks.

This results in messages like the following in our maillog:

May 6 08:41:18 asa3 sendmail[20544]: o468f4FG020544: [189.3.123.235]: possible SMTP attack: command=AUTH, count=4

I've not found a way of simply telling sendmail to block an IP for a period when it detects more than 'n' AUTH failures.

As we don't use AUTH on the external interface (we just accept incoming email for a limited number of accounts), I decided to disable AUTH there.

I edited /etc/mail/sendmail.mc and modified the DAEMON_OPTIONS settings as follows:-

Original
========
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

Amended
=======
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=x.x.x.x, Name=MTB, M=A')dnl

As you can see, I simply restricted MTA to the loopback address and created a new MTB, which tells sendmail to listen on the external IP (x.x.x.x) but disables AUTH by specifying the M=A option.

Once that's done, I simply ran make and restarted sendmail.

Everything works as before, except the AUTH command is now rejected by sendmail on the external interface, as can be seen below:

# telnet x.x.x.x 25
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 x.x.x.x ESMTP Sendmail 8.13.8/8.13.8; Thu, 6 May 2010 09:56:49 GMT
helo yyyyy
250 x.x.x.x Hello yyyyy, pleased to meet you
AUTH PLAIN AGptczFAam1zMS5uZXQAbm90Lm15LnJlYWwucGFzc3dvcmQ=
503 5.3.3 AUTH not available
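Since sendmail has no built-in per-IP lockout for these AUTH attempts, here is an added Python snippet (mine, not from the post) that tallies the "possible SMTP attack" maillog lines per source IP so the worst offenders can be alerted on or handed to a firewall rule. The first sample line is the one quoted above; the others are constructed, and the function names are my own.

```python
import re

# Matches the "possible SMTP attack" line sendmail writes to maillog, e.g.
# "... sendmail[20544]: o468f4FG020544: [189.3.123.235]: possible SMTP attack: command=AUTH, count=4"
ATTACK_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): \[(?P<ip>[\d.]+)\]: "
    r"possible SMTP attack: command=(?P<cmd>\w+), count=(?P<count>\d+)"
)

# Constructed sample log: first line is the one from the post, the rest are made up.
SAMPLE_LOG = [
    "May 6 08:41:18 asa3 sendmail[20544]: o468f4FG020544: [189.3.123.235]: possible SMTP attack: command=AUTH, count=4",
    "May 6 08:41:20 asa3 sendmail[20544]: o468f4FG020544: [189.3.123.235]: possible SMTP attack: command=AUTH, count=5",
    "May 6 08:42:01 asa3 sendmail[20601]: o468g1AB020601: [192.0.2.10]: possible SMTP attack: command=AUTH, count=2",
    "May 6 08:43:15 asa3 sendmail[20633]: o468hFCD020633: [198.51.100.7]: possible SMTP attack: command=HELO, count=9",
    "May 6 08:44:02 asa3 sendmail[20640]: o468i2EF020640: from=<a@example.org>, size=1234, class=0",
]


def attack_peaks(lines, command="AUTH"):
    """Highest reported count per client IP for the given rejected command."""
    peaks = {}
    for line in lines:
        m = ATTACK_RE.search(line)
        if m and m.group("cmd") == command:
            ip, count = m.group("ip"), int(m.group("count"))
            peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks


def offenders(lines, threshold, command="AUTH"):
    """IPs whose count reached the threshold, most active first."""
    peaks = attack_peaks(lines, command)
    return sorted((ip for ip, c in peaks.items() if c >= threshold),
                  key=lambda ip: -peaks[ip])


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG, threshold=4):
        print(f"{ip}: {attack_peaks(SAMPLE_LOG)[ip]} AUTH attempts")
```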

Tuesday, 2 March 2010

iphone 3gs signal issues - don't buy one!

I waited a long time before deciding to buy an iPhone; it was the perfect choice for what I needed to do and meant I could carry one device rather than a number, as it fitted my purpose for work and pleasure. I avoided jumping on the bandwagon as an early adopter and thought the 3GS would be no problem.

How wrong I was! From the moment I switched it on I had signal issues. There was of course the customary run-around from Vodafone and Apple: denial of issues, then a sort of acknowledgement from Vodafone of issues, but still no acceptance of a fault from Apple. Anyway, after a week of frustration, phone calls, emails and a trip to the Apple store to see a Genius and swap the phone, I'd had enough and returned it.

The issue.

My work is 0.5 of a mile from a mast, pretty much clear line of sight, my home is 0.9 of a mile away from the same mast.

On a normal Nokia phone I get a good signal and have no issues making calls, getting texts etc.

Move over to the iPhone 3GS using the same SIM and I basically can't make a call or send a text.

Sat on my desk the iPhone 3GS shows 2, sometimes 3 bars; if I am unlucky it will roam to 3G, where it just has a signal. Picking the phone up results in the loss of at least 2 bars of signal within 30 seconds or so. You can see the problem, can't you: lose 2 to 3 bars of signal and guess what, you have no signal, the call is dropped and the phone starts searching for a signal.

It appears having the phone in your hand covers the aerial and reduces the signal, hardly a clever design for a hand-held device.

I also tested the same SIM in a friend's iPhone 3G; sat in the same place on the desk it shows 4-5 bars, much like my Nokia.

Surprisingly, it also exhibits the pick-up issue: when in hand it loses up to 2 bars of signal depending on how you hold it. It's not, of course, so noticeable, as you have 4 or 5 to start with so can still make and receive calls.

There is also an issue with the way both phones roam from 3G to 2G: it takes the phone an age to realise it's lost its 3G signal and then swap to 2G, and in my experience it normally says 'searching' in between, so you can expect to drop a call if it happens. This can easily be reproduced by switching off your suresignal box and seeing how long after that it is before it drops the 3G signal and reverts to 2G on your local mast.

So it would appear:-

The iPhone 3GS can only be used in very high signal areas (5 bars +).
The iPhone 3G can only be used in medium signal areas (3-4 bars +).
Signal loss detection is poor and switching between 2G and 3G is poor.

Switch off 3G on a 3GS unless you are using it and are stood by a mast. The 3GS appears to strongly favour a 3G signal even when it only has one bar, if you then pick up the device you will lose your signal and it will roam to 2G. Better to have it on 2G all the time - but then why have a 3G phone!

Vodafone will offer you a suresignal box to 'boost' your signal, except it doesn't boost your signal: it creates your own mast in your house, routed over your internet connection. What doesn't occur to Vodafone is that if you have a signal issue at home you likely have one down the local pub, the gym, and everywhere else you go locally. So in reality it solves nothing, which is probably why no one else has adopted them. It also means you somehow need to keep 1mb/s of your bandwidth free per phone; how do you accomplish that? If someone starts a large download you can forget using your phones!

After much pressing I've finally managed to be allowed to return the item to Vodafone and cancel the contract without paying a £500 early termination fee. My suggestion is you mention the distance selling act (if you bought it remotely) and the consumer protection laws (such as being fit for purpose which it clearly isn't).

Apple seem to be in denial and trying to cover up the issues with the iPhone, and in particular the 3GS. My phone was swapped instantly at the Genius bar, but the new one was no different. I rang the next day to see if anything could be done, but other than offering a suresignal there was no alternative, and although the staff member could not admit to an issue you could tell that there was one and I wasn't the first to have such problems.

I'm hoping it's just either a particular batch of faulty phones or a software issue that can be resolved, but I fear it's a physical design issue/flaw with the iPhone's aerial and, on the S series, some form of extra interference from the faster processor. Time will tell.

For the moment, and until the issue can be demonstrated to be resolved, I'm returning to my Nokia.

Sadly, having done some searching on the net since, it seems other modern devices like the iPhone can also suffer from similar signal loss when picked up, so choose your device carefully and do some research before signing up.

Monday, 16 March 2009

backscatter with sendmail

One of our mail servers recently got listed in backscatter.org for creating backscatter (Non-Delivery Reports (NDRs) sent to people who have been listed as the sender of spam).

I was pretty surprised at this, as I had configured sendmail such that it should not produce backscatter.

However, on closer investigation it was true: we were sending backscatter.

The problem lay in the fact that we relay a few accounts to the users' ISP accounts. One in particular (Demon) issues a 509 if they reject the email as spam.

This was causing our mail server to send an NDR to the from address of the original email.

To solve this problem I used procmail and formail to rewrite and then forward the email, rather than simply allowing sendmail to relay it.

By rewriting the 'Return-Path' header, the NDR is sent to a local address (which is actually /dev/null) rather than to the FROM address.

To do this I simply created an account for the user and then created a .procmailrc in the home directory with the following entry:

# Filter recipe: swap Return-Path for the junk sink, then hand the message
# to sendmail with the envelope sender (-f) set to the same address
:0fw
| /usr/bin/formail -i "Return-Path: postmaster@mydomain.co.uk" | /usr/lib/sendmail -f postmaster@mydomain.co.uk yyyyyyyy@myotherdomain.co.uk

postmaster@mydomain.co.uk is simply sent to 'junkmail', and junkmail is an alias (in aliases) for /dev/null.

The original Return-Path can be seen in the mail header as Old-Return-Path should you ever need it.
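As an added illustration (mine, not the post's), here is the header rewrite that formail -i performs, done in Python on a constructed message, so you can see why a downstream rejection now bounces to the postmaster sink rather than to the original sender. The message, the sink address and the function names are my own assumptions.

```python
import email
from email.message import Message

# Constructed sample message, like one the relay receives before forwarding.
SAMPLE = """\
Return-Path: <spammer@example.org>
From: spammer@example.org
To: user@mydomain.co.uk
Subject: test

hello
"""

BOUNCE_SINK = "postmaster@mydomain.co.uk"   # the alias that ends up in /dev/null


def rewrite_return_path(raw, new_sender):
    """Do what `formail -i "Return-Path: ..."` does: rename any existing
    Return-Path header to Old-Return-Path and insert the new one."""
    msg = email.message_from_string(raw)
    for old in msg.get_all("Return-Path", []):
        msg["Old-Return-Path"] = old
    del msg["Return-Path"]
    msg["Return-Path"] = f"<{new_sender}>"
    return msg


def bounce_target(msg: Message):
    """Where a downstream 5xx rejection would be bounced, per Return-Path."""
    return msg["Return-Path"].strip("<> ")


if __name__ == "__main__":
    rewritten = rewrite_return_path(SAMPLE, BOUNCE_SINK)
    print(rewritten.as_string())
```

Note that sendmail's -f option in the recipe sets the real envelope sender; the header rewrite is what lets you keep the original value as Old-Return-Path.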

You can verify everything is working by simply checking your maillog (and by the fact you no longer have NDR mail sat for days in your outgoing queue!).

If you need to monitor your mail server check out www.ippatrol.com

Monday, 23 February 2009

asa5505 top 10 feature

The latest version of ASDM fails with an error when you try to enable the ASA5505 top 10 feature.

It tries to execute the command "threat-detection statistics host number-of-rate 0" which is not valid.

To enable it, execute the command "threat-detection statistics" using the CLI.

Save the config and then disconnect and reconnect ASDM.

Should now be working!

It's not always obvious it's fully working, as many of the windows show zero values for parameters when there is no attack.

Both issues have been logged with Cisco.

Thursday, 22 January 2009

Allowing for a timeout on check_nrpe

check_nrpe allows a timeout to be set using the -t option. The default is 10 seconds, which is often not enough. However, there is no way of specifying the timeout option when configuring a host.

example
=======

define service{
use generic-service
# Hostname of remote system
host_name mynode.mydomain.com
service_description Load
is_volatile 0
check_period 24x7
max_check_attempts 3
normal_check_interval 5
retry_check_interval 1
# Change to your contact group
contact_groups admins
notification_options w,u,c,r
notification_interval 10
notification_period 24x7
check_command check_nrpe!check_load
}

To get round this problem, simply add a new command definition to commands.cfg below the existing check_nrpe definition:

define command{
command_name mycheck_nrpe
command_line /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -t $ARG2$
}

mycheck_nrpe allows a second parameter to be passed from the service definition.

example
=======

define service{
use generic-service
# Hostname of remote system
host_name mynode.mydomain.com
service_description Load
is_volatile 0
check_period 24x7
max_check_attempts 3
normal_check_interval 5
retry_check_interval 1
# Change to your contact group
contact_groups admins
notification_options w,u,c,r
notification_interval 10
notification_period 24x7
check_command mycheck_nrpe!check_load!30
}

The above example specifies a 30 second timeout. Note that -t only governs how long check_nrpe waits on the client side; the NRPE daemon has its own command_timeout setting in nrpe.cfg, so raise that too if the remote plugin itself needs longer to run.

Problem solved!