All posts tagged Ubuntu

To change file permissions on Linux we use chmod together with the kind of permission we want to grant:

ugo/a -> user, group, other and all
rwxs -> read, write, execute and setuid/setgid (s applied to u or g)

There is also the octal way of representing these permissions, used above all in the file-creation masks of external file systems and of Samba, for example.

This is what is known as the octal system: the first digit from the right is for other, the second for group and the third for user.

What each digit means:

7 -> rwx read, write, execute (+rwx)
6 -> rw- read, write (-x+rw)
5 -> r-x read, execute (-w+rx)
4 -> r-- read (-wx+r)
3 -> -wx write, execute (-r+wx)
2 -> -w- write (-rx+w)
1 -> --x execute (-rw+x)
0 -> --- no permissions (-rwx)

The s bit from the symbolic form has no place in these three digits: it goes in an optional fourth digit on the left, where 4 is setuid, 2 is setgid and 1 is the sticky bit, so chmod u+s,755 is the same as chmod 4755.
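As an added example (not part of the original post), the following shell script turns an octal mode, three or four digits, into the nine-character string that ls -l prints, and cross-checks its answer against the kernel with GNU stat on a scratch file. It assumes a POSIX sh and GNU coreutils for the stat check; the conversion itself needs nothing else.

```sh
#!/bin/sh
# Added example, not from the original post: expand an octal mode (the form
# used in Samba create masks and mount options) into the rwx string that
# `ls -l` shows, including the optional leading digit for setuid (4),
# setgid (2) and sticky (1), which the symbolic form writes as u+s, g+s, +t.

# One octal digit -> three characters: r = 4, w = 2, x = 1.
digit_to_rwx() {
    d=$1
    out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# Three or four octal digits -> nine-character mode string.
# mode_to_rwx 755  -> rwxr-xr-x
# mode_to_rwx 4755 -> rwsr-xr-x   (capital S/T when the bit is set but x is not)
mode_to_rwx() {
    m=$1
    case $m in
        ''|*[!0-7]*) echo "mode_to_rwx: '$m' is not octal" >&2; return 1 ;;
    esac
    case ${#m} in
        3) special=0; perms=$m ;;
        4) special=${m%???}; perms=${m#?} ;;
        *) echo "mode_to_rwx: expected 3 or 4 octal digits, got '$m'" >&2; return 1 ;;
    esac
    mid=${perms#?}
    u=$(digit_to_rwx "${perms%??}")
    g=$(digit_to_rwx "${mid%?}")
    o=$(digit_to_rwx "${perms#??}")
    if [ $((special & 4)) -ne 0 ]; then
        case $u in *x) u="${u%x}s" ;; *) u="${u%-}S" ;; esac
    fi
    if [ $((special & 2)) -ne 0 ]; then
        case $g in *x) g="${g%x}s" ;; *) g="${g%-}S" ;; esac
    fi
    if [ $((special & 1)) -ne 0 ]; then
        case $o in *x) o="${o%x}t" ;; *) o="${o%-}T" ;; esac
    fi
    printf '%s\n' "$u$g$o"
}

# Cross-check against the kernel on a scratch file (GNU stat; skipped elsewhere).
check_against_stat() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    expected=$(mode_to_rwx "$1")
    if actual=$(stat -c '%A' "$f" 2>/dev/null); then
        # stat prints a leading type character ("-" for a regular file); drop it
        if [ "${actual#?}" = "$expected" ]; then
            echo "$1 -> $expected (matches stat)"
        else
            echo "$1: computed $expected, stat says ${actual#?}" >&2
        fi
    else
        echo "$1 -> $expected (stat -c not available, not verified)"
    fi
    rm -f "$f"
}

for mode in 644 755 4755 2750 1777; do
    check_against_stat "$mode"
done
```

The capital S and T matter when reading ls output during an audit: a file shown as rwSr--r-- has setuid set but no execute bit, which is usually a mistake rather than an intended privilege.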


Sometimes, whether for security reasons or because the MySQL server is only reachable from its own network (bound to localhost or behind a firewall), we need to reach it through a tunnel secured with ssh.

Following the steps given by Marion Bates in the article MySQL ssh tunnel Quickstart, we will quickly set up an ssh connection to a MySQL server.

Just type in a terminal:

ssh -L 3307:nom.servidor.mysql:3306 usuari@nom.servidor.ssh

This opens a tunnel on localhost:3307 that points at nom.servidor.mysql:3306 through the ssh connection.
We chose local port 3307 because the machine we run this from already has a test MySQL server on 3306.
If the machine reachable over ssh is the same one that runs MySQL, nom.servidor.mysql will be localhost.
Leave this connection open: the tunnel stays up for as long as the terminal session is active.
Bear in mind that only the leg between our machine and nom.servidor.ssh is encrypted; if nom.servidor.mysql is a different host, the ssh server talks to it over plain TCP on the remote network, and the MySQL server sees the connection as coming from the ssh host.
To connect, open MySQL Query Browser and enter host 127.0.0.1, port 3307 and a valid user and password for the MySQL database. Use 127.0.0.1 rather than localhost: MySQL clients treat localhost as "use the Unix socket", which would reach the local test server instead of the tunnel.
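The same tunnel as a script, added here as an example that is not part of the original post or of Marion Bates' article: it binds the forward explicitly to 127.0.0.1, fails loudly if port 3307 is already taken, runs ssh in the background behind a control socket so the tunnel can be closed cleanly, and forces the mysql command-line client onto TCP. The host names, user and control socket path are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Opens the MySQL tunnel in the
# background with a control socket, connects through it, and tears it down.
# Host names and user are placeholders taken from the post.

SSH_HOST="usuari@nom.servidor.ssh"
MYSQL_HOST="nom.servidor.mysql"   # "localhost" if MySQL runs on the ssh host
LOCAL_PORT=3307
REMOTE_PORT=3306
CTL="$HOME/.ssh/mysql-tunnel.ctl"  # control socket; path is this example's choice

# Build the -L argument. Binding explicitly to 127.0.0.1 keeps the forward
# off other interfaces even if the ssh client config has GatewayPorts on.
forward_spec() {
    lport=$1; rhost=$2; rport=$3
    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*) echo "forward_spec: port '$p' is not numeric" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "forward_spec: port '$p' out of range" >&2; return 1; }
    done
    printf '127.0.0.1:%s:%s:%s\n' "$lport" "$rhost" "$rport"
}

open_tunnel() {
    # -N: no remote command; -f: go to background after authentication;
    # ExitOnForwardFailure: exit instead of running silently without the
    # forward when 3307 is already in use (e.g. by a local MySQL).
    spec=$(forward_spec "$LOCAL_PORT" "$MYSQL_HOST" "$REMOTE_PORT") || return 1
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes -L "$spec" "$SSH_HOST"
}

close_tunnel() {
    ssh -S "$CTL" -O exit "$SSH_HOST"
}

# --protocol=TCP matters: with -h localhost the mysql client would use the
# Unix socket of the local test server and never touch the tunnel.
query_through_tunnel() {
    mysql --protocol=TCP -h 127.0.0.1 -P "$LOCAL_PORT" -u "$1" -p \
        -e 'SELECT @@hostname, @@port;'
}

# Usage: sh tunnel.sh run <mysql-user>
case ${1:-} in
    run)
        open_tunnel || exit 1
        query_through_tunnel "${2:?mysql user}"
        close_tunnel
        ;;
esac
```

The SELECT @@hostname, @@port query is a cheap sanity check: if it reports the remote server's name and 3306 rather than the local test instance, the traffic is going through the tunnel.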

The Linux version (beta) of the TeamViewer remote desktop tool is now available.

There is a TeamViewer package for Ubuntu in 32-bit and 64-bit flavours. At Corretgé.com we have tried the 32-bit TeamViewer, very satisfactorily.

TeamViewer allows remote desktop sessions without having to change routers or firewalls: if the machine can browse the Internet, TeamViewer can be used.

TeamViewer encrypts the session with 256-bit AES.

Until now TeamViewer could be used through Wine, but only to view other people's desktops.

This is very good news! Thank you, TeamViewer!


Skipfish is a web application vulnerability scanner from Google.

It is quite fast (close to 2000 requests per second on a LAN) and thorough; we will keep an eye on it, above all because of how simple it is to run.

To install it on Ubuntu, download the program from Google Code SkipFish and unpack it.

First we need some libraries installed:
sudo apt-get install libssl-dev zlibc zlib-bin libidn11-dev libidn11

Then start compiling the application with a simple
make

Copy the dictionary to use; since we are only testing, we go with the complete one :-)
cp dictionaries/complete.wl ./skipfish.wl

And run the security test
./skipfish -o ../test.skipfish http://url.projecte.dev

With the -C option we can pass a cookie containing the session ID, i.e. we can log in normally and, once authenticated, run the scanner. When doing so, exclude the logout URL with -X (for instance -X /logout); otherwise the crawler follows it and the rest of the scan runs unauthenticated.

It is important to run the first tests against local development environments and to turn off the web server's logs, or we may launch a DoS against ourselves: at that request rate the access log fills the disk.

A complete review of a relatively small site, on a local Gigabit network, took over 12 hours.

A curiosity: for security reasons the report does not display correctly in Chromium when opened directly from file://, but it does in Firefox. To view it from Safari or Chrome, put the output in a folder served by a web server.
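The procedure above, wrapped in a script as an added example (this is not skipfish's own tooling nor code from the original post): it refuses to scan anything that does not look like a development host, caps the request rate so the target's logs and disk survive, passes the session cookie and keeps the crawler away from the logout URL. The -o, -C, -X and -l flags are skipfish's documented options; the host patterns, the /logout path and the 200 requests/second cap are this example's choices.

```sh
#!/bin/sh
# Added example, not from the original post or from skipfish: a wrapper that
# only scans development hosts, throttles the request rate, passes the
# session cookie and excludes the logout URL. Host names are placeholders.

SKIPFISH=${SKIPFISH:-./skipfish}   # built in the unpacked source tree

# Extract the host part of an http(s) URL.
url_host() {
    h=${1#*://}        # strip scheme
    h=${h%%/*}         # strip path
    h=${h%%:*}         # strip port
    printf '%s\n' "$h"
}

# Return 0 only for hosts we consider a local development target: loopback,
# RFC 1918 addresses, or a name ending in .dev/.local (this example's rule).
is_dev_target() {
    case $(url_host "$1") in
        localhost|127.*|10.*|192.168.*|*.dev|*.local) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_scan TARGET_URL OUTPUT_DIR [SESSION_COOKIE]
run_scan() {
    target=$1; outdir=$2; cookie=${3:-}
    is_dev_target "$target" || { echo "refusing to scan non-dev host: $target" >&2; return 1; }
    # keep each run in a fresh directory so reports do not mix
    [ -e "$outdir" ] && { echo "output dir $outdir already exists" >&2; return 1; }
    # -l caps requests per second; -X excludes URLs containing the string,
    # so an authenticated crawl cannot log itself out
    set -- -o "$outdir" -l 200 -X /logout
    [ -n "$cookie" ] && set -- "$@" -C "$cookie"
    "$SKIPFISH" "$@" "$target"
}

# Usage: sh scan.sh run http://url.projecte.dev ../test.skipfish 'PHPSESSID=...'
case ${1:-} in
    run) run_scan "${2:?target url}" "${3:?output dir}" "${4:-}" ;;
esac
```

The cookie value goes on the command line here, which means it shows up in the shell history and in ps output on the scanning machine; on a shared box, invalidate the session once the scan is done.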

This week at the Corretgé.com office we received the splendid PHP Security Poster published by SektionEins, the German company specialising in security.

SektionEins is the company behind the Suhosin security package. If we installed PHP from the Ubuntu packages, running phpinfo() will most likely show that the installed PHP has the Suhosin patch applied; it is easy to spot by the Korean characters 수호신 at the bottom of the page, which translate roughly as "guardian deity"... yes, that is the literal translation; it is not one of the guardian deities that Buddhism assigns to its faithful according to their year of birth.

This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project

So Ubuntu users already get a PHP with the Suhosin patch built in and do not have to compile anything or apply any patch. The patch hardens the PHP engine itself; the Suhosin extension, which provides the request-filtering directives listed below, is a separate package. To install that extension we run

sudo apt-get install php5-suhosin

In /etc/php5/apache2/conf.d/suhosin.ini we can configure this guardian protector.

In future posts we will discuss some of the configuration parameters. These are the current values as phpinfo() reports them (Local Value is the setting in effect for the script, Master Value the one from the ini files):


Directive Local Value Master Value
suhosin.apc_bug_workaround Off Off
suhosin.cookie.checkraddr 0 0
suhosin.cookie.cryptdocroot On On
suhosin.cookie.cryptkey [ protected ] [ protected ]
suhosin.cookie.cryptlist no value no value
suhosin.cookie.cryptraddr 0 0
suhosin.cookie.cryptua On On
suhosin.cookie.disallow_nul 1 1
suhosin.cookie.disallow_ws 1 1
suhosin.cookie.encrypt Off Off
suhosin.cookie.max_array_depth 50 50
suhosin.cookie.max_array_index_length 64 64
suhosin.cookie.max_name_length 64 64
suhosin.cookie.max_totalname_length 256 256
suhosin.cookie.max_value_length 10000 10000
suhosin.cookie.max_vars 100 100
suhosin.cookie.plainlist no value no value
suhosin.coredump Off Off
suhosin.disable.display_errors Off Off
suhosin.executor.allow_symlink Off Off
suhosin.executor.disable_emodifier Off Off
suhosin.executor.disable_eval Off Off
suhosin.executor.eval.blacklist no value no value
suhosin.executor.eval.whitelist no value no value
suhosin.executor.func.blacklist no value no value
suhosin.executor.func.whitelist no value no value
suhosin.executor.include.blacklist no value no value
suhosin.executor.include.max_traversal 0 0
suhosin.executor.include.whitelist no value no value
suhosin.executor.max_depth 0 0
suhosin.filter.action no value no value
suhosin.get.disallow_nul 1 1
suhosin.get.disallow_ws 0 0
suhosin.get.max_array_depth 50 50
suhosin.get.max_array_index_length 64 64
suhosin.get.max_name_length 64 64
suhosin.get.max_totalname_length 256 256
suhosin.get.max_value_length 512 512
suhosin.get.max_vars 100 100
suhosin.mail.protect 0 0
suhosin.memory_limit 0 0
suhosin.mt_srand.ignore On On
suhosin.multiheader Off Off
suhosin.perdir 0 0
suhosin.post.disallow_nul 1 1
suhosin.post.disallow_ws 0 0
suhosin.post.max_array_depth 50 50
suhosin.post.max_array_index_length 64 64
suhosin.post.max_name_length 64 64
suhosin.post.max_totalname_length 256 256
suhosin.post.max_value_length 65000 65000
suhosin.post.max_vars 200 200
suhosin.protectkey On On
suhosin.request.disallow_nul 1 1
suhosin.request.disallow_ws 0 0
suhosin.request.max_array_depth 50 50
suhosin.request.max_array_index_length 64 64
suhosin.request.max_totalname_length 256 256
suhosin.request.max_value_length 65000 65000
suhosin.request.max_varname_length 64 64
suhosin.request.max_vars 200 200
suhosin.server.encode On On
suhosin.server.strip On On
suhosin.session.checkraddr 0 0
suhosin.session.cryptdocroot On On
suhosin.session.cryptkey [ protected ] [ protected ]
suhosin.session.cryptraddr 0 0
suhosin.session.cryptua On On
suhosin.session.encrypt On On
suhosin.session.max_id_length 128 128
suhosin.simulation Off Off
suhosin.sql.bailout_on_error Off Off
suhosin.sql.comment 0 0
suhosin.sql.multiselect 0 0
suhosin.sql.opencomment 0 0
suhosin.sql.union 0 0
suhosin.sql.user_postfix no value no value
suhosin.sql.user_prefix no value no value
suhosin.srand.ignore On On
suhosin.stealth On On
suhosin.upload.disallow_binary 0 0
suhosin.upload.disallow_elf 1 1
suhosin.upload.max_uploads 25 25
suhosin.upload.remove_binary 0 0
suhosin.upload.verification_script no value no value
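As an added example (not from the original post, not SektionEins' code), the following script audits the directives above against a small hardening baseline and writes a suhosin.ini fragment that starts in simulation mode, so violations are logged rather than blocked until the application has been exercised. The directive meanings come from the Suhosin documentation; the baseline values are this example's choice, and the sample php -i lines are constructed in the same shape as the table.

```sh
#!/bin/sh
# Added example, not from the original post: audit a running PHP's Suhosin
# settings against a small baseline and emit a suhosin.ini fragment that
# starts in simulation (log-only) mode. Baseline values are this example's.

# Constructed sample of `php -i` lines (directive => local => master).
SAMPLE_PHP_I='suhosin.executor.disable_emodifier => Off => Off
suhosin.executor.include.max_traversal => 0 => 0
suhosin.mail.protect => 0 => 0
suhosin.session.encrypt => On => On
suhosin.cookie.encrypt => Off => Off'

# Print the Local Value of one directive from `php -i` output read on stdin.
suhosin_local_value() {
    awk -v d="$1" -F' => ' '$1 == d { print $2; found = 1; exit }
                            END { if (!found) print "(unset)" }'
}

# Compare stdin (php -i output) with the baseline; print one line per
# deviation. Exit status is the number of deviations (0 = all as expected).
audit_suhosin() {
    input=$(cat)
    findings=0
    while read -r directive expected; do
        actual=$(printf '%s\n' "$input" | suhosin_local_value "$directive")
        if [ "$actual" != "$expected" ]; then
            echo "$directive: is '$actual', want '$expected'"
            findings=$((findings + 1))
        fi
    done <<EOF
suhosin.executor.disable_emodifier On
suhosin.mail.protect 1
suhosin.executor.include.max_traversal 4
suhosin.session.encrypt On
EOF
    return $findings
}

# Write the hardened fragment to the given path (e.g. a file under conf.d).
write_hardened_ini() {
    cat > "$1" <<'EOF'
; Added example fragment for /etc/php5/apache2/conf.d/suhosin.ini
; Start in simulation mode: violations are logged, nothing is blocked.
; Exercise the application, read the log, then set simulation = Off.
suhosin.simulation = On
; preg_replace() with the /e modifier evaluates the replacement as PHP code.
suhosin.executor.disable_emodifier = On
; Reject newlines injected into mail() To/Subject headers (header injection).
suhosin.mail.protect = 1
; Cap the number of "../" allowed in include() paths; 0 means no limit.
suhosin.executor.include.max_traversal = 4
; Session payloads stay encrypted (the default); keep it that way.
suhosin.session.encrypt = On
; cookie.encrypt = On also hides cookie contents from clients, but breaks
; cookies that JavaScript must read and needs the same cryptkey on every node.
;suhosin.cookie.encrypt = On
EOF
}

if command -v php >/dev/null 2>&1; then
    php -i | audit_suhosin || echo "$? directive(s) differ from the baseline"
else
    printf '%s\n' "$SAMPLE_PHP_I" | audit_suhosin || echo "$? directive(s) differ from the baseline"
fi
```

Run the audit again after editing the ini file and reloading Apache; the Local Value is what counts, since a per-directory override can silently undo a setting made in the master file.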

One of the problems found when upgrading to Karmic, Ubuntu 9.10, was that the mouse did not work properly in the web console of the VMware virtual machine server, making it unusable.

The mouse is fixed by adding these lines at the start of the file ~/.mozilla/firefox/uc7qje8k.default/extensions/VMwareVMRC@vmware.com/plugins/lib/wrapper-gtk24.sh (the profile directory name, uc7qje8k.default here, differs on every installation):

# workaround for the mouse problem: make the plugin use the GTK it ships with
export VMWARE_USE_SHIPPED_GTK="force"

Keyboard problems are solved by adding this line to the file ~/.vmware/config
xkeymap.noKeycodeMap = "TRUE"

A DNS zone database is made up of a collection of resource records. Each resource record specifies information about a particular object. For example, address mapping (A) records map a host name to an IP address, and reverse-lookup pointer (PTR) records map an IP address to a host name. The server uses these records to answer queries for hosts in its zone. For more information, use the table to view DNS resource records.


Abbreviation (resource record type): description

A (Address Mapping): specifies the IPv4 address of this host. A records are used to resolve a query for the IP address of a specific domain name. Defined in RFC 1035.
AFSDB (Andrew File System Database): specifies the AFS or DCE address of the object. AFSDB records are used like A records to map a domain name to its AFSDB address, or to map from the domain name of a cell to authenticated name servers for that cell. Defined in RFC 1183.
CNAME (Canonical Name): specifies the actual domain name of this object. When DNS queries an aliased name and finds a CNAME record pointing to the canonical name, it then queries that canonical domain name. Defined in RFC 1035.
HINFO (Host Information): specifies general information about a host machine. Standard CPU and operating system names are defined in the Assigned Numbers RFC 1700, but use of the standard names is not required. Defined in RFC 1035.
ISDN (Integrated Services Digital Network): maps a host name to its ISDN address. Used only in ISDN networks. Defined in RFC 1183.
AAAA (IP Version 6 Address): specifies the 128-bit address of a host. AAAA records are used like A records to map a host name to its IP address; use them for IPv6 addresses, which do not fit the A record format. Defined in RFC 1886.
LOC (Location): specifies the physical location of network components. Applications could use these records to evaluate network efficiency or to map the physical network. Defined in RFC 1876.
MX (Mail Exchanger): defines a mail exchanger host for mail sent to this domain. SMTP (Simple Mail Transfer Protocol) uses these records to locate the hosts that will process or forward mail for the domain, together with a preference value for each mail exchanger host. Each mail exchanger host must have a corresponding address (A) record in a valid zone. Defined in RFC 1035.
MG (Mail Group): specifies the domain name of a mail group member. Defined in RFC 1035.
MB (Mailbox): specifies the host domain name that holds the mailbox for this object. Mail sent to the domain is directed to the host named in the MB record. Defined in RFC 1035.
MINFO (Mailbox Information): specifies the mailbox that should receive messages or errors for this object. MINFO is more commonly used for mailing lists than for a single mailbox. Defined in RFC 1035.
MR (Mailbox Rename): specifies a new domain name for a mailbox. Use MR as a forwarding entry for a user who has moved to a different mailbox. Defined in RFC 1035.
NS (Name Server): specifies an authoritative name server for this zone (or for a delegated subzone). Defined in RFC 1035.
NSAP (Network Service Access Point): maps a domain name to an NSAP address. Defined in RFC 1706.
KEY (Public Key): specifies a public key associated with a DNS name. The key can belong to a zone, a user or a host. Defined in RFC 2065.
RP (Responsible Person): specifies the internet mail address and a description of the person responsible for this zone or host. Defined in RFC 1183.
PTR (Reverse-lookup Pointer): specifies the domain name of the host that an IP address belongs to. PTR records allow a host name lookup, given an IP address. Defined in RFC 1035.
RT (Route Through): specifies a host domain name that can act as a forwarder of IP packets for this host. Defined in RFC 1183.
SOA (Start of Authority): states that this server is authoritative for this zone. An authoritative server is the best source for data within a zone. The SOA record carries general information about the zone and the reload rules for secondary servers. There can be only one SOA record per zone. Defined in RFC 1035.
TXT (Text): associates one or more text strings, each up to 255 characters long, with a domain name. TXT records may be used along with RP records to say who is responsible for a zone. Defined in RFC 1035. iSeries DHCP uses TXT records for dynamic updates: the DHCP server writes an associated TXT record for each PTR and A record update it makes, and those records carry the prefix AS400DHCP:.
WKS (Well-Known Services): specifies the well-known services supported by the object. Most commonly WKS records indicate whether TCP, UDP or both are supported for this address. Defined in RFC 1035.
PX (X.400 Address Mapping): a pointer to X.400/RFC 822 mapping information. Defined in RFC 1664.
X25 (X.25 Address Mapping): maps a host name to a PSDN (X.25) address. Used only in X.25 networks. Defined in RFC 1183.

Taken from IBM's DNS manual.
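Two of the rules in the table (exactly one SOA per zone; every MX target needs an address record) plus the rule from RFC 1034 that a name owning a CNAME may own no other record can be checked mechanically. The following awk-based lint is an added example, not from the IBM manual or the original page; it assumes a simplified zone format ("name IN TYPE rdata" per line, a $ORIGIN directive, no TTL column, SOA on one line), and the zone it runs on is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the IBM manual or the original page: a small zone
# file lint. Checks: exactly one SOA; every MX target has an A/AAAA record;
# a name with a CNAME has no other record type (RFC 1034).
# Assumed input format: "name IN TYPE rdata" per line, $ORIGIN directive,
# no TTL column, SOA on a single line. The zone below is constructed.

ZONE_SAMPLE='$ORIGIN example.com.
@       IN SOA   ns1.example.com. hostmaster.example.com. (2009091501 3600 900 604800 300)
@       IN NS    ns1.example.com.
@       IN MX    10 mail.example.com.
@       IN MX    20 backup.example.com.
ns1     IN A     192.0.2.1
mail    IN A     192.0.2.10
mail    IN AAAA  2001:db8::10
www     IN CNAME mail.example.com.
www     IN TXT   "v=spf1 -all"
ftp     IN CNAME www.example.com.
'

# Read a zone on stdin; print one finding per line (prints nothing when clean).
lint_zone() {
    awk '
    # qualify a relative owner or target name with the current $ORIGIN
    function fqdn(n) { return (n == "@") ? origin : (n ~ /\.$/ ? n : n "." origin) }
    $1 == "$ORIGIN" { origin = $2; next }
    NF < 4 || $1 ~ /^;/ { next }
    {
        name = fqdn($1); type = $3
        if (type == "SOA") soa++
        else if (type == "MX") mx[fqdn($5)] = name      # $4 = preference, $5 = target
        else if (type == "A" || type == "AAAA") addr[name] = 1
        else if (type == "CNAME") cname[name] = 1
        types[name SUBSEP type] = 1
    }
    END {
        if (soa != 1) printf "SOA: expected exactly one record, found %d\n", soa
        for (t in mx) if (!(t in addr)) printf "MX target %s has no A/AAAA record\n", t
        for (k in types) {
            split(k, p, SUBSEP)
            if ((p[1] in cname) && p[2] != "CNAME")
                printf "%s has a CNAME and a %s record; a CNAME must stand alone\n", p[1], p[2]
        }
    }'
}

printf '%s' "$ZONE_SAMPLE" | lint_zone
```

On the sample zone the lint reports the backup.example.com. mail exchanger, which has no address record, and www, which carries both a CNAME and a TXT record; a resolver following the CNAME would never see that TXT, so an SPF policy published that way is silently ignored.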


Often, when renting a server, we find it configured with UTC. There are many advantages to keeping it that way, above all that it never changes: there is no switch to summer or winter time, and timestamps in its logs line up with those of other UTC hosts without any conversion.

Even so, if we want our server to follow the country's local time, we run
sudo dpkg-reconfigure tzdata

We indicate the continent we are on and the country, so that it assigns the right time:
dt set 15 08:44:02 CEST 2009

That is the output of date in a Catalan locale: Tuesday 15 September 2009. CEST means Central European Summer Time.
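As an added example (not part of the original post), the script below does the same change without the interactive dialog, which is what a scripted server setup needs, and renders the post's timestamp in UTC and in Europe/Madrid so that a log line from a UTC server can be matched to local wall-clock time. It assumes GNU date for the -d @EPOCH form and a tzdata installation under /usr/share/zoneinfo; the zone name is this example's choice.

```sh
#!/bin/sh
# Added example, not from the original post: scripted timezone change and
# a UTC <-> local rendering of one instant. Needs GNU date (coreutils).

# Render a Unix timestamp in a named zone.
# utc_to_zone 1252997042 Europe/Madrid -> 2009-09-15 08:44:02 CEST
utc_to_zone() {
    TZ=$2 date -d "@$1" '+%Y-%m-%d %H:%M:%S %Z'
}

# Scripted equivalent of `sudo dpkg-reconfigure tzdata`; must run as root.
# Writes both /etc/timezone and the /etc/localtime link, since different
# Ubuntu releases treat one or the other as the source of truth.
set_timezone() {
    zone=$1
    [ -e "/usr/share/zoneinfo/$zone" ] || { echo "unknown zone: $zone" >&2; return 1; }
    printf '%s\n' "$zone" > /etc/timezone
    ln -sf "/usr/share/zoneinfo/$zone" /etc/localtime
    dpkg-reconfigure -f noninteractive tzdata
}

# The instant from the post: 08:44:02 CEST on 15 September 2009 is 06:44:02 UTC.
STAMP=1252997042
utc_to_zone "$STAMP" UTC
utc_to_zone "$STAMP" Europe/Madrid

# Usage: sudo sh tz.sh set Europe/Madrid
case ${1:-} in
    set) set_timezone "${2:?zone name}" ;;
esac
```

Converting on demand with TZ= is often the better habit than changing the server clock: the logs stay in UTC, and whoever reads them picks the zone they want.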