May 10

Cracking Excel Protected Macros

Do you have a Excel file that has “Protection” enabled on the macros? Does this file populate a
SQL database? If so, you could use it to gain read/write access to a database server! Excel’s
“Protection” is feeble at best. When you see how easy it is to break, you will think twice about
using it for anything that contains sensitive information.

Step 1: Unzip!

A.xlsm file is essentially a zip file! Using this vital piece of knowledge, all you need to do is change
the extension to .zip and extract the contents.

Step 2: Find the macro file!

Once you have extracted the file, browse to the “xl” directory. You will see a bunch of files that
serve different functions. If you are going after the macros, then you can use any hex editor
(I use iHex on OSX) to open the vbaProject.bin file. It is important you use a hex editor, and not
notepad or VIM, because the file contains special characters that will not be displayed correctly.

Step 3: Find the password!!!!!

Using whatever text search capability your chosen hex editor has, look for the word “Protect”.
What you are looking for is a section that has: Protect “S0m3PassWord!!”. The password is
obviously the bit between the inverted commas. Now, you might have more than one of these.
Each worksheet can be protected with a different password. So, all you have to do is try each
password you find, until one of them unlocks the VB Editor (Tools -> Macros -> Visual Basic Editor) .

Step 4: Use you imagination!

Once you have access to the VB Editor (Where the macros are written), you can see what makes
your spreadsheet tick. Most of the time, if it is designed to take input and store it somewhere, it
is most likely using SQL. If this is the case, look for a section that contains a Provider, Data Source,
UID and Password. These are the login credentials for the SQL database that holds the information.
Now, if the person who wrote the macro is an idiot (They probably are) then they won’t have a clue
about basic security practices and they have used a UID of “sa” or “root”. If you see this, you can
dance a little jig, as you now have administrator level access to their database. Even if you don’t
find such a gem, the language the macro is written in (Visual Basic), is easy enough to read. You
can find all kinds of juicy info – After all, they must have “Protected” the spreadsheet for a reason!
Alternatively, you could always add some nasty VB malware to the code and send the file on to some
unsuspecting target.

Apr 11

Secure PHP input validation

I’ve been doing a lot of PHP work lately on a couple of side projects I have going and, being a security geek, I’ve been looking for simple ways to validate user input and prevent nasty injection attacks. Here are two functions that have stood up against every thing I’ve thrown at them… Enjoy :)

 

function clean_input($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
 }

function validate_url($url)
{
   if( ! preg_match('/^http(s)?:\/\/[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(\/.*)?$/i', $url) ){
   return "INVALID";
   }
}

 

Oct 13

SPF to limit email spoofing

Sender Policy Framework (SPF) is a technology that has been around for some time. Essentially, you configure your DNS servers to advertise a TXT record, containing a list of IP addresses or subnets that are authorized to originate mail for your domain name. It is important to understand that not every mail server out there will check for SPF, however, it will make a big difference and, hopefully, go some way to preventing your name being associated with spam and malware activity.

Configuring SPF is pretty straight forward. Simple add the following a TXT record to your domain (on your authoritative nameservers) and replace the 127.0.0.1 with your own mail server’s IP:

v=spf1 a mx ip4:127.0.0.1 -all

You can do a lot more than just specify an IP address.. Check out http://spfwizard.com/ for a simple wizard that will enable you to create a very custom SPF record.

Oct 12

Separation Anxiety: A Tutorial for Isolating Your System with Linux Namespaces

This post was originally written by Mahmud Ridwan and published on the Toptal Engineering Blog.

With the advent of tools like Docker, Linux Containers, and others, it has become super easy to isolate Linux processes into their own little system environments. This makes it possible to run a whole range of applications on a single real Linux machine and ensure no two of them can interfere with each other, without having to resort to using virtual machines. These tools have been a huge boon to PaaS providers. But what exactly happens under the hood?

These tools rely on a number of features and components of the Linux kernel. Some of these features were introduced fairly recently, while others still require you to patch the kernel itself. But one of the key components, using Linux namespaces, has been a feature of Linux since version 2.6.24 was released in 2008.

Anyone familiar with chroot already has a basic idea of what Linux namespaces can do and how to use namespace generally. Just as chroot allows processes to see any arbitrary directory as the root of the system (independent of the rest of the processes), Linux namespaces allow other aspects of the operating system to be independently modified as well. This includes the process tree, networking interfaces, mount points, inter-process communication resources and more.

Why Use Namespaces for Process Isolation?

In a single-user computer, a single system environment may be fine. But on a server, where you want to run multiple services, it is essential to security and stability that the services are as isolated from each other as possible. Imagine a server running multiple services, one of which gets compromised by an intruder. In such a case, the intruder may be able to exploit that service and work his way to the other services, and may even be able compromise the entire server. Namespace isolation can provide a secure environment to eliminate this risk.

For example, using namespacing, it is possible to safely execute arbitrary or unknown programs on your server. Recently, there has been a growing number of programming contest and “hackathon” platforms, such as HackerRank, TopCoder, Codeforces, and many more. A lot of them utilize automated pipelines to run and validate programs that are submitted by the contestants. It is often impossible to know in advance the true nature of contestants’ programs, and some may even contain malicious elements. By running these programs namespaced in complete isolation from the rest of the system, the software can be tested and validated without putting the rest of the machine at risk. Similarly, online continuous integration services, such asDrone.io, automatically fetch your code repository and execute the test scripts on their own servers. Again, namespace isolation is what makes it possible to provide these services safely.

Namespacing tools like Docker also allow better control over processes’ use of system resources, making such tools extremely popular for use by PaaS providers. Services like Heroku and Google App Engine use such tools to isolate and run multiple web server applications on the same real hardware. These tools allow them to run each application (which may have been deployed by any of a number of different users) without worrying about one of them using too many system resources, or interfering and/or conflicting with other deployed services on the same machine. With such process isolation, it is even possible to have entirely different stacks of dependency softwares (and versions) for each isolated environment!

If you’ve used tools like Docker, you already know that these tools are capable of isolating processes in small “containers”. Running processes in Docker containers is like running them in virtual machines, only these containers are significantly lighter than virtual machines. A virtual machine typically emulates a hardware layer on top of your operating system, and then runs another operating system on top of that. This allows you to run processes inside a virtual machine, in complete isolation from your real operating system. But virtual machines are heavy! Docker containers, on the other hand, use some key features of your real operating system, including namespaces, and ensure a similar level of isolation, but without emulating the hardware and running yet another operating system on the same machine. This makes them very lightweight.

Process Namespace

Historically, the Linux kernel has maintained a single process tree. The tree contains a reference to every process currently running in a parent-child hierarchy. A process, given it has sufficient privileges and satisfies certain conditions, can inspect another process by attaching a tracer to it or may even be able to kill it.

With the introduction of Linux namespaces, it became possible to have multiple “nested” process trees. Each process tree can have an entirely isolated set of processes. This can ensure that processes belonging to one process tree cannot inspect or kill – in fact cannot even know of the existence of – processes in other sibling or parent process trees.

Every time a computer with Linux boots up, it starts with just one process, with process identifier (PID) 1. This process is the root of the process tree, and it initiates the rest of the system by performing the appropriate maintenance work and starting the correct daemons/services. All the other processes start below this process in the tree. The PID namespace allows one to spin off a new tree, with its own PID 1 process. The process that does this remains in the parent namespace, in the original tree, but makes the child the root of its own process tree.

With PID namespace isolation, processes in the child namespace have no way of knowing of the parent process’s existence. However, processes in the parent namespace have a complete view of processes in the child namespace, as if they were any other process in the parent namespace.

This namespace tutorial outlines the separation of various process trees using namespace systems in Linux.

It is possible to create a nested set of child namespaces: one process starts a child process in a new PID namespace, and that child process spawns yet another process in a new PID namespace, and so on.

With the introduction of PID namespaces, a single process can now have multiple PIDs associated with it, one for each namespace it falls under. In the Linux source code, we can see that a struct named pid, which used to keep track of just a single PID, now tracks multiple PIDs through the use of a struct named upid:

struct upid {
  int nr;                     // the PID value
  struct pid_namespace *ns;   // namespace where this PID is relevant
  // ...
};

struct pid {
  // ...
  int level;                  // number of upids
  struct upid numbers[0];     // array of upids
};

To create a new PID namespace, one must call the clone() system call with a special flag CLONE_NEWPID. (C provides a wrapper to expose this system call, and so do many other popular languages.) Whereas the other namespaces discussed below can also be created using the unshare() system call, a PID namespace can only be created at the time a new process is spawned using clone(). Once clone() is called with this flag, the new process immediately starts in a new PID namespace, under a new process tree. This can be demonstrated with a simple C program:

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

static char child_stack[1048576];

static int child_fn() {
  printf("PID: %ld\n", (long)getpid());
  return 0;
}

int main() {
  pid_t child_pid = clone(child_fn, child_stack+1048576, CLONE_NEWPID | SIGCHLD, NULL);
  printf("clone() = %ld\n", (long)child_pid);

  waitpid(child_pid, NULL, 0);
  return 0;
}

Compile and run this program with root privileges and you will notice an output that resembles this:

clone() = 5304
PID: 1

The PID, as printed from within the child_fn, will be 1.

Even though this namespace tutorial code above is not much longer than “Hello, world” in some languages, a lot has happened behind the scenes. The clone() function, as you would expect, has created a new process by cloning the current one and started execution at the beginning of the child_fn() function. However, while doing so, it detached the new process from the original process tree and created a separate process tree for the new process.

Try replacing the static int child_fn() function with the following, to print the parent PID from the isolated process’s perspective:

static int child_fn() {
  printf("Parent PID: %ld\n", (long)getppid());
  return 0;
}

Running the program this time yields the following output:

clone() = 11449
Parent PID: 0

Notice how the parent PID from the isolated process’s perspective is 0, indicating no parent. Try running the same program again, but this time, remove the CLONE_NEWPID flag from within the clone() function call:

pid_t child_pid = clone(child_fn, child_stack+1048576, SIGCHLD, NULL);

This time, you will notice that the parent PID is no longer 0:

clone() = 11561
Parent PID: 11560

However, this is just the first step in our tutorial. These processes still have unrestricted access to other common or shared resources. For example, the networking interface: if the child process created above were to listen on port 80, it would prevent every other process on the system from being able to listen on it.

Linux Network Namespace

This is where a network namespace becomes useful. A network namespace allows each of these processes to see an entirely different set of networking interfaces. Even the loopback interface is different for each network namespace.

Isolating a process into its own network namespace involves introducing another flag to the clone() function call: CLONE_NEWNET;

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>


static char child_stack[1048576];

static int child_fn() {
  printf("New `net` Namespace:\n");
  system("ip link");
  printf("\n\n");
  return 0;
}

int main() {
  printf("Original `net` Namespace:\n");
  system("ip link");
  printf("\n\n");

  pid_t child_pid = clone(child_fn, child_stack+1048576, CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL);

  waitpid(child_pid, NULL, 0);
  return 0;
}

Output:

Original `net` Namespace:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:24:8c:a1:ac:e7 brd ff:ff:ff:ff:ff:ff


New `net` Namespace:
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

What’s going on here? The physical ethernet device enp4s0 belongs to the global network namespace, as indicated by the “ip” tool run from this namespace. However, the physical interface is not available in the new network namespace. Moreover, the loopback device is active in the original network namespace, but is “down” in the child network namespace.

In order to provide a usable network interface in the child namespace, it is necessary to set up additional “virtual” network interfaces which span multiple namespaces. Once that is done, it is then possible to create Ethernet bridges, and even route packets between the namespaces. Finally, to make the whole thing work, a “routing process” must be running in the global network namespace to receive traffic from the physical interface, and route it through the appropriate virtual interfaces to to the correct child network namespaces. Maybe you can see why tools like Docker, which do all this heavy lifting for you, are so popular!

Linux network namespace is comprised of a routing process to multiple child net namespaces.

To do this by hand, you can create a pair of virtual Ethernet connections between a parent and a child namespace by running a single command from the parent namespace:

ip link add name veth0 type veth peer name veth1 netns <pid>

Here, <pid> should be replaced by the process ID of the process in the child namespace as observed by the parent. Running this command establishes a pipe-like connection between these two namespaces. The parent namespace retains the veth0 device, and passes the veth1 device to the child namespace. Anything that enters one of the ends, comes out through the other end, just as you would expect from a real Ethernet connection between two real nodes. Accordingly, both sides of this virtual Ethernet connection must be assigned IP addresses.

Mount Namespace

Linux also maintains a data structure for all the mountpoints of the system. It includes information like what disk partitions are mounted, where they are mounted, whether they are readonly, et cetera. With Linux namespaces, one can have this data structure cloned, so that processes under different namespaces can change the mountpoints without affecting each other.

Creating separate mount namespace has an effect similar to doing a chroot(). chroot() is good, but it does not provide complete isolation, and its effects are restricted to the root mountpoint only. Creating a separate mount namespace allows each of these isolated processes to have a completely different view of the entire system’s mountpoint structure from the original one. This allows you to have a different root for each isolated process, as well as other mountpoints that are specific to those processes. Used with care per this tutorial, you can avoid exposing any information about the underlying system.

Learning how to use namespace correctly has multiple benefits as outlined in this namespace tutorial.

The clone() flag required to achieve this is CLONE_NEWNS:

clone(child_fn, child_stack+1048576, CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWNS | SIGCHLD, NULL)

Initially, the child process sees the exact same mountpoints as its parent process would. However, being under a new mount namespace, the child process can mount or unmount whatever endpoints it wants to, and the change will affect neither its parent’s namespace, nor any other mount namespace in the entire system. For example, if the parent process has a particular disk partition mounted at root, the isolated process will see the exact same disk partition mounted at the root in the beginning. But the benefit of isolating the mount namespace is apparent when the isolated process tries to change the root partition to something else, as the change will only affect the isolated mount namespace.

Interestingly, this actually makes it a bad idea to spawn the target child process directly with the CLONE_NEWNSflag. A better approach is to start a special “init” process with the CLONE_NEWNS flag, have that “init” process change the “/”, “/proc”, “/dev” or other mountpoints as desired, and then start the target process. This is discussed in a little more detail near the end of this namespace tutorial.

Like what you’re reading?
Get the latest updates first.

Other Namespaces

There are other namespaces that these processes can be isolated into, namely user, IPC, and UTS. The user namespace allows a process to have root privileges within the namespace, without giving it that access to processes outside of the namespace. Isolating a process by the IPC namespace gives it its own interprocess communication resources, for example, System V IPC and POSIX messages. The UTS namespace isolates two specific identifiers of the system: nodename and domainname.

A quick example to show how UTS namespace is isolated is shown below:

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>


static char child_stack[1048576];

static void print_nodename() {
  struct utsname utsname;
  uname(&utsname);
  printf("%s\n", utsname.nodename);
}

static int child_fn() {
  printf("New UTS namespace nodename: ");
  print_nodename();

  printf("Changing nodename inside new UTS namespace\n");
  sethostname("GLaDOS", 6);

  printf("New UTS namespace nodename: ");
  print_nodename();
  return 0;
}

int main() {
  printf("Original UTS namespace nodename: ");
  print_nodename();

  pid_t child_pid = clone(child_fn, child_stack+1048576, CLONE_NEWUTS | SIGCHLD, NULL);

  sleep(1);

  printf("Original UTS namespace nodename: ");
  print_nodename();

  waitpid(child_pid, NULL, 0);

  return 0;
}

This program yields the following output:

Original UTS namespace nodename: XT
New UTS namespace nodename: XT
Changing nodename inside new UTS namespace
New UTS namespace nodename: GLaDOS
Original UTS namespace nodename: XT

Here, child_fn() prints the nodename, changes it to something else, and prints it again. Naturally, the change happens only inside the new UTS namespace.

More information on what all of the namespaces provide and isolate can be found in the tutorial here

Cross-Namespace Communication

Often it is necessary to establish some sort of communication between the parent and the child namespace. This might be for doing configuration work within an isolated environment, or it can simply be to retain the ability to peek into the condition of that environment from outside. One way of doing that is to keep an SSH daemon running within that environment. You can have a separate SSH daemon inside each network namespace. However, having multiple SSH daemons running uses a lot of valuable resources like memory. This is where having a special “init” process proves to be a good idea again.

The “init” process can establish a communication channel between the parent namespace and the child namespace. This channel can be based on UNIX sockets or can even use TCP. To create a UNIX socket that spans two different mount namespaces, you need to first create the child process, then create the UNIX socket, and then isolate the child into a separate mount namespace. But how can we create the process first, and isolate it later? Linux provides unshare(). This special system call allows a process to isolate itself from the original namespace, instead of having the parent isolate the child in the first place. For example, the following code has the exact same effect as the code previously mentioned in the network namespace section:

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>


static char child_stack[1048576];

static int child_fn() {
  // calling unshare() from inside the init process lets you create a new namespace after a new process has been spawned
  unshare(CLONE_NEWNET);

  printf("New `net` Namespace:\n");
  system("ip link");
  printf("\n\n");
  return 0;
}

int main() {
  printf("Original `net` Namespace:\n");
  system("ip link");
  printf("\n\n");

  pid_t child_pid = clone(child_fn, child_stack+1048576, CLONE_NEWPID | SIGCHLD, NULL);

  waitpid(child_pid, NULL, 0);
  return 0;
}

And since the “init” process is something you have devised, you can make it do all the necessary work first, and then isolate itself from the rest of the system before executing the target child.

Conclusion

This tutorial is just an overview of how to use namespaces in Linux. It should give you a basic idea of how a Linux developer might start to implement system isolation, an integral part of the architecture of tools like Docker or Linux Containers. In most cases, it would be best to simply use one of these existing tools, which are already well-known and tested. But in some cases, it might make sense to have your very own, customized process isolation mechanism, and in that case, this namespace tutorial will help you out tremendously.

There is a lot more going on under the hood than I’ve covered in this article, and there are more ways you might want to limit your target processes for added safety and isolation. But, hopefully, this can serve as a useful starting point for someone who is interested in knowing more about how namespace isolation with Linux really works.

Oct 05

Google Hacking Part 2

One particularly disturbing trend I see these days is people leaving their CV/Resumes lying around. In the hands of a competent social engineer, this kind of information can be the starting point for identify theft on a grand scale. Google is more than willing to assist those of us who enjoy finding confidential information:

Fire up your browser, head on to Google and type this in:

filetype:pdf “resume of” or “curriculum vitae of”

Now, imagine for a minute that you pick one of these poor fools as your target. You go to LinkedIn and search for people who worked with your mark a couple of years back. Perhaps you go create a Facebook profile under the name of one of these ex-colleagues. You spend some time sending Friend Requests other co-workers who are stupid enough to accept them. Use your role-playing skills and post some content.. Eventually, you have a realistic looking profile that your intended target won’t hesitate to click “Accept” on. This creates a high level of trust that can be leveraged through instant messages, phone calls, etc to gain more information. Information is power. I won’t go into what illicit activities can further arise from this, but anybody with an imagination should have a pretty good idea of the gravity of this.

Jan 20

Tunneling SSH over TOR

One of the biggest mistakes that new users of TOR make: They don’t realise that the browser bundle protects only their browsing. SSH leaves via the default gateway, allowing anybody who is watching your network to establish what server you are connecting to.

The easiest way to protect your privacy is to tunnel your SSH traffic over TOR through the SOCKS5 protocol. It’s pretty straight forward, just ensure your browser bundle is open (This starts the SOCKS component), open a new terminal and type this:

ssh -o ProxyCommand=’nc -x 127.0.0.1:9150 %h %p’ yourusername@remotehost.com

Jan 20

SSH Key Based Login

The first step in setting up SSH Key Based Authentication is to create a set of keys for yourself. This can be done using either PuttyGen on Windows or from the command prompt on Linux as follows:

ssh-keygen -t rsa

This will create a set of RSA type keys. Your public key (~/.ssh/id_rsa.pub) will be uploaded to the remote server and your secret key (~./id_rsa) will be kept on any device you will use as a client to connect to your server. You can now SCP your public key to the remote server using WinSCP or via the command prompt:

scp ~/.ssh/id_rsa.pub root@myserver.co.za:~

Now let’s login to our remote server via SSH and configure sshd to accept keys only. The first step is to create a .ssh directory (if it doesn’t exist already) and place the public key in the right place. We then set the required permissions:

cd ~
mkdir .ssh
cp id_rsa.pub .ssh/authorized_keys
chmod u=rwx,go= .ssh
chmod u=rw,go= .ssh/authorized_keys

With that setup, we need to open up our /etc/ssh/sshd_config file in our favourite editor:

vim /etc/ssh/sshd_config

Ensure these lines are uncommented and set to “yes”:

RSAAuthentication yes
PubkeyAuthentication yes

Restart the SSH server to apply these changes

/etc/init.d/sshd restart

Notice

VERY VERY NB… Test your key works 100% before going any further.

At this point, the server will accept either the key or a password. Once you are completely satisfied that your key is working, you can disable the password login by editing /etc/ssh/sshd_config and changing the PasswordAuthentication option as follows:

PasswordAuthentication no

Once this is done, restart the SSH server again to apply the changes and disable password logins. From this point on, you will ONLY be able to login with your key:

/etc/init.d/sshd restart

It is STRONGLY recommended you back your private key up (id_rsa) to ensure you don’t loose access to your server if your PC crashes.

Oct 14

General Security Tips

Over the last few months, I’ve been experimenting with various IT security applications and techniques. I’d like to present a few of my favorite. These are designed to compliment each other, so I recommend using all these applications for maximum benefit.

1. Password Management

Using the same password for more than one service is a huge security risk. All it takes is for somebody to get hold of your password and suddenly they have access to all your other online services (Facebook, Gmail, etc). Because this is such a common mistake, it is one of the first things a would-be intruder would attempt.

This is where a Password Manager comes in handy. I recommend Keepass for this – It’s open source and available on every platform imaginable (Android, IOS, Windows, Linux, OSX, etc). You create one secure “Master Password” that grants you access to your encrypted password safe where an entry for each of your accounts lives. I use the built-in password generator set to a length of 25 characters for each of my entries, ensuring I have unique and VERY secure passwords. Obviously, make sure the “Master Password” is sufficiently complex, as a poor choice here would compromise the security of all your other passwords. I store the file that Keepass creates on my personal cloud service or an encrypted flash drive (See below).

2. Personal Cloud

People love using Dropbox as an alternative to flash drives. It allows you to access your files anywhere, without having to carry around a physical device. This is all well and good, but how much do you trust Dropbox not to dig through your personal stuff?

All you need to host your very own storage cloud is a virtual or dedicated server and a free installation of ownCloud. While you can use the web-interface to manage your files, there are plenty of client apps for various platforms. Be sure to “force SSL” to prevent eavesdropping. Also, enable encryption in the settings menu. This will encrypt your ownCloud files on the server’s hard drive, preventing an intruder to your server from accessing your files.

3. File Encryption

One of the nicest ways to encrypt files is through TrueCrypt. It’s an open source, cross-platform application that creates encrypted devices and volumes. Essentially, you can either encrypt an entire device (flash drive) or create a volume that is mounted as a virtual drive upon successful decryption. You have many different options available, but I recommend using AES-Twofish-Serpent which is a cascading cipher. What this means is the volume is encrypted first with AES, then the result is done via Twofish and then via Serpent. This makes it incredibly hard to crack as you are effectively dealing with 3 layers of encryption.

As far as passwords go, obviously the strength of your encryption is only as good as the password you choose. TrueCrypt allows you to also include a “key file” in the mix. A “key file” can be any file at all. When chosen, the password is mixed with a hash of the first 1024 bytes of the chosen key file. The result of this is used to encrypt the volume. This effectively provides you with two-factor encryption as you need to know the password as well has have the key file to decrypt the volume.

Sep 03

MySQL Replication

Master/Slave MySQL replication is very simple. Let’s assume we have two servers (db01 and db02). There is a database called “mydatabase” setup on db01 that we wish to start replicating to db02.

First, let’s create a replication account on the master (db01) which the slave (db02) will use to connect. Change the username and password to whatever you need:

GRANT REPLICATION SLAVE ON *.* TO ‘db02replication’@’%’ IDENTIFIED BY ‘KJN2342ebwhwhq’;

Flush the privileges to ensure this account is still there when MySQL gets restarted in future:

FLUSH PRIVILEGES;

Connect to the master MySQL and lock the tables in the database to prevent somebody writing to the DB. We need to do this as we need a stable point where we can start the replication:

USE mydatabase;

FLUSH TABLES WITH READ LOCK;

With the DB locked, we need to get some information on the binary logfile and the position of the last write:

 

SHOW MASTER STATUS;

+——————–+———–+——————–+————————-+

| File                     | Position | Binlog_do_db | Binlog_ignore_db |

+——————–+————+——————-+————————-+

| mysql-bin.031 | 123456   | mydatabase   |                                   |

+——————–+————+——————-+————————-+

1 row in set (0.00 sec)

Write down the “File” and “Position” entries. “mysql-bin.031” is the name of the current binary log and “123456” is the position in that file where the last write statement was executed. If we neglected to lock the DB earlier and make it read only, this would change constantly and we would have no way to tell the slave where to start replication from.

Exit the SQL shell and do a mysqldump on the database in question. This will be shipped off to the slave, an empty database created and the mysqldump imported. From there we will begin the replication with both servers at exactly the same point. Here’s the commands for those of you who are too lazy to figure this out:

mysqldump -u root -p mydatabase > sqldump.sql

scp sqldump.sql root@db02:/root

ssh root@db02

mysql -u root -p -e “create database mydatabase”

mysql -u root -p < sqldump.sql

Now login to the SQL shell on db02 and run this (Substituting master server IP,username, password, bin-file and position as required):

CHANGE MASTER TO MASTER_HOST=’172.16.0.5′, MASTER_USER=’db02replication’, MASTER_PASSWORD=’KJN2342ebwhwhq’, MASTER_LOG_FILE=’mysql-bin.031′, MASTER_LOG_POS=123456;

Start the replication by typing:

START SLAVE;

Now go back to the master and unlock the tables to allow users to write to the DB:

UNLOCK TABLES;

The last step is to verify the servers are in sync. On the master, run

SHOW MASTER STATUS;

And on the slave:

SHOW SLAVE STATUS;

Confirm that the “position” changes on BOTH servers with each write to the master. If you are on a quiet machine, simple create a bogus database and then do a few insert or update queries. Remember, select queries (and anything else that doesn’t write to the DB) will not increment the position indicator as only database writes are replicated.

 

Jun 14

Open Source Encryption

I thought I would write a quick tutorial on setting up GPG on Ubuntu 13.04.

First step is to create some keys:

gpg –gen-key

Just follow the on-screen instructions. Now be sure to make a backup of your
public and private keys!!

 

gpg -a -o public_key.asc Your Name Goes Here
gpg -a -o secret_key.asc –export-secret-keys Your Name Goes Here

Obviously, keep the secret_key.asc file somewhere safe. It will require your
password if somebody tried to import the key, but never rely on just that.
Now, get hold of the ID for your public key.

gpg –list-key

You will see something that looks like this:

pub    2048D/B53F491E        2013-06-14 [expires: 2023-06-12]
uid Daniel Kritzinger <daniel@danielkritzinger.nom.za>
sub    2048g/0D37F039              2013-06-14 [expires: 2023-06-12]

Take the 8 digit hex entry from the “pub” key (Just after the first / – Mine is B53F491E).
Let’s send this to a few key servers so other people can easily contact encrypt stuff for us.

gpg –send-keys B53F491E gpg –send-keys –keyserver pgp.mit.edu B53F491E
gpg –send-keys –keyserver keyserver.ubuntu.com B53F491E

Typically, I would then install the Enigmail plugin for Thunderbird. The config is very simple.

Older posts «