Search This Blog

Thursday, December 22, 2011

Solving GCC Kernel error: ***mixed implicit and normal rules

I'm using an old kernel because is the last stable to use with the VServer patch.

evo src # ll
total 154344
lrwxrwxrwx  1 root root       15 Dec 22 20:07 linux -> linux-2.6.22.19
drwxrwxr-x 20 root root      840 Dec 22 20:07 linux-2.6.22.19
-rw-r--r--  1 root root 45108030 Nov 18  2009 linux-2.6.22.19.tar.bz2
-rw-r--r--  1 root root  1868800 Mar 17  2008 patch-2.6.22.19-vs2.2.0.7-grsec2.1.11-20080317.diff
evo linux # make
Makefile:1443: *** mixed implicit and normal rules.  Stop.
evo linux # make oldconfig
Makefile:1443: *** mixed implicit and normal rules.  Stop.
evo linux # vi Makefile 
.....
/ %/: prepare scripts FORCE
       $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
       $(build)=$(build-dir)
.....

Solution: here we have an implicit rule and an explicit rule in the same line, so we are going to split that rules.

# Modules #/ %/: prepare scripts FORCE # $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ # $(build)=$(build-dir) /: prepare scripts FORCE $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir) %/: prepare scripts FORCE $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \ $(build)=$(build-dir)

Wednesday, December 21, 2011

HowTo Clean and Re-build Squid cache

First, check your squid.conf file and locate the location of your cache directory, you should have a line starting with "cache_dir"

  1. Shutdown your squid server: squid -k shutdown
  2. Remove the cache directory: rm -r /squid/cache/*
  3. Re-Create the squid cache directory: squid -z
  4. Start the squid cache server
Thanks for reading.

Monday, December 12, 2011

IcePHP-3.2.1 Gentoo ebuild

The Internet Communications Engine, or Ice, is an object-oriented middleware that provides object-oriented Remote Procedure Call, grid computing and Publish/subscribe functionality developed by ZeroC and dual-licensed under the GNU GPL and a proprietary license. It supports C++, Java, . NET languages (such as C# or Visual Basic), Objective-C, Python, PHP, and Ruby on most major operating systems such as Linux, Solaris, Windows, and Mac OS X. A light variant of ICE runtime, called Ice-e, may run inside mobile phones. As its name indicates, the middleware may be used for internet applications without the need to use the HTTP protocol and is capable of traversing firewalls, unlike most other middleware.

Official Site: ICE
Wikipedia info: Wikipedia ICE info.


DEPRECATED HOW TO, CLICK HERE FOR THE CURRENT INFO.

Preparing the portage tree, more info HERE:

evo ~ # mkdir -p /usr/local/portage/profiles/ evo ~ # echo "Headup Overlay" > /usr/local/portage/profiles/repo_name evo ~ # mkdir -p /usr/local/portage/dev-php5/IcePHP/ evo ~ # echo "PORTDIR_OVERLAY=/usr/local/portage" >> /etc/make.conf evo ~ # cd /usr/local/portage/dev-php5/IcePHP/ evo IcePHP # wget http://headup.sytes.net/zbox/HeadupOverlay/dev-php5/IcePHP/IcePHP-3.2.1.ebuild evo IcePHP # ebuild IcePHP-3.2.1 manifest >>> Downloading 'http://www.zeroc.com/download/Ice/3.2/IcePHP-3.2.1.tar.gz' --2011-12-12 12:26:21-- http://www.zeroc.com/download/Ice/3.2/IcePHP-3.2.1.tar.gz Resolving www.zeroc.com (www.zeroc.com)... 184.73.227.248 Connecting to www.zeroc.com (www.zeroc.com)|184.73.227.248|:80... connected. HTTP request sent, awaiting response... 302 Found Location: http://download.zeroc.com/Ice/3.2/IcePHP-3.2.1.tar.gz [following] --2011-12-12 12:26:21-- http://download.zeroc.com/Ice/3.2/IcePHP-3.2.1.tar.gz Resolving download.zeroc.com (download.zeroc.com)... 216.137.43.110, 216.137.43.163, 216.137.43.119, ... Connecting to download.zeroc.com (download.zeroc.com)|216.137.43.110|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 78072 (76K) [application/x-tar] Saving to: `/usr/portage/distfiles/IcePHP-3.2.1.tar.gz' 100%[=================================================================>] 78,072 103K/s in 0.7s 2011-12-12 12:26:23 (103 KB/s) - `/usr/portage/distfiles/IcePHP-3.2.1.tar.gz' saved [78072/78072] >>> Creating Manifest for /usr/local/portage/dev-php5/IcePHP

Check the files

evo IcePHP # ll total 8 -rw-r--r-- 1 root root 994 Dec 2 15:04 IcePHP-3.2.1.ebuild -rw-r--r-- 1 root root 394 Dec 12 12:26 Manifest

 

Searching in our portage tree and portdir overlay:


evo IcePHP # emerge IcePHP -s Searching... [ Results for search key : IcePHP ] [ Applications found : 1 ] * dev-php5/IcePHP [ Masked ] Latest version available: 3.2.1 Latest version installed: [ Not Installed ] Size of files: 76 kB Homepage: http://www.zeroc.com Description: PHP bindings for the ICE middleware License: GPL-2

Preparing and making our system consistent (good practice):

evo IcePHP # echo dev-php5/IcePHP ~x86 >> /etc/portage/package.keywords evo IcePHP # emerge IcePHP -pv Calculating dependencies... done! >>> Verifying ebuild manifests >>> Emerging (1 of 1) dev-php5/IcePHP-3.2.1 from Headup-Overlay >>> Installing (1 of 1) dev-php5/IcePHP-3.2.1 >>> Jobs: 1 of 1 complete Load avg: 0.82, 1.89, 2.63 * Messages for package dev-php5/IcePHP-3.2.1: * Package: dev-php5/IcePHP-3.2.1 * Repository: Headup-Overlay * USE: elibc_glibc kernel_linux userland_GNU x86 * FEATURES: preserve-libs sandbox userpriv usersandbox * Package: dev-php5/IcePHP-3.2.1 * Repository: Headup-Overlay * USE: elibc_glibc kernel_linux userland_GNU x86 * FEATURES: preserve-libs sandbox userpriv usersandbox * * You must check the extensions configuration under the php.ini * file, and don't forget to restart your apache web server!! * * Removing /usr/share/info >>> Auto-cleaning packages... >>> No outdated packages were found on your system. * IMPORTANT: config file '/etc/dispatch-conf.conf' needs updating. * See the CONFIGURATION FILES section of the emerge * man page to learn how to update config files. * IMPORTANT: 6 news items need reading for repository 'gentoo'. * Use eselect news to read news items.

Configure the ICE extension in the PHP extension language.

evo IcePHP # cat /etc/php/apache2-php5/php.ini ... extension_dir = /etc/php/apache2-php5/ext extension = IcePHP.so ice.profiles = /etc/php/apache2-php5/profiles.ini ...

Configure the project profile.

evo IcePHP # cat /etc/php/apache2-php5/profiles.ini [IceProject] ice.config=/home/to/project/configure/client.configure ice.slice=-I/usr/share/Ice/slice /usr/share/Ice/slice/Glacier2/Router.ice /home/to/project/Slice/project.ice

And restart the apache web server

evo IcePHP # /etc/init.d/apache2 restart * Stopping apache2 ... [ ok ] * Starting apache2 ... [ ok ]

Wednesday, November 30, 2011

PostgreSQL: ERROR: new encoding (UTF8) is incompatible with the encoding of the template database (SQL_ASCII)

Error:

sqlalchemy.exc.DataError: (psycopg2.DataError) new encoding (UTF8) is incompatible with the encoding of the template database (SQL_ASCII)
HINT: Use the same encoding as in the template database, or use template0 as template.

[SQL: CREATE DATABASE hydra ENCODING 'utf8' TEMPLATE template1]
(Background on this error at: http://sqlalche.me/e/9h9h)

Solution:
First, we need to drop template1. Templates can’t be dropped, so we first modify it so it's an ordinary database:

UPDATE pg_database SET datistemplate = FALSE WHERE datname = 'template1';

Now we can drop it:

DROP DATABASE template1;

Now its time to create a database from template0, with a new default encoding:

CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = 'UNICODE';

Now modify template1 so it’s actually a template:

UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template1';

Now switch to template1 and VACUUM FREEZE the template:

\c template1

VACUUM FREEZE;

The problem should be resolved now.

Tuesday, November 8, 2011

GRSecurity + Java = Killed + Headup = Running App

 When we work with hardened kernels and tools like grsecurity and PaX, we face problems like:

  1. The kernel kills applications.
  2. Some applications can not start.
  3. We can't compile applications.
  4. And many others.....

This problem depends on the security level configured in the kernel. We need to configure and tell the system that some blocked applications are reliable and trusted, this is because some legitimate applications will attempt to generate code at run time which is executed out of memory. PaX does not allow this and will promptly kill the offending application.

The most notable of these applications are XFree/Xorg, mplayer, and multimedia tools based on xine-lib and Java virtual machine.

homero / # java -version
Killed
homero / # uname -a
Linux homero 2.6.27.15-grsec-2.1.12-vs2.3.0.36.4 #11 SMP Fri Mar 25 17:30:38 CST 2011 i686 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux
homero ~ # tail -f /var/log/pax.log 
Aug  8 13:06:23 homero kernel: [7748633.853670] PAX: From X.X.X.X: execution attempt in: , 48f7f000-48fa7000 48f7f000
Aug  8 13:06:23 homero kernel: [7748633.853683] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18549, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:06:23 homero kernel: [7748633.853695] PAX: bytes at PC: f0 83 04 24 00 8b 44 24 0c c3 00 00 00 00 00 00 00 00 00 00 
Aug  8 13:06:23 homero kernel: [7748633.853718] PAX: bytes at SP-4:
homero bin # pwd
/usr/local/jdk1.6.0_26/bin

To solve this problem we need to work with some PaX utils and applications, such as paxctl and chpax, in order to change the rules of security but only with some applications.

homero bin # emerge pax-utils pax paxctl paxtest -pv These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild R ] sys-apps/paxctl-0.5 0 kB [ebuild R ] app-misc/pax-utils-0.2.2 USE="caps" 0 kB [ebuild R ] app-arch/pax-3.3.4 0 kB [ebuild R ~] app-admin/paxtest-0.9.9-r2 0 kB Total: 4 packages (4 reinstalls), Size of downloads: 0 kB * IMPORTANT: 4 news items need reading for repository 'gentoo'. * Use eselect news to read news items.

First, we need to create the PT_PAX_FLAGS

homero bin # paxctl -C *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file appletviewer got a new PT_PAX_FLAGS program header
file apt got a new PT_PAX_FLAGS program header
file extcheck got a new PT_PAX_FLAGS program header
file idlj got a new PT_PAX_FLAGS program header
file jar got a new PT_PAX_FLAGS program header
file jarsigner got a new PT_PAX_FLAGS program header
file java got a new PT_PAX_FLAGS program header
file java-rmi.cgi is not a valid ELF executable
file javac got a new PT_PAX_FLAGS program header
file javadoc got a new PT_PAX_FLAGS program header
file javah got a new PT_PAX_FLAGS program header
file javap got a new PT_PAX_FLAGS program header
file javaws got a new PT_PAX_FLAGS program header
file jconsole got a new PT_PAX_FLAGS program header
file jcontrol is not a valid ELF executable
file jdb got a new PT_PAX_FLAGS program header
file jhat got a new PT_PAX_FLAGS program header
file jinfo got a new PT_PAX_FLAGS program header
file jmap got a new PT_PAX_FLAGS program header
file jps got a new PT_PAX_FLAGS program header
file jrunscript got a new PT_PAX_FLAGS program header
file jsadebugd got a new PT_PAX_FLAGS program header
file jstack got a new PT_PAX_FLAGS program header
file jstat got a new PT_PAX_FLAGS program header
file jstatd got a new PT_PAX_FLAGS program header
file jvisualvm is not a valid ELF executable
file keytool got a new PT_PAX_FLAGS program header
file native2ascii got a new PT_PAX_FLAGS program header
file orbd got a new PT_PAX_FLAGS program header
file pack200 got a new PT_PAX_FLAGS program header
file policytool got a new PT_PAX_FLAGS program header
file rmic got a new PT_PAX_FLAGS program header
file rmid got a new PT_PAX_FLAGS program header
file rmiregistry got a new PT_PAX_FLAGS program header
file schemagen got a new PT_PAX_FLAGS program header
file serialver got a new PT_PAX_FLAGS program header
file servertool got a new PT_PAX_FLAGS program header
file tnameserv got a new PT_PAX_FLAGS program header
file unpack200 got a new PT_PAX_FLAGS program header
file wsgen got a new PT_PAX_FLAGS program header
file wsimport got a new PT_PAX_FLAGS program header
file xjc got a new PT_PAX_FLAGS program header
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -------x-e-- [java]
    RANDEXEC is disabled
    EMUTRAMP is disabled

The problem is the mprotect flag, because it is enabled.

Name
mprotect - control allowable accesses to a region of memory

Synopsis
#include 
int mprotect(const void *addr, size_t len, int prot);

Description
The function mprotect() specifies the desired protection for the memory page(s) containing part or all of the interval [addr,addr+len-1]. If an access is disallowed by the protection given it, the program receives a SIGSEGV. 

The goal of MPROTECT is to help prevent the introduction of new executable code into the task’s address space. This is accomplished by restricting the mmap() and mprotect() interfaces.

The restrictions prevent:
     - Creating executable anonymous mappings.
     - Creating executable/writable file mappings.
     - Making an executable/read-only file mapping writable except for performing relocations on an ET_DYN ELF file (non-PIC shared library).
     - Making a non-executable mapping executable.

So we need to disable it.

homero bin # paxctl -m *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file java-rmi.cgi is not a valid ELF executable
file jcontrol is not a valid ELF executable
file jvisualvm is not a valid ELF executable
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -----m-x-e-- [java]
    MPROTECT is disabled
    RANDEXEC is disabled
    EMUTRAMP is disabled
homero bin # java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode)

And now we can run any java application on our hardened system.

Sunday, November 6, 2011

Timezone configuration guide for Mexico

This guide is to learn how to set correctly the timezone in a Gentoo Linux and Mexico/General timezone.

First copy or link the proper zone to localtime:

pluton ~ # ln -sf /usr/share/zoneinfo/Mexico/General /etc/localtime pluton ~ # ls -l /etc/localtime lrwxrwxrwx 1 root root 23 Jun 6 18:13 /etc/localtime -> /usr/share/zoneinfo/GMT

Now specify your timezone:

pluton ~ # cat /etc/conf.d/hwclock TIMEZONE="Mexico/General" clock="UTC" clock_systohc="YES" clock_hctosys="YES" clock_args=""

Restart the service:

pluton ~ # /etc/init.d/hwclock restart * WARNING: you are stopping a boot service * Caching service dependencies ... [ ok ] * Setting hardware clock using the system clock [UTC] ... [ ok ] * Setting system clock using the hardware clock [UTC] ...

And that's it:

pluton ~ # date Mon Jun 6 18:24:57 GMT 2011

Tuesday, October 25, 2011

Check 32 and 64 bits compatibility on 64bits Kernel

First, we need to check if we have a 64Bits Kernel running.

Some Linux distros use a release file to save the version, codename, and other information

alvaro@linux-a77o:~> cat /etc/SuSE-release openSUSE 11.4 (x86_64) VERSION = 11.4 CODENAME = Celadon

Or check the system information using uname

alvaro@linux-a77o:~> uname -a Linux linux-a77o 2.6.37.1-1.2-desktop #1 SMP PREEMPT 2011-02-21 10:34:10 +0100 x86_64 x86_64 x86_64 GNU/Linux

Or something a little more standard...

alvaro@linux-a77o:~> perl -MConfig -e 'print $Config{longsize}*8 . "\n";' 64

With this code, we are going to be testing system libraries and support.

alvaro@linux-a77o:~> cat test-bits.c #include int main() { long z; printf("Long int size is %i bytes long!\n", sizeof(z)); return 0; }

Without the 32bits support, we can only compile the 64bits binary.
The 32bits compilation will show some fatal errors, like this one:

alvaro@linux-a77o:~> gcc -m64 -o output64 test-bits.c alvaro@linux-a77o:~> gcc -m32 -o output32 test-bits.c In file included from /usr/include/features.h:371:0, from /usr/include/stdio.h:28, from test-bits.c:1: /usr/include/gnu/stubs.h:7:27: fatal error: gnu/stubs-32.h: No such file or directory compilation terminated.

In this example I used OpenSuse, so these are the steps to solve the problem in this version:

  • Software Management ->
  • View ->
  • Patterns ->
  • Search "Base Technologies" and then "32-bit runtime Library" ->
  • Activate some or all the checkboxes (you maybe need the CD, DVD or ISO image).

After installing or configuring the 32bits library support, we successfully compile and execute the binaries.

alvaro@linux-a77o:~> source /etc/profile alvaro@linux-a77o:~> rm output* alvaro@linux-a77o:~> gcc -m32 -o output32 test-bits.c alvaro@linux-a77o:~> gcc -m64 -o output64 test-bits.c alvaro@linux-a77o:~> ./output32 Long int size is 4 bytes long! alvaro@linux-a77o:~> ./output64 Long int size is 8 bytes long!

Thursday, October 6, 2011

Install IcePHP using Ice-3.4.1

First, you need to install the Ice libs.

zeus ~ # emerge Ice -av These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild R ] dev-libs/Ice-3.4.1 USE="ncurses python -debug -doc -examples -mono -ruby -test" RUBY_TARGETS="ruby18" 0 kB Total: 1 package (1 reinstall), Size of downloads: 0 kB Would you like to merge these packages? [Yes/No]

And then copy the compressed file to a safe and different place, then go there and expand the file.

zeus ~ # cp /usr/portage/distfiles/Ice-3.4.1.tar.gz /root/ zeus ~ # cd /root/ zeus ~ # tar -xzvf Ice-3.4.1.tar.gz Ice-3.4.1/ Ice-3.4.1/CHANGES Ice-3.4.1/ICE_LICENSE Ice-3.4.1/LICENSE Ice-3.4.1/Makefile Ice-3.4.1/Makefile.mak Ice-3.4.1/README Ice-3.4.1/RELEASE_NOTES Ice-3.4.1/allTests.py Ice-3.4.1/certs/ Ice-3.4.1/certs/ImportKey.class Ice-3.4.1/certs/ImportKey.java Ice-3.4.1/certs/c_dsa1024_priv.pem Ice-3.4.1/certs/c_dsa1024_pub.pem Ice-3.4.1/certs/c_rsa1024.pfx Ice-3.4.1/certs/c_rsa1024_priv.pem Ice-3.4.1/certs/c_rsa1024_pub.pem Ice-3.4.1/certs/cacert.pem Ice-3.4.1/certs/cakey.pem Ice-3.4.1/certs/certs.jks Ice-3.4.1/certs/client.jks Ice-3.4.1/certs/dsaparam1024.pem ...

To compile the IcePHP library we need to go to the php directory.

zeus ~ # cd Ice-3.4.1/php/

In order to set the path of php libraries, we need to set it in the Make.rules.php file, but first, we must know where the libraries are.

zeus php ~ # locate php.h
/usr/lib/php5/include/php/main/php.h
/usr/share/doc/freetds-0.64/userguide/php.htm
zeus php ~ # vi config/Make.rules.php
PHP_HOME                ?= /usr/lib/php5

We have all configured, so we just need to compile the library.

zeus php ~ # make making all in src make[1]: Entering directory `/root/Ice-3.4.1/php/src' making all in IcePHP make[2]: Entering directory `/root/Ice-3.4.1/php/src/IcePHP' c++ -c -I. -I/usr/include -I/usr/lib/php5/include/php -I/usr/lib/php5/include/php/main -I/usr/lib/php5/include/php/Zend -I/usr/lib/php5/include/php/TSRM -Wall -D_REENTRANT -fPIC -g Communicator.cpp c++ -c -I. -I/usr/include -I/usr/lib/php5/include/php -I/usr/lib/php5/include/php/main -I/usr/lib/php5/include/php/Zend -I/usr/lib/php5/include/php/TSRM -Wall -D_REENTRANT -fPIC -g Connection.cpp Connection.cpp: In function 'bool IcePHP::connectionInit()': Connection.cpp:376: warning: deprecated conversion from string constant to 'char*' Connection.cpp:378: warning: deprecated conversion from string constant to 'char*' Connection.cpp:378: warning: deprecated conversion from string constant to 'char*' Connection.cpp:391: warning: deprecated conversion from string constant to 'char*' Connection.cpp:391: warning: deprecated conversion from string constant to 'char*' Connection.cpp:393: warning: deprecated conversion from string constant to 'char*' Connection.cpp:395: warning: deprecated conversion from string constant to 'char*' Connection.cpp:395: warning: deprecated conversion from string constant to 'char*' Connection.cpp:397: warning: deprecated conversion from string constant to 'char*' Connection.cpp:421: warning: deprecated conversion from string constant to 'char*' Connection.cpp:421: warning: deprecated conversion from string constant to 'char*' Connection.cpp:423: warning: deprecated conversion from string constant to 'char*' c++ -c -I. -I/usr/include -I/usr/lib/php5/include/php -I/usr/lib/php5/include/php/main -I/usr/lib/php5/include/php/Zend -I/usr/lib/php5/include/php/TSRM -Wall -D_REENTRANT -fPIC -g Endpoint.cpp Endpoint.cpp: In function 'bool IcePHP::endpointInit()': Endpoint.cpp:288: warning: deprecated conversion from string constant to 'char*' ...

if you got an error message like this.

zeus php ~ # make making all in src make[1]: Entering directory `/root/Ice-3.4.1/php/src' making all in IcePHP make[2]: Entering directory `/root/Ice-3.4.1/php/src/IcePHP' make[2]: *** No rule to make target `../../../cpp/include/Ice/CommunicatorF.h', needed by `Communicator.o'. Stop. make[2]: Leaving directory `/root/Ice-3.4.1/php/src/IcePHP' make[1]: *** [all] Error 1 make[1]: Leaving directory `/root/Ice-3.4.1/php/src' make: *** [all] Error 1

Is just because your ICE_HOME environment variable is missing, you can set this variable in the global profile or just for this build.

zeus php # export ICE_HOME=/usr/ && make

And our Dynamically Linked "Shared Object" library it will be in the lib directory.

zeus php ~ # ll lib/IcePHP.so -rwxr-xr-x 1 root root 3171151 Nov 1 23:11 lib/IcePHP.so

Now you need to copy this library in some directory and append this directory in the extensions section of the php.ini file.

zeus php ~ # cp lib/IcePHP.so /etc/php/apache2-php5/ext zeus php ~ # vi /etc/php/apache2-php5/php.ini extension_dir = /etc/php/apache2-php5/ext extension = IcePHP.so

Also in the lib directory, we will find all the PHP-ICE library files that our web apps need.

zeus php ~ # ll lib/ total 3152 drwxr-xr-x 2 root root 256 Nov 2 05:11 Glacier2 -rw-r--r-- 1 500 500 425 Jun 3 16:48 Glacier2.php drwxr-xr-x 2 root root 1152 Nov 2 05:11 Ice -rw-r--r-- 1 500 500 4279 Jun 3 16:48 Ice.php drwxr-xr-x 2 root root 80 Nov 2 05:11 IceBox -rw-r--r-- 1 500 500 379 Jun 3 16:48 IceBox.php drwxr-xr-x 2 root root 376 Nov 2 05:11 IceGrid -rw-r--r-- 1 500 500 612 Jun 3 16:48 IceGrid.php -rwxr-xr-x 1 root root 3171151 Nov 2 05:11 IcePHP.so drwxr-xr-x 2 root root 112 Nov 2 05:11 IcePatch2 -rw-r--r-- 1 500 500 386 Jun 3 16:48 IcePatch2.php drwxr-xr-x 2 root root 80 Nov 2 05:11 IceStorm -rw-r--r-- 1 500 500 383 Jun 3 16:48 IceStorm.php -rw-r--r-- 1 500 500 5293 Jun 3 16:48 Ice_ns.php -rw-r--r-- 1 500 500 5344 Jun 3 16:48 Makefile -rw-r--r-- 1 500 500 3488 Jun 3 16:48 Makefile.make

Now we need to copy these libraries in the PHP shared folder and append the new path of Ice libraries

zeus php ~ # cp -rfv lib/ /usr/share/php/Ice-3.4.1 `Ice-3.4.1/php/lib/' -> `/usr/share/php/Ice-3.4.1' `Ice-3.4.1/php/lib/Ice' -> `/usr/share/php/Ice-3.4.1/Ice' `Ice-3.4.1/php/lib/Ice/Current.php' -> `/usr/share/php/Ice-3.4.1/Ice/Current.php' `Ice-3.4.1/php/lib/Ice/FacetMap.php' -> `/usr/share/php/Ice-3.4.1/Ice/FacetMap.php' `Ice-3.4.1/php/lib/Ice/LoggerF.php' -> `/usr/share/php/Ice-3.4.1/Ice/LoggerF.php' `Ice-3.4.1/php/lib/Ice/ConnectionF.php' -> `/usr/share/php/Ice-3.4.1/Ice/ConnectionF.php' `Ice-3.4.1/php/lib/Ice/ObjectFactory.php' -> `/usr/share/php/Ice-3.4.1/Ice/ObjectFactory.php' `Ice-3.4.1/php/lib/Ice/RouterF.php' -> `/usr/share/php/Ice-3.4.1/Ice/RouterF.php' `Ice-3.4.1/php/lib/Ice/PropertiesF.php' -> `/usr/share/php/Ice-3.4.1/Ice/PropertiesF.php' `Ice-3.4.1/php/lib/Ice/Plugin.php' -> `/usr/share/php/Ice-3.4.1/Ice/Plugin.php' `Ice-3.4.1/php/lib/Ice/Endpoint.php' -> `/usr/share/php/Ice-3.4.1/Ice/Endpoint.php' `Ice-3.4.1/php/lib/Ice/Router.php' -> `/usr/share/php/Ice-3.4.1/Ice/Router.php' `Ice-3.4.1/php/lib/Ice/LocalException.php' -> `/usr/share/php/Ice-3.4.1/Ice/LocalException.php' `Ice-3.4.1/php/lib/Ice/Stats.php' -> `/usr/share/php/Ice-3.4.1/Ice/Stats.php' `Ice-3.4.1/php/lib/Ice/Locator.php' -> `/usr/share/php/Ice-3.4.1/Ice/Locator.php' `Ice-3.4.1/php/lib/Ice/Logger.php' -> `/usr/share/php/Ice-3.4.1/Ice/Logger.php' ...

zeus php ~ # vi /etc/php/apache2-php5/php.ini include_path = ".:/usr/share/php5:/usr/share/php:/usr/share/php/Ice-3.4.1"

Finally, do not forget to restart the apache web server.

zeus php ~ # /etc/init.d/apache2 restart * Stopping apache2 ... [ ok ] * Starting apache2 ... [ ok ]

If you got an error like this:

PHP Deprecated: Comments starting with '#' are deprecated in /etc/php/apache2-php5.4/php.ini on line 693 in Unknown on line 0 PHP Warning: PHP Startup: ice: Unable to initialize module\nModule compiled with module API=20090626\nPHP compiled with module API=20100525\nThese options need to match\n in Unknown on line 0

You should read the Gentoo Upgrading PHP guide.

Setup MX records with tinydns or djbdns and gmail

 Just modify the data file to look like this one.

evo ~ # vi /bla/bla/bla/tinydns-IPX/root/data
...
...
...
# myowndomain.com's MX Servers
@myowndomain.com::aspmx.l.google.com.:10:86400
@myowndomain.com::alt1.aspmx.l.google.com.:20:86400
@myowndomain.com::alt2.aspmx.l.google.com.:20:86400
@myowndomain.com::aspmx2.googlemail.com.:30:86400
@myowndomain.com::aspmx3.googlemail.com.:30:86400
@myowndomain.com::aspmx4.googlemail.com.:30:86400
@myowndomain.com::aspmx5.googlemail.com.:30:86400
...
...
...

Tuesday, September 27, 2011

DotDotPwn-2.1 Gentoo ebuild

DotDotPwn - The Directory Traversal Fuzzer.
It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as Web/FTP/TFTP servers, and Web platforms such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module. It's written in Perl programming language and can be run either under *NIX or Windows platforms.

Official Site: dotdotpwn
Download Link: **From Chatsubo (IN)Security Dark Labs Mirror **
Official E-mail: dotdotpwn@sectester.net

Last version:
DotDotPwn v2.1
Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences 2010)
Release date: 14/Oct/2010 *NON-PUBLIC Version*


DEPRECATED HOW TO, CLICK HERE FOR THE LAST VERSION EBUILD ON PENTOO GITHUB

Preparing the portage tree, more info HERE:

evo ~ # mkdir -p /usr/local/portage/profiles/ evo ~ # echo "Headup Overlay" > /usr/local/portage/profiles/repo_name evo ~ # mkdir -p /usr/local/portage/net-analyzer/dotdotpwn/ evo ~ # echo "PORTDIR_OVERLAY=/usr/local/portage" >> /etc/make.conf evo ~ # cd /usr/local/portage/net-analyzer/dotdotpwn/ evo dotdotpwn # wget http://headup.sytes.net/zbox/pkfiles/dotdotpwn-2.1.ebuild evo dotdotpwn # ebuild dotdotpwn-2.1.ebuild manifest >>> Downloading 'http://www.brainoverflow.org/code/dotdotpwn-v2.1.tar.gz' --2011-09-27 13:51:42-- http://www.brainoverflow.org/code/dotdotpwn-v2.1.tar.gz Resolving www.brainoverflow.org (www.brainoverflow.org)... 75.125.156.234 Connecting to www.brainoverflow.org (www.brainoverflow.org)|75.125.156.234|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 27478 (27K) [application/x-gzip] Saving to: `/usr/portage/distfiles/dotdotpwn-v2.1.tar.gz' 100%[==================================================================>] 27,478 33.3K/s in 0.8s 2011-09-27 13:51:44 (33.3 KB/s) - `/usr/portage/distfiles/dotdotpwn-v2.1.tar.gz' saved [27478/27478] >>> Creating Manifest for /usr/local/portage/net-analyzer/dotdotpwn

Look the files

evo dotdotpwn # ll total 8 -rw-r--r-- 1 root root 398 Sep 27 13:51 Manifest -rw-r--r-- 1 root root 1478 Sep 27 13:51 dotdotpwn-2.1.ebuild

Searching in our portage tree and portdir overlay:

evo dotdotpwn # emerge dotdotpwn -s Searching... [ Results for search key : dotdotpwn ] [ Applications found : 1 ] * net-analyzer/dotdotpwn [ Masked ] Latest version available: 2.1 Latest version installed: [ Not Installed ] Size of files: 26 kB Homepage: http://dotdotpwn.blogspot.com Description: The Directory Traversal Fuzzer. License: GPL-3

Preparing and making our system consistent (good practice):

evo dotdotpwn # echo net-analyzer/dotdotpwn ~x86 >> /etc/portage/package.keywords evo dotdotpwn # echo net-analyzer/dotdotpwn os-detection >> /etc/portage/package.use evo dotdotpwn # echo perl-core/Switch ~x86 >> /etc/portage/package.keywords evo dotdotpwn # emerge dotdotpwn -pv These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild N ~] perl-core/Switch-2.160.0 14 kB [0] [ebuild N ] net-analyzer/nmap-5.51 USE="ssl -gtk -lua" 16,474 kB [0] [ebuild N ] perl-core/Time-HiRes-1.97.19 86 kB [0] [ebuild N ] dev-perl/Log-Agent-0.307.0 54 kB [0] [ebuild N ] dev-perl/yaml-0.71 111 kB [0] [ebuild N ] app-portage/g-cpan-0.16.2 28 kB [0] [ebuild N ~] net-analyzer/dotdotpwn-2.1 USE="os-detection" 0 kB [1] Total: 7 packages (7 new), Size of downloads: 16,765 kB Portage tree and overlays: [0] /usr/portage [1] /usr/local/portage * IMPORTANT: 4 news items need reading for repository 'gentoo'. * Use eselect news to read news items.

And now, we are good to go.... merging....!!!!!!

evo dotdotpwn # emerge dotdotpwn ....... ....... ....... >>> Emerging (7 of 7) net-analyzer/dotdotpwn-2.1 from Headup-Overlay * dotdotpwn-v2.1.tar.gz RMD160 SHA1 SHA256 size ;-) ... [ ok ] ........ ........ If you don't have CPAN installed, you will see a lot of lines with CPAN and CPAN Modules installation.... Do not worry, just hit enter in every question.... ........ ........ >>> Unpacking source... ........ ........ >>> Install dotdotpwn-2.1 into /var/tmp/portage/net-analyzer/dotdotpwn-2.1/image/ category net-analyzer >>> Completed installing dotdotpwn-2.1 into /var/tmp/portage/net-analyzer/dotdotpwn-2.1/image/ >>> Installing (7 of 7) net-analyzer/dotdotpwn-2.1 ........ ........ >>> Recording net-analyzer/dotdotpwn in "world" favorites file. ........ ........ * Messages for package net-analyzer/dotdotpwn-2.1: * Package: net-analyzer/dotdotpwn-2.1 * Repository: Headup-Overlay * USE: elibc_glibc kernel_linux os-detection userland_GNU x86 * FEATURES: preserve-libs sandbox userpriv usersandbox * Package: net-analyzer/dotdotpwn-2.1 * Repository: Headup-Overlay * USE: elibc_glibc kernel_linux os-detection userland_GNU x86 * FEATURES: preserve-libs sandbox userpriv usersandbox * nothing to compile * Removing /usr/share/info >>> Auto-cleaning packages... >>> No outdated packages were found on your system. * IMPORTANT: 4 news items need reading for repository 'gentoo'. * Use eselect news to read news items.

And now everything is in place, libs and files.

evo dotdotpwn # cd evo ~ # ll /etc/dotdotpwn/ total 64 -rw-r--r-- 1 root root 606 Sep 27 14:09 AUTHORS.txt -rw-r--r-- 1 root root 3851 Sep 27 14:09 CHANGELOG.txt -rw-r--r-- 1 root root 6671 Sep 27 14:09 EXAMPLES.txt -rw-r--r-- 1 root root 35147 Sep 27 14:09 LICENSE.txt -rw-r--r-- 1 root root 2490 Sep 27 14:09 README.txt -rw-r--r-- 1 root root 2964 Sep 27 14:09 USAGE.txt -rw-r--r-- 1 root root 85 Sep 27 14:09 payload_sample.txt drwxr-xr-x 2 root root 48 Sep 27 14:09 retrieved_files evo ~ # ll /usr/bin/dotdotpwn* lrwxrwxrwx 1 root root 21 Sep 27 14:09 /usr/bin/dotdotpwn -> /usr/bin/dotdotpwn.pl -rwxr-xr-x 1 root root 9135 Sep 27 14:09 /usr/bin/dotdotpwn.pl evo ~ # ll `perl -e 'use strict; print map {"$INC{$_}"} keys %INC' | awk '{sub("strict.pm","") ; print }'`/DotDotPwn total 44 -rw-r--r-- 1 root root 2235 Sep 27 04:32 FTP.pm -rw-r--r-- 1 root root 796 Sep 27 04:32 File.pm -rw-r--r-- 1 root root 2134 Sep 27 04:32 Fingerprint.pm -rw-r--r-- 1 root root 1787 Sep 27 04:32 HTTP.pm -rw-r--r-- 1 root root 1739 Sep 27 04:32 HTTP_Url.pm -rw-r--r-- 1 root root 1818 Sep 27 04:32 Payload.pm -rw-r--r-- 1 root root 527 Sep 27 04:32 STDOUT.pm -rw-r--r-- 1 root root 2089 Sep 27 04:32 TFTP.pm -rw-r--r-- 1 root root 9681 Sep 27 04:32 TraversalEngine.pm

And finally.... have fun!!!!!

Thanks to @nitr0usmx and @chr1x for giving us dotdotpwn, and like they said... Happy fuzzing! ;)

Monday, September 12, 2011

Hiding .svn directories from web queries

 web-server / # cat /etc/apache2/vhosts.d/00_default_vhost.conf

...

<VirtualHost *:80>
...


        ###### You can...
	##
	# 	Deny access to .svn folders on Apache...
	#
	RedirectMatch 404 /\\.svn(/.*|$)

        ###### or ...
	##
	# 	Restrict access to .svn folders on Apache... 
	#
	<DirectoryMatch .*\.svn/.*>
		Order allow,deny
    		Deny From All
	</DirectoryMatch>

...

</VirtualHost>
...

Hardened environment running GRSecurity and VMWare Server

After a common install of vmware-server...
vm-win ~ # emerge vmware-server -pv These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild Rf ] app-emulation/vmware-server-2.0.2.203138-r1 0 kB Total: 1 package (1 reinstall), Size of downloads: 0 kB Fetch Restriction: 1 package * IMPORTANT: 3 news items need reading for repository 'gentoo'. * Use eselect news to read news items.

... our vmware-server cannot start, to solve this problem we need to work with some PaX utils and applications, such as paxctl and chpax, in order to change the rules of security but only with some applications.

vm-win ~ # emerge pax-utils pax paxctl paxtest -pv These are the packages that would be merged, in order: Calculating dependencies... done! [ebuild R ] sys-apps/paxctl-0.5 0 kB [ebuild R ] app-misc/pax-utils-0.2.1 USE="caps" 0 kB [ebuild R ] app-arch/pax-3.3.4 0 kB [ebuild R ] app-admin/paxtest-0.9.9-r1 0 kB Total: 4 packages (4 reinstalls), Size of downloads: 0 kB * IMPORTANT: 4 news items need reading for repository 'gentoo'. * Use eselect news to read news items.

Here are some options.

vm-win ~ # chpax --help chpax 0.7 .::. Manage PaX flags for binaries Usage: chpax OPTIONS FILE1 FILE2 FILEN ... -P enforce paging based non-executable pages -p do not enforce paging based non-executable pages -E emulate trampolines -e do not emulate trampolines -M restrict mprotect() -m do not restrict mprotect() -R randomize mmap() base [ELF only] -r do not randomize mmap() base [ELF only] -X randomize ET_EXEC base [ELF only] -x do not randomize ET_EXEC base [ELF only] -S enforce segmentation based non-executable pages -s do not enforce segmentation based non-executable pages -v view current flag mask -z zero flag mask (next flags still apply)
The flags only have effect when running the patched Linux kernel.

vm-win ~ # paxctl -h PaX control v0.5 Copyright 2004,2005,2006,2007 PaX Team usage: paxctl options: -p: disable PAGEEXEC -P: enable PAGEEXEC -e: disable EMUTRMAP -E: enable EMUTRMAP -m: disable MPROTECT -M: enable MPROTECT -r: disable RANDMMAP -R: enable RANDMMAP -x: disable RANDEXEC -X: enable RANDEXEC -s: disable SEGMEXEC -S: enable SEGMEXEC -v: view flags -z: restore default flags -q: suppress error messages -Q: report flags in short format -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!) -C: create PT_PAX_FLAGS (see manpage!)


The next script will change the security policy rules of the vmware-server-2.0.2.
First the config and opts file.

vm-win ~ # cat /etc/conf.d/grsecurity # /etc/conf.d/grsecurity CHPAX_CMD="/sbin/chpax" CHPAX_OPTIONS="-rsm" PAXCTL_CMD="/sbin/paxctl" PAXCTL_OPTIONS="-pemrxs" PAXCTL_OPTIONS_="-z" PAXCTL_CONVERT="-c"

Then the init script.

vm-win ~ # cat /etc/init.d/grsecurity #!/sbin/runscript # Copyright 1999-2010 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: $ depend() { before vmware } start() { ebegin "Setting grsecurity rules and options" ${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-hostd ${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/lib/bin/vmware-hostd ${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/bin/vmnet-bridge ${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/bin/vmnet-bridge ${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-vmx ${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/lib/bin/vmware-vmx } stop(){ ebegin "Restoring default grsecurity rules and options" ${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-hostd ${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/lib/bin/vmware-hostd ${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/bin/vmnet-bridge ${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/bin/vmnet-bridge ${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-vmx ${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/lib/bin/vmware-vmx } restart() { stop start }


I know!!!!.... This is an ugly script, but it worked at a "Hardened Gentoo [server] " security level.


┌────────────────────────── Security Level ──────────────────────────┐                                                                  
│  Use the arrow keys to navigate this window or press the hotkey of │                                                                  
│  the item you wish to select followed by the . Press    │                                                                  
│  > for additional information about this option.                 │                                                                  
│ ┌────────────────────────────────────────────────────────────────┐ │                                                                  
│ │           ( ) Low                                              │ │                                                                  
│ │           ( ) Medium                                           │ │                                                                  
│ │           ( ) High                                             │ │                                                                  
│ │           (X) Hardened Gentoo [server]                         │ │                                                                  
│ │           ( ) Hardened Gentoo [server no rbac]                 │ │                                                                  
│ │           ( ) Hardened Gentoo [workstation]                    │ │                                                                  
│ └───────────────v(+)─────────────────────────────────────────────┘ │                                                                  
├────────────────────────────────────────────────────────────────────┤                                                                  
│                                                    │                                                                  
└────────────────────────────────────────────────────────────────────┘                                                                  

Runing kernel

vm-win ~ # uname -a Linux vm-win 2.6.35-hardened #7 SMP Thu Sep 30 22:13:03 GMT 2010 x86_64 Intel(R) Xeon(R) CPU L5410 @ 2.33GHz GenuineIntel GNU/Linux


And now... all is running correctly.

vm-win ~ # ps ax PID TTY STAT TIME COMMAND 1 ? Ss 0:00 init [3] .......... 2010 ? Ss 0:00 /usr/bin/svscan /service 2038 ? Ss 0:00 /usr/sbin/cron 2125 ? Ss 0:00 /opt/vmware/server/bin/vmnet-bridge -d /var/run/vmnet-bridge-0.pid -n 0 -i eth0 2404 ? Ss 0:00 /opt/vmware/server/sbin/vmware-authdlauncher 2418 ? S 0:00 /bin/sh /opt/vmware/server/bin/vmware-watchdog -s webAccess -u 30 -q 5 /opt/vmware/server/lib/webAccess/java/jre1.5.0_15/bin/webAccess -client -Xmx64m -XX:MinHeapFreeRatio=30 2441 ? Ssl 0:29 /opt/vmware/server/lib/webAccess/java/jre1.5.0_15/bin/webAccess -client -Xmx64m -XX:MinHeapFreeRatio=30 -XX:MaxHeapFreeRatio=30 -Djava.util.logging.manager=org.apache.juli.Cla 2523 ? Ssl 0:21 /opt/vmware/server/lib/bin/vmware-hostd -a -d -u /etc/vmware/hostd/config.xml 2576 ? Ssl 9:31 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138; 2642 ? Ssl 3:34 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138; 2676 ? Ssl 3:48 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138;

Tuesday, September 6, 2011

Install grub in a HP Proliant Server

 Edit the file /boot/grub/device.map to look like this

(fd0) /dev/fd0 (hd0) /dev/cciss/c0d0

Run grub like this:

hercules ~ # /sbin/grub --batch --device-map=/boot/grub/device.map --config-file=/boot/grub/grub.conf --no-floppy

grub shell:

grub> root (hd0,0) grub> setup (hd0) grub> quit