Security-Related Bug in Ubuntu 7.10

Posted in Security on January 16th, 2008 by termina

Create a ‘Shared’ folder in /home/username
Create a ‘Shared 192.168.1.100’ folder in /home/username

Right click ‘Shared’ and go to ‘Share Folder’. Add an NFS share with no allowed IP addresses.
Right click ‘Shared 192.168.1.100’. Add an NFS share with no allowed IP addresses.

Go to ‘System’ – ‘Administration’ – ‘Shared Folders’

You will now see only one share, ‘/home/will/Shared’, that allows 192.168.1.100 to access this folder.

This does change the /etc/exports file, and I believe it may be a security vulnerability.

Doing this with a folder with three words (two spaces) adds each word after the space to hosts allowed to access (read-only) the share.

Seems like it would be important for users to share a folder with spaces in it, especially for everyday desktop use.
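The effect described in this post, as an added example (not code from the original post or from Ubuntu's sharing tool): a small Python parser that follows the path rules in exports(5), where whitespace ends the path unless it is double-quoted or written as the octal escape \040. The function names and the assumption that the tool writes the folder path unescaped are hypothetical; the sample paths are constructed.

```python
import re

def parse_exports_line(line):
    """Split one /etc/exports line into (path, clients) per exports(5):
    whitespace ends the path unless the path is double-quoted or its
    spaces are written as the octal escape \\040."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith('"'):
        end = line.index('"', 1)
        path, rest = line[1:end], line[end + 1:]
    else:
        path, rest = re.match(r"(\S+)(.*)", line).groups()
    path = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)
    return path, rest.split("#", 1)[0].split()

def naive_entry(path, clients=()):
    # Assumed behaviour of the buggy tool: path pasted in unescaped.
    return " ".join([path, *clients])

def safe_entry(path, clients=()):
    # Write whitespace, quotes, backslashes and '#' as \ooo octal escapes.
    esc = "".join("\\%03o" % ord(c) if c.isspace() or c in '"\\#' else c
                  for c in path)
    return " ".join([esc, *clients])

def spilled_names(intended_dirs, exports_text):
    """Find shares whose folder-name words ended up in the client list."""
    entries = [e for e in map(parse_exports_line, exports_text.splitlines()) if e]
    findings = []
    for d in intended_dirs:
        first, *extra = d.split()
        for path, clients in entries:
            hosts = [c.split("(")[0] for c in clients]
            if extra and path == first and all(w in hosts for w in extra):
                findings.append((d, path, extra))
    return findings

# Constructed sample input (not taken from a real system).
FOLDER = "/home/username/Shared 192.168.1.100"
BAD = naive_entry(FOLDER)    # path cut at the space, rest becomes a client
GOOD = safe_entry(FOLDER)    # space written as \040, no client leaks in

if __name__ == "__main__":
    print(parse_exports_line(BAD))
    print(parse_exports_line(GOOD))
    print(spilled_names([FOLDER], BAD))
```

Running spilled_names over the list of folders you meant to share and the contents of /etc/exports flags any entry where part of a folder name has become an allowed host.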

Lock Screen on Laptop Lid Close

Posted in Security on January 12th, 2008 by termina

This used to work on one of my old laptops, but ever since I started buying Dell laptops the screen wouldn’t lock when I closed the laptop lid.

To have your screen be locked when you close your lid, open a terminal, run gconf-editor and go to:

/apps/gnome-power-manager/lock

[x] blank_screen

Make sure that ‘Blank Screen’ is selected in Power Management Properties.

Debian/Ubuntu Apache2 + PHP5 + Mysql + SSL

Posted in Networking, Security, Services on January 8th, 2008 by termina

First let’s grab the packages we need for a basic LAMP setup:

apt-get install apache2 php5-cgi libapache2-mod-php5 mysql-server php5-mysql php5-common apache2.2-common ssl-cert

If using Ubuntu, be sure to install libapache2-mod-auth-mysql

apache2.2-common and ssl-cert are needed to generate an SSL cert:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf apache.crt
mkdir /etc/apache2/ssl
mv apache.crt /etc/apache2/ssl

cd /etc/apache2/mods-enabled
ln -s ../mods-available/ssl.conf ssl.conf
ln -s ../mods-available/ssl.load ssl.load

Make sure /etc/apache2/ports.conf tells Apache to listen on 443:

Listen *:443

In your 000-default file in /etc/apache2/sites-enabled (or wherever your VirtualHosts are managed), change:

NameVirtualHost *
<VirtualHost *>

to

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>

Add a site for SSL:

<VirtualHost *:443>
    ServerAdmin [email protected]
    DocumentRoot /var/wwws
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/wwws>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

/etc/init.d/apache2 restart

By default, the User/group is www-data, so make sure all your website files are owned by this user/group. This will accomplish it:

chown -R www-data:www-data /var/wwws/

All website files should be located in /var/www and /var/wwws (you can choose different directories, of course, like /home/www, but make sure you change the config).

Ban an IP using IP Tables

Posted in Networking, Security on January 8th, 2008 by termina

I’ve been doing this several different ways over the past few years, but I’ve found this works the best for banning an IP address. Remember, if you see a weird domain in netstat you can resolve the IP using traceroute.

A simple script (/usr/bin/ban) that I can use to ban IP addresses quickly and easily.

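#!/bin/bash
# Usage: ban <ip-address>  (run as root)
[ -n "$1" ] || { echo "usage: $0 <ip-address>" >&2; exit 1; }
# Insert a DROP rule for this source address at the top of the INPUT chain
iptables -I INPUT -s "$1" -j DROP && echo "$1 was banned"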

If you wish to make an ‘unban’ script, use the same script and replace -I with -D.