Skip to main content

Posts

Showing posts from August, 2009

IPTABLES and M4

I manage high traffic web servers that are constantly under attack. To manage the security of these web servers, I need to routinely update my iptables rules, and by routinely, I mean every morning when I roll into the office.

When I searched for a solution that allowed me to dynamically define my rules with a merge option, nothing come to the forefront. There are some miscellaneous posts about using PERL and cat, but nothing really useful.

Then I remember M4. If you don't know about M4, then you should man it.

Here's what you do.

iptables.m4:


---- start ----

# Firewall configuration written by
# system-config-securitylevel
# Manual customization of this file is not
# recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
include(/root/iptables/iptables_special)
include(/root/iptables/iptables_reject)
include(/root/iptables/iptables_accept)
#
# The final rule that rejects ev…

Rookie Mistake

I've been fighting with an ASP.NET 1 conversion to ASP.NET 2 where for some unknown reason, the Global.asax code is no longer being run. No matter what I do, including making a Global class or even embedding the code into the asax file, the Application_Start is not being invoked when the app starts. No matter though.

What I am embarassed about though is a simple mistake:


public class Foo
{
private static Foo _Instance = new Foo();
private static KEY = null;

private Foo()
{
KEY = ConfigurationSettings.AppSettings["MyKeyValue"];
}

public static Foo Instance() { return(_Instance); }
}


Guess what value "Foo.KEY" has after you call Foo.Instance? Eight hours later, I finally realized why KEY is always null and the real fix is just to do the following:


public class Foo
{
private static KEY = null;
private static Foo _Instance = new Foo();

private Foo()
{
KEY = ConfigurationSettings.AppSettings["MyKeyValue…

Covert Communications

A recent experience with intermittent network failure started me thinking about how I could read data from a server without the NOC knowing about it. I could do this with a virus that replaces "netstat" and "syslog" and "ps" so that it never shows itself running. That's just too simple and blunt, a child could do that. No, what I wanted to do is create a method that goes undetected because it looks like a common attack that is easily thwarted and often ignored.

First, there is the ICMP ping relay attack. One way to communicate with a 3rd party covertly is to send ping packets to a server and spoof the source IP so that they are bounced to the 3rd party by the server. This way you never directly communicate with the 3rd party.

Secondly, you need to take advantage of subliminal channels [1] in network protocols. This is the super-secret spy stuff that makes this idea a reality. By utilizing a subliminal channel, I am able to send secret messages to the 3…