Since we are going on a small vacation tomorrow I wanted to get a couple picture galleries up before I start filling my drive up with new pictures. These are all from small trips/excursions we took over the summer. Unfortunately no pictures from the canoe on the st. croix river.
[album id=31 template=dopefish]
[album id=32 template=dopefish]
[album id=33 template=dopefish]
If you use keys for SSH authentication (and you should) then you have probably run into the situation that the auth.log shows that someone logged in, even which local user was used (e.g. root), but you have no idea which of the keys in ~/.ssh/autorized_keys was used. The first step you can do to see what is going on, is increasing the log level of the SSH daemon:
/etc/ssh/sshd_config
1 | LogLevel VERBOSE |
That will spit out the fingerprint of the SSH key used to log in. Example log entry for a successful login:
1 2 3 4 5 6 | Aug 15 11:47:40 security sshd[1924]: Connection from 192.168.199.1 port 39648 Aug 15 11:47:41 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c Aug 15 11:47:41 security sshd[1924]: Postponed publickey for root from 192.168.199.1 port 39648 ssh2 [preauth] Aug 15 11:47:42 security sshd[1924]: Found matching DSA key: df:45:12:ea:d2:92:a2:42:aa:ba:25:1a:90:82:1a:1c Aug 15 11:47:42 security sshd[1924]: Accepted publickey for root from 192.168.199.1 port 39648 ssh2 Aug 15 11:47:42 security sshd[1924]: pam_unix(sshd:session): session opened for user root by (uid=0) |
Now that we have the fingerprint of the ssh key used to login, we will need ssh-keygen to spit out the fingerprints of the public keys in ~/.ssh/authorized_keys to be able to compare them. So I wrote a little wrapper called ssh-fingerprint.sh around ssh-keygen to feed it all the public keys from authorized_keys (if you want you can even fit the whole while loop as a oneliner):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | #!/bin/bash initialize() { #{{{ # Treat unset variables as an error set -o nounset tempfile=$(mktemp) authorized_keys="${HOME}/.ssh/authorized_keys" trap cleanup TERM EXIT # clean up if script exits } #}}} cleanup() { #{{{ rm -f ${tempfile} exit 0 } #}}} #=============================================================================== # Main #=============================================================================== initialize if [ ! -e ${authorized_keys} ] then echo -e "\nERROR: ${authorized_keys} file not found\n" exit fi while read line do echo "${line}" > ${tempfile} ssh-keygen -l -f ${tempfile} done < ${authorized_keys} |
Here is a small bash function to check if a IP is valid (4 octets, each octet < 256). I find it somewhat elegant since instead of using a lot of case/if/then constructs or a crazy long regex it splits the IP into each octet (and stores them in an array, and then uses a combination of regex and bit shifting to check each octet.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | is_valid_ipv4() { local -a octets=( ${1//\./ } ) local RETURNVALUE=0 # return an error if the IP doesn't have exactly 4 octets [[ ${#octets[@]} -ne 4 ]] && return 1 for octet in ${octets[@]} do if [[ ${octet} =~ ^[0-9]{1,3}$ ]] then # shift number by 8 bits, anything larger than 255 will be > 0 ((RETURNVALUE += octet>>8 )) else # octet wasn't numeric, return error return 1 fi done return ${RETURNVALUE} } |
The function will return 0 if the IP is valid, and 1 or higher if it encountered an error (you can check with the $? variable directly after calling the function)
Example:
1 2 3 4 5 6 7 | is_valid_ipv4 ${ip} if [[ $? -gt 0 ]] then echo "invalid IP" else echo "valid IP" fi |
I was testing a PHP script for security flaws today and needed a way to check if it was possible to “accidently” leak sensitive data to an external server. So I threw together a small script to save the contents of the $_SERVER $_COOKIE $POST and $_GET arrays and dump them in a file. Since it worked so good I decided to leave the site online.
Why did I call it silica? Because silica gel absorbs and stores fluids like this website absorbs information thrown at it. How to use it? Just get your application to connect to silica.dopefish.de instead of where it intended to connect to (by overwriting variables, DNS foo, be creative) and see what happens.
Base Domain: silica.dopefish.de
The webserver will catch any URL (regardless what path or filename) and log the environment. The only exception is the logfile.
Logfile: http://silica.dopefish.de/access.log
The log is automatically emptied every 10 minutes, so save the output if you need it.
OSSEC is an open source HIDS (Host-based Intrusion Detection System), and a pretty darn good one too. It also has a simple web front-end to view what’s going on, search through alerts and stuff like that (called OSSEC Web UI, I’ll just call it “WUI” here). Unfortunately the code is a bit outdated (the last official update was from 2008 as far as I can tell) and it doesn’t support newer features of OSSEC like polling data from a database. Something I’d like to tackle if I find the time 😉
The latest version of OSSEC is 2.6, and due to some small changes to the format of the logs WUI no longer works out-of-the-box. I had a look at the code this weekend and am providing patches and downloads of the files needed to change to get everything running again with OSSEC 2.6.
List of changes:
Download changed files
Patch download