Monday, July 29, 2013

To View All SetUID Programs On A UNIX Machine

Allowing normal users to run programs with elevated permissions is inherently dangerous.
Therefore, any program that is SetUID, and especially one that is SetUID root, must be set up carefully to ensure that a user cannot exploit it.
Why? Because if the bad guys own an account on a system and can run SetUID programs, they can try to subvert the SetUID program to gain increased privileges.

Those bad guys could try to feed bogus input to the SetUID program or crash it in an attempt to gain elevated privileges. Because of this, SetUID programs must be carefully configured to minimize the access the program provides to the user.

Moreover, system administrators should keep a list of all SetUID programs on a machine. A newly added or modified SetUID root program could be an indication that an attacker is present on the machine and has configured a SetUID program as a quick way to jump to root.

To view all SetUID programs on a UNIX machine, you can execute the following command as a root-level user:

root@ephraim:~# find / -uid 0 -perm -4000 -print

find is the name of the program
/ start looking at the root directory and continue through subdirectories
-uid 0 look for files owned by accounts with UID 0 (root)
-perm -4000 look for files with the SetUID bit set
-print print the results on the screen
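The list the post recommends keeping is only useful if it is compared against the machine regularly. The script below is an added example, not part of the original post: it saves a baseline of SetUID files (same find test as above) and reports files that appeared or disappeared since. The demo at the end uses a constructed temporary tree and the current user's UID so it runs unprivileged; the file names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): keep a baseline of SetUID files
# and report drift, so a newly added SetUID root binary stands out.
# list_setuid ROOT UID -> sorted paths of regular files under ROOT owned by UID
#                         with the SetUID bit set (same test as the find above)
list_setuid() {
    find "$1" -xdev -type f -uid "$2" -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# compare_setuid BASELINE ROOT UID -> prints "+ path" for new SetUID files and
#   "- path" for ones that vanished; returns 0 when nothing changed, 1 otherwise
compare_setuid() {
    baseline=$1; root=$2; uid=$3
    current=$(mktemp)
    list_setuid "$root" "$uid" > "$current"
    # comm needs sorted input: -23 keeps lines only in baseline, -13 only in current
    removed=$(LC_ALL=C comm -23 "$baseline" "$current")
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    rm -f "$current"
    if [ -n "$removed" ]; then printf '%s\n' "$removed" | sed 's/^/- /'; fi
    if [ -n "$added" ]; then printf '%s\n' "$added" | sed 's/^/+ /'; fi
    if [ -z "$removed" ] && [ -z "$added" ]; then return 0; fi
    return 1
}

# Demo in a constructed temporary tree, using the current user's UID so it runs
# unprivileged; on a real host you would run: list_setuid / 0 > /root/setuid.baseline
demo=$(mktemp -d)
touch "$demo/svc" "$demo/tool"
chmod 4755 "$demo/svc"                       # one SetUID file in the baseline
list_setuid "$demo" "$(id -u)" > "$demo/baseline"
chmod 4755 "$demo/tool"                      # simulate a newly added SetUID file
compare_setuid "$demo/baseline" "$demo" "$(id -u)" || echo "drift detected"   # prints "+ .../tool"
rm -rf "$demo"
```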


Saturday, September 20, 2008

How to create ISO image from your Harddisk, CD or DVD

Sometimes we want to back up a CD/DVD, or even files from our hard drive, as an ISO image.

Here are the how-to's:
dd if=/dev/dvd of=dvd.iso (if you want to back up from DVD)
dd if=/dev/cdrom of=cd.iso (if you back up from CDROM)
dd if=/dev/scd0 of=cd.iso (if you back up from SCSI CDROM)
mkisofs -o /tmp/cd.iso /tmp/backup/ (to make an ISO image from files on your hard drive)


Friday, September 19, 2008

Install Ubuntu 8.04.1 Hardy on ACER 4530 with Mac4Lin Leopard Desktop

Here are the captured screens of my laptop, just installed with Ubuntu 8.04.1 Hardy and tweaked to resemble the Mac Leopard desktop.

The Acer 4530 is a great notebook at a good price and comes with a great graphics controller, the GeForce 9100M G. However, you have to install the nvidia driver in order to get the 1280x800 resolution.

Currently, after recompiling the kernel using 2.6.26.5, I still cannot get the sound and wireless working even though they are detected.

Here is the ALSA sound output taken from dmesg:
ALSA sound/pci/hda/hda_codec.c:728: hda_codec_cleanup_stream: NID=0x2
ALSA sound/pci/hda/hda_codec.c:728: hda_codec_cleanup_stream: NID=0x3

For the wireless card, here is what I've got from iwconfig; however, somehow I just cannot connect to my Access Point.

nprasetio@student1:~$ iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wmaster0 no wireless extensions.

wlan0 IEEE 802.11 ESSID:""
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Here are some great links to follow in order to tweak your ACER 4530 to resemble a Mac.

Recompiling Kernel To Detect Wireless Card, Sound and Other Cool Features

Turning your ACER 4530 to Mac OSX Leopard

Thursday, July 31, 2008

Secure Shell: SSH

The ability to authenticate with ssh keys is the most powerful feature of SSH. To use it, the user generates a key pair and installs the so-called public key into the ~/.ssh/authorized_keys file on the server. Normally the private key is protected by a password and managed by ssh-agent. Nevertheless, if the key is used for automating tasks it must not have a password.

[georgia@georgia ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/georgia/.ssh/id_rsa):
Created directory '/home/georgia/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/georgia/.ssh/id_rsa.
Your public key has been saved in /home/georgia/.ssh/id_rsa.pub.
The key fingerprint is:
67:5a:60:ac:70:95:18:8d:02:1b:e1:c2:da:5c:88:81 georgia@georgia.rhce.test


[georgia@georgia ~]$ cat ~/.ssh/id_rsa.pub | ssh georgia@greg.rhce.test 'cat >>.ssh/authorized_keys'

Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:

Now, check your configuration by doing the following:


[georgia@georgia ~]$ ssh georgia@greg.rhce.test

Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:
Last login: Thu Jul 31 16:23:42 2008

It should work as above.
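The `cat | ssh 'cat >>'` one-liner above appends blindly: run it twice and the key is listed twice, and it does nothing about permissions, which sshd checks (with StrictModes, a group- or world-writable ~/.ssh or authorized_keys is silently ignored and you fall back to password prompts). The script below is an added example, not part of the original post: it installs a public key only if the same key material is not already present and then fixes the modes. The demo uses a constructed, non-functional key blob and a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent authorized_keys install.
# install_pubkey PUBKEY_FILE SSH_DIR
#   Appends the first key line of PUBKEY_FILE to SSH_DIR/authorized_keys unless a
#   line with the same key type and base64 blob (comment ignored) is already there,
#   then enforces 0700 on SSH_DIR and 0600 on authorized_keys. Prints "added" or
#   "present"; returns 2 if PUBKEY_FILE holds no key.
install_pubkey() {
    pubkey_file=$1; ssh_dir=$2
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    touch "$auth"
    key_line=$(head -n 1 "$pubkey_file")
    # key identity = key type + base64 blob; the trailing comment may differ
    key_id=$(printf '%s\n' "$key_line" | awk 'NF >= 2 { print $1, $2 }')
    if [ -z "$key_id" ]; then echo "no key found in $pubkey_file" >&2; return 2; fi
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth"; then
        result=present
    else
        printf '%s\n' "$key_line" >> "$auth"   # exactly one newline, whatever the input had
        result=added
    fi
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
    echo "$result"
}

# count_keys AUTHORIZED_KEYS -> number of non-empty, non-comment lines
count_keys() {
    grep -c -v -e '^[[:space:]]*$' -e '^#' "$1" || true
}

# Demo with a constructed (not real) key blob in a temporary directory.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0CONSTRUCTEDBLOB georgia@georgia.rhce.test\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"    # added
install_pubkey "$demo/id_rsa.pub" "$demo/.ssh"    # present
count_keys "$demo/.ssh/authorized_keys"           # 1
rm -rf "$demo"
```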

Friday, July 18, 2008

Basic IPv4 Firewall Using iptables

Scenario: somebody wants to harden his/her stand-alone server using the Linux built-in firewall application, iptables. The server has only one NIC.

Here are the steps:
1. Create a custom chain named HOME-RULES and append a rule to INPUT that jumps all packets to it. Remember to save the firewall configuration when you're finished.
[root@greg ~]# iptables -N HOME-RULES
[root@greg ~]# iptables -A INPUT -j HOME-RULES
[root@greg ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@greg ~]# less /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat Jul 19 07:29:26 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:HOME-RULES - [0:0]
-A INPUT -j HOME-RULES
COMMIT
# Completed on Sat Jul 19 07:29:26 2008

2. In this tutorial, I am going to show you how to populate the HOME-RULES chain by directly editing /etc/sysconfig/iptables. (Note: I assume you understand how to use vim to edit files).
[root@greg ~]# vim /etc/sysconfig/iptables
Insert the following text below the -A INPUT lines.
-A HOME-RULES -i lo -j ACCEPT --> accepts all traffic on the loopback interface (lo)
-A HOME-RULES -p icmp -j ACCEPT --> accepts ping from other host
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT --> enable stateful replies
-A HOME-RULES -p tcp --dport 22 -j ACCEPT --> accepts packets destined for tcp port 22 (ssh), i.e. lets other hosts ssh to the server
-A HOME-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT --> accepts packets with the NEW state destined for udp port 514 (syslog)
-A HOME-RULES -j LOG --> log all packets not matched by one of the above rules
-A HOME-RULES -j REJECT --> rejects all packets not matched by one of the above rules

3. Save the new configuration.
4. Load the new rules.
[root@greg ~]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

5. You're all set.

Thursday, July 17, 2008

Installing a Simplistic DNS Server Using BIND

1. Install the required packages (ignore the warning about a missing named.conf; it is expected):
  • bind, bind-utils, bind-chroot, caching-nameserver
[root@greg ~]# yum -y install bind bind-utils bind-chroot caching-nameserver
... output omitted ...
2. Turn on iptables:
[root@greg ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

3. Set SELinux to enforcing mode:
[root@greg ~]# vim /etc/selinux/config
Make sure the following line appears in your configuration
SELINUX=enforcing
4. Inspect what ports are usually used for domain name servers:
[root@greg ~]# grep domain /etc/services
domain 53/tcp # name-domain server
domain 53/udp
domaintime 9909/tcp # domaintime
domaintime 9909/udp # domaintime

5. Check whether named is linked against libwrap (TCP wrappers). The expected result is no output.
[root@greg ~]# ldd $(which named) | grep libwrap
6. Review the configuration in /etc/named.caching-nameserver.conf to see the default access control options. Pay attention to the listen-on and allow-query directives. If you forget a directive such as "allow-query", look it up in man 5 named.conf.
7. Prepare a minimal configuration that meets the access requirements. First run the following commands so you can track the system messages when you restart the service after changing the configuration.
[root@greg ~]# tail -f /var/log/messages
... output omitted ...
[root@greg ~]# tail -f /var/log/audit/audit.log
... output omitted ...
8. Determine what directory is installed as the chroot:
[root@greg ~]# cat /etc/sysconfig/named
Look for the following output for the location of the chroot directory
ROOTDIR=/var/named/chroot
9. Use the named.caching-nameserver.conf as a starting configuration:
[root@greg ~]# cd /var/named/chroot/etc/
[root@greg etc]# ls
localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key

[root@greg etc]# cp named.caching-nameserver.conf named.conf
10. Test the current configuration and check /var/log/messages for configuration errors:
[root@greg etc]# service named configtest
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42

The above output means our initial config is OK.
11. Start the named service and enable it at boot:
[root@greg etc]# service named start ; chkconfig named on
Starting named: [FAILED]

If you got the same output as I did, use tail -f /var/log/messages to see the error message. Here is what I got on my screen:
Jul 18 06:50:20 greg named[3874]: loading configuration from '/etc/named.conf'
Jul 18 06:50:20 greg named[3874]: none:0: open: /etc/named.conf: permission denied
Jul 18 06:50:20 greg named[3874]: loading configuration: permission denied
Jul 18 06:50:20 greg named[3874]: exiting (due to fatal error)

19. It means the named service does not have permission to read the configuration. Check the file's ownership and mode:
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root root 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf

20. Give the named group ownership of the file so that named can read it:
[root@greg etc]# chgrp named /var/named/chroot/etc/named.conf
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root named 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf

21. There you go; the name server is now running.
[root@greg etc]# service named start ; chkconfig named on
Starting named: [ OK ]

Check the log as well; there should be no error.
22. Try dig or nslookup to query a site like www.google.com, but remember to edit /etc/resolv.conf first so that name resolution points to localhost.
[root@greg etc]# nslookup www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 209.85.175.99
Name: www.l.google.com
Address: 209.85.175.104
Name: www.l.google.com
Address: 209.85.175.147