HOWTO defend databases from SQL attacks with GreenSQL
UPDATE: as if to underscore the importance of this tool and approach, yesterday a story hit about a SQL injection attack infecting over 132,000 systems in short order. Net-Security have the full details on this attack, including how it probes the host via JavaScript to check for known vulnerabilities, how it exploits them, and how it ultimately downloads a back-door trojan to get the game going. It’s really amazing to see how complicated and professional these things have gotten, and it just reinforces the argument that we have to step up to the plate and learn how to better defend against them.
I’ve been privy to some log dumps showing real, and successful, SQL attacks on some MSSQL servers before, and they weren’t pretty. Of course a SQL injection attack has little to do with the database (well, as long as it’s still SQL based at least (nod to CouchDB and MongoDB)), and more with the code that calls it, and how that code deals with sanitizing inputs. For this reason MySQL is just as vulnerable; after all, bad code is bad code. While a client of mine opted for a firewall ‘module’ they had to buy an additional licence for, that set them back many thousands of dollars, I knew there had to be cheaper/better ways to address this kind of vulnerability. One way of course is to fix the code, but with legacy sites that no one has touched for years, this may be impractical (I didn’t say this, I only heard it), and the other idea is to proxy the SQL and ‘clean’ it before it hits the database. The advantage of this approach is that it protects against known attacks, as well as unknown attacks, since it limits so much of what an attack is allowed to accomplish when trying to get its foot in the door. This approach is what the folks over at GreenSQL have done, and it’s very impressive. They sum things up nice and sweet with, “GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.” (more…)
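To make the “risk scoring plus blocked admin commands” idea concrete, here is a toy version of that proxy logic. This is an added example written for this post, not GreenSQL’s code: the rule set, the weights, the block threshold and the “learned pattern” allow-list are all my own assumptions, and the sample queries are constructed. The one design point worth taking from it is that literals are normalized away before any rule runs, so text sitting inside a properly quoted string can never trigger a rule, while the same text spilling outside the quotes does.

```python
"""Toy SQL-proxy risk scorer in the spirit of the GreenSQL approach (illustration only)."""
import re

# Commands a web front end has no business issuing; the post notes GreenSQL blocks these outright.
ADMIN_COMMANDS = {"DROP", "CREATE", "ALTER", "TRUNCATE", "GRANT", "REVOKE", "SHUTDOWN"}

_STRING = re.compile(r"'(?:[^']|'')*'")      # single-quoted literal, '' is an escaped quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal


def normalize(sql):
    """Collapse literals and whitespace so queries that differ only in their parameters
    share one pattern. The allow-list is keyed on this pattern, and the risk rules run on
    it so that anything inside a properly quoted string cannot trigger them."""
    sql = _STRING.sub("'?'", sql)
    sql = _NUMBER.sub("?", sql)
    return " ".join(sql.split()).upper()


# (name, regex applied to the normalized text, weight). Weights are assumptions, not GreenSQL's.
RISK_RULES = [
    ("comment sequence",       re.compile(r"--|#|/\*"), 4),
    ("stacked statement",      re.compile(r";\s*\w"), 3),
    ("always-true comparison", re.compile(r"\bOR\s+('\?'|\?|\w+)\s*=\s*\1(?!\w)"), 5),
    ("UNION SELECT",           re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b"), 4),
    ("schema reconnaissance",  re.compile(r"\bINFORMATION_SCHEMA\b|\bPG_CATALOG\b|\bMYSQL\.USER\b"), 3),
    ("time-delay function",    re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\("), 4),
]
BLOCK_AT = 5  # assumed threshold: at or above this the query is dropped, anything above zero is logged


def assess(sql, allow_list=frozenset()):
    """Return a verdict dict for one query. allow_list holds normalized patterns
    recorded during a learning phase (a constructed stand-in for GreenSQL's whitelist)."""
    pattern = normalize(sql)
    if pattern in allow_list:
        return {"verdict": "allow", "score": 0, "reasons": ["learned pattern"], "pattern": pattern}
    score, reasons = 0, []
    for stmt in pattern.split(";"):                      # each statement's leading keyword
        m = re.match(r"\s*([A-Z]+)", stmt)
        if m and m.group(1) in ADMIN_COMMANDS:
            score += 10
            reasons.append("administrative command " + m.group(1))
    for name, rx, weight in RISK_RULES:
        if rx.search(pattern):
            score += weight
            reasons.append(name)
    verdict = "block" if score >= BLOCK_AT else ("warn" if score else "allow")
    return {"verdict": verdict, "score": score, "reasons": reasons, "pattern": pattern}


if __name__ == "__main__":
    # Constructed sample traffic: one learned pattern, then a mix of benign and hostile queries.
    learned = {normalize("SELECT id, name FROM users WHERE id = 7")}
    samples = [
        "SELECT id, name FROM users WHERE id = 42",
        "INSERT INTO notes (body) VALUES ('use -- for comments; OR 1=1')",
        "SELECT id, name FROM users WHERE name = '' OR 1=1 --'",
        "SELECT name FROM products WHERE id = 7 UNION ALL SELECT login FROM users",
        "DROP TABLE users",
    ]
    for q in samples:
        r = assess(q, learned)
        print(f"{r['verdict']:5} score={r['score']:2} {', '.join(r['reasons']) or '-'} :: {q}")
```

Note the second sample: the comment marker and the always-true comparison live entirely inside a quoted literal, so after normalization nothing fires and the insert is allowed, whereas the third sample has the same text outside the quotes and scores well above the block line.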
Ruby on Rails: gem install versus apt-get
UPDATE: Thanks to Ryan, Ant and Fern for the tips. With that in mind I found an online Slicehost tutorial that contained the steps and explained how to install ruby via apt-get, then get the latest rubygems, install that manually, run gem to update itself, then run gem to install rails – as suggested. The steps I took from that page:
(more…)
HOWTO build your own open source Dropbox clone
UPDATE: Thanks to everyone who has contributed to this, and the Reddit thread, as it has provided some great ideas building off of my concept. I’m starting to rethink how we could have version control on top of things, and I’ll update things when I have more to share. Also, does anyone have iFolder (thanks for the proper link) working? It looks like you need SUSE Linux, which I don’t have access to, plus I know most Novell projects need a *ton* of Mono dependencies installed to have any of their stuff working, at least on the server side; but it sounds like they have Mac, Linux and Windows clients, which is encouraging. While for my needs something a bit more ‘close to the bone’ (as below) might be better for the server side, having it be inter-operable with something like iFolder could provide a lot more functionality for others.
First off, if you haven’t tried Dropbox, you should check it out; sync all of your computers via the Dropbox servers, their basic free service gives you 2Gigs of space and works cross-platform (Windows, Mac, Linux). I use it daily at home and work, and just having a live backup of my main data for my work workstation, my home netbook, and any other computer I need to login to is a huge win. Plus, I have various ’shared’ folders that distribute certain data to certain users that I’ve granted access to, this means work details can be updated and automatically distributed to the folks I want to review/use the data. I recommend everyone try it out, and see how useful it is, it’s turned into a game changer for me. So a few months ago they made headlines on supporting Linux as they released the client as open source. While this got hopes up for many, it was only the client that was open source, the server is still proprietary. While slightly disappointing, this is fine, they’re a company trying to make money. I don’t fault them for this, it’s just that a free, portable service like that would be a killer app. (more…)
File system full, but why?
UPDATE: posted my workaround code below, good feedback already from Ryan (djatoka dev) and I’ll be testing the proper fix on the server soon.
I’ve got a server that keeps filling up its disk space and failing to serve images after it gets to the file system full error message. First of all let me say, I don’t blame it in the least, if the admin (aka me) doesn’t do enough to secure the server enough disk space to do its job, I say, let me have it. But after I’ve set the suspect daemon to use a *reasonable* amount of space I stopped thinking of it as the culprit, so when this issue arose again, I looked elsewhere for the cause. Fast forward to today, the server’s file system filled up again, and refused to serve any more data, again, I totally understand where the server is coming from, if it doesn’t have enough disk space to do its job, it shouldn’t have to apologize to anyone; it’s all on the admin (again, aka, me), but what was going on? (more…)
HOWTO: serve jpeg2000 images with a scalable infrastructure
At the Biodiversity Heritage Library, we have replaced a proprietary jpeg2000 image server, that was straining under the load, with a new, open source jpeg2000 server, djatoka. Chris Freeland and Chris Moyers cover the background in far more detail on the BHL Blog, so here I’ll cover my rationale and decisions I made to provide a scalable, stable infrastructure to provide the images as efficiently as possible.
When I started sketching out how I wanted to run djatoka, I knew I wanted it to provide security, caching for performance and scalability, and fault tolerance. Our server runs Tomcat, which I didn’t want to be public facing. Because of this I proxy Tomcat requests through Apache with the use of ajp_proxy, the successor to the old mod_jk. Initially I was using nginx in place of Apache, but after reading about all the functionality and performance improvements ajp_proxy offered, it was a no-brainer; this is how to present Tomcat in a production environment.
HOWTO: disable IPv6 networking in Debian
Tonight I ran netstat (`netstat -plunt`) on my Debian server and saw that I had some ports listening via IPv6. It’s a shame IPv6 hasn’t caught on as it’s better than IPv4 in virtually every way, and it should, especially since TCP/IPv4 was standardized in ARPANET RFCs… in 1981! Also, IPv6 provides network level security via IPSec, which enables authentication of the sender and encryption of the communication path, to secure communications, all fun stuff, but while some point to the fact that the Beijing Olympics used IPv6 exclusively as a point in how far it’s come, that’s hardly saying much when the protocol went Alpha… in 1996! I mean I put things off and get distracted, sure, but come on! So while its adoption can be argued to be a case of the chicken before the egg, since I’m not using anything IPv6, nor do I or my ISP even have the capability to use it, it’s silly and perhaps dangerous to leave it running with open ports. So, if you’re not using it, disable it – it’s easy, just put on your pointy hat and follow along… (more…)
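Before (and after) disabling IPv6, it helps to know exactly which daemons are bound on it, and `netstat -plunt` output is awkward to eyeball because udp lines have one column fewer than tcp lines. Here is a small checker for that output; it is an added example written for this post, not something from the post itself, and SAMPLE is constructed output in the format net-tools netstat prints (if you read from `ss` instead, the columns differ and this parser would need adjusting).

```python
"""List services listening on IPv6 from `netstat -plunt` output (added example, constructed sample)."""
import re

# Constructed sample of `netstat -plunt` output on a Debian box with IPv6 still enabled.
SAMPLE = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1500/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1234/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      2000/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      1800/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1100/dhclient
udp6       0      0 :::5353                 :::*                                1300/avahi-daemon
"""


def parse_netstat(text):
    """One dict per socket line. udp lines have no State column, so take the fixed
    fields from the left and the PID/Program name from the right of the split line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not re.match(r"^(tcp|udp)6?$", parts[0]):
            continue                                    # headers and blank lines
        addr, port = parts[3].rsplit(":", 1)            # ':::22' -> ('::', '22'), '::1:631' -> ('::1', '631')
        pid, _, program = parts[-1].partition("/")      # '-' when netstat was not run as root
        sockets.append({"proto": parts[0], "addr": addr, "port": int(port),
                        "pid": pid, "program": program})
    return sockets


def ipv6_listeners(text, include_loopback=False):
    """Sockets bound on IPv6. netstat shows the unspecified address '::' as ':::port',
    meaning every IPv6 interface; '::1' is loopback only and is skipped by default."""
    return [s for s in parse_netstat(text)
            if s["proto"].endswith("6") and (include_loopback or s["addr"] != "::1")]


if __name__ == "__main__":
    found = ipv6_listeners(SAMPLE)
    if not found:
        print("no IPv6 listeners")
    for s in found:
        print(f"{s['proto']:5} [{s['addr']}]:{s['port']:<6} {s['program']} (pid {s['pid']})")
```

Run it against real output with `netstat -plunt | python3 thisfile.py` after swapping SAMPLE for `sys.stdin.read()`; once IPv6 is disabled as the post describes, the list should come back empty, which is the check worth keeping in your notes.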
HOWTO: install Ruby on Rails on Debian or Ubuntu Linux easily
In the early days of this blog I used to run it on Typo, which *was* a great Ruby on Rails blogging platform (at one time). Unfortunately the project stalled (for years) and I ended up jumping ship after a few months of bugs and the ever crashing Rails server, WEBrick. Yes, if you search Netcraft you could see that was my *exposed* server at the time…not good!
Now if you look, Typo is still kicking, and it *may* be a solid platform now, I hope it is, as I even contributed a ton of the archived themes that live on in the ‘Theme Garden’ there. But on I moved into the world of MySQL/PHP front end sites via great apps like Drupal and WordPress; fast forward, Ruby on Rails is a mature platform now, and I am evaluating webapps at work, so I needed to install Rails on Debian GNU/Linux (but of course these directions would work just as well in Ubuntu Linux). It’s amazingly simple, I took some steps from the Ruby on Rails wiki, first install the dependencies for good measure: (more…)
How to become a hacker
There has long been a movement in the geek community to expunge the negative thoughts attached to the word hacker, the image to the right, The Glider, being one of the latest and most visible. In the beginning there were hackers (people who worked on computers, programmed and made things work) and crackers (people who would use computers for nefarious purposes, crimes, viruses, etc); these were two distinct camps, with some miscreants jumping the fence back and forth to confuse the issue. Regardless, somewhere along the way popular culture (movies, news, your teachers probably) began to equate hacking with the bad, crime ridden activity that cracker was supposed to cover. I think it’s a moot point now, as even my Dad was shocked when he learned my annual DefCon trip is billed as the “largest hacking conference in the world”. I gave him the above explanation, but I’m unsure if he really believes it. Regardless, the original “How to become a hacker” paper written by Eric S Raymond is always cited as the quintessential word on the use of the word hacker. I found it mirrored online, and it’s a worthwhile read if you have any interest in the topic, or want to cement your own views of your hobby. For now, if you don’t want to read the entire verbiage, here’s the intro to learn and take with you. (more…)
HOWTO: conky config (conkyrc) for Debian Part 2
I changed around my Conky config, and it’s something you could do forever, but it’s great because it can be as heavy or light as you want it. Recently I dropped Gnome almost altogether to run Openbox (full HOWTO on this forthcoming). I found a panel that will house things like nm-applet output, but was missing things like a simple clock, network activity, etc. So now, using most of the same code/look that I used here, I have a small, transparent strip at the bottom of the screen showing me time, date, proc, proc temp, network up, network down, and power status (battery, AC and the level of charge). It looks good, it’s light, it’s all I need. Nice to bring some of the memory requirements down from Gnome as well.
# Create own window instead of using desktop (required in nautilus)
own_window true
own_window_hints undecorated,below,skip_taskbar
background no
# Use double buffering (reduces flicker, may not work for everyone)
double_buffer true
# fiddle with window
use_spacer right
use_xft true
# Update interval in seconds
update_interval 3.0
# Minimum size of text area
minimum_size 10000 5
# Draw shades?
draw_shades yes
# Text stuff
draw_outline no # amplifies text if yes
draw_borders no
uppercase no # set to yes if you want all text to be in uppercase
# Stippled borders?
stippled_borders 8
# border margins
border_margin 1
# border width
border_width 1
# Default colors and also border colors, grey90 == #e5e5e5
default_color white
default_shade_color black
default_outline_color white
own_window_colour brown
own_window_transparent yes
# Text alignment, other possible values are commented
#alignment top_left
#alignment top_right
alignment bottom_left
#alignment bottom_right
# Gap between borders of screen and text
gap_x 10
gap_y 5
# stuff after ‘TEXT’ will be formatted on screen
override_utf8_locale no
#xftfont Terminus:size=8
xftfont Terminus:size=10
xftalpha 0.8
#Mail:${color}${execi 300 python ~/scripts/gmail.py}
TEXT${offset 0}${color }${time %H:%M} ${color slate grey}${time %Z }Date: ${color }${time %a, } ${time %e %B %G} ${offset 0} ${offset 0} ${color slate grey}Proc:${color} $cpu%${offset 5}${acpitemp}C${offset 5}${cpugraph 16,100 000000 ffffff} ${offset 0} ${color slate grey}Net:${offset 5}${color}Up:${upspeed wlan0}k/s${offset 5}${upspeedgraph wlan0 16,100 000000 ffffff}${offset 0} ${color}Dn:${downspeed wlan0}k/s${color}${offset 5}${downspeedgraph wlan0 16,100 000000 ffffff} ${color slate grey} Power:${offset 5}${color}${battery}
Try it, you might like it – I’ll keep working on it, I’m sure I’ll find more things to add/improve. Conky rocks.
HOWTO: conky config (conkyrc) for Debian
If you run a Linux desktop you need to be using conky. It compiles all those shiny gadgets you see on other desktops eating system RAM down to what you need: information on what your system is doing. So try it out, install conky, and then drop this into your home directory as .conkyrc – then run conky. The file is pretty self explanatory, enjoy!
HOWTO: automatically reconfigure Xorg in Debian
If you’re like me, you’ve messed up your xorg.conf before and wanted to start over with the default that dpkg-reconfigure can set it to. I’m posting it here because I’ve needed it multiple times in the past and have tired of looking it up! To automatically reconfigure Xorg in Debian or Ubuntu issue the following:
sudo dpkg-reconfigure -phigh xserver-xorg
Then logout/login or restart X via ctrl-alt-backspace. As one who tweaks things a bit more than he should, this has saved me a few times now. Props go to a poster on this page.
Chat on Skype via Pidgin on Linux (or Adium on Mac)
This is a big deal for me, I played with Skype back in the day, but never really used it much since it required a second client, and I have always used Gaim (which is now Pidgin) to consolidate all of my accounts into one client and didn’t want to break out of that mold, but now I don’t have to. Using the Skype API, Eion Robb has created a Pidgin plugin called Skype API plugin for Pidgin/libpurple/Adium. Now I just add my user to the Pidgin accounts tab and I can chat via Skype in Pidgin just like I chat with all my other contacts. Note that you can’t do Skype video calls from Pidgin. Mac users note that you can use this on Adium (my fav OS X chat client), which uses libpurple, the backend for Pidgin, on Mac. So now I’m using Skype again, which is a proprietary app, thanks to them providing an API for the Open Source community to latch on to. Ah, the circle of life…
HOWTO: Configure nginx for Debian / Ubuntu
UPDATE: I’m reworking my config, blending in the security ideas found on camomel.org; they’ve really thought things through on this, and it should make for a very secure environment.
I’m always trying new software, and with the webserver I’ve moved from Apache 1.3 to 2.0 to 2.2, and then later I moved everything over to Lighttpd, which I’ve liked, save for some memory issues that popped up. Now, enter a web server named nginx (engine x), written by a Russian hacker. It’s already proved its mettle by running some of the largest Russian sites for years now. It has the speed of Lighttpd, but with none of that memory weirdness, plus it uses a fraction of the CPU, so scaling should be smooth for highly visited sites. It also does cool things like load balancing, reverse proxy, IMAP and POP proxy, etc, so I can see it being used in a variety of ways on a network. It took me some time to understand how to configure it, which was a case of me just making it harder than it really is, so I wanted to post it here. Look for updates as we go along, but this is currently backing a Production site I manage.
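The config below defines its own `log_format main` (with `$request_time` and `$gzip_ratio` on the end, which the default combined format lacks), and the first thing I wanted once it was in production was a way to pull slow requests and error-heavy clients out of that log. Here is a parser for exactly that format; it is an added example written for this post, not part of the post or of nginx, and the sample log lines are constructed. It assumes nginx escapes any double quote inside a field (modern versions write it as `\x22`), so a field never contains a bare `"`.

```python
"""Parser for the `log_format main` defined in the nginx config in this post (added example)."""
import re
from collections import Counter

# One named group per variable, in the order log_format main emits them.
LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<host>\S+) (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<request_time>[^"]*)" "(?P<gzip_ratio>[^"]*)"$'
)

# Constructed sample lines in that format (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 server.domain.com - [10/Mar/2009:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "0.043" "3.20"
203.0.113.5 server.domain.com - [10/Mar/2009:14:02:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://server.domain.com/" "Mozilla/5.0" "0.002" "-"
198.51.100.9 server.domain.com - [10/Mar/2009:14:03:40 +0000] "POST /upload.php HTTP/1.1" 502 312 "-" "curl/7.18" "12.507" "-"
198.51.100.9 server.domain.com - [10/Mar/2009:14:03:41 +0000] "GET /admin.php HTTP/1.0" 404 169 "-" "curl/7.18" "0.001" "-"
"""


def parse_line(line):
    """Return a typed record for one log line, or None if it is not in main format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    rec["request_time"] = None if rec["request_time"] == "-" else float(rec["request_time"])
    rec["gzip_ratio"] = None if rec["gzip_ratio"] == "-" else float(rec["gzip_ratio"])  # '-' = not compressed
    parts = rec["request"].split(" ")                    # "METHOD /path HTTP/x.y"
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else (None, rec["request"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def slow_requests(records, threshold_seconds):
    """Requests whose upstream (here PHP-FPM on 127.0.0.1:9000) took longer than the threshold."""
    return [r for r in records
            if r["request_time"] is not None and r["request_time"] > threshold_seconds]


def errors_by_client(records):
    """Count of 4xx/5xx responses per client address; a quick way to spot a scanner or a broken client."""
    return Counter(r["remote_addr"] for r in records if r["status"] >= 400)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in slow_requests(recs, 1.0):
        print(f"slow: {r['request_time']:.3f}s {r['method']} {r['path']} -> {r['status']}")
    for addr, n in errors_by_client(recs).most_common():
        print(f"errors: {addr} {n}")
```

The regex is anchored at both ends on purpose: a line that does not match the declared format is dropped rather than half-parsed, which matters when someone later edits `log_format` and forgets the analysis scripts.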
user www-data www-data;
worker_processes 5;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr $host $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent" '
'"$request_time" "$gzip_ratio"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
sendfile on;
tcp_nopush on;
tcp_nodelay off;
keepalive_timeout 65;
gzip on;
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_buffers 16 8k;
#gzip_proxied expired no-cache no-store private auth;
gzip_proxied any;
gzip_min_length 1000;
gzip_types text/plain text/html text/css application/json application/x-javascript
text/xml application/xml application/xml+rss text/javascript;
server {
listen 80;
client_max_body_size 50M;
server_name server.domain.com;
root /var/www;
index index.html index.php;
access_log /var/log/nginx/access.log main;
error_page 500 502 503 504 /500.html;
location = /500.html {
root /var/www;
}
# the dot must be escaped; unescaped, "." matches any character, so the rule would also catch e.g. /fooxgif
location ~* ^.+\.(jpg|jpeg|gif)$ {
root /var/www;
expires 30d;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
}
}
}
4 reasons why Macs are moving into the enterprise
With the barriers lowering, and other market factors creeping in, Macs are slowly making a move into the enterprise. While this may/may not solely be Apple driven, the fact is that people like choices, and the Macs are now far more compatible with other systems than they once were, so finally folks have options. In my recent travels to Woods Hole we had ~14-15 developers from around the world, and there were 4 Macs there. Of course we had the normal thing where someone couldn’t get something working in Windows, Mac folks would chime in with, “just works on a mac” and later when Mac folks couldn’t plug a projector into certain Macs, the Windows folks throw the, “just works in windows”, so it was all in good fun. So while I don’t consider these folks “enterprise” as in working for a corporation, it clearly shows that more people can use what they want, and have IT adapt for their needs. I talked to a friend up there about his MacBook Pro – it’s a beauty of a machine, and he loves it b/c he can do everything he needs, plus run Windows for dev work that you can only do in Windows. Of course if I had such a beast it’d be running Linux, and that’s my argument for buying my Dell laptop; while the Apple is nicer, it was also ~2500$ more than the Dell. Yes, maybe when my work buys me a ‘top I’ll rethink it – but now I’m thinking smaller again – and I really like the X series Thinkpads (used to be by IBM, but now it’s Lenovo – but the same otherwise) and they’ve always had excellent Linux ability. Two devs in WH had those, and I had to borrow them – not to work on them, just to pick them up – nice and light, thin, but with high screen resolution. Of course for a full fledged system like that I could also look at the MacBook which shares most of the Thinkpad’s features – but for a Mac I’d prefer the black MacBook after my long, drawn out suffering with my old iBook…but I digress. Now, what was the question?
Oh yeah, more Macs in the workplace, yeah, it’s how I’ve always said it should be, and it’s more that way now. I run Debian Linux at work now, on my work provided HP desktop machine, on my personal Dell laptop when I bring it, on my Development server, and (soon) on my production server. What kind of support do I need from IT? Gimme an IP and a gateway IP and I’m all set. So, in conclusion, I believe four reasons for Apple’s success with people using more Macs at work is due to the following reasons:
- x86 processor which allows the bridge to those who still *think* they need Windows.
- Microsoft’s epic fail with Vista has frustrated users to no end, witness the stay of execution XP has received from Dell.
- Apple’s awesome design sense, which cannot be duplicated, puts it in that “wow, gotta have that gadget” bucket
- and lastly (and maybe to a lighter extent) the fact that Darwin is a Unix derivative, so *geeks* can use it and get the same thrill they do via Linux. I’ve seen this not only on my trip, but to the annual DefCon, where Macs are shown alongside the blocky black laptops of yore.
Look, business is like everything else, to survive it must evolve. Plus, choice is freedom, which makes it an inherent human desire. Wouldn’t you rather work somewhere that allowed, and TRUSTED, you to work with whichever OS you preferred?
Open Source is good for you
A recent study by a tech group talks about not only there being a positive monetary benefit for IT workers to know Open Source, but a more fulfilling sense of purpose as well. While this tells me nothing I don’t already know, it’s something that’s important as the next wave of IT geeks start knocking on the doors. “Want to make more money as an enterprise application developer? You’re in luck–if you know open source. According to a recent report from Bluewolf Consulting, enterprises increasingly deploy open-source software, and look to specialized application development on top of it, to drive business value:
The rise of open-source software in application development puts developers with a specialization in those technologies in a position to ask for a 30 (percent) or 40 percent pay increase, Kirven says. “We’ve gotten more requests from our permanent-placement division for open-source developers in the last six months than in the last five or six years combined,” he says. “It’s not as easy as getting free software; someone has to get it up and running. LAMP is everywhere now–these types of technologies no one heard of 18 months ago are all the sudden becoming a hot commodity.”
Indeed. Not only does open source bring developers more money, but it also apparently brings them more satisfaction. Jon Williams, chief technology officer of test preparation company Kaplan, made it very clear in an audio clip a month ago that open source is one of his best retention tools. Let people do interesting work, and they stick around. Make them mindlessly monitor that Windows machine, and they’ll bolt.
HOWTO: sound after hibernate in Linux (Gutsy/Lenny)
With all the tweaking to get my Dell Vostro 1500 working with Ubuntu, it’s still been an annoyance to get sound working every time after hibernation. It goes to sleep fine, it wakes up fine, it obeys all of the power preferences I defined within Gnome fine too, it’s just that when it comes out of hibernation, the sound is usually off. It’s not muted, it’s off. Trying to restart alsa (the sound server) is a lesson in frustration, so until now I’ve been ignoring it since it was rare that I would need it, but still…come on. This week I came across a solution in the Debian Forums that creates a new task for Linux to do before it shuts down and before it starts up: “Create the file /etc/pm/sleep.d/49sound…
mkdir -p /etc/pm/sleep.d
vi /etc/pm/sleep.d/49sound
with the following contents:
#!/bin/sh
# pm-utils hook: called with "suspend"/"hibernate" before sleeping and "resume"/"thaw" after waking.

# Kill anything holding the sound devices open, otherwise the driver module cannot be unloaded.
kill_sound_apps() {
pidsnd=$(lsof | grep /dev/snd | awk '{ print $2 }')
pidmixer=$(lsof | grep /dev/mixer | awk '{ print $2 }')
piddsp=$(lsof | grep /dev/dsp | awk '{ print $2 }')
# kill with no arguments is an error, so only call it when something was found
if [ -n "$pidsnd$pidmixer$piddsp" ]; then
kill $pidsnd $pidmixer $piddsp
fi
}

case "$1" in
hibernate|suspend)
# going down: stop the sound users and unload the Intel HDA driver
kill_sound_apps
modprobe -r snd_hda_intel
;;
thaw|resume)
# coming back: reload the driver
modprobe snd_hda_intel
;;
*)
;;
esac
exit $?
Then just make it executable:
# chmod +x /etc/pm/sleep.d/49sound
So before shutting down, Linux properly shuts down the sound, and when it comes back up, it properly starts the sound. As always, this *should* work, but the fact that it hasn’t been updated in Ubuntu Gutsy is one of the reasons I’m shifting to Debian Lenny on this ‘top.
NOTE: yes, I am thinking of making Ignignokt my official HOWTO mascot. “Using a key to gouge expletives on another’s vehicle is a sign of trust and friendship“
Software support must evolve with Open Source
As an IT contractor I’m enjoying giving my opinion when asked, and sometimes even when I’m not asked; I have the confidence to be open and honest with everyone and want them to know that. Because of this I’ve been getting to do things I otherwise would not have, since they would not have known I was interested or experienced in such things. One of the things I was hired for was to set up Apache on Linux to work with their web instances. It’s been fun, and while I’ve used Apache for over 10 years, there are always new things to learn. Recently they asked for my opinion on ’support’ options for Apache. Keeping in mind that they already have support for the hardware and support for the Linux distribution, they still think they need another support channel for Apache. To me this is a big waste of money, and I have somewhat made my case to them. While I understand their position that this support is a way to cover themselves if Apache ‘breaks’, the fact that this software is Open Source has to change the way they have traditionally considered support.
While looking for something else, (which is mainly when I find *other* interesting things) I found an article which included links for four free Linux eBooks. This is a great resource for anyone with some Linux experience, back to others who may be looking to get started with tux, and I would have loved to have this when I started, but that was before the Internet was available to most people. So, if you’re new to Linux, or want to get started (I used 
Day one, Obama calls for open government
Obama, keeping it real, as promised!
UPDATE: the memo is already posted on the whitehouse.gov site for anyone to review! How refreshing!
During this, his first day in office, President Obama called for open government, and issued a memorandum which spells out how to approach the Freedom of Information Act (FOIA) “with a clear presumption: in the face of doubt, openness prevails.” This presumption of openness is in direct contrast with limits the Bush administration put in place, a fact driven home by the last line of the memo:
Sec. 6. Revocation. Executive Order 13233 of November 1, 2001, is revoked.
Now we’re talking! More of the memo reads:
But wait, there’s more… (more…)
Jan 22, 2009 | Categories: commentary, headline, obama, politics | Tags: barack obama, foia, linux, Microsoft, obama adminstration, open software, open source technologies, privacy, Scott McNealy | Comments