You may be browsing through my site, or maybe you came here because you’re looking for a PHP programmer. Allow me to introduce myself. I am Adam Palmer, and I’m a freelance website security consultant, developer, and, of course, a PHP programmer. I’m willing and able to do most any web, Linux, or hosting-related project.
If you have something along those lines that needs to be done, simply contact me, and we can discuss your needs in greater detail.
In addition to doing this sort of work, I run APNIC Solutions, Ltd., which is a leader in network and business integration. You can be confident that when you hire me for your PHP, web, or other needs, you are getting a competent, skilled industry leader who will do a smashing job for a reasonable fee.
Feel free to browse through my blog and read my articles on a variety of PHP and security topics. Then, get in touch with me to see what I can do for you! If all you need is a consultant to point you in the right direction and help you get to the finish line, I would be more than happy and honoured to be that person.
Tags: Linux, PHP, php programmer, web, website security consultant
A system administrator’s work is never done, especially with DDoS attacks and other security concerns. How do you block traffic from malicious sources? With the iptables command line program, it’s quite easy for an administrator to set up rules based on IP addresses or blocks of addresses.
Rather than discuss the details of the program, let’s discuss the value of installing it on your server in the first place. The rules are easy to set up, and in essence, you can easily block traffic from sources that have proven to be malicious. In theory, you could block traffic on a preemptive basis, such as refusing traffic from blocks belonging to certain ISPs or countries. The problem with this approach is that you run a severe risk of blocking legitimate traffic.
Tags: bfd, brute force, command line, ddos, iptables, Linux, security
Linux kernels now support encrypted filesystems. Setting one up should take 5 minutes, or 3 hours if you’re like me and can’t read.
Firstly, install the right tools: apt-get install cryptsetup
Make a new partition, and initialize it with: cryptsetup luksFormat /dev/sda3
Where /dev/sda3 is your newly created partition. (luksFormat takes only the device; ‘mycrypto’, used below, is the name you give the container when you open it.)
You will be prompted to type YES in uppercase to confirm your understanding that your partition is about to be wiped. If, like me, you type ‘yes’ in lowercase, it will fail with “Command Failed.” You’ll then spend hours checking for loaded kernel modules and log files, and trawling Google for more information. The answer is to type ‘YES’ in uppercase, as you’re told.
Enter a passphrase, and you’re ready to go.
Next, ‘open’ the container: cryptsetup luksOpen /dev/sda3 mycrypto. Enter the passphrase, and you should at this point end up with a /dev/mapper/mycrypto
Format it with your desired filesystem: mkfs.ext3 /dev/mapper/mycrypto
Then, you can mount /dev/mapper/mycrypto as you would any other block device: mount /dev/mapper/mycrypto /mnt/my_mount_point
To close the container:
umount /dev/mapper/mycrypto
cryptsetup luksClose mycrypto
Easy.
Tags: crypto, cryptsetup, Linux, luks, mount, umount
Compiling a program doesn’t protect it or necessarily hide the source. Take the following example C program. It serves no real life purpose and should never print anything to the console:
#include <stdio.h>
#include <string.h>

int main(void)
{
    const char *password = "secretpassword";
    const char *otherpassword = "othersecretpassword";
    /* The two literals differ, so this branch is never taken... */
    if (!strcmp(password, otherpassword))
    {
        printf("This will never get evaluated");
    }
    return 0;
}
Assembling the code with gcc -S test.c leaves test.s. The important point is that all the strings remain intact:
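As an added example (mine, not code from the original post), the following C program implements the core of the strings utility and runs it over a constructed byte blob standing in for the compiled test binary; fake_image, extract_strings and scan_fake_image are names chosen here. It recovers both literals, which is exactly why compiling hides nothing that was stored as a plain string.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_STR 64
/* Constructed stand-in for a compiled binary: header- and code-like bytes
   with the two literals from the program above embedded as .rodata would. */
static const uint8_t fake_image[] =
    "\x7f" "ELF" "\x02\x01\x01\x00\x00\x00" "\x48\x83\xec\x08"
    "secretpassword\x00" "\x01\x02" "othersecretpassword\x00" "\xc3";
static char found[8][MAX_STR];   /* filled by scan_fake_image() */
/* Copy each run of at least min_len printable ASCII bytes in buf into out
   (the core of what `strings` does); returns the number of runs stored. */
size_t extract_strings(const uint8_t *buf, size_t len, size_t min_len,
                       char out[][MAX_STR], size_t max_out)
{
    size_t count = 0, run = 0;
    char cur[MAX_STR];
    for (size_t i = 0; i <= len; i++) {       /* i == len flushes the tail */
        int printable = i < len && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable) {
            if (run < MAX_STR - 1)            /* longer runs are truncated */
                cur[run] = (char)buf[i];
            run++;
            continue;
        }
        if (run >= min_len && count < max_out) {
            size_t n = run < MAX_STR - 1 ? run : MAX_STR - 1;
            memcpy(out[count], cur, n);
            out[count][n] = '\0';
            count++;
        }
        run = 0;
    }
    return count;
}
/* Scan the constructed image; returns how many literals were recovered. */
size_t scan_fake_image(size_t min_len)
{
    return extract_strings(fake_image, sizeof fake_image, min_len, found, 8);
}

int main(void)
{
    for (size_t i = 0, n = scan_fake_image(4); i < n; i++)
        printf("%s\n", found[i]);             /* prints both passwords */
    return 0;
}
```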
Tags: C, gcc, Linux, ls, reverse engineering, strings
Setting up an LVM filesystem is quite easy assuming you have the right tools installed and a recent kernel. LVM has a lot of advantages, most notably the ability to take snapshots of the current filesystem – this is why LVM is often used in live database environments.
Assuming a Debian Lenny machine, get the relevant packages. Some may already be installed: apt-get install lvm2 dmsetup mdadm
In this example, we will assume that /dev/sda is your boot drive, and that you want to leave it out of your LVM array, but include /dev/sdb and /dev/sdc. Both /dev/sdb and /dev/sdc should be of equal size.
Firstly, using fdisk, remove any existing partitions with ‘d’ on /dev/sdb and /dev/sdc, and create one new partition to span each drive. Change the partition type to ‘8e’, which is the LVM type.
Now prepare your physical disk for LVM with the ‘pvcreate’ tool:
pvcreate /dev/sdb1 /dev/sdc1
Note that you can reverse this with pvremove. You can also use pvdisplay now to display information on all physical volumes.
Oh – you do realise that you can use /dev/mdX just as easily to create LVM on your RAID devices?
Now, we need to create a ‘volume group’: vgcreate myvg /dev/sdb1 /dev/sdc1
Tags: dd, ext3, kernel, Linux, lvcreate, lvdisplay, lvm, lvremove, mkfs, mount, pvcreate, pvdisplay, pvremove, resize, tar, vgcreate, vgdisplay, vgremove, xen
Installing and Configuring Xen on a Debian Lenny machine is pretty easy. Firstly, install the system:
apt-get install xen-tools xen-utils-3.2-1 xen-linux-system-2.6.26-2-xen-686
xen-linux-system-2.6.26-2-xen-686 comes with the Xen kernel that you’ll need. It should install a new kernel as the default, and therefore you’ll now need to reboot.
Once rebooted, issue uname -a to ensure that your new Xen kernel is running:
You now have Xen installed! Now, you’ll need to make a few changes. Firstly, none of my new guest VMs had a working console; apparently this is a known issue in Lenny with Lenny guests. The workaround is to change the inittab on the guest. I wanted to create guests without modifications, so in this case, I edited /etc/xen-tools/xen-tools.conf and uncommented:
#serial_device = hvc0 #default
It’s listed as the default, but uncommenting this seemed to solve my issues.
Now, you’re ready to create your first guest:
Tags: apt-get, debian, lenny, Linux, uname, xen, xm
I’m going to write 3 articles next, the first on installing Xen on a Debian Lenny host (Dom0) with Debian Lenny guests (DomU) on a regular loopback filesystem. Next I’m going to write about setting up LVM with some basic working examples, and then finally how to move your Xen over to LVM once you realise that you don’t want loopback. This is the same order in which I performed my installation, and covers Xen setup, LVM setup and migration from loopback to LVM, which is a valid upgrade path. My Xen installation is entirely automated. Watch this space.
Tags: debian, lenny, Linux, lvm, xen
Here’s a very brief example of how to use setuid() and setgid() functions in your C program.
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* Real UID of whoever ran us; if the binary is installed setuid root
       (chown root, chmod u+s) the effective UID is already 0. */
    uid_t current_uid = getuid();
    printf("My UID is: %d. My GID is: %d\n", (int)current_uid, (int)getgid());
    system("/usr/bin/id");
    if (setuid(0))
    {
        perror("setuid");
        return 1;
    }
    /* I am now root! setuid(0) from an effective UID of 0 set the real,
       effective and saved UIDs all to 0. */
    printf("My UID is: %d. My GID is: %d\n", (int)getuid(), (int)getgid());
    system("/usr/bin/id");
    /* Time to drop back to regular user privileges. Because the effective
       UID is 0, this resets all three UIDs, so the drop is permanent. */
    if (setuid(current_uid))
    {
        perror("setuid");
        return 1;
    }
    printf("My UID is: %d. My GID is: %d\n", (int)getuid(), (int)getgid());
    system("/usr/bin/id");
    return 0;
}
The program above should be pretty self-explanatory, now:
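As an added example (mine, not from the original post), here is the privilege drop the program above performs, written the way a setuid program should do it: supplementary groups cleared first, setgid before setuid, every return value checked, and the drop verified before continuing. drop_privileges and demo_drop_privileges are names chosen here, and 65534 as the uid/gid of nobody is an assumption.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root, in the order that works: supplementary groups
   first (only possible while still root), then the group id, then the user
   id last, since after setuid() the process can no longer change groups.
   With an effective UID of 0, setgid()/setuid() reset the real, effective
   AND saved ids, so the drop cannot be undone. Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* Verify: after a correct drop, root cannot be regained. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid || getgid() != gid)) {
        fprintf(stderr, "privilege drop incomplete\n");
        return -1;
    }
    return 0;
}

/* Drop to 'nobody' (uid/gid 65534 on Debian; an assumption) when root, or
   to the caller's own ids when already unprivileged, which still exercises
   every check above. Returns drop_privileges()'s result. */
int demo_drop_privileges(void)
{
    int root = geteuid() == 0;
    return drop_privileges(root ? (uid_t)65534 : getuid(),
                           root ? (gid_t)65534 : getgid());
}

int main(void)
{
    printf("before: uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    if (demo_drop_privileges() != 0) return 1;
    printf("after:  uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```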
Tags: C, gcc, Linux, setgid, setuid, System
As a Linux Security Freelancer, I’m often asked where best to start when securing a single Linux host. Whereas most would suggest configuring iptables or similar, the most effective first step in my opinion is to remove unnecessary services.
There are a number of methods that you can use to show open sockets at least:
lsof -U will list open UNIX domain sockets
nmap -sT -sU localhost will scan your local machine for open TCP or UDP ports
netstat -a | grep LISTEN will show all listening sockets.
Forgive me for stating the obvious, but the first thing to do is disable any open sockets or services that aren’t required. On a default install, this could include the likes of the portmapper service, identd and an smtpd.
Next, you want to suitably lock down user accounts, check passwords, and perhaps consider enforcing a secure password policy. At minimum I generally prefer at least 8 characters, with at least one uppercase letter, one lowercase letter and one digit. Obviously this shouldn’t be easily guessable, nor should it just end in a ‘1’.
Once done, the next thing that you want to do is to suitably firewall the services that you do require open, and perhaps also restrict the rate of ICMPs, etc, with iptables.
Tags: buffer overflow, freelancer, icmp, identd, iptables, Linux, linux security freelancer, lsof, netstat, nmap, node, ping, portmapper, root, security, Security Consultant, setuid, smtpd, suid
Using hdparm it’s pretty easy to find out your disk’s read speed. hdparm is actually an entire IDE/SATA management utility.
Firstly, ensure that you have the tool – apt-get install hdparm
Once done, quite simply use hdparm with -t or -T options to time buffered reads and cache reads respectively. Be VERY careful about other options that hdparm offers, some are very dangerous and can completely corrupt your data.
apnic03:~# hdparm -t /dev/sda
/dev/sda:
Timing buffered disk reads: 200 MB in 3.00 seconds = 66.57 MB/sec
apnic03:~# hdparm -T /dev/sda
/dev/sda:
Timing cached reads: 4372 MB in 2.00 seconds = 2187.38 MB/sec