Tag Archives: Security

Server setup: Setting up a firewall

A firewall is a basic filter that can provide an efficient protection to your server by only allowing the traffic in and out as the rules of the firewall allows it. Setting up a firewall on a Ubuntu Linux server does not need to be complicated – in fact the one used in this example is called “uncomplicated firewall”.

To get the firewall up and running make sure it’s installed through the package manager. Login and switch to a root shell, then install the firewall with this command:

apt-get install ufw

If everything goes okay, the firewall is installed but not configured nor enabled.

Firewall Configuration

I find the easiest way to mange the firewall is through a little script in the root home directory. The beginning script could look something like this:

1
2
3
4
5
6
#!/bin/sh
ufw reset
ufw allow from 127.0.0.1
#ufw allow ssh
ufw enable
ufw status

Line 2 resets any existing configuration rules in the firewall.

In line 3 you should change the 127.0.0.1 to you own fixed IP address if you have one (you really ought to). This line will allow any traffic from you ip-number into the server (assuming there is something able to receive it naturally).

If you haven’t a fixed IP number line 3 should be removed and line 4 used instead. It allows SSH connections from any outside IP-number to knock on the door – then well rely on the SSH daemon (and the configuration of this) to reject any unwanted visitors knocking on the server.

Line 5 enables the firewall and line 6 prints a list of the current status and configuration of the firewall.

Depending on what you are using your server to do, you’ll probably need a few more lines in the firewall script. If you’re running a webserver, you should at least add a line (just above the “ufw enable” line) allowing web traffic to pass through the server:

utf enable www

Are you using https on you’re webserver? – then you need to allow that too:

utf enable www

The simple enable lines above are suitable for “publicly accessible services”. If you’re running something the whole world should be able to use, UFW allows for that too. The Community documentation on UFW over at the Ubuntu site is quite helpful.

PHP best practice: Function Parameters

I’ve been developing web applications for some years now, and while I make no claims to being the world greatest developer, I do figure, that I do have some solid experience which may help others – or at least encourage thoughts and discussion. This is the first in a series of posts, and while it may be from a PHP developers point of view, it may applicable to other programming languages, and maybe even beyond web applications. Here are my four tips on function parameters.

Always have a default value on all parameters

Functions parameters are often used as input to SQL queries, calling webservices or computations. Null or non-existing values often tend to break these things and throws horrible messages to the end-user.

While the parts of the program using your function always should provide proper values, laziness, oversights or unexpected scenarios, may prove it not to be the case. If at all possible, always try to provide default values on all parameters to a function – and if you really can’t make sure it’s handled gracefully.

Choose reasonable defaults

When providing default values, don’t choose extremes. If you’re browsing in a list of usernames, don’t use a (pure) wildcard as default value – use an “A” to list all users starting with the letter A. If you’re function allows a limit on the number of rows returned form a database query (say for paging purposes), set the default to 10, 20 or some other low number, don’t go for worst case scenarios like 9999, or 999999.

If the developer using the function needs plenty of rows, it’s easy to pass a specific value, and if the developer forgets to specify the number of rows, expected, they get a reasonable result, which may help them to ask for more (if actually needed).

Always sanitize input

Even though a given function naturally only will be used with valid input and so on, every function should take steps to secure them selves.
One of the most basic steps is to make sure all input is sanitized. Protecting your function from making SQL injection threats or other security issues, is not the responsibility of the places utilizing the function, but the responsibility of the function it self, and thus it should take steps to make sure it doesn’t introduce security issues.

As basic validation of simple input parameters, look at the ctype functions in PHP. If you can always try to validate against a whitelist (which characters are allowed) instead of blacklists (these characters are not allowed) as missing things which may introduce issues in a black list is harder, than allowing what you expect, to pass through.

Accept an array of key value pairs

If a simple function accepts a single or two parameters, they may be passed as regular parameters, but once the list of possible parameters starts to grow, changing it a single parameter – which is an array with key/value-pairs, seems to be a much more solid long-term solution on keeping the interface developer friendly. Sure you can have endless lists of 10-15 parameters, but if you have default values on the first 14 values and just need to change the last, the code ought to be much more clean by being able to pass an array with the single key/value-pair needed to be changed from the default value.

That was the first four tips on function parameters. More on PHP and Security.

Browser handling of broken includes in an Ajax world?

In this mordern web 2.0 age, javascript includes are used more and more – and in some cases solutions often depend on included content from 3rd parties. While it is nice these 3rd parties may provide us with data (such as the latest tweets from twitter), it would be quite nice, if issues on their server didn’t break the fancy page we’re building.

So the question is this: If you build a page and include javascript from foreign scripts, will error messages on their part break your site? We’ve made the assumption, that the Web2.0 page will degrade gracefully, so that the content/functionality of the javascript-includes is just extra frosting, not needed to use the page

We did a simple little test, and in the most common browsers, a server error (that is an errror signaled in the http-header status code), will just cause the browser to ignore the included content. If the header is a “200 Ok” header, the content will break.

The answer, no – assuming, that their servers provides a http-header, that signals error. If you have a few spare seconds, please visit the test page, and if your browser reports a javascript error, please leave you browser (make and model) and operating system in a comment below.

Ubunutu Uncomplicated Firewall

I’m still enjoying the fresh new Ubunutu 9.04, and one of the nice new features is a firewall – which Canonical calls “Uncomplicated Firewall”. I’m usually not hooked on firewalls, but just for the fun of it I enabled the firewall on my laptop and it seems to work quite well. The firewall doesn’t seem to have any noticeable impact on system performance and as the laptop from time to time visits open wifi’s, it’s probably a good idea to have protection from other users on open networks.

Installing the firewall

The firewall should be available by default, but there isn’t a GUI application installed for the firewall. Open your favorite package manager and install the “gufw” package.

sudo apt-get install gufw

Ouncomplicated_firewallnce installed the firewall can easily be turned on and of – and controlled from the System -> Administration -> Firewall configuration menu item.
I set the current configuration to “Deny incoming traffic” and enabled the firewall (beneat the shield). This is probably all most desktop users needs to do.
On my laptop, I am running a SSH server. I do this as a way to fetch files I may have forgotten on the machine when leaving the laptop at the office – or use it as a jumpstation to other machines.
Adding a rule in the firewall, which allows incoming SSH traffic was a simple matter of choosing the “preconfigured” tab, and there adding a rule allowing SSH traffic.

The firewall can be configured with much more advanced options, but if you really need that, you probably (or hopefully) know what to do, but for regular users having an easy to use firewall and an uncomplicated interface to manage it, is just great and one of the cool new features of Ubuntu 9.04.

Security can be easy

It’s often the case that security is an inconvenience and gets in the way of usability and ease of use. There are exceptions though and for a number of weeks I’ve been playing with the Yubikey (thanks to Schack) from Yubico.

It’s a small device, which plugs into a USB port, and to the computer acts as a keyboard. It has some advanced security build-in with the ability to generate one-time verifiable passwords, but is incredible easy to use – plug it into the USB port and press the single button when you need to sign in to services supporting the Yubikey.

I’ve been useing it with OpenID sign-ins and WordPress logins, and it’s worked flawless everytime. The only important thing is to remember the Yubikey – without the little hardware token, you’re lost. If you need a secure sign-in solution, listen to security now to get the technology explained and contact Yubico, it’s seems to be as affordable as it is easy to use (and no, the post isn’t paid or sponsored, nor do I know anyone at Yubico).

Keeping the software current Windows

Modern computers contains al lot of software. A fully updated fresh windows installation contains well over 50.000 files – and before it being “usable” with the most common applications, plugins, addons and extensions for the software you use on a daily basis, you’ve probably added so much more, that you’ve completely lost count of what’s been installed.

It’s a pretty bad situation in terms of security and software maintenance/updating.

WindowsUpdate has come part of the way. It’s easy and simple for even common users to use and stay fairly current with the core windows system, but it only covers a small piece of the puzzle. While most windows machines I’ve encountered seem to have Office installed, WindowsUpdate doesn’t cover it – OfficeUpdate does, but how many people know of that? – and run it on a regular basis?

Some software (a lot it seems) have build-in phone-home functions, which allow them to check for updates on a regular basis – if it’s available and you have enabled the checks, another piece is solved.

Wouldn’t a one-stop solution seem much nicer?

Well it seems Secunia has come very close to providing just that with the Secuina PSI.
The PSI – Personal Software Inspector – is a little scanner, which scans your hard drive for installed software (windows, office, drivers, applications, utilities) and checks it against a database with software versions and security issues in the various versions. If it finds issues, it describes the issue and provide links to where updates for the software can be found.

I’ve played a with it while migrating one of the Windows Machines at home to new hardware, and so far it’s been quite impressive. Give it a try – it’s available for personal use  from Secunias website.

A note on Tinyurl and security

It seems some websites produce horrifically long url’s and others (such as twitter) imposes some strict boundaries, which has created the need for sites such as tinyurl.com. With tinyurl you can post a long (even really long) url on the site and have a short (redirect through tinyurl) instead. It’s pretty smart, but I really don’t like being redirected to a secret destination.

On tinyurl.com they luckily have an option (if you have cookies enabled) which allows you not to auto-redirect. Instead you reach a page on tinyurl.com, are shown the destination and must click proceed to go on to the destination.

While I’m not using internet explorer, and shouldn’t be receptive with too many browser bugs, trojans and other malware, it’s quite nice to be able to check the destination when being redirected through a popular redirection site.

Create a random password with PHP

Some websites require access control, and sometimes you may need to generate a password for a user. Here’s a simple function that can do just that.

The $base-variable contains the characters allowed in the password. The supplied string may be changed, but the selected charaters should exist on all keyboards (as far as I know). When calling the function, you can specify the lenght of the password you want. Simple, right?

1
2
3
4
5
6
7
8
9
10
function makePassword($desiredLenght = 8) {
$password = '';
$base = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
 
for($i=0;$i<$desiredLenght;$i++) {
$password .= $base[(rand(0, (strlen($base)-1)))];
}
 
return $password;
}

Cracking the Cryptex with PHP

In the book “the Davinci Code” there was a fun little device called a cryptex.. A Cryptex has 6 dials with 6  letters on each, and only one combination producing a word will open it. The most straight forward way to crack it would be to try every combination one by one, but there’s a substantial number of combinations and we know only those which a valid words is a candidate.

With PHP, a few nested loops and the aspell interface available, cracking the code is simple matter:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$pspell_link = pspell_new("da"); // Bring in the dictionarry
 
$array1 = Array("K", "M", "A", "D", "T", "J");  // First dial
$array2 = Array("B", "H", "R", "W", "Y", "E");
$array3 = Array("S","O","L","F","V","C");
$array4 = Array("X","T","N","U","Z","P");
$array5 = Array("E","D","Z","T","G","I");
$array6 = Array("N","G","L","D","Q","K");
 
foreach ($array1 as $a1) {
foreach ($array2 as $a2) {
foreach ($array3 as $a3) {
foreach ($array4 as $a4) {
foreach ($array5 as $a5) {
foreach ($array6 as $a6) {
$word = $a1 . $a2 . $a3 . $a4 . $a5 . $a6;
if (pspell_check($pspell_link,$word)) { // is the word in the dictionary?
echo $word;
echo "<br>";
}
}
}
}
}
}
}
 
exit();

This script prints out a list of all valid (Danish) words, that can occur with the given combination of letters.

Validation: black or white list

When you’re validating data – either client- or serverside – there are basically two strategies you can choose between. You can either blacklist data or white list data. Blacklisting seems to be the most popular way to validate data, but white listing is so much better. Here’s a brief description of the two strategies and why the white listing is better.
Continue reading Validation: black or white list