Following on from The Hooded Apache, I thought it was about time to cover Nginx configuration.
Nginx is not exempt from security issues, and as with Apache certain versions can be vulnerable to specific attacks, so the first line of defence is to hide your nginx version.
This can be done via:
server {
server_tokens off;
...
}
This changes the output from
Server: nginx/1.0.12
To
Server: nginx
You could, if you are so inclined, change the server string in the C code itself.
Standard responses can sometimes be used for service fingerprinting, so error documents could still give away your running server version even if you edit the header code as above. This too can be done by modifying the C code so that each error page returns “”, in which case you will need to edit
src/http/ngx_http_special_response.c
...
static char ngx_http_error_301_page[] = "";
I’m not going to list all of them; you should get the idea from the example above. However, this is not really required, as you can also swap out the default error pages with standard configuration:
error_page 404 = /path/to/custom/404.html;
A strong Front …
Nginx often gets used to proxy other services, so you could be revealing the backend technologies in use because the backend server sends headers such as X-Powered-By.
This is where, in your proxy configuration options, you can have nginx intercept and remove the headers being sent by the backend.
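The check a practitioner would run after applying the above, added here as an example and not code from the original post: it inspects a raw HTTP response for a versioned Server header, a version string in the error-page body, and backend headers such as X-Powered-By (the nginx directive that strips those on the proxy path is proxy_hide_header). The two sample responses are constructed; the live variant assumes curl is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: check a raw HTTP response
# for the three disclosures the post hardens against: a versioned Server
# header, a version string in the error-page body, and backend headers
# such as X-Powered-By passed through the proxy.

# check_response RAW_RESPONSE -> one line per finding on stdout, exit 0 if clean
check_response() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        BEGIN { inbody = 0; leaks = 0 }
        # the first empty line separates headers from body
        inbody == 0 && $0 == "" { inbody = 1; next }
        inbody == 0 {
            i = index($0, ":")
            name = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            if (name == "server" && val ~ /\//) {
                print "Server header reveals a version: " val; leaks = 1 }
            if (name == "x-powered-by") {
                print "backend technology leaked via X-Powered-By: " val; leaks = 1 }
            next
        }
        # default nginx error pages embed "nginx/<version>" unless replaced
        /nginx\/[0-9]/ { print "response body reveals a version: " $0; leaks = 1 }
        END { exit leaks }'
}

# check_url URL -> fetch headers and body with curl and run the same checks
check_url() {
    check_response "$(curl -s -i "$1")"
}

# Constructed sample: a default 404 from a proxied PHP backend, before hardening.
BEFORE='HTTP/1.1 404 Not Found
Server: nginx/1.0.12
X-Powered-By: PHP/5.3.3
Content-Type: text/html

<html><body><center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.0.12</center></body></html>'

# Constructed sample: the same request after server_tokens off, a custom
# error_page and proxy_hide_header X-Powered-By.
AFTER='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html

<html><body>Not found.</body></html>'

check_response "$BEFORE" || echo "BEFORE: leaking"
check_response "$AFTER" && echo "AFTER: clean"
```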
In this post I will cover growing the file system of a guest instance running under KVM on Linux.
For this you will require the following Packages:
libguestfs-tools
guestfish
Shut down the instance
In order to grow the disk we must shut down the instance; this can be achieved with a simple virsh shutdown instance_name. Try to avoid running virsh destroy, as we want a clean filesystem to avoid issues in the resize.
Get current image information
After the instance has shut down we can go ahead and get some information on the disk configuration:
virt-filesystems --long --parts --blkdevs -h -a centos_centos6.qcow2
Name Type Size Parent
/dev/sda1 partition 200M /dev/sda
/dev/sda2 partition 9.8G /dev/sda
/dev/sda device 10G -
As can be seen here, there is a single 10GB virtual disk residing on /dev/sda.
virt-resize
We must then create a destination disk image of the required total size:
qemu-img create -f qcow2 outfile.qcow2 150G
I have opted to use the --expand flag; if this is not specified, a new partition is created to occupy the free space. Refer to man virt-resize for more advanced options, such as splitting the free space to grow existing partitions (e.g. expanding the boot partition by 100M).
Go make a coffee as this step will take a while to complete.
Finishing up
If you were to start the instance back up now using outfile.qcow2 as the disk image, you would find the OS reports the original disk size. This is due to the LVM configuration, which we cannot change “online” (unless of course you are changing a partition that can be unmounted, which is not the case here).
We will use guestfish to complete the process.
guestfish --rw -a outfile.qcow2
Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.
Type: 'help' for help on commands
'man' to read the manual
'quit' to quit the shell
><fs> run
><fs> list-filesystems
/dev/vda1: ext4
/dev/VolGroup00/LogVol00: ext4
/dev/VolGroup00/LogVol01: swap
><fs> lvresize-free /dev/VolGroup00/LogVol00 100
><fs> resize2fs /dev/VolGroup00/LogVol00
><fs> e2fsck-f /dev/VolGroup00/LogVol00
><fs> exit
virt-df -h outfile.qcow2
Filesystem Size Used Available Use%
centos_el6_php53_lap:/dev/sda1 194M 52M 132M 27%
centos_el6_php53_lap:/dev/VolGroup00/LogVol00
146G 1.1G 137G 1%
Your LVM configuration may differ; change the above according to the output from list-filesystems.
Note: I run e2fsck-f as a precaution; this is not a required step, though I highly recommend doing it.
Now finally swap out the images (or update the libvirt XML file, it’s up to you).
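The whole procedure above as one script, added here as an example rather than taken from the post: it refuses to touch a domain that is not cleanly shut off, reads the LV name out of the image instead of hard-coding it, and runs the same guestfish steps. It assumes the tools used above (virsh, virt-filesystems, qemu-img, virt-resize, guestfish, virt-df) are installed, and the caller passes the partition to expand (/dev/sda2 in the listing above) explicitly.

```shell
#!/bin/sh
# Added example, not the post's own code: the shut down -> virt-resize
# --expand -> guestfish procedure as one script, with the checks a
# practitioner wants before touching a disk image. Assumes the libguestfs
# tools and virsh from the post are installed.
set -e

# Refuse to run unless the domain is cleanly shut off; virsh destroy is
# deliberately not offered, since a dirty filesystem is what breaks resizes.
require_shut_off() {
    state=$(virsh domstate "$1" 2>/dev/null || echo unknown)
    [ "$state" = "shut off" ] || { echo "$1 is '$state', not 'shut off'" >&2; return 1; }
}

# root_lv_from_listing LISTING: pick the logical volume carrying an ext
# filesystem from guestfish 'list-filesystems' output (swap is skipped), so
# the LVM names are read from the image rather than hard-coded.
root_lv_from_listing() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 ~ "^/dev/[^/]+/[^/]+$" && $2 ~ "^ext[234]$" { print $1; exit }'
}

# guestfish_commands LV: grow LV into all free space, grow its filesystem,
# then force a fsck (the post's precautionary e2fsck-f step).
guestfish_commands() {
    printf 'run\nlvresize-free %s 100\nresize2fs %s\ne2fsck-f %s\n' "$1" "$1" "$1"
}

# grow_guest DOMAIN SRC.qcow2 DST.qcow2 PARTITION NEWSIZE, e.g.
# grow_guest centos centos_centos6.qcow2 outfile.qcow2 /dev/sda2 150G
grow_guest() {
    dom=$1; src=$2; dst=$3; part=$4; size=$5
    require_shut_off "$dom"
    [ ! -e "$dst" ] || { echo "$dst already exists, refusing to overwrite" >&2; return 1; }
    virt-filesystems --long --parts --blkdevs -h -a "$src"
    qemu-img create -f qcow2 "$dst" "$size"
    virt-resize --expand "$part" "$src" "$dst"
    lv=$(root_lv_from_listing "$(guestfish --ro -a "$dst" run : list-filesystems)")
    [ -n "$lv" ] || { echo "no ext filesystem on an LV found in $dst" >&2; return 1; }
    guestfish_commands "$lv" | guestfish --rw -a "$dst"
    virt-df -h "$dst"
}

# Only touches images when invoked as:
#   GROW_GUEST_RUN=1 sh grow.sh DOMAIN SRC DST PARTITION NEWSIZE
if [ "${GROW_GUEST_RUN:-0}" = 1 ]; then grow_guest "$@"; fi
```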
Earlier in the month I made reference in my Google+ posting that I had begun prototyping a pentesting “drop box” using the Raspberry Pi (https://www.raspberrypi.org) as the brains.
It is now 19 days on, and I realised I had not got around to writing a blog post on the project.
The Problem
The general public are unaware just how much data they send and receive at any given time; especially if a person has a “smart phone”, the wealth of personal data they carry around in their pocket can be staggering, more so because they have absolutely no clue how bad that can potentially be.
Want to carry out a little experiment?
Gather some non-netsec-aware people.
How many of them can tell you right now, without looking, if their phone’s wifi is enabled?
How many can do the same for Bluetooth?
Without giving details, how many have passwords / bank details / something that shouldn’t be on their phone, on their phone?
You’ll be concerned by the results (unless you have somehow found a random grouping of people completely aware of their phone’s function and content at all times …).
Bridging the gap
In my experience, no matter how you phrase it, for the general end consumer any conversation on netsec is met with indifference, mainly due to a lack of understanding, which is frustrating to say the least.
However, you can take one of two directions in this situation: berate the stupid luser, or attempt to educate them. To that effect the most successful method is something visual, in the form of a practical demonstration of the point you are trying to get across.
Why? It removes the need for the end consumer to attempt to mentally visualise what you are describing; all puns aside, this makes it far easier for the end consumer to understand.
Education, got it … so why the pi?
Simple really: an inexpensive 600MHz ARM processor that can boot Linux and run from a battery pack.
The peak consumption I read somewhere is around 700mA; the battery pack in question is 5000mAh, which, assuming we see a 60% return on a full charge, equates to roughly 4.5hrs run time total.
Low power consumption
Easily portable
Relatively inexpensive
Runs Linux
The Concept
I’d like to assume that if you are reading this you have at least a basic knowledge of netsec, so at this point the post becomes less end-user friendly …
Jasager - utilising Jasager to masquerade as a trusted AP, and route traffic through ethernet / USB 3G dongle.
a. Disposable - set up and go, access data over the 3G connection via a reverse tunnel; remote wipe / destruction.
Karma - I don’t know much about Karma quite yet; it appears it can be used for much the same as Jasager.
Couple the above with airdrop-ng for active denial of all wifi in the area, and suddenly every smart phone / laptop in the area is routing via the pwnberry pi and NO ONE is the wiser.
Proof or STFU
Whilst I don’t have a working demo at this time, perhaps some photos of the “build” would suffice?
Running left to right:
SD Card
5000mAh USB battery
Bottom of the “weather proof box”
Raspberry Pi
ALFA awus036nh
All boxed in the “Premium” container, aka rubber sealed tupperware of doom …
To come …
I’m trying out different distributions to achieve this, pwnpi is looking promising at the moment.
As always time is limited, so it’s on an as / when basis.
Yeh yeh … so it is true, I have some quite vocal opinions on all this cloud marketing fluff.
That said, it has some great potential; if you’ve been following my open source contributions and posts you’ll know I have a special affinity for OpenStack, Aeolus, and of course OpenNebula.
As such I’ve taken to jumping in “feet first”; what better way, eh?
Last October I was fortunate enough to attend the OpenStack training in London, hosted by Rackspace, and I now have a full OpenStack deployment running on Fedora 17 on my laptop for prototyping and testing (I have of course been bug reporting to Red Hat Bugzilla, and I encourage you to do the same!).
I met some great people on the course last October, of whom unfortunately I’ve only managed to keep in contact with a few (if you’re reading this and were there, get in contact!).
I have some upstream commits for EPEL OpenStack, libcloud, Aeolus, BoxGrinder … and I’ve got to a point this year where I can reflect, and make a post to that effect.
In short I have one problem with the cloud, and that’s the marketing. Let me explain why: marketing is driven to make sales; it does not care about educating the end user as to the product they are paying for (and frankly, hearing my parents / clients ask “Can’t you just use the cloud?” makes me want to break out the beating stick of education, more so for the marketing people; I believe in making a solution right for the individual, not for the bottom line…). Yet as I’ve come to know more about the systems involved, it’s a revolution. Now calm down and let me explain.
Yes, the cloud is simply virtualization if you break it down into its rawest form, and that has been around for decades … but what “the cloud” is doing, despite the marketing fluff, is commoditizing the technology and placing it firmly in the hands of users who have little to no technical background or knowledge. Why is this a revolution?
Inherently a person who is somewhat intelligent is curious; curiosity (despite killing the cat, though if my neighbour’s cat craps in my garden again it may well be my boot and not the curiosity) leads to discovery, and this in turn leads to understanding. Putting something so powerful so simply within reach of those who do not understand the technology both increases its profitability and, should said end user pursue their curiosity, means they will learn.
Right, so education for the masses; what’s next, hugging trees?
Not quite, you may be missing the point: what’s better than an educated client, someone who knows what they want and the potential technologies to achieve it, as opposed to the uneducated who take the line of “it can’t be that hard, all you do is sit there and tap the keyboard all day”?
There is a very real gap in understanding between the end user and the sysadmin/DevOps supporting them; the cloud may well help to bridge the gap between the technology and the user, just as DevOps bridges the gap between operations and the developer.
So, pulling this back to the original point of this blog post, as I appear to have gone off at a tangent:
I’ve converted WordPress -> Jekyll + Octopress.
I’ve worked on the Rakefile to push differing assets to Cloud Files.
I am now just waiting on Cloud DNS to allow CNAME records for the main domain, then …
blog.oneiroi.co.uk will exist purely in the CDN.
With any luck I will be the first, but this is reliant on the DNS options becoming available. Please comment and let me know your thoughts!
Please be aware the following applies to 2011.3 ONLY! (Diablo Final). The configuration to come in Essex is far simpler; if when reading this post your packages are 2012.X you have just installed Essex and this is not relevant. Anyway, here we go …
yum install openstack-keystone
Keystone itself has its own tirade of concepts to get to grips with … tenant, user, role, service, token etc. I’m not going to go into detail on those concepts; for that please see the documentation.
Configuring MySQL
The first thing I am going to do is change from SQLite to a MySQL connection; this involves editing line 54 of /etc/keystone/keystone.conf.
Ignoring the default_store configuration at the top of the file, as this states sqlite: from what I can tell this simply instructs keystone to use the SQLAlchemy driver, which we just updated to point to MySQL.
Now, like Glance, we need to restart keystone for the database to be populated:
service openstack-keystone restart
Now run keystone-manage with no args; if you see
File "/usr/lib/python2.6/site-packages/keystone/manage/__init__.py", line 283, in main
raise exc
sqlalchemy.exc.OperationalError: (OperationalError) (1044, "Access denied for user 'keystone'@'localhost' to database 'keystone'") None None
review your keystone.conf file and ensure your MySQL credentials are correct; once done, start keystone again.
Initial Credentials
Now we need to create an admin tenant, and add an admin user to this tenancy:
keystone-manage tenant add adminTenant
SUCCESS: Tenant adminTenant created.
keystone-manage user add adminUser <password>
SUCCESS: User adminUser created.
keystone-manage role add Admin
SUCCESS: Role Admin created successfully.
keystone-manage role grant Admin adminUser
SUCCESS: Granted Admin the adminUser role on None.
keystone-manage role grant Admin adminUser adminTenant
SUCCESS: Granted Admin the adminUser role on adminTenant.
OK, so we have just:
set up a tenant named adminTenant.
set up a user named adminUser and specified their password.
created an Admin role.
assigned adminUser to the Admin role.
granted adminUser the Admin role on adminTenant.
Note: the outputs are a little confusing on the role assignments…
“Granted Admin the adminUser role on adminTenant”,
it appears the string output has the arguments in the wrong order; here it should read:
“Granted adminUser the Admin role on adminTenant”.
I have, however, verified the MySQL data and can see the roles being correctly assigned.
Also the output from
keystone-manage role grant help
Missing arguments: role grant 'role' 'user' 'tenant (optional)'
confirms the arguments are being entered in the correct order.
Edit these to reflect your Admin role accordingly and then restart openstack-keystone.
The above shows separate roles for general and service admin; in my case I set these to the same role. It is of course entirely up to you and your delegation setup.
If you choose to retain the KeystoneServiceAdmin delegation you will need to set up the role as per the Admin role above and run through the grants accordingly.
Setting up the Service token and service definitions
ERROR: 'NoneType' object has no attribute 'id'
2012-04-23 12:27:29 ERROR [root] 'NoneType' object has no attribute 'id'
Traceback (most recent call last):
File "/usr/bin/keystone-manage", line 16, in <module>
keystone.manage.main()
File "/usr/lib/python2.6/site-packages/keystone/manage/__init__.py", line 283, in main
raise exc
AttributeError: 'NoneType' object has no attribute 'id'
check you have correctly entered adminUser adminTenant (or the details you have entered), including correct capitalisation.
keystone-manage service add nova compute "Openstack Compute Service"
SUCCESS: Service nova created successfully.
keystone-manage service add glance image "Openstack Image Service"
SUCCESS: Service glance created successfully.
keystone-manage service add keystone identity "Openstack Identity Service"
SUCCESS: Service keystone created successfully.
Defining endpoints
Nova
Here I managed to confuse myself, so let me be clear: this needs the nova_api service IP, not each compute node, meaning you only need one endpoint.
keystone-manage endpointTemplates add regionOne nova https://<nova_api_ip>:8774/v1.1/%tenant_id% https://<nova_api_ip>:8774/v1.1/%tenant_id% https://<nova_api_ip>:8774/v1.1/%tenant_id% 1 1
SUCCESS: Created EndpointTemplates for nova pointing to https://<nova_api_ip>:8774/v1.1/%tenant_id%
The 3 URL arguments are for publicURL, internalURL, adminURL (no idea if that is the order).
Glance
keystone-manage endpointTemplates add regionOne glance https://<glance_ip>:9292/v1 https://<glance_ip>:9292/v1 https://<glance_ip>:9292/v1 1 1
SUCCESS: Created EndpointTemplates for glance pointing to https://<glance_ip>:9292/v1
Keystone
keystone-manage endpointTemplates add regionOne keystone https://<keystone_ip>:5000/v2.0 https://<keystone_ip>:5000/v2.0 https://<keystone_ip>:5000/v2.0 1 1
SUCCESS: Created EndpointTemplates for keystone pointing to https://<keystone_ip>:5000/v2.0.
Configuring Nova
Now we have keystone set up, we need to configure nova to use keystone for authentication by editing /etc/nova/api-paste.ini.
There are several edits required, so what follows are snippets of those changes.
EC2 Section modification
Lines 22 and 27 ([pipeline:ec2cloud] and [pipeline:ec2admin] sections).
Most of the other commands are presently returning 404 / 500 errors for me; with the Essex release impending, the current EPEL advice seems to be to use Essex. I will update as/when I can with further information on these issues.
For instance, on a flavor-create a 500 error is encountered, with the following logged in api.log:
...
(nova.api.openstack): TRACE: AttributeError: 'ControllerV11' object has no attribute 'create'
...
Configuring Glance
Modify /etc/glance/glance-api.conf:
Comment out line 138 and uncomment 140:
[pipeline:glance-api]
#pipeline = versionnegotiation context apiv1app
# NOTE: use the following pipeline for keystone
pipeline = versionnegotiation authtoken auth-context apiv1app
Now edit /etc/glance/glance-registry.conf and again comment out the current pipeline= line and uncomment the keystone line:
[pipeline:glance-registry]
#pipeline = context registryapp
# NOTE: use the following pipeline for keystone
pipeline = authtoken auth-context registryapp
for i in api registry; do service openstack-glance-$i restart; done
Stopping openstack-glance-api: [ OK ]
Starting openstack-glance-api: [ OK ]
Stopping openstack-glance-registry: [ OK ]
Starting openstack-glance-registry: [ OK ]
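An added example (not the post’s own code) that makes the glance-api.conf and glance-registry.conf pipeline swap scriptable and verifiable, rather than an edit by line number that moves between package versions; it refuses to report success unless authtoken is actually on the active pipeline. The conf content below is constructed, and the section names are the ones shown above.

```shell
#!/bin/sh
# Added example, not the post's own code: switch a glance paste pipeline to
# the keystone (authtoken) variant in place and verify the result, instead
# of editing by line number.

# active_pipeline FILE SECTION -> prints the uncommented pipeline of SECTION
active_pipeline() {
    awk -v want="[$2]" '
        /^\[/ { insec = ($0 == want); next }
        insec && /^[ \t]*pipeline[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# enable_keystone_pipeline FILE SECTION: inside SECTION, comment out the live
# pipeline= line and uncomment the one that contains "authtoken" (idempotent).
enable_keystone_pipeline() {
    tmp="$1.tmp.$$"
    awk -v want="[$2]" '
        /^\[/ { insec = ($0 == want) }
        insec && /^[ \t]*pipeline[ \t]*=/ && !/authtoken/ { $0 = "#" $0 }
        insec && /^#[ \t]*pipeline[ \t]*=/ && /authtoken/  { sub(/^#[ \t]*/, "") }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
    # refuse to report success unless keystone auth is now on the request path
    case "$(active_pipeline "$1" "$2")" in
        *authtoken*) return 0 ;;
        *) echo "$1: [$2] still has no authtoken in its pipeline" >&2; return 1 ;;
    esac
}

# Constructed sample of the stock glance-api.conf pipeline section.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[DEFAULT]
verbose = True

[pipeline:glance-api]
pipeline = versionnegotiation context apiv1app
# NOTE: use the following pipeline for keystone
#pipeline = versionnegotiation authtoken auth-context apiv1app

[app:apiv1app]
paste.app_factory = glance.common.wsgi:app_factory
EOF

enable_keystone_pipeline "$SAMPLE_CONF" pipeline:glance-api
active_pipeline "$SAMPLE_CONF" pipeline:glance-api
# On a real host: run this for glance-api.conf and glance-registry.conf, then
#   for i in api registry; do service openstack-glance-$i restart; done
```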