Archiv der Kategorie: Security

Owncloud: Es gab Probleme mit dem Code – Integritätsprüfung.

Owncloud hat wohl eine Integrationsprüfung für seine Dateien hinzugefügt (mit Version 9.0?). Da ich die util.php aufgrund von abweichenden Zugriffsrechten per Hand anpassen muss, erhalte ich in der Browseransicht die Fehlermeldung. Es funktioniert alles, aber der gelbe Balken stört.

Die Integritätsprüfung lässt sich durch einen Eintrag in der owncloud/config/config.php einfach abschalten.

'integrity.check.disabled' => true,

Anschließend auf der owncloud/index.php/settings/admin#security-warning die erneute Prüfung aktivieren.

Fieser workaround, aber tut was er soll.

SSH-Tunnel mit Firefox nutzen

Kurz notiert:

Ich hatte etwas Probleme bei der Verwendung eines aktuellen Firefox mit einem dynamischen SSH Tunnel. Konnte ich in der Vergangenheit etwa mit dem Befehl

ssh -fNCD 4444 remotesshserver

einen SOCKS Proxy auf Port 4444 aufmachen und Firefox einfach auf diesen umlenken, funktioniert dies wohl aktuell(?) nicht mehr. Richte ich den Proxy in den Einstellungen des Browsers ein (localhost, Port 4444, alle Protokolle, SOCKSv5 etc), kann anschließend keine Verbindung aufgebaut werden. Die selben Daten, konfiguriert in FoxyProxy funktionieren allerdings problemlos.

Hilfreich bei der Fehlersuche:

ssh -N -vvv -D 4444 remotesshserver
curl –socks5 127.0.0.1:4444 http://icanhazip.com

Raspberry Pi: Owncloud setup revisited

The Raspberry and owncloud ran for a few months now and I really enjoyed my own personal cloud. But I was really annoyed by the poor performance. One possible solution was to switch the sd card, which I did. I replaced the Transcend 16GB SDHC card with a 4GB one. Performance is much better now. Since setting up the system is a pretty simple and fast process, I didn’t bother about cloning the card etc. I reinstalled raspbian and followed my own guide on how to setup nginx and php and oriented on my other tutorial on how to install owncloud 6 beta. Of course I needed to change some links etc.

Some more things (I) changed:

  1. owncloud added security for trusted domains
  2. moved owncloud storage to an external usb drive
  3. changed the nginx webserver configuration: restrict to https only and …
  4. accessing php-fpm through network socket

 

1. If you access the webinterface of your owncloud instance using different ips, names etc., you need to add them to the „trusted_domains“ parameter.

pi@raspberrypi ~ $ sudo vi /var/www/owncloud/config/config.php

‚trusted_domains‘ =>
array (
0 => ‚192.168.12.34′,
1 => ‚your.dyndns.org‚,
),

2. Connect the usb drive and use lsblk and blkid to find the needed UUID.

pi@raspberrypi ~ $ lsblk && blkid
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 2,7T 0 disk
└─sda1 8:1 0 2,7T 0 part /media/usb
mmcblk0 179:0 0 3,7G 0 disk
├─mmcblk0p1 179:1 0 56M 0 part /boot
└─mmcblk0p2 179:2 0 3,7G 0 part /
/dev/mmcblk0p1: SEC_TYPE=“msdos“ LABEL=“boot“ UUID=“7D5C-A285″ TYPE=“vfat“
/dev/mmcblk0p2: UUID=“5d18be51-3217-4679-9c72-a54e0fc53d6b“ TYPE=“ext4″
/dev/sda1: LABEL=“Backup3TB“ UUID=“1D3F163D4EEC069E“ TYPE=“ntfs“

Create the mountpoint /media/usb and edit /etc/fstab to mount the drive on startup.

pi@raspberrypi ~ $ sudo mkdir /media/usb

pi@raspberrypi ~ $ sudo vi /etc/fstab
proc /proc proc defaults 0 0
/dev/mmcblk0p1 /boot vfat defaults 0 2
/dev/mmcblk0p2 / ext4 defaults,noatime 0 1
UUID=1D3F163D4EEC069E /media/usb ntfs-3g defaults,auto, uid=pi,gid=wwwdata,umask=007,users 0 0

While setting up your owncloud, you can now define /media/usb as your data storage. Not sure if there is a way to change this on a already running owncloud setup.

 

3. Change the nginx configuration (/etc/nginx/sites-availabe/default) according to the owncloud 6 documentation

upstream php-handler {
server 127.0.0.1:9000;
}

server {
listen 80;
return 301 https://your.dyndns.org$request_uri; # enforce https
}

# HTTPS server
#
server {
listen 443 ssl;
server_name your.dyndns.org localhost;

root /var/www;

autoindex off;
index index.php index.html index.htm;

ssl on;
ssl_certificate /etc/nginx/conf.d/ssl/server.crt;
ssl_certificate_key /etc/nginx/conf.d/ssl/server.key;

client_max_body_size 10G; # set max upload size
fastcgi_buffers 64 4K;

rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
deny all;
}

location / {
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

try_files $uri $uri/ index.php;
}

location ~ ^(.+?\.php)(/.*)?$ {
try_files $1 =404;

include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$1;
fastcgi_param PATH_INFO $2;
fastcgi_param HTTPS on;
fastcgi_pass php-handler;
}

# Optional: set long EXPIRES header on static assets
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
# Optional: Don’t log access to assets
access_log off;
}
}

4. Modify the php5-fpm config to listen on a netsocket.

 pi@raspberrypi ~ $ sudo vi /etc/php5/fpm/pool.d/www.conf

;listen = /var/run/php5-fpm.sock
listen = 127.0.0.1:9000

Restart the services.

pi@raspberrypi ~ $ sudo service php5-fpm restart
pi@raspberrypi ~ $ sudo service nginx restart

 

 

 

 

QNAP TS419U+ und die Passwortlänge

Wenn man bei Google z.B. nach den Schlagworten „qnap max password length“ sucht, findet man einige Treffer zu Foreneinträgen, in denen sich Besitzer von QNAP Netzwerkspeichern über eine Grenze bei der Passwortlänge ärgern. Anscheinend war es sogar mal so, dass die Firmware, Passwörter, die länger als 16 Zeichen waren, einfach abschnitt ohne den User zu informieren.

(Dieses Vorgehen ist auch schon bei einigen anderen Anbietern aufgefallen. Ich erinnere mich noch an AOL und das Sparkasse Onlinebanking. Allerdings ist das schon einige Jahre her.)

In den offiziellen Foren wird seit langer Zeit (Aus-)Besserung versprochen, jedoch gibt es auch bei der aktuellsten Firmware-Version immer noch ein Limit von 16 Zeichen (siehe Screenshot).

QNAP Passwortlänge

 

Wie es sich für ein NAS gehört, kann man auf das System auch auf andere Art als über das Webinterface zugreifen, z.B. per SSH. Wer allerdings versucht sich hier mit seinem Benutzernamen und 16stelligen Passwort anzumelden, wird sich wundern warum der Login verweigert wird. Angeblich ist das Passwort falsch. Auch im Systemlog des NAS werden die „failed login attempts“ aufgelistet. Nach einiger Fehlersuche ist die Ursache gefunden:

Als Passwort für den SSH-Zugang sind nur die ersten 12 Zeichen gültig! 

Und das 2014! Oh Man. Dokumentiert wird dies natürlich nirgendwo. Jedenfalls habe ich nichts gefunden.

Facebook kauft WhatsApp

Gestern Abend wurde bekannt gegeben, dass Facebook den Messenger WhatsApp für 19 Milliarden Dollar (ca. 13,8 Milliarden Euro) übernehmen wird.

Aus diesem Grund nochmal der Verweis auf den „sicheren“ Messenger Threema. Mehr Infos und ein interessantes Interview mit den Entwicklern gibt es in einem Podcast bei monoxyd.

Android Version: Play Store
iOS Version: App Store

Raspberry Pi: Selfhosted cloud with ownCloud 6 beta

Quick writeup on how to install the new owncloud 6 beta on your raspberry Pi.

Disclaimer: If you want something superfast, leave this site now. If you’re looking for a really cheap way to get your own cloud (No NSA. So yay!) and give some use to your raspberry pi which is sitting on the shelf since months, here you go. Just don’t expect a 1 to 1 dropbox/drive/$whatever clone.

Prequirements: Working Raspberry Pi with Raspbian (path etc. may vary on other distributions) and a running webserver with php and ssl.

Installation on the Pi
Download the package from here, extract it, move it to the right location and set the correct user rights:

pi@raspberrypi ~ $ wget http://download.owncloud.org/community/testing/owncloud-6.0.0beta1.zip
pi@raspberrypi ~ $ unzip owncloud-6.0.0beta1.zip
pi@raspberrypi ~ $ sudo mv owncloud /var/www/
pi@raspberrypi ~ $ sudo chown -R www-data:www-data /var/www/owncloud
pi@raspberrypi ~ $ cd /var/www/owncloud/

We need to change a few settings in the php config.

pi@raspberrypi /var/www/owncloud $ sudo vi /etc/php5/fpm/php.ini

Replace

upload_max_filesize = 2M
post_max_size = 8M

with

upload_max_filesize = 1024M
post_max_size = 1024M

and add some lines to the end of the file (we will install apc later):

upload_tmp_dir = /srv/www/owncloud/data/temp
extension = apc.so
apc.enabled = 1
apc.include_once_override = 0
apc.shm_size = 256

Create the directory for uploads

pi@raspberrypi /var/www/owncloud $ sudo mkdir -p data/temp
pi@raspberrypi /var/www/owncloud $ sudo chown -R www-data:www-data data

After editing your webserver config according to the documentation, visit http://localhost/owncloud or http://raspberryip/owncloud and check for error messages. In my case, I got two:

1. PHP module GD is not installed. Please ask your server administrator to install the module.

So I needed to install this:

pi@raspberrypi /var/www/owncloud $ sudo aptitude install php5-gd

And

2. No database drivers (sqlite, mysql, or postgresql) installed.

Of course. After some searching and reading the official documentation about the database configuration, I decided to use MySQL as backend. Mainly because there will be at least two persons using the system. So I installed the mysql-server and php5-mysql package.

pi@raspberrypi /var/www/owncloud $sudo aptitude install mysql-server php5-mysql

After settings the root password, connect to your mysql server. Create a user for owncloud and a database.

pi@raspberrypi /var/www/owncloud $ mysql -u root -h localhost -p
CREATE USER ‚owncloud’@’localhost‘ IDENTIFIED BY ‚password‘;
CREATE DATABASE IF NOT EXISTS owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO ‚owncloud’@’localhost‘ IDENTIFIED BY ‚password‘;
QUIT

Return to http://localhost/owncloud or http://raspberryip/owncloud and complete the setup process.

Some tips to improve performance:
There are a few guides and tips on the net on how to improve performance of owncloud on your pi. Here are some of them.

1. Install the PHP Accelerator (see modified php.ini at the top)

pi@raspberrypi /var/www/owncloud $ sudo aptitude install php-apc

2. Use a cronjob to update the database and fasten up the webinterface. Open the crontab for the webserver user:

pi@raspberrypi /var/www/owncloud $ sudo crontab -u www-data -e

For updates every 15 minutes add:

*/15 * * * * php -f /var/www/owncloud/cron.php

On the webinterface go to Administration -> Cron and change the setting to Cron.

3. Disable unused apps. Disable all apps you don’t need.

 

Installation of the owncloud ubuntu client

pat@think:~$ wget http://download.opensuse.org/repositories/isv:ownCloud:devel/xUbuntu_13.10/Release.key
pat@think:~$ sudo apt-key add Release.key
pat@think:~$ echo ‚deb http://download.opensuse.org/repositories/isv:ownCloud:devel/xUbuntu_12.04/ /‘ >> sudo tee /etc/apt/sources.list.d/owncloud-client.list
pat@think:~$ sudo aptitude update
pat@think:~$ sudo aptitude install owncloud-client

Sources: http://doc.owncloud.org/server/5.0/admin_manual/installation/installation_others.html#nginx-configuration http://doc.owncloud.org/server/5.0/admin_manual/configuration/background_jobs.html#cron-jobs http://doc.owncloud.org/server/5.0/admin_manual/configuration/configuration_database.html http://jankarres.de/2013/10/raspberry-pi-owncloud-server-installieren/ (german) http://cloudlog.de/owncloud-langsam-diese-tipps-machen-owncloud-schneller/ (german)

Raspberry Pi: Mount and unmount truecrypt on startup and shutdown

My Raspberry Pi functions as a lokal NAS and data haven for backing up remote servers and all my clients. The data is stored in a truecrypt container on an external usb harddrive. The drive is mounted on bootup, as well as the decrypted container. If you follow my notes, please be aware that the password to unlock the files is stored in cleartext in the automount script and could show up when running e.g. ps. So maybe this isn’t the right solution when you grant access to your Pi to other people.

 

Create the two directories to mount the external harddrive and the truecrypt container.

sudo mkdir /mnt/{usb,truecrypt}

If you use NTFS as a filesystem on your external drive, install the ntfs-3g package and try mounting the it manually first:

pi@raspberrypi ~ $ sudo aptitude install ntfs-3g
pi@raspberrypi ~ $ mount -t ntfs-3g /dev/sda1 /mnt/usb

When everything works, add the permanent mount entry to your /etc/fstab:

/dev/sda1 /mnt/usb ntfs-3g defaults 0 0

To automount the truecrypt container on startup, install truecrypt like explained here and create the two init scripts for mounting and unmounting the container.

/etc/init.d/tc_mount

#!/bin/bash
### BEGIN INIT INFO
# Provides:          tc_mount
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2
# Default-Stop:
# Short-Description: tc_mount
# Description:      Mount the truecrypt container
### END INIT INFO
echo „Mounting truecrypt container“
/usr/local/bin/truecrypt -t -k „“ –protect-hidden=no –mount /mnt/usb/crypt /mnt/truecrypt/ -v -m=nokernelcrypto -p ‚YOURPASSWORD‘
exit 0

/etc/init.d/tc_unmount

#!/bin/bash
### BEGIN INIT INFO
# Provides:          tc_unmount
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:
# Default-Stop:      0 1 6
# Short-Description: tc_unmount
# Description:       Unmount the truecrypt container
### END INIT INFO
echo „Unmounting truecrypt containers“
/usr/local/bin/truecrypt -d
exit 0

And add them to the correct runlevels:

pi@raspberrypi ~ $ sudo update-rc.d tc_mount start 02 2 .
pi@raspberrypi ~ $ sudo update-rc.d tc_unmount stop 02 0 1 6 .

 

Sources:

http://debianforum.de/forum/viewtopic.php?f=34&t=123447

https://www.linuxquestions.org/questions/debian-26/run-this-command-when-the-computer-shutdown-or-reboot-683851/

RAM Analysis – Part 1: Introduction and Obtaining the RAM image

I just found this old draft from July 2010, which I completely forgot about. This was supposed to be a series of blogposts but I didn’t had the time back then. Even this post is far from complete, but maybe it’s useful for somebody.

1.1 Introduction

This multiparted series will summarize the various aspects, possibilities and methods to obtain and analyse a computers physical memory. You can find a lot of information about memory analysis on the net and this series neither wants to nor won’t be able to cover all aspects. Part I will focus on the different methods to obtain an memory dump, which will be analyzed later. If you’re not interested in getting a memory dump and just want to take a look at its content, you can download some of the sample memory images for example from here, here, or here.

1.2 Hardware Tools

There are a few PCI cards out there, but most of them are research projects or not available to the costumer.

Tribbel PCI card
Tribble is a proof-of-concept research project by Joe Grand of Grand Idea Studio and Brian Carrier of digital-evidence.org. Most information about the device can be found in this paper.

CoPilot
CoPilot was developed by Komoku as a malware protection and rootkit detection PCI card and was later on acquired by Microsoft.

FRED: Forensic RAM extraction device
Only a few information about this project is available on the developers website at BBN Technologies.

1.3 Software Tools

1.3.1 Windows (free)

http://www.mantech.com/capabilities/mdd.asp

http://sourceforge.net/projects/mdd/

https://www.hbgary.com/products-services/fastdump-pro/

1.3.2 Windows (paid)

http://gmgsystemsinc.com/knttools/

http://www.x-ways.net/capture/index-d.html

1.3.2 Unix/Linux/Mac

Firewire http://www.storm.net.nz/projects/16

Firewire, only for use by law enforcement http://goldfish.ae/

http://www.sleuthkit.org/index.php
http://www.forensicswiki.org/index.php?title=Jesse_Kornblum

1.4 Forensic live cds

http://www.caine-live.net/

http://www.deftlinux.net/

helix

1.5 Links

http://www.gmgsystemsinc.com/fau/
http://computer.forensikblog.de/themen/windows/speicheranalyse/index10.html
http://cybercrimetech.com/projects/reaper/
http://www.digital-evidence.org/tools/index.html
http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
http://www.informaworld.com/smpp/section?content=a779634402&fulltext=713240928
http://www.dfrws.org/

Raspberry Pi: Truecrypt on Raspbian

Quick howto on how to install truecrypt on the rapberry pi.

Get the source for Mac OS X/Linux from http://www.truecrypt.org/downloads2 (Update: https://www.grc.com/misc/truecrypt/truecrypt.htm) and copy the file to the pi:

pat@earth Downloads]$ scp TrueCrypt 7.1a Source.tar.gz pi@pi:/home/pi/

Connect to the pi and extract the archive:

pi@raspberrypi ~ $ tar xfv TrueCrypt 7.1a Source.tar.gz

Even without a GUI, you’ll need WxWidget. Download and extract:

pi@raspberrypi ~ $ wget http://prdownloads.sourceforge.net/wxwindows/wxWidgets-2.8.12.tar.gz
pi@raspberrypi ~ $ tar xfv wxWidgets-2.8.12.tar.gz

Install the fuse library:

pi@raspberrypi ~ $ sudo aptitude install libfuse-dev

Create a folder and download some needed header files:

pi@raspberrypi ~ $ mkdir ~/truecrypt-7.1a-source/pkcs
pi@raspberrypi ~ $ wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/*.h -P truecrypt-7.1a-source/pkcs/

Change to the truecrypt directory and compile WxWidgets (takes about 20 minutes):

pi@raspberrypi ~ $ cd truecrypt-7.1a-source/
pi@raspberrypi ~/truecrypt-7.1a-source $ export PKCS11_INC=/home/pi/truecrypt-7.1a-source/pkcs/
pi@raspberrypi ~/truecrypt-7.1a-source $ make NOGUI=1 WX_ROOT=/home/pi/wxWidgets-2.8.12 wxbuild

Now compile truecrypt (~ 40 minutes):

pi@raspberrypi ~/truecrypt-7.1a-source $ make NOGUI=1 WXSTATIC=1

Copy the binary into the bin directory:

pi@raspberrypi ~/truecrypt-7.1a-source $ sudo cp Main/truecrypt /usr/local/bin/

Mount your container:

pi@raspberrypi ~/truecrypt-7.1a-source $ truecrypt -t -k „“ –protect-hidden=no –mount /mnt/usb/crypt /mnt/truecrypt/ -m=nokernelcrypto

Cleanup:

pi@raspberrypi ~/truecrypt-7.1a-source $ cd ~
pi@raspberrypi ~ $ rm -r truecrypt-7.1a-source TrueCrypt 7.1a Source.tar.gz wxWidgets-2.8.12*

Edit: I uploaded the binary. If you don’t want to compile truecrypt yourself, feel free to use this one.

Edit 2: If you want to automatically mount the truecrypt container on startup and unmount on shutdown, take a look at this howto.