Wednesday, November 21, 2007

vmware server, grsecurity and devices

Finally we've decided to switch to a new infrastructure in our production servers...

evaluating xen and vmware, I finally decided to put vmware server...and see how it reacts on the system...

So I started to create a new vmware image of my favourite linux distro, actually used in production:
Gentoo hardened.

After installing all the necessary for a base system (syslong-ng, vixie-cron, xfsprogs, lvm2, and so on
),configuring lvm2 for dynamic partitions, and recompiling world with the new CFLAGS, the time to compile the kernl arrived...

actually i'm using 2.6.22-hardened-r8

as you can see in teh image below, vmware use some pre-defined emulated hardware we need to compile the new kernel taking care of them

later I will post the important kernel config sections

stay tuned ;)

Saturday, November 10, 2007

need security???? TJX :)

reading posts in as usually, I've found one
so interesting...about TJX got hacked :)

just see the letter that TJX CEO wrote to his customers


October 11, 2007

To Our Valued Customers:

At TJX, our first priority always has been and continues to be, our customers. I want each of you to know how much I personally and, on behalf of the Company, regret any difficulties you may have experienced as a result of the criminal attacks on our computer systems announced earlier this year. Importantly, we truly appreciate that you have continued to place your trust in us with your loyalty and patronage.

We remain committed to providing our customers a safe shopping environment as you shop for great values, fashion and brands. TJX has been working diligently with some of the world’s best computer security firms to further enhance our computer security. We have also continued to work with law enforcement and government agencies and very much want to see that the sophisticated cyber criminals who attacked our computer systems are brought to justice.

We have worked diligently to reach a settlement, which we believe would offer an excellent resolution for our customers, addressing the different ways that they have told us that they have been impacted by the computer intrusion(s). (Like all class action settlements, our settlement is subject to Court approval and other conditions, and therefore, customers cannot yet seek benefits.) We have provided a separate link, below, to additional information regarding the proposed settlement.

To learn more about steps you can take to protect your credit and debit card information, I encourage you to access the information we are providing on this website or to contact our special customer helplines listed below.

Once again, we sincerely regret any inconvenience you may have experienced as a result of the attacks on our computer system. We are deeply grateful for your continued trust and patronage.

Carol Meyrowitz
President and Chief Executive Officer funny as usually...
I'm just surprised knowing that a so big company got hacked in a so huge way :)

well well

take a look here too:

Friday, November 9, 2007

Surfing anonymously??? yes thanks

what about web anonymity?
every seconds you're surfing the web, you are leaving informations about your presence in routers,
webservers, and so on...
these informations are vital stuff for companies that grab your behaviors and make money sending to you
spam and other usefulness things...

what about hacking?
the difference between a legal and illegal penetration test is often minimal, especially regarding which assets you're trying to penetrate with or without an explicit permit...
when the DARK POWER make you a Black Hat, you don't want to leave your IP logged everywhere, when you're
sending malicious javascripts or other injection things to targets...

so start to use Privoxy and Tor..
google them...

they are great tools, highly configurable an secure...

Tor is based on the Onion Routing principle, so every packet is forwarded to a lot of routers before to arrive to the correct this way you can be sure that at least doing web penetration tests you will be not taken by policy :)

just remember to add:

forward-socks4a / .
to your /etc/privoxy/config file (don't forgot the dot at the end of the line)

use Firefox with Firebugs, and a proxy switcher like FoxyProxy...
check your IP with some IP-detctors website...or just with will see
that the page will be loaded in a different language than yours (different IP - different location)

here below some logs of privoxy:

Snort_inline, firewall DROP rules and fucking behavior

well well...

Snort_inline with DROP rules sent to iptables are really a good defense mechanism...
I'm using them in production environments...

BUT? there is always a *but* in security :)

But...of course there will always be false positives (behaviors considered BAD actions)...
for example using Snort with the Inline patch and all the default rules I was falling in the following trouble

I was just doing new things with Apache and Glassfish, and mod_jk, resetting sometimes the connections
from firefox to my server with the STOP loading button, and after this the server was not responding anymore...
well, at least on port 80:)

watching at the Snort logs I've found this:

as you can see there are Snort alerts for just these things...

So i'm asking to myself, more and more, if inline mode is effective a good solution in production...
Well maybe tweaking a bit the rules of Snort yes, can be...

I will continue my studies about it;)

Wednesday, November 7, 2007

mod_jk connector and GlassFish2

finally i was able, after some troubles, to configure mod_jk of Apache and GlassFish...

why (you're gonna ask)???

well...not really for load balancing, at least not for now...

you know, I'm a paranoid security system administrator and pen tester, and trust me
that leave your AS directly exposed to Internet is always a bad choice...

in fact i'm using a modified version of mod_Security, for which i'm creating a particular parser in Java
to show the logs in a useful and realtime way ;);) don't loose the topic in too many words...
take a look here :)

and here

Tuesday, October 30, 2007

Acegi Security + Icefaces

today my blogging activity is fucking intense :)
this is my first post about excited:):)
well, just a little how-to about how to configure your JEE development environment
to work with Acegi and Icefaces (and JSF).

Do you know Acegi Security? it's a really powerful security framework for those JEE applications
that needs a best fine-grained access control/session management: JAAS sometimes really sucks...

just google it :)

if you are not working with Spring and IceFaces, the first problem is to configure the libraries you need to deploy all your now I will take a closer look about these damned libraries...
I suppose (and recommend you) that you're using Glassfish...

libraries to add in the application server dir (/path/to/AppServer/lib):
- ehcache []
- apache ORO []
- IceFaces libs: practically all the jars contained inside the "lib" directory of the BIN downloadable version of IceFaces libs (here is contained also the important acegi-security-1.0.1.jar)

libraries to add in your IDE:
- acegi-security-1.0.1.jar;
- all the icefaces libs

after some hours of headache and blasphemies, I've figured out why I was getting a strange SessionExpired Exception using a simple application created few minutes before...

you MUST add the following listener in your deployment descriptor (web.xml):

eventually, if it's not already present, the following too:

That's all....enjoy Icefaces with Acegi :):)

Dual monitor

I'm proud to announce that from now I will work with dual monitor :)
Finally I was able to configure with my loved Gentoo and my fucking ATI 9600, thanks to Xinerama,
another useful monitor...

I've used closed source drivers...
It seems it's working well...

just an aticonfig --initial=dual-head --dtop=horizontal --screen-layout=right -v
and all was working :):) good good

just remember to add

Section "ServerFlags"
Option "Xinerama" "true"

to your xorg.conf