Archive

Archives pour la catégorie ‘Logiciel’

What is a Distributed Firewall?

27/03/2023 Aucun commentaire

In the post “What is Network Virtualization?” I described a model where the application’s complete L2-L7 virtual network is decoupled from hardware and moved into a software abstraction layer for the express purpose of automation and business agility. In this post I’ll focus on network security, and describe an imminent firewall form factor enabled by Network Virtualization — the Distributed Firewall.

ALL YOUR PACKET ARE BELONG TO US

If InfoSec ruled the world … well, OK, maybe not the world … if InfoSec ruled the data center network design, and if money was no object, we would probably have something like this. Every server in the data center directly connected to its own port on one massive firewall. Every packet sent from every server would be inspected against a stateful security policy before going anywhere. And every packet received by every server would pass one final policy check before hitting the server’s NIC receive buffer. The firewall wouldn’t care about the IP address of the servers, for the simple reason that it’s directly connected to every server. E.g. “The server on this port can talk to the server on that port, on TCP port X”. And if that wasn’t good enough, the firewall knows everything about the servers connected to it, and can create rules around a rich set of semantics. All of this with no performance penalty. That would be awesome, right?

Let’s pretend money was not the issue. How would you design this massive omnipresent data center firewall? I can think of three ways off hand.

  1. You design a monstrous power sucking stateful firewall chassis with thousands of line-rate ports. At this point it’s time to route a ghastly mess of cables from every server to this centralized mega firewall core chassis – but that’s somebody else’s problem. Oh, and don’t forget you’ll need two of those bad boys for “redundancy”. Your monster firewall is pretty freaking awesome at security, but only so-so at basic L2 and L3 networking. But so what — the network team can learn to like it or find a new job. And if you run out of ports … no worries; just wait another few years for a bigger chassis and do the rip/replace routine.
  2. You design a line rate stateful firewall ToR switch. Rip out the network team’s favorite ToR and put this one in its place. Tell them to stop throwing a fit and just deal with it. You’ll have hundreds of these ToR firewalls to manage and configure consistently. No problem … just let the network team re-apply for their jobs as firewall engineers.

Go ahead and pinch yourself now. This is nothing but a fantasy nightmare.

The interests of security often poorly translate into networking. Comprehensive security ~= Compromisednetworking.

What about design #3? More on that in a minute. (Hint: title of the post)

In the real world, rest assured we do have firewalls to provide some security. But this security is not ubiquitous, nor is it assured. Instead, we have firewalls (physical or virtual) hanging off the network somewhere catching steered packets – and we can only hope the network was configured correctly to steer the right traffic to the right policy.

In this post we’ll briefly review the physical and virtual firewall, followed by a discussion on the Distributed Firewall.

Lire la suite…

Categories: Logiciel, Réseau Tags:

How to set up web-based network traffic monitoring system on Linux

26/03/2023 Aucun commentaire

When you are tasked with monitoring network traffic on the local network, you can consider many different options to do it, depending on the scale/traffic of the local network, monitoring platforms/interface, types of backend database, etc.

ntopng is an open-source (GPLv3) network traffic analyzer which provides a web interface for real-time network traffic monitoring. It runs on multiple platforms including Linux and MacOS X. ntopng comes with a simple RMON-like agent with built-in web server capability, and uses Redis-backed key-value server to store time series statistics. You can install ntopng network traffic analyzer on any designated monitoring server connected to your network, and use a web browser to access real-time traffic reports available on the server.

In this tutorial, I will describe how to set up a web-based network traffic monitoring system on Linux by using ntopng.

Features of ntopng

  • Flow-level, protocol-level real-time analysis of local network traffic.
  • Domain, AS (Autonomous System), VLAN level statistics.
  • Geolocation of IP addresses.
  • Deep packet inspection (DPI) based service discovery (e.g., Google, Facebook).
  • Historical traffic analysis (e.g., hourly, daily, weekly, monthly, yearly).
  • Support for sFlow, NetFlow (v5/v9) and IPFIX through nProbe.
  • Network traffic matrix (who’s talking to who?).
  • IPv6 support.

Install ntopng on Linux

The official website offers binary packages for Ubuntu and CentOS. So if you use either platform, you can install these packages.

If you want to build the latest ntopng from its source, follow the instructions below. (Update: these instructions are valid for ntopng 1.0. For ntopng 1.1 and higher, see the updated instructions).

To build ntopng on Debian, Ubuntu or Linux Mint:

$ sudo apt-get install libpcap-dev libglib2.0-dev libgeoip-dev redis-server wget libxml2-dev
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make

In the above steps, “make geoip” will automatically download a free version of GeoIP databases with wget from maxmind.com. So make sure that your system is connected to the network.

To build ntopng on Fedora:

$ sudo yum install libpcap-devel glib2-devel GeoIP-devel libxml2-devel libxml2-devel redis wget
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make

To install ntopng on CentOS or RHEL, first set up EPEL repository, and then follow the same instructions as in Fedora above.

Configure ntopng on Linux

After building ntopng, create a configuration directory for ntopng, and prepare default configuration files as follows. I assume that “192.168.1.0/24” is the CIDR address prefix of your local network.

$ sudo mkir /etc/ntopng -p
$ sudo -e /etc/ntopng/ntopng.start
--local-networks "192.168.1.0/24"
--interface 1

$ sudo -e /etc/ntopng/ntopng.conf
-G=/var/run/ntopng.pid

Lire la suite…

Categories: Logiciel, Réseau Tags: , ,

How to monitor a Linux server and desktop remotely from web browser

24/03/2023 Aucun commentaire

Monitoring Linux server

When it comes to monitoring a Linux server, there are more than enough options to choose from. While there are many production-quality monitoring solutions (e.g., Nagios, Zabbix, Zenoss), boasting of fancy UI, monitoring scalability, comprehensive reporting capabilities, etc., these solutions are probably an overkill for most of us end users. If all you need is to check the basic status (e.g., CPU load, memory usage, active processes, disk usage) of a remote Linux server or desktop, consider linux-dash.

linux-dash is a web-based lightweight monitoring dashboard for Linux machines, which can display, in real-time, various system properties, such as CPU load, RAM usage, disk usage, Internet speed, network connections, RX/TX bandwidth, logged-in users, running processes etc. linux-dash does not come with any backend database for storing long-term statistics. Simply drop in linux-dash app in an existing web server (e.g., Apache, Nginx), and you are good to go. It is a quick and easy way to set up remote monitoring for personal projects.

In this tutorial, I am going to describe how to set up linux-dash in Nginx web server on Linux. Nginx is preferred over Apache web server due to its lightweight engine.

Set up linux-dash on Debian, Ubuntu or Linux Mint

First, install Nginx web server with php-fpm.

$ sudo apt-get install git nginx php5-json php5-fpm php5-curl

Configure Nginx for linux-dash app by creating /etc/nginx/conf.d/linuxdash.conf as follows. In this example, we are going to use port 8080.

$ sudo vi /etc/nginx/conf.d/linuxdash.conf
server {
 server_name $domain_name;
 listen 8080;
 root /var/www;
 index index.html index.php;
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
 
 location ~* .(?:xml|ogg|mp3|mp4|ogv|svg|svgz|eot|otf|woff|ttf|css|js|jpg|jpeg|gif|png|ico)$ {
 try_files $uri =404;
 expires max;
 access_log off;
 add_header Pragma public;
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 }
 
 location /linux-dash {
 index index.html index.php;
 }
 
 # PHP-FPM via sockets
 location ~ .php(/|$) {
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_split_path_info ^(. ?.php)(/.*)$;
 fastcgi_pass unix:/var/run/php5-fpm.sock;
 if (!-f $document_root$fastcgi_script_name) {
 return 404;
 }
 try_files $uri $uri/ /index.php?$args;
 include fastcgi_params;
 }
}

Disable the default site configuration.

$ sudo rm /etc/nginx/sites-enabled/default

Configure php-fpm by editing /etc/php5/fpm/pool.d/www.conf. Make sure to edit “user“, “group” and “listen” directives as shown below. You can keep the rest of the configuration unchanged.

$ sudo vi /etc/php5/fpm/pool.d/www.conf

. . .
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
. . .

Proceed to download and install linux-dash.

$ git clone https://github.com/afaqurk/linux-dash.git
$ sudo cp -r linux-dash/ /var/www/
$ sudo chown -R www-data:www-data /var/www

Restart Nginx web server as well as php5-fpm to finalize installation.

$ sudo service php5-fpm restart
$ sudo service nginx restart

Lire la suite…

Categories: Logiciel, Système Tags: , ,

Phishing: Un développeur web recommande l’utilisation de “rel=noopener”

22/03/2023 Aucun commentaire

Pour empêcher les attaques par hameçonnage lancées en se servant du window.opener

phishingEn HTML, l’attribut “rel” peut être utilisé sur les balises <a> (qui permet de créer un lien hypertexte pointant vers un document en spécifiant l’URL de celui-ci au niveau de l’attribut “href” et qui permet également de définir des ancres au sein d’un document et les liens pour y accéder), <area> (qui permet de définir une zone particulière d’une image et peut lui associer un lien hypertexte) et <link> (qui permet de définir l’emplacement d’un fichier qui sera accessible au sein de la page où elle est déclarée couramment utilisée pour mettre en relation d’autres documents comme les feuilles de style).

Dans ces différentes balises, il est utilisé pour détailler la relation existante entre le document courant et le document qui sera ouvert par le lien et il prend pour valeur des éléments d’une liste de différentes relations dont les valeurs sont séparées par des virgules (par exemple “alternate”, “author”, “bookmark”, “help”, “license”, “next”, “nofollow”, “noreferrer”, “prefetch”, “prev”, “search”, “tag”).

Mathias Bynens, un développeur web front-end dans la ville de Termonde en Belgique, a voulu partager avec la communauté des développeurs web les bienfaits de l’une des valeurs de l’attribut “rel”, notamment “noreferrer” qui permet entre autres de résoudre un problème, mais lequel ?

En guise de démonstration, dans un billet blog il a proposé une petite expérience. Bynens propose les URL index.html et index/malicious.html. En définissant un lien vers la seconde URL avec l’attribut “target” qui avec la valeur “_blank”, cela va déclencher l’ouverture de la page cible dans une nouvelle fenêtre (dans ce cas la page malicious.html). Pour rappel, lorsqu’une fenêtre est ouverte depuis une autre fenêtre, elle conserve une référence à cette première fenêtre dans window.opener. Si la fenêtre courante n’a pas été ouverte par une autre fenêtre, la méthode renvoie null.

Bynens note que « le document malicious.html dans cette nouvelle page a l’élément windows.opener qui pointe vers l’élément window du document que vous regardez actuellement, c’est-à-dire index.html. Ce qui signifie que lorsque l’utilisateur clique sur le lien, malicious.html a un contrôle total sur l’objet window du document ». Dans le cas d’espèce, malicious.html vient remplacer l’onglet contenant index.html par index.html#hax, qui affiche un message caché.

« Ceci est un exemple relativement inoffensif, mais le lien aurait pu rediriger vers une page d’hameçonnage conçue pour ressembler à la vraie page index.html, demandant des informations de connexion. L’utilisateur ne l’aurait probablement pas remarqué, parce que l’accent est mis sur la page malveillante dans la nouvelle fenêtre tandis que la redirection se passe en arrière-plan. Cette attaque pourrait être encore plus subtile en ajoutant un retard avant de rediriger vers la page de phishing en arrière-plan », a-t-il avancé.

Dans cet exemple, index.html et index/malicious.html ont la même origine. Mais Bynens a indiqué qu’il est possible d’effectuer la même attaque avec des origines différentes.

Que faire pour empêcher que les pages n’abusent de window.opener ? Bynens recommande simplement de se servir de “rel=noopener”, « cela va permettre de vous assurer que window.opener a la valeur “null” sur Chrome 49 et Opera 36. Pour les navigateurs plus anciens, vous pouvez vous servir de “rel=noopener” qui va également désactiver l’en-tête HTTP “Refer”, ou alors vous servir de ce script JavaScript qui va potentiellement activer le bloqueur de popup.

var otherWindow = window.open();
otherWindow.opener = null;
otherWindow.location = URL;
Ne vous servez pas de “target=_blank” (ou tout autre “target” qui ouvre un nouveau contexte de navigation) en particulier pour les liens dans le contenu généré par l’utilisateur, à moins que vous n’ayez une bonne raison ».

Il a déjà averti les éditeurs de navigateurs dans des rapports de bogues. Le problème semble corrigé du côté de Chrome et Opera, mais pas encore chez Firefox, Safari et Edge.

Source : billet Mathias Bynens

Categories: Logiciel Tags: , ,

Owncloud: Using the occ Command

21/03/2023 Aucun commentaire

occ: la commande d’administration de ownCloud

ownCloud’s occ command

[ ATTRIBUTE: Please check: http://www.flickr.com/photos/91795203@N02/23828677959 to find out how to attribute this image]

owncloud
ownCloud’s occ command (ownCloud console) is ownCloud’s command-line interface. You can perform many common server operations with occ:

* Manage apps
* Manage users
* Convert the ownCloud database
* Reset passwords, including administrator passwords
* Convert the ownCloud database from SQLite to a more performant DB
* Query and change LDAP settings

occ is in the owncloud/ directory; for example /var/www/owncloud on Ubuntu Linux. occ is a PHP script. You must run it as your HTTP user to ensure that the correct permissions are maintained on your ownCloud files and directories.

The HTTP user is different on the various Linux distributions. See the Setting Strong Directory Permissions section of Installation Wizard to learn how to find your HTTP user.

  • The HTTP user and group in Debian/Ubuntu is www-data.
  • The HTTP user and group in Fedora/CentOS is apache.
  • The HTTP user and group in Arch Linux is http.
  • The HTTP user in openSUSE is wwwrun, and the HTTP group is www.

Running it with no options lists all commands and options, like this example on Ubuntu:

$ sudo -u www-data php occ
ownCloud version 8.0.3
Usage:
 [options] command [arguments]

Options:
 --help (-h)           Display this help message
 --quiet (-q)          Do not output any message
 --verbose (-v|vv|vvv) Increase the verbosity of messages: 1 for normal
                       output, 2 for more verbose output and 3 for debug
 --version (-V)        Display this application version
 --ansi                Force ANSI output
 --no-ansi             Disable ANSI output
 --no-interaction (-n) Do not ask any interactive question

Available commands:
 check                       check dependencies of the server environment
 help                        Displays help for a command
 list                        Lists commands
 status                      show some status information
 upgrade                     run upgrade routines after installation of a new
                             release. The release has to be installed before.

This is the same as sudo -u www-data php occ list.

Run it with the -h option for syntax help:

$ sudo -u www-data php occ -h

Display your ownCloud version:

$ sudo -u www-data php occ -V
  ownCloud version 8.0.3

Query your ownCloud server status:

$ sudo -u www-data php occ status
  - installed: true
  - version: 8.0.3.4
  - versionstring: 8.0.3
  - edition: Enterprise

occ has options, commands, and arguments. Options and arguments are optional, while commands are required. The syntax is:

occ [options] command [arguments]

Get detailed information on individual commands with the help command, like this example for the maintenance:mode command:

$ sudo -u www-data php occ help maintenance:mode
  Usage:
  maintenance:mode [--on] [--off]

  Options:
  --on                  enable maintenance mode
  --off                 disable maintenance mode
  --help (-h)           Display this help message.
  --quiet (-q)          Do not output any message.
  --verbose (-v|vv|vvv) Increase the verbosity of messages: 1 for normal
  output, 2 for more verbose output and 3 for debug
  --version (-V)        Display this application version.
  --ansi                Force ANSI output.
  --no-ansi             Disable ANSI output.
  --no-interaction (-n) Do not ask any interactive question.

 

Apps Commands

The app commands list, enable, and disable apps. This lists all of your installed apps, and shows whether they are enabled or disabled:

$ sudo -u www-data php occ app:list

Enable an app:

$ sudo -u www-data php occ app:enable external
  external enabled

Disable an app:

$ sudo -u www-data php occ app:disable external
  external disabled
Categories: Logiciel Tags: