Back in business writing apprentice docs!~

This commit is contained in:
Sivert V. Sæther 2022-08-08 08:47:33 +00:00
parent 4039da1a63
commit 798debc3e3
15 changed files with 230 additions and 88 deletions

View File

@ -2,7 +2,7 @@ en:
title: Sivert Does Stuff Online!
languageName: English
weight: 0
'no':
no:
title: Sivert Gjør Ting På Nett!
languageName: Norsk
weight: 2
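Review bot: Dropping the quotes from the `'no':` language key is risky. YAML 1.1 parsers, including the one Hugo uses, read a bare `no` as the boolean `false`, so the Norwegian block may end up keyed by `false` rather than `"no"` and its `title`, `languageName` and `weight` silently ignored. Keep the key quoted as `'no':` (Hugo's own documentation calls this case out).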

View File

@ -15,32 +15,34 @@ This section of my blog serves as an index of technologies I've learned or becam
It also serves the purpose of the required documentation apprentices in Norway are supposed to do. :flushed:
Here are lists of stuff I'll be writing about here;
:x: not started :construction: marks work in progress :white_check_mark: marks complete!
## Programming
### Python
- Flask :baby_bottle:
- SQLAlchemy :sake:
- MSAL (Microsoft Authentication Library) :banjo:
- :x: Flask :baby_bottle:
- :x: SQLAlchemy :sake:
- :construction: MSAL (Microsoft Authentication Library) :banjo:
### Browser JavaScript
- jQuery :calling:
- Handlebars.js :wavy_dash:
- :x: jQuery :calling:
- :construction: Handlebars.js :wavy_dash:
## Programs / Tools
- Docker :smiling_face_with_hearts:
- FreeRADIUS :crystal_ball:
- Postgres :floppy_disk:
- Ansible :gun:
- :construction: Fail2ban :hammer:
- :construction: Docker :smiling_face_with_hearts:
- :x: FreeRADIUS :crystal_ball:
- :x: Postgres :floppy_disk:
- :construction: Ansible :gun:
## OS / Networking
- Debian :dolls:
- Mikrotik :package:
- Cisco Meraki :cloud:
- :x: Debian :dolls:
- :construction: Mikrotik :package:
- :x: Cisco Meraki :cloud:
## Azure
- App Registration :rocket:
- Active Directory :dizzy:
- :white_check_mark: App Registration :rocket:
- :x: Active Directory :dizzy:
## The WHM saga (shortie)
- Wordpress :eyes:
- cPanel :shit:
- WHM :ok_hand:
- :construction: Wordpress :eyes:
- :construction: cPanel :shit:
- :construction: WHM :ok_hand:
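Review bot: The legend line `:x: not started :construction: marks work in progress :white_check_mark: marks complete!` mixes two phrasings and runs the three entries together with no separator, which makes it hard to read next to the lists it explains. Something like `:x: not started, :construction: work in progress, :white_check_mark: complete` (or one entry per line) would be clearer.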

View File

@ -1,6 +1,6 @@
---
date: 2022-06-07T07:15:24Z
draft: true
draft: false
aliases: []
categories: ['documentation']
series: ['apprentice']

View File

@ -11,3 +11,4 @@ title: cPanel
description: cPanel is a server interface provided by many hosting providers for web based management of the servers by their customers
---
I think anyone who uses cPanel should be aware of [WHM](../whm).

View File

@ -1,6 +1,6 @@
---
date: 2022-06-13T08:42:53Z
draft: true
draft: false
aliases: []
categories: ['various']
series: []
@ -8,6 +8,7 @@ tags: ['various']
chroma: false
toc: true
title: Docker Fix
description: The adventure I went through with fixing a terrible docker-compose local development setup
description: The adventure I went through with fixing a terrible docker-compose local development setup.
---
# :construction: Work in progress
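Review bot: The first hunk flips `draft` to `false`, but the only body content visible under the front matter is `# :construction: Work in progress`, so the site now publishes an essentially empty page whose description promises "The adventure I went through with fixing a terrible docker-compose local development setup." If publishing the placeholder is deliberate, consider keeping the page in draft until the write-up exists, since the Docker page already links to it as the reference for multi-stage builds.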

View File

@ -1,18 +1,60 @@
---
date: 2022-06-11T17:33:55Z
draft: true
draft: false
aliases: []
categories: ['docker']
series: ['apprentice']
tags: ['programming', 'devops', 'docker']
chroma: false
chroma: true
toc: true
title: Docker
description: Introduction to Docker for local development and production deployment ready images.
---
Docker is a super container management system that let's you isolate programs and services running on servers.
Docker is a super container management system that lets you isolate programs and services.
This is very useful, both during development and for production deployment.
Because all dependencies may be bundled into the "docker image", and if the program/service is hacked.
Because all dependencies may be bundled into the "docker image".
And if the program/service is hacked.
The adversary will only have access to the container.
Which with proper configuration
Which with proper configuration should make it super hard for any adversary to gain persistence.
## Local development
When using docker for local development.
You'd likely want to have a container that has all tools and dependencies for the project.
But not the project itself, because you'd mount that into the container with the latest local changes.
So for example a simple project would just need a compiler or interpreter for the programming language.
And you should be good to go!
Although you'd want to have auto-reloading or similar to automagically run or reload on code changes.
### Simple example
This is a simple docker setup for local development of a simple python web-app.
The Dockerfile; Dockerfile.local
{{< highlight docker >}}{{% asset "apprentice/docker/basic/local-dev.dockerfile" %}}{{< /highlight >}}
Build it;
{{< highlight shell >}}docker build -t python-webapp Dockerfile.local{{< /highlight >}}
Run it;
{{< highlight shell >}}docker run -v ./:/opt -itp 8080:80 python-webapp ./run.py{{< /highlight >}}
## Production ready images
For production on the other hand.
You want the application with the whole runtime within the docker image.
And you want it to be as standalone as possible for easy deployment in Kubernetes and the like.
The only real change needed to our simple python web-app example would be including the app in the docker image.
{{< highlight docker >}}{{% asset "apprentice/docker/basic/production.dockerfile" %}}{{< /highlight >}}
The only difference from the local development version is the COPY of the entire project folder.
Instead of just the requirements.txt, if you have any sort of build step.
You'd likely want to either just include the built application.
Or maybe even try docker multistep builds.
Doing so allows you to have one docker based build environment.
And a completely different one for the runtime that will become the actual docker image.
This is very good for many reasons, main one usually being minimal docker images.
For such advanced usage see [docker-fix](../docker-fix).
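Review bot: The build command `docker build -t python-webapp Dockerfile.local` is wrong: the positional argument to `docker build` is the build context directory, and the Dockerfile is selected with `-f`, so it should read `docker build -t python-webapp -f Dockerfile.local .`. The run command's `-v ./:/opt` uses a relative host path, which bind mounts do not accept on older Docker releases; `-v "$PWD":/opt` is the portable form. Separately, the intro's claim that a compromised service leaves the adversary with "only the container" and makes persistence "super hard" rests entirely on the unspecified "proper configuration". Spell out what that means here, since none of it is the default: run the process as a non-root user, never pass `--privileged` or the Docker socket into the container, drop unneeded capabilities, and use a read-only root filesystem. The container still shares the host kernel, so isolation is only as strong as those settings.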

View File

@ -19,7 +19,7 @@ As in Norway the company needs to be registered, with one guy who is supposed to
And another one whom which the apprentices may go to if any issue in the workplace should appear.
All of this was for sure very lacking in both companies.
And it feels like I was just a normal employee that got payed like :poop:.
And it feels like I was just a normal employee that got pay'd like :poop:.
## Timeline
In chronological order I got approved at Sircon kinda late, after we were done at school and most of the class already working.
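Review bot: The replacement `pay'd` on the changed line is still misspelled; the past tense is `paid` (`got paid like :poop:`).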
@ -32,7 +32,7 @@ That was kinda nice actually, and I probably should've just gone through with it
Cause then I'd have my papers after only one year.
Whereas a normal apprenticeship in Norway is two years in almost all fields.
This alternative was also pretty fun.
Because my teacher let me work on whatever, as long as it was IT focused and I documented it.
Because my teacher let me work on whatever, as long as it was IT focused, and I documented it.
The reason I still went to SkyLabs after all that is mostly money...
Which also happens to seem like the root of my biggest problems at that company...

View File

@ -0,0 +1,25 @@
---
date: 2022-07-14T09:01:03Z
draft: false
aliases: []
categories: ['documentation']
series: ['apprentice', 'security']
tags: ['firewall', 'tech']
chroma: false
toc: true
title: Fail2ban
description: Fail2ban is a neat tool that makes it easy to watch logs and ban IP's that try to do malicious stuff to your servers.
---
At SkyLabs I had the surprisingly pleasant experience of configuring fail2ban for a bunch of production servers.
What fail2ban simply does is watch log files, match the lines against predefined regex patterns.
After a predefined amount of matches for a specific IP, it gets :hammer: banned.
The super cool thing about this is that the max retry, and most options may be set globally, but also locally for each "jail".
These jails are just configs for the filters.
Those filters are where the magic happens!
It's configs that describe the regex for matching log lines.
There is also the actions.
Actions describe shell commands for performing bans.
And extra stuff to also do when banning IPs.
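Review bot: Two points on the new page. Style: `ban IP's` in the description is a plural, so `IPs`. Documentation: since bans are applied automatically after `maxretry` matches for an address, the page should mention `ignoreip` alongside the global and per-jail options it describes. Without an allowlist for the management addresses (and any shared NAT egress), a few mistyped SSH passwords from the operator's own network trigger a ban, which is the most common way fail2ban locks its administrator out of a production server.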

View File

@ -1,6 +1,6 @@
---
date: 2022-06-08T10:34:42Z
draft: true
draft: false
aliases: []
categories: ['various']
series: []
@ -11,11 +11,6 @@ title: Mikrotik
description: Mikrotik routers has a lot of wierd stuff builtin, here is some of that
---
# Full disk problem
The built-in drive on the boxes may get filled up by hidden files...
There exists an official [fix_space](https://www.mikrotik.com/download/share/fix_space.npk) package, but finding that was a little adventure in itself reading through old forum threads from 2018...
# SkyLabs provisioning/setup problem
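Review bot: The page is now published (`draft: false` in the first hunk), but this hunk leaves `# SkyLabs provisioning/setup problem` as a heading with no body, so the rendered page ends on an empty section; either add the content or drop the heading until it exists. The unchanged description line also still reads `Mikrotik routers has a lot of wierd stuff builtin` (should be `have` and `weird`).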

View File

@ -1,13 +1,18 @@
---
date: 2022-06-20T14:10:19Z
draft: true
draft: false
aliases: []
categories: ['various']
series: []
tags: ['various']
categories: ['documentation']
series: ['apprentice', 'programming']
tags: ['cloud', 'tech']
chroma: false
toc: true
title: MSAL
description: MSAL the new and cloud/Azure AD only version of the old ADAL, both of these are libraries that Microsoft has implemented in sevral programming languages for Active Directory authenitication built into whatever apps you're programming
description: MSAL the new and cloud/Azure AD only version of the old ADAL, both of these are libraries that Microsoft has implemented in sevral programming languages for Active Directory authenitication built into whatever apps you're programming.
---
MSAL stands for Microsoft Authentication Library.
It's the replacement for ADAL, the Active Directory Authentication Library.
Although Microsoft now definitely pushes cloud hard like most tech companies.
So MSAL is focused on Azure AD specifically.
Where there is a distinct difference between "organizational" accounts and normal public Microsoft services account.
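Review bot: The changed description line only appends a period and carries the typos over: `sevral` should be `several` and `authenitication` should be `authentication`. It is also a single very long sentence; splitting it (`MSAL is the new, Azure AD only successor to ADAL. Both are Microsoft libraries, available in several languages, for building Active Directory authentication into your apps.`) would read better in the page listing. In the body, `Although Microsoft now definitely pushes cloud hard like most tech companies. So MSAL is focused on Azure AD specifically.` is one thought split over two fragments and would read better as a single sentence.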

View File

@ -0,0 +1,22 @@
---
date: 2022-07-04T13:11:57Z
draft: false
aliases: []
categories: ['apprentice']
series: ['hacking', 'security']
tags: ['apprentice', 'tech', 'bug']
chroma: true
toc: true
title: Security issues
description: Various security issues I found, disclosed and got fixed as an apprentice!
---
Here is a collection of security issues I found, disclosed and got fixed as an apprentice!
This one is divided into two main parts corresponding to the company I worked with when finding the issues.
First one is [Sircon](sircon) and second [SkyLabs](skylabs).
I have a pretty extensive Non Disclosure Agreement with SkyLabs.
So anything I publish to the internet around them needs to be approved or clearly not covered by the NDA.
At SkyLabs I fixed the issues myself, but at Sircon they delegated all the boring support to me and the previous apprentice.
So there I just disclosed the issue to the responsible person and both of them fixed their respective issues within an hour or so of the disclosure.
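Review bot: Taxonomy on the new front matter is inconsistent with the rest of this commit: this page uses `categories: ['apprentice']` with `series: ['hacking', 'security']`, while the other apprentice pages in the same commit use `categories: ['documentation']` with `series: ['apprentice', ...]`. Pick one scheme so the apprentice series listing actually includes these pages. Also, `[Sircon](sircon)` and `[SkyLabs](skylabs)` are relative links without the `../` the other pages use; check that they resolve from the rendered index URL.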

View File

@ -0,0 +1,43 @@
---
date: 2022-07-04T13:12:00Z
draft: false
aliases: []
categories: ['apprentice']
series: ['hacking', 'security']
tags: ['apprentice', 'tech', 'bug']
chroma: true
toc: true
title: Sircon
description: Security issues I found at Sircon AS. They were all fixed quickly by the responsible persons.
---
These guys have a few beefy ass physical servers in their own rack in a supposedly EMP and fire safe room in the basement of their offices.
Those physical machines run virtual machines that run WHM/cPanel and whatever PHP app the customer would like.
But >90% of their customers are non-technical and just only interact with the default WordPress setup and maybe the e-mail service that comes with their cPanel.
Most of the people calling in to their support line has problems using their e-mail, and it's usually the end user who fucked up.
## Servers
Have you ever used Apache httpd? Have you ever used its .htaccess config?
Well it's pretty cool, but may pose a threat on shared "web hotels" like WHM servers running a whole lot of cPanel accounts.
If using .htaccess is allowed users may set their own configuration options for httpd.
And the issue I identified here was the fact that cgi configuration options where allowed in .htaccess.
So I had some fun making wired cgi scripts in python, perl and bash.
The last thing I did before disclosing it to Sircon's server guy was to make a proof of concept script that gave me a shell on the server.
As they don't allow ssh access and PHP is configured to not allow anything dangerous, like the system() function, that would allow you to create shells.
Example .htaccess to run cgi scripts.
{{< highlight apache >}}{{% asset "apprentice/security/htaccess" %}}{{< /highlight >}}
The fix for this is the [AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) directive.
Just make sure it does not include "FileInfo".
## WordPress
I found a bug on their homepage [sircon.no](https://sircon.no) where they have a simple WordPress shop with a couple of cool features, like [this](https://sircon.no/sjekk-om-din-nettbutikk-nettsted-driftes-miljovennlig/) where you supposedly can check how green a web page is. As in green energy.
The bug I found was missing server side validation and a shopping cart that's stored in the browsers local storage with price specified.
This is a pretty minor issue however, as they don't do automatic provisioning, and it only gets added to some internal webpage they use to keep track of everything.
But whatever you posted as the price would show up in that tool.
You could even post negative prices!
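Review bot: The stated fix at the end of the `## Servers` section is incomplete. `AllowOverride` without `FileInfo` does block `AddHandler cgi-script` in `.htaccess`, but enabling CGI execution also needs `Options +ExecCGI`, and the `Options` directive is governed by the `Options` override, not `FileInfo`. The shared-hosting hardening is therefore `AllowOverride` without both `FileInfo` and `Options` (or `Options=` with an explicit list that excludes `ExecCGI`), plus a check of anything granted through `AllowOverrideList`. Two spelling fixes in the same section: `options where allowed` should be `were allowed`, and `wired cgi scripts` is presumably `weird`.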

View File

@ -1,21 +1,16 @@
---
date: 2022-06-07T07:15:51Z
draft: true
date: 2022-07-04T13:35:43Z
draft: false
aliases: []
categories: ['apprentice']
series: ['hacking', 'security']
tags: ['apprentice', 'tech', 'bug']
chroma: true
toc: true
title: Security issues
description: Various security issues I found, disclosed and got fixed as an apprentice!
title: SkyLabs
description: Security issues I found working as an apprentice at SkyLabs AS. Compared to Sircon, these ones I actually had to figure out how to fix myself.
---
Here is a collection of security issues I found, disclosed and got fixed as an apprentice!
At SkyLabs I fixed the issues myself, but at Sircon they delegated all the boring support to me and the previous apprentice.
So there I just disclosed the issue to the responsible person and both of them fixed their respective issues within an hour.
## SkyLabs
SkyLabs has surprisingly good stability compared to expectations based on the codebase.
I'm guessing it's a byproduct of Python that let's us fail pretty safely on almost all endpoints.
The in-house development is mainly four services, two JS frontends and two Python Flask backends, all web.
@ -24,7 +19,7 @@ These services are a captive portal, it's API and an admin interface web app and
We support lots of interesting [authentication](https://wiki.skylabs.no/partner:authentication) methods!~
### Sky ID Admin
## Sky ID Admin
And so far the only real security related issue I've found in the in-house codebase is that the Access Control was missing a check.
The problem is that API keys that are associated with a deleted account is valid.
Allowed methods are by x-api-key Authorization header, api-key as an url parameter or by Json Web Token.
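Review bot: Grammar on the unchanged context line: `API keys that are associated with a deleted account is valid` should be `are valid`. On the following line, the page lists `api-key as an url parameter` as an accepted method without comment; that deserves a caveat right next to the access-control finding, because a key sent in the query string is written to web server access logs, proxy logs and browser history, so an unrotated key (the section already notes old keys are a theme) is exposed in more places than the header and JWT variants.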
@ -65,20 +60,24 @@ Old keys is a theme on SkyLabs servers.
I'm surprised no one, as far as we know anyway, has broken into the servers yet.
#### Funny
### Funny
Something I find kinda funny is the fact that those exception descriptions are in English, but the admin frontend is entirely in Norwegian only.
It's even got a big ass JavaScript file that maps all the error codes to messages.
And the best part about that whole situation is the fact that my boss/the sales guy at the company wants to sell our services outside Norway...
The only part that supports multiple languages is the actual captive portal, but even that has a bug which makes it so that only two languages can be active at one time.
#### Minor
### Minor
One minor issue I found in our production system is the password for the "system" account.
The password for that account is a real shitty one that I've seen used several palaces at the company.
It's even been used as a Wi-Fi password.
To fix this one very easily I just enabled 2FA on the account.
But the whole account should probably just be deleted as nobody ever uses it.
### Servers
{{< raw >}}
<!-- You cheecky bastard! -->
{{< /raw >}}
<!--
## Servers
{{< img src="apprentice/skyid/old-intrauser-key.png" caption="The old intrauser ssh key" >}}
On the other side, the cloud servers had some bigger problems.
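Review bot: Spelling on the unchanged `### Minor` lines: `several palaces` should be `several places`. On substance, that section says the weak password on the shared `system` account was mitigated by enabling 2FA, but the same lines say the password is reused elsewhere, including as a Wi-Fi password; rotating it everywhere it was reused is the fix that actually addresses the finding, with 2FA as the extra layer, and deleting the unused account, which the text already suggests, is the cheapest option. Worth saying so explicitly so a reader does not take "enable 2FA" as the complete remediation.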
@ -107,35 +106,7 @@ To be honest I'm quite surprised the servers hasn't been pwnd big time!
As I've in fact proven that any ex-employee that has a copy of our Ansible repo could easily forge OpenVPN client keys and certificates.
And also got full root access over ssh anyway.
Just add a little [Tor](https://torproject.org/) magic on top of that, and you got full access to all the servers without us being able to trace it back...
## Sircon
These guys has a few beefy ass physical servers in their own rack in a supposedly EMP and fire safe room in the basement of their offices.
Those physical machines run virtual machines that run WHM/cPanel and whatever PHP app the customer would like.
But >90% of their customers are non-technical and just only interact with the default WordPress setup and maybe the e-mail service that comes with their cPanel.
Most of the people calling in to their support line has problems using their e-mail, and it's usually the end user who fucked up.
### Servers
Have you ever used Apache httpd? Have you ever used its .htaccess config?
Well it's pretty cool, but may pose a threat on shared "web hotels" like WHM servers running a whole lot of cPanel accounts.
If using .htaccess is allowed users may set their own configuration options for httpd.
And the issue I identified here was the fact that cgi configuration options where allowed in .htaccess.
So I had some fun making wired cgi scripts in python, perl and bash.
The last thing I did before disclosing it to Sircons server guy was to make a proof of concept script that gave me a shell on the server.
As they don't allow ssh access and PHP is configured to not allow anything dangerous, like the system() function, that would allow you to create shells.
Example .htaccess to run cgi scripts.
{{< highlight apache >}}{{% asset "apprentice/security/htaccess" %}}{{< /highlight >}}
The fix for this is the [AllowOverride](https://httpd.apache.org/docs/current/mod/core.html#allowoverride) directive.
Just make sure it does not include "FileInfo".
### WordPress
I found a bug on their homepage [sircon.no](https://sircon.no) where they have a simple WordPress shop with a couple of cool features, like [this](https://sircon.no/sjekk-om-din-nettbutikk-nettsted-driftes-miljovennlig/) where you supposedly can check how green a web page is. As in green energy.
The bug I found was missing server side validation and a shopping cart that's stored in the browsers local storage with price specified.
This is a pretty minor issue however, as they don't do automatic provisioning, and it only gets added to some internal webpage they use to keep track of everything.
But whatever you posted as the price would show up in that tool.
You could even post negative prices!
-->
{{< raw >}}
<!-- Grep my github.io repo for secrets located here! -->
{{< /raw >}}
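Review bot: Wrapping the old `## Servers` section in a bare `<!-- ... -->` is not a safe way to unpublish it. Hugo expands shortcodes before the Markdown renderer ever sees the HTML comment, so the `{{< img src="apprentice/skyid/old-intrauser-key.png" ... >}}` line will still be processed (and the image still copied into the site), and depending on the renderer's `unsafe` setting the commented paragraphs themselves, including the description of forging OpenVPN client certificates from the Ansible repo and root access over ssh, can survive into the published page source. Use Hugo's comment form `{{</* img ... */>}}` for the shortcode, and move NDA-sensitive paragraphs out of the content file altogether rather than relying on an HTML comment. The closing `{{< raw >}}<!-- Grep my github.io repo for secrets located here! -->{{< /raw >}}` is clearly intentional and a different case, but it is worth being sure nothing sensitive actually sits in that repository's history before publishing the invitation.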

View File

@ -11,3 +11,4 @@ title: WHM
description: Web Host Manager, this is the secret sauce for many companies that do shared Linux server web hosting with cPanel
---
WHM/Web Host Manager is the partner/backend admin panel for [cPanel](../cpanel).

View File

@ -2,12 +2,46 @@
date: 2022-06-20T14:06:54Z
draft: true
aliases: []
categories: ['various']
series: []
tags: ['various']
categories: ['documentation']
series: ['apprentice', 'cms']
tags: ['wordpress', 'tech', 'cms']
chroma: false
toc: true
title: WordPress
description: The worlds most popular and whackiest web page Content Management System
---
WordPress is by far the world's most popular Content Management System.
And it makes sense with its ease of use.
It's famous for letting anyone have a blog setup within 5 minutes.
For the initial setup you just create an account for the admin panel.
And set things like the base URL/domain for the web page.
After that you're free to explore the /wp-admin and make the content for the page.
There is also the healthy plugin and theme marketplaces for WordPress that you may access from within the admin pages of a standard WordPress setup.
So without any technical skills one should be able to make a WordPress page or blog that looks fine and even has web store integration against stripe or some alternative payment provider.
By far the most popular option for having a simple web store is WooCommerce using stripe.
Anyway, while this is all cool, fine and dandy.
WordPress is super slow.
Because it's a PHP web-app where all requests should be run through the same index.php file.
The problem with this is that it has heavy implications for the security setup of the web server hosting the thing.
But also performance as that index.php would load the whole WordPress setup, including plugins and theme.
So what can we do about it?
Well as it turns out, a lot!
## Simple WordPress improvements
The first and easiest thing to do to a WordPress page is adding caching of the page.
The best WordPress cache plugin is [WP Fastest Cache](https://wordpress.org/plugins/wp-fastest-cache/).
Any cache should help with page load, but that one is for sure the best option.
And of course I'd recommend going through all the configuration options, but the defaults should be fine.
This and any other self-respecting WordPress cache plugin should be able to automagically detect when pages need re-rendering and if not show the cached version of the page.
## WordPress security
When it comes to securing a WordPress setup, it's important to make sure the actual web server in use is configured properly.
Here I'll showcase some example nginx and Apache configs for a hardened WordPress installation.
If your WordPress is installed in some shared hosting solution.
Then it's up to the hosting provider to configure the web server and potentially php-fpm or something properly.
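Review bot: The `## WordPress security` section ends with `Here I'll showcase some example nginx and Apache configs for a hardened WordPress installation.` but no config follows in this hunk, so the section promises content it does not contain; either add the configs or mark the section work in progress as the other pages do. Smaller points: `stripe` is a product name and should be `Stripe` (twice), the unchanged description still reads `The worlds most popular` (`world's`), and `Anyway, while this is all cool, fine and dandy. WordPress is super slow.` is one sentence split in two. The page also stays `draft: true`, unlike the rest of this commit, which is fine if intentional.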