I have not blogged since a long time mainly because I was a bit busy authoring a book Squid Proxy Server 3.1: Beginner’s Guide for Packt Publications. The book is an introductory guide to Squid (especially the new features in Squid-3 series) covering both the basic aspects as well as the in dept details for advanced users. The book focuses on learning by doing and provides example scenarios for the concepts discussed throughout the book. Access control configuration, reverse proxying, interception proxying, authentication and other features have been discussed in details with examples.

Checkout the links below:

• Table of contents
• Sample Chapter : Running Squid
• Amazon link

Fedora Tutorials and Videocache by Kulbir Saini.

There is a vulnerability in the way Google authentication service works. Whenever you login to any of the Google’s online services like GMail, Orkut, Groups, Docs, Youtube, Calendar etc., you are redirected to an authentication server which authenticates against the entered username and password and redirect back to the required service (GMail, Youtube etc.) setting the session variables.

Now, if you are able to grab the url used to set the session variables, you can login as the user to whom that url belongs from any machine on the Internet (need not be the machine belonging to the same subnet) without entering the username and password of the user.

The proxy servers in the organizations can be used to exploit this vulnerability. Squid is the most popular proxy server used. In the default configuration, squid strips the query terms of a url before logging. So, this vulnerability can’t be exploited. But if you turn off the stripping mechanism by adding the line shown below, then squid will log the complete url.

strip_query_terms off

So, after turning stripping mechanism off, the log will contain urls which will look like this

http://www.google.co.in/accounts/SetSID?ssdc=1&sidt=Q5UrfB0BAAA%3D.oHVGErODzffQ%2Bms%2FOKfk53g5naReDKehRNHOBsmJlBu3VTNXjF03SbgX%2FVEEhmImhR4mlu5IAAjM%2BdbuXvMMSIb0oU8IGCYpnLcSNkbCIrG%2BQnm81YmX5%2Brcrq7U6Qx65%2F1yaQ2NzgmKD94jg0Iw13iXDen3qD5qn6L%2FhmmYWwTrcOeuTzGbO%2BAehpjEU3mrWapRafaq3b4kxyigJ68s8QrGQqZTINNE%2Bs%2BoIkZWmGt5kNzoT8fkVAsWJeu3CKFkxj4oVMngeDvpwb1nyFpsJCltOzmAr46fTxVJSpvQdx0%3D.BMLtjUdIDCcuszktZSvYzA%3D%3D&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26ts%3D1226148773097%3A1226148773386%3A1226148774868%26auth%3DDQAAAIcAAAC1pPE1QT4chKgrU4B3oyKZrQRkEVPtYlclpESQoXV_d9x9gdoe75Z0hfJ_22Pn5tVMR7j-uV5YCps3NB48L0bFlDeX-4PGHVT6Loztp_ru3tAy_gxDa9_YAEbz4d9CO4wD2VTKtzax9zvpGgrnJVZQfoWPkkIomUmxDtVGoH7g3fA3UjS0vdBJ2PJtgFMElso

Replace .co.in with your tld specific to your country. If you paste this url in any browser, it’ll directly log you in and you can do whatever you want to that account. Remember that all such urls remains valid only for two minutes. So, if you use that url after two minutes, it’ll lead nowhere.

At the time of writing this post Orkut, Google Docs, Google Calendar, Google Books and Youtube are vulnerable.

So, make sure your squid has stripping mechanism turned on and your squid server is properly firewalled.

You can watch the Video proof for Orkut on Blip.tv, Youtube.

Fedora Tutorials and Videocache by Kulbir Saini.

Mission

To write a Python program which can be used to authenticate for Squid proxy server. This is useful when you don’t want to configure complex systems like LDAP, ntlm etc.

Use Cases

1. When you want to authenticate clients using mysql database.
2. When you want to authenticate clients using flat files or /etc/passwd file or some custom service on your network.

How to proceed

From auth_param section in squid.conf file:

Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. "ERR" responses may optionally be followed by a error description available as %m in the returned error page.

By default, the basic authentication scheme is not used unless a program is specified.

That clearly states that our python program should read a line from standard input (stdin) and write the appropriate response to the standard output (stdout). But there are some issues with I/O. The output should be unbuffered and should be flushed to standard output immediately after the response is known.

So, lets see a small program where we authenticate using a function ‘matchpassword()‘. This function returns True when username, password pair matches and returns False when they mismatch.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

#!/usr/bin/python
 
import sys
import socket
"""USAGE:The function returns True if the user and passwd match False otherwise"""
def matchpasswd(login,passwd):
    # Write your own function definition. 
    # Use mysql, files, /etc/passwd or some service or whatever you want
    pass
 
while True:
    # read a line from stdin
    line = sys.stdin.readline()
    # remove '\n' from line
    line = line.strip()
    # extract username and password from line
    username = line[:line.find(' ')]
    password = line[line.find(' ')+1:]
 
    if matchpasswd(username, password):
        sys.stdout.write('OK\n')
    else:
        sys.stdout.write('ERR\n')
    # Flush the output to stdout.
    sys.stdout.flush()

Save the above file somewhere. We save this example file in /etc/squid/custom_auth.py .Now, we have the function for authenticating clients. We need to configure squid to use custom_auth.py . Below is the squid configuration for telling squid to use the above program as basic authenticator.

1
2
3
4
5
6
7
8
9
10
11

# you need to specify /usr/bin/python if your file is not executable and needs an interpreter to be invoked.
# Replace /usr/bin/python with /usr/bin/php , if you write auth program in php.
auth_param basic program /usr/bin/python /etc/squid/custom_auth.py
# how many instances of the above program should run concurrently
auth_param basic children 5
# display some message to clients when they are asked for username, password
auth_param basic realm Please enter your proxy server username and password
# for how much time the authentication should be valid
auth_param basic credentialsttl 2 hours
# whether username, password should be case sensitive or not
auth_param basic casesensitive on

Now, to force clients to authenticate, configure the acls as follow. Below we assume, you want to force all clients on your lan to authenticate for using proxy server.

1
2
3
4
5
6

# acl to force proxy authentication
acl authenticated proxy_auth REQUIRED
# acl to define IPs from your lan
acl lan src 192.168.0.0/16
# acl to force clients on your lan to authenticate
http_access allow lan authenticated

Now, reload/restart squid. That’s all we need to write and use a custom authentication plugin for squid.

Limitation

Username can’t contain spaces. Otherwise program will not be able to parse/extract username, password from standard input.

Fedora Tutorials and Videocache by Kulbir Saini.

This post is totally dedicated to vsftpd configuration with uploads enabled. vsftpd stands for Very Secure FTP Daemon. It is shipped with almost all the latest Red Hat based OS. vsftpd for rpm based Linux distros can be downloaded from here. Also, one can install vsftpd by issuing ‘yum install vsftpd’ or ‘apt-get install vsftpd’ command. After installing vsftpd, you just need to start the vsftpd service.

[root@bordeaux saini]$ service vsftpd start [Enter]

And you are done. Your computer is now a FTP server. You can browse your ftp server by pointing your favourite browser to ftp://localhost/ or ftp://127.0.0.1/ or ftp://<IP_ADDRESS_OF_YOUR_MACHINE> .

If you see access denied or some error related to access. Issue ‘iptables –flush’ and ’setenforce 0′ commands.

By default the files and directories in /var/ftp/ directory will be shown at ftp://localhost/ . Now, there are two ways to share your files on ftp.

1. Copy/move files that you want to share to /var/ftp/ directory.

2. Mount directories you want to share to /var/ftp/SharedDirName. Suppose you want to share /home/saini/Movies/ folder on your ftp, then follow the following steps:

Step 1

Login as root.

1
2

[saini@bordeaux saini]$ su [Enter]
Enter Password for root.

Step 2

Go to /var/ftp/ and create the directory that you want to share.

1
2

[root@bordeaux saini]$ cd /var/ftp/ [Enter]
[root@bordeaux ftp]$ mkdir SharedMovies [Enter]

Step 3

Bind the original directory to SharedMovies.

[root@bordeaux ftp]$ mount --bind /home/saini/Movies/ /var/ftp/SharedMovies/ [Enter]

If you browse your ftp now, you’ll see SharedMovies folder as well. You can remove default pub directory if you don’t like it.

The current ftp server will be a very basic one and will allow only downloads. Below we will see how to configure it so that others are allowed to upload files/directories to your server.

Step 1

Create a directory say ‘Upload’.

[root@bordeaux saini]$ mkdir Upload [Enter]

Note that this Upload directory can be anywhere either in your home directory or in /var/ftp/ or even on some other partitions.

Step 2

Change the ownership of Upload to ftp and change the permissions to 777.

1
2

[root@bordeaux saini]$ chown ftp:ftp Upload [Enter]
[root@bordeaux saini]$ chmod 777 Upload [Enter]

Step 3

If you created Upload at any place other than /var/ftp/ , then bind it to a dir in /var/ftp/ .

1
2

[root@bordeaux saini]$ mkdir /var/ftp/Uploads [Enter]
[root@bordeaux saini]$ mount --bind /home/saini/Upload/ /var/ftp/Uploads/ [Enter]

Step 4

Configure vsftpd.conf . The default configuration files for vsftpd lives in /etc/vsftpd/ . vsftpd.conf is configuration file for vsftpd.
Open /etc/vsftpd/vsftpd.conf in any editor and add/uncomment the following lines :

Lines to be added or uncomments in /etc/vsftpd/vsftpd.conf

1
2
3
4
5
6
7
8
9
10
11

anonymous_enable=YES
write_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
dirmessage_enable=YES
dirlist_enable=YES
no_anon_password=YES
file_open_mode=0777
guest_enable=YES

Save vsftpd.conf file and restart the vsftpd service with the command ’service vsftpd restart’. Now anyone can upload files to your ftp server, but only to Upload folder.

There are certain more configurations which are related to restricting bandwidth, upload/download speed, connections etc.

1
2
3
4

max_per_ip=2 # Max no. of allowed connections per IP Address.
max_clients=3 # Max no. of different IP Addressed which are allowed to connect.
anon_max_rate=1097152 # Max bytes/sec a user can upload/download to/from your ftp server.
banner_file=/etc/vsftpd/ftp_banner # The file containing the welcome message to be displayed to the clients.

For more configuration options, refer man pages for vsftpd.conf and vsftpd.

Note :

• Whenever you restart your computer, you have to bind the directories everytime, so that they are shown on the ftp server. To skip binding every time, write everything (all commands for binding) in a mount.sh file and run it whenever you restart your computer.
• You can view my vsftpd.conf file here.
• Sometime, uploaded files doesn’t have 777 permissions. You can run this shell script in background forever.

PS0 : Absence of compat-libstdc++-33(libstdc++.so.5) is breaking a large no. of applications in Fedora 7. Here’s a solution anyway.

Fedora Tutorials and Videocache by Kulbir Saini.

The only essential thing is that you should have a Linux boot CD of the same operating system for which you want to crack root password. Some other Linux boot CD may work in some cases. If system is able to boot from the CD, it will take you to a command prompt as shown.

boot:

Type ‘linux rescue’ at this command prompt and enter as shown

boot: linux rescue [Enter]

It will take you to some interface with some questions, answer them properly. The system will go to temporary command prompt. Then issue the following commands

1
2
3

[bash$] chroot /mnt/sysimage [Enter]
[bash$] cd /boot/grub [Enter]
[bash$] vi menu.lst [Enter]

Now in this file you can see a line beginning with the word ‘password’ remove this line and save the file.

1
2

[bash$]exit
[bash$]exit

Now system will be rebooted and you can see the grub without a password. Don’t forget to remove the CD.

Press ‘e’ at boot screen and again by taking the pointer to the second line press e. Now you can see yourself on a command prompt. Remove ‘rhgb quiet’ from there and write single and press enter.

Now you will come back to the boot screen. Press ‘b’ and system will appear to boot and leave you in command line interface like this.

-bash2-$

Just type passwd like this

1
2
3
4

-bash2-$ passwd [Enter]
new password:
retype new password:
passwd: All authentication updated successfully.

Now you have set a new password. Now exit from the shell and system will boot properly in graphical interface.

-bash2-$ exit [Enter]

If there is any error in the procedure please post your suggestions.

Fedora Tutorials and Videocache by Kulbir Saini.