Tag: security
LaTeX Shell Escape
by Mostafa on Mar.13, 2011, under How To ..., LaTeX
One of the lesser known features of LaTeX is its “shell-escape” mode. This is achieved using the LaTeX command \write18{cmdlist} in the document. This facility can be used to incorporate dynamic content or simply run additional processes during the compilation phase. An example document may look something like:
\documentclass{article}
\begin{document}
\immediate\write18{date > tmpdate.tex}
\input{tmpdate}
\immediate\write18{rm tmpdate.tex}
\end{document}
Because \write18 lets a document run arbitrary shell commands, it is disabled by default on most systems and must be enabled explicitly:
$ latex -shell-escape input_file
More details are available in the MiKTeX documentation under the heading “Running Programs From Within TeX”.
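Since a \write18 in any file you compile with -shell-escape will run, it is worth knowing which documents contain one before enabling the flag. The following scanner is an added example, not code from the post: it reports every live \write18 (with or without \immediate) in a .tex file and ignores occurrences that are commented out, which TeX never executes. The sample document embedded in it is constructed for the demonstration.

```python
import re
import sys

# Matches \write18{...} with or without a preceding \immediate, capturing the
# command list inside the braces.
SHELL_ESCAPE_RE = re.compile(r'(?:\\immediate\s*)?\\write18\s*\{([^}]*)\}')


def strip_tex_comment(line):
    """Return the line with any TeX comment removed.

    An unescaped '%' starts a comment. A backslash followed by any character
    (so '\\%' and '\\\\') is copied as a pair and never starts a comment.
    """
    out = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == '\\' and i + 1 < len(line):
            out.append(line[i:i + 2])
            i += 2
            continue
        if ch == '%':
            break
        out.append(ch)
        i += 1
    return ''.join(out)


def find_shell_escapes(tex_source):
    """Return (line_number, command) for every live \\write18 in the source.

    Commented-out occurrences are skipped because TeX does not execute them.
    """
    hits = []
    for lineno, raw in enumerate(tex_source.splitlines(), start=1):
        for m in SHELL_ESCAPE_RE.finditer(strip_tex_comment(raw)):
            hits.append((lineno, m.group(1).strip()))
    return hits


# Constructed sample document (not the post's own file): two live shell
# escapes and one that is commented out and must not be reported.
SAMPLE_TEX = r"""\documentclass{article}
\begin{document}
\immediate\write18{date > tmpdate.tex}
\input{tmpdate}
% \write18{echo disabled}   commented out
\immediate\write18{rm tmpdate.tex}
\end{document}
"""


def scan_files(paths):
    """Scan the given .tex files, print each live shell escape, return the count."""
    total = 0
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as fh:
            for lineno, cmd in find_shell_escapes(fh.read()):
                print(f'{path}:{lineno}: \\write18{{{cmd}}}')
                total += 1
    return total


if __name__ == '__main__':
    if len(sys.argv) > 1:
        # Non-zero exit when anything was found, so it can gate a build script.
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    for lineno, cmd in find_shell_escapes(SAMPLE_TEX):
        print(f'sample.tex:{lineno}: \\write18{{{cmd}}}')
```

Run it as `python scan_write18.py *.tex` (the file name is an assumption); with no arguments it scans the embedded sample and reports lines 3 and 6. It only looks for the literal control sequence, so a \write18 built by macro expansion would not be caught.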
Restricting access to SFTP / SCP
by Mostafa on Oct.18, 2009, under How To ..., Linux, Software
rssh is a tool that allows SFTP/SCP for file transfers over SSH but denies shell access — useful for preventing users from running commands on the system. More details are available on the tool’s homepage.
I first came across it on this page.
SSH Blacklisting
by Mostafa on Nov.29, 2007, under How To ..., Linux, Software
After getting around 1500 failed ssh login attempts a day for a while on a server I manage, I decided to look into tools that automatically blacklist offending IPs.
Sshblack fits the bill perfectly. A HOWTO (including an init-script) for REDHAT-like systems is available from the OSS Watch Wiki.
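The core of what such a tool does is count failed logins per source address in the sshd log and block addresses that cross a threshold. As an added example, not part of the post or of sshblack, the script below does that over constructed sshd log lines (documentation address ranges, not real traffic), with a trusted-network exclusion so that an admin's own typos cannot lock them out, and renders the result as hosts.deny entries.

```python
import ipaddress
import re
from collections import Counter

# Matches sshd's "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) '
    r'from (\d{1,3}(?:\.\d{1,3}){3}) port \d+'
)


def failed_logins_by_ip(log_lines):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def blacklist_candidates(log_lines, threshold=5, trusted_networks=()):
    """Source IPs with at least `threshold` failures, excluding any address
    inside a trusted network (never block the admin's own workstation)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    chosen = []
    for ip, n in failed_logins_by_ip(log_lines).items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in trusted):
            chosen.append(ip)
    return sorted(chosen, key=ipaddress.ip_address)


def render_hosts_deny(ips):
    """Render TCP-wrappers style hosts.deny entries for sshd."""
    return ''.join(f'sshd: {ip}\n' for ip in ips)


# Constructed sample log (not the post's server): one successful login, a
# brute-force run from 203.0.113.7, a couple of root attempts from
# 198.51.100.9 and five typos from a trusted admin host 192.0.2.10.
SAMPLE_LOG = [
    'Nov 29 10:15:01 host sshd[2101]: Accepted publickey for mostafa from 192.0.2.10 port 50000 ssh2',
    'Nov 29 10:15:02 host sshd[2102]: Invalid user oracle from 203.0.113.7',
]
SAMPLE_LOG += [
    f'Nov 29 10:15:{3 + i:02d} host sshd[{2103 + i}]: Failed password for invalid user {u} '
    f'from 203.0.113.7 port {51234 + i} ssh2'
    for i, u in enumerate(['admin', 'oracle', 'test', 'guest', 'ubuntu', 'pi'])
]
SAMPLE_LOG += [
    f'Nov 29 10:16:{i:02d} host sshd[{2200 + i}]: Failed password for root '
    f'from 198.51.100.9 port {40000 + i} ssh2'
    for i in range(2)
]
SAMPLE_LOG += [
    f'Nov 29 10:17:{i:02d} host sshd[{2300 + i}]: Failed password for mostafa '
    f'from 192.0.2.10 port {42000 + i} ssh2'
    for i in range(5)
]


if __name__ == '__main__':
    for ip, n in failed_logins_by_ip(SAMPLE_LOG).most_common():
        print(f'{ip:16} {n} failures')
    print(render_hosts_deny(blacklist_candidates(SAMPLE_LOG, 5, ['192.0.2.0/24'])), end='')
```

Only 203.0.113.7 ends up in the deny list: 198.51.100.9 is under the threshold and 192.0.2.10 is inside the trusted network. A production version would read /var/log/auth.log (or /var/log/secure on Red Hat systems) and expire entries after some time, as sshblack does.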
Network Security
by Mostafa on Aug.09, 2007, under How To ..., Linux, Software
A list of very interesting articles:
http://backtrack.offensive-security.com/index.php?title=ExternalHowto
Linux authentication using LDAP
by Mostafa on Feb.27, 2007, under How To ..., Linux, Software
There’s a lot of information out there but none really provide a step-by-step guide that would be useful to a novice:
This one however, sheds some light on the bigger picture:
Once the initial configuration of the server is complete, LDAP Browser/Editor serves as a very useful client/admin tool.
Installing RPMs as a regular user
by Mostafa on Apr.20, 2006, under How To ..., Linux, Software
A while back I needed some packages on a machine that I don’t have admin rights to. Grabbing the source and recompiling would have been a pain in the a**, so I decided to read the rpm man pages and look for a way to install packages in the user home directory. Since it’s such a nice package manager, it comes with options that allow me to do just that. The command needed is:
$ rpm -ivh --relocate OLDPATH1=NEWPATH1 [--relocate OLDPATH2=NEWPATH2 ...] \
      --badreloc package.rpm
where OLDPATH is the path in the package and NEWPATH is something like /home/user/userroot/usr.
It’s best to run
$ rpm -qpl package.rpm
to see exactly which paths are going to be used by the package. For example, if the package foo.rpm produces:
$ rpm -qpl foo.rpm
/usr/bin/foo
/usr/lib/foo.so.0.0
/usr/lib/foo.so.0
/usr/share/doc/foo/README
then the steps needed are:
$ mkdir -p ~/myroot/usr/bin ~/myroot/usr/lib ~/myroot/usr/share/doc
$ rpm -ivh --relocate /usr=/home/$USER/myroot/usr --badreloc foo.rpm
That’ll install the package under the hierarchy ~/myroot. There will be some errors from rpmdb, but this is fine since the rpmdb is on a filesystem that we do not have write access to. The only repercussion is that rpm will have no record of the package foo being installed (so packages will have to be removed by hand); but that’s okay since we cannot possibly mess up the system while installing stuff under our own home dirs.
The only steps remaining are to add the new paths to the binary and library search paths. To do this, add the following lines to ~/.bash_profile:
PATH=$PATH:$HOME/myroot/usr/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/myroot/usr/lib
export PATH LD_LIBRARY_PATH
This is only practical as long as the package does not have too many unmet dependencies, since you will need to grab and install every missing dependency along with the package itself. And even if you installed some of the dependencies earlier using this method, rpm will not know about them, since there is no entry in the system rpmdb.
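The procedure above has three mechanical steps: read the file list, derive the --relocate mappings and directories, then export the bin and lib paths. The helper below is an added example, not code from the post; it automates those steps from `rpm -qpl` output and generalizes them to packages that span more than one top-level prefix (one --relocate per prefix, e.g. /usr and /etc). The file list is the one the post shows for foo.rpm; the /etc entry and the target root /home/jsmith/myroot are constructed.

```python
import os
import shlex


def plan_relocation(package_paths, new_root, package_file):
    """Derive what is needed to install `package_file` under `new_root` as an
    unprivileged user.

    Returns (prefixes, dirs_to_create, rpm_command). One --relocate is emitted
    per distinct top-level prefix found in the package file list.
    """
    root = new_root.rstrip('/')
    prefixes = set()
    dirs = set()
    for path in package_paths:
        path = path.strip()
        if not path.startswith('/'):
            continue  # rpm -qpl prints absolute paths; skip anything else
        prefixes.add('/' + path.lstrip('/').split('/', 1)[0])
        dirs.add(root + os.path.dirname(path))
    prefixes = sorted(prefixes)
    cmd = ['rpm', '-ivh']
    for prefix in prefixes:
        cmd += ['--relocate', f'{prefix}={root}{prefix}']
    cmd += ['--badreloc', package_file]  # --badreloc: allow relocating a non-relocatable package
    return prefixes, sorted(dirs), shlex.join(cmd)


def environment_lines(dirs_to_create):
    """The ~/.bash_profile lines that expose relocated binaries and shared
    libraries, based on which bin/lib directories the package populates."""
    bins = [d for d in dirs_to_create if os.path.basename(d) in ('bin', 'sbin')]
    libs = [d for d in dirs_to_create if os.path.basename(d) in ('lib', 'lib64')]
    lines = []
    if bins:
        lines.append('PATH=$PATH:' + ':'.join(bins))
    if libs:
        lines.append('LD_LIBRARY_PATH=$LD_LIBRARY_PATH:' + ':'.join(libs))
    exported = [name for name, found in (('PATH', bins), ('LD_LIBRARY_PATH', libs)) if found]
    if exported:
        lines.append('export ' + ' '.join(exported))
    return lines


# The file list the post shows for foo.rpm.
SAMPLE_PATHS = [
    '/usr/bin/foo',
    '/usr/lib/foo.so.0.0',
    '/usr/lib/foo.so.0',
    '/usr/share/doc/foo/README',
]


if __name__ == '__main__':
    # Constructed target root; in practice read the list via: rpm -qpl foo.rpm | python plan_relocate.py
    prefixes, dirs, cmd = plan_relocation(SAMPLE_PATHS + ['/etc/foo.conf'], '/home/jsmith/myroot', 'foo.rpm')
    print('mkdir -p ' + ' '.join(shlex.quote(d) for d in dirs))
    print(cmd)
    print('\n'.join(environment_lines(dirs)))
```

With the two-prefix input the generated command carries both `--relocate /etc=/home/jsmith/myroot/etc` and `--relocate /usr=/home/jsmith/myroot/usr`; the post's single-prefix case produces exactly the rpm line shown above. The script name plan_relocate.py is an assumption.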
HTTP Access Control
by Mostafa on Jan.25, 2006, under How To ..., Software
Finally figured out how to password protect individual directories on the server:
Authentication, Authorization and Access Control
It’s a simple 2-step process:
1. Create a passwords file for the users using “htpasswd”:
jsmith@server:~/public_html/db$ htpasswd -c ~/htpasswds jdoe
New password:
Re-type new password:
Adding password for user jdoe
jsmith@server:~/public_html/db$
2. Create a file “.htaccess” in the directory to be protected:
jsmith@server:~/public_html/db$ cat .htaccess
AuthType Basic
AuthName "db"
AuthUserFile /home/jsmith/htpasswds
Require user jdoe
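Two details of this setup matter for security: the password file is kept outside the served tree (~/htpasswds rather than somewhere under ~/public_html), and the Require directive must name users that actually exist in that file, otherwise nobody can get in or, if Require is missing, everybody can. The checker below is an added example, not code from the post or from Apache: it parses an .htaccess fragment and an htpasswd file and reports these misconfigurations. It assumes the served tree is /home/jsmith/public_html; the htpasswd content is constructed with a placeholder hash.

```python
import os
import shlex


def parse_htaccess(text):
    """Return (directive, args) pairs; directive names are lower-cased since
    Apache matches them case-insensitively. Quoted values are handled."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def htpasswd_users(text):
    """Usernames in an htpasswd file (everything before the first ':')."""
    return {line.split(':', 1)[0] for line in text.splitlines() if ':' in line}


def _is_under(path, directory):
    path = os.path.normpath(path)
    directory = os.path.normpath(directory)
    return path == directory or path.startswith(directory + os.sep)


def audit_htaccess(htaccess_text, document_root, htpasswd_text):
    """Return (code, detail) findings for a Basic-auth .htaccess setup."""
    findings = []
    settings = {}
    required = set()
    valid_user = False
    for name, args in parse_htaccess(htaccess_text):
        if name in ('authtype', 'authname', 'authuserfile'):
            settings[name] = args[0] if args else ''
        elif name == 'require' and args:
            if args[0].lower() == 'valid-user':
                valid_user = True
            elif args[0].lower() == 'user':
                required.update(args[1:])

    if not settings.get('authtype'):
        findings.append(('no-authtype', 'AuthType is required for authentication'))
    userfile = settings.get('authuserfile')
    if not userfile:
        findings.append(('no-userfile', 'AuthUserFile is missing'))
    else:
        if not os.path.isabs(userfile):
            findings.append(('relative-userfile', userfile))
        if _is_under(userfile, document_root):
            findings.append(('userfile-in-docroot', userfile))  # file lives inside the served tree
    if not required and not valid_user:
        findings.append(('no-require', 'nothing is restricted without a Require directive'))
    for user in sorted(required - htpasswd_users(htpasswd_text)):
        findings.append(('unknown-user', user))
    return findings


# The .htaccess from the post, and a constructed htpasswd line whose hash
# field is a placeholder, not a real password hash.
POST_HTACCESS = '''AuthType Basic
AuthName "db"
AuthUserFile /home/jsmith/htpasswds
Require user jdoe
'''
SAMPLE_HTPASSWD = 'jdoe:$apr1$PLACEHOLDER$notarealhash\n'

# Constructed weak variant: relative password file and a user that does not exist.
WEAK_HTACCESS = '''AuthType Basic
AuthName "db"
AuthUserFile htpasswds
Require user jdoe bob
'''


if __name__ == '__main__':
    for label, text in (('post', POST_HTACCESS), ('weak', WEAK_HTACCESS)):
        print(label, audit_htaccess(text, '/home/jsmith/public_html', SAMPLE_HTPASSWD) or 'OK')
```

The post's configuration passes cleanly; the weak variant reports the relative AuthUserFile and the unknown user bob, and moving the password file to ~/public_html/db/htpasswds is reported as userfile-in-docroot.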
Proxy tools
by Mostafa on Jan.25, 2006, under Software
There’s a very nice list of servers here:
This Firefox extension is handy for changing Proxies quickly: SwitchProxy
Return of DARKWORLD
by Mostafa on Jan.15, 2006, under Hardware, Software
Yup! My favorite PC just regained Net connectivity today. I moved into the new apartment this morning and was up and running by the evening. The guy who I share the place with wasn’t around and so I would have had to wait till I got the info about the wireless network. So, instead of waiting, I just decided to see what kind of a WLAN he has … and oh my oh my … there were 5 freakin’ access points around — and 3 of them completely unsecured! As it turned out, one belonged to the dude I share the place with …
Anyway, then I decided to catch up on my TV eps (Stargate SG1/Atlantis, Threshold, Supernatural, Doctor Who) and f*** the speed sux! It’s a bloody T-Online DSL1000 Flat deal. Anyway, the IP I got was “192.168.0.5”, so I deduced that the router should be at “192.168.0.1” or “192.168.0.254”. And sure enough there it was in the first address. Obviously, it asked me for a password that I didn’t know. So, I just tried “admin:1234” .. and nope, no go .. Then I thought I’d just do a little net search. The router was NETGEAR (deduced from the WLAN SSID), so I just googled “netgear default password” and the 4th hit came up with “admin:password”. Turns out the guy didn’t even change that password 😀 So, I got in, fiddled around with the NAT settings and Azureus was NAT free in no time. This has got to be the prime example of an unsecured network …
Anyway, once the guy got back, I explained everything to him, changed the router password and set up a WEP key. It seems there was a machine leeching off of this net and things improved a little once that dude got kicked out. It turns out DSL6000 costs just as much as he pays right now — but he has no use for so much bandwidth when I’m gone — so we’ll just change to DSL2000 with 384k upload for now. That should be enough for me to download the occasional SG1 / Doctor Who episode 😀
Proxy Bypass
by Mostafa on Jan.10, 2006, under How To ..., Linux, Software
I guess it’s usual for every institution to have a central firewall/proxy that all internal traffic must go through to reach the outside world. I am by no means paranoid about security/privacy but it got me thinking.
… And once again, SSH to the rescue! It almost feels like the possibilities of an SSH tunnel with local port forwarding are limitless 😀
I just picked up a public German proxy from this page:
http://www.publicproxyservers.com/index.html
And then set up an SSH connection to forward local port 8080 to proxy:port. Then for the browser I just set localhost:8080 as the proxy.
Well, the speed is a little short of astounding but it’s very much usable 😀 Now all that the central firewall/proxy should be seeing is a bunch of encrypted traffic.