Random Wisdom

Tag: security

LaTeX Shell Escape

by on Mar.13, 2011, under How To ..., LaTeX

One of the lesser-known features of LaTeX is its “shell-escape” mode. It is invoked with the LaTeX command \write18{cmdlist} in the document, which hands cmdlist to the system shell. This facility can be used to incorporate dynamic content or simply run additional processes during the compilation phase. An example document may look something like:

\documentclass{article}
\begin{document}
  \immediate\write18{date > tmpdate.tex}
  \input{tmpdate}
  \immediate\write18{rm tmpdate.tex}
\end{document}

As \write18 is disabled on most systems for security reasons (a document could otherwise run arbitrary commands as the user compiling it), it must be enabled explicitly:

$ latex -shell-escape input_file

More details are available in the MiKTeX documentation under the heading “Running Programs From Within TeX”.
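To see what a document would execute before compiling it with -shell-escape, the following added example (not part of the original post) lists every \write18 command list that sits outside a TeX comment. The function names and the sample input are assumptions made for illustration; the scan is line-based and does not follow \input files or macros that hide \write18.

```python
import re

# \write18 or \write 18; (?!\d) keeps \write180 from matching.
WRITE18 = re.compile(r"\\write\s*18(?!\d)")

def strip_comment(line):
    # Drop a TeX comment: everything from the first unescaped % onward.
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the escaped character, e.g. \% or \\
        elif line[i] == "%":
            return line[:i]
        else:
            i += 1
    return line

def brace_group(text, start):
    # Contents of the {...} group at `start`, or None if absent or unclosed.
    i = start
    while i < len(text) and text[i].isspace():
        i += 1
    if i >= len(text) or text[i] != "{":
        return None
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    return None

def find_shell_escapes(source):
    # (line number, command list) for each \write18 outside a comment.
    hits = []
    for n, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        hits += [(n, brace_group(line, m.end())) for m in WRITE18.finditer(line)]
    return hits

# Constructed sample: the post's commands plus a commented-out one.
SAMPLE = r"""\immediate\write18{date > tmpdate.tex}
\input{tmpdate}
% \write18{echo disabled}
100\% done \immediate\write18{rm tmpdate.tex}"""
print(find_shell_escapes(SAMPLE))
```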


Restricting access to SFTP / SCP

by on Oct.18, 2009, under How To ..., Linux, Software

rssh is a tool that allows SFTP/SCP for file transfers over SSH but denies shell access — useful for preventing users from running commands on the system. More details are available on the tool’s homepage.

I first came across it on this page.


SSH Blacklisting

by on Nov.29, 2007, under How To ..., Linux, Software

After getting around 1500 failed ssh login attempts a day for a while on a server I manage, I decided to look into tools that automatically blacklist offending IPs.

Sshblack fits the bill perfectly. A HOWTO (including an init-script) for REDHAT-like systems is available from the OSS Watch Wiki.



Linux authentication using LDAP

by on Feb.27, 2007, under How To ..., Linux, Software

There’s a lot of information out there but none really provide a step-by-step guide that would be useful to a novice:

This one, however, sheds some light on the bigger picture:

LDAP Authentication In Linux

Once the initial configuration of the server is complete, LDAP Browser/Editor serves as a very useful client/admin tool.


Installing RPMs as a regular user

by on Apr.20, 2006, under How To ..., Linux, Software

A while back I needed some packages on a machine that I don’t have admin rights to. Grabbing the source and recompiling would have been a pain in the a** so I decided to read the rpm man pages and look for a way to install packages in the user home directory. Since it’s such a nice package manager, it comes with options that allow me to do just that. The command needed is:

$ rpm -ivh --relocate OLDPATH1=NEWPATH1 [--relocate OLDPATH2=NEWPATH2 ...] \
      --badreloc package.rpm

where OLDPATH is the path in the package; and NEWPATH is something like /home/user/userroot/usr, etc.

It’s best to run

$ rpm -qpl package.rpm

to see exactly which paths are going to be used by the package. For example, if the package foo.rpm produces:

$ rpm -qpl foo.rpm
/usr/bin/foo
/usr/lib/foo.so.0.0
/usr/lib/foo.so.0
/usr/share/doc/foo/README

then the steps needed are:

$ mkdir -p ~/myroot/usr/bin ~/myroot/usr/lib ~/myroot/usr/share/doc
$ rpm -ivh --relocate /usr=/home/$USER/myroot/usr --badreloc foo.rpm

That’ll install the package under the hierarchy ~/myroot. There will be some errors from rpmdb but this is fine since the rpmdb is in a filesystem that we do not have write access to. The only repercussion is that rpm will have no record of the package foo being installed (so packages will have to be removed by hand); but that’s okay since we cannot possibly mess up the system while installing stuff under our own home dirs.

The only steps remaining are to add the new paths to the binary and library search paths. To do this, add the following lines to ~/.bash_profile:

        PATH=$PATH:$HOME/myroot/usr/bin
        LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/myroot/usr/lib

        export PATH LD_LIBRARY_PATH

This is only efficient as long as the package does not have too many unmet dependencies — since you will need to grab and install all missing dependencies along with the package itself. And even if you had installed some of the dependencies earlier using this method, rpm will not know about it since there will be no entry in the system rpmdb.


HTTP Access Control

by on Jan.25, 2006, under How To ..., Software

Finally figured out how to password protect individual directories on the server:

Authentication, Authorization and Access Control

It’s a simple 2-step process:

1. Create a passwords file for the users using “htpasswd”:

jsmith@server:~/public_html/db$ htpasswd -c ~/htpasswds jdoe
New password:
Re-type new password:
Adding password for user jdoe
jsmith@server:~/public_html/db$

2. Create a file “.htaccess” in the directory to be protected:

jsmith@server:~/public_html/db$ cat .htaccess
AuthType Basic
AuthName "db"
AuthUserFile /home/jsmith/htpasswds
Require user jdoe
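
A quick check of the two steps above, as an added example that is not from the original post: it parses a .htaccess file and reports a missing Require directive or an AuthUserFile that sits inside the served tree. The function names, the web root /home/jsmith/public_html and the second sample are assumptions.

```python
import posixpath
import shlex

def parse_htaccess(text):
    # Map each directive name (lower-cased, Apache ignores case) to its
    # arguments; blank lines and '#' comment lines are skipped.
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            directives[name.lower()] = args
    return directives

def audit_htaccess(text, web_root):
    # Return a list of findings; an empty list means these checks pass.
    d = parse_htaccess(text)
    findings = []
    if "require" not in d:
        findings.append("no Require directive: nobody is asked to log in")
    pw = (d.get("authuserfile") or [None])[0]
    if pw is None:
        findings.append("no AuthUserFile")
    elif not posixpath.isabs(pw):
        findings.append("AuthUserFile is relative (resolved against ServerRoot)")
    else:
        root = posixpath.normpath(web_root)  # assumed served directory
        if posixpath.commonpath([root, posixpath.normpath(pw)]) == root:
            findings.append("AuthUserFile is inside the web root and may be downloadable")
    return findings

# The .htaccess from the post, and a constructed weak variant.
FROM_POST = """AuthType Basic
AuthName "db"
AuthUserFile /home/jsmith/htpasswds
Require user jdoe
"""
WEAK = """AuthType Basic
AuthName "db"
AuthUserFile /home/jsmith/public_html/db/htpasswds
"""
print(audit_htaccess(FROM_POST, "/home/jsmith/public_html"))
print(audit_htaccess(WEAK, "/home/jsmith/public_html"))
```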

Proxy tools

by on Jan.25, 2006, under Software

There’s a very nice list of servers here:

Proxyz.net

This Firefox extension is handy for changing Proxies quickly: SwitchProxy


Return of DARKWORLD

by on Jan.15, 2006, under Hardware, Software

Yup! My favorite PC just regained Net connectivity today. I moved into the new apartment this morning and was up and running by the evening. The guy who I share the place with wasn’t around and so I would have had to wait till I got the info about the wireless network. So, instead of waiting, I just decided to see what kind of a WLAN he has … and oh my oh my … there were 5 freakin’ access points around — and 3 of them completely unsecured! As it turned out, one belonged to the dude I share the place with …

Anyway, then I decided to catch up on my TV eps (Stargate SG1/Atlantis, Threshold, Supernatural, Doctor Who) and f*** the speed sux! It’s a bloody T-Online DSL1000 Flat deal. Anyway, the IP I got was “192.168.0.5”, so I deduced that the router should be at “192.168.0.1” or “192.168.0.254”. And sure enough there it was in the first address. Obviously, it asked me for a password that I didn’t know. So, I just tried “admin:1234” .. and nope, no go .. Then I thought I’d just do a little net search. The router was NETGEAR (deduced from the WLAN SSID), so I just googled “netgear default password” and the 4th hit came up with “admin:password”. Turns out the guy didn’t even change that password 😀 So, I got in, fiddled around with the NAT settings and Azureus was NAT free in no time. This has got to be the prime example of an unsecured network …

Anyway, once the guy got back, I explained everything to him and changed the router password and set up a WEP key. It seems there was a machine leeching off of this net and things improved a little once that dude got kicked out. It turns out DSL6000 costs just as much as he pays right now — but he has no use for so much bandwidth when I’m gone — so we’ll just change to DSL2000 with 384k upload for now. That should be enough for me to download the occasional SG1 / Doctor Who episode 😀


Proxy Bypass

by on Jan.10, 2006, under How To ..., Linux, Software

I guess it’s usual for every institution to have a central firewall/proxy that all internal traffic must go through to reach the outside world. I am by no means paranoid about security/privacy but it got me thinking.

… And once again, SSH to the rescue! It almost feels like the possibilities of an SSH tunnel with Local port forwarding are limitless 😀

I just picked up a public German proxy from this page:

http://www.publicproxyservers.com/index.html

And then set up an SSH connection to forward local port 8080 to proxy:port. Then for the browser I just set localhost:8080 as the proxy.

Well, the speed is a little short of astounding but it’s very much usable 😀 Now all that the central firewall/proxy should be seeing is a bunch of encrypted traffic.
