>An ubuntu install script

>

Wrote a simple little script this morning to install all the software packages I might need for ruby development (plus a few security tools).  Hopefully it will serve someone other than me 🙂
I know, I know…  You can’t generalize and install some set of packages without knowing what they are.  That’s not the linux way.  On a production server, I’ll always perform a manual setup and, when I can, I compile from source rather than use packages.  This particular script is suited for a dev machine.
Note that, in the very beginning, I set up a few version variables.  You should be able to just set these and then fire up the script. Be aware that the Metasploit, Ruby Enterprise and Flash installers are fetched over plain HTTP and run without any checksum or signature check, so compare those files against the vendor's published hashes before trusting what the script leaves behind.
Caution: I’m providing this script as I use it, on a non-production, fresh install of a linux desktop environment. You can do whatever you want with it; but if you’re dumb enough to run this on a production server without checking it out in detail first, and it breaks your prod environment, don’t come complaining to me — I’ll hurt you, man! 😉
And now for the code:
#!/bin/bash

# This script assumes that you're running Ubuntu 10.04 32-bit. For the metasploit,
# ruby enterprise and flash packages, you'll definitely need to change the packages downloaded!
# The downloads are plain HTTP with no checksum or signature verification, so check
# each file before the script runs it.

if [ "$(id -u)" -ne 0 ]; then
        echo "You have no permission to run $0 as non-root user."
        exit 1
fi

set -e   # abort on the first failed step instead of carrying on half-configured

#Set a few variables here:
metasploit_version=3.4.1-linux-i686
ruby_version=1.9
ruby_enterprise_version=1.8.7-2010.02_i386_ubuntu10.04
gem_version=1.8
passenger_version=2.2.15
flash_version=10_linux

# The banners are quoted: an unquoted * is a glob and would expand to the file names in the cwd.
echo "************************** Installing basic packages: **************************"
apt-get install -y build-essential subversion vpnc network-manager-vpnc libreadline5-dev

echo "************************** Installing forensics packages: **************************"
apt-get install -y ewf-tools sleuthkit registry-tools hfsutils squashfs-tools
echo "************************** Installing security packages: **************************"
apt-get install -y snort flow-tools aircrack-ng ettercap-gtk python-scapy wireshark tcpreplay ghex openvas-server openvas-client nmap zenmap

echo "************************** Setting up metasploit **************************"
wget "http://www.metasploit.com/releases/framework-${metasploit_version}.run"
chmod +x "framework-${metasploit_version}.run"
"./framework-${metasploit_version}.run"

echo "************************** Installing software development packages: **************************"
apt-get install -y "ruby${ruby_version}" "ruby${ruby_version}-dev" libopenssl-ruby rubygems mysql-server meld

echo "************************** Installing web server packages: **************************"
apt-get install -y apache2 apache2-prefork-dev libapr1-dev libaprutil1-dev

echo "************************** Removing mysql-server autostart **************************"
update-rc.d -f mysql remove

echo "************************** Removing apache autostart **************************"
update-rc.d -f apache2 remove

echo "************************** Setting up ruby enterprise **************************"
wget "http://rubyforge.org/frs/download.php/71100/ruby-enterprise_${ruby_enterprise_version}.deb"
dpkg -i "ruby-enterprise_${ruby_enterprise_version}.deb"

echo "************************** Setting up passenger **************************"
passenger_dir="/usr/local/lib/ruby/gems/${gem_version}/gems/passenger-${passenger_version}"
"${passenger_dir}/bin/passenger-install-apache2-module"

echo "LoadModule passenger_module ${passenger_dir}/ext/apache2/mod_passenger.so" > /etc/apache2/mods-available/passenger.load
# The directives are guarded by mod_passenger.c (the module loaded above), not mod_mime_magic.c.
# Each line is quoted: an unquoted <IfModule ...> makes the shell treat < and > as redirections.
{
        echo "<IfModule mod_passenger.c>"
        echo "  PassengerRoot ${passenger_dir}"
        echo "  PassengerRuby $(which ruby)"   # should resolve to ruby enterprise, e.g. /usr/local/bin/ruby
        echo "</IfModule>"
} > /etc/apache2/mods-available/passenger.conf
# Enable the module when you need it with: a2enmod passenger

echo "************************** Getting Flash Player **************************"
wget "http://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player_${flash_version}.deb"
dpkg -i "install_flash_player_${flash_version}.deb"

echo "************************** cleanup **************************"
rm -f examples.desktop "install_flash_player_${flash_version}.deb" "framework-${metasploit_version}.run" "ruby-enterprise_${ruby_enterprise_version}.deb"

Here’s a sample apache config (taken straight from phusion’s installer…):
   <VirtualHost *:80>
      ServerName http://www.yourhost.com
      DocumentRoot /somewhere/public 
      <Directory /somewhere/public>
         AllowOverride all
         Options -MultiViews
      </Directory>
   </VirtualHost>
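The script above fetches three installers over plain HTTP and runs them as root without checking what arrived. As an added example (not part of the original script), here is a pair of helpers that pin a SHA-256 digest per download and refuse to proceed on a mismatch. The function names are hypothetical, and the digests you would pass in come from the vendor's release page; the test file used in the usage comment is constructed locally.

```bash
#!/bin/bash
# Pin and verify installer downloads before executing them. Added example,
# not part of the original script; "fetch_verified" is a hypothetical helper
# and the digests you pass in would come from the vendor's release page.

# Usage: verify_sha256 <file> <expected_hex_digest>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_sha256() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual="$(sha256sum "$file" | awk '{ print $1 }')"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# Usage: fetch_verified <url> <local_name> <expected_hex_digest>
# Reuses a cached copy only if it verifies; otherwise downloads afresh and
# verifies again, so a tampered or truncated file is never left in place.
fetch_verified() {
    local url="$1" out="$2" sum="$3"
    if ! verify_sha256 "$out" "$sum" 2>/dev/null; then
        rm -f "$out"
        wget -q -O "$out" "$url" || { echo "download failed: $url" >&2; return 1; }
    fi
    if ! verify_sha256 "$out" "$sum"; then
        rm -f "$out"          # do not leave a bad installer lying around
        return 1
    fi
}

# In the install script the metasploit step would then read, for example:
#   fetch_verified "http://www.metasploit.com/releases/framework-${metasploit_version}.run" \
#                  "framework-${metasploit_version}.run" "<digest from the release page>" || exit 1
#   chmod +x "framework-${metasploit_version}.run"
```

Because the helper deletes a file that fails verification, a re-run of the script downloads it again rather than executing whatever was left on disk; combined with set -e in the script, a mismatch stops the whole install at that step.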

>A (very) simple ruby script to add files to your repository

>You're developing a ruby on rails site and, as a dutiful developer, you've set up versioning on your code. As you probably already know, when you generate a new object there are quite a few files that get created, so every time you want to add a new model you have to type that "svn add [filename]" command... A bit boring if you ask me.

In Windows, all you really need to do is use a graphic interface like TortoiseSVN; it’s a bit clunky at times but it definitely does the trick. In Mac OS X and Linux, the most powerful and flexible tools are already at your disposal in your command line — so why go through the fuss of a GUI?

I’m sure there are plenty of elegant, easy solutions to this — but here’s mine:

  • Open up your favorite text editor
  • Copy & paste this code into it:

#!/usr/bin/ruby
# Add every unversioned file whose path starts with the prefix given on the command line.
prefix = ARGV[0] || ""

`svn status`.each_line do |line|
  # svn status marks unversioned items with '?' in column 1, followed by the path
  next unless line =~ /\A\?\s+(.+?)\s*\z/
  path = $1
  next unless path.start_with?(prefix)
  # argv form: no shell is involved, so spaces or metacharacters in file names are safe
  system("svn", "add", path)
end

  • Save the file in, say, the same directory as the project that you have under SVN (don't save it in the project directory, that wouldn't be clean). I call mine svnaddfiles.rb
  • For convenience, make that file executable with a "chmod u+x svnaddfiles.rb"
  • From your project directory, you can use it like this: "../svnaddfiles.rb [file prefix]"

Voilà — easy adding of many files, using just ruby, svn and grep!

>Run your linux applications remotely over SSH

>
This is a *very* short article on running X applications over SSH, mostly because there is already a ton of articles out there on the subject. I found that this worked with Cygwin and Ubuntu. If you're using Ubuntu as both the client and the server, you won't need to export the DISPLAY variable.

Server: the machine whose programs you want to run; could be a server on a rack
Client: the machine on which you want to see the programs; could be your workstation

from your client:
1) start the X server (X-Win if you're on Cygwin; on an Ubuntu desktop it is already running)
2) connect to the server with X11 forwarding enabled: "ssh -X [user]@[servername]" (use -Y instead of -X if an application fails under the untrusted-extension restrictions that -X imposes)

from the server via ssh:
1) check that sshd has set the display for you: "echo $DISPLAY" should print something like localhost:10.0. Do not override it; that value is the encrypted tunnel back to your client.
2) test using xclock: "xclock &"

If DISPLAY is empty after logging in, the server side has X11Forwarding set to no in /etc/ssh/sshd_config or lacks the xauth binary, and no amount of exporting will fix that.

The older route, "xhost +[hostname]" on the client followed by "export DISPLAY=[client ip address]:0.0" on the server, bypasses SSH entirely: the X traffic then travels in the clear to TCP port 6000 on your workstation, and every host you allowed with xhost can drive your X server. Ubuntu's X server does not even listen on TCP by default. If you have used it, revoke the access afterwards with "xhost -[hostname]" from your client.
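Two small checks for the points above, as an added example that is not part of the original post: one reads the effective X11Forwarding value out of an sshd_config (sshd honours the first occurrence of a keyword, so the helper stops at the first hit and ignores anything after a Match block; it assumes keyword and value are separated by whitespace), the other tells an ssh-forwarded DISPLAY apart from a raw TCP one. The sample config used by the test is constructed.

```bash
#!/bin/bash
# Sanity checks for X over SSH, as an added example (not from the original
# post). Confirms that the server permits forwarding and that the DISPLAY you
# ended up with is the ssh-forwarded one rather than a raw TCP display.

# Usage: sshd_x11_forwarding <sshd_config>   -> prints yes or no
# sshd uses the first occurrence of a keyword, so later duplicates lose; this
# helper reads only the global section and stops at the first Match block.
sshd_x11_forwarding() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }   # sshd default when the keyword is unset
    ' "$1"
}

# Usage: display_is_forwarded "$DISPLAY"   -> exit 0 if forwarded by sshd
# An ssh -X session gets a loopback display such as localhost:10.0 that sshd
# created for the tunnel. Anything else (host:0.0) means X traffic would go
# over plain TCP to port 6000+ on that host, outside the SSH session.
display_is_forwarded() {
    case "$1" in
        localhost:[0-9]*|127.0.0.1:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the server, after logging in with ssh -X:
#   sshd_x11_forwarding /etc/ssh/sshd_config
#   display_is_forwarded "$DISPLAY" && echo "forwarded" || echo "NOT forwarded"
```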

>QEMU: Accessing the Internet and making the guest pingable from your host.

>
QEMU is a nice, fast virtualization tool that allows you to create guest machines. It works much like VMWare or VirtualBox; I won’t go into the merits and drawbacks of using one over the other (I use all three, selecting the most appropriate for the situation). I’ve found that qemu is best used for sandboxing, proofs of concept, and tutorials where you need a quick, disposable machine to be set up in very little time.

The following article is nothing new. It’s simply a rehash of the qemu documentation, merged with the following ubuntu post: http://ubuntuforums.org/showthread.php?t=179472

In the past, I’ve found that reading several articles on the same topic can be useful because it gives the reader several perspectives. This is my own “recipe”, hope it will be of use to someone out there…


The procedure in a nutshell:
1) Create a TAP network interface for communicating between your guest and host
2) Set your host up for NAT so that the guest can access the internet
3) Manually configure an IP address and name server on your guest OS.

FROM THE HOST SYSTEM

– Creating the TAP interface –
You need to double-check that TAP is available on your host. To do this, simply type "ls /dev/net/tun" to check whether the device exists. By default, the Ubuntu kernel supports TAP. If your kernel doesn't, google "Ubuntu tap interface".

With qemu, this is not particularly complicated. Simply append the "-net nic" and "-net tap" flags to your qemu command. For instance:

qemu <name of your image> -net nic -net tap

With "-net tap" and no further options, qemu creates the interface and runs /etc/qemu-ifup to configure it, which needs root; alternatively pre-create a tap device owned by your user and hand it over with "-net tap,ifname=tap0,script=no". Double check that a tap interface has indeed been created by running ifconfig (or "ip link").
– Setting up NAT – 

You'll need to enable IP forwarding on your host and set up iptables to masquerade the guest's traffic out of your regular interface. I assume that the interface that you use to connect to the internet from your host is eth0 in the following lines. I also assume that your host connects to a router, and not directly to the internet.

To enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward (as root; under sudo the redirection still runs as you, so use "sudo sysctl -w net.ipv4.ip_forward=1" instead). The setting does not survive a reboot unless you also put net.ipv4.ip_forward=1 in /etc/sysctl.conf.

To set up iptables: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That rule masquerades everything leaving eth0; narrow it to the guest subnet with "-s 172.20.0.0/16" (matching the addresses used below) so the host does not quietly become a NAT router for anything else that can reach it. If your FORWARD chain's default policy is DROP, you also need ACCEPT rules between the tap interface and eth0, or nothing will pass.

FROM THE GUEST SYSTEM

– Configuring the IP address and name server –
Check the IP address assigned to your host's TAP interface and use it as a reference in your /etc/network/interfaces file. Assuming that your guest machine's network card is eth0, your host IP is 172.20.0.1 and the subnet mask is 255.255.0.0:

auto eth0
iface eth0 inet static
  address 172.20.0.2
  netmask 255.255.0.0
  gateway 172.20.0.1

You'll need to check your host's /etc/resolv.conf file; using the same nameserver setting as your host is the easiest thing to do. In other words, if your host's /etc/resolv.conf file indicates the nameserver is 192.168.1.2, then set up your guest's /etc/resolv.conf file to use 192.168.1.2 as well. Once the guest interface is up, "ping 172.20.0.2" from the host should answer over the tap link; that is the part that does not depend on the NAT rules at all.
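The host-side steps above, collected into one script as an added example (not part of the original post). It assumes Linux with ip(8), sysctl and iptables, that it is run as root, and that the tap device already exists (qemu creates it via /etc/qemu-ifup, or you can create one beforehand with "ip tuntap add dev tap0 mode tap user <you>"). It goes beyond the post in two ways: the masquerade rule is restricted to the guest subnet, and FORWARD rules are added so the setup also works when that chain's policy is DROP. The function names and the DRY_RUN switch are my own.

```bash
#!/bin/bash
# Host-side TAP + NAT setup for a QEMU guest, as an added example (not from
# the original post). Assumes Linux with ip(8), sysctl and iptables; must run
# as root. DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: setup_tap_nat <tap_if> <uplink_if> <host_addr/prefix> <guest_net/prefix>
# e.g.   setup_tap_nat tap0 eth0 172.20.0.1/16 172.20.0.0/16
setup_tap_nat() {
    local tap="$1" uplink="$2" host_cidr="$3" guest_net="$4"

    # Address the host end of the TAP link; the guest uses it as its gateway.
    run ip addr add "$host_cidr" dev "$tap"
    run ip link set "$tap" up

    # Same effect as echo 1 > /proc/sys/net/ipv4/ip_forward, but works under sudo.
    run sysctl -w net.ipv4.ip_forward=1

    # Masquerade only the guest subnet, not everything that leaves the uplink.
    run iptables -t nat -A POSTROUTING -s "$guest_net" -o "$uplink" -j MASQUERADE

    # If the FORWARD chain's policy is DROP, nothing moves without these:
    # guest -> internet freely, internet -> guest only for replies.
    run iptables -A FORWARD -i "$tap" -o "$uplink" -s "$guest_net" -j ACCEPT
    run iptables -A FORWARD -i "$uplink" -o "$tap" -d "$guest_net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: teardown_tap_nat <tap_if> <uplink_if> <guest_net/prefix>
# Removes exactly the three iptables rules added above (forwarding stays on).
teardown_tap_nat() {
    local tap="$1" uplink="$2" guest_net="$3"
    run iptables -D FORWARD -i "$uplink" -o "$tap" -d "$guest_net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$tap" -o "$uplink" -s "$guest_net" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$guest_net" -o "$uplink" -j MASQUERADE
}

# Run directly with four arguments, e.g.:
#   sudo ./qemu-nat.sh tap0 eth0 172.20.0.1/16 172.20.0.0/16
if [ "$#" -eq 4 ]; then
    setup_tap_nat "$@"
fi
```

Run it once with DRY_RUN=1 first to see the exact rules before they touch a live host; the teardown function exists so a disposable guest does not leave a masquerade rule behind after it is thrown away.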

>Recover from accidental removal from the admin group

>We know, it's happened to everyone before... You're putzing about in your shell and you need to add yourself to a group, so you use the usermod command instead of the adduser command (adduser, useradd, who remembers details like that, right?). Without the -a flag, "usermod -G" replaces your whole list of supplementary groups with the one you named, so you silently drop out of the admin group. You reboot your machine sometime after that and, oh shit, you can't get root no more!

Like I said, it’s happened to everyone before. The reference to the forum where you can get a bit more support is:
http://ubuntuforums.org/showthread.php?t=186331

The procedure, put quite simply, is this: reboot your computer and enter the grub menu. Boot in recovery mode, drop to a root shell, and enter the following:

adduser [your user name] admin

If adduser complains that the filesystem is read-only, remount it first with "mount -o remount,rw /". (On Ubuntu releases from 12.04 onward the administrative group is called sudo rather than admin, so use that name instead.) You may then proceed to the normal boot, rejoicing in the fact that you don't have to reinstall your entire system 🙂 Next time, append to your groups with "usermod -aG [group] [user]" and the problem does not arise.

>A honeypot solution from start to finish

>
Operating System and tools
Pick an operating system with which you're comfortable. A lot of *nix junkies out there will heckle you about which distro is best, especially when it comes to running security tools; and whilst I agree with the principle that a good solid distro will improve your machine's robustness and prevent a malicious attacker from turning your security tools against you, let's be realistic: there isn't a single distro, operating system or device out there that can't be exploited. This is not always due to the shortcomings of the developer, or administrator, or what have you: it is the result of a complex balance between security, functionality, communication and logistics. So what I say is, pick *one* distro and get to know it very well. Make sure it can be patched on a regular basis and that any remote communication you set up with it is secured (encrypted, with key-based authentication or at least a long passphrase). For this example, I'm going to use an Ubuntu box, honeyd, swatch and ruby to set up the honeypot and monitoring systems.

OS setup
I would strongly recommend starting with a fresh install of your distro on the system. You don’t want to leave any unexpected services running on your box as it will increase its vulnerability. Install the bare minimum — if you’re comfortable with a barebones system with a simple shell and no xwin, go for it; just make sure that you can handle the config under stress.

Once the OS is installed, I'd test it right away to make sure no superfluous services are running on it. Start with several nmap scans from another machine; begin with a simple scan, then add the -P0 flag (spelled -Pn in current nmap) so the box is scanned even if it ignores ping, scan all 65535 ports consecutively (-p-), use the --send-ip flag... The works. I'd check out all the processes on your machine as well, to see if anything could be removed. Then use nessusd as a final test.

Tools setup
Next, install honeyd, farpd, rrdtool, rails, swatch and, optionally, snort. If you’re using APT, then the startup scripts and config files for honeyd and farpd will be setup (in /etc/init.d and /etc/default). These will not run automatically on startup – amongst other things, you’ll need to specify the interface and IP addresses on which these tools will listen.

To give you a bit of background, farpd was developed by Dug Song as part of dsniff (a collection of tools for network auditing and pentesting). What it does is reply to ARP requests for addresses you choose, effectively directing traffic for those addresses to your host. Whilst it can be used for nefarious purposes (it is the building block of ARP spoofing), in this case it allows your honeypot to capture traffic for multiple IP addresses. Rails is the tool I'll be using for scripting, which is to say Ruby, pulled in here via the rails package; it's just a preference. One could use anything from a simple bash script to a compiled mono exec; just remember that you want to be able to modify it fairly quickly and painlessly. The scripts in question will be for emulating services (such as IIS) but also for monitoring purposes (such as sending mail). As for swatch, it's a tool that allows you to quickly set up monitoring of log files; it's nifty because you can set all sorts of thresholds, filter the log by keyword, and send out alerts via e-mail or script. Finally, the pièce de résistance, honeyd is the tool you'll be using to simulate other systems. It's easily configurable and simulates machine profiles and network topologies. It uses rrdtool for its traffic statistics, so make sure that's on your machine.

Configuring honeyd and swatch
The first thing to do is to make a copy of /etc/honeypot/honeyd.conf, which you'll rename to honeyd.conf.orig. This will serve as a reference for your config. The configuration is super straight-forward and gives examples for a virtual network and several hosts. For each host, you'll need to define the OS profile as labelled in the nmap.prints file, set up the services and bind an IP address. For each service, you indicate the port, transport protocol and action; the latter can be a command, such as "echo You've been 0wned get outta Dodge" or something a bit more complex like "ruby /opt/scripts/my_iis_emulator.rb" (check out honeyd's site for a useful list of service scripts). Alternatively, you can set up the port to proxy a service running on another machine (including the source IP, using $ipsrc). If you're feeling particularly nasty, you could conceivably proxy a malicious server running exploits, but I wouldn't recommend that as it could seriously backfire on you...

In order to get logging going, give the honeyd user ownership of the log directory with 'sudo chown -R honeyd:honeyd /var/log/honeypot'. If honeyd.log does not exist, create it using touch and chown it as well. Keep the permissions tight rather than opening them up: something like 'sudo chmod 750 /var/log/honeypot; sudo chmod 640 /var/log/honeypot/honeyd.log'. A world-writable log (chmod 777, or 766) lets any local process, including one spawned through an emulated service an attacker has found a way into, overwrite the very evidence you are collecting. If honeyd still can't write, check which user the init script drops privileges to (see /etc/default/honeyd) and chown to that user, e.g. nobody:nogroup, instead of loosening the mode.

Swatch is also fairly easy to set up. It needs a config file, which you'll create from scratch. Place it somewhere logical, i.e. /etc/swatchrc. You'll want to read the man file very carefully, but in essence you can set up the alerts very quickly using syntax like:

watchfor /tcp|udp|icmp/
        exec /path/to/ruby/script
        threshold type=limit,count=1,seconds=90

The example above watches for the values 'tcp', 'udp' and 'icmp' as honeyd is wont to output, limits swatch to triggering a maximum of once every 90 seconds, and sets the action to run a ruby script of your choice (the action keywords are exec, mail, echo and so on, each followed by its argument; there is no '=' after exec). Since the script fires on a single match, the real work of deciding what is interesting belongs either in the script or in a periodic summary of the log.

Setting up the startup scripts
The scripts are pretty much set up; if you're using ubuntu even the honeyd user is created for you. You'll need to edit the /etc/default/farpd and /etc/default/honeyd files so that they know which interface and IP addresses to use. Note that multiple IP addresses are entered separated by spaces.

The swatch script will need to be created by making a copy of the template init.d script (/etc/init.d/skeleton) and modifying it to execute /usr/bin/swatch with the -c (config file path) and -t (honeyd.log path) flags set. Sounds more complicated than it actually is, but if you're having trouble, google 'init.d skeleton startup script'.

Running the services for the first time
Easy: start up a terminal session and type 'sudo /etc/init.d/farpd start; sudo /etc/init.d/honeyd start; sudo /etc/init.d/swatch start'. You should get no errors, and if you run 'ps aux' you should see all three processes running.

Testing your machine
First thing to do is ping the fake machines; if that works, the next step is running nmap with the --send-ip flag (note that from the LAN this is absolutely necessary). Finally, try a few telnet sessions to open ports to make sure that honeyd works and swatch triggers correctly.
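Swatch fires the script on every matching line, so it helps to have something that reads honeyd.log as a whole and says which sources actually deserve attention. As an added example (not part of the original post), here is a small summariser that counts new TCP connections per source and the number of distinct destination ports each source touched, the classic port-scan signature. The sample log is constructed to follow honeyd's "timestamp proto(num) flag src sport dst dport [os]" record layout and is not real traffic; the function names are my own.

```bash
#!/bin/bash
# Summarise honeyd.log by source address, as an added example (not from the
# original post). The sample log is constructed to follow honeyd's
# "timestamp proto(num) flag src sport dst dport [os]" layout.

# Usage: scan_sources <honeyd.log> [threshold]   (threshold defaults to 5)
# Output: "source_ip count" for sources with at least <threshold> new TCP
# connections, busiest first.
scan_sources() {
    local log="$1" threshold="${2:-5}"
    awk -v min="$threshold" '
        # field 2 is the protocol, field 3 the record type: S = connection start
        $2 == "tcp(6)" && $3 == "S" { starts[$4]++ }
        END {
            for (ip in starts)
                if (starts[ip] >= min) printf "%s %d\n", ip, starts[ip]
        }' "$log" | sort -k2,2nr -k1,1
}

# Usage: ports_per_source <honeyd.log>
# Output: "source_ip distinct_destination_ports", busiest first. One address
# hitting many ports in a short window is what a port scan looks like here.
ports_per_source() {
    local log="$1"
    awk '
        $2 == "tcp(6)" && $3 == "S" {
            key = $4 SUBSEP $7          # source address + destination port
            if (!(key in seen)) { seen[key] = 1; ports[$4]++ }
        }
        END { for (ip in ports) printf "%s %d\n", ip, ports[ip] }
    ' "$log" | sort -k2,2nr -k1,1
}

# Constructed sample in honeyd's log format (not real traffic): 10.0.0.5
# probes four ports, 10.0.0.9 hits port 80 twice plus a UDP packet, and
# 10.0.0.7 only pings. The E record is a connection end and is not counted.
sample_log() {
    cat <<'EOF'
2010-06-01-10:00:01.0001 tcp(6) S 10.0.0.5 40001 172.20.0.10 22 [Linux 2.6 ]
2010-06-01-10:00:01.0002 tcp(6) S 10.0.0.5 40002 172.20.0.10 80 [Linux 2.6 ]
2010-06-01-10:00:01.0003 tcp(6) S 10.0.0.5 40003 172.20.0.10 443 [Linux 2.6 ]
2010-06-01-10:00:01.0004 tcp(6) S 10.0.0.5 40004 172.20.0.10 3389 [Linux 2.6 ]
2010-06-01-10:00:02.0000 tcp(6) E 10.0.0.5 40001 172.20.0.10 22: 0 0
2010-06-01-10:00:05.0000 tcp(6) S 10.0.0.9 51000 172.20.0.11 80 [Windows XP SP1]
2010-06-01-10:00:06.0000 tcp(6) S 10.0.0.9 51001 172.20.0.11 80 [Windows XP SP1]
2010-06-01-10:00:07.0000 udp(17) - 10.0.0.9 5353 172.20.0.11 53: 40
2010-06-01-10:00:08.0000 icmp(1) - 10.0.0.7 172.20.0.10: 8(0): 84
EOF
}

# Against the real log:  scan_sources /var/log/honeypot/honeyd.log 3
#                        ports_per_source /var/log/honeypot/honeyd.log
```

Pointing swatch's exec action at a wrapper that runs these two functions and mails the result gives you one digest per trigger instead of one alert per packet, which is what the threshold line in the swatch config is trying to achieve anyway.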