A Brief Overview of the Linux chattr Command

I recently watched a talk given by Raphael Mudge, the creator of Armitage, entitled “Dirty Red Team Tricks”. In this talk he goes over the basics of how to play the hacker version of capture the flag from the point of view of the offensive team, or attackers, the red team (pretty self-explanatory, right?). It was a really good watch, and he demonstrated some really neat little tricks to the audience, including how to use Armitage effectively. Here is the link if you would like to view the presentation.

There was one very curious trick he mentioned in his talk that I want to focus this post on, and to save as a note to myself for future reference: the chattr command.

The main use case for this command is to make a file immutable by setting the “+i” flag. This is similar to using the attrib command in DOS on Windows. So for instance, you could change the attributes of a password file or any other important file that you didn’t want altered by issuing the following command:

chattr +i some_file_name

Note, you must be root or in the sudo group to use this. Until the flag is turned off again, not even the root user can change the file, how cool is that?! I see why Mudge likes to use this dirty little trick when competing in capture the flag games now. To check what attributes a particular file has applied to it you can use the lsattr command as follows; notice that the i flag is now set for the file:

lsattr some_file_name
----i------------e- some_file_name

And finally, to switch this flag off use the following command:

chattr -i some_file_name

We can check again to see if the flag actually got turned off:

lsattr some_file_name
-----------------e- some_file_name

That’s it. I couldn’t believe how simple this nasty little trick was to use, but how effective it may be in a given situation. I hope this post was helpful for you, and seriously, you should check out Armitage if you are messing around with penetration testing tools. Raphael Mudge is a really smart dude.
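From the defending side, the useful follow-up is to spot files that someone has quietly made immutable or append-only. The following is an added example (not from the original post): it parses the attribute column that lsattr prints, as shown above, and reports paths carrying those two flags. It runs on constructed sample lines so it needs neither root nor an ext4 filesystem; on a real host you would feed it the output of `lsattr -R /etc`.

```python
"""Parse lsattr output and list files whose flags block modification.

Added example, not from the original post. SAMPLE_OUTPUT is constructed
to mirror the post's lsattr lines; the attribute column width is assumed
to be the classic layout shown there.
"""
import re
from typing import Dict, List

# Letters from lsattr(1) mapped to readable names. 'e' (extents) is set on
# nearly every ext4 file and is not interesting on its own.
ATTR_NAMES: Dict[str, str] = {
    "i": "immutable",
    "a": "append-only",
    "e": "extents",
    "u": "undeletable",
    "s": "secure-deletion",
    "c": "compressed",
}
LOCKING_FLAGS = {"i", "a"}  # the two that even root cannot write past

# Example line: "----i------------e- some_file_name"
LINE_RE = re.compile(r"^(?P<flags>[-A-Za-z]+)\s+(?P<path>.+)$")

# Constructed sample output, modelled on the post's lsattr examples.
SAMPLE_OUTPUT = """\
----i------------e- /etc/passwd
-----------------e- /etc/hostname
-----a-----------e- /var/log/auth.log
-----------------e- /etc/hosts
"""


def parse_lsattr(text: str) -> Dict[str, List[str]]:
    """Map each path to the names of the attributes set on it."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and "lsattr: ..." error messages
        flags = [ATTR_NAMES.get(ch, ch) for ch in m.group("flags") if ch != "-"]
        result[m.group("path")] = flags
    return result


def find_locked_files(text: str) -> List[str]:
    """Return paths that are immutable or append-only, sorted."""
    wanted = {ATTR_NAMES[c] for c in LOCKING_FLAGS}
    return sorted(p for p, f in parse_lsattr(text).items() if wanted & set(f))


if __name__ == "__main__":
    attrs = parse_lsattr(SAMPLE_OUTPUT)
    for path in find_locked_files(SAMPLE_OUTPUT):
        print("review:", path, attrs[path])
```

Append-only on a log file can be deliberate hardening, so the output is a review list, not a verdict.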


My favorite browser is Windows

So I’ve been getting acclimated to my new environment at work and have been thinking more and more about how much I miss Linux and the command line. The new environment is almost entirely Windows-based and I feel like my productivity has dropped without the option of using the command line, hence the title of this article. It seems like the most productive aspect of my Windows experience is using a web browser.

At my previous place of employment I got so used to the command line that I take it for granted now, as I could do nearly all of my daily work from it (aside from web browsing and email; I never made that jump). In this post I would like to highlight some of the command line tools that I am talking about and how they contributed to my productivity in a former life (although I still take advantage of them at home, obviously).

The first and most important piece of the command line experience is getting a good terminal multiplexer. I have played with both screen and tmux, but have to say that out of the two I like using tmux more. Both of them can do nearly identical things, but I just became more attached to tmux the more that I played with it; one thing that drew me in was the quick and easy screen splitting functionality of tmux.

After much experimentation I finally have a .tmux.conf config file that I feel comfortable with. It has all of the settings I like and need, as well as bindings to match those in screen, along with a few other neat tricks.

# This configuration file binds many of the common GNU screen key bindings to
# appropriate tmux key bindings. Note that for some key bindings there is no
# tmux analogue and also that this set omits binding some commands available in
# tmux but not in screen.
# Note this is a good starting point but you should check out the man page for more
# configuration options if you really want to get more out of tmux

### Unbind existing tmux key bindings (except 0-9).

# Set the prefix to ^A.
unbind C-b
set -g prefix ^A
bind a send-prefix

# Bind appropriate commands similar to screen.
# lockscreen ^X x
unbind ^X
bind ^X lock-server
unbind x
bind x lock-server

# screen ^C c
unbind ^C
bind ^C new-window
unbind c
bind c new-window

# detach ^D d
unbind ^D
bind ^D detach

# displays *
unbind *
bind * list-clients

# next ^@ ^N sp n
unbind ^@
bind ^@ next-window
unbind ^N
bind ^N next-window
unbind " "
bind " " next-window
unbind n
bind n next-window

# other ^A
unbind ^A
bind ^A last-window

# prev ^H ^P p ^?
unbind ^H
bind ^H previous-window
unbind ^P
bind ^P previous-window
unbind p
bind p previous-window
unbind BSpace
bind BSpace previous-window

# windows ^W w
unbind ^W
bind ^W list-windows
unbind w
bind w list-windows

# quit \
# The backslash is quoted so the config parser does not treat it as an escape.
unbind '\'
bind '\' confirm-before "kill-server"

# kill K k
unbind K
bind K confirm-before "kill-window"
unbind k
bind k confirm-before "kill-window"

# redisplay ^L l
unbind ^L
bind ^L refresh-client
unbind l
bind l refresh-client

# More straight forward key bindings for splitting
unbind %
bind | split-window -h
bind v split-window -h
unbind '"'
bind - split-window -v
bind h split-window -v

# History
set -g history-limit 10000

# Terminal emulator window title
set -g set-titles on
set -g set-titles-string '#S:#I.#P #W'

# Status Bar
set -g status-bg black
set -g status-fg white
set -g status-interval 1
#set -g status-left '#[fg=green]#H#[default]'
set -g status-left '#[fg=green](#S) #(whoami)@#(host `hostname` | cut -d " " -f 4)'
set -g status-right '#[fg=yellow]#(cut -d " " -f 1-4 /proc/loadavg)#[default] #[fg=cyan,bold]%Y-%m-%d %H:%M:%S#[default]'

# Notifying if other windows has activities
setw -g monitor-activity on
set -g visual-activity on

# Highlighting the active window in status bar
setw -g window-status-current-bg red

# Clock
setw -g clock-mode-colour green
setw -g clock-mode-style 24

# Hostname and IP address
#set -g status-right '#[fg=white]#(hostname)@#(host `hostname` | cut -d " " -f 4)'
#set -g status-right '#[fg=white]#(host `hostname` | cut -d " " -f 4)'

The most important part of how you utilize your tmux experience is the management of your sessions. Within tmux I usually have at least four terminals open for various tasks: at least one for bash, one for the Irssi command line IRC client, one for the ipython interpreter and one for editing text files (I use Vim, but that is a separate topic). Once you get comfortable with the key combinations for navigation and other tasks, tmux can increase your productivity a great deal. As I stated, in my daily work the only things I don’t use the command line for are email and web browsing, which I know is possible; I just never tried to make the switch. I would still like to do that at some point in the future.

If you have any command line-fu you would like to share, let me know or post in the comments section. I always love hearing about what others are doing and incorporating it into my own bag of tricks.


A Quick Status Update

I know it has been a while since I updated the blog, so I figured this would be a good time to do a quick little post, if anyone is even reading this. I have been super busy getting adjusted to everything after the move to the new place, as well as trying to get comfortable with things at my new job; it is a really exciting time for me right now. Everything seems to be going well there so far, I have even managed to survive my first patch management day.

Once I get settled in a little more I plan to get back to the blog, and I have a feeling some really Windows-heavy stuff will be coming soon. If there are any requests I will do my best to get to them. One other thing I have learned already at my new job is that I will be handling some Cisco networking projects, so maybe some of those types of topics will start showing up here pretty soon as well.

On top of that I have a few side projects for home that I’ve been thinking about, and I will be posting those efforts here as I (however slowly) get around to them. I think those will probably be geared a lot more toward Linux, since those are my favorite type of projects.


Feeding your mail gateway a proper spam diet

In a previous post I described the process of how to get a Linux based mail filtering gateway set up on your network to check for viruses and do some basic filtering, eventually delivering messages to your Exchange server.

In this post I will expand on the various ways to “train” and customize your SpamAssassin mail filter to do more checks to weed out spam and generally lower the amount of junk that is making its way to your users’ inbox.

There are a number of checks that aren’t enabled by default in SpamAssassin. Obviously the default setup isn’t as efficient as we would like, so there is a little bit of extra leg work getting everything set up the way it should be.

Tightening up Postfix:

This is the first step to improving the efficiency of your filtering process. There are a number of checks that can be enabled in the Postfix configuration file (/etc/postfix/main.cf) to fight incoming spam. I have appended these various checks to the end of the configuration I posted previously to lower the amount of spam getting through by ensuring proper sending addresses, valid recipients, proper domains, etc.

smtpd_helo_required = yes
smtpd_sender_restrictions =
 reject_non_fqdn_sender,
 reject_unknown_sender_domain
smtpd_recipient_restrictions =
 permit_mynetworks,
 reject_unauth_destination,
 reject_invalid_hostname,
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_recipient

Configuring these restrictions will cause an immediate drop in the amount of spam that makes its way through the filter, so the importance of getting this implemented cannot be overstated.

Make your spam filter happy, feed it spam:

The next technique that I will discuss took me FOREVER to figure out, so I hope that by sharing what I have learned I will help people save time in their own implementations. It didn’t help that IMAP wasn’t enabled on our Exchange server, but I will save that story for another day.

Essentially you want to get a good chunk of spam and ham email messages onto your mail filter so that SpamAssassin can apply its Bayesian filtering techniques and learn how to classify incoming messages (statistical analysis stuff, I don’t know a lot about the specifics).

My first thought was to have users copy spam messages into a public folder on my Exchange server and pull the messages down directly to my mail gateway. BUT that dream was shattered when I discovered that IMAP support for public folders had been dropped in the version of Exchange I am using (Exchange 2010).

So I dabbled with a few ideas that weren’t very graceful, the most notable of which was copying the Exchange public folder into Thunderbird and then copying the mbox file from Thunderbird to the mail gateway, yuck. I finally got some help from my friends over at ServerFault. I basically had to install and configure fetchmail to go out and look for two specified mailboxes on my Exchange server, one SPAM account (a spam collection account I created) and one HAM account (my personal inbox).

To install fetchmail issue the following command:

sudo aptitude install fetchmail

Next, we need to configure fetchmail to look at our specified IMAP accounts, so we need to edit the config file ~/.fetchmailrc:

poll mail.domain.com protocol IMAP port 993:
auth password user "domain/spamacct" with password "password" ssl
auth password user "domain/hamacct" with password "password" ssl

Modify the permissions so that only the specified user can read/write the config file (it holds the account passwords in clear text, and fetchmail refuses to run with a world-readable rc file):

chmod 600 .fetchmailrc

Finally you should be able to pull the emails onto your mail gateway by issuing the following command:

fetchmail -a -v -n -k --folder inbox

At this point the mail should be on your mail server in /var/spool/mail/USER. The final step is to feed the mail into the Bayesian filter provided by SpamAssassin. To do this, issue the following commands:

sa-learn --showdots --mbox --spam spam
sa-learn --showdots --mbox --ham ham

I had to rename the mail files to “spam” and “ham” when I first copied them to the server, but that should be easy enough to accomplish.

To check how the learning process is going we need to look at the sa-learn database for the counts of tokens, ham and spam it has received. There are a few ways to check the database, but the easiest I have found is to enter the following on the command line:

sa-learn --dump magic

This will output a number of results, the most important of which are the nspam, nham and ntokens values. Here is a sample from the initial training stages of my spam filter:

bruticus@bruticus:~$ sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0        341          0  non-token data: nspam
0.000          0        210          0  non-token data: nham
0.000          0      69078          0  non-token data: ntokens
0.000          0 1318421928          0  non-token data: oldest atime
0.000          0 1319205954          0  non-token data: newest atime
0.000          0 1319142287          0  non-token data: last journal sync atime
0.000          0 1319142287          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

Ideally you want the nham and nspam outputs around or above the 1000 message mark, but the filter can begin working with as little as 200 of each.
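To turn that check into something repeatable, the following is an added example (not from the original post) that parses the `sa-learn --dump magic` output shown above and reports whether the Bayes database has reached the 200-per-class minimum and the 1000-per-class goal the post quotes. SAMPLE_DUMP is a constructed copy of the post's sample; on a real gateway you would pass in the command's actual stdout.

```python
"""Report Bayes training progress from `sa-learn --dump magic` output.

Added example, not part of the original post. The thresholds are the
figures the post gives; SAMPLE_DUMP is a constructed sample modelled
on the post's output.
"""
import re
from typing import Dict, Tuple

MIN_PER_CLASS = 200    # Bayes can start working with this many of each
GOAL_PER_CLASS = 1000  # the post's recommended target per class

# Constructed sample of the non-token rows printed by `sa-learn --dump magic`.
SAMPLE_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        341          0  non-token data: nspam
0.000          0        210          0  non-token data: nham
0.000          0      69078          0  non-token data: ntokens
0.000          0 1318421928          0  non-token data: oldest atime
0.000          0 1319205954          0  non-token data: newest atime
"""

# Third column is the value; the text after "non-token data:" names it.
ROW_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data:\s*(.+?)\s*$")


def parse_magic(text: str) -> Dict[str, int]:
    """Return {name: value} for every non-token row, e.g. {'nspam': 341}."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def training_status(text: str) -> Tuple[str, Dict[str, int]]:
    """Classify the corpus as 'untrained', 'usable' or 'well-trained'.

    Both classes must pass a threshold before it counts, so the smaller
    of nspam and nham decides the level.
    """
    stats = parse_magic(text)
    counts = {k: stats.get(k, 0) for k in ("nspam", "nham", "ntokens")}
    smallest = min(counts["nspam"], counts["nham"])
    if smallest < MIN_PER_CLASS:
        level = "untrained"
    elif smallest < GOAL_PER_CLASS:
        level = "usable"
    else:
        level = "well-trained"
    return level, counts


if __name__ == "__main__":
    print(*training_status(SAMPLE_DUMP))  # usable {'nspam': 341, 'nham': 210, 'ntokens': 69078}
```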

Also, I have read that the best way to train is to feed SpamAssassin the newest spam and ham messages that you have, so make sure to look for the newest messages to feed it. I read that it has something to do with the Bayesian analysis.

NOTE: Try to do the spam/ham learning step of the process in off hours or at a slow time, because processing all the messages adds a tremendous amount of overhead to Postfix, and the machine itself uses a large chunk of memory.

That’s it. The spam filter should be able to filter out even more messages now thanks to the Bayesian filtering that we just enabled.

Final Step:

This one may or may not be overkill; I just implemented it yesterday and haven’t had a chance to get any feedback from it yet. If you are in a multi-language environment this addition may not be feasible either. With this step we are going to enable a SpamAssassin plugin to attempt to detect the email language and filter out everything that isn’t either English or Spanish.

To do this we need to enable the plugin, so open up the SpamAssassin config /etc/spamassassin/v310.pre and uncomment the following line:

loadplugin Mail::SpamAssassin::Plugin::TextCat

Then we need to edit the main SpamAssassin configuration file, /etc/spamassassin/local.cf, to filter out all non-English or non-Spanish languages. These lines can be added anywhere; I chose to add them under the Bayesian filtering section.

ok_languages en es
ok_locales en es

Conclusion:

That is pretty much it, at least for now. There are possibly a few other things to modify, but I need to see how efficient the spam filter is at this point before I decide if I need to add any more layers. I have a feeling that things are pretty good at this point and adding more filtering wouldn’t really add much value.

I am very satisfied with the results that I have attained with this project and hope to keep refining the process as I see fit. Although, at some point I think I am just going to need to take a look at it and say “enough is enough”. So, if you have any questions or ideas for improvement let me know, I would be glad to hear them.

Resources:

http://wiki.apache.org/spamassassin/SingleUserUnixInstall#Enable_IMAP_LearnAsSpam_folder
http://wiki.apache.org/spamassassin/RemoteImapFolder
http://www.byteplant.com/support/cleanmail/howtolearnexchange.html
http://faisal.com/docs/salearn
http://allaboutexchange.blogspot.com/2007/08/how-to-configure-spamassassin-bayesian.html
http://serverfault.com/questions/320594/bayesian-filtering-for-exchange-2010/320838#320838
http://www.howtoforge.com/debian_etch_fetchmail
http://spamassassinbook.packtpub.com/chapter9_preview.htm
http://www.linuxhomenetworking.com


Short Hiatus

I have a new job lined up as an “official” Systems Administrator that I will be starting shortly, so the posts may be a little light in the next month or so, plus I haven’t had any really good ideas for topics (so if you have something you would like to see, let me know). Hopefully with this new job I will get some fresh new challenges and be able to blog about how I solved them, or get ideas for other future posts.

This new position will be focused primarily on Windows and network administration, so I can foresee future posts focusing more heavily on those sorts of administration topics, although I do have some Linux plans for my own personal knowledge in the works right now which I can’t wait to write about either.

As for now, keep checking back. If the site is down it’s probably because I’m in the middle of moving or haven’t gotten my new internet connection set up. Once I’m all settled in I will start cranking out the posts again. If you have something cool you would like to share I would love to post it here for you, so let me know about that as well.
