Troubleshooting with Colt Python .357

Mar 30, 2013

siwapp :: File does not exists error

We tested siwapp application, which is an opensource invoicing application, but we had some problems, the error log was full of these:

[Sat Mar 30 17:32:55 2013] [error] [client xx.xx.xx.xx] File does not exist: /home/invoice/web/invoices

The site seemed to work fine otherwise.

It seemed that there was a problem with the app's .htaccess.

The main problem was here:

RewriteCond %{REQUEST_URI} \..+$

which matches all files with a dot in the filename, but the rule was ment to match files that start with a dot.

The fix for this is:

RewriteCond %{REQUEST_URI} /\..+$

After that fix, the app created errors because of a request for favicon.ico.

Well, the fix for that is simple enough

RewriteRule .+/favicon.ico$ favicon.ico [L]

So the whole .htaccess looks like this:

Options +FollowSymLinks +ExecCGI -MultiViews

AddDefaultCharset utf-8

Order deny,allow

Deny from all

Order deny,allow

Deny from all

RewriteEngine On

# Rule to test if rewrite module is available during

# the install process

RewriteRule test_rewrite1\.txt test_rewrite2.txt

RewriteRule .+/favicon.ico$ favicon.ico [L]

# uncomment the following line, if you are having trouble

# getting no_script_name to work

#RewriteBase /

# we skip all files with .something

RewriteCond %{REQUEST_URI} /\..+$

RewriteCond %{REQUEST_URI} !\.html$

RewriteRule .* - [L]

# we check if the .html version is here (caching)

RewriteRule ^$ index.html [QSA]

RewriteRule ^([^.]+)$ $1.html [QSA]

RewriteCond %{REQUEST_FILENAME} !-d

RewriteCond %{REQUEST_FILENAME} !-f

# no, so we redirect to our front web controller

RewriteRule (.*) index.php [L,QSA]

Mar 25, 2013

Java, PHP :: RSA Asymmetric Encryption

Information Security and Privacy was a pretty fun and interesting class I had in college, I learned quite a lot of interesting new stuff, but when it came down to it, in practice, I had some problems implementing encrypted communication between Android (Java) frontend and PHP backend because of a tiny little detail.
Algorithm of choice was RSA and the most important part is to use "RSA/ECB/PKCS1PADDING" algorithm when calling Cipher instance in Java, other stuff is pretty straightforward.

RSA works like this.

Imagine a scenario where Alice sends an encrypted message to Bob.
As you can see, Alice encrypts data with Bob's public key, and only Bob can decrypt it, because only he has his private key.

Here's the Java code (Warning, some Android elements ahead)

public class Encryption {
 private static Key  privKey;
 private static PublicKey pubKey;
 private static PublicKey servPub;
 
 private static String  tag  = "Encryption";
 private static String[]  alg  = {"RSA","RSA/ECB/PKCS1PADDING"};
 private static String  hash  = "SHA1";

 private static String  serverPubKeyB64 = ""; //Bob's public key here
 
 
 public static String encrypt(String data) {
  return b64(encrpyt(data.getBytes()));
 }
 
 public static byte[] encrpyt(byte[] data) {
  genKey();
  try {
   Cipher c1 = Cipher.getInstance(alg[1]);
         c1.init(Cipher.ENCRYPT_MODE, getServPub());
         return c1.doFinal(data);
  } catch(Exception e) {
   Log.e(tag, "encrpyt", e);
  }
  return new byte[0];
 }
 
 public static void genKey() {
  if (privKey == null || pubKey == null) {
   Log.i(tag, "generating key");
   try {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance(alg[0]);
    kpg.initialize(1024);
    KeyPair kp = kpg.generateKeyPair();
    privKey = kp.getPrivate();
    pubKey = kp.getPublic();
   } catch (Exception e) {
    Log.e(tag, "genKey", e);
   }
  }
 }
 
 public static PublicKey getServPub() {
  if(servPub == null) {
   try {
    byte[] encodedPublicKey = b64decode(serverPubKeyB64);
    
    KeyFactory keyFactory = KeyFactory.getInstance(alg[0]);
    X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(encodedPublicKey);
    PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
    
    return publicKey;
   } catch(Exception e) {
    Log.e(tag, "getServPub", e);
   }
  }
  return servPub;
 }
 
 public static PublicKey getPubKey() {
  genKey();
  return pubKey;
 }
 
 public static String getPubKeyB64() {
  PublicKey key = getPubKey();
  if(key != null) {
   return b64(getPubKey().getEncoded());
  } else {
   Log.e(tag, "getPubKeyB64 - key is null");
   return "";
  }
 }
 
 public static String b64(byte[] b) {
  return Base64.encodeToString(b, Base64.DEFAULT);
 }
 
 public static byte[] b64decode(String str) {
  return Base64.decode(str, Base64.DEFAULT);
 }
 
 public static String sha1(String data) {
  return sha1(data.getBytes());
 }
 
 
 public static String sha1(byte[] data) {
  return formatString(sha1bytes(data));
 }
 
 public static byte[] sha1bytes(byte[] data) {
  try {
   MessageDigest md = MessageDigest.getInstance(hash);
   return md.digest(data);
  } catch(Exception e) {
   Log.e(tag, "sha1", e);
   return new byte[0];
  }
 }
 
 @SuppressLint("DefaultLocale")
 public static String formatString(byte[] data) {
  StringBuilder sb = new StringBuilder();

  for (byte b : data) {
      sb.append(String.format("%02X", b));
  }
  
  return sb.toString().toLowerCase();
 }
}

And the PHP code:

class Encryption {

    public $pubkey = '...';

    public $privkey;
 
 public function __construct() {
  $this->privkey = openssl_pkey_get_private(file_get_contents('....pem'));
 }

    public function encrypt($data) {
        if (openssl_public_encrypt($data, $encrypted, $this->pubkey))
            $data = base64_encode($encrypted);
        else
            throw new Exception('Unable to encrypt data.');

        return $data;
    }

    public function decrypt($data) {
        if (openssl_private_decrypt(base64_decode($data), $decrypted, $this->privkey))
            $data = $decrypted;
        else
            $data = '';

        return $data;
    }
}

Jan 9, 2013

DKIM + SPF + Sendmail for multiple domains (Ubuntu)

First things first,

DKIM is DomainKeys Identified Mail and is used in mail servers, such as Postfix or Sendmail to sign e-mails and thus authenticating the sender so that a forgery can be detected. It also reduces the possibility of an e-mail being flagged as spam, but it's not a definite prevention.

A much simpler method is using SPF (Sender Policy Framework) which, in a nutshell, verifies the sender IP address.

According to the internet, using both should result to ????, PROFIT !!!.

SPF does not need a specific configuration. Whitelisted servers are listed in a DNS record, TXT or SPF, and an example record is:

example.com. IN TXT "v=spf1 a mx ~all"

And that's preety much it, for the simplest case there is. This record specifies the policy (v=spf1), whitelisted servers (a and mx records), and ~all states that every other IP address should be tagged as SOFTFAIL.
It can get much more complicated than this, so RTFM.

Okay, so, DKIM.

DKIM includes a cryptographic hash in the e-mail header which is calculated with the private key (on the server) and verified with the public key (in the DNS record).

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
     c=relaxed/simple; q=dns/txt; l=1234; t=1117574938; x=1118006938;
     h=from:to:subject:date:keywords:keywords;
     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
              VoG4ZHRNiYzR

First, install opendkim.

apt-get install opendkim

Edit the configuration file of opendkim.conf, located in /etc/opendkim.conf.

AutoRestart             Yes
UMask                   002
Syslog                  yes
AutoRestartRate         10/1h
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UserID                  opendkim:opendkim

As you can see, there are three more files to be added, TrustedHosts (whitelisted IPs that can sign e-mails), KeyTable (multiple domain configuration for public and private keys) and SigningTable (whitelisted users that can sign e-mail).

/etc/opendkim/TrustedHosts:

127.0.0.1
example.com
192.168.0.1/24

You get the idea.

/etc/opendkim/SigningTable:

*@example.com default._domainkey.example.com

All users from @example.com can sign. You can specifiy usernames and domains, instead of the wildcard, for additional security.

/etc/opendkim/KeyTable:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com.pvt

Location of the private key and name of the DNS record for each domain. The "default" before _domainkey.example.com and :default: is a selector. This can be changed to something else.

Next, we need to generate the public and private key for each domain.

Shouldn't be too difficult.

If some folders don't exist, just create them.

root@ubuntu:/etc/opendkim/keys# opendkim-genkey -D /etc/opendkim/keys/example.com -d example.com -s default

Again -s flag is for the selector. If you changed it, you need to enter it here.

The command generates a private key (default) and public key (default.txt). You will probably rename them, to match the configuration.
An important note here is that the files are owned by user opendkim, or you will get permission denied errors in /var/log/mail.err. Default permissions on those files are -rw------.

Move the private key to where you specified it should be in the KeyTable.
Insert the public key in your DNS as a TXT record.

Next up, telling sendmail to talk to opendkim.

Edit /etc/mail/sendmail.mc and add this line at the end. DO NOT EDIT sendmail.cf.

INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

Rebuild sendmail configuration and restart, start opendkim if it's not running yet

root@ubuntu:~# sendmailconfig; service sendmail restart; service opendkim start

Test it out.

That's it, you're done!

Jan 8, 2013

PHP: shortest and easiest GeoIP (IP to Country)

Without using a database of IP addresses or an "external API" (not completely true), this is the shortest method of determining the country of an IP addresss.

The one-liner issues a shell_exec() to the whois command and parses the two letter country code from it.

if(preg_match('/^(\d+\.?){4}$/',$ip)) {
$country = trim(shell_exec('whois '.$ip.' -H | grep country | awk \'{print $2}\''));
}

The preg_match() is of course optional, but for your own good, because as you may know, shell_exec() is VERY DANGEROUS.

Note: This does not work on all versions of WHOIS!

Also note that there is a daily query limit to the RIPE.NET database, so it's good to cache the results. It's not like that information gets changed often.

Jan 4, 2013

Sendmail :: X-Authentication-Warning: user set sender to email using -f

Solving the X-Authentication-Warning header in the emails you send requires quite a few steps.

An example of a typical warning:

X-Authentication-Warning: hostname: www-data set sender to info@example.com using -f

The -f flag in sendmail is used to set the envelope sender address.

Usually the -f flag is passed in PHP's mail() function as an additional parameter argument.

It comes in handy to set a valid bounce email address to catch undelivered mail.

Even the PHP manual states that only the trusted users in the system (listed in /etc/mail/trusted-users) can set the -f flag.

Each line in the file contains the trusted user name.

Trouble is, that's not enough

To tell sendmail to actually include the trusted-users file, you need to modify submit.mc, located in /etc/mail/submit.mc. Just add these two lines at the end of the file:

define(`_USE_CT_FILE_',`1')dnl

define(`confCT_FILE',`/etc/mail/trusted-users')dnl

The last thing you need to do is rebuild the sendmail configuration files by executing the command sendmailconfig as root and restart sendmail.

Read more about SPF records and DKIM, to increase the chances of mail being delivered and not getting flagged as spam.