Wednesday, December 10, 2008

Parallels 4.0 Upgrade - Windows XP Guest

I recently upgraded to version 4.0 of Parallels for Mac. Everything went well, with the exception of one minor issue. While upgrading some of my Windows XP guests, the driver for the sound card was not found.

In fariness to Parallels, I use a customized install of Windows XP which was created by using nLite. It allows for faster setup and smaller Parallels images. The catch is that it does this by removing things that are not normally used. Like programs and drivers...

So when I went to upgrade my Windows XP guests to Parallels 4.0, the guest OS couldn't find the sound card driver. Normally this driver is included, but I believe it was stripped out by nLite.

After trying the usual tricks (uninstalling the device, searching the Windows XP CD, etc...) nothing worked.

Fortunately I was able to locate the driver that is needed to work with Parallels. It is an Intel 82801 AC97 Audio driver. I was able to download a free copy of it from DriverGuide.com. Installed fine, sound works great now!

Monday, November 24, 2008

Ubuntu, Virtualbox, and Shorewall

If you are running virtual servers using VirtualBox and you are using the host based networking, then this post may be helpful for you.

I am running my development servers (Tomcat, Asterisk, Apache, etc...) using VirtualBox since it allows me to consolidate machines and run everything from one dual core box. Since I also try to practice good security (even at home) I have enabled UFW (uncomplicated firewall). While this works great for a basic desktop setup, it breaks networking for my virtual hosts.

To get around this you can use a more sophisticated firewall configuration tool like shorewall or you can edit your iptables directly. I went with shorewall since it is easier to work with.

Here is what I did to get everything working...

1.) Installed shorewall,
sudo aptitude install shorewall

2.) Disabled UFW,
sudo ufw disable

3.) Copy the default shorewall configuration files,


cd /usr/share/doc/shorewall-common/examples/one-interface
sudo cp interfaces policy rules zones /etc/shorewall/


4.) Configured the files as based on this post on the Ubuntu forums.

http://ubuntuforums.org/showthread.php?t=968278

5.) Validate your configuration,
sudo shorewall check

6.) Turn on shorewall by editing /etc/default/shorewall and changing the startup=0 line to startup=1.
7.) Start shorewall,
sudo /etc/init.d/shorewall start



I followed the post on the Ubuntu forum with the following exceptions...

1.) I have multiple VirtualBox host adapters (tap0, tap1, and tap3). So I have additional lines in the interfaces file for them.


vbx tap0 detect dhcp
vbx tap1 - -
vbx tap2 - -


2.) I didn't start with adding this line to the policy file, all all ACCEPT info. Mostly because I'm lazy and didn't want to remove it a few steps later.

3.) I tweaked my rules file a bit so that I could ping my virtual hosts.


# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping/REJECT bri $FW

# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW bri icmp
ACCEPT $FW net icmp
ACCEPT $FW vbx icmp


At this point everything should be working fine. That being said, I do not claim to be an expert on shorewall or linux network security. So please feel free to leave a comment if you notice something that could be improved.

Monday, June 02, 2008

Tomcat Authentication Session Fixation Issues

I recently worked on a project that was using Tomcat's authentication and realms to manage user access and authentication. Part of the project was to pass the client's internal security audit. It was noted during the audit that Tomcat's built-in authentication is susceptible to a basic session fixation attack.

For details on session fixation, see this link.

Here is a breakdown of what was happening in our project...

- User accesses protected URL
- Tomcat creates session and saves user's original URL to session.
- User is redirected to login page
- User authenticates *
- User is redirected to error page or original URL depending on success of authentication.

The problem is that the session id is not regenerated after the user is successfully authenticated (* above). The issue we had is very similar to what was detailed here.

In our setup we were using Tomcat 6.0.13 with form authentication and an LDAP realm.

The fix, which is also detailed on the link above, was to build a Valve that intercepts access to j_security_check and regenerates the session id before each login attempt (success or failure).

Everything was pretty simple, the only trick was that Java doesn't have a method to regenerate the session id so you have to save all the session variables, destroy the session, and then create a new session.

Here is a link to the deployed Valve.

Feel free to post any comments or suggestions.

Thursday, April 03, 2008

Quick Bash Pointer

While writing a Bash script today, I came across an interesting situation.

I had gathered some output into a variable and I wanted to email those results to myself.

Typically you just use the mail command, specify a subject, and add a to address. Then just pipe in a file which will be used for the body text of the email.

However, I didn't have results in a file. I had them in a variable in memory. So rather than create a temp file and use the traditional approach, a friend of mine showed me the following approach which seems cleaner.

mail -s "subject" "to address" <<eof
$RESULT
eof


This will send everything after '<<eof' up to the next 'eof' to the mail command via stdin. More information can be found here about the usage of eof.

Original suggestion for this approach was taken from the following link, in the comments section.

Tuesday, April 01, 2008

MailScanner Cron Jobs (Ubuntu 6.06.2 LTS w/ Mailscanner 4.68.8-1)

I recently performed a MailScanner upgrade on a mail server that I maintain, and I noticed that afterwards I was receiving tons of messages from the MailScanner cron jobs that were running.

The messages didn't indicate any problems, just that things were running smoothly. While this is great information, I really only need to know when there is a problem so I can correct it. Anything else will just clutter my inbox or be filtered to the trash.

My initial thought was to just pipe the output to /dev/null and forget about it. However if I did this I would no longer receive emails alerting me of problems, which I need to get.

The three scripts that were causing a problem are check_mailscanner, update_phishing_sites, and update_bad_phishing_sites.

The check_mailscanner has an easy fix, and that is to just add a -q parameter to the cron entry that calls the script. This will suppress the positive output.

The other two scripts I had to manually edit. I commented out the line calling wget and modified the command to call curl to have the --silent and --show-error options.

Not sure this was the best way to fix the problem, but it has seemed to do the trick. Other suggestions are welcome.


update_phishing_sites

#wget http://www.mailscanner.info/phishing.safe.sites.conf.master || \
curl --silent --show-error -O http://www.mailscanner.info/phishing.safe.sites.conf.master || \
( logger -p mail.warn -t update.phishing.sites Cannot find wget or curl, update failed. ; echo Cannot find wget or curl to do phishing sites update. ; exit 1 )

update_bad_phishing_sites

#wget http://www.mailscanner.eu/phishing.bad.sites.conf.master || \
curl --silent --show-error -O http://www.mailscanner.eu/phishing.bad.sites.conf.master || \
( logger -p mail.warn -t update.phishing.sites Cannot find wget or curl, update failed. ; echo Cannot find wget or curl to do phishing bad sites update. ; exit 1 )

Monday, February 18, 2008

Oracle JDBC PreparedStatement & setString Issue

I've noticed some interesting behavior with the Oracle JDBC driver (version 10g, ojdbc14.jar).

This interesting "feature" surrounds the behavior of the PreparedStatement. The easiest way to describe the issue is with an example.

Table A has one column, b CHAR(3).

Query, SELECT * FROM A WHERE b = ?

My intended query was SELECT * FROM A WHERE b = ' ', but the Oracle JDBC driver actually was building this query, SELECT * FROM A WHERE b = ''.

The problem is that when calling setString() on the PreparedStatement to populate the ?, the PreparedStatement strips any leading or trailing spaces.

Normally this wouldn't be an issue and the driver would actually be doing me a favor. However, in my case where I was trying to substitute the ' ' space character it was a big problem.

The easiest way I found to get around this behavior was to simply not use a PreparedStatement. By using a normal Statement, I could control how the substitution was processed and allow the proper query to be generated.

Ubuntu 7.10 Disable trackerd

On my Ubuntu 7.10 desktop I have noticed that for long periods of time the CPU will be maxed out. When I investigate further trackerd is always the culprit.

Since this seems to be a common issue, this is what I do to disable trackerd and reclaim wasted CPU cycles.

1.) Right click on the 'Deskbar Applet'. Go to 'Preferences'.
2.) Scroll down in the list till you see, 'Tracker Live Search' & 'Tracker Search'. Make sure both of these are unchecked.
3.) Press the Close button.
4.) Go to 'System' -> 'Preferences' -> 'Sessions'.
5.) Scroll down the list to 'Tracker'. Make sure it is unchecked.
6.) Logout. (if that doesn't work, try rebooting.)

When you log back in to the system, you should no longer have the trackerd process running.

You can check by issuing a 'ps aux | grep trackerd'. Which shouldn't list a running 'trackerd' process.