/var/log/orava

Petri Wessman's weblog

London, the city-sized Hotel California

London was nice, as always. Huge, busy, multicultural, and full of more things to do than you’d ever have time for. Or money… the place remains one expensive place to visit – or to live in, I gather.

…but leaving was slightly traumatic. I can confidently say that the London airport situation isn’t as bad as they claim. It’s much, much worse. We would have missed our flight if some nice people hadn’t let us jump the line a bit (it would have taken us about an hour to queue to that spot, and at that point our flight was leaving in about an hour). Since we were flying out through Stansted we thought it couldn’t be that bad. Oh ha. We would have needed to be at the airport 2.5 - 3 hours in advance. Totally ridiculous, and to add insult to injury this idiocy doesn’t do much if anything to improve security.

Until they get their act sorted out, if ever, do try to avoid London airports. “You can fly in any time you like, but you can never leave”, to paraphrase a bit…

Other than the Kafka-meets-Dilbert security madness at the airport, the trip was nice. Guy and Michaela got properly married (in Westminster Cathedral no less), there was much partying and dancing until late-o-clock, and we even eventually managed to get “home” – though we had to resort to a bicycle “rickshaw” (it was a fun experience).

Apart from the wedding, we did touristy stuff. Visited the Tower, the British Museum, the Sherlock Holmes museum, the Zoo, etc. Ate well (including an Ethiopian meal, whee!), shopped a small bit, and even managed to get same-day tickets to see Stomp at the Vaudeville Theatre.

Nice trip, but city vacations are always exhausting. My feet are still a bit sore, and there’s some amount of sleep lag piled up.

Published by Orava

Rails 1.1.6

The 1.1.5 patch to Rails didn’t quite fix all the holes, so version 1.1.6 is now out, along with details on the hole. It’s good to see the Rails team take this seriously and move fast – and I really don’t understand the whiners about “security through obscurity”. Yes, in the long run that’s a bad policy, but when you’ve just discovered a hole in a popular framework, the thing to do is precisely what the Rails team did: announce the fact that there’s a potential exploit and offer a new version of the software, but withhold details for a day or two until most people have managed to update their systems. To do otherwise would be to give the script kiddies of the world a free ride. Yes, you can possibly figure out the hole by comparing diffs… but most of the script kids out there are just that: kids who will use a ready-made “hack”, but won’t bother to figure it out for themselves.

This site is now upgraded to 1.1.6, naturally. Typo is still version 4.0.0 – there is now a version 4.0.2 out which fixes some bugs and includes Rails 1.1.6, but the gem updater for that one gave me an error. I’ll try it again after Ropecon, no time to hack now.

Published by Orava

New firewall

On Saturday I finished reading Linux Firewalls, and promptly got to work writing version 2.0 of the new server firewall. The book was very good – while it didn’t teach me all that much totally new (I’ve been tinkering with iptables for years), it did present a lot of “best practices” and scenarios. My favorite thing about the book was how it condensed various protocols and scenarios into tight recipes, so I could just go, “hmm, I want to enable DHCP for my LAN, what’s the bare minimum I need to allow for that?”… and find a nice, concise answer. I guess the biggest boon I got from the book was tips on how to tighten up the firewall; it isn’t all that hard to write a simple firewall, but it gets tricky fast when you want to block and check all that you possibly can without impeding the server systems or users of the local LAN in any way. Good book, I can warmly recommend it to anyone who is interested in the subject.

Anyway, I spent a large part of Saturday building a new firewall. Took quite a bit of effort and required some mishaps (like me locking myself out of NFS for a while) before it was working and polished… but now I have a pretty nice and tight new firewall setup, with filtering on the INPUT, OUTPUT and FORWARD chains. My previous firewalls only had INPUT rules; the new one adds OUTPUT rules to check that the server communicates only with those services it’s supposed to (which makes life harder for potential intruders). I also added some light FORWARD filtering, mainly anti-spoofing sanity checks and a block on SMTP traffic (to catch and stop possible spam robots in the LAN). All in all, I’m pretty satisfied with the setup.
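As an added illustration (not the post’s own ruleset, and not from the book), here is a compact iptables script in the three-chain layout described above, covering both the “bare minimum for DHCP on the LAN” recipe and the OUTPUT/FORWARD tightening. It assumes eth0 is the WAN side, eth1 the LAN side on 192.168.1.0/24, and that the server offers SSH, HTTP and HTTPS and acts as the LAN’s DHCP server; all of those are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: default-deny on INPUT, OUTPUT and FORWARD.
# Interfaces and LAN range are assumptions, override via environment.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}   # IPT=echo prints the rules instead of loading them

apply_rules() {
  $IPT -F; $IPT -X; $IPT -t nat -F
  $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
  # Loopback and already-tracked flows are always fine.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  for c in INPUT OUTPUT FORWARD; do
    $IPT -A $c -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  # Anti-spoofing: LAN addresses never arrive from the WAN side,
  # and only LAN addresses may be forwarded from the LAN side.
  $IPT -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
  $IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
  $IPT -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
  # INPUT: the services this server actually offers.
  for p in 22 80 443; do
    $IPT -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
  done
  # DHCP from the LAN: client bootpc(68) -> server bootps(67). The reply goes
  # to a different address than the request came from, so conntrack does not
  # match it; the OUTPUT rule below is the bare minimum needed for the reply.
  $IPT -A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
  $IPT -A OUTPUT -o $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
  # OUTPUT: only what the server itself is supposed to talk to
  # (DNS, its own outbound mail, HTTP/HTTPS for package updates); log the rest.
  $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A OUTPUT -j LOG --log-prefix "FW-OUT-DROP: "
  # FORWARD: LAN hosts may reach the net, but not SMTP directly (spam bots).
  $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j LOG --log-prefix "FW-LAN-SMTP: "
  $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j DROP
  $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
  $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
}

case "${1:-}" in
  --dry-run) IPT=echo apply_rules ;;   # preview the rules
  --apply)   apply_rules ;;            # load them (needs root)
esac
```

Run it with `--dry-run` first; the logged FW-OUT-DROP lines are exactly the kind of thing a logcheck rule set can watch for.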

I also have logcheck and aide running on the system, along with various other boobytraps, intended to give me warning of any intrusion attempt (or even a successful one). I have no illusions about being able to stand up to a serious, targeted custom attack, but that’s not a very likely scenario in any case. The intention here is to armor the system against automated attacks and script kiddies, and make life as difficult as possible even for successful intrusions that haven’t elevated to root yet. On that latter note, I intend to look into the GRSecurity extension and PaX one of these days; ideally I would massively reduce the rights that high-risk user accounts (apache, mainly) have in the system. One thing at a time.

Security is always about layers and procedures, and it’s always a tradeoff between it and ease of use. There are limits to how far it’s reasonable to go in a home server setting in any case. But it’s fun to tinker.

Published by Orava
