How to Patch Heartbleed on Ubuntu 12.04 LTS


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Upgrade OpenSSL on Ubuntu 12.04 LTS

http://www.ubuntu.com/usn/usn-2165-1/

Install the patch

    $ sudo apt-get update
    $ sudo dpkg --list | grep openssl
    ii  openssl                           1.0.1-4ubuntu5.3      Secure Socket Layer (SSL)...

    $ sudo apt-get --only-upgrade install openssl
    $ sudo apt-get install libssl1.0.0

    $ sudo dpkg --list | grep openssl
    ii  openssl                           1.0.1-4ubuntu5.12     Secure Socket Layer (SSL)...

Check if installed correctly

    $ openssl version -a
    OpenSSL 1.0.1 14 Mar 2012
    built on: Mon Apr  7 20:33:29 UTC 2014             <<<< THIS IS THE CORRECT DATE
    platform: debian-amd64
    options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"
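An added check, not from the original post, that automates the build-date comparison above: it parses the `built on:` line of `openssl version -a` and reports whether the build is dated on or after 7 Apr 2014, the date the post marks as the correct one for the patched package. Function names are my own; POSIX sh only, and the command output is passed in as a string so it can be run over output collected from several hosts.

```shell
#!/bin/sh
# Added example, not from the original post: parse the "built on:" line of
# `openssl version -a` and decide whether the build is dated on or after
# 7 Apr 2014, the rebuild date the post flags as the correct one for the
# patched 1.0.1-4ubuntu5.12 package. POSIX sh only; the caller passes the
# command output as a string, so it can run offline or over collected output.

month_num() {
  case "$1" in
    Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *)   echo 0 ;;
  esac
}

# Prints the build date as YYYYMMDD; returns 1 if the line is absent or odd.
openssl_build_yyyymmdd() {
  built=$(printf '%s\n' "$1" | sed -n 's/^built on:[[:space:]]*//p' | head -n 1)
  [ -n "$built" ] || return 1
  # asctime layout: "Mon Apr  7 20:33:29 UTC 2014" -> dow mon day time zone year
  set -- $built
  [ $# -ge 6 ] || return 1
  m=$(month_num "$2")
  [ "$m" -gt 0 ] || return 1
  case "$3$6" in *[!0-9]*) return 1 ;; esac   # day and year must be digits
  echo $(( $6 * 10000 + m * 100 + ${3#0} ))   # ${3#0}: avoid octal "08"/"09"
}

# 0 = built on/after the fix date, 1 = older build, 2 = could not tell.
heartbleed_build_ok() {
  key=$(openssl_build_yyyymmdd "$1") || return 2
  [ "$key" -ge 20140407 ]
}

# Convenience wrapper for the local host.
check_local_openssl() {
  heartbleed_build_ok "$(openssl version -a 2>/dev/null)"
}
```

The more reliable fleet-wide signal is the package version itself (1.0.1-4ubuntu5.12 or later, compare with `dpkg --compare-versions`), because Ubuntu backports the fix without changing the upstream "1.0.1" string.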

To install the Heartbleed command-line tool and check your service:

Install Go on Mac

Install Heartbleed on Mac

    $ go get github.com/FiloSottile/Heartbleed
    $ go install github.com/FiloSottile/Heartbleed

Check your service

Note: you can also use an online tool here http://filippo.io/Heartbleed/#

    $ cd ~/Dropbox/projects/go/bin
    $ ./Heartbleed www.example.com:443
    2014/04/10 13:31:31 www.example.com:443 - SAFE

If the check is not successful (the host is not reported SAFE), the tool dumps the heartbeat response, and you should still see the "YELLOW SUBMARINE" marker it sent in that dump.

    $ ./Heartbleed www.example.com:443
    2014/04/10 13:33:05 ([]uint8) {
     00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|
     00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|
     00000020  55 42 4d 41 52 49 4e 45  b2 fb b3 7c 8a 8b 9b df  |UBMARINE...|....|
     00000030  c5 04 78 e8 62 38 91 30  32 0c cd ad 42 4c 45 00  |..x.b8.02...BLE.|
     00000040  00 00 13 00 11 00 00 0e  6f 6e 61 2e 65 78 73 65  |........ona.exse|
     00000050  65 64 2e 6e 65 74 00 05  00 05 01 00 00 00 00 00  |ed.net..........|
     00000060  0a 00 08 00 06 00 17 00  18 00 19 00 0b 00 02 01  |................|
     00000070  00 00 0d 00 0a 00 08 04  01 04 03 02 1d 80 3b 29  |..............;)|
     00000080  90 ff 29 31 de 83 00 8a  ce 95 98 ce              |..)1........|
    }

How Can I Debug My Cucumber Right in the Middle of Test Run?


I am currently using cucumber/capybara to test my Rails app, and now I’m facing a problem: how the heck can I debug my test right in the middle?

I have found a gem called pry-debugger, and since I use pry, I just want to give it a try.

Installation

  • Add the pry gems (“pry-rails”, “pry-debugger”) to the Gemfile

      gem 'pry-rails'
      gem 'pry-debugger'
    
  • In support/env.rb, require the gem

      require 'pry'
    
  • Put binding.pry before the line that you want to debug

  • Just run bundle exec cucumber --tags @dev; this cannot be run from RubyMine, since there is no pry console REPL there

Reference Links

  • pry
  • pry-debugger

Pry Debugger useful commands

  • step: Step execution into the next line or method. Takes an optional numeric argument to step multiple times.

  • next: Step over to the next line within the same frame. Also takes an optional numeric argument to step multiple lines.

  • finish: Execute until current stack frame returns.

  • continue: Continue program execution and end the Pry session.

  • breakpoints: TBD

Tips

Stepping through code often? Add the following shortcuts to ~/.pryrc:

if defined?(PryDebugger)
  Pry.commands.alias_command 'c', 'continue'
  Pry.commands.alias_command 's', 'step'
  Pry.commands.alias_command 'n', 'next'
  Pry.commands.alias_command 'f', 'finish'
end

How to Write Capistrano Task for Non Rails


Because Capistrano is so powerful, sometimes we want to use it for things other than Rails. Here is a quick example.

I want to get the output of a single command on my remote host, e.g. free -m

  • Install capistrano

      $ vi Gemfile
    
          source 'https://rubygems.org'
          gem 'capistrano', '~> 2.15'
    
      $ bundle install
    
  • Generate capistrano

      $ capify .
    
  • Create a task

      $ vi config/deploy.rb
    
          set :application, "my-app-ios"
    
          set :user, "chawarong.s"
          set :host, "my.example.com"
    
          role :web, "#{host}"                          # Your HTTP server, Apache/etc
          role :app, "#{host}"
    
          namespace :monitor do
            task :free do
              output = capture "free -m"
              puts output
    
            end
          end
    
  • Run it

      $ cap monitor:free
        * 2014-01-09 15:36:47 executing `monitor:free'
        * executing "free -m"
          servers: ["my.example.com"]
          [my.example.com] executing command
          command finished in 376ms
                   total       used       free     shared    buffers     cached
      Mem:          2003       1845        158          0        183        984
      -/+ buffers/cache:        677       1326
      Swap:          507          0        507
    

My Git Experiment While Working on Commits


While I was working with my code, I noticed that something about git wasn’t the way I understood it should be. Here are my experiments.

git commit w/o filename

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git add broadway  
    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git status  

    # On branch master
    # Your branch is ahead of 'origin/master' by 2 commits.
    #
    # Changes to be committed:
    #   (use "git reset HEAD <file>..." to unstage)
    #
    #   new file:   broadway
    #
    # Changes not staged for commit:
    #   (use "git add <file>..." to update what will be committed)
    #   (use "git checkout -- <file>..." to discard changes in working directory)
    #
    #   modified:   folsom
    #

“Changes to be committed:” means that if you do a git commit without filenames, it will commit these files. Why? Because those files are already in the index tree (i.e. the staging tree) and ready to be committed.

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git commit -m "add broadway" 
    [master 4c9bd0d] add broadway
     0 files changed
     create mode 100644 boulder/broadway

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git status
    # On branch master
    # Your branch is ahead of 'origin/master' by 3 commits.
    #
    # Changes not staged for commit:
    #   (use "git add <file>..." to update what will be committed)
    #   (use "git checkout -- <file>..." to discard changes in working directory)
    #
    #   modified:   folsom
    #
    no changes added to commit (use "git add" and/or "git commit -a")

“Changes not staged for commit:” means that if you do a git commit without filenames, it won’t commit these files, because they are only in the working tree (not yet in the staging tree).

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git help commit
    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git add folsom
    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git status
    # On branch master
    # Your branch is ahead of 'origin/master' by 3 commits.
    #
    # Changes to be committed:
    #   (use "git reset HEAD <file>..." to unstage)
    #
    #   modified:   folsom
    #

Doing git add filename on a “modified” file just adds this not-yet-staged file to the staging tree.

Warning: removing a “modified” file (not a newly added one) from “Changes to be committed” using $ git rm --cached (git also accepts the abbreviation --cache, as in the transcript below) will “completely” remove the file’s content from the index tree (i.e. staging tree), so the next commit records the file as deleted.

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git status
    # On branch develop
    # Changes to be committed:
    #   (use "git reset HEAD <file>..." to unstage)
    #
    #   modified:   folsom

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git rm --cache folsom
    rm 'folsom'

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git status
    # On branch develop
    # Changes to be committed:
    #   (use "git reset HEAD <file>..." to unstage)
    #
    #   deleted:    folsom                            <<<< watch out for this, it's gonna delete your file

To undo the above, just git add it again

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git add folsom

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git status
    # On branch develop
    # Changes to be committed:
    #   (use "git reset HEAD <file>..." to unstage)
    #
    #   modified:   folsom                           <<<< it's back!!!

If what you really want is to take the “modified” file out of the staged changes, use git reset -- <filename> instead

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git reset -- folsom

    Unstaged changes after reset:
    M   folsom
    M   Gemfile.lock
    M   features/application/group/folsom.feature
    M   features/application/folsom/folsom_security.feature
    M   features/applicationfolsom/step_definitions/folsom_security_steps.rb

    songserm@songserm-ubt:~/Dropbox/projects/git-dummy/boulder$ git status
    # On branch develop
    # Changes to be committed:
    #   (use "git reset HEAD <file>..." to unstage)
    #
    #
    # Changes not staged for commit:
    #   (use "git add <file>..." to update what will be committed)
    #   (use "git checkout -- <file>..." to discard changes in working directory)
    #
    #   modified:   folsom                          <<<< it's back down to unstagged area
    #   modified:   Gemfile.lock
    #   modified:   features/application/group/folsom.feature
    #   modified:   features/application/folsom/folsom_security.feature
    #   modified:   features/application/folsom/step_definitions/folsom_security_steps.rb
    #
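As an added example (not part of the original post), the experiment above replayed in a throwaway repository, so the three outcomes can be compared by git's two-column porcelain status codes instead of by reading the long status output; the function names and scratch-repo helper are my own and assume git is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: replay the experiment in a scratch
# repository and return git's porcelain "XY" status for the file after each step,
# so the difference between `git rm --cached` (stages a deletion) and
# `git reset -- file` (just unstages) is checkable. Needs git on PATH.

# Creates a repo with one committed file ("folsom", as in the post) whose
# modification has been staged; prints the repo path.
scratch_repo() {
  dir=$(mktemp -d) || return 1
  (
    set -e
    cd "$dir"
    git init -q .
    git config user.email demo@example.invalid
    git config user.name demo
    git config commit.gpgsign false
    echo original > folsom
    git add folsom
    git commit -q -m "add folsom"
    echo changed > folsom       # modify in the working tree...
    git add folsom              # ...and stage it: status shows "M " (index column)
  ) || return 1
  printf '%s\n' "$dir"
}

# Index/worktree columns ("XY") of the tracked entry for one path; falls back to
# the untracked line ("??") if that is all git reports. Empty when clean.
status_code() {
  out=$(git -C "$1" status --porcelain -- "$2")
  tracked=$(printf '%s\n' "$out" | grep -v '^??' | head -n 1 | cut -c1-2)
  if [ -n "$tracked" ]; then
    printf '%s\n' "$tracked"
  else
    printf '%s\n' "$out" | head -n 1 | cut -c1-2
  fi
}

# The trap from the post: removing a staged modification with --cached stages
# the file's deletion ("D "); the working copy stays, but the next commit drops it.
rm_cached_then_status() {
  git -C "$1" rm -q --cached -- "$2"
  status_code "$1" "$2"
}

# The post's undo: `git add` puts the content back into the index ("M ").
add_then_status() {
  git -C "$1" add -- "$2"
  status_code "$1" "$2"
}

# The post's recommended way to unstage: the change goes back to the working tree (" M").
reset_then_status() {
  git -C "$1" reset -q -- "$2"
  status_code "$1" "$2"
}
```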

How to Add Headless Functionality to My Cucumber Testing Stack

  • Install these packages

      $ sudo apt-get install xvfb         ;# a framebuffer, the magic behind headless
      $ sudo apt-get install firefox      
      $ sudo apt-get install ffmpeg       ;# take care of video conversion
    
  • In a CI script, do this:

      #!/bin/bash
      # Add the headless gem and append the Capybara/Cucumber hooks below to env.rb.
      echo "gem 'headless'" >> ./Gemfile
      read -d '' cucumber_append <<EOF

      if Capybara.current_driver == :selenium

        require 'headless'
        # Xvfb display geometry: width x height x colour depth
        headless = Headless.new(:dimensions => "1366x768x24")
        headless.start

        at_exit do
          headless.destroy
        end

        Before do
          headless.video.start_capture
        end

        # Keep the recording only for failed scenarios (video conversion needs ffmpeg).
        After do |scenario|
          if scenario.failed?
            headless.video.stop_and_save(video_path(scenario))
          else
            headless.video.stop_and_discard
          end
        end

        def video_path(scenario)
          "#{scenario.name.split.join("_")}.mov"
        end

      end
      EOF
      echo "" >> ./features/support/env.rb
      echo "$cucumber_append" >> ./features/support/env.rb
      echo "" >> ./Gemfile
      echo "gem 'capistrano_colors'" >> ./Gemfile

      rvm use 1.9.3-p286
      bundle install
      bundle exec rake db:migrate RAILS_ENV=test

      #bundle exec cucumber features/userstory/a -r features/
      bundle exec cucumber --color
    

How to Check if Ubuntu Is Desktop or Server


“Desktop or server” is not a binary thing – it’s possible to have some desktop components installed on a machine originally installed as a server, etc.

However, there are some tips available to find that out.

Check a package

    $ dpkg -l ubuntu-desktop                               ;# will tell you if the desktop components are installed.

Log in to the terminal to see the welcome message, or cat /etc/motd

Desktop

    Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-29-generic i686)

     * Documentation:  https://help.ubuntu.com/

Server

    Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic x86_64)

     * Documentation:  https://help.ubuntu.com/

      System information as of Thu Nov 21 13:23:37 ICT 2013

      System load:  0.0                Processes:           185
      Usage of /:   70.7% of 60.90GB   Users logged in:     1
      Memory usage: 57%                IP address for eth0: 10.225.50.163
      Swap usage:   8%

      => There are 13 zombie processes.

      Graph this data and manage this system at https://landscape.canonical.com/

    134 packages can be updated.
    66 updates are security updates.

Some Bash Shell Tips and Tricks I Love to Share


List all cron jobs of all users in the system

You would have to run this as root, but:

    $ for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done

will loop over each user name, listing that user’s crontab. The crontabs are owned by the respective users, so you won’t be able to see another user’s crontab without being them or root. If you also want to know which user each crontab belongs to, insert echo $user:

    $ for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done

Keep the CPU busy all the time

Note: this reads a stream of zeroes from /dev/zero and writes it to the null device /dev/null, where it is simply discarded.

    $ dd if=/dev/zero of=/dev/null

Write a huge file until the disk is full.

    $ dd if=/dev/zero of=/tmp/hugefile

Find out network connection usage

    $ lsof -i

    COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    dropbox   2749 songserm   24u  IPv4 743438      0t0  TCP songserm-ubt.local:32899->snt-re2-8c.sjc.dropbox.com:http (ESTABLISHED)
    dropbox   2749 songserm   29u  IPv4  15602      0t0  UDP *:17500 
    dropbox   2749 songserm   32u  IPv4  15605      0t0  TCP *:17500 (LISTEN)
    ubuntu-ge 2849 songserm    7u  IPv4  15155      0t0  TCP songserm-ubt.local:59924->mistletoe.canonical.com:http (ESTABLISHED)
    unity-sco 3046 songserm   12u  IPv4  15662      0t0  TCP songserm-ubt.local:54618->alkes.canonical.com:http (ESTABLISHED)
    unity-sco 3046 songserm   14u  IPv4  15663      0t0  TCP songserm-ubt.local:54619->alkes.canonical.com:http (ESTABLISHED)


    # small cheat sheet
    $ lsof -h

Find out memory/cpu usage

    # refresh rate is 0.5 sec
    $ top -d 0.5 

    # list only this process id
    $ top -p 1234

    # htop is more interactive
    $ htop

Buffer & cache in Linux memory usage

The buffers number represents in-memory blocks that result from the kernel accessing the disk, such as when the kernel needs to read the contents of files. The cached figure tells us how much RAM is being used to cache the content of recently read files. The buffer figure increases when the file system layer is bypassed while the cache grows when the file system is used. Both grow as read operations increase.

For more details, you can visit this link

    top - 18:54:11 up 38 days, 19:58,  7 users,  load average: 0.02, 0.01, 0.00
    Tasks: 181 total,   1 running, 179 sleeping,   1 stopped,   0 zombie
    Cpu(s):  0.0%us,  0.0%sy,  0.0%ni, 99.8%id,  0.1%wa,  0.0%hi,  0.0%si,  0.0%st
    Mem:   2074952k total,  1967968k used,   106984k free,   503416k buffers
    Swap:  4192956k total,      128k used,  4192828k free,  1135640k cached

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    18751 shs       15   0  2424  980  724 R  2.0  0.0   0:00.01 top
        1 root      15   0  2160  592  516 S  0.0  0.0   0:01.07 init
        2 root      RT  -5     0    0    0 S  0.0  0.0   0:00.07 migration/0
        3 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
        4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
        5 root      RT  -5     0    0    0 S  0.0  0.0   0:00.77 migration/1
        6 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/1
        7 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
        8 root      RT  -5     0    0    0 S  0.0  0.0   0:00.14 migration/2
        9 root      39  19     0    0    0 S  0.0  0.0   0:00.02 ksoftirqd/2
       10 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/2
       11 root      RT  -5     0    0    0 S  0.0  0.0   0:00.32 migration/3
       12 root      39  19     0    0    0 S  0.0  0.0   0:00.04 ksoftirqd/3
       13 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/3
       14 root      10  -5     0    0    0 S  0.0  0.0   0:00.02 events/0
       15 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/1
       16 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/2

Generate a timestamp in various ways

    $ date +"%Y%m%d%H%M%S"
    20131010102451

    $ date +"%Y-%m-%d %H:%M:%S"
    2013-10-10 10:24:34

    $ date --date='@1374000050' +"%Y-%m-%d %H:%M:%S"
    2013-07-17 01:40:50

Run a command on behalf of another user

    $ su - chawarong -c 'whoami'
    $ su - chawarong -c 'cmd1 & cmd2'

Set vim as a default editor in ubuntu

    $ sudo update-alternatives --set editor /usr/bin/vim.basic

Walk into each release folder and run git status

    # run ls in the releases folder so $listdir holds the release names
    $ cd /var/www/my_rails_app/releases
    $ listdir=`ls`
    $ for l in $listdir ; do cd /var/www/my_rails_app/releases/$l; pwd; git status; done

    # look for a modified deploy.rb in any release (pwd is kept so you can see which one)
    $ for l in $listdir ; do cd /var/www/my_rails_app/releases/$l; pwd; git status | grep deploy.rb; done

Using _default_ in VirtualHost in Apache


Using the default vhost to serve unspecified IPs and ports

That is, catching every request to any unspecified IP address and port, i.e. an address/port combination that is not used by any other virtual host:

    <VirtualHost _default_:*>
      DocumentRoot /www/default
    </VirtualHost> 

A default vhost never serves a request that was sent to an address/port that is used for name-based vhosts; on such an address/port, a request whose Host header matches no ServerName is handled by the first name-based vhost defined for it, so a catch-all _default_ only covers addresses and ports with no other vhost at all.

    <VirtualHost _default_:80>
      DocumentRoot /www/default80
      # ...
    </VirtualHost>

    <VirtualHost _default_:*>
      DocumentRoot /www/default
      # ...
    </VirtualHost>

This is the same as the first example, except that unspecified requests on port 80 are served from /www/default80, while every other unspecified address/port still falls through to /www/default.

How to Configure Networking on Ubuntu


Configure network using init networking (text mode)

    /etc/network/interfaces

12.04 or later

    $ sudo /etc/init.d/networking restart 

The dns-* options that would normally go in /etc/resolv.conf can be configured in /etc/network/interfaces instead; there is no need to specify them in /etc/resolvconf/resolv.conf.d.

    dns-search
    dns-nameserver
    dns-nameservers

/etc/resolv.conf is a symlink to /run/resolvconf/resolv.conf or /etc/resolvconf/run/resolv.conf

note: in resolv.conf, do use “search” instead of “domain” option because the search feature supersedes the domain feature. Unlike domain, search accepts multiple arguments.

Once configured in /etc/network/interfaces, use resolvconf tool

    $ man resolvconf
    $ resolvconf -u 

If /etc/resolv.conf doesn’t look right, maybe the resolvconf interface database needs to be updated by -d (delete) and -a (add) arguments

    $ resolvconf -d eth0
    $ ls /etc/resolvconf/run/interface       # you shouldn't see eth0 file
    $ resolvconf -a eth0
    $ ls /etc/resolvconf/run/interface       # now you should see the file and its content matched yours

In other words, to update the database you have to call resolvconf with the -a or -d option. That happens behind the scenes when you run ifup or ifdown. So normally, as with any other change to /etc/network/interfaces, to activate changes to the dns-* options you have to ifdown the interface in question and ifup it again, or reboot.

Reference

If you don’t want resolvconf to take effect, make /etc/resolv.conf a regular file instead of the symlink.

Check whether resolvconf is installed

    $ dpkg --list | grep resolv

If it is not installed:

    $ sudo apt-get install resolvconf

Add your config in /etc/resolvconf/resolv.conf.d/head

Again, /etc/resolv.conf is a symlink to /run/resolvconf/resolv.conf or /etc/resolvconf/run/resolv.conf
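An added audit script, not from the original post, covering the two points above: whether /etc/resolv.conf is still the resolvconf symlink (the two targets named here) or a regular file, and whether the file uses “domain” where “search” is recommended. Function names are my own; the path argument lets you run the checks against a copied file.

```shell
#!/bin/sh
# Added example, not from the original post: audit the resolver setup the post
# describes. Reports whether /etc/resolv.conf is the resolvconf-managed symlink
# (the two targets named in the post) or a plain file (resolvconf bypassed), and
# lints the file for the "domain" vs "search" issue from the note above. The
# path is a parameter so the checks can run against a copied file or a test dir.

# Prints one of: managed | static | missing | other
resolv_conf_state() {
  f=${1:-/etc/resolv.conf}
  if [ -L "$f" ]; then
    case "$(readlink "$f")" in
      /run/resolvconf/resolv.conf|../run/resolvconf/resolv.conf|/etc/resolvconf/run/resolv.conf)
        echo managed ;;
      *) echo other ;;
    esac
  elif [ -f "$f" ]; then
    echo static        # a regular file: resolvconf will not overwrite it
  else
    echo missing
  fi
}

# Prints one "warn:" line per finding; returns 0 when clean, 1 otherwise.
resolv_conf_lint() {
  f=${1:-/etc/resolv.conf}
  [ -r "$f" ] || { echo "warn: $f is not readable"; return 1; }
  rc=0
  if grep -q '^domain[[:space:]]' "$f"; then
    echo "warn: 'domain' keyword used; use 'search' (supersedes domain, takes several names)"
    rc=1
  fi
  n=$(grep -c '^nameserver[[:space:]]' "$f" || true)   # grep -c exits 1 on zero matches
  if [ "$n" -eq 0 ]; then
    echo "warn: no nameserver entries"
    rc=1
  elif [ "$n" -gt 3 ]; then
    echo "warn: $n nameserver entries; the glibc resolver only consults the first 3"
    rc=1
  fi
  return $rc
}
```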

Configure network using network manager gui (graphic mode)

Restart all interfaces

    $ sudo service network-manager restart

Restart a specific interface

    $ sudo service network-interface restart INTERFACE=eth0

Caveat

There is a bug: if two network interfaces are configured in the Network Manager GUI and/or in /etc/network/interfaces, there will be confusion. The suggestion is to configure both interfaces in /etc/network/interfaces.

The error messages look similar to this:

    syslog.1:Oct  6 12:32:26 myhost NetworkManager[763]: <info> Unmanaged Device found; state CONNECTED forced. (see http://bugs.launchpad.net/bugs/191889)
    syslog.1:Oct  6 12:32:26 myhost NetworkManager[763]: <info> Activation (eth0) Beginning DHCPv4 transaction (timeout in 45 seconds)
    syslog.1:Oct  6 12:32:26 myhost NetworkManager[763]: <info> dhclient started with pid 14990
    syslog.1:Oct  6 12:32:26 myhost NetworkManager[763]: <info> Activation (eth0) Beginning IP6 addrconf.
    syslog.1:Oct  6 12:32:26 myhost NetworkManager[763]: <info> Activation (eth0) Stage 3 of 5 (IP Configure Start) complete.
    syslog.1:Oct  6 12:32:26 myhost NetworkManager[763]: <info> (eth0): DHCPv4 state changed nbi -> preinit
    syslog.1:Oct  6 12:32:46 myhost NetworkManager[763]: <info> (eth0): IP6 addrconf timed out or failed.
    syslog.1:Oct  6 12:32:46 myhost NetworkManager[763]: <info> Activation (eth0) Stage 4 of 5 (IP6 Configure Timeout) scheduled...
    syslog.1:Oct  6 12:32:46 myhost NetworkManager[763]: <info> Activation (eth0) Stage 4 of 5 (IP6 Configure Timeout) started...
    syslog.1:Oct  6 12:32:46 myhost NetworkManager[763]: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) started...
    syslog.1:Oct  6 12:32:46 myhost NetworkManager[763]: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) failed (no IP configuration found)

link to bug