RSS
 

Enabling SSL on IIS with a Self-Signed Cerfificate

30 Mar

If you’re a developer and you want to be able to use SSL on your development machine, or you are just doing some in-house development, you can install an SSL certificate on your IIS server without obtaining it from VeriSign, Thawte or others.

The plus side is that you can enable this right away for free. The downside is that any visitors to your site will get the security warning saying that the certificate used is not valid. If this is for in-house use only, you can add the certificate to your trusted certs for IIS for yourself and/or all your internal employees. Otherwise, you can just deal with the security pop-up. Either way, it works for testing SSL on your dev box.

Installing it is actually pretty easy. First, you need to install the IIS 6.0 Resource Kit From Microsoft:

[url]http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en[/url]

Once it’s installed, Your Start menu will contain a new folder with a bunch of IIS utilities.

To install the cert, run the app: Start -> IIS Resources -> SelfSSL -> SelfSSL

A DOS window will open with some instructions. At the DOS prompt, type “SelfSSL” (without the quotes) to run the app and enter “Y” when prompted to override your default certificate.

At that point SSL should be installed – you can verify this by opening your browser to https://localhost/

 
No Comments

Posted in IIS

 

Beating the Final Mission in GTA Vice City!

30 Mar

Yea, this isn’t really programming related, but hey, it’s important! This level took me forever, but I figured out a strategy that’s practically fool-proof. The final level in GTA Vice City is called “Keep your friends close…” and you have to kill the big boss. Here’s how you do it:

Before you start, make sure you have the rocket launcher and a good supply of amo (at least 8 rockets). Also have one manual aiming rifle. Make sure your health and shields are at 100% too. Once you are set, save the game right there in the office. That way if you have to do it over, it’s pretty fast to load the game and start the mission.

At the start you are in your office gaurding the safe. Grab the python pistol and stand in the middle of the room facing the doorway. Just stand there until people come at you and shoot them with the python (one shot kills). I like to rapidly press the aim button so it will lock onto a target as soon as one gets close. If you do well, you can get past this level without getting hit. As long as you have about 50% shields, you’ll be fine.

After about 60 seconds of this, you’ll get a message to go kill Lance. As soon as you see this, run out of the room. Don’t bother trying to kill anybody. As soon as you get outside the room, a cut-scene will appear. Have the joystick pointed to the right and the run button depressed. As soon as the cut-scene is over, you’ll start running to the right towards Lance. Here is the trick – don’t try to shoot anybody – even Lance. Just run as fast as you can to the roof. Run right past Lance if you can. Try to memorize the moves so you can just haul ass the whole way. Just go around people and try not to get shot. If you can make it to the roof with any health left at all, you’ll be fine.

As you go onto the roof, have the joystick already pointed left and the run button depressed. Run straight to the adrenalin pill, grab it, and take a right towards the helipad. Run to the Heart and recharge your health if necessary. Don’t bother shooting anybody! At this point, you’ll be standing on the helipad. All of the bad guys are standing at the level below you and they cannot hit you. You can take a breath here and proceed when you’re ready.

Now, staying on the helipad, move towards the rail, towards the guys. Arm yourself with one of the manual aiming rifles so that you can snipe the guys. Staying towards the left seems to give a better angle. As you get closer, you’ll get into firing range, so be careful. But if you move up very slowly, you’ll be able to see the guys heads poking up and you can shoot them without them being able to shoot you! If you do get hit, you can go back to the heart. This part is easy if you take your time – no need to rush.

Once you have killed all the guys, you can walk back towards the door. Before you do, arm yourself with the rocket launcher. Once you go back inside, go down the stairs and take the first doorway you can (this is the level just above your office). If you see any guys on the way – they are your own guys and they won’t bother you. No need to shoot anybody. Take the most direct path to your office. Just before you get to the office door, another cut-scene will occur.

As soon as the cut scene is over (you should already be armed with the rocket launcher) you will be standing at the top of the stairs – your health and shields are magically charged to full. Very quickly, take about 4 steps forward, aim and fire the rockets right at the boss guy. You’ll knock him down on the first shot, but keep firing. After about 4 shots, he dies!

That’s it. If you do it right, you can rock through this level really fast. The key, again, is not to bother shooting anybody when you’re running from one place to the next.

Happy Happy Joy!

-j

 
No Comments

Posted in Digital Life

 

Installing OpenSSL on Windows

30 Mar

The following is my personal successful experience installing OpenSSL on Windows. However, my machine is loaded with development tools, so there is a chance that there is something installed on my computer that is not mentioned here and, unknowingly, serving some function. However, I’m pretty sure I’ve got most of it.

UPDATE:. I am also told that following my instructions may or may not result in a healthy binary, although it seemed to work for me. (Thanks to Thomas Hruska and the openssl.org users list for the info)

[i:18d3bd8262]– original walkthrough (ie, the hard way) –

A. Requirements:

1. Visual C++ (which, unfortunately is not a free software) You can download nmake.exe by itself from [url]http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe[/url] however I am told that OpenSSL will only compile successfully if you have the full version of Visual C++.

2. ActiveState Perl. This can be downloaded freely from [url]http://www.activestate.com/[/url]

3. Some way of decompressing a tar.gz file. If you don’t already have anything, I recomment IZArc, which can be downloaded from [url]http://www.izsoft.dir.bg/izarc.htm[/url]. If you are familiar with unpacking tar.gz on unix, then you can use UNIX Utils (see below) instead.

4. UNIX Utils – obtained at [url]http://unxutils.sourceforge.net/[/url]. I don’t know for a fact that this is required, however I notice that compiles will many times fail because tar or gz or some other trivial unix command is not available. If you notice any such errors during compile, grab UNIX utils. If you do much compiling, just grab it anyway.

5. MASM assembler. Download it from [url]http://www.masm32.com/[/url] (this gets installed into your VC++ bin directory)

B. Preparation:

For VC++, if you didn’t elect to configure the command-line environment variables during installation, then you should run the batch file vcvars32.bat (which is in the VC++ directories somewhere) to set them.

MASM should include a bin directory and the contents are supposed to be installed into your VC++ bin directory as well. If you put them somewhere else, make sure this location is in your Path.

Make sure the path to Perl executable is in your Path.

Make sure the path to UNIX utils is in your Path. (I don’t know that this is absolutely necessary, but I have it set this way)

C. Installation

If everything is all set, installation should go as planned:

1. Download OpenSSL source from [url]http://www.openssl.org/[/url]. You will want to download the tar.gz that is marked as the “Latest” release.

2. Extract the tar.gz file using whatever method you like. Move this directory to “C:\OSSL” (this is an arbitrary location for the purposes of easy explaination)

3. Open a DOS window, move to the C:\OSSL directory, and execute the following commands: (These instructions are taken from install.w32 which is included in the OpenSSL install folder. I suggest you read it.)

> perl Configure VC-WIN32
> ms\do_masm
> nmake -f ms\ntdll.mak

If everything went ok, you’ll not see any error messages. If you do, the message should give some clue. Things like “ml not a valid command” etc indicate you don’t have your environmental paths set up correctly.

Now that OpenSSL is compiled, there are are some tests you can run to make sure it’s ok. Read install.w32 for info about these. Finally, you can move the necessary parts to their permenant home on your system. install.w32 recommends the following dos commands to do the trick (you can use windows explorer, though):

> md c:\openssl
> md c:\openssl\bin
> md c:\openssl\lib
> md c:\openssl\include
> md c:\openssl\include\openssl
> copy /b inc32\openssl\* c:\openssl\include\openssl
> copy /b out32dll\ssleay32.lib c:\openssl\lib
> copy /b out32dll\libeay32.lib c:\openssl\lib
> copy /b out32dll\ssleay32.dll c:\openssl\bin
> copy /b out32dll\libeay32.dll c:\openssl\bin
> copy /b out32dll\openssl.exe c:\openssl\bin

Open SSL should be compiled and available now.

 
No Comments

Posted in Windows

 

Securing your cgi-bin

30 Mar

The Problem:

I find a lot of surprising security problems as I work on client’s sites. Even large, reputable companies often have gross security issues. I know more than anyone how difficult it can be to get a cgi script installed and working. It’s tempting to walk away without double-checking the security. One of the most common things that I see is poor security of the cgi-bin. Depending on the setup of your server, someone can take total control of your account easily through a poorly secured cgi-bin.

The particular problem i’m writing about involves writable files/directories within your cgi-bin, or scripts that make calls to external programs (like sendmail). These are both very common types of scripts that you would find in just about any cgi-bin.

The writable file issue is that most cgi scripts rely on a datafile to store their information. In some cases, they need an entire writable directory to store data (file uploads, etc). The tricky part is that you have to allow the script write access to the file/directory. If your server is running as “nobody” then you need to allow world write access to the file. This is dangerous because other users on the server also have the ability to run under the “nobody” user – which means they can also write to those files. Some servers are configured so that scripts execute under your own userid. Otherwise sensible people are fooled into thinking that they are protected by this. Although it does protect you from the “nobody” exploits, it actually make the potential damage much worse if you have poor security settings.

The issue with scripts that make calls to external programs (like Formail for sending email via sendmail, etc) is that if they are not coded properly, someone can input malicious text that causes an arbitrary shell command to run in addition to the sendmail command. This command will run under whatever userid that the original script has.

One dangerous situation is a script that allows file uploads and it’s writable directory is in the cgi-bin. Any script like this should have serious security checks in place to prevent malicious files from being uploaded. If the script doesn’t check file types as they upload, any anonymous user can upload a script or executable file right to your cgi-bin.

Another situation is on a virtual host where you share your account with lots of other users. This exploit is only available to people who have an account on your machine, however it is no less a problem. All users on your server can install cgi scripts in their account which run under the “nobody” permissions. If they install a simple command processing script, they can manipulate any file in your account that allows world write access.

So, take a look at your cgi-bin and look for any writable files or directories. Imagine what would happen if someone could edit or add any file there in your cgi-bin. A writable directory is particularly bad because the other person on your server can actually write a new script file there and then browse to the url to execute it.

Normally if someone can totally compromise your site in this way, they are limited to running as the user “nobody.” However, there is still quite a bit of damage that can be done. Formmail scripts can be installed to send spam. Scripts to snoop into your datafiles can be installed. Large files can be uploaded and shared (using your bandwith). I once had a client who incurred a $10,000 bandwidth bill after their server was compromised by hackers sharing video game software. Nothing more than “nobody” access is needed to do this.

If cgi-wrap is enabled, the situation is compounded because the scripts in your cgi-bin can be executed through cgi-wrap to run under your own userid. At that point, they own your account.

How To Secure cgi-bin:

There’s a few simple things that can help lock down your cgi-bin.

1. Never, ever have a file with both world-execute and world-write permissions. This can be overwritten with any arbritrary code by any user on your server. Once they overwrite, they can execute it through the browser. Scripts themselves should never require write permission. Read/Execute is fine (chmod 505 is nice and secure).

2. If possible, never have any writable directories or files in the cgi-bin. Not even writable by your own user id. there is no reason that a file needs to be writable within the cgi-bin. Depending on what scripts you have installed, this can be challenging. The solution is to move all datafiles to an area that is not accessible through the web browser. If this is not possible, see # 3

3. If you must have writable files or folders in the cgi-bin because of the functionality of a script, keep them in a subdirectory and put an .htaccess file in there that has the contents “deny from all” in it. Your scripts can still read/write files there, but nothing can be executed through the browser. if you are not able to put them in a separate directory, you can deny access to specific files using .htaccess.

4. Never give any permissions to the “group.” In UNIX you have three permissions to grant – owner, group, world. for example, chmod 644 grants 6 (rw) to owner, 4 (r) to group and 4 (r) to the world. The group is almost always other accounts on your server. You generally do not know these other users and there is no reason to give them any permissions for any file in your account. The middle value should always be zero. for example: chmod 604 gives the group 0 (no access) which is fine.

5. be very careful when cgi-wrap is enabled or your cgi-bin executes using your own account’s userid. in this case you have to make sure that nothing can be written arbitrarily into your cgi-bin even using your own account permissions. Keep in mind that you do not need permission to write to a script. You can remove the write permission even for yourself. If you need to change it later, you first change the permission to allow write, then change it back. It doesn’t need to sit there with write permissions. You have to be very cautious about what scripts are installed, because any script with an exploit can be dangerous. if someone can write or upload to your cgi-bin, they can create their own script and run it under you userid. If you use cgi-wrap, there is no reason for the group or the world to have any permissions on your files. so, you should change permissions something like this: chmod 400 (only you have read permission). scripts can be chmod 500. writable datafiles can be chmod 600, but should not be stored in a public area. remember that if someone can run arbitrary code as your userid, they own your account!

6. Try to break into your own account. Go through your scripts and try to upload a file that shouldn’t be allowed. Look at scripst that send email and see if you can enter data in such a way that code gets executed.

Summary:

The moral of the story is to be cautious with your cgi-bin. Especially look for writable files and directories. Never trust other users on your server. It may not seem important to take security seriously for your homepage with a bulletin board and formmail script. But there are malicious people out there always scanning for easy targets. Your data can be compromised or your bandwidth stolen – leaving you with the bill. A little bit of extra time can save you a lot of grief later.

 
No Comments

Posted in *NIX, Apache

 

vi primer for UNIX dummies

30 Mar

vi is a text editor that is installed pretty much on all UNIX systems. favored by old-school geeks, vi can be somewhat complex to use. However the basics are pretty easy. Most of us only need the basics to go into a config file and change a setting.

Starting vi:

vi [filename] – opens a file using the vi text editor. if this is an existing file, it will edit. otherwise, it will create a new, blank file.

Panic Button!

:q! then hit the enter key= exit without saving. useful when things go out of control!

Switching “modes”

the first confusing part is that vi has different “modes” while you are editing a file. They are known as “command” mode and “input” mode.

Esc – takes you back to command mode.

i, a, A, r or R – (while in command mode) goes into insert mode.

Moving Around:

Moving around the file is done in command mode. if your terminal is set up correctly, the up,down,left,right arrows will nmove the cursor around.

if your terminal is not set up correctly, then you have to use j=down, k=up, h=left, l=right.

/[search term] then hit enter = the slash followed by a search term will move the cursor to the next occurance of that term. handy for locating configuration settings.

?[search term] then hit enter = same as search, but searches backwards.

ctrl+shift+R = screen refresh. especially when scrolling, vi has a tendency not to redraw the whole screen correctly. use this to refresh the screen.

Deleting

Deleting is again done from command mode. This is probably the most confusing part of vi for me personally. because input mode allows you to enter new characters. but to delete existing ones, you must exit back to command mode and delete them.

x = delete current character
dd = delete entire current line
u = undo last edit

Inserting / Editing

i = enter insert mode starting before current char
a = goto insert mode starting after current character
A = goto insert mode at end of current line.
r = overwrites next character typed then exits back to command mode
R = goto insert mode, but overwriting instead of inserting

when you enter insert mode, you just start typing as you would with any editor. it’s pretty simple. When you’re done typing, or you want to move the cursor to make a correction, hit Esc to return to command mode.

Exiting vi with and without saving

(This is all done in command mode)

:q! then hit enter = exit without saving

shift+ZZ then hit enter = save and exit.

Getting Help

:viusage = shows vi commands
:h = general help screen

 
No Comments

Posted in *NIX

 
« Older Entries
Newer Entries »