IE – File can not be written to cache

April 12th, 2010

When connecting to an SSL site that is sending “Pragma: no-cache” headers, it looks like all versions of IE fail to download files such as .doc, .pdf and .xls, because IE refuses to let them pass through the disk cache on their way to the relevant application.

Some sites seem to suggest this is trivial to fix by adjusting the “Do not save encrypted pages to disk” setting in IE. In IE 8 this setting made no difference for me and in most cases the users I deal with that are using IE are unable to change such settings as they are locked down in Mandatory profiles or other forms of AD config.

See: http://answers.google.com/answers/threadview/id/142007.html

My hack to solve this problem is to strip out the Pragma header when the user agent matches MSIE at the Apache level:

# file downloads do not function in IE if "Pragma: no-cache" is set in the headers
BrowserMatch MSIE disable_pragma
Header unset Pragma env=disable_pragma

In this case it’s ok because we are also sending sensible Cache-Control headers, which all HTTP/1.1 compliant software should be using anyway. As I know about everything between Apache and where SSL is terminated, and I can ensure that Cache-Control is being sent by the program upstream from Apache, disabling Pragma shouldn’t really affect anything, but just in case we only disable it for IE.
See: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9

It would probably be a good idea to also run a test to ensure SSL is actually on, but I’m lazy and in this case it’s not possible as SSL is handled at a different layer that doesn’t let Apache know what’s going on.
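As an added check (not code from the original post), a small Python script that applies the policy described above to a response’s headers: Pragma must be absent when the User-Agent is MSIE, present otherwise, and Cache-Control must still forbid storing the body. The sample responses and the requirement for no-store or private are my assumptions; fetch_headers is there to run the same check against a live URL.

```python
import urllib.request

# Constructed sample responses (not captured from any real server), keyed by
# the User-Agent that was sent. Header names are matched case-insensitively.
SAMPLE_RESPONSES = {
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)": {
        "Content-Type": "application/pdf",
        "Cache-Control": "private, no-store, must-revalidate",
    },
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6": {
        "Content-Type": "application/pdf",
        "Cache-Control": "private, no-store, must-revalidate",
        "Pragma": "no-cache",
    },
}


def check_headers(headers, user_agent):
    """Return a list of policy problems for one response.

    Rule: Pragma is stripped only for MSIE, and a stripped Pragma is acceptable
    only while Cache-Control still forbids caches from keeping the body
    (assumed here to mean no-store or private).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    problems = []
    is_msie = "MSIE" in user_agent
    has_pragma = "pragma" in lower
    cc = {d.strip().lower() for d in lower.get("cache-control", "").split(",") if d.strip()}
    if is_msie and has_pragma:
        problems.append("Pragma still sent to MSIE; downloads will fail")
    if not is_msie and not has_pragma:
        problems.append("Pragma stripped for a non-MSIE agent")
    if not ({"no-store", "private"} & cc):
        problems.append("Cache-Control lacks no-store/private; shared caches may keep the body")
    return problems


def fetch_headers(url, user_agent):
    """Fetch url with the given User-Agent and return its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for ua, hdrs in SAMPLE_RESPONSES.items():
        print(ua, "->", check_headers(hdrs, ua) or "ok")
```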

Lyte SysAdmin

pm.gov.au metadata fail

April 12th, 2010

This isn’t really a big deal; I was just bored and researching something when I got distracted by the incredibly dodgy output Google gave me for pm.gov.au.

I thought I would let them know:

The front page for pm.gov.au is currently lacking metadata which means Google is having trouble determining what text to summarise on the page. When I search for “kevin rudd” in Google I currently get “Please visit http://get.adobe.com/flashplayer/ to download the player…”. Adding appropriate metadata tags should make Google display something more relevant after the crawl of the site. The relevant metadata tags are implemented on the front page of http://www.immi.gov.au/ for reference.

The site should, at minimum, implement AGLS metadata, according to http://www.naa.gov.au/Images/AGLS_Manual_v2_tcm2-914.pdf, “The Government Online Strategy, issued 6 April 2000, mandated the use of AGLS metadata by Australian Government agencies”. If it’s out of budget to implement metadata throughout the whole site, consider putting relevant DC.Description tags on landing pages like the home page only.

Cheers,
Dave

Let’s see if they respond…

Lyte Uncategorized

Securely transmitting a file

February 24th, 2010

I wanted to make the title “Securely Transmitting a File to Someone You Don’t Trust Across an Untrusted Medium” but that seemed a bit long…

So today I wanted to figure out how to transfer a pretty large file across the internet, have it be encrypted end-to-end, ensure that only the person I wanted to download it could download it, and only let that person get exactly what I’d defined (I don’t exactly think they’re going to try to crack my network but it’s better to be safe).

For various reasons we ruled out gpg encrypting a file and just publishing it to HTTP. I decided to try securing an ssh user; I think it worked reasonably well, maybe you can see some flaw I haven’t spotted yet.

I’ve basically just placed their public key in the relevant authorized_keys file with a very restrictive command and abilities:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="scp -f /path/to/file" ssh-dss AAAA...users_public_key...== key description

This seems to work really well, the untrusted user can download the secured content by running:

scp them@myhost: /tmp/

My scp command will force them to download my file, anything else I can come up with will be disabled by all the no-* config directives and they can’t access any other files directly via scp.

I’ve also got other restrictions in place that mean that user can only log in from the IP they gave me and that IP can only log in as that user (lots of AllowUsers config in sshd_config, also some firewall config limiting the total number of IPs that can even hit port 22).
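As an added example (not the post’s own code), a Python lint for authorized_keys entries that checks an entry carries every restriction the recipe above relies on: the four no-* options and a forced command that is a send-only scp. The sample entry uses placeholder key material; the parser is needed because command="..." can contain commas and spaces, which a plain split on commas would break.

```python
KEY_TYPES = ("ssh-dss", "ssh-rsa")
REQUIRED = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}

# Constructed sample entry; the key material is a placeholder, not a real key.
SAMPLE_LINE = ('no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,'
               'command="scp -f /path/to/file" ssh-dss AAAAPLACEHOLDER== key description')

def parse_entry(line):
    """Return (options, key_type, key, comment) for one non-empty authorized_keys line.

    command="..." may contain commas and spaces, so the scan tracks quote state.
    """
    line = line.strip()
    if line.split()[0] in KEY_TYPES:            # no options field at all
        opts, rest = [], line
    else:
        opts, cur, quoted, i = [], "", False, 0
        while i < len(line) and (quoted or line[i] not in " \t"):
            ch = line[i]
            if ch == "\\" and quoted and i + 1 < len(line):   # backslash escape inside quotes
                cur += line[i + 1]
                i += 2
                continue
            if ch == '"':
                quoted = not quoted
            elif ch == "," and not quoted:
                opts.append(cur)
                cur = ""
                i += 1
                continue
            cur += ch
            i += 1
        opts.append(cur)
        rest = line[i:].strip()
    fields = rest.split(None, 2)
    return opts, fields[0], fields[1], (fields[2] if len(fields) > 2 else "")

def lint_entry(line):
    """List the restrictions from the recipe above that this entry is missing."""
    opts = parse_entry(line)[0]
    names = {o.split("=", 1)[0] for o in opts}
    problems = ["missing " + r for r in sorted(REQUIRED - names)]
    cmd = next((o.split("=", 1)[1].strip('"') for o in opts if o.startswith("command=")), None)
    if cmd is None:
        problems.append("no forced command: key allows arbitrary commands")
    elif not cmd.startswith("scp -f "):       # scp -f is scp's send-this-file server mode
        problems.append("forced command is not a send-only scp: " + cmd)
    return problems
```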

So… Have I missed something?

Lyte SysAdmin

ssh crackers suck

February 18th, 2010

Every now and then I rebuild a machine that I’m leaving permanently plugged in to the internet and available via ssh. I limit ssh to key based logins only and I encrypt all my keys, so I’m reasonably comfortable that this is “secure enough”, but after a couple of months I always notice that I’m getting heaps of connections to ssh that are slowing down my link.

The security implications don’t really bother me because I basically trust the rest of the security I’ve implemented but there is a trivial way to stop this and I always forget what it is.

I found it again so I thought I’d write it down somewhere… In Ubuntu, just install “denyhosts”. If your config is still mostly standard, sshd will be pumping authentication errors into /var/log/auth.log and denyhosts will simply pick these up and put the relevant bad IPs in /etc/hosts.deny.

denyhosts picked up all but the bottom 3 IPs I had trying to crack my system:

# grep 'Invalid user' /var/log/auth.log | sed 's/.*Invalid user //g' | sed 's/.* from//g' | sort | uniq -c | sort -nr
   1404  203.110.240.71
    264  210.169.213.211
    179  210.51.191.165
    134  217.91.230.179
     75  222.73.205.9
     28  125.141.237.100
     14  58.254.201.113
      9  88.134.254.37
      9  219.238.166.101
      8  212.76.68.158
      2  217.97.185.35
      2  122.155.5.132
      2  118.129.153.43

… those guys weren’t very dedicated anyway, I’ll give them another chance to lift their game.

They tried a massive range of different user names:

# grep 'Invalid user' /var/log/auth.log | sed 's/.*Invalid user //g' | sed 's/ from.*//g' | sort | uniq -c | sort -nr | wc -l
1071

Apparently the first few times they tried some of these names they had the wrong password though:

# grep 'Invalid user' /var/log/auth.log | sed 's/.*Invalid user //g' | sed 's/ from.*//g' | sort | uniq -c | sort -nr | head -20
     67 test
     49 oracle
     47 admin
     46 user
     37 guest
     24 postgres
     22 administrator
     21 web
     21 vmail
     21 master
     21 info
     19 teamspeak
     18 tomcat
     18 ftp
     17 webmaster
     15 jboss
     14 ubuntu
     14 operator
     14 eric
     13 vsifax

Little did they know that password authentication is not configured to let anyone in, let alone this “test” fellow.
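The grep | sed | sort | uniq -c pipelines above, as an added Python example (not from the post) that does both counts in one pass over sshd’s “Invalid user X from IP” lines and then lists the source IPs at or above a block threshold, which is the kind of count denyhosts acts on (its DENY_THRESHOLD_INVALID setting). The log lines are constructed and use RFC 5737 documentation addresses; the threshold value is the caller’s choice.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in sshd's format; the addresses are
# documentation ranges (RFC 5737), not the ones from the post.
SAMPLE_LOG = """\
Feb 18 03:14:01 host sshd[2211]: Invalid user test from 203.0.113.7
Feb 18 03:14:03 host sshd[2213]: Invalid user oracle from 203.0.113.7
Feb 18 03:14:05 host sshd[2215]: Invalid user admin from 203.0.113.7
Feb 18 03:14:09 host sshd[2219]: Invalid user test from 198.51.100.9
Feb 18 03:15:10 host sshd[2230]: Accepted publickey for dave from 192.0.2.4 port 51022 ssh2
Feb 18 03:16:44 host sshd[2241]: Invalid user guest from 198.51.100.9
"""

# Only "Invalid user" lines count, exactly as the post's grep does; successful
# logins and "Failed password" lines are ignored.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def count_invalid_users(log_text):
    """Return (per_ip, per_user) Counters for the 'Invalid user' lines in log_text."""
    per_ip, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            per_user[m.group(1)] += 1
            per_ip[m.group(2)] += 1
    return per_ip, per_user


def ips_over_threshold(per_ip, threshold):
    """Source IPs with at least `threshold` invalid-user attempts, busiest first.

    The post's bottom three IPs, at two attempts each, are the ones a threshold
    like this leaves alone.
    """
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    per_ip, per_user = count_invalid_users(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{n:7d}  {ip}")
    print(len(per_user), "distinct user names;", "over threshold:", ips_over_threshold(per_ip, 3))
```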

Lyte SysAdmin

Super Awesome Mould

February 15th, 2010

Unfortunately you can only stare and wonder as to why there exists only one strain of this amazing mould. I personally witnessed the board that previously covered the top section of this door slowly grow legs and leap from where it had apparently been happily placed for many years prior.

Super Awesome Mould

I’m really hoping it will walk in to the real estate office and ask for some repairs to be carried out, I’m sure it would have more effect than I’ve had.

LJ. Hooker, you’re the best.

Lyte Stuff

WTF is BLP_bbot?

February 4th, 2010

At the time of writing this no one else I could find via Google seemed to have much clue specifically what BLP_bbot was either.

A bit of background

I spent the best part of a day trying to get a web server that was continually crashing to not crash quite so often. The first thing that was noted by Bill (not a real name), the guy I was working with, was that the reverse proxy Squid instance that sits in front of the Apache instance was MISSing for a huge number of requests. After a bit of digging I found a pattern to the MISSing URLs, they all seemed to be */{up,down,left,right}.gif type paths; at first I thought someone had figured out that it was taking this server 45 seconds + to generate a 404 (I know I know, it’s WAY too long… but apparently it’s always been that way and I was only asked to examine and fix what was making it crash right now, not actually fix the whole thing up) and was purposefully bringing us down. It turns out someone had uploaded some bad JavaScript 2 years ago that was generating all the 404s, looks like maybe the traffic level or amount of info the dynamic content has to evaluate has hit some magical threshold.

Anyway long story short, I fixed the JavaScript (from a Sys Admin point of view, it still didn’t actually work :p ) watched the server for a bit, the load went down by HUGE amounts from where it started. It seemed ok, so I went home.

So what is BLP_bbot???

Well the next day I got told the server was much better but it had still crashed once over night (crashing in this case was the cronned fail script picking up that Apache was stuck and restarting the service, killing all crud procs). I started watching Apache’s Server-Status page again. We were very slowly ramping up dead requests on a /news URL. A dig through the Squid access logs revealed that most of the requests for /news were from a BLP_bbot. Stracing the dead procs showed they were trying to get a futex and deadlocking, I thought maybe the bot was sending through a non-standard request and that was somehow failing our service (I was wrong).

I spent a while trying to figure out what the bot actually is as most results in Google are just people asking “wtf is BLP_bbot?!@#” and others replying with answers to an unasked question about how to block it.

Geo-IP information was very revealing, showing that the ISP the IPs belong to is “Bloomberg Financial Market”. After a bit more digging I found that Bloomberg do indeed refer to themselves as “BLP”.

Chances are if I blocked the BLP_bbot, some shareholder somewhere would suddenly start losing money. It’s unlikely to be documented well anywhere, they probably don’t want anyone to really know for sure, but chances are it’s used for some sort of autonomous financial trading. If I blocked it I might unwittingly tip its metrics in favour of dumping stock for whoever I happened to be working for that day. Never a fantastic career tactic, so I chose to avoid it.

In short, if BLP_bbot is crawling you it’s probably because you’re actually important enough in an economic sense to be worth looking at and if you block it, I would expect bad and unintended results.

For those that care

So at this point I’d spent an hour or more wasting time hoping that this bot was sending malicious packets and I could just block it, making the problem go away. Turns out I had an interaction problem between PHP’s memory_limit being exceeded and SHM in eaccelerator though. I had a wild stab in the direction of eaccelerator because I started to think about what might make a futex call and for a while I was stumped. We’re not using them directly in PHP, PHP shouldn’t be using them for anything except possibly session sharing (but I know a session deadlock happens on flock calls because we store sessions on disk), Apache shouldn’t be using them under the mpm model we’re employing so the only thing left was eaccelerator, or maybe pgsql bindings but we had persistent db connections off so that seemed really unlikely (also disabling pgsql bindings would cause our app to malfunction just a tad more than it already was).

After turning off eaccelerator the server became stable, slow (yeh well it was slow before, so maybe “slothful” is the right term), but definitely stable.

After a bit of digging we found a bug for eaccelerator that causes deadlocks when using SHM on the version we were running, in theory it’s fixed in the current stable. So I upgrade and reenable it, the server starts crashing again. Doh. Back off.

At this point “Bill” noticed that /news wasn’t quite rendering as much HTML as it should (at the very least it was missing a tag). A bit of digging through logs revealed that we were hitting the memory_limit for that page and the proc was being abnormally terminated. Fixed that up, reenabled eaccelerator, it was stable now.

Now I have another problem, I want to figure out how to reproduce this bug so I can lodge it with the nice eaccelerator people but it only seems to exist on the production instance of this system. I can’t make it fail in the same way anywhere else. I guess I’ll just have to hope someone else discovers the same thing and documents a sequence of events to reproduce it… I’m not holding my breath.

Lyte SysAdmin

Why my phone is the best thing ever

August 23rd, 2009

Today I locked myself out of the house, bugger. I made a few calls and found out that my sister had a key and was happy to drop it off, phew. I waited patiently knowing that my saviour was only 15 minutes away.

This was a fairly standard use of a phone, you know making calls and talking to people.

The only problem was when my sister arrived, the key didn’t actually work!

Argh, I’m in a new city walking around in shoes that are only designed for riding a push bike (I recently upgraded to cleats and my bike was locked up with the only key being inside the house as well)… what am I going to do?

Being a nerd I pulled out my phone and googled for an answer, and I found it!

I found a bobby pin on the ground and after a few minutes of work shaping the metal and a couple more minutes trying and re-reshaping the metal, I didn’t get the shape remotely right the first time, I was in! Actually, once I knew what I was doing and had the shape of the pick right I was in scarily quickly (about 15 seconds of actual lock picking).

Woo hoo!

That’s not the only reason my phone is currently the most useful thing I own. Navigating a city I barely know is hard at the best of times. Having a built in GPS means I often seem to find my way around better than some of the locals :) . Plus having google maps in my pocket always makes it easy to find somewhere to eat, the nearest ATM or whatever else I’m looking for.

Also my phone takes pictures when I’m out and about and don’t have a camera, or just can’t be bothered finding the actual camera. Like taking a picture of my home made lock picks.


I can also play music, read books (PDFs), read my email, check my calendar, message friends and if I’m feeling really desperate talk to someone.

I wonder what my phone will do tomorrow?

Lyte Stuff

My favourite guitar

July 15th, 2009

Despite the fact that this is the guitar I’m least good at playing it will always be my favourite… I’ll miss you old friend.

For anyone that comes across this and gets confused I’m moving to Melbourne and getting rid of as much as possible.

Lyte Stuff

Updating ssh keys

May 27th, 2009

I have some ssh keys I place in ~/.ssh/authorized_keys on a bunch of servers. Every now and then I feel the need to update my key, this is normally long and arduous so I wrote a script.

Here it is: update_authorized_keys

If you intend to use this, you’ll want to modify at minimum the accounts list.

Lyte Code

Counter Strike Maps

May 24th, 2009

I was a little obsessed with making Counter Strike 1.6 Surf Maps for a while. The obsession only really passed because when Counter Strike Source came out people flooded away from 1.6 and I never bothered to upgrade.

Well I’ve finally upgraded my computer and actually put a copy of Windows back on it just so I can try out Source.

I think I’m going to have a go at building maps for Source but in the mean time I thought I would try digging up a few of the old maps and actually putting them up here. I had to dig pretty hard though, I only found 3 and one of them wasn’t the final version and that was after sifting through about 200 cds from my “to sort” pile … sigh.

I’ll upload the maps one post at a time due to the way Word Press’ Gallery feature seems to work.

The first one is surf_de_lyte.

This was the first map I built that was not just for learning how to build maps.

It’s a bomb map where you have to surf to the bomb zone. You can surf via some fairly standard waves or use the bowl I created. It’s also got some jump map style stuff and enough hidden areas and hidden guns to keep all the campers happy. For those who don’t like the campers, it’s next to impossible to get shot in the bowl :)

Download link: surf_de_lyte

Screen Shots:

Don’t forget to set:

sv_airaccelerate 100
mp_freezetime 0

Also you need 100fps for surf maps to work properly.

Lyte Games