Thursday 25 October 2018

UML Class Diagrams - Common Conventions

I just felt like writing this stuff down for once.

Java keyword	UML	PlantUML syntax
public	+	+/green circle
protected	#	#/yellow diamond
package-private	~	~/blue triangle
private	-	-/red square
abstract	italic	{abstract}/italic
static	underlined	{static}/underlined
public final static	constants are in ALL_CAPS
final definition	{leaf}
final value	{readOnly}

References

The Oxford Math Center - UML, Abstract Classes and Methods, and Interfaces: http://www.oxfordmathcenter.com/drupal7/node/35
UML 2.5.1. specification: https://www.omg.org/spec/UML/2.5.1/
StackOverflow - How do I add a final variable to a class diagram?: https://stackoverflow.com/questions/16252399/how-do-i-add-a-final-variable-to-class-diagram
PlantUML - Class Diagram: http://plantuml.com/class-diagram

Thursday 18 October 2018

Sarketsdr

I am running a Glassfish server, and I recently noticed an application was deployed that I did not remember having deployed. The name of the application was completely unhelpful as being "Sarketsdr".

On closer inspection, the offending application contained a Java/JSP/JavaScript files, specifically to disclose the filesystem and grant shell access to persons unknown.

I've since removed the application and turned off the remote administration console. I plan on changing application servers, and keeping them properly updated.

I should also get some Intrusion Detection Systems going.

I've uploaded the files as gists.

File structure of Sarketsdr

File/Directory	Comments
aff.jsp	https://gist.github.com/maartenl/ddd99b927fc535a271b171a350fbe512
cj.jsp	https://gist.github.com/maartenl/dbfd8e11fb0767b06ee0f2d8c9d544bd
emu.jsp	https://gist.github.com/maartenl/549dc20a5229560e34cebf0c38e422b8
index.jsp	https://gist.github.com/maartenl/cc96faa3feb78fdeeaeff8cc12e0700b
mob.jsp	https://gist.github.com/maartenl/6deb7a1f277a6843ee34fe709b7ca5ec
META-INF
context.xml
MANIFEST.MF
WEB-INF
web.xml

I am working on securing my Glassfish installation in the mean time.

References

Frage /etc/rc.d/init.d/wipefs startet das CPU-Problem: http://webirectory.com/questions/19967/etc-rc-d-init-d-wipefs-startet-das-cpu-problem
FortiGuard Labs - JSP.File.Browser: https://fortiguard.com/appcontrol/42719
vonloesch.de - Jsp File Browser: http://www.vonloesch.de/filebrowser.html

Thursday 11 October 2018

The Browser Keeps Bugging Me

Lately the browser and/or websites seems to keep bugging me, and I am getting a little tired of it.

The questions it keeps asking for each website are the following:

"We use cookies to ensure ... etc."
"Would you like Firefox to save this login for [sitename]?"
"Will you allow [sitename] to send notifications?"

The amount of questions a website/webbrowser offers me seems to have been proliferating lately.

I always accept cookies, but I never want the other options.

Seeing as I am using Firefox at the moment, let's see what we can do about it.

The "i-don't care about cookies' addon^{1 2} seems to suit me just fine.
Preferences - Privacy & Security - Forms & Passwords - turn off "Remember logins and passwords for websites".
Go to "about:config". Search for "dom.webnotifications". Set "dom.webnotifications.enabled" to false to not see any notifications³.

UBlock addon^{4 5} seems to be also very good.

References

[1] I-Don't-Care-About-Cookies website: https://www.i-dont-care-about-cookies.eu/
[2] I-Don't-Care-About-Cookies addon: https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-about-cookies/
[3] Web Push notifications in Firefox: https://support.mozilla.org/en-US/kb/push-notifications-firefox
[4] Firefox Addon UBlock: https://addons.mozilla.org/nl/firefox/addon/ublock-origin/
[5] Wikipedia - UBlock: https://en.wikipedia.org/wiki/UBlock_Origin

Saturday 6 October 2018

SSH Key-Based Authentication

I'm using reference [1] almost exclusively, it is easy to follow and very well written. The reason I am writing stuff down here, is in the case the referenced article goes offline.

Generating Keys

[mrbear@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mrbear/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mrbear/.ssh/id_rsa.
Your public key has been saved in /home/mrbear/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:etv4wn8 4843n3v48nvan80avw2408a4vn588an04845 mrbear@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+
[mrbear@localhost ~]$

Copying keys to the server

[mrbear@localhost ~]$ ssh-copy-id mrbear@www.mysite.org
The authenticity of host 'www.mysite.org (10.0.0.11)' can't be established.
ECDSA key fingerprint is SHA256:B&B(&BSf7bFSfb7fF&SFb7SF&tFibFuSOWWFuFBUf76.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
mrbear@www.mysite.org's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'mrbear@www.mysite.org'"
and check to make sure that only the key(s) you wanted were added.

[mrbear@localhost ~]$

Logging in

[mrbear@localhost ~]$ ssh mrbear@www.mysite.org
Last login: Mon Sep 24 21:01:12 2018

Add to sudoers file

Found how to do this at [2].

[root@mysite ~]# usermod -aG wheel mrbear

Disabling Password Authentication

Edit the file /etc/ssh/sshd_config.

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# systemctl restart sshd.service

Now what you get when you try is:

$ ssh -l root www.mysite.org root@www.mysite.org: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Thank the heavens I no longer have to worry about messages as the one below:

root@mysite's password:
Last failed login: Sat Oct 6 10:12:48 CEST 2018 from 10.0.0.1 on ssh:notty
There were 56310 failed login attempts since the last successful login.
Last login: Tue Oct 2 23:23:41 2018
[root@mysite ~]#

I originally had installed fail2ban, as a way to protect against a password-based attack, but even the man page of fail2ban³ indicates that the above way is pretty much better.

References

[1] Digital Ocean - How To Configure SSH Key-Based Authentication on a Linux Server: https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
[2] Top 20 OpenSSH Server Best Security Practices: https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
[3] Fail2ban: https://www.fail2ban.org/wiki/index.php/Main_Page
How to disable ssh password login on Linux to increase security: https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/