Feb 29, 2012

UFW: Uncomplicated Firewall

Back when I used Red Hat Linux and Fedora I had to drive iptables directly to lock down a box exposed to the Internet. A few years on, the CLI has a simpler front end to the same netfilter rules: ufw, Ubuntu's Uncomplicated Firewall. It takes away the onerous task of writing the long chain rules iptables needs and compresses them into easy to decipher statements.

Here is a little script I used on my machine to lock the whole internet away except for the company's web application. Two things to bear in mind when reading it: ufw matches rules in the order they were added (first match wins), so the specific allows have to go in before the catch-all reject, and with the outgoing default left at allow only port 80 is actually restricted; everything else (DNS, HTTPS, outbound SSH and so on) is still permitted.


#!/bin/bash
#
# Accept all outgoing packets from this machine by default.
# NOTE: this means only the port 80 rules below are actually restricted. To lock
# everything else down too, use "default deny outgoing" and then explicitly allow
# what the host needs (DNS, NTP, package updates, ...).
sudo ufw default allow outgoing
#
# Deny all incoming packets to this machine by default
sudo ufw default deny incoming
#
# Allow outgoing connections to port 80 (www) only to the following IP addresses.
# ufw evaluates rules in the order they are added (first match wins), so these
# specific allows must be added before the catch-all reject below.
sudo ufw allow out to 1.2.3.4 port 80
sudo ufw allow out to 10.0.0.1 port 80
#
# Reject all other outgoing connections to port 80 (reject tells the client the
# connection was refused; deny would drop the packets silently)
sudo ufw reject out 80
#
# Turn on the firewall; from now on ufw also starts at boot.
# Review the resulting rule order with: sudo ufw status numbered
sudo ufw enable
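
Writing the rules is half the job; checking that the live ruleset still matches what you intended is the other half. The shell functions below are an added example, not part of the original post: they read the output of ufw status verbose from standard input, flag every outgoing allow that is not one of the expected "<ip> <port>" pairs, report the default outgoing policy, and confirm the catch-all reject for the port is present. The sample status text is constructed to mimic ufw's output format; 192.168.5.5 and 203.0.113.9 are made-up stray entries standing in for rules somebody added behind your back.

```shell
#!/bin/bash
# Added example (not from the original post): audit a ufw ruleset against the
# egress allowlist the script above is meant to enforce.
# SAMPLE_STATUS is constructed to look like `sudo ufw status verbose` output.
# On a live host:  sudo ufw status verbose | unexpected_egress_allows 80 1.2.3.4 10.0.0.1

SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
1.2.3.4 80                 ALLOW OUT   Anywhere
10.0.0.1 80                ALLOW OUT   Anywhere
192.168.5.5 80             ALLOW OUT   Anywhere
203.0.113.9                ALLOW OUT   Anywhere
80                         REJECT OUT  Anywhere'

# Print the default outgoing policy word ("allow" or "deny") taken from the Default: line.
default_outgoing_policy() {
    sed -n 's/^Default: .*, \([a-z]*\) (outgoing).*/\1/p'
}

# Succeed when a bare "<port>  REJECT OUT" (or DENY OUT) catch-all exists for port $1.
egress_catchall_present() {
    grep -Eq "^$1[[:space:]]+(REJECT|DENY) OUT"
}

# unexpected_egress_allows <port> <allowed-ip>...
# Reads ufw status on stdin and prints every ALLOW OUT rule whose "To" column is
# not exactly "<allowed-ip> <port>". Returns 1 when anything unexpected was found,
# so it can drive an alert from cron.
unexpected_egress_allows() {
    local port="$1"; shift
    local allowed=" $* " line to dest dport findings=0
    while IFS= read -r line; do
        case "$line" in *"ALLOW OUT"*) ;; *) continue ;; esac
        to="${line%%ALLOW OUT*}"                 # the "To" column
        to="${to%"${to##*[![:space:]]}"}"       # trim trailing blanks
        dest="${to%% *}"
        if [ "$dest" = "$to" ]; then dport="(any port)"; else dport="${to#* }"; fi
        case "$allowed" in
            *" $dest "*) [ "$dport" = "$port" ] && continue ;;
        esac
        printf 'unexpected: %s %s\n' "$dest" "$dport"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Demo on the constructed sample: the two stray rules are reported.
if printf '%s\n' "$SAMPLE_STATUS" | unexpected_egress_allows 80 1.2.3.4 10.0.0.1; then
    echo "egress allowlist matches"
else
    echo "egress allowlist has extra entries (listed above)"
fi
```

The port is compared textually, so a rule added as port 80/tcp shows up as unexpected next to a rule added as port 80; that is deliberate, since an audit should report anything that differs from the baseline rather than guess at equivalence.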

Feb 28, 2012

C/C++ Tricks

These are some tricks I learned and implemented during my time at UTS (especially in Embedded Software and DADS). They should work in both C and C++, although some of the details (integer sizes, byte order, how strictly unions are treated) depend on your compiler and target...

Structs and Unions

  • Union: several members that overlay the same memory location, so one value can be looked at through different types
  • Struct: a data structure whose members are accessed with '.' (i.e. struct.variable)
The union below lets the two bytes of a 16-bit integer be read individually: variable.b.lo aliases the least significant byte of variable.i because both members share the same storage. Which byte is "lo" depends on the target's byte order (the layout below matches a little-endian target such as the PIC; on a big-endian CPU lo and hi swap), and the trick only covers the whole integer when the struct is the same size as it.

NOTE: writing to one member changes what EVERY other member of the union reads, because they all overlay the same bytes! Reading a member other than the one last written is permitted in C, but formally undefined in C++, even though most compilers do what you expect.

#include <stdint.h>

/* The two members overlay the same storage. uint16_t replaces the original
 * unsigned int so that b covers the whole integer on any compiler: on the
 * 16-bit-int PIC compilers this was written for they were the same size, but
 * with a 32-bit int the top two bytes would be unreachable through b. */
typedef union BYTES
{
    uint16_t i;
    struct
    {
       unsigned char lo;   /* low byte on a little-endian target (PIC, x86) */
       unsigned char hi;   /* high byte; the two swap on a big-endian CPU */
    } b;
} bytes;


Enumerated Data Types


An enum gives a set of related integer constants readable names. In the BOOLEAN example below FALSE is 0 and TRUE is 1: unless you assign a value explicitly, the first enumerator is 0 and each following one is one greater than the previous. Nothing of the names survives compilation; to the machine they are plain integers.

enum BOOLEAN
{
    FALSE,
    TRUE
};


Defines

The following define is a macro that works like an in-line function: the preprocessor textually replaces every use of Common_DelayUs(x) with the block below before the compiler ever sees it, and the same mechanism can stand in for constants or small functions. Two things to watch with a macro like this: parenthesise every use of the argument (as (x) is here) so an expression such as a + b is not torn apart by operator precedence, and remember the count is only as accurate as the loop timing on your particular clock and compiler, so calibrate it on the target before trusting it (passing 0 also wraps the byte counter and gives 255 iterations).
/* Busy-wait of roughly x microseconds. do { } while (0) lets it be used like a
 * statement, even after an if without braces; multiplying before dividing keeps
 * the 5/3 clock ratio the original lost to integer division (20000000/12000000
 * == 1). _dcnt is a byte, so x must stay at or below 153 or the count wraps. */
#define Common_DelayUs(x) do { unsigned char _dcnt; \
    _dcnt = (unsigned char)(((x) * 20000000UL) / 12000000UL); \
    while (--_dcnt != 0) \
        continue; } while (0)


Resources

A good resource on C++ data structures
http://www.cplusplus.com/doc/tutorial/other_data_types/

A resource I use most frequently is Peter McLean's lab resources for Embedded Systems. This guy knows his stuff.
http://services.eng.uts.edu.au/pmcl/embsw/index.htm

Feb 27, 2012

A simple PERL script

Perl has become one of the most popular server-side scripting languages. Because most of my experience is in administering networked machines, I decided I had to learn a little about it.

A quick overview of the program:
  • Designed for Linux! The paths need editing to make it work on other operating systems
  • Has one subroutine that opens a new file for writing and returns its (lexical) filehandle
  • The subroutine also writes the opening HTML and <title> tags
  • Uses both forms of print: printing to the terminal and printing to a filehandle
  • Uses my to declare local (lexically scoped) variables
  • Uses exec to run a system command (in this instance it lists the files in the home directory). exec replaces the running perl process, so it has to be the last statement

Below is my first ever Perl program, written in about 2010.

#!/usr/bin/perl
#
# Make Perl less forgiving and more robust
use strict;
use warnings;
#
# Creates a new HTML report
#
# INPUT: the file name ($_[0]) to create under the home directory, and the
#        <title> text ($_[1]) to write into it
# RETURNS: the open filehandle, so the caller can write more and close it
sub openFile
{
    my ($filename, $title) = @_;
    # open() does not expand "~", so build the path from $HOME explicitly
    my $output = "$ENV{HOME}/$filename";
    # Three-argument open with a lexical filehandle; report the real error ($!)
    open(my $outfile, '>', $output) or die("Cannot open $output: $!");
    print $outfile "<html>\n<head><title>$title</title></head>\n<body>\n";
    return $outfile;
}
#
# Using my to declare variables to be local
my $variable1 = $ENV{HOME};
#
# Output to the terminal
print("This program outlines some of perl's functionality\n");
#
# Write a new output file, finish the HTML and close it
my $report = openFile("network.html", "Files");
print $report "</body>\n</html>\n";
close($report) or die("Cannot close report: $!");
#
# Executes a system command. exec replaces this perl process, so nothing after
# it runs; the list form passes the argument directly instead of via a shell.
exec("ls", $variable1) or die("exec failed: $!");

Feb 25, 2012

Software list for CentOS

This is a rough procedure I use to determine what software is installed on my system, and what has changed since.

  1. Create a text file listing the currently installed packages. This is best done on a fresh install, so the file is a clean baseline. The command names the file after the host and dates it, so it can be dropped straight into a cron job or script:

    sudo rpm -qa > ~/`hostname -s`-software-`date +%Y%m%d`.txt

  2. Mail the list to ourselves so a copy of the baseline lives off the host. If the box is later compromised the attacker can edit or delete the local copy (and rpm -V consults the same on-host database), so the mailed copy is the one to trust:

    mail -s "`hostname -s` Software `date +%Y%m%d`" john@example.com.au < ~/`hostname -s`-software-`date +%Y%m%d`.txt

  3. Compare two snapshots to see how the system has changed, for instance after an update:

    diff host-software-20111026.txt host-software-20111027.txt
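
A raw diff shows a version bump as one "<" line and one ">" line, which gets noisy after a yum update. As an added example (not from the original post), here is a shell function that turns two rpm -qa lists into a report of added, removed and re-versioned packages. The two lists are constructed sample data with made-up version strings; on a real host pass the dated files from step 1.

```shell
#!/bin/bash
# Added example (not from the original post): report added, removed and
# re-versioned packages between two `rpm -qa` snapshots.
# BEFORE and AFTER are constructed to look like rpm -qa output (the version
# strings are made up). On a real host:
#   package_changes host-software-20111026.txt host-software-20111027.txt
export LC_ALL=C   # byte-order sort so comm sees consistently ordered input

BEFORE='openssh-server-5.3p1-70.el6.x86_64
openssl-1.0.0-20.el6_2.1.x86_64
vsftpd-2.2.2-6.el6_0.1.x86_64
bash-4.1.2-9.el6_2.x86_64'

AFTER='openssh-server-5.3p1-70.el6.x86_64
openssl-1.0.0-20.el6_2.5.x86_64
bash-4.1.2-9.el6_2.x86_64
nc-1.84-22.el6.x86_64'

# package_changes <old-list> <new-list>
# Each file holds one name-version-release.arch per line. Lines only in the old
# file are "removed", only in the new file "added", unless the same package name
# appears on both sides, which is reported as "changed old -> new".
# If several versions of one name are installed at once (kernels), only the
# last one in sort order is shown for that name.
package_changes() {
    local tmp; tmp=$(mktemp -d)
    sort -u "$1" > "$tmp/old"
    sort -u "$2" > "$tmp/new"
    comm -23 "$tmp/old" "$tmp/new" > "$tmp/gone"   # present before, gone now
    comm -13 "$tmp/old" "$tmp/new" > "$tmp/came"   # new since the baseline
    awk -v gone="$tmp/gone" '
        # NVRA -> name: strip "-version-release.arch" (the last two hyphen-separated fields)
        function name(nvra) { sub(/-[^-]+-[^-]+$/, "", nvra); return nvra }
        function ver(nvra)  { return substr(nvra, length(name(nvra)) + 2) }
        FILENAME == gone { old[name($0)] = ver($0); next }
                         { new[name($0)] = ver($0) }
        END {
            for (n in old) if (n in new)    printf "changed %s %s -> %s\n", n, old[n], new[n]
            for (n in old) if (!(n in new)) printf "removed %s %s\n", n, old[n]
            for (n in new) if (!(n in old)) printf "added %s %s\n", n, new[n]
        }' "$tmp/gone" "$tmp/came" | sort
    rm -rf "$tmp"
}

# Demo on the constructed lists: writes them to temp files and prints the report
demo_changes() {
    local o n
    o=$(mktemp); n=$(mktemp)
    printf '%s\n' "$BEFORE" > "$o"
    printf '%s\n' "$AFTER" > "$n"
    package_changes "$o" "$n"
    rm -f "$o" "$n"
}

demo_changes
```

Run it from cron against yesterday's and today's snapshot and mail the output; an unexpected "added" line (a netcat you never installed, say) is exactly the kind of change step 2 is meant to catch.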

Feb 24, 2012

VSFTPD and CentOS

This basic configuration allows only users with an account and a home directory to log in and use the resource. It must be said, though, that if you have SSH up and running you should use SFTP instead: it is a separate file-transfer protocol carried inside SSH (not FTP tunnelled over SSH), and since plain FTP sends usernames, passwords and file contents in the clear, SFTP is a great deal more secure, not just a little.
  1. Install vsftpd:

    sudo yum install vsftpd

  2. Open the firewall for the FTP control channel on port 21. Port 20 is the source port the server uses for active-mode data connections, so an inbound NEW rule for it does little on its own; what actually lets data connections through is the FTP connection-tracking helper (ip_conntrack_ftp on CentOS 5, nf_conntrack_ftp on CentOS 6), which marks them RELATED, or, for passive mode without the helper, setting pasv_min_port/pasv_max_port in vsftpd.conf and opening that range:

    sudo /sbin/iptables -I RH-Firewall-1-INPUT 4 -p tcp --dport 21 -m state --state NEW -j ACCEPT
    sudo /sbin/iptables -I RH-Firewall-1-INPUT 5 -p tcp --dport 20 -m state --state NEW -j ACCEPT

  3. Check to see if SELinux is up and running (an output of 0 means that it is):

    /usr/sbin/selinuxenabled; echo $?

  4. If SELinux is enforcing, vsftpd runs confined and by default may not read or write users' home directories. The blunt fix is to turn off the transition into the ftpd domain, which leaves vsftpd running unconfined:

    sudo /usr/sbin/setsebool -P ftpd_disable_trans 1

    The targeted alternative, which keeps vsftpd confined and only grants home-directory access, is setsebool -P ftp_home_dir on (list the available booleans with getsebool -a | grep ftp; ftpd_disable_trans no longer exists on newer releases).

  5. Open up the vsftpd configuration file for editing:

    sudo vim /etc/vsftpd/vsftpd.conf

  6. Make the following changes: no anonymous logins, local accounts may log in and write, and each user is chrooted to their home directory. Note that vsftpd 2.3.5 and later refuse a login whose chroot root is writable, so with chroot_local_user=YES the home directory itself must not be writable by the user (give them a writable subdirectory inside it); the versions shipped with CentOS 5 and 6 are older and unaffected, and vsftpd 3.0 adds allow_writeable_chroot=YES to override the check:

    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    chroot_local_user=YES

  7. Start VSFTPD:

    sudo /sbin/service vsftpd start

  8. Turn on FTP on reboot:

    sudo /sbin/chkconfig --levels 235 vsftpd on
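
The four edits from step 6 are easy to script so the change can be re-run on every box without ending up with duplicate or conflicting lines. The shell below is an added example, not part of the original post: set_opt rewrites an existing assignment (even a commented-out one) in place or appends it, harden_vsftpd applies the four settings, and verify_vsftpd reports anything that does not match. The config fragment it works on is constructed for the demo; on CentOS point it at /etc/vsftpd/vsftpd.conf from step 5, after taking a backup.

```shell
#!/bin/bash
# Added example (not from the original post): apply the step-6 vsftpd settings
# idempotently and verify them. SAMPLE_CONF is a constructed fragment; on CentOS
# run  harden_vsftpd /etc/vsftpd/vsftpd.conf  after backing the file up.

SAMPLE_CONF='# constructed vsftpd.conf fragment
anonymous_enable=YES
local_enable=YES
#write_enable=YES
#chroot_local_user=YES
listen=YES'

# get_opt <file> <key>: print the effective value (last uncommented assignment), or nothing
get_opt() {
    sed -nE "s/^[[:space:]]*$2=(.*)$/\1/p" "$1" | tail -n 1
}

# set_opt <file> <key> <value>: rewrite an existing assignment (even a commented-
# out one) in place, otherwise append it. Running it twice leaves the file unchanged.
set_opt() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# The four settings from step 6
harden_vsftpd() {
    set_opt "$1" anonymous_enable NO        # no anonymous logins
    set_opt "$1" local_enable YES           # accounts on the box may log in
    set_opt "$1" write_enable YES           # allow uploads and deletes
    set_opt "$1" chroot_local_user YES      # confine each user to their home directory
}

# verify_vsftpd <file>: print every setting that differs from step 6; returns 1 on any mismatch
verify_vsftpd() {
    local conf="$1" bad=0 kv key want got
    for kv in anonymous_enable=NO local_enable=YES write_enable=YES chroot_local_user=YES; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(get_opt "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', want $want"
            bad=1
        fi
    done
    return $bad
}

# Demo on the constructed sample: two settings are wrong before, none after
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
verify_vsftpd "$demo_conf" || echo "-> before hardening: mismatches listed above"
harden_vsftpd "$demo_conf"
verify_vsftpd "$demo_conf" && echo "-> after hardening: all four settings correct"
```

Restart vsftpd after editing (step 7) and run verify_vsftpd again from your configuration checks; a setting quietly flipped back to anonymous_enable=YES is exactly what you want a script, not a human, to notice.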

Locking down windows vista

Yes, it's Windows Vista. I know, I know... believe me, it has caused me more than enough pain. But the customer had already bought the product and so I grudgingly have to go in and configure this beast. So here are a few tips for others who find themselves in my predicament (and some of these tips can be used for Windows 7 and later).

This is not an exhaustive list of what you can do, but hopefully this guide can point you in the right direction...

Running only specific applications (or not)

  1. Open up gpedit.msc
  2. Navigate to User Configuration -> Administrative Templates -> System -> Run only specified Windows Applications
  3. Enable this setting and add the executables the user is allowed to run, such as winword.exe, calc.exe, firefox.exe, outlook.exe, mspaint.exe, and notepad.exe (NOTE: if you don't include gpedit.msc and your other sysadmin tools, this policy will LOCK you out of everything! Local Group Policy applies to every account on the machine, yourself included, unless you create a user-specific local GPO through the Group Policy Object Editor snap-in in mmc). Bear in mind that this setting is only enforced by Explorer: it stops programs launched from the Start menu or by double-click, not ones started by another process (Task Manager, a script, a renamed copy of the binary), so treat it as a tidiness measure and use Software Restriction Policies (Vista) or AppLocker (Windows 7 Enterprise/Ultimate and later) for real application control.
  4. Apply the setting.
  5. Alternatively, the neighbouring setting Don't run specified Windows applications works as a blocklist (with the same Explorer-only caveat)

Disable the command prompt

  1. Open up gpedit.msc (through the run command)
  2. Navigate to User Configuration -> Administrative Templates -> System -> Prevent access to command prompt
  3. Enable this setting. The same setting has an option to disable command prompt script processing (batch files) as well

Prevent editing of the Registry

  1. Open up gpedit.msc (through the run command)
  2. Navigate to User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools
  3. Enable this setting. It has a sub-option to also block regedit from running silently (regedit /s, which imports .reg files without a prompt).

Edit the actions of Ctrl+Alt+Del

  1. Open up gpedit.msc (through the run command)
  2. Navigate to User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Del
  3. Enable or disable your desired options. These include whether the user can change their password, lock the computer, open Task Manager or log off.

Restrict Control Panel Access

  1. Open up gpedit.msc (through the run command)
  2. Navigate to User Configuration -> Administrative Templates -> Control Panel
  3. Under the Programs sub-menu you can hide pages such as the Windows Marketplace, Features, Installed Updates, and Program Defaults.
  4. You can also force the classic control panel look and even prohibit access to the control panel.

Clean up the start menu

  1. Open up gpedit.msc (through the run command)
  2. Navigate to User Configuration -> Administrative Templates -> Start Menu and Task Bar
  3. From this directory you can remove links and items, force the classic start menu, and prevent users from rearranging the taskbar.

Feb 23, 2012

Social Network APIs

I have been doing a lot of research into how to integrate the various Social Networks into my own websites and web applications. I have been keeping tabs on various links, and I thought it would be handy to put up a sort of developer's reference. Here is an almost one-stop guide to your developer needs!


If you know of any other resources feel free to add them in the comments below!

YouTube

Facebook

Twitter

Google+

Linked In

Feb 14, 2012

ASP mail form

Normally I would use PHP or Perl to create and send e-mail from an HTML form, but unfortunately not all web-host providers offer them. Some packages are Windows servers (*shudder*) and hence only support classic ASP. So, as happens far too often in this industry, I had to learn yet another language to perform the simple task I was assigned. One warning before the code: the CDONTS.NewMail component it uses shipped with IIS 4 and 5 only; on IIS 6 and later you need CDO.Message (CDOSYS) instead. And because the form takes input from anonymous visitors, keep that input out of the mail headers and check that something was actually submitted, or the form becomes a spam cannon pointed at your own inbox.

<%
Option Explicit

' CDONTS.NewMail only exists on IIS 4/5 (Windows 2000); on later servers use
' CDO.Message (CDOSYS) instead.
Dim objCDO
Set objCDO = Server.CreateObject("CDONTS.NewMail")

' declare variables
Dim EmailFrom
Dim EmailTo
Dim Subject
Dim Name
Dim Email
Dim Phone
Dim Details

' get posted data into variables
' From, To and Subject are fixed so the form cannot be turned into an open relay
EmailFrom = "info@xxx.xxx.xx"
EmailTo = "info@xxx.xxx.xx"
Subject = "Inquiry"
Name = Trim(Request.Form("Name"))
Email = Trim(Request.Form("Email"))
Phone = Trim(Request.Form("Phone"))
Details = Trim(Request.Form("Details"))

' prepare email body text
' Visitor input goes only into the body. Never copy it into a header (From,
' To, Reply-To, Subject) without stripping CR/LF, or the form becomes a
' mail-header-injection vector.
Dim Body
Body = Body & "Name: " & Name & VbCrLf
Body = Body & "Email: " & Email & VbCrLf
Body = Body & "Phone: " & Phone & VbCrLf
Body = Body & "Details: " & Details & VbCrLf

' only send when the visitor actually wrote something
If Len(Details) > 0 Then
    objCDO.To = EmailTo
    objCDO.From = EmailFrom
    objCDO.Subject = Subject
    objCDO.Body = Body
    objCDO.Send
End If
Set objCDO = Nothing

%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>

         <title>Mail Form</title> 
    </head>

    <body> 
        <table width="660"> 
            <tr> 
                <td > 
                    <p>
Thank you for enquiring! We will get back to you within 1 working day.

                     </p> 
                </td> 
            </tr> 
        </table>
        <br /> 
    </body>
</html>