Sometimes, you have multiple nodes accesing your MySQL server (or any kind of server, for that matter) concurrently. Eventually, software in one or more of these nodes might do nasty things (you know who you are buddy:))

MySQL provides a built in mechanism to limit concurrent connections, but this can only be set for the whole server, or on a per user basis. Unfortunatly, most of these setups use the same database user for all their nodes, so this feature can’t be used to confine any possible damage.

Enter your good friend iptables.

This isn’t perfect, but this little trick might help you while programmers take care of their business:

iptables -A INPUT -p tcp -m recent --rcheck --seconds 60 -j REJECT
iptables -A INPUT -p tcp --dport 3306 -m connlimit --connlimit-above 2 -m recent --set -j REJECT

(The number of seconds and the concurrency limit here are examples for testing only, set them to proper values if you use them in your servers!)

This two rules create a recent ‘bad guy’ list, and send any source that exceeds two concurent connections on tcp pot 3306 to this list for 60 seconds.

If used smartly with a proper timeout value for MySQL connections, this could be useful for situations such as the one I described.

Hope it helps you!

No related posts.

So, without further ado,  here it goes:

#!/bin/bash 

[ $# -eq 0 ] && {
        echo "usage: salt <length>">&2
        exit
}
strings </dev/urandom | while read line; do
        echo $line | tr '\n\t ' $RANDOM:0:1 >> /tmp/.salt.$$
        salt=$(cat /tmp/.salt.$$)
        [ ${#salt} -ge $1 ] && salt=${salt:0:$1} && echo $salt && break
done
rm -f /tmp/.salt.$$

I had to use $1 and not a var, and echo the salt right from inside the while, because the ‘|’ creates another shell, so I can’t pass variables to or from the while in this case.

If you want to keep things simple, you can go perl and just do

#!/usr/bin/perl
use Crypt::Salt;
my $length = shift;
print salt($length);

But if you ever find yourself in a server with no cpan, the first option might prove useful

Related posts:

1. Generating data with dbmonster In my last post I included some sample data...
2. Running commands from the shell with a timeout (pt 2) Here’s an improved version of the safecmd script. This one...
3. Running commands from the shell with a timeout Sometimes, in a shell script, you need to run a...

Related posts brought to you by Yet Another Related Posts Plugin.

According to the site, it aims to counter XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks, and unknown attack patterns,  through it’s Centrifuge component.

Installation is simple. Just download it, copy the lib directory to a directory in your project structure, or add it to your include_path.

I actually chose a mix of both ways, so it’s automatically included when I distribute my applications.

Here’s how to use it:


ini_set('include_path',ini_get('include_path').PATH_SEPARATOR.PRIVATE_ROOT.DIRECTORY_SEPARATOR.'phpids'.DIRECTORY_SEPARATOR.'lib');

Here we’re just modifying the include path in order to add phpids.
PRIVATE_ROOT is a constant that I’ve defined in my app, which defines the root of the application. This is not accessible from the web server (following the recommendation of the Dispatch method, from the PHP Security Consortium. However, this is a particular case, in most situations, I’d recommend using a framework that already takes a similar pattern into account, like CakePHP).
phpids is where I’ve copied this IDS. The downloaded package has a similar root directory name, like phpids-x.y.n, depending on the version number.


require_once 'IDS/Init.php';


Require the Init.php file

Then, whenever you need to access the request variables (in my case, this was just in one point in my application so I just had to modify one function), add something like this:


$request = array(
'REQUEST' => $_REQUEST,
'GET' => $_GET,
'POST' => $_POST,
'COOKIE' => $_COOKIE
);
$init = IDS_Init::init(PRIVATE_ROOT. DIRECTORY_SEPARATOR .'phpids'.DIRECTORY_SEPARATOR.'lib/IDS/Config/Config.ini');

$ids = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
trigger_error($result);
}

If the $result object is not empty, the IDS detected an attack attempt and therefore you should stop processing the request.

And now the fun part.

In order to test this, I set up a very simple, very insecure test page.
Here’s the php code:

error_reporting(E_ALL);
ini_set('include_path',ini_get('include_path').':'.'../src/phpids/lib');
require 'IDS/Init.php';
function checkIds()
{
   $request = array(
     'REQUEST' => $_REQUEST,
     'GET' => $_GET,
     'POST' => $_POST,
     'COOKIE' => $_COOKIE
);

$init = IDS_Init::init('/home/fipar/workspace/at-intranet/src/phpids/lib/IDS/Config/Config.ini');
$ids = new IDS_Monitor($request,$init);
$result = $ids->run();
if (!$result->isEmpty()) {
     trigger_error($result);
}
}

if (isset($_REQUEST['sql'])) {
     checkIds();
     $sql = $_REQUEST['sql'];
     print 'Form says '.$sql.'
';
}

The html page has just an input type text with the name ‘sql’, and a submit button.

I tried the following inputs:

• Hello, which goes by ok
• ‘ and 1, which generates errors for the REQUEST and POST variables, stating
  

  Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42

• <a href=”http://www.google.com”>www.google.com</a>, which generates errors for the REQUEST and POST variables, stating
  

  • finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
  • Detects JavaScript object properties and methods | Tags: xss, csrf, id, rfe | ID: 17
  • Detects basic SQL authentication bypass attempts 2/3 | Tags: sqli, id, lfi | ID: 45

No related posts.

The problem is, sometimes, people who skip on frameworks, don’t know what they’re doing.
Or, as the Tao of Programming says:

There once was a master programmer who wrote unstructured programs. A novice programmer, seeking to imitate him, also began to write unstructured programs. When the novice asked the master to evaluate his progress, the master criticized him for writing unstructured programs, saying, “What is appropriate for the master is not appropriate for the novice. You must understand the Tao before transcending structure.”

Anyway, for novices and masters alike, here’s a great resource of common programming errors one should avoid while working on a project. Some are web oriented, but most are applicable in any environment.

No related posts.