PSAD Quick Fix

I like psad. I use it often and I find the email reports really handy.

Here is an issue I faced in Ubuntu and the solution:

Instead of the reports I received an email with the following contents:

[-] You may just need to add a default logging rule to the /sbin/iptables
‘filter’ ‘INPUT’ chain on oxide-server.  For more information,
see the file “FW_HELP” in the psad sources directory or visit:

http://www.cipherdyne.org/psad/docs/fwconfig.html

[-] You may just need to add a default logging rule to the /sbin/ip6tables
‘filter’ ‘INPUT’ chain on oxide-server.  For more information,
see the file “FW_HELP” in the psad sources directory or visit:

http://www.cipherdyne.org/psad/docs/fwconfig.html
I found on the web several people with the same problem, so here is what worked for me:

  1. Enable ufw logging. Type in console as root: ufw logging on
  2. Type as root:
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    ip6tables -A INPUT -j LOG
    ip6tables -A FORWARD -j LOG
  3. Open /etc/ufw/before.rules and type before the COMMIT directive:
    -A INPUT -j LOG
    -A FORWARD -j LOG
  4. Open /etc/ufw/before6.rules and type before the COMMIT directive:
    -A INPUT -j LOG
    -A FORWARD -j LOG
  5. Restart ufw by typing as root:
    ufw disable
    ufw enable
  6. Test if it worked:
    psad --fw-analyze
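
The steps above all aim at one thing: an unconditional LOG rule at the end of the filter INPUT and FORWARD chains, placed inside the *filter section of the ufw rules files and before COMMIT, so that psad actually sees packets. The script below is an added example, not from the original post; it checks both the live ruleset (via iptables -S, which needs root) and the before.rules files, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the prerequisite the
# post's steps set up, an unconditional LOG rule on the filter INPUT and
# FORWARD chains, both in the live ruleset and in the ufw before*.rules
# files (where it must sit inside *filter, before COMMIT).

# Reads "iptables -S CHAIN" output on stdin; 0 if an unconditional
# "-A CHAIN -j LOG" rule exists (a --log-prefix is fine), else 1. A LOG
# rule with match options (e.g. -p tcp --dport 22) does not count, since
# psad needs to see every packet that reaches the chain.
has_default_log_rule() {
    grep -Eq "^-A $1 -j LOG( |\$)"
}

# Reads a before.rules-style file on stdin; 0 if "-A CHAIN -j LOG" appears
# inside the *filter section and before its COMMIT, else 1. A rule placed
# after COMMIT lands in the next table or is never loaded.
rules_file_has_log_rule() {
    awk -v chain="$1" '
        /^\*filter/ { in_filter = 1; next }
        /^COMMIT/   { in_filter = 0; next }
        in_filter && $1 == "-A" && $2 == chain && $3 == "-j" && $4 == "LOG" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live ruleset of one binary (iptables or ip6tables): prints chains that
# lack the rule; returns the number of missing chains (0 = all good).
check_live() {
    bin="$1"; missing=0
    for chain in INPUT FORWARD; do
        if ! "$bin" -S "$chain" 2>/dev/null | has_default_log_rule "$chain"; then
            echo "[-] $bin: no default LOG rule in filter $chain"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Same check for one ufw rules file; returns the number of missing chains.
check_rules_file() {
    file="$1"; missing=0
    for chain in INPUT FORWARD; do
        if ! rules_file_has_log_rule "$chain" < "$file"; then
            echo "[-] $file: no '-A $chain -j LOG' before COMMIT in *filter"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Source the file as root and run `check_live iptables; check_live ip6tables; check_rules_file /etc/ufw/before.rules; check_rules_file /etc/ufw/before6.rules`; every chain it reports is one that psad's --fw-analyze will also complain about.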

I know that some parts appear to do very similar things, but for some strange reason it worked only after following the exact procedure above.

Hope it helps!
Vasilis
ZAProxy & a common question

One of my favourite tools for penetration testing is ZAProxy or ZAP.
In case you haven’t heard about it you can find more information and download it here.

In this post I will publish an answer Psiinon (the project lead) gave on the ZAP mailing list. I decided to publish it because I have been asked the same thing many times, especially by new ZAP users.

Question:
Is there any danger when scanning with ZAP against a live website (e.g. create/delete/update/corrupt data)?

Answer: (Psiinon)

I usually try to explain it this way:

Proxying (and therefore passive scanning) requests via ZAP is completely safe and legal, it just allows you to see what's going on.
Spidering is a bit more dangerous. It could cause problems depending on how your application works (and we should make the 'no post' option visible!).
Active scanning is dangerous and depending on your app may create/modify/delete data.
So the only really safe thing is proxying and passive scanning, the other 2 could cause problems and could be considered illegal if you perform them on apps you don't have permission to test.
I have wondered about adding a 'safe' mode to ZAP which will only allow you to do safe things. Thoughts anyone? I know it's not something pentesters would use ;)
Hope that helps,
Psiinon

I did search a bit in the ZAP FAQ and wiki but I was not able to find it there. Hope it helps!

Best regards,
Vasilis

iptables is not a firewall

A mistake I come across often is confusing iptables with the Linux kernel firewall.
Even in articles whose writers appear to have great knowledge of iptables tweaking and rule creation, the same mistake can be found.

OK, it is not a firewall, but what is it?
According to Wikipedia (and me):
iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

It simply comes pre-installed with most Linux/Unix distros and requires elevated privileges.