Category Archives: Security

Spam This Post – It’s Protected By Cleantalk

Spam is one of those things on the web that, no matter what, you can't really escape. I've been posting stuff on the web for years, helped moderate a number of forums, etc., and Spam is always a problem.

Chicken Spam

I have this WordPress site you're reading this post on, and two Drupal sites that I maintain. One of those Drupal sites I do my very best to keep out of Google; it's just a personal blog with information only I and maybe my family care about. So it's got a robots.txt on it and a number of HTTP headers that are designed to stop it getting any traffic.

Still it gets Spam. I've been writing and posting in that Diary for over 20 years now, so it's been around a while. For ages I just deleted Spam as it came in; there were only one or two posts a month, if even that. Then just as it started to get really bad, along came Mollom. Mollom was a great web service that you just plugged into your Drupal instance and it would flag any new content as either Good, Bad or "Maybe". Anything Maybe you had to manually review to ensure you weren't hiding good content. Mollom was an excellent free service, but after many years Acquia decided that it wasn't a Core Product and terminated it. There's a great blog post by Dries talking about it and its eventual demise.

The sad, dead Mollom Drupal Plugin

Once it died, neither of my Drupal sites was Spam protected anymore and of course the Spam rolled in. I tried a few different things in that timeframe, mostly either "Anti-Bot" type plugins, or Captchas. Captcha seemed like the best solution, but I hated that on this very WordPress blog, whenever I went to log in to the Admin panel I would be greeted with a picture where I had to click traffic lights and all that nonsense. And so I moved to hCaptcha and it seemed to be a bit better, but then once again the Spam started rolling in. Not really a surprise when you realise there are plenty of Captcha Solving Services available. I guess it's profitable to pay the small fee to be able to post Spam.

Ugh! So again I was back to square one, and even for a time turned off comments on the popular posts on this site that were getting spam.  Then I got annoyed and went hunting for a solution and that’s when I discovered Cleantalk.

The first thing I was impressed with is there's a plugin for both WordPress AND Drupal. With WordPress being the primary blogging platform a lot of people use, I was glad to see Drupal (which I think is superior myself, but they serve different audiences) hadn't been forgotten about.

The WordPress Plugin is super easy:

Cleantalk WordPress Plugin

You install it, paste in your key provided by the Cleantalk website and off you go. You're protected from Spam. You can click on "advanced settings" if you really need to tweak some settings when you're using a WordPress caching plugin, or some of the e-Commerce modules. The Cleantalk WordPress module has settings to make sure all different types of WordPress sites are supported out of the box.

Drupal is a similar story:

Drupal Cleantalk Plugin

Again it's very easy to set up: you put in your API key and tweak a few settings to how you need them for your setup, and away you go. Your site is protected against Spam!

As I said, I've got 3 sites: 2 Drupal and 1 WordPress. To see the status of your Spam protection you just log into the Cleantalk Portal and you get a nice simple overview of your sites:

Cleantalk Admin Panel

From there you can see how many Spam attempts were blocked before they were even attempted (SpamFirewall) and, for those spammers lucky enough to get through the SpamFirewall, how many Approved or Spam comments were processed and dealt with.

The SpamFirewall Logs

I've only been using Cleantalk for a couple of weeks thus far, so I don't have a lot of Approved comments (my blogs aren't that popular I guess!) but I sure have a lot of blocked Spam. Handbag sales, do I want a video, etc. All blocked. No longer do I have to keep comments disabled, no longer do I have to delete comments as soon as they're posted, etc. You can see here the content that Spammers tried to post being denied:

Spam being blocked by Cleantalk

Overall I'm very happy with Cleantalk. It's fitted in where Mollom left off: automated, hassle-free Spam prevention. I think the cost of the service is reasonable, even for a hobbyist like me. I've asked a few support questions and both times the support people were very quick to help and offer solutions, and that's always a good thing.

One final note: I signed up before my trial period (7 days) was over.  In doing so, I was granted an extra 6 months free, on top of the 3 years I purchased.  In writing this review, I will submit it to Cleantalk and they’ll give me a bonus 12 months of Spam protection.  So this post is, in a way, sponsored.  But the reason I’d like a bonus 12 months is because I’m very happy with the service they’re providing!  So much so I wrote this post.

Thanks for reading.  Now go and protect your website from Spam the easy way with Cleantalk!

Tim

grsecurity on a Xubuntu laptop

I installed Xubuntu on my now very old Dell XPS m1330 the other day. Windows 10 just wasn't cutting it for me, though that's probably because I had an excess of crap installed. It was taking upwards of 5 minutes to reboot though, so I thought I'd try something else.

Xubuntu was the obvious choice, Gnome can die in a fire and KDE while nice is too UI heavy for what I want.  I love XFCE, it’s small, clean and does a great job, so xubuntu got the nod.

Once installed and working, I then downloaded the 4.1.3 kernel source and the latest grsecurity patch for it. Patched the source and fired up make menuconfig. Ubuntu being Ubuntu, it comes with pretty much every freaking option, module and setting defaulted to yes. Rather than piss about making a nice small custom kernel, I just went with all the defaults, then turned on pretty much every grsec feature. The few items I kept disabled are:

They're only minor things (well, the RBAC system isn't really "minor"); all of the main memory protection features (thanks, PaX) and the other grsecurity hardening features are enabled.

Then it's just a matter of making sure all the right packages are installed to be able to do a "make-kpkg --initrd kernel_image" and waiting for a very long time. Oh, and it helps to set CONCURRENCY_LEVEL to 2, which is how many cores the CPU has. Then you wait about 3 hours…

Finally you end up with a .deb that you install and off you go.  Install it and reboot and….

It worked first go. Not that I really expected otherwise. The only problems encountered are the expected ones: some binaries don't like the hardened memory protections, so those protections have to be turned off on a per-binary basis. So it's apt-get install pax-utils and apt-get install paxctl.

The binaries I adjusted flags for are:

  • chrome
  • thunderbird
  • python3

paxctl -cpm /path/to/binary

-c: creates a PaX header, -m: disables MPROTECT, -p: disables PAGEEXEC

The only problems I’ve faced apart from this are issues with the sound module.  Under a default ubuntu kernel the sound just works.  Under my compiled kernel, the module needs to be removed and re-added for sound to work, and then it fails if you suspend the laptop.  I’m 99% sure this isn’t anything to do with grsecurity, but rather the fact it’s a vanilla kernel source, not a heavily-patched ubuntu kernel source with fixes for all those sorts of things.  I’ll get to the bottom of it at some stage.

But the laptop works and works well. I'm not using the proprietary Nvidia drivers, just the nouveau ones. Suspend works. It's still fast and browsing is quick, despite all of the PaX and grsecurity options turned on, some of which have a known performance impact (I'm looking at you, Userland Dereference and Memory Sanitize).

The whole process has been easy, quick and painless. The hardest part has been waiting for the kernel to compile. When I have a bit more free time I'll go through and build an image for just this laptop, disabling all the drivers and options that are totally unnecessary. I'll end up with a much leaner kernel that's quick to compile. But this image I have now could be given to anyone with an x64 system and it'd boot and work perfectly.

Thanks spender, pipacs and emese for their work on PaX/grsecurity.

Tim

UPDATE: A couple of updates to this post. Firstly, the issue with sound was caused by CONFIG_GRKERNSEC_SYSFS_RESTRICT being set. Disabling this and building again works. I also found that I was getting slower performance; disabling UDEREF on the command line as well as slab sanitization has fixed this, giving me excellent performance again. Because they're command-line options, I can re-enable them easily without having to recompile. My full Linux boot command is:

BOOT_IMAGE=/boot/vmlinuz-4.1.4-grsec root=/dev/sda1 ro reboot=w nouveau.runpm=1 nouveau.pstate=1 pax_nouderef pax_sanitize_slab=off pax_extra_latent_entropy

Finally, I sat down over the weekend and stripped out all the unneeded modules and settings. Ubuntu by default sets a lot of debugging features, so all those are turned off now in the aim of squeezing a bit more performance out of the laptop. Plus now my kernel image is ~25MB instead of ~250MB.

ASB Bank and TOR

Sometime in early December I thought I’d have a play with TOR.  I ran it up on micro and played with it for a few days.  I thought I’d “help the TOR world” by running an exit node, seeing as we have more bandwidth allocated to us than we use.

After a few days though I figured hell, I probably wasn’t doing much to help, so I turned it off and forgot about it.

Fast forward to a few weeks later: suddenly my wife can't get to a website she needs to access. After some digging, it turns out that it works from other IPs, just not our home IP. Our home IP is static, so I can't just reboot and get a new one. I email the people running the website and to my surprise, they're very helpful. They investigate and tell me that due to my IP having been a TOR node, it's been blacklisted. Their network gear auto-updates a blacklist every few weeks, so if we're no longer a TOR node we should be removed.

No worries, I put a bypass in place in our home router, using OpenVPN.  Annoying, but it works.  A couple of weeks later they email me to tell me that it’s all sorted now. I remove the bypass and their site still works. Thanks!

Then ASB FastNet stops working. Both the website and their Mobile App (which accesses MobileAPI.asbbank.co.nz, a different IP than the Browser site.)  Argh!

I can't get a single communication out of them as to why it doesn't work, but trying to connect to FastNet Classic gives me:
micro:~> curl -vv -I https://fnc.asbbank.co.nz
* About to connect() to fnc.asbbank.co.nz port 443 (#0)
* Trying 210.55.180.58...
* Connection refused
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host

Which is quite annoying. So I have an OpenVPN bypass in place for it as well. The problem is my OpenVPN bypass is quite flaky, mostly due to the way I've set up OpenVPN. It doesn't reconnect properly when the tunnel drops, which it does every now and then on the end of a consumer-grade Internet service.

Can I get hold of anyone at ASB to help me? Tell me why the IP is blacklisted? Nope. I've emailed, prodded. Very frustrating. Please, someone at ASB in the Network Team get in contact. Tell me what I can do to get removed/get this fixed.

Thanks,

Tim

Update: ASB use BrightCloud's IP Reputation service. Once I filed a request with BrightCloud and they verified we weren't a TOR exit node anymore, they updated the status of our IP address and we can once again access ASB directly. Thanks ASB for getting back to me after I made a lot of noise…

modsecurity

I re-enabled modsecurity, this time with the PCRE JIT.

To do this I had to do the following:

Build the latest version of pcre.
Install it in /usr/local/pcre

Modify the apache startup to use LD_PRELOAD to load the new libpcre.so instead of the standard system one.
I could have overridden this using ld.so.preload, but that's a system-wide change and I don't know what else I might break, seeing as most other things will be compiled against the old version.

Finally I had to modify the apache2 binary so that it's allowed to create code at runtime (we are doing JIT here, after all):

paxctl -cm /usr/lib/apache2/mpm-prefork/apache2

Now it seems to be working fine.

PCRE was compiled like so:

./configure --prefix=/usr/local/pcre --enable-jit --enable-pcre16 --enable-pcre32 --enable-utf --enable-unicode-properties --disable-static

Full RELRO for Bitlbee

Took me ages of fucking around to get bitlbee to compile with full RELRO.

In the end I had to hack the Makefile.
At line 182 (the line where it gets linked) I had to add the flags marked between asterisks below:

180 $(OUTFILE): $(objects) $(subdirs)
181 @echo '*' Linking $(OUTFILE)
182 @$(CC) $(objects) $(subdirobjs) *-march=native -O2 -fstack-protector-all -fpic -pipe -Wl,-z,relro,-z,now* -o $(OUTFILE) $(LDFLAGS_BITLBEE) $(LFLAGS) $(EFLAGS)
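Both the paxctl step from the Xubuntu post (paxctl -cpm, which writes a PT_PAX_FLAGS program header into the binary) and the full-RELRO link flags above leave a trace in the ELF program headers, and that is where you verify that they took effect. The following is an added example, not code from either post nor from paxctl, PaX or bitlbee: a small Python parser that decodes the per-feature PaX bits and classifies RELRO as none, partial or full (a PT_GNU_RELRO segment plus a BIND_NOW dynamic flag). The constants are from the ELF specification and PaX's elf.h; the sample images are constructed headers only, not real executables, so it runs offline.

```python
"""Inspect ELF64 program headers for two hardening artefacts: the PT_PAX_FLAGS
header that `paxctl -c` creates, and the PT_GNU_RELRO segment plus BIND_NOW
dynamic flag that together mean full RELRO (-Wl,-z,relro,-z,now).

Added example, not code from the posts above nor from paxctl, PaX or bitlbee.
The sample ELF images are constructed by hand (headers only, no code).
"""
import struct

PT_DYNAMIC, PT_GNU_RELRO, PT_PAX_FLAGS = 2, 0x6474E552, 0x65041580
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

# (enable bit, disable bit) for each PaX feature, from PaX's elf.h.
# paxctl's lower-case options set the disable bit: -p -> NOPAGEEXEC, -m -> NOMPROTECT.
PAX_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15),
}


def _endian(elf):
    """Validate the magic/class and return the struct byte-order prefix."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    return "<" if elf[5] == 1 else ">"


def program_headers(elf):
    """Yield (p_type, p_flags, p_offset, p_filesz) for every program header."""
    end = _endian(elf)
    phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            end + "IIQQQQQQ", elf, phoff + i * phentsize)
        yield p_type, p_flags, p_off, p_filesz


def pax_status(elf):
    """Per-feature status from PT_PAX_FLAGS, or None when the header is absent
    (then the kernel-wide defaults apply to the whole binary)."""
    for p_type, p_flags, _, _ in program_headers(elf):
        if p_type != PT_PAX_FLAGS:
            continue
        status = {}
        for name, (on, off) in PAX_BITS.items():
            on_set, off_set = bool(p_flags & on), bool(p_flags & off)
            if on_set and off_set:
                status[name] = "conflict"  # contradictory header: flag for review
            else:
                status[name] = "enabled" if on_set else "disabled" if off_set else "default"
        return status
    return None


def relro_level(elf):
    """'full' = PT_GNU_RELRO plus BIND_NOW (GOT made read-only after eager binding),
    'partial' = PT_GNU_RELRO with lazy binding, 'none' = no RELRO segment at all."""
    end = _endian(elf)
    has_relro = bind_now = False
    for p_type, _, p_off, p_filesz in program_headers(elf):
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            for pos in range(p_off, p_off + p_filesz, 16):  # Elf64_Dyn is 16 bytes
                tag, val = struct.unpack_from(end + "qQ", elf, pos)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"


def build_sample(pax_p_flags=None, relro=False, bind_now=False):
    """Constructed ELF64 fixture: an ELF header, the requested program headers
    and a tiny dynamic section.  It is parser input, not an executable."""
    phdrs = []
    if pax_p_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_p_flags, 0, 0))
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))             # p_flags 4 = PF_R
    entries = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    dyn_off = 64 + 56 * (len(phdrs) + 1)                    # placed after all phdrs
    phdrs.append((PT_DYNAMIC, 6, dyn_off, len(dyn)))        # p_flags 6 = PF_R|PF_W
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, size, size, 8)
                    for t, f, off, size in phdrs)
    return ehdr + body + dyn


if __name__ == "__main__":
    # What `paxctl -cpm` leaves behind on a binary that was linked with full RELRO.
    sample = build_sample((1 << 5) | (1 << 9), relro=True, bind_now=True)
    print("PaX  :", pax_status(sample))
    print("RELRO:", relro_level(sample))
```

Point it at a real file with `pax_status(open(path, "rb").read())` to confirm paxctl did what you asked, and at the bitlbee binary with `relro_level(...)` to confirm the `-z,relro,-z,now` flags actually reached the link step. One caveat: this only reads the PT_PAX_FLAGS header; PaX can also take per-file flags from the `user.pax.flags` extended attribute (set with `setfattr`), which this script does not look at.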

Paxtest: grsecurity vs vanilla kernel

Vanilla Kernel

timh@Jumphost-Lab:~$ paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Writing output to /home/timh/paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Mode: Blackhat
Linux Jumphost-Lab 3.2.0-29-generic 46-Ubuntu SMP Fri Jul 27 17:03:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 9 bits (guessed)
Heap randomisation test (ET_EXEC) : 14 bits (guessed)
Heap randomisation test (PIE) : 16 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 8 bits (guessed)
Shared library randomisation test : 10 bits (guessed)
Stack randomisation test (SEGMEXEC) : 19 bits (guessed)
Stack randomisation test (PAGEEXEC) : 19 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : Vulnerable
Return to function (memcpy, PIE) : Killed

Grsecurity/PaX hardened kernel

Grsecurity Enabled Kernel

tim@beaker ~> paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux beaker 3.6.8-grsec 1 SMP Wed Nov 28 09:30:28 NZDT 2012 i686 GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 18 bits (guessed)
Heap randomisation test (ET_EXEC) : 22 bits (guessed)
Heap randomisation test (ET_DYN) : 24 bits (guessed)
Main executable randomisation (ET_EXEC) : 18 bits (guessed)
Main executable randomisation (ET_DYN) : 18 bits (guessed)
Shared library randomisation test : 18 bits (guessed)
Stack randomisation test (SEGMEXEC) : 24 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
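Reading two paxtest runs side by side is error-prone because the test order and even the test names differ between versions (PIE vs ET_DYN, PIE vs RANDEXEC). The following is an added example, not part of the post or of PaXtest: a Python script that parses the "name : result" lines, scores them (Killed best, randomisation tests by their bit count, Vulnerable and No randomisation worst) and reports which checks improved or regressed. The two sample reports are constructed excerpts in the same format as the output above.

```python
"""Diff two paxtest 'blackhat' runs and report which checks improved,
regressed or stayed the same.

Added example; not part of the post above or of PaXtest.  The two sample
reports are constructed excerpts in the same 'name : result' format.
"""
import re

RESULT_LINE = re.compile(r"^(.*?)\s*:\s*(.+?)\s*$")
BITS = re.compile(r"(\d+) bits")


def score(result):
    """Higher is better.  Killed beats everything; randomisation tests score
    their bit count; Vulnerable / No randomisation score 0.  None means the
    text is not a test result (banner, kernel line, 'Mode:' ...)."""
    if result == "Killed":
        return 100
    if result in ("Vulnerable", "No randomisation"):
        return 0
    m = BITS.match(result)
    return int(m.group(1)) if m else None


def parse(report):
    """Map test name -> result string, ignoring lines that are not results."""
    results = {}
    for raw in report.splitlines():
        m = RESULT_LINE.match(raw.strip())
        if m and score(m.group(2)) is not None:
            results[m.group(1)] = m.group(2)
    return results


def compare(before, after):
    """Classify every test present in both reports; tests present in only one
    (e.g. the PIE vs RANDEXEC variants of a check) are listed separately."""
    a, b = parse(before), parse(after)
    out = {"improved": [], "regressed": [], "unchanged": [], "only_in_one": []}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            out["only_in_one"].append(name)
            continue
        sa, sb = score(a[name]), score(b[name])
        key = "improved" if sb > sa else "regressed" if sb < sa else "unchanged"
        out[key].append((name, a[name], b[name]))
    return out


# Constructed excerpts: a subset of the lines shown above, same format.
VANILLA = """\
Mode: Blackhat
Linux Jumphost-Lab 3.2.0-29-generic 46-Ubuntu SMP Fri Jul 27 17:03:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Executable stack : Killed
Executable stack (mprotect) : Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 9 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Return to function (memcpy) : Killed
"""

HARDENED = """\
Mode: blackhat
Executable stack : Killed
Executable stack (mprotect) : Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 18 bits (guessed)
Main executable randomisation (ET_EXEC) : 18 bits (guessed)
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
"""

if __name__ == "__main__":
    for key, items in compare(VANILLA, HARDENED).items():
        print(f"{key}:")
        for item in items:
            print("   ", item if isinstance(item, str) else f"{item[0]}: {item[1]} -> {item[2]}")
```

Run against the two full reports above it flags the same thing a careful eye catches: the memcpy return-to-function check went from Killed on the vanilla box to Vulnerable on the grsecurity one. Before blaming the kernel, note that the two runs also differ in distribution, architecture (x86_64 vs i686) and toolchain, and the return-to-function tests depend heavily on the userland side, so a diff like this tells you where to look, not who is at fault.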