Archive

Archive for July 2009

eMule is completely free

29 July 2009

eMule is the peer-to-peer (P2P) file-sharing program par excellence. eMule is completely free and its source code is released publicly. eMule can be downloaded free of charge from its official website.

Some scammers, taking advantage of eMule's ever-growing popularity, have started deceiving less experienced users who search on search engines such as Google for websites to download it from.

If you type the word emule into Google, advertisements promoting an eMule download are shown before and beside the results. The less experienced user, who does not recognise at first glance that these are ads, clicks on them to download eMule.

(Image: eMule for a fee)

The same advertisements also appear on websites that talk about eMule and use Google AdSense, which lets the site's creator earn money by having Google display ads on its pages.

Arriving, one way or another, at the sponsored websites, the user finds a nasty surprise: downloading eMule from the sponsored sites turns out in the end to cost money. Having reminded you that downloading eMule from its official website is free, I can proceed to the analysis of the scam sites.

Right now only two websites promising an eMule download are sponsored. As a good student of scams, I click on the first advertisement and land on a bare page containing only two images; clicking on them lets you download eMule or eMule Plus, a modified version of eMule that can also be downloaded free of charge from its official website.

(Image: eMule for a fee)

My initial intention was to download the standard version of eMule, so I click on the corresponding image and download it. For safety I run the downloaded installer inside a protected environment, since these scam sites could install malicious software (viruses, spyware) on our computers.

The standard eMule installation opens, except that at a certain point you are asked to call a premium-rate number costing 3 euros to obtain an installation code needed to finish installing eMule.

(Image: eMule for a fee)

Nowhere, neither in the ad nor on the scam site, did it say that eMule cost money! The less experienced user, not knowing that eMule is completely free, picks up the phone and pays for the installation code.

The second sponsored website also makes no mention of the fact that downloading eMule from their site costs money. Do you see anywhere, in the following image, that downloading eMule costs money?

(Image: eMule for a fee)

The crucial question: why does eMule from these websites cost money? The second scam site explains it, on a hidden page. The payment for the eMule download is "intended to cover the costs of exhaustive review and analysis of all the downloads listed on this portal, as well as their daily review".

In other words, they assure you that eMule is safe and free of malicious software (viruses, spyware), and you pay for this precious information. There is, however, a small problem. If you download eMule from their scam site, as they themselves tell you, your computer gets filled with unreliable software and your browser's home page gets changed.

In short, they assure you that the program you are about to download (for a fee) is safe from malicious software, with which they themselves will fill your computer. Quite a service (for a fee)! Another question: where does the eMule download come from?

The download "is carried out directly from the author's website by means of a mechanism created by this company and called downloader". So it is NOT a modified version of eMule, as the advertisement claimed, but the official version of eMule downloaded from that very same official website, where it is available for free. Adding insult to injury.

To conclude: because they sell you something that is free, without making that clear, and some of them fill your computer with unreliable software, I allow myself to call these websites scams that try to deceive less prepared users. So keep your eyes open!

P2P Forum Italia has compiled a list of scam websites that sell you free P2P programs. Worth reading.


Technical Documents

Configuring and installing eMule

29 July 2009

eMule: install and configure eMule to download at full speed!

eMule, together with uTorrent, is the best-known P2P program for sharing and downloading music, films, programs and much more from the Internet.

Downloading with eMule is child's play, but only with the right guide will you install and configure eMule correctly to get the most out of it. Follow me in discovering eMule.

(Image: Download Speed, photo "Download speed" by Sean Future)

How to download eMule for free

Beware of scammers trying to sell you eMule: eMule is free! To download eMule free of charge, go to this website and click Download under the Installer entry.

For Fastweb users there is a special version of eMule called Adunanza. For information on its use and configuration, see the Adunanza website.

How to install and configure eMule properly

Installing eMule is very simple. Double-click the downloaded eMule installer and proceed by pressing, in turn: Ok, Next, I Agree, Next, Next, Install, Next, Finish.

Double-click the eMule icon on the Desktop to start it. If you have a firewall installed, you will be asked whether to allow eMule Internet access: without a second thought, allow it.

The eMule configuration wizard opens. Click Next and tick 'Connect eMule automatically at startup'. If you want (it is not necessary), you can enter a user name in the text field provided so that other eMule users can recognise you. Click Next.

The window that opens is very important. Before clicking Next, replace the port numbers already set in the window with TCP 4662 and UDP 4672, then click Test Ports.

A web page opens that tells us right away whether we can start downloading with eMule at full speed. If the test fails, don't despair: we will solve this later, in the section on the High ID.

Keep clicking Next and then Finish to reach the Wizard… window, where you must specify the speed of your Internet connection. To find out your connection speed, go to the DSLReports website, click 'Flash 8 plugin based speed test', pick any server in the server list window that opens and wait for the test to finish.

In light of the test results, go back to the eMule configuration window and choose an entry whose parameters are similar to yours. Click Apply to finish the configuration.

Hang in there, you are about to finish configuring eMule! Go to this website and click 'add to eMule' on the 'all servers' row. If you want to be 100% sure of the reliability of eMule servers and avoid spy servers, also read this guide of mine.

Finally go to this website, click 'add to eMule' and then Yes in eMule.

Connecting to eMule and getting a High ID on eMule

The first thing you must do to download files with eMule is make sure you are connected, by pressing the Connect button in the top navigation bar. To download at full speed, the server eMule connects us to must assign us a High ID.

A High ID on eMule is obtained only if the servers can communicate with us without interference from our router or our computer. Looking at the bottom of the program, we can see our status by checking that the arrows around the globe are green.

If they are yellow, or worse red, something is wrong. If you connect to the Internet through a router, go to the Portforward website, look up your router's make and model and follow the step-by-step guide to open the ports eMule needs.

Don't be put off by the site being in English: the guides are full of pictures and easy to follow. After making all the necessary changes on the router, close and reopen eMule to see whether the router changes brought the hoped-for improvements (green arrows and therefore a High ID).

How to download with eMule

To download files with eMule, click the Search button in the top navigation bar. Type what you are looking for in the Name text field, select Kad Network under Search Method and click Start.

To help you choose which file to download, you can click one of the columns to sort the results: Size and Sources are the columns of most interest. The more sources, the higher the chance of a fast, steady download speed over time and, consequently, of completing the download.

Once you find the file you want, just double-click it to put it in the download list (Transfers button in the top navigation bar) and wait for it to complete, which happens when the progress bar turns fully green.

Why doesn't the download start right away as in other P2P programs, or why does it keep getting interrupted? Unlike what you might imagine, it is not your fault.

eMule works on the concept of queues. When you decide to download a file, eMule connects to the users who have that file, putting you in their queue. If no one is ahead of you the download starts immediately; otherwise you have to wait your turn.


YouTube: how to download videos

29 July 2009

How to download videos from YouTube

You've come across a funny video and would like to download it: you are desperately looking for a Download button but can't find it. Don't despair: there isn't one. But now I'll show you a little trick to download your video. First copy the video's address: you find it in the top part of the browser.

(Image: downloading videos from YouTube)

Now go to the KeepVid website, paste the video address into the text field (example: http://www.youtube.com/watch?v=8x7J4psoo2g) and press Enter (or click the Download button). After a moment a box named Download appears: right-click the Download Link entry and select Download Linked File if you use Safari (Mac OS X), or Save Target As… and then click Save if you use Mozilla Firefox or Internet Explorer.

(Image: downloading videos from YouTube)

After the download finishes, you end up with a file named get_video. Now you need to rename the file and give it the .flv extension. Don't worry: it's not hard at all. On Windows, right-click the file, select Rename and type videoname.flv.

On Mac OS X, select the file, press Enter and type videoname.flv. Good, good! You've come a long way: all that remains is to show you how to use the excellent VLC program to watch the downloaded videos. Just point your browser at http://www.videolan.org/vlc/ and, under Download, select your operating system.

On the page that opens, click Download (any mirror is fine) and install the downloaded program: on Mac, simply drag it into the Applications folder; on Windows, keep clicking Next. Finally open VLC (on Windows, go to Start/All Programs/VideoLan/VLC media player), open the File menu and select Open File (Quick)…. Then find the downloaded video and click Open.


WordPress: setting permissions

29 July 2009

Changing File Permissions


On computer filesystems, different files and directories have permissions that specify who and what can read, write, modify and access them. This is important because WordPress may need access to write to files in your wp-content directory to enable certain functions.

Permission Modes

  7      5      5
 user   group  world
 r+w+x  r+x    r+x
 4+2+1  4+0+1  4+0+1  = 755

The permission mode is computed by adding up the following values for the user, the file group, and for everyone else. The diagram shows how.

  • Read 4 – Allowed to read files
  • Write 2 – Allowed to write/modify files
  • eXecute 1 – Allowed to execute a file, or, for a directory, to enter it and access its contents

  6      4      4
 user   group  world
 r+w    r      r
 4+2+0  4+0+0  4+0+0  = 644

Example Permission Modes

Mode  Str Perms   Explanation
0477  -r--rwxrwx  owner has read only (4), group and others have rwx (7)
0677  -rw-rwxrwx  owner has rw only (6), group and others have rwx (7)
0444  -r--r--r--  all have read only (4)
0666  -rw-rw-rw-  all have rw only (6)
0400  -r--------  owner has read only (4), group and others have no permission (0)
0600  -rw-------  owner has rw only, group and others have no permission
0470  -r--rwx---  owner has read only, group has rwx, others have no permission
0407  -r-----rwx  owner has read only, others have rwx, group has no permission
0670  -rw-rwx---  owner has rw only, group has rwx, others have no permission
0607  -rw----rwx  owner has rw only, group has no permission and others have rwx

See the full list from 0000 to 0777.
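The arithmetic in the diagrams and the table above is mechanical enough to script. The following Python is an added example (not part of the WordPress documentation) that converts between the octal mode and the ls-style permission string, and reports which classes hold the write bit, the property that the "dangers of 777" discussion below turns on. Function names are this example's own.

```python
import stat

# Bit value of each permission letter: the "4 + 2 + 1" arithmetic from the
# diagrams above. The same values apply to the user, group and world groups.
BITS = {"r": 4, "w": 2, "x": 1}


def triplet_value(triplet):
    """Turn one three-character group such as 'r-x' into its digit (here 5)."""
    if len(triplet) != 3:
        raise ValueError("a permission group has exactly three characters: %r" % triplet)
    value = 0
    for ch, expected in zip(triplet, "rwx"):
        if ch == expected:
            value += BITS[ch]
        elif ch != "-":
            raise ValueError("unexpected character %r in %r" % (ch, triplet))
    return value


def symbolic_to_octal(sym):
    """'-rw-r--r--' (or 'rw-r--r--' without the type character) -> '0644'."""
    perms = sym[-9:]
    if len(perms) != 9:
        raise ValueError("need nine permission characters, got %r" % sym)
    user, group, world = perms[0:3], perms[3:6], perms[6:9]
    return "0%d%d%d" % (triplet_value(user), triplet_value(group), triplet_value(world))


def octal_to_symbolic(mode):
    """0o644 or '0644' -> '-rw-r--r--', the Str Perms column for a plain file."""
    if isinstance(mode, str):
        mode = int(mode, 8)
    if mode & ~0o777:
        raise ValueError("only the nine rwx bits are handled here: %o" % mode)
    out = "-"  # leading '-' marks a regular file, as in ls -l
    for shift in (6, 3, 0):  # user, group, world
        digit = (mode >> shift) & 7
        out += "r" if digit & 4 else "-"
        out += "w" if digit & 2 else "-"
        out += "x" if digit & 1 else "-"
    return out


def who_can_write(mode):
    """List the classes (user, group, world) whose write bit is set."""
    if isinstance(mode, str):
        mode = int(mode, 8)
    classes = []
    if mode & stat.S_IWUSR:
        classes.append("user")
    if mode & stat.S_IWGRP:
        classes.append("group")
    if mode & stat.S_IWOTH:
        classes.append("world")
    return classes


def is_world_writable(mode):
    """True when 'everyone else' may modify the file, e.g. 666, 767 or 777."""
    return "world" in who_can_write(mode)


if __name__ == "__main__":
    for row in ("-r--rwxrwx", "-rw-rw-rw-", "-rw----rwx"):
        octal = symbolic_to_octal(row)
        print(row, octal, "writable by:", ", ".join(who_can_write(octal)))
```

Feeding the Str Perms column through symbolic_to_octal reproduces the Mode column row by row, and who_can_write makes the difference between 755 (only the owner writes) and 766 or 777 (everyone writes) explicit.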

Permission Scheme for WordPress

All files should be owned by your user account on your web server, and should be writable by your username. Any file that needs write access from WordPress should be group-owned by the user account used by the webserver. For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run using a separate user, in a separate usergroup. A user such as dhapache or nobody.

The file and folder permissions of WordPress should be the same for most users, depending on the type of installation you performed and the umask settings of your system environment at the time of install.

NOTE: If you installed WordPress yourself, you likely do not need to modify file permissions. Unless you are experiencing problems with permission errors, or you want to, you probably should not mess with this.

For core WordPress files, all should be writable only by your user account. However, if you utilize mod_rewrite Permalinks or other .htaccess features you should make sure that WordPress can also write to your /.htaccess file.
If you want to use the built-in theme editor, all files need to be group writable. Try using it before modifying file permissions, it should work.

Some plugins require the /wp-content/ folder be made writeable, but in such cases they will let you know during installation. In some cases, this may require assigning 755 permissions or higher (e.g. 777 on some hosts). The same is true for /wp-content/cache/ and maybe /wp-content/uploads/

Additional directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions will vary.

/
|- index.php
|- wp-admin
|   `- wp-admin.css
|- wp-blog-header.php
|- wp-comments-post.php
|- wp-commentsrss2.php
|- wp-config.php
|- wp-content
|   |- cache
|   |- plugins
|   |- themes
|   `- uploads
|- wp-cron.php
|- wp-includes
`- xmlrpc.php

Using an FTP Client

FTP programs (“clients”) allow you to set permissions for files and directories on your remote host. This function is often called chmod or set permissions in the program menu.

In a WordPress install, two files that you will probably want to alter are the index page, and the css which controls the layout. Here’s how you change index.php – the process is the same for any file.

In the screenshot below, look at the last column – that shows the permissions. It looks a bit confusing, but for now just note the sequence of letters.

Initial permissions

Right-click ‘index.php’ and select ‘File Permissions’
A popup screen will appear.

Altering file permissions

Don’t worry about the check boxes. Just delete the ‘Numeric value:’ and enter the number you need – in this case it’s 666. Then click OK.

Permissions have been altered

You can now see that the file permissions have been changed.

Unhide the hidden files

By default, most FTP Clients, including FileZilla, keep hidden files, those files beginning with a period (.), from being displayed. But, at some point, you may need to see your hidden files so that you can change the permissions on that file. For example, you may need to make your .htaccess file, the file that controls permalinks, writeable.

To display hidden files in FileZilla, select 'View' from the top menu, then select 'Show hidden files'. The file listing will refresh and any previously hidden file should come into view.

To get FileZilla to always show hidden files – under Edit, Settings, Remote File List, check the Always show hidden files box.

Using the Command Line

If you have shell/SSH access to your hosting account, you can use chmod to change file permissions, which is the preferred method for experienced users. Before you start using chmod it would be recommended to read some tutorials to make sure you understand what you can achieve with it. Setting incorrect permissions can take your site offline, so please take your time.

You can make all the files in your wp-content directory writable in two steps, but before making every single file and folder writable you should first try safer alternatives, such as modifying just the directory. Try each of these commands first and, if they don't work, then go recursive, which will make even your theme's image files writable. Replace DIR with the folder you want to write in:

chmod 746 -v DIR
chmod 747 -v DIR
chmod 756 -v DIR
chmod 757 -v DIR
chmod 764 -v DIR
chmod 765 -v DIR
chmod 766 -v DIR
chmod 767 -v DIR

If those fail to allow you to write, try them all again in order, except this time replace -v with -R, which will recursively change each file located in the folder. If after that you still can't write, you may now try 777.

About Chmod

chmod is a unix command that means “change mode” on a file. The -R flag means to apply the change to every file and directory inside of wp-content. 766 is the mode we are changing the directory to, it means that the directory is readable and writable by WordPress and any and all other users on your system. Finally, we have the name of the directory we are going to modify, wp-content. If 766 doesn’t work, you can try 777, which makes all files and folders readable, writable, and executable by all users, groups, and processes.

If you use Permalinks you should also change the permissions of .htaccess to make sure that WordPress can update it when you change settings such as adding a new page, redirect, category, etc., which requires updating the .htaccess file when mod_rewrite Permalinks are being used.

  1. Go to the main directory of WordPress
  2. Enter chmod -v 666 .htaccess

NOTE: From a security standpoint, even a small amount of protection is preferable to a world-writable directory. Start with less permissive settings like 744, working your way up until it works. Only use 777 if necessary, and hopefully only for a temporary amount of time.

The dangers of 777

The crux of this permission issue is how your server is configured. The username you use to FTP or SSH into your server is most likely not the username used by the server application itself to serve pages.

  7      7      7
 user   group  world
 r+w+x  r+w+x  r+w+x
 4+2+1  4+2+1  4+2+1  = 777

Often the Apache server is 'owned' by the dhapache or nobody user accounts. These accounts have a limited amount of access to files on the server, for a very good reason. By setting your personal files and folders, owned by your user account, to be World-Writable, you are literally making them World Writable. Now the dhapache and nobody users that run your server, serving pages, executing php interpreters, etc., will have full access to your user account files.

This provides an avenue for someone to gain access to your files by hijacking basically any process on your server; this also includes any other users on your machine. So you should think carefully about modifying permissions on your machine. I've never come across anything that needed more than 767, so when you see 777 ask why it's necessary.
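A practical way to act on this warning is to audit an install for exactly the modes the text describes: anything world-writable, and anything wider than the scheme above (directories 755, files 644, wp-config.php 600 as in the "Secured Permissions" listing further down). The Python below is an added example, not part of the WordPress documentation; the baseline policy, the function names and the constructed sample layout are this example's own assumptions and should be adjusted to your host.

```python
import os
import stat
import tempfile


def baseline_mode(relpath, is_dir):
    """Hypothetical baseline for this example: directories 755, files 644,
    wp-config.php 600. Adjust to what your host actually requires."""
    if is_dir:
        return 0o755
    if os.path.basename(relpath) == "wp-config.php":
        return 0o600
    return 0o644


def audit_tree(root):
    """Walk an install and report entries that are world-writable or wider
    than the baseline. Returns sorted (relative path, mode, reason) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the link target on its own, not through the link
            mode = stat.S_IMODE(st.st_mode)       # the nine rwx bits plus suid/sgid/sticky
            is_dir = stat.S_ISDIR(st.st_mode)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            base = baseline_mode(rel, is_dir)
            if mode & stat.S_IWOTH:
                findings.append((rel, "%04o" % mode, "world-writable"))
            elif mode & ~base:
                findings.append((rel, "%04o" % mode, "wider than baseline %04o" % base))
    return sorted(findings)


# Constructed sample layout modelled on the directory tree shown above, with
# deliberately mixed modes so the audit has something to report.
SAMPLE_LAYOUT = [
    ("wp-content", True, 0o755),
    ("wp-content/plugins", True, 0o755),
    ("wp-content/uploads", True, 0o777),          # the "dangers of 777" case
    ("wp-content/uploads/photo.jpg", False, 0o644),
    ("index.php", False, 0o644),
    ("wp-config.php", False, 0o644),              # wider than the 600 baseline
    (".htaccess", False, 0o666),                  # world-writable, as the FTP example sets it
]


def build_sample_install(root):
    """Create the constructed layout under root with the modes listed above."""
    for rel, is_dir, mode in SAMPLE_LAYOUT:
        path = os.path.join(root, rel)
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        os.chmod(path, mode)  # chmod is not affected by the umask


def run_demo():
    """Build the sample install in a temporary directory and audit it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    build_sample_install(root)
    return audit_tree(root)


if __name__ == "__main__":
    for rel, mode, reason in run_demo():
        print("%-28s %s  %s" % (rel, mode, reason))
```

Run against a real install (audit_tree("/path/to/wordpress")), the report lists the entries to tighten first: world-writable paths before merely over-permissive ones, with wp-config.php flagged whenever group or world can read the database password it contains.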

The Worst Outcome

The worst that can happen as a result of using 777 permissions on a folder or even a file, is that if a malicious cracker or entity is able to upload a devious file or modify a current file to execute code, they will have complete control over your blog, including having your database information and password.

Find a Workaround

It's usually pretty easy to have the enhanced features provided by the impressive WordPress plugins available without having to put yourself at risk. Contact the plugin author or your server support and request a workaround.

Finding Secure File Permissions

The .htaccess file is one of the files that is accessed by the owner of the process running the server. So if you set the permissions too low, then your server won't be able to access the file and will raise an error. Therein lies the method for finding the most secure settings: start too restrictive and increase the permissions until it works.

Example Permission Settings

The following example has a custom compiled php-cgi binary and a custom php.ini file located in the cgi-bin directory for executing php scripts. To prevent the interpreter and php.ini file from being accessed directly in a web browser they are protected with a .htaccess file.

Default Permissions (umask 022)

644 -rw-r--r--  /home/user/wp-config.php
644 -rw-r--r--  /home/user/cgi-bin/.htaccess
644 -rw-r--r--  /home/user/cgi-bin/php.ini
755 -rwxr-xr-x  /home/user/cgi-bin/php.cgi
755 -rwxr-xr-x  /home/user/cgi-bin/php5.cgi

Secured Permissions

600 -rw-------  /home/user/wp-config.php
604 -rw----r--  /home/user/cgi-bin/.htaccess
600 -rw-------  /home/user/cgi-bin/php.ini
711 -rwx--x--x  /home/user/cgi-bin/php.cgi
100 ---x------  /home/user/cgi-bin/php5.cgi

.htaccess permissions

644 > 604 – The bit allowing the group owner of the .htaccess file read permission was removed. 644 is normally required and recommended for .htaccess files.

php.ini permissions

644 > 600 – Previously all groups and all users with access to the server could access the php.ini, even by just requesting it from the site. The tricky thing is that because the php.ini file is only used by the php.cgi, we only needed to make sure the php.cgi process had access. The php.cgi runs as the same user that owns both files, so that single user is now the only user able to access this file.

php.cgi permissions

755 > 711 – This file is a compiled php-cgi binary used instead of mod_php or the default vanilla php provided by the hosting company. The default permissions for this file are 755, which

php5.cgi permissions

755 > 100 – Because of the setup where the user account is the owner of the process running the php cgi, no other user or group needs access, so we disable all access except execution access. This is interesting because it really works. You can try reading the file, writing to the file, etc., but the only access you have to this file is to run php scripts. And as the owner of the file you can always change the permission modes back again.

$ cat php5.cgi
cat: php5.cgi: Permission denied
$ ./php5.cgi
Welcome

Ubuntu firewall with "Firewall Builder"

29 July 2009

I found this guide in English, which explains how the excellent Firewall Builder works: a tool that can generate rules for many kinds of firewalls using a single graphical interface.

Getting Started with Firewall Builder

This article is part of a series regarding firewalling and network security using the Firewall Builder tool on Ubuntu. This is user-contributed content. If you would like to contribute an article, please see the About page for contact information.


Author: vadim@fwbuilder.org, http://www.fwbuilder.org

This guide starts a series of articles about Firewall Builder. Firewall Builder (also known as fwbuilder) is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers' extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex than a simple web-based UI allows can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls. The first article is an introduction to the program. We will follow up with a series of articles focusing on more advanced aspects of it in the coming weeks.

Firewall Builder is packaged with most Linux distributions and is available under “System/Administration” menu.

If it is not there, then it probably needs to be installed on your system. You need to install the package containing the supporting API library, libfwbuilder, and the package fwbuilder, which contains the Firewall Builder GUI and policy compilers. Use apt-get or aptitude to find and install them:

# aptitude install libfwbuilder fwbuilder

On FreeBSD and OpenBSD Firewall Builder is part of ports, you can find it in /usr/ports/security/fwbuilder.

Packages shipping with Ubuntu are always one or two minor revisions behind. If you want to try the latest version, you can use pre-built binary .deb packages offered on the project’s web site or build from source using our online installation instructions. Pre-built binary packages can be installed using our repositories of rpm and deb packages, see instructions on this page.

If the system menu item is not there or you have built the program from source, you can always launch it from the command line by just typing “fwbuilder” on the shell prompt:

$ fwbuilder

The program starts and opens the main window and a greeting dialog. The dialog provides links to the project web site where you can find more tutorials, the FAQ, the Firewall Builder Cookbook and other documentation, as well as the bug tracking system and links to user forums and the mailing list. Clicking on a link in the dialog opens the corresponding web page in your web browser. This works the same on all supported OS: Linux, Windows and Mac OS X. You can always open this dialog later using an item in the main menu "Help".


Let's create our first firewall object. To do this, we'll use the object creation menu that appears when you click on the icon in the small toolbar right above the object tree. Choose the menu item "New Firewall" from the menu that appears.


The program presents a wizard-like dialog that will guide you through the process of creating the new firewall object. In the first page of the wizard you can enter the name for the new firewall object (here it is "guardian"), its platform ("iptables") and host OS ("Linux").

There are two ways a new firewall can be created: you can use one of the preconfigured template firewall objects or create it from scratch. This tutorial demonstrates the first method (using a template object). To do this, check the checkbox "Use pre configured template firewall objects". The template can be taken from the library of template objects that comes with the Firewall Builder package or from a file provided by the user. The latter is useful when an administrator wants to distribute a library of predefined templates to other users in the enterprise. We are using one of the standard templates in this guide and therefore leave the standard template library path and name in the "Template file:" input field. Click "Next" to move on to the next page of the wizard.

Note that template firewall object comes completely configured, including addresses and netmasks of its interfaces and some basic policy and NAT rules. This configuration is intended as a starting point only. You should reconfigure addresses of interfaces to match those used on your network and most likely will have to adjust rules to match your security policy.


This page of the wizard shows template objects and their configuration. Standard template objects represent firewalls with two or three interfaces, a host with one interface, web server or Cisco router. Choose firewall with three interfaces for this guide. Note that template comes with completely configured firewall object, including set of interfaces and their ip addresses and some basic firewall policy. You will see how addresses can be changed later on in this guide. Click “Finish” to create a new firewall object using chosen template.


Here is our new firewall object. Its name is guardian, and it appears in the object tree on the left hand side of the main window in the folder Firewalls. When an object is selected in the tree, a brief summary of its properties appears in the panel under the tree. Double-clicking on the object in the tree opens it in the editor panel at the bottom of the right hand side panel of the main window. The editor for the firewall object allows the user to change its name, platform and host OS and also provides buttons that open dialogs for "advanced" settings for the firewall platform and host OS. We will inspect these a little later in this tutorial.

You can always resize the main window to make all columns of the policy view be visible.


Now would be a good time to save the data to a disk file. This is done in a usual way using main menu File/Save As.

Let's take a little tour of the network and service objects that come standard with the program. You can use these preconfigured objects to build policy and NAT rules for your firewall.

Objects in the tree are organized in libraries; you can switch between libraries using the drop-down menu above the tree. Firewall Builder comes with a collection of address, network, service and time interval objects in the library called "Standard". Let's take a look at them. Notice that the background color of the panel that shows the object tree depends on the chosen object library. This makes it easier to keep track of the library currently opened in the program.


The folder Objects/Hosts contains a few host objects used in the standard firewall templates. The folder Objects/Network contains network objects that represent various standard address ranges and blocks, such as multicast, net 127/8, the networks defined in RFC1918 and so on.


Firewall Builder also comes with an extensive collection of TCP, UDP and ICMP service objects that describe commonly used protocols. This slide shows some TCP objects (not all of them fit in the screenshot).


Here is an example of a simple TCP service. It defines source and destination port ranges (in this case source port range is not defined and there is only one destination port 80). TCP service object can also define any combination of tcp flags the firewall should inspect and also which ones of them should be set in order for a packet to match this object. In the case of the service “http” we do not need to define any flags.

pict_090

Now let's take a look at the objects created as part of the new firewall object guardian. To do this, switch to the library User, where this object was created. To open an object in the editor panel to inspect or change it, double click on it in the tree. Also, if you click on an object in a policy rule to select it, it is automatically selected in the tree on the left.

pict_100

First, the firewall object itself.

Every object in fwbuilder has basic attributes such as its name and comment. Other attributes depend on the object type.

Attributes of the firewall object include platform (can be iptables, pf, ipfilter, etc.), version (platform-dependent) and host OS. The buttons Host OS Settings and Firewall Settings open dialogs with many additional attributes that depend on the firewall platform and host OS. More on these later.

pict_110

Here are the choices for the firewall platform, version (for iptables) and host OS.

pict_103

Interfaces of the firewall are represented by objects located below the Firewall object in the tree. We refer to them as "children" of the firewall object. This slide demonstrates the properties of the interface eth0. To open it in the editor, double click on it in the tree. If the editor panel is already open and shows some object, it is sufficient to select the new object in the tree to reveal it in the editor panel (no need to double click).

IP and MAC addresses of interfaces are represented by child objects in the tree located below corresponding interface.

pict_120

The interface object has several attributes that define its function, such as "Management interface", "External", etc.

  • Name: the name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like "eth0", "eth1", "en0", "br0" and so on.
  • Label: on most OS this field is not used and serves the purpose of a descriptive label. The Firewall Builder GUI uses the label, if it is not blank, to show interfaces in the tree. One of the suggested uses for this field is to mark interfaces to reflect the network topology ('outside', 'inside') or the purpose ('web frontend' or 'backup subnet'). The label is mandatory for Cisco PIX though, where it must reflect the network topology.
  • "Management interface": sometimes the host has several network interfaces, in which case one of them can be marked as the 'management interface'. The management interface is used for all communication between Firewall Builder and the host.
  • "External interface (insecure)": marks an interface that connects to the Internet.
  • "Unprotected interface": marks an interface to which fwbuilder should not assign any access lists (used only with the Cisco IOS platform).
  • "Regular Interface": use this option if the interface has an IP address assigned to it manually.
  • "Address is assigned dynamically": use this option if the interface has a dynamic address (obtained by means of DHCP, PPP or another protocol); in this case the address is unknown at the moment when Firewall Builder generates the firewall policy.
  • "Unnumbered interface": use this option if the interface can never have an IP address, such as the ethernet interface used to run PPPoE on some ADSL connections, a tunnel endpoint interface, or an interface on a bridging firewall. See Section 5.3.1 for a more detailed discussion of these different types of interfaces.
  • "Bridge port": this option is used for a port of a bridging firewall.
  • "Security level": security level of this interface, used only with Cisco PIX (ASA).
  • "Network zone": network zone of this interface, used only with Cisco PIX (ASA). The network zone drop-down list shows all network objects and groups of addresses and networks present in the tree. Choose one of them to tell the compiler which networks and blocks of addresses can be reached through this interface. The compiler uses this information to decide which interface each ACL rule should be associated with, based on the addresses used in the destination of the rule.

pict_130

Here is the IP address of interface eth0, the external interface of the firewall. The address and netmask are attributes of a child object of the type "IPv4 address". Here the address is "192.0.2.1" and the netmask "255.255.255.0". The button "DNS Lookup" can be used to determine the IP address using DNS: the program runs a DNS query for the "A" record of the name of the parent firewall object.

pict_140

Let's look at the IP address of the internal interface of the firewall. The address used in the template is "192.168.1.1" with netmask "255.255.255.0". This is a rather typical address used for small and home networks. Some commercial firewall appliances come preconfigured with this address.

pict_150

If the address 192.168.1.0/24 matches the address of your local network, you can skip this part of the guide and move to page 4. Otherwise, you need to reconfigure the address of the internal interface of the firewall object that you just created in fwbuilder, and also change the address object used in the policy rules. Start by changing the address attribute (and possibly the netmask, if necessary) of the object guardian:eth1:ip as shown in the screenshot:

pict_160

Now we need to change the IP address used in the rules. To do this, we create a new Network object with the correct address and replace the object net-192.168.1.0 in all rules with this new network object.

Use the New Object menu to create a Network object.

pict_170

The new Network object is created with the default name 'New Network' and IP address 0.0.0.0.

pict_180

Edit object name and address, then hit “Apply”.

pict_190

Use menu Object / Find to activate search and replace dialog. The Find and Replace dialog opens at the bottom of the right hand side panel in the main window, below the policy rules view.

pict_200

Locate the object net-192.168.1.0 in any policy rule where it is used, or in its location in the tree in the library Standard, and drag and drop it to the left object well in the search and replace dialog as shown on the screenshot:

pict_210

Change the scope setting to "Policy of all firewalls". If you have many firewalls in the tree, use the scope "policy of the opened firewall" instead. Locate the new Network object you just created in the tree and drag and drop it to the right object well in the search and replace dialog as shown on the screenshot:

pict_220

Now hit the "Replace all" button. A pop-up dialog should appear and report how many replacements the program had to make in all rules of the firewall. Note that the replacement is done not only in the policy rules, but in the NAT rules as well.

pict_230

Now that you have created a new object and replaced the old network object with the new one in all rules, do not forget to save the data to a file using the menu File/Save.

Let's inspect the properties of the firewall object. Double click on the firewall "guardian" in the tree to open it in the editor panel, then click the "Firewall Settings" button in the editor. This opens a new dialog that looks like this. Notice the "Help" button in this dialog; clicking it opens the help as shown on the next slide.

pict_240

Online help explains all attributes and parameters located in each tab of the firewall settings dialog. I encourage you to explore it as many parameters are important and affect generated iptables script in different ways.

Next few screenshots show other tabs of the firewall settings dialog. You can find detailed explanations of all parameters in the online help.

pict_250

This page defines various parameters for the built-in policy installer. The installer uses an ssh client (pscp.exe and plink.exe on Windows) to transfer the generated script to the firewall machine and activate it there.

pict_260

The user can define shell commands that will be included in the generated script at its beginning and at its end. These commands can do anything you want, such as configure some subsystems, set up routing, etc.

pict_270

Parameters for logging.

pict_280

More options for the script generation. Notice that fwbuilder can produce the iptables script in two formats: 1) as a shell script that calls the iptables utility to add each rule one by one, or 2) as an iptables-restore script that activates the whole policy at once. Other parameters are explained in the online help.

pict_290

Starting with v3.0 Firewall Builder can generate both IPv4 and IPv6 policy. This tab controls the order in which they are added to the script if user defined rules for both address families in the Policy objects of the firewall.

pict_300

Let's take a look at the policy of the template firewall. These rules are intended to be an example, a starting point to help you create your own policy quicker. Most likely you will want to modify them to suit your requirements. The explanation of the rules given here is rather brief because the goal of this guide is only to demonstrate how to use Firewall Builder.

  • Rule 0: this is an anti-spoofing rule. It blocks incoming packets whose source address matches the addresses of the firewall or of the internal or DMZ networks. The rule is associated with the outside interface and has direction set to "Inbound".
  • Rule 1: this rule permits any packets on the loopback interface. This is necessary because many services on the firewall machine communicate back to the same machine via loopback.
  • Rule 2: permits ssh access from the internal network to the firewall machine. Notice the service object "ssh" in the column "Service". This object can be found in the Standard objects library, folder Services/TCP.

pict_310

Policy rules belong to the object "Policy", which is a child object of the firewall and can be found in the tree right below it. As with any other object in Firewall Builder, the Policy object has some attributes that you can edit if you double click on it in the tree.

  • A Policy can be IPv4 only, IPv6 only, or combined IPv4 and IPv6. In the latter case you can use a mix of IPv4 and IPv6 address objects in the same policy (in different rules) and Firewall Builder will automatically figure out which one is which and sort them out.
  • A Policy can translate to only the mangle table, or to a combination of the filter and mangle tables. Again, in the latter case the policy compiler decides which table to use based on the rule action and service object. Some actions, such as "Tag" (which translates into the iptables target MARK), go into the mangle table.
  • "Top ruleset" means that the compiler will place the generated iptables rules into the built-in chains INPUT/OUTPUT/FORWARD. If the policy is not marked as "top ruleset", the generated rules go into a user-defined chain with the same name as the policy object.

pict_320

Here are preconfigured NAT rules.

  • Rule 0: tells the firewall that no address translation should be done for packets coming from network 192.168.2.0 going to 192.168.1.0 (because Translated Source, Translated Destination and Translated Service are left empty)
  • Rule 1: packets coming to the firewall from internal and DMZ networks should be translated so that source address will change and become that of the outside interface of the firewall.
  • Rule 2: packets coming from the Internet to the interface “outside” will be translated and forwarded to the internal server on DMZ represented by the host object “server on dmz”.

pict_330
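To make the rules above concrete in iptables terms, here is an added example of hand-written equivalents of policy rules 0-2 and NAT rules 0-2. This is not fwbuilder's generated output; the interface names, the DMZ network 192.168.2.0/24 and the DMZ server address 192.168.2.10 are assumptions, and the "no translation" rule is written for both directions between DMZ and internal network, which goes slightly beyond NAT rule 0 as described. The functions emit the commands as text so the result can be reviewed, or diffed against the compiled guardian.fw, before anything is applied on the firewall.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated output: hand-written iptables
# equivalents of the template's policy rules 0-2 and NAT rules 0-2, emitted
# as text so they can be reviewed or diffed against guardian.fw before use.
# Values marked "assumed" are not in the tutorial.
IPTABLES="${IPTABLES:-/sbin/iptables}"
OUTSIDE_IF=eth0; OUTSIDE_IP=192.0.2.1        # template: guardian:eth0:ip
INSIDE_IF=eth1;  INSIDE_NET=192.168.1.0/24   # template: guardian:eth1:ip
DMZ_NET=192.168.2.0/24                       # assumed DMZ network
DMZ_SERVER=192.168.2.10                      # assumed address of "server on dmz"

# Policy rule 0 (anti-spoofing): anything arriving on the outside interface
# that claims a firewall, internal or DMZ source address is dropped, both for
# the firewall itself (INPUT) and for forwarded traffic (FORWARD).
antispoof_rules() {
    for src in "$OUTSIDE_IP" "$INSIDE_NET" "$DMZ_NET"; do
        echo "$IPTABLES -A INPUT -i $OUTSIDE_IF -s $src -j DROP"
        echo "$IPTABLES -A FORWARD -i $OUTSIDE_IF -s $src -j DROP"
    done
}

# Policy rule 1: local services talk to each other over loopback.
loopback_rules() {
    echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
    echo "$IPTABLES -A OUTPUT -o lo -j ACCEPT"
}

# Policy rule 2: ssh to the firewall only from the internal network.
# The ESTABLISHED,RELATED rules in the generated "automatic rules" block
# handle the replies, so only NEW connections need to be matched here.
ssh_rule() {
    echo "$IPTABLES -A INPUT -i $INSIDE_IF -s $INSIDE_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
}

# NAT rules 0-2: no translation between DMZ and internal network (an ACCEPT in
# the nat table stops further NAT processing), source NAT of both networks to
# the outside address, and DNAT of inbound traffic to the DMZ server.
nat_rules() {
    echo "$IPTABLES -t nat -A POSTROUTING -s $DMZ_NET -d $INSIDE_NET -j ACCEPT"
    echo "$IPTABLES -t nat -A POSTROUTING -s $INSIDE_NET -d $DMZ_NET -j ACCEPT"
    echo "$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE_IF -s $INSIDE_NET -j SNAT --to-source $OUTSIDE_IP"
    echo "$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE_IF -s $DMZ_NET -j SNAT --to-source $OUTSIDE_IP"
    echo "$IPTABLES -t nat -A PREROUTING -i $OUTSIDE_IF -d $OUTSIDE_IP -j DNAT --to-destination $DMZ_SERVER"
}

# Order matters: the anti-spoofing drops must precede anything that accepts
# traffic on the outside interface, and the nat-table ACCEPTs must precede
# the SNAT rules or DMZ<->internal traffic would be rewritten too.
generate_ruleset() {
    antispoof_rules
    loopback_rules
    ssh_rule
    nat_rules
}

# Review first:            generate_ruleset
# Apply on the firewall:   generate_ruleset | sh -e        (as root)
```

The generated guardian.fw already sets the default policies to DROP and flushes every table before adding rules; the commands above are what the template's user rules reduce to after that preamble, so reading them side by side with the compiled script is a quick sanity check that the policy says what the GUI rules suggest.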

Now we should be ready to compile the policy of the firewall guardian and generate the iptables script. To do this, select the firewall in the tree and click the right mouse button. Choose the item "Compile" in the pop-up menu. The dialog that appears lists all firewall objects defined in the objects tree and lets you select which ones should be compiled. The firewall guardian has just been created and has never been compiled, and the dialog shows that. Make sure the checkbox next to the firewall object guardian is checked and click the button "Next".

pict_340

Firewall Builder calls the policy compiler (which is, by the way, an external program that can also be used on the command line). The next page of the dialog shows the compiler's progress and result.

pict_350

The compiler generates the iptables script in a file with the same name as the firewall object and the extension ".fw". The file is placed in the same directory as the .fwb data file.

$ ls -la test2.fwb guardian.fw
-rwxr-xr-x 1 vadim vadim 11253 2009-02-16 16:41 guardian.fw
-rw-r--r-- 1 vadim vadim 24696 2009-02-16 16:41 test2.fwb

Here is how the generated script looks. This is just a fragment from the middle to show some generated iptables commands.

# ================ IPv4
# ================ Table 'filter', automatic rules

$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ================ Table 'nat', rule set NAT
# NAT compiler errors and warnings:
#
#
# Rule 0 (NAT)
#
echo "Rule 0 (NAT)"
#
# no need to translate
# between DMZ and
# internal net
#
$IPTABLES -t nat -A POSTROUTING -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT

Now you can transfer it to the firewall and execute it there to install the iptables rules. However, it is much more convenient to use the built-in policy installer to do this. To use the installer, click the right mouse button on the firewall object in the tree and use the menu item Install. Firewall Builder will compile the policy if necessary and then open a dialog where you can configure the parameters of the installer. Here you need to enter the password to authenticate to the firewall. Once you click OK, the installer connects to the firewall using the ssh client. First, it copies the generated script to the directory /etc on the firewall (or a different one, if configured in the Installer tab of the firewall settings dialog), then it runs this script and checks for errors. Its progress is visible in the panel of the installer wizard, just like the progress of the policy compiler.

pict_370
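One caveat a practitioner wants at this step: a mistake in the policy (the wrong source network in rule 2, say) silently cuts off the very ssh session the installer relies on, and a firewall with default policy DROP then needs console access. Below is an added example, not fwbuilder's installer, of activating a generated script with a timed rollback: the running rule set is saved with iptables-save, the script is run (a failing script restores immediately), and a detached watchdog restores the saved rules after GRACE seconds unless the operator, having confirmed that a fresh ssh login still works, cancels it. The snapshot path, the grace period and the binary paths are assumptions.

```shell
#!/bin/sh
# Added example, not fwbuilder's installer: activate a generated script on the
# firewall with a timed rollback, so a policy that locks out your own ssh
# session is undone automatically unless confirmed within GRACE seconds.
# Paths and the snapshot location are assumptions.
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
SNAPSHOT="${SNAPSHOT:-/var/tmp/iptables.before-install}"
GRACE="${GRACE:-60}"

# Save the running rule set (all tables) before touching anything.
snapshot_rules() {
    "$IPTABLES_SAVE" > "$SNAPSHOT"
}

# Run the generated script; if any command in it fails, restore at once.
run_policy() {
    if ! sh -e "$1"; then
        "$IPTABLES_RESTORE" < "$SNAPSHOT"
        return 1
    fi
}

# Start a detached watchdog (nohup, so losing the ssh session does not kill
# it) that restores the snapshot after GRACE seconds. Prints the watchdog
# PID; pass it to confirm_policy to cancel the rollback.
schedule_rollback() {
    nohup sh -c 'sleep "$1" && "$2" < "$3"' rollback \
        "$GRACE" "$IPTABLES_RESTORE" "$SNAPSHOT" >/dev/null 2>&1 &
    echo $!
}

# Cancel the pending rollback once a new ssh login has been verified.
confirm_policy() {
    kill "$1" 2>/dev/null
}

# activate_policy /etc/guardian.fw  -> prints the watchdog PID (or fails)
activate_policy() {
    snapshot_rules
    run_policy "$1" || return 1
    schedule_rollback
}
```

Typical use on the firewall: `pid=$(activate_policy /etc/guardian.fw)`, open a second ssh session to prove the new policy still admits you, then `confirm_policy "$pid"`; if the second session cannot connect, do nothing and the old rules return by themselves. iptables-save and iptables-restore are the natural snapshot format here because they capture every table and chain in one pass, including the nat rules the generated script also rewrites.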

This guide walked you step by step through the process of creating of a firewall object, making some minor changes in its parameters and policy rules, compiling the policy and activating it on the firewall machine. This guide did not touch advanced topics such as built-in revision control system, working with multiple data files, working with multiple firewall objects, IPv6. You can find documentation and guides on these topics and more on our project web site at http://www.fwbuilder.org.

Technical Documents

WordPress Changing File Permissions

28 July 2009

On computer filesystems, different files and directories have permissions that specify who and what can read, write, modify and access them. This is important because WordPress may need access to write to files in your wp-content directory to enable certain functions.

Permission Modes

  7       5     5
 user   group  world
 r+w+x  r+x    r+x
 4+2+1  4+0+1  4+0+1  = 755

The permission mode is computed by adding up the following values for the user (owner), the file's group, and everyone else. The diagram shows how.

  • Read 4 – allowed to read the file (for a directory: list its entries)
  • Write 2 – allowed to write to or modify the file (for a directory: create, rename and delete entries in it)
  • eXecute 1 – allowed to execute the file (for a directory: enter it and reach the files inside)

  6      4      4
 user   group  world
 r+w    r      r
 4+2+0  4+0+0  4+0+0  = 644

Example Permission Modes

Mode  Str Perms   Explanation
0477  -r--rwxrwx  owner has read only (4), group and others have rwx (7)
0677  -rw-rwxrwx  owner has rw only (6), group and others have rwx (7)
0444  -r--r--r--  all have read only (4)
0666  -rw-rw-rw-  all have rw only (6)
0400  -r--------  owner has read only (4), group and others have no permission (0)
0600  -rw-------  owner has rw only, group and others have no permission
0470  -r--rwx---  owner has read only, group has rwx, others have no permission
0407  -r-----rwx  owner has read only, others have rwx, group has no permission
0670  -rw-rwx---  owner has rw only, group has rwx, others have no permission
0607  -rw----rwx  owner has rw only, group has no permission and others have rwx

See the full list from 0000 to 0777.

Permission Scheme for WordPress

All files should be owned by your user account on your web server, and should be writable by your username. Any file that needs write access from WordPress should be group-owned by the user account used by the web server. For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run as a separate user, in a separate group, such as dhapache or nobody.

The file and folder permissions of WordPress should be the same for most users, depending on the type of installation you performed and the umask settings of your system environment at the time of install.

NOTE: If you installed WordPress yourself, you likely do not need to modify file permissions. Unless you are experiencing problems with permission errors, or you want to, you probably should not mess with this.

For core WordPress files, all should be writable only by your user account. However, if you utilize mod_rewrite Permalinks or other .htaccess features you should make sure that WordPress can also write to your /.htaccess file.
If you want to use the built-in theme editor, all files need to be group writable. Try using it before modifying file permissions, it should work.

Some plugins require the /wp-content/ folder be made writeable, but in such cases they will let you know during installation. In some cases, this may require assigning 755 permissions or higher (e.g. 777 on some hosts). The same is true for /wp-content/cache/ and maybe /wp-content/uploads/

Additional directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions will vary.

/
|- index.php
|- wp-admin
|   `- wp-admin.css
|- wp-blog-header.php
|- wp-comments-post.php
|- wp-commentsrss2.php
|- wp-config.php
|- wp-content
|   |- cache
|   |- plugins
|   |- themes
|   `- uploads
|- wp-cron.php
|- wp-includes
`- xmlrpc.php

Using an FTP Client

FTP programs (“clients”) allow you to set permissions for files and directories on your remote host. This function is often called chmod or set permissions in the program menu.

In a WordPress install, two files that you will probably want to alter are the index page, and the css which controls the layout. Here’s how you change index.php – the process is the same for any file.

In the screenshot below, look at the last column – that shows the permissions. It looks a bit confusing, but for now just note the sequence of letters.

Initial permissions

Right-click ‘index.php’ and select ‘File Permissions’
A popup screen will appear.

Altering file permissions

Don’t worry about the check boxes. Just delete the ‘Numeric value:’ and enter the number you need – in this case it’s 666. Then click OK.

Permissions have been altered

You can now see that the file permissions have been changed.

Unhide the hidden files

By default, most FTP Clients, including FileZilla, keep hidden files, those files beginning with a period (.), from being displayed. But, at some point, you may need to see your hidden files so that you can change the permissions on that file. For example, you may need to make your .htaccess file, the file that controls permalinks, writeable.

To display hidden files in FileZilla, select 'View' from the top menu, then select 'Show hidden files'. The screen display of files will refresh and any previously hidden file should come into view.

To get FileZilla to always show hidden files – under Edit, Settings, Remote File List, check the Always show hidden files box.

Using the Command Line

If you have shell/SSH access to your hosting account, you can use chmod to change file permissions, which is the preferred method for experienced users. Before you start using chmod it would be recommended to read some tutorials to make sure you understand what you can achieve with it. Setting incorrect permissions can take your site offline, so please take your time.

You can make all the files in your wp-content directory writable in two steps, but before making every single file and folder writable you should first try safer alternatives, such as modifying just the directory. Try each of these commands first and, if they don't work, go recursive, which will make even your theme's image files writable. Replace DIR with the folder you want to write in. Note that every mode below keeps the owner at 7 and only changes what the group and everyone else may do; which of those two the web server falls into depends on the group ownership described above.

chmod 746 -v DIR
chmod 747 -v DIR
chmod 756 -v DIR
chmod 757 -v DIR
chmod 764 -v DIR
chmod 765 -v DIR
chmod 766 -v DIR
chmod 767 -v DIR

If those fail to allow you to write, try them all again in order, except this time replace -v with -R, which will recursively change each file located in the folder. If after that you still can't write, you may now try 777.

About Chmod

chmod is a Unix command that means "change mode" on a file. The -R flag means to apply the change to every file and directory inside of wp-content. 766 is the mode we are changing the directory to; it means that the directory is readable and writable by WordPress and by any and all other users on your system. Finally, we have the name of the directory we are going to modify, wp-content. If 766 doesn't work, you can try 777, which makes all files and folders readable, writable, and executable by all users, groups, and processes.

If you use Permalinks you should also change the permissions of .htaccess to make sure that WordPress can update it when you change settings such as adding a new page, redirect, category, etc., which requires updating the .htaccess file when mod_rewrite Permalinks are being used.

  1. Go to the main directory of WordPress
  2. Enter chmod -v 666 .htaccess
NOTE: From a security standpoint, even a small amount of protection is preferable to a world-writeable directory. Start with low permissive settings like 744, working your way up until it works. Only use 777 if necessary, and hopefully only for a temporary amount of time.

The dangers of 777

The crux of this permission issue is how your server is configured. The username you use to FTP or SSH into your server is most likely not the username used by the server application itself to serve pages.

  7      7      7
 user   group  world
 r+w+x  r+w+x  r+w+x
 4+2+1  4+2+1  4+2+1  = 777

Often the Apache server is 'owned' by the dhapache or nobody user accounts. These accounts have a limited amount of access to files on the server, for a very good reason. By setting files and folders owned by your user account to be world-writable, you are making them writable by every account on the host, not just yours. Now the dhapache and nobody users that run your server, serving pages, executing PHP interpreters, etc., will have full access to your user account's files.

This provides an avenue for someone to gain access to your files by hijacking basically any process on your server; this also includes any other users on your machine. So you should think carefully about modifying permissions on your machine. I've never come across anything that needed more than 767, so when you see 777 ask why it's necessary.

The Worst Outcome

The worst that can happen as a result of using 777 permissions on a folder or even a file, is that if a malicious cracker or entity is able to upload a devious file or modify a current file to execute code, they will have complete control over your blog, including having your database information and password.

Find a Workaround

Its usually pretty easy to have the enhanced features provided by the impressive WordPress plugins available, without having to put yourself at risk. Contact the Plugin author or your server support and request a workaround.

Finding Secure File Permissions

The .htaccess file is one of the files that is accessed by the owner of the process running the server. So if you set the permissions too low, then your server won't be able to access the file and will return an error. Therein lies the method to find the most secure settings: start too restrictive and increase the permissions until it works.

Example Permission Settings

The following example has a custom compiled php-cgi binary and a custom php.ini file located in the cgi-bin directory for executing php scripts. To prevent the interpreter and php.ini file from being accessed directly in a web browser they are protected with a .htaccess file.

Default Permissions (umask 022)

644 -rw-r--r--  /home/user/wp-config.php
644 -rw-r--r--  /home/user/cgi-bin/.htaccess
644 -rw-r--r--  /home/user/cgi-bin/php.ini
755 -rwxr-xr-x  /home/user/cgi-bin/php.cgi
755 -rwxr-xr-x  /home/user/cgi-bin/php5.cgi

Secured Permissions

600 -rw-------  /home/user/wp-config.php
604 -rw----r--  /home/user/cgi-bin/.htaccess
600 -rw-------  /home/user/cgi-bin/php.ini
711 -rwx--x--x  /home/user/cgi-bin/php.cgi
100 ---x------  /home/user/cgi-bin/php5.cgi

.htaccess permissions

644 > 604 – The bit allowing the group owner of the .htaccess file read permission was removed. 644 is normally required and recommended for .htaccess files.

php.ini permissions

644 > 600 – Previously all groups and all users with access to the server could access the php.ini, even by just requesting it from the site. The tricky thing is that because the php.ini file is only used by the php.cgi, we only needed to make sure the php.cgi process had access. The php.cgi runs as the same user that owns both files, so that single user is now the only user able to access this file.

php.cgi permissions

755 > 711 – This file is a compiled php-cgi binary used instead of mod_php or the default vanilla PHP provided by the hosting company. The default permissions for this file are 755, which

php5.cgi permissions

755 > 100 – Because of the setup where the user account is the owner of the process running the php cgi, no other user or group needs access, so we disable all access except execution access. This is interesting because it really works. You can try reading the file, writing to the file, etc.. but the only access you have to this file is to run php scripts. And as the owner of the file you can always change the permission modes back again.

$ cat php5.cgi
cat: php5.cgi: Permission denied
$ ./php5.cgi
Welcome

Technical Documents

Posts tagged hardening WordPress

28 July 2009

Il titolo è ovviamente ad effetto. Dopo aver avuto fra le mani il codice di qualche sito compromesso, ho cominciato a pensare a qualcosa per impedire o mitigare l’effetto di un bug nel codice di WordPress tale da portare ad una intrusione ed all’iniezione di codice malevolo.

Nessuna pretesa di presentare la soluzione definitiva, anzi: chi si occupa di queste cose sa meglio di chiunque altro che ogni software ha innumerevoli modi per essere sovvertito nel funzionamento.

Andiamo con ordine.

L’Hosting

La prima linea di difesa è appunto il metodo di hosting, ossia dove e come è ospitato il nostro blog. Di solito abbiamo a disposizione uno spazio accessibile via FTP (o altri metodi a piacere), un database su MySQL ed un pannello di controllo. Il primo problema viene dal metodo con cui il corrispondente web server accede al nostro spazio: il web server altro non è che un programma che viene eseguito con un certo utente di sistema ed accede in lettura al nostro spazio per prendere i file e presentarli al resto del mondo. Alcuni fornitori adottano la corretta separazione di privilegi fra l’account con cui viene eseguito il web server e l’account con cui accediamo per modificare il nostro sito: il risultato è che i file da noi scritti non possono essere modificati dal web server. Tradotto, vuol dire che se un malintenzionato scopre una falla in WordPress e tenta di sfruttarla per modificare il codice stesso di WordPress, o di scrivere un file aggiuntivo fra quelli del sito, non ci riesce perché il web server ha accesso in sola lettura.

L’effetto collaterale è che alcune funzioni di WordPress non sono disponibili: la modifica dei temi e dei plugin, l’upload di file ed il backup del database su un file nel server. Queste funzioni richiedono appunto che il web server abbia accesso in scrittura e modifica a queste directory e file:

  • wp-content/themes/ e tutti i file presenti in essa per la modifica dei temi
  • wp-content/backup-xxx/ per i backup (se si ha il plugin installato ed attivo)
  • wp-content/uploads/ per i file caricati tramite il manager di WordPress
  • wp-content/plugins/ per i plugin.

Rendere di nuovo utilizzabili queste funzioni è piuttosto facile, al prezzo di diminuire la sicurezza di un po’: si modificano i permessi di accesso ai file ed alle directory interessate consentendo la modifica al web server. E’ pur vero che questa assegnazione può essere granulare, ossia possiamo decidere di permettere solo gli upload, ed assegnare i permessi giusti alla sola directory wp-content/uploads/.

Se invece, come purtroppo succede con alcuni servizi a basso costo, il web server accede con lo stesso account con cui accediamo noi, siamo di fronte ad un potenziale problema di sicurezza che rende molto facile l’attacco da parte di un malintenzionato in presenza di un bug in WordPress che permetta l’iniezione di codice e di file nel sito.
Questo perché il web server può essere costretto a modificare praticamente qualsiasi file fra quelli installati nel nostro sito, e niente glielo impedisce. Nell’altro caso invece, anche in presenza di un bug che permette l’iniezione di codice malevolo, l’operazione fallisce perché il web server non ha i permessi per scrivere o modificare file.

Queste sono le due casistiche che ci si trova di fronte. Nel secondo il rischio è molto maggiore e diventa difficile contrastarlo. Ma qualcosa si può fare. Vediamo.

Le misure minime

Partiamo da alcune impostazioni generali di WordPress:

  • Registrazione degli utenti: se non abbiamo particolari necessità di consentire l’accesso a chiunque voglia registrarsi, è meglio disabilitare la voce relativa alla registrazione aperta a tutti nel pannello di opzioni generali. Gran parte degli attacchi sono facilitati dalla possibilità di registrarsi. In parecchie vecchie versioni di WordPress c’era un bug che permetteva ad un utente registrato di elevare i propri privilegi, anche solo per alcune operazioni, ma tanto bastava ad aprire una breccia nelle difese. Quindi, se non serve, disabilitiamo. Da notare che non è una efficace misura contro lo spam, costringere gli utenti a registrarsi per commentare. Gli spammer non si fanno intimidire, mentre invece si scoraggiano i visitatori “onesti”. E lo spam passa lo stesso. E’ molto più efficace un plugin antispam o la moderazione dei commenti.
  • Cancelliamo i temi non utilizzati: anche quelli “di serie” con WordPress, accertando prima che i file non siano utilizzati dal tema corrente, naturalmente. Se dovesse servire, terremo di scorta il tema di default di WordPress e lo caricheremo sul sito se occorre. Questo perché i file dei temi sono comunque raggiungibili, anche se inutilizzati, ed il percorso per raggiungerli è noto, visto che è uguale per tutte le installazioni. Sono file PHP, quindi passibili di tutti i problemi di qualsiasi altro file PHP. A maggior ragione se il tema non è uno di quelli ufficiali. Potrebbe contenere errori sfruttabili da un malintenzionato, e data la minore diffusione del singolo tema rispetto a WordPress nel complesso, gli eventuali errori potrebbero passare inosservati per molto tempo, esponendo il nostro blog ad un rischio inaccettabile.
  • Cancelliamo i plugin non utilizzati: vale lo stesso discorso fatto per i temi. Anche i plugin sono file PHP, certamente più difficili da raggiungere, nel senso che se sono disabilitati non c’è modo di sapere dall’esterno se siano installati, quindi il lavoro per un malintenzionato è un po’ più difficile. Ma basta guardare quante volte parliamo nel blog stesso dei plugin e dei temi che stiamo provando per capire che troppo spesso l’informazione per il malintenzionato la forniamo noi stessi su un piatto d’argento…

Let's give up editing the theme and plugins from the admin panel

To work on the theme and plugins we will always work on a local copy on our own computer, then transfer the modified files to the server. It is more laborious but infinitely safer. Not to mention that we get to use our favourite editor to modify the theme's or plugins' PHP and CSS files.

To enforce this restriction we need to take write permission away from the web server. If we are in the scenario of a dedicated web server user different from our own, it is enough to set permissions to octal 0644 for files and 0755 for directories starting from wp-content/plugins/ and wp-content/themes/, which means: the owner can read and write, everyone else can only read, instead of the classic 0666 and 0777 recommended to enable editing from the WordPress admin panel.

If instead we are in the worst case, the web server running as our own user, the changes are much less effective, although nothing stops us from applying them: we need to remove write permission altogether, even from ourselves, using octal 0444 for files and 0555 for directories. It is a much weaker measure because write permission can be restored by the owner of the file or directory, who in this case is the same user the web server runs as: if an attacker manages to get in, they can try to restore the permission with a PHP command and from there have free rein. It is still one more obstacle, which does no harm.
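The two permission schemes above, applied to wp-content/plugins/ and wp-content/themes/ with a single shell function, as an added example that is not part of the original post. It assumes a POSIX shell with find and chmod, the standard WordPress directory names, and that the files are owned by our own account (chmod only works on files we own); the "dedicated" mode is the 0644/0755 case, the "shared" mode is the 0444/0555 case. A second function counts what is still group- or world-writable, which is the check to run after any hardening pass.

```shell
# Added example (not from the original post): strip the web server's write
# access from the WordPress theme and plugin trees.
#
# Usage: harden_wp_content /path/to/wp-content [dedicated|shared]
#   dedicated : web server runs as a different user -> files 0644, dirs 0755
#   shared    : web server runs as our own user     -> files 0444, dirs 0555
# Assumes POSIX find/chmod and that we own the files (an assumption).
harden_wp_content() {
  root="$1"
  mode="${2:-dedicated}"
  case "$mode" in
    dedicated) fmode=0644; dmode=0755 ;;
    shared)    fmode=0444; dmode=0555 ;;
    *) echo "unknown mode: $mode (use dedicated|shared)" >&2; return 2 ;;
  esac
  for sub in plugins themes; do
    if [ ! -d "$root/$sub" ]; then
      echo "missing directory: $root/$sub" >&2
      return 1
    fi
    # Directories first, then files; reading a directory only needs r+x,
    # so the later chmod on files still works in "shared" mode.
    find "$root/$sub" -type d -exec chmod "$dmode" {} +
    find "$root/$sub" -type f -exec chmod "$fmode" {} +
  done
}

# Post-check: number of files or directories under $1 that are still
# writable by group (020) or others (002). After hardening this is 0.
count_writable() {
  find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}
```

Run `harden_wp_content /var/www/blog/wp-content dedicated` (path is a placeholder) and then `count_writable /var/www/blog/wp-content/plugins`; a non-zero count means something was missed or was recreated with loose permissions, for example by a plugin that writes its own files. In "shared" mode remember the caveat above: whoever owns the files, including code running inside the web server, can put the write bit back.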

Defusing uploaded files

This one is a bit more complicated, and requires some web server features that might not be enabled. The aim is to prevent a PHP file placed in the upload folder by an attacker from being executed from outside.

If we have user registration disabled we are already in good shape, and this measure is in a sense superfluous. Of course, if there were a bug in WordPress big enough to allow a file upload even without being registered, the first directory that could be used is precisely the upload one: by definition it must be writable by the web server. At that point, just picture a PHP file planted on purpose that includes the configuration file and displays the database user and password, then a second file that allows modifying the database and includes another file, or itself, as a WordPress plugin. Game over.

Well, if our hosting service allows it, PHP execution in the upload directory and all its subdirectories can be disabled by placing a .htaccess file in the upload directory with a single directive:

RemoveHandler .php

The result is that any PHP file placed in that directory is no longer interpreted: if it were requested via the browser it would be treated as a plain text file and its contents displayed, that is, it would not be executed as a PHP script.

This is obviously possible only if the hosting service allows it. Knowing the type of web server installed and the options enabled, the security of WordPress can be improved considerably, at the price, naturally, of some extra inconvenience.
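A quick audit of the upload directory for the two conditions just described, as an added example that is not part of the original post: PHP-like files sitting under wp-content/uploads (WordPress only stores media there, so any such file is suspect) and the presence of the RemoveHandler directive in the directory's .htaccess. It assumes a POSIX shell with find and grep, the standard WordPress directory layout, and that the hosting service honours .htaccess at all, which the text above notes is not a given.

```shell
# Added example (not from the original post): audit a WordPress uploads
# directory. Assumes POSIX find/grep and the standard wp-content/uploads
# layout (both assumptions).

# Print PHP-like files under the uploads tree, one per line.
# The extension list covers the usual names a PHP handler would pick up.
list_php_in_uploads() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# Return 0 if uploads/.htaccess exists and contains a RemoveHandler line
# for .php (the directive shown above), 1 otherwise.
uploads_handler_removed() {
  [ -f "$1/.htaccess" ] && grep -Eq '^[[:space:]]*RemoveHandler[[:space:]].*\.php' "$1/.htaccess"
}

# Overall verdict on stdout: "ok" when no PHP files are present AND the
# handler is removed; "at-risk" otherwise. Findings go to stderr.
audit_uploads() {
  dir="$1"
  status=ok
  n=$(list_php_in_uploads "$dir" | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ]; then
    echo "found $n PHP file(s) under $dir:" >&2
    list_php_in_uploads "$dir" >&2
    status=at-risk
  fi
  if ! uploads_handler_removed "$dir"; then
    echo "no 'RemoveHandler .php' in $dir/.htaccess" >&2
    status=at-risk
  fi
  echo "$status"
}
```

Run `audit_uploads /var/www/blog/wp-content/uploads` (placeholder path) from cron and alert on "at-risk". A PHP file showing up under uploads is the earliest sign of exactly the scenario described above, and worth checking even when the handler is removed, because the planted file may still be included by other code.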

Conclusions

There would still be much more to say. I have deliberately left out fairly overworked topics such as password security, WordPress updates, and spam in comments and trackbacks. Certainly the subject is not within a beginner's reach; as always you need to know what is "under the hood", and these are not things one improvises. The hundreds of compromised WordPress blogs out there on the Net, whose owners I am laboriously trying to warn, show that while writing in a blog is within anyone's reach, maintaining a blog is not exactly trivial.

References
