Linux User Group of Mauritius Promoting open source software in our beautiful island

24Dec/150

Find user IP address with Cloudflare & Nginx

Posted by Ish

A content delivery network (CDN) is a distributed network of servers that delivers content, typically webpages, to users based on their geographic location. A CDN would serve you from a less distant location on the network.

CloudFlare provides such a CDN service. A friend recommended me to use CloudFlare around a year or so, and I do not regret accepting.

Find user IP address with Cloudflare & Nginx

CloudFlare Global Network, Source: cloudflare.com

I noticed considerable performance gain when I switched to CloudFlare.

PING hacklog.mu (104.28.11.229) 56(84) bytes of data.
64 bytes from 104.28.11.229: icmp_seq=1 ttl=51 time=114 ms
64 bytes from 104.28.11.229: icmp_seq=2 ttl=51 time=115 ms
64 bytes from 104.28.11.229: icmp_seq=3 ttl=51 time=113 ms
64 bytes from 104.28.11.229: icmp_seq=4 ttl=51 time=113 ms
64 bytes from 104.28.11.229: icmp_seq=5 ttl=51 time=114 ms

--- hacklog.mu ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 113.856/114.509/115.854/0.847 ms

CloudFlare bundles other features, among which the Firewall allows you to set rules for rogue visitors.

Get the user’s IP address with Nginx

CloudFlare proxies requests to your webserver and as such, your webserver log would record CloudFlare’s IP addresses. In order to obtain the user’s IP address in a request, you would need to activate the True-Client-IP Header from CloudFlare’s administration panel. However, that requires an Enterprise plan. It is not available in the free service.

There is one workaround using the ngx_http_realip_module in Nginx. It allows a change of the client address to one that is specified in the header field. CloudFlare specifies the same in the CF-Connecting-IP field. The technical story can be summed up as follows in the http context of Nginx:

http {

    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header   CF-Connecting-IP;

    ...
}

The IP addresses specified are those of CloudFlare and they can be obtained here. I suggest checking the page from time to time for updates or you might even monitor changes on the page (^^,) …


Ubuntu & openSUSE come bundled with ngx_http_realip_module. If Nginx is complaining about an unknown directive in your distribution, then you most likely need to compile Nginx with the --with-http_realip_module parameter.

The post Find user IP address with Cloudflare & Nginx appeared first on HACKLOG.

Tagged as: No Comments
12Oct/150

How to protect your phone from Stagefright?

Posted by Ish

A few weeks ago, Logan and some fellow geeks had a video podcast about Stagefright; the much feared Android vulnerabilities. News articles around the web have dubbed Stagefright as having the possibility to compromise millions of Android powered handsets. In fact, at the time of writing this blog post many mobile phone manufacturers haven’t yet released updates to fix Stagefright and other reported bugs.

The Stagefright vulnerability was detected and reported by Joshua Drake, the VP of Platform Research and Exploitation and an expert at Zimperium zLabs. To verify if a mobile phone is vulnerable to Stagefright, one may use the Stagefright Detector app by Zimperium INC.

stagefright-vulnerabilities

What is Stagefright?

Stagefright is a group of ‘bugs’ that have been identified and are potentially exploitable in the Android operating system. More information about these vulnerabilities are published under the following CVEs at cve.mitre.org:

CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
CVE-2015-3864

How does Stagefright work?

The attack happens by exploiting vulnerabilities in the Multimedia Messaging Service (MMS). An attacker can include a piece of malicious code in a video and send the same through MMS. Most handsets have the “auto-retrieve” feature enabled. Therefore, the code gets executed on the phone even if the phone’s owner does not open the message. This happens during the auto-retrieval of the message.

Depending on what sort of code is run, an attacker may get the ability to control the phone, execute commands, copy/delete files, trigger the camera at will etc.

How to protect your phone from Stagefright?

The best protection would come through security patches released by the phone manufacturer. Alas, until that happens, one is left with a vulnerable phone. Therefore, to mitigate a Stagefright attack, one could disable the “auto-retrieve” feature. To do so, navigate to:

Messages > Settings > Multimedia Message (MMS)

Thereby, disable the “auto-retrieve” feature.

stagefright-mms-auto-retrieve

However, this will only “mitigate” the attack. The malicious code does not get executed through auto-retrieval, but it will execute if the message is opened by someone.

To enforce an added security, one may disable the MMS functionality since it is not much a messaging tool used nowadays. To do so, go to:

Settings > Wireless & Networks > More > Mobile Networks > Access Point Names

You should normally find two APNs, one for SMS and one for MMS. I am subscribed to Orange Mauritius and the MMS APN is listed as “MMS Orange”. Once you have identified the correct APN, tap it and scroll down to the “APN enable/disable” option. That’s it. You may disable the MMS APN which will prevent your phone from both sending and receiving MMS.

mms-apn-disable

The post How to protect your phone from Stagefright? appeared first on HACKLOG.

12Oct/150

How to protect your phone from Stagefright?

Posted by Ish

A few weeks ago, Logan and some fellow geeks had a video podcast about Stagefright; the much feared Android vulnerabilities. News articles around the web have dubbed Stagefright as having the possibility to compromise millions of Android powered handsets. In fact, at the time of writing this blog post many mobile phone manufacturers haven’t yet released updates to fix Stagefright and other reported bugs.

The Stagefright vulnerability was detected and reported by Joshua Drake, the VP of Platform Research and Exploitation and an expert at Zimperium zLabs. To verify if a mobile phone is vulnerable to Stagefright, one may use the Stagefright Detector app by Zimperium INC.

stagefright-vulnerabilities

What is Stagefright?

Stagefright is a group of ‘bugs’ that have been identified and are potentially exploitable in the Android operating system. More information about these vulnerabilities are published under the following CVEs at cve.mitre.org:

CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
CVE-2015-3864

How does Stagefright work?

The attack happens by exploiting vulnerabilities in the Multimedia Messaging Service (MMS). An attacker can include a piece of malicious code in a video and send the same through MMS. Most handsets have the “auto-retrieve” feature enabled. Therefore, the code gets executed on the phone even if the phone’s owner does not open the message. This happens during the auto-retrieval of the message.

Depending on what sort of code is run, an attacker may get the ability to control the phone, execute commands, copy/delete files, trigger the camera at will etc.

How to protect your phone from Stagefright?

The best protection would come through security patches released by the phone manufacturer. Alas, until that happens, one is left with a vulnerable phone. Therefore, to mitigate a Stagefright attack, one could disable the “auto-retrieve” feature. To do so, navigate to:

Messages > Settings > Multimedia Message (MMS)

Thereby, disable the “auto-retrieve” feature.

stagefright-mms-auto-retrieve

However, this will only “mitigate” the attack. The malicious code does not get executed through auto-retrieval, but it will execute if the message is opened by someone.

To enforce an added security, one may disable the MMS functionality since it is not much a messaging tool used nowadays. To do so, go to:

Settings > Wireless & Networks > More > Mobile Networks > Access Point Names

You should normally find two APNs, one for SMS and one for MMS. I am subscribed to Orange Mauritius and the MMS APN is listed as “MMS Orange”. Once you have identified the correct APN, tap it and scroll down to the “APN enable/disable” option. That’s it. You may disable the MMS APN which will prevent your phone from both sending and receiving MMS.

mms-apn-disable

The post How to protect your phone from Stagefright? appeared first on HACKLOG.

26Sep/150

Privacy Compliance Assessment in Mauritius

Posted by Ish

Privacy is a subject that is poorly understood in Mauritius. I often see local websites collecting information through contact forms yet having no privacy policy or some times the policy is a mere “copy & paste” without considering compliance as per the Data Protection Act 2004 of Mauritius.

Privacy Compliance Assessment in MauritiusCompliance with the Data Protection Act can be a cumbersome process for many. Some might even ignore it as very few people ever question about privacy in Mauritius. Nonetheless, the law remains the law. To help in making privacy simpler to understand and comply with, several months ago, Nadim Bundhoo, Nirvan Pagooah, Ajay Ramjatan, S. Moonesamy and I collaborated on a project, which we called the “Privacy Compliance Assessment” webapp.

The Privacy Compliance Assessment web application can be accessed at http://www.elandsys.com/~sm/privacy-mu.

As per the Data Protection Act, a “data controller” is a person who either alone or jointly with any other person, makes a decision with regard to the purposes for which and in the manner in which any personal data are, or are to be, processed.

A data controller needs to make sure that procedures of collection, processing and storage of personal data as set are compliant with the Data Protection Act 2004 of Mauritius.

We’re thankful to the Data Protection Commissioner, Mrs. Drudeisha Madhub and her team, who provided us the relevant information. The Data Protection Office helped us throughout the project with regular reviews and suggesting amendments.

The Data Protection Commissioner accepted our invitation to introduce the webapp and do a presentation during the Developers Conference 2015.

How does the app work?

The application runs on the client side, that is your Internet browser. The assessment takes you through a series of questions that can be answered with a Yes/No toggle button. At the end of the assessment, you’re told whether your organization is compliant with the Data Protection Act 2004. Information that you provide are not sent back to the server. You may run the assessment as many times as you require.

The web application is released under the GNU General Public License (GPL) version 2. You may use the app, modify it and redistribute it as allowed under GNU GPLv2.

We aim to present “privacy” in a simple way and make “privacy compliance” a bit of a fun thing to achieve :)


On 15 May 2014, I highlighted a major privacy breach on the mnic.mu website where personal data collected through Google Forms were exposed on the Internet.

On 1 June 2014, I reported a data leak on the government web portal that affected over 9,000 people.

On 7 July 2014, I presented security flaws on the government web portal that could lead to data leakage.

On 5 October 2014, I wrote about my concerns over the use of Face recognition CCTV cameras in urban areas of Mauritius.

On 3 October 2014, S. Moonesamy reported privacy concerns with konetou advertising.

On 21 September 2015, S. Moonesamy wrote to the Government Online Centre regarding the “privacy policy” of www.govmu.org.

On 23 September 2015, I wrote to the Ministry of Technology, Communication and Innovation, highlighting my concerns as to the collection of personal data through the “login captcha” on the government web portal.

The post Privacy Compliance Assessment in Mauritius appeared first on HACKLOG.

30Nov/140

Meeting Eddy of Internet Systems Consortium

Posted by Ish

Last Friday, a few members of the Linux User Group of Mauritius organized an « Informal Talk on DNS » at Flying Dodo, Bagatelle Mall.

Eddy Winstead from the Internet Systems Consortium was our guest. He was in Mauritius for AFRINIC-21 and has been delivering talks on BIND.… Read more ➡

The post Meeting Eddy of Internet Systems Consortium appeared first on HACKLOG.

25Oct/140

Shellshock: A survival guide

Posted by Ish

It’s been the hot talk since a few weeks. Well, the presentation was finally due today at the University of Mauritius. Scheduled for 13h00, however I reached at noon. Planned to meet Shelly first and explain her a little about Linux (in general) and then show her what’s Bash.… Read more ➡

The post Shellshock: A survival guide appeared first on HACKLOG.

Tagged as: No Comments
8Jun/140

OpenSSL: More vulnerabilities, CVE-2014-0224

Posted by Ish

Earlier today, Logan, posted on the LUGM facebook group that he has created a online tool (still in beta) that would test if your server is vulnerable to yet another vulnerability that has been recently discovered in OpenSSL. This particular vulnerability is known as CVE-2014-0224.… Read more ➡

The post OpenSSL: More vulnerabilities, CVE-2014-0224 appeared first on HACKLOG.

Tagged as: No Comments