Showing posts with label hacking. Show all posts
Showing posts with label hacking. Show all posts

Monday, 16 September 2024

How GitHub Advanced Security for Azure DevOps Saves the Day (and Your Reputation)

Let's face it, developers: we've all accidentally committed a secret (or two) to our code repository at some point. Maybe it was an API key, a database password, or that super-secret encryption key you swore you'd never forget. ‍♂️



The problem?  Those exposed secrets can be a hacker's dream come true. A leaked secret can bring your entire application crashing down, wreaking havoc on your data and reputation. Shuddersville.  Many good developers do not pay attention to this critical aspect while working on the code, behaviour which most of the time becomes very costly and painful.

That's where GitHub Advanced Security for Azure DevOps swoops in like a superhero with a cape (well, maybe more like a shield, but you get the idea). This powerful integration brings the muscle of GitHub's security features into your Azure DevOps workflow, so you can identify and squash those secret leaks before they become a disaster.


Here's how GitHub Advanced Security for Azure DevOps saves your bacon:

  • Secret Scanning: It acts like a super-sleuth, scouring your code for any exposed secrets like passwords, tokens, and keys. No more accidental oopsies making it past your commit.
  • Dependency Scanning: Those third-party libraries you love? They can have hidden vulnerabilities. Advanced Security scans your dependencies to expose any weak spots so you can patch them up before they get exploited.
  • CodeQL Code Scanning: This built-in code analysis tool is like a security X-ray for your codebase. It hunts for potential vulnerabilities and coding errors, so you can fix them before they become a problem.

The best part? This security suite integrates seamlessly into your Azure DevOps workflow. No need to jump through hoops or learn a whole new platform. You can find, fix, and prevent security issues all within your familiar Azure DevOps environment. Win-win!

So, ditch the stress of exposed secrets and vulnerable code. Embrace the power of GitHub Advanced Security for Azure DevOps. Your future self (and your security team) will thank you for it.

P.S. Looking for more info? Check out the official documentation to see how to get started with GitHub Advanced Security for Azure DevOps and start building more secure software today!

Tuesday, 10 September 2013

Linux Containers on Virtualbox - Disposal Boxes by Michal Migurski's

Hey look, a month went by and I stopped blogging because I have a new job. Great.
One of my responsibilities is keeping an eye on our sprawling Github account, currently at 326 repositories and 151 members. The current fellows are working on a huge number of projects and I frequently need to be able to quickly install, test and run projects with a weirdly-large variety of backend and server technologies. So, it’s become incredibly important to me to be able to rapidly spin up disposable Linux web servers to test with. Seth clued me in to Linux Containers (LXC) for this:
LXC provides operating system-level virtualization not via a full blown virtual machine, but rather provides a virtual environment that has its own process and network space. LXC relies on the Linux kernel cgroups functionality that became available in version 2.6.24, developed as part of LXC. … It is used by Heroku to provide separation between their “dynos.”
I use a Mac, so I’m running these under Virtualbox. I move around between a number of different networks, so each server container had to have a no-hassle network connection. I’m also impatient, so I really needed to be able to clone these in seconds and have them ready to use.
This is a guide for creating an Ubuntu Linux virtual machine under Virtualbox to host individual containers with simple two-way network connectivity. You’ll be able to clone a container with a single command, and connect to it using a simple <container>.local host name.

The Linux Host

First, download an Ubuntu ISO. I try to stick to the long-term support releases, so I’m using Ubuntu 12.04 here. Get a copy of Virtualbox, also free.
Create a new Virtualbox virtual machine to boot from the Ubuntu installation ISO. For a root volume, I selected the VDI format with a size of 32GB. The disk image will expand as it’s allocated, so it won’t take up all that space right away. I manually created three partitions on the volume:
  1. 4.0 GB ext4 primary.
  2. 512 MB swap, matching RAM size. Could use more.
  3. All remaining space btrfs, mounted at /var/lib/lxc.
Btrfs (B-tree file system, pronounced “Butter F S”, “Butterfuss”, “Better F S”, or “B-tree F S") is a GPL-licensed experimental copy-on-write file system. It will allow our cloned containers to occupy only as much disk space as is changed, which will decrease the overall file size of the virtual machine.
During the OS installation process, you’ll need to select a host name. I used “ubuntu-demo” for this demonstration.

Host Linux Networking

Boot into Linux. I started by installing some basics, for me: git, vim, tcsh, screen, htop, and etckeeper.
Set up /etc/network/interfaces with two bridges for eth0 and eth1, both DHCP. Note that eth0 and eth1 must be commented-out, as in this sample part of my /etc/network/interfaces:
## The primary network interface
#auto eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet dhcp
        dns-nameservers 8.8.8.8
        bridge_ports eth0
        bridge_fd 0
        bridge_maxwait 0

auto br1
iface br1 inet dhcp
        bridge_ports eth1
        bridge_fd 0
        bridge_maxwait 0
Back in Virtualbox preferencese, create a new network adapter and call it “vboxnet0”. My settings are 10.1.0.1, 255.255.255.0, with DHCP turned on.


Shut down the Linux host, and add the secondary interface in Virtual box. Choose host-only networking, the vboxnet0 adapter, and “Allow All” promiscuous mode so that the containers can see inbound network traffic.

The primary interface will be NAT by default, which will carry normal out-bound internet traffic.
  1. Adapter 1: NAT (default)
  2. Adapter 2: Host-Only vboxnet0
Start up the Linux host again, and you should now be able to ping the outside world.
% ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=63 time=340 ms
…
Use ifconfig to find your Linux IP address (mine is 10.1.0.2), and try ssh’ing to that address from your Mac command line with the username you chose during initial Ubuntu installation.
% ifconfig br1

br1       Link encap:Ethernet  HWaddr 08:00:27:94:df:ed  
          inet addr:10.1.0.2  Bcast:10.1.0.255  Mask:255.255.255.0
          inet6 addr: …
Next, we’ll set up Avahi to broadcast host names so we don’t need to remember DHCP-assigned IP addresses. On the Linux host, install avahi-daemon:
% apt-get install avahi-daemon
In the configuration file /etc/avahi/avahi-daemon.conf, change these lines to clarify that our host names need only work on the second, host-only network adapter:
allow-interfaces=br1,eth1
deny-interfaces=br0,eth0,lxcbr0
Then restart Avahi.
% sudo service avahi-daemon restart
Now, you should be able to ping and ssh to ubuntu-demo.local from within the virtual machine and your Mac command line.

No Guest Containers

So far, we have a Linux virtual machine with a reliable two-way network connection that’s resilient to external network failures, available via a meaningful host name, and with a slightly funny disk setup. You could stop here, skipping the LXC steps and use Virtualbox’s built-in cloning functionality or something like Vagrant to set up fresh development environments. I’m going to keep going and set up LXC.

Linux Guest Containers

Install LXC.
% sudo apt-get lxc
Initial LXC setup uses templates, and on Ubuntu there are several useful ones that come with the package. You can find them under /usr/lib/lxc/templates; I have templates for ubuntu, fedora, debian, opensuse, and other popular Linux distributions. To create a new container called “base” use lxc-create with a chosen template.
% sudo lxc-create -n base -t ubuntu
This takes a few minutes, because it needs retrieve a bunch of packages for a minimal Ubuntu system. You’ll see this message at some point:
##
# The default user is 'ubuntu' with password 'ubuntu'!
# Use the 'sudo' command to run tasks as root in the container.
##
Without starting the container, modify its network adapters to match the two we set up earlier. Edit the top of /var/lib/lxc/base/config to look something like this:
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.hwaddr = 00:16:3e:c2:9d:71

lxc.network.type=veth
lxc.network.link=br1
lxc.network.flags=up
lxc.network.hwaddr = 00:16:3e:c2:9d:72
An initial MAC address will be randomly generated for you under lxc.network.hwaddr, just make sure that the second one is different.
Modify the container’s network interfaces by editing /var/lib/lxc/base/rootfs/etc/network/interfaces (/var/lib/lxc/base/rootfs is the root filesystem of the new container) to look like this:
auto eth0
iface eth0 inet dhcp
        dns-nameservers 8.8.8.8

auto eth1
iface eth1 inet dhcp
Now your container knows about two network adapters, and they have been bridged to the Linux host OS virtual machine NAT and host-only adapters. Start your new container:
% sudo lxc-start -n base
You’ll see a normal Linux login screen at first, use the default username and password “ubuntu” and “ubuntu” from above. The system starts out with minimal packages. Install a few so you can get around, and include language-pack-en so you don’t get a bunch of annoying character set warnings:
% sudo apt-get install language-pack-en
% sudo apt-get install git vim tcsh screen htop etckeeper
% sudo apt-get install avahi-daemon
Make a similar change to the /etc/avahi/avahi-daemon.conf as above:
allow-interfaces=eth1
deny-interfaces=eth0
Shut down to return to the Linux host OS.
% sudo shutdown -h now
Now, restart the container with all the above modifications, in daemon mode.
% sudo lxc-start -d -n base
After it’s started up, you should be able to ping and ssh to base.local from your Linux host OS and your Mac.
% ssh ubuntu@base.local

Cloning a Container

Finally, we will clone the base container. If you’re curious about the effects of Btrfs, check the overall disk usage of the /var/lib/lxc volume where the containers are stored:
% df -h /var/lib/lxc

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        28G  572M   26G   3% /var/lib/lxc
Clone the base container to a new one, called “clone”.
% sudo lxc-clone  -o base -n clone
Look at the disk usage again, and you will see that it’s not grown by much.
% df -h /var/lib/lxc

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        28G  573M   26G   3% /var/lib/lxc
If you actually look at the disk usage of the individual container directories, you’ll see that Btrfs is allowing 1.1GB of files to live in just 573MB of space, representing the repeating base files between the two containers.
% sudo du -sch /var/lib/lxc/*

560M /var/lib/lxc/base
560M /var/lib/lxc/clone
1.1G total
You can now start the new clone container, connect to it and begin making changes.
% sudo lxc-start -d -n clone
% ssh ubuntu@clone.local

Conclusion

I have been using this setup for the past few weeks, currently with a half-dozen containers that I use for a variety of jobs: testing TileStache, installing Rails applications with RVM, serving Postgres data, and checking out new packages. One drawback that I have encountered is that as the disk image grows, my nightly time machine backups grow considerably. The Mac host OS can only see the Linux disk image as a single file.
On the other hand, having ready access to a variety of local Linux environments has been a boon to my ability to quickly try out ideas. Special thanks again to Seth for helping me work through some of the networking ugliness.

Further Reading

Tao of Mac has an article on a similar, but slightly different Virtualbox and LXC setup. They don’t include the promiscuous mode setting for the second network adapter, which I think is why they advise using Avahi and port forwarding to connect to the machine. I believe my way here might be easier.
Shift describes a Vagrant and LXC setup that skips Avahi and uses a plain hostnames for internal connectivity.

The Owner of this post is Michal Migurski
Find is Blog here http://mike.teczno.com/notes/disposable-virtualbox-lxc-environments.html 

Thursday, 11 July 2013

Solve VMWare Workstation 9 Error on Linux Kernel 3.8.0-26



I have VMware Workstations 9 installed on my uBuntu 13 machine and today without any apparent reason it stop working throwing me the following error, every time I've tried to boot up any VM machine.


To solver the problem .. here is what I have done ... created bash script to handle problems with VMware Player on 13.04 ...




  • #!/bin/bash
  • if [[ $UID != 0 ]]; then
  •     echo "Please run this script with sudo:"
  •     echo "sudo $0 $*"
  •     exit 1
  • fi
  • sudo ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux/version.h
  • cd /usr/lib/vmware/modules/source
  • sudo tar -xf vmci.tar
  • cd vmci-only
  • sudo sed '127s/.*/   .remove = vmci_remove_device,/' driver.c > driver.c.tmp
  • mv driver.c.tmp driver.c
  • sudo sed '1753s/.*/static int/' driver.c > driver.c.tmp
  • mv driver.c.tmp driver.c
  • sudo sed '1981s/.*/static void/' driver.c > driver.c.tmp
  • mv driver.c.tmp driver.c
  • cd ..
  • sudo tar -cf vmci.tar vmci-only/
  • sudo rm vmci-only/ -Rf
  • sudo vmware-modconfig --console --install-all
  • sudo rm /usr/src
  • Before write the script I've open the terminal and type " #sudo kate " then when kate opened I entered the script and saved on " /usr/src/open-vm-tools-xxxx.xx.xx" (replace the x with year month and day) and save it. Then close Kate

    The Open terminal again and do the following;


    after you should have VMware workstation running...



    This is another posting showing "how to do computing" for everyday computer usages... For a general public

    Friday, 21 June 2013

    Friday, 7 June 2013

    POSSIBLE WordPress Under Attack again !!!

    ALERT - ALERT - WordPress Based website under attack Again !!!



    Potential WordPress problem (Brute Force attack against WordPress websites)
    We have monitored on-going brute-force attack against WordPress websites, in order to keep your WordPress website secure, we recommend you do the following:

    1. Please change your password for WordPress admin area.

    2. Go to your cPanel > File Manager and find your wp-login.php file.



    Temporary rename wp-login.php file (for example into wp-login1.php).

    You need to change a line in your wp-login.php to reflect the change to the file name. Its line 671 where the form action refers to wp-login.php

    -------------------------Update---------------------------

    wp-login.php is temporary disabled because of huge brute force attack. Please rename wp-login.php to something else.

    Thursday, 4 April 2013

    HOW TO Solve issue Nvidia & X.org Server Problems on Linux or BackTrack5


    1. I spent a week trying to resolve the error generated by X.org Server and Nvidia drivers, and I think I've finally solved.
      This is the solution for my Nvidia GT540M & Intel i7-2670QM (ASUS X53SV-SX598V)
      1. Download NVIDIA driver from here: http://www.nvidia.com/object/unix.html.
      I use Linux x86_64/AMD64/EM64T (NVIDIA-Linux-x86_64-285.05.09.run) for my system at 64bit
      2. Install system updates
      Code:
      sudo apt-get update && sudo apt-get upgrade
      3. Install linux-header to the upgraded kernel
      Code:
      sudo apt-get install linux-headers-$(uname -r)
      4. If dkms and build essential haven't been installed
      Code:
      sudo apt-get install dkms build-essential
      5. Open blacklist.conf file to add some lines (I use vi command)
      Code:
      vi /etc/modprobe.d/blacklist.conf
      6. Press i and after others “blacklist” list add this list
      Code:
      blacklist vga16fb
      blacklist nouveau
      blacklist rivafb
      blacklist nvidiafb
      blacklist rivatv
      7. After that, press ESC and type :wq (this write the file)
      8. Make grub.cfg writable
      Code:
      chmod +w /boot/grub/grub.cfg
      9. Open grub.cfg file
      Code:
      vi /boot/grub/grub.cfg
      10. Find text splash text inside the document and add nouveau.modeset=0 text like this
      Code:
      text splash nouveau.modeset=0 vga=791
      11. After that, press ESC and type :wq (this write the file)
      12. Disable writable mode to grub.cfg file
      Code:
      chmod -w /boot/grub/grub.cfg
      13. Update grub.cfg file
      Code:
      update-grub‎
      14. Reboot
      15. Login and don’t write startx
      16. Remove all previous Nvidia drivers
      Code:
      sudo apt-get --purge remove nvidia-*
      17. Remove default drivers
      Code:
      sudo apt-get --purge remove xserver-xorg-video-nouveau
      18. Chmod the nvidia driver file
      Code:
      chmod a+x NVIDIA-Linux-x86_64-285.05.09.run
      19. Run the nvidia driver*
      Code:
      sh ./NVIDIA-Linux-x86_64-285.05.09.run
      *If you use a 64bit system don’t install the OpenGL 32bit
      20. Reboot

      If you have a problem like this:
      Code:
       
      X.Org X Server 1.7.6
      Release Date: 2010-03-17
      X Protocol Version 11, Revision 0
      Build Operating System: Linux 2.6.24-28-server x86_64 Ubuntu
      [...]
      Fatal server error:
      no screens found

      It means that the automatic writing of xorg.conf (nvidia-xconfig command) during installation is not successful., but the driver has been installed correctly.
      To solve this problem just delete the xorg.conf file:

      Code:
      rm /etc/X11/xorg.conf
      When you restart the PC the file xorg.conf file will be created automatically.
      Reebot and type
      Code:
      startx
      I hope it helps

    Thursday, 21 March 2013

    How to Disable Guest Account Login on Ubuntu



    By default ubuntu 12.04 comes with guest account.You can disable this account using the following procedure.Guest account is a paswordless account which allow users to get access to Ubuntu machine


    Open /etc/lightdm/lightdm.conf file from your terminal using the following command
    gksudo gedit /etc/lightdm/lightdm.conf
    Add the following line
    allow-guest=false
    Save and exit the file
    After adding the above line you should see similar to the following in lightdm.conf file
    [SeatDefaults]
    user-session=ubuntu
    greeter-session=unity-greeter
    allow-guest=false
    Finally you have to restart lightdm using the following command from your terminal
    sudo restart lightdm
    Note:- After executing above command all graphical programs running will be close

    Thursday, 13 December 2012

    Using Virtual Ethernet Adapters in Promiscuous Mode on a Linux Host


    VMware Workstation does not allow the virtual Ethernet adapter to go into promiscuous mode unless the user running VMware Workstation has permission to make that setting. This follows the standard Linux practice that only root can put a network interface into promiscuous mode.

    When you install and configure VMware Workstation, you must run the installation as root. VMware Workstation creates the VMnet devices with root ownership and root group ownership, which means that only root has read and write permissions to the devices.

    To set the virtual machine's Ethernet adapter to promiscuous mode, you must launch VMware Workstation as root because you must have read and write access to the VMnet device. For example, if you are using bridged networking, you must have access to /dev/vmnet0.

    To grant selected other users read and write access to the VMnet device, you can create a new group, add the appropriate users to the group and grant that group read and write access to the appropriate device. You must make these changes on the host operating system as root (su -). For example, you can enter the following commands:

    chgrp <newgroup> /dev/vmnet0

    chmod g+rw /dev/vmnet0

    <newgroup> is the group that should have the ability to set vmnet0 to promiscuous mode.
    The command to run vmware workstations ads root is simple: user@user#:~$ sudo vmware start

    If you want all users to be able to set the virtual Ethernet adapter (/dev/vmnet0 in our example) to promiscuous mode, run the following command on the host operating system as root:

    chmod a+rw /dev/vmnet0


    This is another posting showing "how to do computing" for everyday computer usages... For a general public

    VMware on Linux : Running in Permiscuous Mode


     VMware on Linux: Promiscuous Mode

    When VMware Workstation is hosted under Linux, by default it doesn't allow VM Guests to access the network in Promiscuous mode.  There's an easy fix for this...

    If you run something like Wireshark from a VM Guest, you'll see VMware display an error message.

    The problem lies with the permissions on the Host.  When VMware is started without root privileges, it doesn't have the permissions necessary to access the /dev/vmnet0 device.

    A quick temporary bodge is to use chgrp and chmod on the Host, to tweak the permissions on /dev/vmnet* until the next reboot (where yourgroup is a group that your user account is in - typically admin on my Ubuntu machines):
       chgrp yourgroup /dev/vmnet*
       chmod g+rw /dev/vmnet*

    A more permanent fix is to edit /etc/init.d/vmware on the Host, and tweak the ownership and permissions when the device is created, by adding the lines in red:
      # Start the virtual ethernet kernel service
       vmwareStartVmnet() {
          vmwareLoadModule $vnet
          "$BINDIR"/vmware-networks --start >> $VNETLIB_LOG 2>&1
          chgrp yourgroup  /dev/vmnet*
          chmod g+rw /dev/vmnet*

    After you restart the Host's VMware daemon ...

       /etc/init.d/vmware stop
       /etc/init.d/vmware start

    you'll be able to boot your Guest VM, and use Wireshark or whatever in the Guest.  Just Remember!   Your VM Guest's Network Adapter must be set to BRIDGED (connected directly to the physical network), not NAT (used to share the host's IP address).

    Aside: I did think it ought be possible to achieve the same effect a little more cleanly, by creating a file in /etc/udev/rules.d to set the desired ownership and permission modes for /dev/vmnet*.  But nothing I've tried has worked.  Anyone?

    How to check for open ports on Linux

    Checking for open ports is among the first steps to secure your device. Listening services may be the entrance for attackers who may exploit...