Smathermather's Weblog

Remote Sensing, GIS, Ecology, and Oddball Techniques

Archive for March, 2012

Arming an escaped convict– giving Artillery to a Jailbroken iPod Touch

Posted by smathermather on March 26, 2012

Some achievements are too easy, but that shouldn’t be construed as complaint. This one was pure fun.

Keeping in mind dire warnings of the dangers of rooting my iPod from security professionals I know and respect, I decided to root a spare iPod, so I wouldn’t have to worry so much about security for my primary one with all its precious info.

Once rooted, how would one secure such a device? Let’s throw a honeypot/monitoring/prevention tool at it, say Artillery.

First the rooting/jailbreaking. I used http://blog.iphone-dev.org/tagged/redsn0w to jailbreak my iPod, as it matched up with my iOS version in the list of jailbreaking software at http://en.wikipedia.org/wiki/IOS_jailbreaking. It was wicked easy. Just follow the instructions. At the end it installs http://cydia.saurik.com/ which is an alternate app store/package management suite. For the Linux users out there, this is very familiar. There are three levels to the package categorization: User, Hacker, and Developer. If you want Python like I did, you need to choose Developer.

Next, Python. If you install Python, it auto-installs SSH. This is good. What’s bad is that SSH is automatically turned on– I do wish there was a graphical (iOS) interface for turning SSH on and off, so I could turn it on only when on a dedicated wifi network. Anyway, log in quickly using these instructions: http://cydia.saurik.com/openssh.html and change your password to something secure. Better yet, change your password and then generate some keys to use for login, but that’s another post.

You will also need to install subversion from cydia, plus I recommend a text editor. I chose vim, but I think I’ll probably switch to a less painful vi-like editor soon.

Now the rest is basically the directions on http://secmaniac.com… .


iPod:~/Library root# svn co http://svn.secmaniac.com/artillery artillery/

iPod:~/Library root# cd artillery/
iPod:~/Library/artillery root# ls
artillery.py  config  database    readme    remove_ban.py  restart_server.py  setup.py  src
iPod:~/Library/artillery root# ./setup.py

I did run into one problem which I haven’t solved yet:


iPod:~/Library/artillery root# Unhandled exception in thread started by <function ssh_monitor at 0x61d41c>
Traceback (most recent call last):
File "/private/var/artillery/src/ssh_monitor.py", line 42, in ssh_monitor
for line in fileopen1:
UnboundLocalError: local variable 'fileopen1' referenced before assignment

So, I hacked it for the moment:


iPod:~/Library/artillery root# vim /var/artillery/config

and turned off brute force monitoring. I suspect I can just modify ssh_monitor.py and define fileopen1 in the correct sequence, but haven’t looked under the hood yet.


# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
SSH_BRUTE_MONITOR=OFF
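The following is an added example, not Artillery’s own ssh_monitor.py. It shows the general shape of the UnboundLocalError above (a file handle bound only inside platform-specific branches and then used unconditionally), a selector that reports an unsupported platform instead of crashing, and the brute-force counting such a monitor performs, run over a few constructed auth-log lines. The log paths, the log-line format and the whitelist handling are assumptions.

```python
"""Failed-SSH-login counting over auth-log lines, plus the bug pattern
behind an UnboundLocalError. Added example; not Artillery's code."""
import os
import re
from collections import Counter

# Assumed auth-log locations per platform family. A jailbroken iOS device
# is not listed, which is exactly the case the buggy pattern mishandles.
AUTH_LOG_CANDIDATES = {
    "Linux": ["/var/log/auth.log", "/var/log/secure"],
    "Darwin": ["/var/log/secure.log"],
}

# sshd's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log lines (not real captures).
SAMPLE_LOG = """\
Mar 26 10:01:02 iPod sshd[412]: Failed password for root from 10.0.0.7 port 50213 ssh2
Mar 26 10:01:05 iPod sshd[412]: Failed password for root from 10.0.0.7 port 50214 ssh2
Mar 26 10:01:09 iPod sshd[413]: Failed password for invalid user admin from 10.0.0.7 port 50215 ssh2
Mar 26 10:01:30 iPod sshd[414]: Accepted publickey for mobile from 10.0.0.2 port 50300 ssh2
Mar 26 10:02:00 iPod sshd[415]: Failed password for mobile from 10.0.0.2 port 50301 ssh2
""".splitlines()


def broken_monitor(system):
    """Reconstructed bug pattern (hypothetical, not Artillery's code):
    the handle is bound only in the branches, so any other platform
    reaches the loop with 'fileopen1' unbound."""
    if system == "Linux":
        fileopen1 = open("/var/log/auth.log")
    elif system == "Darwin":
        fileopen1 = open("/var/log/secure.log")
    count = 0
    for line in fileopen1:  # UnboundLocalError on an unlisted platform
        count += 1
    return count


def broken_pattern_fails(system):
    """True when broken_monitor raises UnboundLocalError for this platform."""
    try:
        broken_monitor(system)
    except UnboundLocalError:
        return True
    except OSError:
        return False  # platform listed but log missing: a different error
    return False


def select_auth_log(system, exists=os.path.exists):
    """Fixed pattern: return the first existing candidate log, or None so the
    caller can disable the monitor cleanly instead of crashing a thread."""
    for path in AUTH_LOG_CANDIDATES.get(system, []):
        if exists(path):
            return path
    return None


def failed_logins_by_ip(lines):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ban_candidates(counts, threshold, whitelist=frozenset()):
    """IPs at or above the threshold that are not whitelisted, sorted."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in whitelist)


if __name__ == "__main__":
    import platform
    log = select_auth_log(platform.system())
    if log is None:
        print("no auth log for this platform; SSH brute-force monitor disabled")
        lines = SAMPLE_LOG  # fall back to the constructed sample for a demo
    else:
        with open(log) as f:
            lines = f.readlines()
    counts = failed_logins_by_ip(lines)
    print(counts, ban_candidates(counts, threshold=3, whitelist={"10.0.0.2"}))
```

The whitelist argument is there because, as the posts below note, it is easy to ban your own machines first; the selector returning None is the fix the traceback calls for: decide the log path once, and treat "no log" as "monitor off" rather than letting the thread die.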

Now to restart Artillery:


iPod:~/Library/artillery root# python /var/artillery/restart_server.py

Now, I didn’t really want to ban my laptop, so I opted instead to ban my other iPod by using Scany http://itunes.apple.com/us/app/scany-network-port-scanner/id328077901?mt=8 :

Checking the ban list:


iPod:/var/artillery root# vim /var/artillery/banlist.txt

I see my IP in the banlist. No banning in place though, just constant honeypots. Maybe I need to add iptables… .

–edit– BSD, not Linux… Different firewall rules, à la: http://modmyi.com/forums/iphone-ipod-touch-sdk-development-discussion/733566-iptables-iphone.html

Posted in Security

Beefing up the firewall using Artillery — part 2

Posted by smathermather on March 18, 2012

So, how easy is it to install and use Artillery?  Really easy.  I’ve now installed it on Debian, Ubuntu, and Mac OS X.  But, assuming you don’t believe me, I’ll walk you through the steps.  Warning for my advanced readers– this is an entry-level post… .

Artillery is maintained in a subversion repository, so the best way to get it and keep it up-to-date is with subversion.  On a Mac, you already have subversion installed, so downloading it is as easy as going to the terminal and running:

svn co http://svn.secmaniac.com/artillery artillery/

This will create a subdirectory called artillery.  Change to that directory:

cd artillery/

And look at the contents:

ls

You should see the following:

artillery.py        database        remove_ban.py        setup.py
config            readme            restart_server.py    src

To install, simply run:

sudo ./setup.py

If this doesn’t work, try:

sudo python setup.py

Follow the prompts, and you should be set up. If you want to change the default configuration, have it e-mail you when there are changes to the monitored directories, etc., type:

sudo cp /var/artillery/config /var/artillery/config.backup
sudo chmod -w /var/artillery/config.backup
sudo nano /var/artillery/config

(Of course, if you feel that nano is beneath you, you can use vim or emacs, I guess… .)
When you’re done changing the configuration, just restart the server:

sudo python restart_server.py

Posted in Security

Beefing up the firewall using Artillery

Posted by smathermather on March 13, 2012

We have a project that an external group is helping with, and we wanted a hardened machine for them to ssh into without worries.

For projects like this, I recommend you wander over to secmaniac to see Dave Kennedy’s blog on security related stuff.  He’s got out a relatively new tool (a few months old) that’s (a first for him) on the defensive side of security (as opposed to the breaking stuff side of security) called Artillery.  Now I know, you are probably a geospatial professional and therefore leave the security to someone else (if at all).  Don’t.  It’s no fun to be pwned.

Anyway, I deployed it on Ubuntu 11.10 with great ease, just svn a copy and follow the directions in the readme.  It will re-write your firewall rules, leave some ports of your choice open for sniffing, and then write a permanent deny entry for connecting on your machine’s ports.  I banned my own machines pretty quickly before remembering to whitelist… .  In Dave’s words:

“Artillery is a tool designed to confuse attackers and block them before an actual attack occurs. Artillery is a newer project and does a combination of host monitoring, security hardening, and honeypot type defensive strategies. Artillery has an active component where if it detects a connection on a given port that is triggered as a honeypot, it will automatically block the offending IP address.”

I’m hoping to modify it a bit to handle whitelisting dynamic IPs, but I don’t think I even need to poke under the hood to do that– just write a script to modify the config file whitelist and reload.
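One way to do the dynamic-IP whitelisting described above, as an added example and not Artillery’s own code: resolve the dynamic hostname, rewrite only the whitelist line of the config, and restart the server only when something changed. It assumes the config is KEY=VALUE lines like the snippet in the first post, that the whitelist lives under a WHITELIST_IP key as a comma-separated list, and that the restart command is the one the post shows; the hostname and state-file path are placeholders.

```python
"""Refresh one dynamic IP in an Artillery-style whitelist and restart.
Added example, not Artillery's code. Config format and key name assumed."""
import ipaddress
import re
import socket
import subprocess
import sys

CONFIG_PATH = "/var/artillery/config"                         # path from the post
STATE_PATH = "/var/artillery/dynamic_ip.last"                  # assumed: last IP seen
RESTART_CMD = ["python", "/var/artillery/restart_server.py"]  # restart from the post
KEY = "WHITELIST_IP"                                           # assumed key name

# Constructed sample config in the post's KEY=VALUE style.
SAMPLE_CONFIG = """\
# DO YOU WANT TO MONITOR SSH BRUTE FORCE ATTEMPTS
SSH_BRUTE_MONITOR=OFF
# IP ADDRESSES THAT SHOULD NEVER BE BANNED (assumed key)
WHITELIST_IP=127.0.0.1,192.168.1.10
"""

KEY_RE = re.compile(r"^\s*" + re.escape(KEY) + r"\s*=\s*(.*)$")


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def update_whitelist(config_text, add_ips, drop_ips=()):
    """Return (new_text, changed). Only the whitelist line is rewritten;
    comments and other keys pass through untouched. Each added entry must
    parse as an IP so a bad DNS answer cannot inject text into the config."""
    add_ips = [str(ipaddress.ip_address(ip)) for ip in add_ips]
    lines = config_text.splitlines()
    changed = found = False
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m:
            continue
        found = True
        current = _split(m.group(1))
        new = [ip for ip in current if ip not in drop_ips]
        new += [ip for ip in add_ips if ip not in new]
        if new != current:
            lines[i] = KEY + "=" + ",".join(new)
            changed = True
        break
    if not found:
        lines.append(KEY + "=" + ",".join(add_ips))
        changed = True
    return "\n".join(lines) + "\n", changed


def refresh(config_text, hostname, previous_ip, resolve=socket.gethostbyname):
    """Resolve the dynamic hostname and swap the previously whitelisted
    address for the current one. Returns (new_text, changed, current_ip)."""
    current_ip = resolve(hostname)
    drop = {previous_ip} if previous_ip and previous_ip != current_ip else set()
    new_text, changed = update_whitelist(config_text, [current_ip], drop)
    return new_text, changed, current_ip


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "home.example.net"  # placeholder
    try:
        with open(STATE_PATH) as f:
            previous = f.read().strip() or None
    except FileNotFoundError:
        previous = None
    with open(CONFIG_PATH) as f:
        text = f.read()
    text, changed, current = refresh(text, host, previous)
    if changed:
        with open(CONFIG_PATH, "w") as f:
            f.write(text)
        with open(STATE_PATH, "w") as f:
            f.write(current + "\n")
        subprocess.check_call(RESTART_CMD)  # reload rules only when needed
```

Run it from cron with the dynamic DNS name as the argument; remembering the last address in a state file is what lets the old IP be dropped instead of the whitelist growing forever.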

While I advocate you look into this tool, do watch the licensing– while released under a modified BSD, it does have a clause requiring a hug and a beer be offered if you meet Dave in a bar.  Don’t use it if you aren’t comfortable with the terms.

Posted in Security

Making a link use post instead of get

Posted by smathermather on March 10, 2012

This is such a small post, it could be a tweet, but since I re-read my blog and rarely my tweets (and as this is as much for me as for anyone else):

http://stackoverflow.com/questions/3915917/make-a-link-use-post-instead-of-get

Posted in Javascript

Building simple clients for MapFish — Beginnings of a PL/pgSQL function

Posted by smathermather on March 10, 2012

I’ve had a couple of other posts (1 and 2 and 3) on simple clients for MapFish.  I like the client-server infrastructure for MapFish– with the client end of things built up in GeoExt, it makes for a really elegant combo.  But I’d like to articulate my vision for simple clients for MapFish a little further.  One thing that seems quite feasible is to embed the JSON for the MapFish requests in a PostgreSQL table.  Why there and not just within our client?  Well, we can use PostGIS to construct really clever multi-page prints if we want to, build into PostGIS the logic to decide the orientation, number of pages, scale, and other information needed to decide how best to print this object, and we can access that JSON through a GetFeatureInfo request via any WMS-compliant server (e.g. GeoServer).  In this way, we can use the GetFeatureInfo bubble as a place where we have links (enhanced with a little JavaScript) to post the JSON to our MapFish service and return a PDF.

Any object we want exposed through our interface could have a link associated with it that generates a PDF map of that object.  Let’s start with the functionality we want in our PostgreSQL function and figure out what it needs to generate the JSON we want. Here’s what we want our JSON to look like, at least for a very simple example:

{
	"units" : "ft",
	"srs" : "EPSG:3734",
	"layout" : "1) LETTER 8.5x11 Portrait",
	"dpi" : 300,
	"serviceParams" : {
		"locale" : "en_US"
	},
	"resourcesUrl" : "http://maps/geoserver/www/printing",
	"layersMerging" : true,
	"preferredIntervalFractions" : [0.1, 0.2, 0.4],
	"metaTitle" : "Title Here Please! GIS Print",
	"metaAuthor" : "Title Here Please!",
	"metaSubject" : "Title Here Please! GIS Print",
	"metaKeywords" : "",
	"outputFilename" : "cm_gis",
	"legends" : [],
	"layers" : [{
			"baseURL" : "http://maps/geoserver/wms?",
			"opacity" : 1,
			"singleTile" : false,
			"type" : "WMS",
			"layers" : ["cuy_bridge_decks", "planet_osm_line_outside_cuy_map", "cuy_roads_poly", "cuy_street_centerlines", "reservation_bounds_solid"],
			"format" : "image/png",
			"styles" : [""],
			"customParams" : {
				"TILED" : "false",
				"TRANSPARENT" : true
			}
		}
	],
	"pages" : [{
			"center" : [2160649.7795275, 597547.8687664],
			"scale" : 6000,
			"rotation" : 0,
			"mapTitle" : "Title Here Please!"
		}
	]
}

As a starting point, we can split this into two sections: the global parameters, i.e. everything except “pages”, and the “pages” section, which is what we want PostGIS to calculate for us.  In the most generic sense, we would pass all of the parameters in the global section to the function, plus the geometry of the object whose extent we want to print, plus the actual print size of the printable area for the desired layout, and have it return the JSON with the pages section populated by a little PostGIS magic. PL/pgSQL to come… .
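As an added example (not the post’s code, and not MapFish’s), here is the pages logic sketched in Python rather than PL/pgSQL: classify an object’s extent into the same orientation/page-count layouts as the UNION ALL query in the “Mapfish Play” post further down, compute a page center for each sheet, and splice those into the global section. The 7900 and 15800 thresholds (feet, EPSG:3734) come from that query; that 7900 is also the page’s long side on the ground and that the page is letter 8.5x11 are assumptions.

```python
"""Layout choice and page centers for a MapFish print request, computed
from an object's bounding box. Added example; thresholds from the post's
SQL, page dimensions assumed."""
import json
import math

SINGLE_MAX = 7900                   # long axis below this: one page
QUAD_MAX = 15800                    # up to this: 2x2 tile; beyond: follow linearly
PAGE_LONG = SINGLE_MAX              # assumed: page long side in ground units
PAGE_SHORT = PAGE_LONG * 8.5 / 11   # assumed letter short/long ratio


def choose_layout(xmin, ymin, xmax, ymax):
    """Same classification as the post's UNION ALL query."""
    w, h = xmax - xmin, ymax - ymin
    orient = "landscape" if w > h else "portrait"
    extent = max(w, h)
    if extent < SINGLE_MAX:
        kind = "single page"
    elif extent <= QUAD_MAX:
        kind = "quad page"
    else:
        kind = "linear follow"
    return orient + ", " + kind


def page_centers(xmin, ymin, xmax, ymax):
    """One (x, y) center per sheet for the chosen layout."""
    orient, kind = choose_layout(xmin, ymin, xmax, ymax).split(", ")
    cx, cy = (xmin + xmax) / 2, (ymin + ymax) / 2
    if kind == "single page":
        return [(cx, cy)]
    if kind == "quad page":
        dl, ds = PAGE_LONG / 2, PAGE_SHORT / 2
        offsets = [(-dl, -ds), (-dl, ds), (dl, -ds), (dl, ds)]
        if orient == "portrait":            # long axis runs along y
            offsets = [(s, l) for l, s in offsets]
        return [(cx + dx, cy + dy) for dx, dy in offsets]
    # linear follow: march sheets along the long axis, overlap-free
    if orient == "landscape":
        n = math.ceil((xmax - xmin) / PAGE_LONG)
        return [(xmin + PAGE_LONG * (i + 0.5), cy) for i in range(n)]
    n = math.ceil((ymax - ymin) / PAGE_LONG)
    return [(cx, ymin + PAGE_LONG * (i + 0.5)) for i in range(n)]


def print_request(global_params, bbox, scale, title=""):
    """Global section passed in as a dict; 'pages' computed from bbox."""
    req = dict(global_params)
    req["pages"] = [
        {"center": [x, y], "scale": scale, "rotation": 0, "mapTitle": title}
        for x, y in page_centers(*bbox)
    ]
    return req


if __name__ == "__main__":
    # Constructed global section, trimmed from the post's JSON.
    GLOBALS = {"units": "ft", "srs": "EPSG:3734", "dpi": 300,
               "outputFilename": "cm_gis"}
    for bbox in [(0, 0, 5000, 3000), (0, 0, 3000, 10000), (0, 0, 20000, 3000)]:
        print(choose_layout(*bbox))
        print(json.dumps(print_request(GLOBALS, bbox, 2400)))
```

In PostgreSQL the same steps map onto ST_Envelope/ST_XMin/ST_XMax for the bbox and ST_Centroid for the single-page center; the quad and linear cases are just arithmetic on those values, which is the part the post leaves for the PL/pgSQL function.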

Posted in Database, GeoExt, GeoServer, MapFish, PostGIS, PostgreSQL, SQL

Nice post on installing pgRouting on Ubuntu

Posted by smathermather on March 9, 2012

Just a quick link to a post I found on installing pgRouting on Ubuntu:

http://obsessivecoder.com/2010/02/01/installing-postgresql-8-4-postgis-1-4-1-and-pgrouting-1-0-3-on-ubuntu-9-10-karmic-koala/

Posted in Database, pgRouting, PostGIS, PostgreSQL, Recreation, SQL, Trails

Mapfish Play cont. Musings on PostGIS driven Mapfish requests– Code only

Posted by smathermather on March 8, 2012

Code only post-- which only means it's been out here not-quite ready to post for a month.  Now I post out of sheer annoyance with myself... .

SELECT '{"units":"ft","srs":"EPSG:3734","layout":"1) LETTER 8.5x11 Portrait","dpi":300,
"serviceParams":{"locale":"en_US"},
"resourcesUrl":"http://maps/geoserver/www/printing",
"layersMerging":true,
"preferredIntervalFractions":[0.1,0.2,0.4],
"metaTitle":"GIS Print","metaAuthor":"","metaSubject":"GIS Print","metaKeywords":"",
"outputFilename":"cm_gis",
"legends":[
{"name":"","classes":[
{"name":"Reservation","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=reservation_bounds&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=unrestricted"]},
{"name":"Restricted","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=reservation_bounds&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=restricted"]}]},
{"name":"Detailed Hydro","classes":[
{"name":"Ditch","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=detailed_hydro_view&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=cm_streams_ditch"]},
{"name":"Non-Stream Waterway","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=detailed_hydro_view&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=cm_streams_ditch"]},
{"name":"Stream","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=detailed_hydro_view&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=cm_streams_stream"]},
{"name":"Stream or River","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=detailed_hydro_view&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=Stream%20or%20River"]},
{"name":"Pond","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=detailed_hydro_view&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=Pond"]},
{"name":"Lake Erie","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=detailed_hydro_view&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=Lake"]},
{"name":"Other Wet Areas","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=detailed_hydro_view&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=Other%20Wet%20Areas"]}]},
{"name":"Trails","classes":[
{"name":"ADA, APT","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=cm_trails&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=rule01"]},
{"name":"Bridle","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=cm_trails&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=rule02"]},
{"name":"Hiking","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=cm_trails&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=rule03"]},
{"name":"Mountain Bike Trails","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=cm_trails&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=rule04"]},
{"name":"Connector Trail","icons":["http://maps/geoserver/wms?&VERSION=1.1.0&REQUEST=GetLegendGraphic&LAYER=cm_trails&HEIGHT=10&WIDTH=10&FORMAT=image%2Fpng&TRANSPARENT=true&LEGEND_OPTIONS=forceLabels%3Afalse&EXCEPTIONS=application%2Fvnd.ogc.se_xml&RULE=rule05"]}]}],
"layers":[
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["cuy_bridge_decks","planet_osm_line_outside_cuy_map","cuy_roads_poly","cuyahoga_street_centerlines","reservation_bounds_solid"],"format":"image/png","styles":[""],"customParams":{"TILED":"false","TRANSPARENT":true}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["reservation_bounds"],"format":"image/png","styles":[""],"customParams":{"TRANSPARENT":true,"TILED":false}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["detailed_hydro_view"],"format":"image/png","styles":[""],"customParams":{"TRANSPARENT":true,"TILED":false}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["cm_bridge_view"],"format":"image/png","styles":[""],"customParams":{"TRANSPARENT":true,"TILED":false}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["cm_trails"],"format":"image/png","styles":[""],"customParams":{"TRANSPARENT":true,"TILED":false}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["impervious_update","cm_buildings","cm_buildings_outline"],"format":"image/png","styles":[""],"customParams":{"TILED":"false","TRANSPARENT":true}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["golf_view"],"format":"image/png","styles":[""],"customParams":{"TILED":"false","TRANSPARENT":true}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["nhd_lake_erie"],"format":"image/png","styles":[""],"customParams":{"TILED":"false","TRANSPARENT":true}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":false,"type":"WMS","layers":["reservation_boundaries_public_private_cm_dissolved_mask_gradien"],"format":"image/png","styles":[""],"customParams":{"TILED":"false","TRANSPARENT":true}},
{"baseURL":"http://maps/geoserver/wms?","opacity":1,"singleTile":true,"type":"WMS","layers":["supplementary_shields","odot_interstate","odot_us_routes","odot_state_routes","planet_osm_line","cuyahoga_street_centerlines_labels","planet_osm_line_outside_cuy","detailed_hydro_labels","facilities_cm","facility_areas_cm"],"format":"image/png","styles":[""],"customParams":{"TILED":"false","TRANSPARENT":true}}],
"pages":[{"center":[' || ST_X(ST_Centroid(the_geom)) || ',' || ST_Y(ST_Centroid(the_geom)) || '],"scale":2400,"rotation":0,"mapTitle":""}]}'::text
FROM loops
WHERE (ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) < (ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom)))
AND
(ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom))) < 7900
;

SELECT 'landscape, linear follow'::text, ST_Centroid(the_geom)
	FROM loops
		WHERE (ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) > (ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom)))
			AND
		(ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) > 15800

UNION ALL

SELECT 'landscape, quad page'::text, ST_Centroid(the_geom)
	FROM loops
		WHERE (ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) > (ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom)))
			AND
		(ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) > 7900
			AND
		(ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) <= 15800

UNION ALL

SELECT 'landscape, single page'::text, ST_Centroid(the_geom)
	FROM loops
		WHERE (ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) > (ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom)))
			AND
		(ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) < 7900

UNION ALL

SELECT 'portrait, quad page'::text, ST_Centroid(the_geom)
	FROM loops
		WHERE (ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) < (ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom)))
			AND
		(ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom))) > 7900
			AND
		(ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom))) <= 15800

UNION ALL

SELECT 'portrait, single page'::text, ST_Centroid(the_geom)
	FROM loops
		WHERE (ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) < (ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom)))
			AND
		(ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom))) < 7900

UNION ALL

SELECT 'portrait, linear follow'::text, ST_Centroid(the_geom)
	FROM loops
		WHERE (ST_XMax(ST_Envelope(the_geom)) - ST_XMin(ST_Envelope(the_geom))) < (ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom)))
			AND
		(ST_YMax(ST_Envelope(the_geom)) - ST_YMin(ST_Envelope(the_geom))) > 15800
;

Posted in Database, GeoServer, MapFish, Other, PostGIS, PostgreSQL, Recreation, SQL, Trail Curation, Trails

#OGC Web Services and #Security

Posted by smathermather on March 6, 2012

A while back, I had a (somewhat cryptic) post on OGC services and security.  A couple months later, I saw this post on GeoSolution’s site on GeoServer security and the ins and outs of various options, from native to proxied security.  It is quite a bit more nuanced than my own… .  I recommend you read it, even if you don’t use GeoServer– it is enlightening about the specific problems of securing spatial data that go beyond the simple authentication/authorization models that apply to most other datasets.

Posted in GeoServer, Other, Security