Jun 23, 2012

Hooking up Thunderbird to Exchange via DavMail (I)

I wanted to write down a good way to set up Thunderbird so as to fully work with Microsoft Exchange, since this is the typical situation that many people have to overcome in Windows environments. The solution is going to be made up by DavMail as a gateway connected to Exchange, and Lightning, a Mozilla extension aimed at providing users of Thunderbird an integrated calendaring and task management tool, which may perfectly compete with Microsoft Outlook.

DavMail is a POP, IMAP, SMTP, Caldav, Carddav and LDAP gateway which allows users to use any mail or calendar as a client (for instance Thunderbird or Lightning) with an Exchange server. The unique requirement is that OWA (Outlook Web Access) or EWS (Exchange Web Services) is enabled on Exchange.

First of all, let's get started by installing DavMail (3.9.8) on Ubuntu 12.04. DavMail is not included on the official Ubuntu repositories but you can grab it from its web page. Also mention that DavMail needs Java to work.

javi@ubuntu:~$ sudo aptitude install openjdk-6-jre libswt-gtk-3-java

javi@ubuntu:/tmp$ sudo dpkg -i davmail_3.9.8-1921-1_all.deb

Now you have to run DavMail and configure it. In my case for example, I have enabled IMAP (1143), SMTP (1025), HTTP (1080) and LDAP (1389). In addition, I have also fulfilled the URL of the server (OWA).




If you want to modify the configuration of DavMail later (there is a problem with the notification icon in this version of Ubuntu in order to open the graphical screen again), you have to edit the davmail.properties file. Also say that you can check out now the new services started.

javi@ubuntu:~$ ls -l /home/javi/.davmail.properties 
-rw-rw-r-- 1 javi javi 1471 Jun 18 19:36 /home/javi/.davmail.properties

javi@ubuntu:~$ netstat -natp | grep LISTEN | grep java
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6       0      0 :::1389                 :::*                    LISTEN      2771/java       
tcp6       0      0 :::1143                 :::*                    LISTEN      2771/java       
tcp6       0      0 :::1080                 :::*                    LISTEN      2771/java       
tcp6       0      0 :::1025                 :::*                    LISTEN      2771/java

To automatically start DavMail during the booting of your Desktop, you have to set it up by adding a startup program.




Jun 17, 2012

Apache performance tuning: security (II)

This is the second part of the article Apache performance tuning: security (I).

Disable DNS reverse

Apache has a special directive, HostnameLookups, that if it is set on, the web server will always try to resolve the IP address for each connection. This situation adds an unnecessary overload to the system, because if you need to know the names of the machines involved, you can use the logresolve tool later.

[root@localhost ~]# cat /etc/httpd/conf/httpd.conf
...
HostnameLookups Off
...

Unnecessary information provided by Apache

Disable the information introduced by Apache about its version and the kind of operating system on where it is running, both HTTP response headers from the server and error messages.

[root@localhost ~]# cat /etc/httpd/conf/httpd.conf
...
ServerTokens Prod
ServerSignature Off
...

Customize error messages

By using the ErrorDocument directive, you can pick out which error message should be showed the client when a particular error takes place.

[root@localhost ~]# cat /etc/httpd/conf/httpd.conf
...
ErrorDocument 404 "Error 404 !!!"
ErrorDocument 500 /error_500.html

Limit HTTP access methods

The HTTP protocol defines eight different methods: GET, POST, CONNECT, etc. You can use the Limit directive in order to restrict the effect of the access controls to the aforementioned HTTP methods, for instance avoiding that one of this methods works on a directory or virtual host.

[root@localhost ~]# cat /etc/httpd/conf/httpd.conf
...
<Limit POST>
    Order deny,allow
    Deny from all
</Limit>
...

The preceding configuration will not allow to upload any file to the server, returning a 403 Forbidden error if you try it.

Set the right permissions to the Apache binary

Every user who is not the owner or does not belong to the Apache group, cannot access the Apache executable file.

[root@localhost ~]# chown o-rwx /usr/sbin/httpd

Remove the welcome message

The welcome message is a web page which is displayed to the user when no index.html document exists in the DocumentRoot of the server, and the indexation is disabled (Options -Indexes).

[root@localhost ~]# rm /etc/httpd/conf.d/welcome.conf

Perform a security analysis through Nikto

Nikto is an open source web server scanner (developed in Perl) which carries out comprehensive tests against web servers for multiple items, including around 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also verifies for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

[root@localhost ~]# wget --no-check-certificate https://cirt.net/nikto/nikto-2.1.4.tar.gz

[root@localhost ~]# tar xvzf nikto-2.1.4.tar.gz ; cd nikto-2.1.4

[root@localhost nikto-2.1.4]# ./nikto.pl -host localhost
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        80
+ Start Time:         2012-05-32 22:16:13
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (CentOS)
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 5 item(s) reported on remote host
+ End Time:           2012-05-32 22:16:39 (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto also has other useful option that you can take a look at. In addition, you can run Nikto with the "-update" option, so as to update databases and plugins from CIRT.net.

[root@localhost nikto-2.1.4]# ./nikto.pl -update


Jun 9, 2012

Cloning encrypted hard drives with Clonezilla

Clonezilla is a fantastic tool aimed at cloning hard drives and partitions, and afterwards, being able to recover them at the moment you want. It is based on several open source solutions such as partclone, partimage, ntfsclone and dd. The target of this article is to explain you why I have had to use this tool recently, :).

I have started to work in a new company last month. I received a new laptop with Windows Vista as operating system. I was working with it during the first week, then I installed Ubuntu 12.04 on a memory stick and I have been using it so far, and now, I have decided to install Ubuntu directly on the laptop.

What are the reasons? Windows Vista is terrible in order to work, spends a lot of time throughout the booting, runs very slowly and is not practical for the work that I have to carry out. Also mention that I am really surprised with Ubuntu running on a memory stick (USB 3.0), because the performance is pretty good, but the main handicap is its size (32 GB) and the requirements to work with virtual machines.

So what are the steps that I have had to follow up?

  • First of all, to make a backup of the entire disk through Clonezilla so as to be able to bring it back later.
  • Secondly, to convert the Windows installed on the laptop into a virtual machine by means of VMware Converter.
  • And finally, to install Ubuntu on the laptop. I also have installed VMware Player in order to be able to run that VM.

So as to clone the hard disk, I downloaded Clonezilla (1.2.12-60) and burned it on a memory stick, by means of UNetbootin, to be able to create a bootable USB flash drive. Once I had a Clonezilla Live media, I booted it on my laptop.




After booting Clonezilla, choosing the language and the keyboard layout (don't touch keymap), you have to select the option of Start_Clonezilla and device-image, in order to clone the disk by using an image.

Before cloning, you have to assign where the Clonezilla image will be saved to. In my case for example, I chose local_dev because I wanted to store the image on a external disk. For this purpose and after pressing the Ok button, I inserted the USB device into the laptop, and the operating system automatically detected the USB disk and mounted it as /home/partimag.

Then, I had to pick out the partition of the external USB hard drive where I wanted to mount the aforementioned directory.

On the next screen, the first time that I run Clonezilla I chose Beginner mode, so as to accept the default options. That was an error because Clonezilla was not able to recognize the file system used on the disk (as I mentioned before, it was cyphered), and it failed. Therefore, I had to select the other one, Expert mode, and in this way I was able to make the copy by fitting different parameters.

The following step is to choose the option savedisk, to be able to store the local disk as an image. Then you have to input a name for the saved image and select the source disk that you want to back up.

Now you get to the Clonezilla advanced extra parameters, whereby you can decide what cloning programs and priorities you prefer. Because the hard drive was encrypted, I had to pick out the "-q1" option, in order to only use dd to clone the disk.

The next screen allows you to set various parameters about the cloning method (I left the options which come by default). And finally, you have to select the compression option. I went with the last choice, -z0 (no compression), because I preferred to manually compress it after the cloning. Below you can appreciate the command executed (bzip2 compression).

$ tar cvjf 2012-06-08-ec-img.tbz2 /media/707f1d41-f3b5-4658-aa6f-c77a7cda380a/2012-06-08-ec-img

And this is the structure of files generated by Clonezilla.

$ ls -lh /media/707f1d41-f3b5-4658-aa6f-c77a7cda380a/2012-06-08-ec-img/
total 233G
-rw-r--r-- 1 root root   69 jun  8 20:18 clonezilla-img
-rw-r--r-- 1 root root    4 jun  8 20:18 disk
-rw-r--r-- 1 root root 8,1K jun  8 20:18 Info-dmi.txt
-rw-r--r-- 1 root root  22K jun  8 20:18 Info-lshw.txt
-rw-r--r-- 1 root root 4,0K jun  8 20:18 Info-lspci.txt
-rw-r--r-- 1 root root  171 jun  8 20:18 Info-packages.txt
-rw-r--r-- 1 root root    5 jun  8 20:18 parts
-rw------- 1 root root 233G jun  8 20:18 sda1.dd-img.aa
-rw-r--r-- 1 root root   37 jun  8 19:18 sda-chs.sf
-rw-r--r-- 1 root root 1,0M jun  8 19:18 sda-hidden-data-after-mbr
-rw-r--r-- 1 root root  512 jun  8 19:18 sda-mbr
-rw-r--r-- 1 root root  261 jun  8 19:18 sda-pt.parted
-rw-r--r-- 1 root root  259 jun  8 19:18 sda-pt.sf