A couple of months ago, while I was trying to make some decent progress on Nuubz, I came to a point where I realized I needed to start doing some serious work on an unrelated project before I could advance what I wanted to work on. In particular, I wanted to move the system/site security forward, which I hope will lead to better comment spam prevention and better all-around security. I already had a plan in place; I just needed to actually implement it.

Enter Project Indigo. Or at least *MY* Project Indigo.

Some years ago, while working at a web hosting company, I noticed that people kept trying to break into a site of mine for which I literally had no content. There was a single, simple HTML file saying “There’s nothing here yet.” So, I quickly wrote a script and database to record those attacks. That system has been tracking these attacks for 6 years. Last year, I noticed an abundance of brute force ssh attacks on the server as well, and started recording those in a separate system. I decided to put this data together in a security web site project to help the masses, and myself, but I just didn’t get around to doing it until Nuubz prodded me to do so.

So, I put an old domain name I owned to use and Project Indigo was born. I still have a lot to do on it, including actually providing some useful information beyond some statistics on the home page, but as you can see, it’s currently receiving live information from two virtual private servers. (I’m getting ready to shut one down, however.) There have been over 700,000 SSH attacks detected and reported to the system as of this moment, but only 2,700 “404” attacks. I emphasize “404” attacks because these are just pure page-not-found attacks: in my honeypot site, these are requests for pages that don’t currently exist and have never existed on the site, and that don’t carry any additional attack parameters. There’s another, similar attack that I’m simply calling “web attacks” which aren’t yet reported; these are (again, on my honeypot sites) page requests with GET, POST, and/or cookie values that were never requested, used, or expected on the site, regardless of whether the requested page has ever existed. (Again, on the honeypot site, most of the pages that have been targeted have never existed.)
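The two categories described above, as a classifier a honeypot could run on each request. This is an added example, not the Project Indigo honeypot code; the list of known pages and accepted parameters is constructed for the demo, and the sample requests are made up.

```php
<?php
// Added example (not Project Indigo code): classify one request into
//   'normal' - known page, only parameters the site actually uses
//   '404'    - page that never existed, and no GET/POST/cookie values at all
//   'web'    - any GET/POST/cookie value the site never used, page or no page
// KNOWN_PAGES is constructed: a honeypot with one placeholder page accepts nothing.
const KNOWN_PAGES = [
    '/'           => ['get' => [], 'post' => [], 'cookie' => []],
    '/index.html' => ['get' => [], 'post' => [], 'cookie' => []],
];

function classifyRequest(string $path, array $get, array $post, array $cookie): string {
    $exists = array_key_exists($path, KNOWN_PAGES);
    $hasParams = $get !== [] || $post !== [] || $cookie !== [];
    if (!$exists && !$hasParams) {
        return '404';                       // pure page-not-found probe
    }
    // A page that never existed accepts no parameters, so any value is unexpected.
    $allowed = $exists ? KNOWN_PAGES[$path] : ['get' => [], 'post' => [], 'cookie' => []];
    foreach (['get' => $get, 'post' => $post, 'cookie' => $cookie] as $kind => $values) {
        // Compare top-level parameter names only; values are not inspected here.
        if (array_diff_key($values, array_flip($allowed[$kind])) !== []) {
            return 'web';
        }
    }
    return 'normal';
}

// In a live handler: classifyRequest(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH),
//                                    $_GET, $_POST, $_COOKIE)
// Constructed sample requests for the demo:
$samples = [
    ['/wp-login.php', [], [], []],                               // never existed, no params
    ['/wp-login.php', [], ['user' => 'admin', 'pass' => 'x'], []], // never existed, with POST
    ['/', ['page' => 'about'], [], []],                          // exists, unexpected GET
    ['/index.html', [], [], ['session' => 'abc']],               // exists, unexpected cookie
    ['/index.html', [], [], []],                                 // exists, nothing extra
];
foreach ($samples as [$path, $get, $post, $cookie]) {
    printf("%-16s -> %s\n", $path, classifyRequest($path, $get, $post, $cookie));
}
```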

I’m still debating whether I should try to make a business out of this or not, but I’m willing to accept donations. I’ll provide that information when I make it possible to register an account on the site and put a little more polish into it. In the meantime, some attack data is available on Google if you search for “site:prjindigo.com” and machine readable data on a given IP address is available at https://www.prjindigo.com/data/<ip address>.json . Both IPv4 and IPv6 addresses are supported, though I’ve only seen a few v6 addresses enter the system at this point. (Be sure to URL encode IPv6 addresses.)

I have created a GitHub repo for the honeypot software, which is still in active development as well, and I’m working on a Go language program to report the data and possibly parse log files to get ssh failure data. (I’m still unsure about using Go to parse that data as the log files may change from OS to OS.) Don’t rush out and clone either repo yet; both depend on client identifiers and encryption keys that depend on having an account at the Project Indigo website, which, as I indicated above, isn’t quite ready for that yet. But I’ll be sure to post here when the time has come.

It’s been a while since I wrote anything here, and probably longer since I actually made any real progress on Nuubz. As was the case in 2017, life has been kind of hectic thanks to my day job. (Example, I spent roughly 2 months out of town for work out of the last 3.5 months of the year.) Well, over the last 10 days or so, I’ve made some pretty good progress.

First and foremost, I got back to work on the OAuth2 system, and I’ve managed to actually receive usable account data from both Google and Facebook with it. I have received some limited user account data from Twitch, which may just be an issue of expectations, but I’m also reconsidering Twitter support. (Up until now, I’ve thought that the lack of email or real user information in their responses made supporting Twitter pointless, but as long as an account ID is supplied, I guess it’s enough to identify a particular Twitter account.) I have updated the publicly available open source versions of these OAuth classes I implemented over at GitHub.

What I’m working on at this precise moment is encryption support. Up until now, I’ve been using mcrypt to encrypt email addresses and other important tidbits, but as of PHP 7.2, that’s deprecated. Yes, you can fight to get it installed as a PECL extension, but if you’re using the IUS version of PHP, that is exceptionally difficult to do since they don’t include a PECL binary. (I’ve done it on this server, but I can’t remember precisely how I accomplished it to tell anyone else or repeat it for my own development server.) So, I’m switching over to use Sodium, the [current] new wave of the future. In general, there are fewer commands to use to accomplish good encryption; however, it’s also more tedious because if you actually want to decrypt something you encrypted with it, you not only have to have the key, but you also have to have the nonce that was used. Which means you need to store both somewhere. There’s a trade-off between security and practicality that has to be made as a result. A site I read while implementing this literally said “never use the same key and nonce twice” but how can you encrypt important data on a website without using them twice or more? That I haven’t figured out yet.

Once I get the new encryption working, I can officially implement the OAuth2 registration and login paths; I am hesitant to store the OAuth2 provider’s access key, client ID, and client secret in the database unencrypted. While I could do that on disk in the configuration file, I’m trying to minimize the important data that’s present there for fear of misconfigured web servers or clever exploits of the code I’m writing. I’m trying to be as mindful as possible of potential exploits as I write Nuubz, but there’s always something that you overlook as a programmer, and always potential and actual bugs in the software that yours depends on. Of course, once an attacker has access to the database, it’s all over. That could come from SQL injection (hopefully a path eliminated by proper use of PHP’s PDO database abstraction, which I’ve used for years), some sort of cross site exploit that might elevate privileges, or a shell script of some sort that gives them access to the files on the server as the user running the server. (Usually “apache”, “httpd”, or “www”.) Nonetheless, security is on my mind as I code.
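The storage pattern the two paragraphs above are circling, as an added example rather than Nuubz code: the key is the only secret and is reused for every row, while the nonce is public, generated fresh per encryption and stored in front of the ciphertext, so the "never reuse key and nonce" rule is satisfied without storing anything extra. It assumes PHP 7.2+ with the sodium extension; the `nuubz:oauth:` label, the `oauth_providers` table and the demo key are constructed.

```php
<?php
// Added example (not Nuubz code): encrypting an OAuth2 client secret for a
// database column with libsodium. One long-lived key is reused for every row;
// the nonce is not secret, is drawn fresh for every encryption, and is stored
// in front of the ciphertext, so key+nonce is never used twice.
const CTX_PREFIX = 'nuubz:oauth:';   // hypothetical label bound to each row

function sealForStorage(string $plaintext, string $key, string $provider): string {
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    // The provider name is authenticated "additional data": a ciphertext copied
    // from the google row into the facebook row will fail to decrypt.
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
        $plaintext, CTX_PREFIX . $provider, $nonce, $key);
    return $nonce . $ct;                 // what goes into the BLOB column
}

function openFromStorage(string $stored, string $key, string $provider): string {
    $nlen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if (strlen($stored) < $nlen + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        throw new RuntimeException('stored value too short to be nonce||ciphertext');
    }
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($stored, $nlen), CTX_PREFIX . $provider, substr($stored, 0, $nlen), $key);
    if ($pt === false) {                 // wrong key, wrong provider, or tampered row
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Demo with a constructed key; in production load the 32-byte key from outside
// the web root (e.g. an environment variable), never from the same database.
$key  = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$blob = sealForStorage('example-client-secret', $key, 'google');
echo bin2hex(substr($blob, 0, 24)), " <- nonce, stored in the clear\n";
echo openFromStorage($blob, $key, 'google'), "\n";
try {
    openFromStorage($blob, $key, 'facebook');   // same key, wrong provider label
} catch (RuntimeException $e) {
    echo 'cross-row use rejected: ', $e->getMessage(), "\n";
}
// Storing it with PDO (hypothetical table): bind as a LOB so the raw bytes survive.
// $stmt = $pdo->prepare('UPDATE oauth_providers SET client_secret = ? WHERE name = ?');
// $stmt->bindValue(1, $blob, PDO::PARAM_LOB); $stmt->bindValue(2, 'google'); $stmt->execute();
```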

Finally, for this update at least, I’m looking for some comic strips to post as a demo once I get that far. I really wanted to steal… ahem, borrow some strips from comics I read (Grrl Power Comic, Least I Could Do, LFG, TMI Comic, Megatokyo) for the demo, but I think it’s better if I get some creator/writer/artist to volunteer some of their work or at least give me permission to go through their stuff. It doesn’t even have to be a real comic or part of a regular series; I just need something to showcase for Nuubz. Eventually. I’m hoping this will be the year that I have something usable to demonstrate, and not just a bunch of code tests. If you’d like to help out, drop me a line with the form below.

Beyond that, happy New Year!

I’ve been mostly quiet for the last year or so, the main reason being that I’ve been either waiting anxiously for news on an exciting job (which I got) or just plain working it. BLS, as much as I like the idea of it being something that keeps food on the table, really is nothing more than my hobby at best.
That said, I haven’t had much time to try to catch up on Android development though I continue to be intrigued by it, and I’ve been slow on my web projects. There’s little excuse for it, but work has had a major impact on my activity levels at the end of the day and on weekends.

Not that I’m complaining about work…! I absolutely love my job!

That said, I’ve been trying to get back in the swing of things lately, and in particular have been working on the OAuth 2 implementation I started for Nuubz.

The first question in your mind may be “What is OAuth?” The simple explanation is that it is an open standard for communicating with supporting services to allow you to register and log in to websites without needing to manually create an account there. You’ve probably seen Facebook and Google login options on many websites already; OAuth is what allows that magic to work.

So why, as I’m sure your next question would be, am I implementing this myself? While there are libraries to do it, the problems are that they’re either difficult to use and/or understand, under-documented, or have a license that would get in my way. I’ve tried to use a particular OAuth library I found on SourceForge several times over several years; while I got it to work somewhat, it confused the hell out of me in terms of actual usage, what data was safe to store and how to resume login sessions. The reason, besides the complexity of the library, was that it wasn’t well documented. In fact, the example code they provided literally answered nothing, not even what elements of the code were required.

While I’ve downloaded but haven’t looked at other implementations, I’ve been very hesitant to even think about using them because of licensing. I think I’ve made it clear that I hate the GPL license; I don’t want to make Nuubz open source just because I used a GPL’ed library in the software! If I decide to open source Nuubz, I want it to be because I chose to make it open source! Sure, there are probably a number of OAuth libraries that are open source with a compatible license like BSD or MIT and are documented with decent examples, but I really didn’t feel like trying to hunt them down and keep them updated.

So, I decided to write my own. While I’ve been stalled for much of the last year as I mentioned above, I’ve made some important progress this week. As of this moment, my code (available at GitHub) can initiate the handshake and retrieve account information from Google. As the code is very similar for many other OAuth providers (such as Patreon, Disqus, and even Twitch), only a few relatively minor changes are necessary to get it to work with them as well. Facebook support is coming too, though they have some additional hoops to jump through. I’m still debating Twitter… Last time I looked at implementing support for them, they didn’t provide any useful account information like email address or real name.
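The handshake mentioned above, written out as an added example; this is not the author's OAuth classes from GitHub. It is the authorization-code flow against Google with a per-attempt `state` value, which is the check that stops a forged callback from binding someone else's authorization code to a victim's session. It assumes `session_start()` has already run, `curl` is available, and the Google endpoint URLs shown are the current ones.

```php
<?php
// Added example, not the author's OAuth classes: the authorization-code
// handshake with Google, using a per-login "state" value (the CSRF check that
// rejects a callback the user never initiated). Endpoint URLs are assumed.
const AUTH_URL  = 'https://accounts.google.com/o/oauth2/v2/auth';
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const USER_URL  = 'https://openidconnect.googleapis.com/v1/userinfo';

// Step 1: send the browser here. $cfg holds client_id, client_secret, redirect_uri.
function buildAuthorizationUrl(array $cfg): string {
    $state = bin2hex(random_bytes(16));          // unguessable, one per attempt
    $_SESSION['oauth_state'] = $state;
    return AUTH_URL . '?' . http_build_query([
        'client_id' => $cfg['client_id'], 'redirect_uri' => $cfg['redirect_uri'],
        'response_type' => 'code', 'scope' => 'openid email profile', 'state' => $state,
    ]);
}

// Step 2: the provider redirects back with ?code=...&state=... (or ?error=...).
function handleCallback(array $query, array $cfg): array {
    $expected = $_SESSION['oauth_state'] ?? ''; unset($_SESSION['oauth_state']); // single use
    if ($expected === '' || !hash_equals($expected, (string)($query['state'] ?? ''))) {
        throw new RuntimeException('OAuth state mismatch: stale or forged callback');
    }
    if (empty($query['code'])) {
        throw new RuntimeException('no code: ' . ($query['error'] ?? 'unknown error'));
    }
    $token = httpJson(TOKEN_URL, [
        'code' => $query['code'], 'client_id' => $cfg['client_id'],
        'client_secret' => $cfg['client_secret'], 'redirect_uri' => $cfg['redirect_uri'],
        'grant_type' => 'authorization_code',
    ]);
    // Step 3: the access token is short-lived; the stable account id is the "sub" claim.
    return httpJson(USER_URL, null, $token['access_token'] ?? '');
}

function httpJson(string $url, ?array $form = null, ?string $bearer = null): array {
    $ch = curl_init($url);
    $opts = [CURLOPT_RETURNTRANSFER => true, CURLOPT_SSL_VERIFYPEER => true];
    if ($form !== null)   { $opts[CURLOPT_POSTFIELDS] = http_build_query($form); }
    if ($bearer !== null) { $opts[CURLOPT_HTTPHEADER] = ['Authorization: Bearer ' . $bearer]; }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    $data = json_decode((string)$body, true);
    if ($code !== 200 || !is_array($data)) { throw new RuntimeException("$url failed (HTTP $code)"); }
    return $data;
}
```

Both the code and the state are consumed once; a second callback with the same values is rejected, which is also the behaviour to expect when a user double-clicks or reloads the callback page.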

Now before you go off and download my code to use it, the latest changes [to make this battle station fully operational] aren’t on GitHub yet; I need to remove some debug code and clean things up a bit but I’ll have it there before this weekend ends.

Over the last few months, I’ve been [albeit slowly] working on a new piece of software. Instead of something for Android or a particular operating system, this one is for the web. While browsing my favorite webcomics, I came to realize that many were using WordPress which seemed like a problem to me. While WordPress is a hugely popular and flexible piece of software, it’s really overkill for webcomics. So, I started developing my own dedicated piece of software that I’m calling Nuubz.

It’s still relatively early in development, but if you want to watch progress, you can visit http://dev.nuubz.com to take a look. Be sure to check back regularly as I make progress.