Slides from a course on how to evade fingerprinting tests with FreeBSD and some services, such as nginx, FTP and OpenSSH.
It also explores techniques for securing WordPress.
The document discusses techniques for disguising and anti-fingerprinting systems and networks. It begins with an introduction to FreeBSD and how it differs from Linux. It then explains how fingerprinting works at the operating system, service, and application levels. Specific examples are given around banners, metadata, and lost files. Finally, it outlines approaches for defeating fingerprinting such as modifying kernel parameters, changing service configurations and banners, and patching applications.
Gerald Z. Villorente presents on the topic of web security. He discusses security levels including server, network, application, and user levels. Some common web application threats are also outlined such as cross-site scripting, SQL injection, and denial-of-service attacks. The presentation provides an overview of aspects of data security, principles of secure development, and best practices for web security.
Top Ten Proactive Web Security Controls v5 - Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
The document discusses various web application security issues like SQL injection, input validation, cross-site scripting and provides recommendations to prevent these vulnerabilities when developing PHP applications. It emphasizes the importance of validating all user inputs, using prepared statements and output encoding to prevent code injection attacks and ensuring session security. The document also covers other attacks like cross-site request forgery and provides mitigation techniques.
Introduction to web security @ confess 2012 - jakobkorherr
The document introduces various topics related to web security including an overview of common web application vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery as well as potential countermeasures. It also provides background on typical web application architecture and outlines the OWASP top 10 list of most critical web application security risks.
This document describes building a live hacking tool using Python and Jupyter Notebook. It explains that one should not reinvent the wheel and should follow best practices. It then presents a practical example demonstrating the tool. Finally, it invites questions.
This document describes the Topera v0.2 tool, which combines undetectable TCP scanning attacks using IPv6 extension headers with slow denial-of-service attacks (Slow HTTP) to evade detection by IDS systems such as SNORT. The updated version of Topera is presented together with a demonstration of how it works.
This document provides an introduction to Python, describing it as an interpreted programming language that is easy to learn and allows rapid development. It explains the differences between Python versions 2.7 and 3.x, and highlights some of its strengths, such as string handling, the included framework and package management. It also mentions some of the most popular Python libraries.
Slides from my talk at: V Navaja Negra & ConectaCON
Scapy is a network packet and frame generation tool and library written in Python that lets us specify, at a very low level, what we want to send and how.
Scapy has the little-known "Automaton" library built in. This library lets us create finite-state automata for communication systems... Don't be scared, it's not that complicated :)
Protocol stacks, such as the well-known TCP/IP, are based on the behaviour defined by a finite automaton. These automata are usually based on their RFC standards (which define a large part of Internet communications), although each operating system implements them in its own way, while still following the standard, of course.
The talk WILL PRESENT how to simulate a protocol stack of any kind, to show how simple it is. It will also explain how this technique can be used to carry out hacking attacks, modify network traffic on the fly, or implement services that would otherwise be tremendously complex.
As a FINAL EXAMPLE, it will show how to modify certain bits that meet given conditions, and how to modify part of the protocol's behaviour to provoke unexpected reactions in the attacked/audited system.
This document is a chapter from a textbook on web development security. It covers several key security principles for web development, including the CIA triad of confidentiality, integrity and availability. It discusses risk assessment and management, including identifying actors, impacts, threats and vulnerabilities. Authentication methods like passwords, multifactor authentication and third party authentication are explained. The importance of authorization to define user privileges is also covered. Overall security practices like secure design, testing, policies and business continuity planning are recommended.
This session explains how the combination of IEEE 802.1AE (data link encryption) with the power of Session Group Tags achieves trusted security in a network. It covers the protocol details as well as use cases and, more importantly, how CTS can be deployed in a network. This session is targeted mainly at enterprise customers.
Python, hacking and sec-tools from the trenches
A tour of low-level network hacking and communication protocols with the Swiss army knife of the low level: Scapy.
We will learn how to turn what you have so far solved with quick "get by" scripts, for that audit that keeps resisting you, into well-built hacking tools.
We will build several hacking tools from scratch, explaining:
- How to design and scale security applications,
- Building reusable applications,
- Using third-party libraries in our code,
- Generating useful and easy-to-use command-line interfaces (CLI),
- Exporting results to JSON, XML or Excel,
- Creating a simple but powerful plugin system
This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.
How to apply fingerprinting techniques at the four layers of TCP/IP and build a profile of a target by deducing the technologies used, based on certain parameters obtained with these techniques.
Basic security concepts for web applications and web sites for today's environment. Server Configuration, Site Configuration, Best Practices, and Passwords.
This document describes a course on network hacking with Python and Scapy. It explains that Scapy is a tool for generating and manipulating network packets that provides features such as sending and receiving information at the packet level, manipulating protocol fields, analysing network traffic, and creating new protocols. It also covers how to export packets captured by Scapy to JSON format in order to store the information in an unstructured way in a NoSQL database such as MongoDB, allowing searches and
The document summarizes the top 10 web application security risks as identified by OWASP (Open Web Application Security Project). It describes each of the top 10 risks, including injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing access controls, cross-site request forgery, use of vulnerable components, and unvalidated redirects/forwards. It provides examples of how attackers could exploit each risk. The risks are presented along with their likelihood and potential technical impact based on OWASP's risk rating methodology.
This document presents several common problems in developing hacking tools and proposes Python-based solutions. It explains concepts such as project structuring, using objects for parameters and results, APIs, coroutines, multiprocessing, and Celery for running tasks in the background. It includes practical implementation examples of these solutions.
This document provides an overview of common security vulnerabilities in Node.js code and their solutions. It discusses injection flaws like SQL injection and log injection, broken authentication and session management issues like insecure cookie handling, cross-site scripting vulnerabilities, insecure direct object references, sensitive data exposure without encryption, cross-site request forgery, and unvalidated redirects/forwards. For each vulnerability, it provides an example of vulnerable Node.js code, how an attacker could exploit it, and recommendations for more secure coding practices. The goal is to help developers learn security best practices through examples of real flaws and their fixes.
Presentation of a new attack concept: Broker Injection, together with the exploitation tool: Enteletaor Broker injector.
The video with all the animations can be found at:
https://youtu.be/OxtBiQ7n60Y
Web security involves protecting websites and web applications from various cyber threats. The document outlines the top 10 PHP application vulnerabilities in 2016, including information leakage, man-in-the-middle attacks, injection attacks, and SQL truncation exploits. It provides tips for preventing vulnerabilities such as checking error logs, updating software regularly, and using strong password hashing. The key is to stay vigilant by monitoring logs and source code for signs of intrusion and preparing to reinstall systems if needed.
The document discusses various topics related to web security including what it is, why it is important, common types of web attacks like SQL injection, cross-site scripting, password cracking, and phishing. It also discusses methods to provide security, such as using high security passwords, digital signatures, encryption/decryption, and biometric authentication. The conclusion states that as more security methods are available for websites, the future will be safer.
This document discusses fingerprinting in computing. It explains that fingerprinting is the identification of the software version running on servers, which exposes known vulnerabilities. It recommends configuring servers not to show information such as the PHP version, or changing operating system parameters to make identification harder. The conclusion is that even the most trivial information can be dangerous, so potential attackers should be given as little information as possible.
This document discusses various topics related to web server and website security including demilitarized zones (DMZs), firewalls, intrusion detection systems, secure web protocols like SSL and HTTPS, common gateway interfaces (CGIs), web form validation, SQL injection, and cross-site scripting (XSS) prevention. It explains that a DMZ is a network area between an internal and external network that allows limited connections, firewalls filter incoming network traffic using methods like packet filtering and stateful inspection, and an IDS monitors network traffic for malicious activity. It also describes secure web protocols that encrypt data transmission and how to properly validate web forms and user input to prevent vulnerabilities like SQL injection and XSS attacks.
DrupalCamp London 2017 - Web site insecurity - George Boobyer
Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
See Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
This document provides tips and best practices for securing a Drupal site, including hardening servers, locking down access, using HTTPS, keeping software updated, encrypting sensitive data, reviewing logs, and questions from the presenter. Some key recommendations are to redirect all traffic to HTTPS, secure Drupal user 1, remove clues about Drupal from headers and files, use strong and unique passwords, and store backups and credentials securely offline. The presenter provides many module and tool recommendations for implementing security measures in Drupal.
Puppet and your Metadata - PuppetCamp London 2015 - Marc Cluet
How do you organise your metadata in Puppet? It's important to know all the different options, choices and steps you can take to make your metadata rock!
This document discusses securing microservices by exploring security in the open source Sock Shop application. It covers container security concepts like restraint, immutability and provenance. It demonstrates adding a user to container Dockerfiles and making the filesystem read-only. It also discusses network segmentation and limiting network access between internal services and externally. The document encourages exploring security failures and limiting attack surfaces.
Undefined Behavior and Compiler Optimizations (NDC Oslo 2018) - Patricia Aas
This document summarizes Patricia Aas' presentation on secure programming practices in C++. It introduces Patricia and her background programming mainly in C++. The presentation covers topics like undefined behavior, compiler optimizations, and examples of insecure code. It provides code samples to demonstrate undefined behavior and how compilers can remove code meant to clear buffers due to optimizations. It recommends using functions like memset_s or SecureZeroMemory to clear sensitive information instead.
This document discusses strategies for securely operating Docker containers. It begins by acknowledging valid security concerns with Docker and advocating understanding threat models and limitations. The document then explores issues of trust in Docker images and potential solutions like auditing tools and private registries. It outlines opportunities to automate security configuration checks and generate AppArmor profiles. Finally, it presents a vision for a registry of security profiles that could reduce the burden of container hardening. Overall, the document takes an empathetic approach to security concerns while highlighting practical steps and potential technical improvements.
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...Agile Testing Alliance
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Quality Engineering in Remote IoT System" at #ATAGTR2023.
#ATAGTR2023 was the 8th Edition of Global Testing Retreat.
To know more about #ATAGTR2023, please visit: https://gtr.agiletestingalliance.org/
Creating Developer-Friendly Docker Containers with ChaperoneGary Wisniewski
The document discusses creating developer-friendly containers using Chaperone and the chaperone-baseimage family. Chaperone is a process manager that provides services like logging, cron jobs, and orderly shutdown within containers. The chaperone-baseimage images use Chaperone to provide three personalities for containers: closed, attached-data, and development. This allows developers to have a consistent environment to develop applications without understanding container internals. The development model mounts the container's infrastructure to the developer's local directory for easy editing of code and data outside the container.
Finding target for hacking on internet is now easierDavid Thomas
Finding target on internet for penetration testing involves searching internet using google or using Google Hacking/Dorking. There are google hacking queries available on internet, according to ethical hacking researcher of International Institute of Cyber Security it is the main source of passive attacks on internet. This whole process of finding target on internet using GHDB is automated using python based framework named as Katana framework.
Microsoft Power Point Best Practices For Scaling Heavily Adopted And Concur...Steve Feldman
The document discusses various tools used for monitoring and optimizing performance in a Blackboard environment. It recommends using Toad as the primary database access tool for tasks like script execution and basic DBA work. It also recommends using PAO (Performance Analysis for Oracle) as the primary monitoring tool for its warehousing capabilities and ability to compare workloads over time. Foglight is highlighted as a favorite tool for its lightweight instrumentation, ability to define rule-based traces to identify slow method calls and SQL statements, and other features. Configuration examples are provided for optimizing Java settings like heap size and garbage collection with aggressive -XX options.
Course in Big Data Analytics in association with IBM
Everyday huge amount of data is created. This data comes from everywhere : sensors used to gather climate information, post to social media sites, digital pictures and videos, purchase transaction records and Cell phone GPS signals to name a few. This data is Big Data.
Big data is a blanket term for any collection of data set so large and complex that it becomes difficult to process using on hand data management tools or traditional data processing applications. The challenges include capture, storage, search, sharing, transfer, analysis and visualization. Anyone who has knowledge on Java, basic UNIX and basic SQL can opt for Big Data training course.
This talk presents an approach to building free network services and introduces Libravatar, a Django-based project to provide a federated and Open Source alternative to the Gravatar profile image hosting service, a centralised web service used by a large number of social sites in the cloud.
The document describes the Application Research Group (ARG) and their work exploring applications built on Filecoin. ARG has created Estuary, an open source project that makes it easy to store data in the Filecoin network. Estuary provides a hosted node, website, and documentation. It handles storing user data through Filecoin storage deals with high replication for reliability. ARG shares details of Estuary publicly to help others learn and provide transparency into its performance and use of Filecoin miners. They aim to help others run their own Estuary nodes and improve the Filecoin storage experience.
The document discusses using Storm, Cassandra, and in-memory computing for real-time big data analytics. It describes Storm as a framework for real-time stream processing and Cassandra as a database for handling large volumes of data. The document proposes using an in-memory data grid to provide a high-performance interface between Storm and Cassandra for real-time analytics of streaming data.
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
Adversary Simulation pada lingkungan cloud memiliki karakteristik unik sehingga memerlukan pendekatan khusus. Stratus menawarkan fleksibilitas dalam melakukan simulasi attack secara native pada lingkungan cloud. Presentasi ini akan memberikan penjelasan tentang penggunaan Stratus dalam adversary simulation dan bagaimana mengembangkan skenario khusus sesuai kebutuhan.
Building Web Mobile App that don’t suck - FITC Web Unleashed - 2014-09-18Frédéric Harper
Mobility is everywhere. It’s even more important to think about smaller devices like smartphones when building application or game using web technology. Everybody wants to have a mobile application, but it's not sufficient: you need to create an awesome experience for your users, your customers. You need to be future proof, and think about different markets as users needs: you never know when your application will be the next Flappy Bird. This presentation is about concrete tips, tricks and guidelines for web developers using HTML, CSS, and JavaScript based on experience that will help you make a success of your next exciting mobile application or game idea.
This is the mago3D technical hands-on material prepared for the FOSS4G Tokyo 2017 attendees. mago3D is the brand-new web based 3D GeoBIM platform on top of Cesium or NASA World Wind. With mago3D, users can service complicated and very large size 3D BIM/AEC data through internet. This material covers what is mago3D, how it works, overall system architecture/components, how to install mago3D, how to convert data and how to get it started. After attending the seminar, users are expected to service their own data through internet using mago3D.
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?ArangoDB Database
View the video of this webinar here: https://www.arangodb.com/arangodb-events/gvisor-kata-containers-firecracker-docker/
Containers* have revolutionized the IT landscape and for a long time. Docker seemed to be the default whenever people were talking about containerization technologies**. But traditional container technologies might not be suitable if strong isolation guarantees are required. So recently new technologies such as gVisor, Kata Container, or firecracker have been introduced to close the gap between the strong isolation of virtual machines and the small resource footprint of containers.
In this talk, we will provide an overview of the different containerization technologies, discuss their tradeoffs, and provide guidance for different use cases.
* We will define the term container in more detailed during the talk
** and yes we will also cover some of the pre-docker container space!
Kata Container & gVisor provide approaches to securely isolate containers by keeping them out of the direct kernel space. Kata Container uses virtual machines with lightweight kernels to isolate containers, while gVisor uses a userspace kernel implemented in Go to provide isolation. Both aim to protect the host kernel by preventing containers from accessing kernel resources directly. Kata Container has a larger memory footprint than gVisor due to its use of virtual machines, but provides stronger isolation of containers.
This document discusses how hackers can break CI/CD infrastructure by exploiting vulnerabilities at different stages of the software development process. It outlines attacks such as inserting malware in source code or libraries, exploiting privileged access in build pipelines to achieve remote code execution, deploying zip bombs or memory bombs to crash systems, and compromising shared infrastructure between development and production environments. The document emphasizes the importance of limiting permissions, isolating networks, monitoring for anomalies, and hardening CI/CD systems with the same care as production servers.
This document discusses security concerns related to continuous integration and continuous delivery (CI/CD) pipelines. It begins by defining key CI/CD concepts like continuous integration, continuous delivery, pipelines, DevOps, and DevSecOps. It then details several security risks that can occur at different stages of the CI/CD process, including in source code, during building, in deployment, and within infrastructure. Specific attacks mentioned include sensitive information leaks, trojanized artifacts, zip bombs, memory bombs, and more. The document emphasizes the importance of monitoring, limiting permissions, and network isolation to help secure CI/CD systems.
This document discusses 12 tricks hackers use to compromise continuous integration and continuous delivery (CI/CD) systems. It outlines attacks such as installing malware via libraries, leaking secrets, executing malicious code in pipelines, consuming cloud services to cause outages, zip bombs, memory bombs, fork bombs, and compromising APIs. The document emphasizes the importance of limiting permissions, monitoring systems, and assuming insider attackers when hardening CI/CD pipelines and infrastructure.
The document discusses a talk titled "Docker might not be your friend - Trojanizing Docker like a Sir" given by Daniel García and Roberto Muñoz. The talk covers what Docker is, the Docker environment including components like Docker hosts, registries, and orchestrators. It also discusses continuous integration/continuous deployment cycles and how Docker fits into those processes. The slides provide definitions and diagrams to explain these concepts.
Mi Charla en Codemotion 2015. En ella repasamos los principales de problemas de seguridad y olvidos en los sistemas puestos en producción: fingerprinting, configuraciones incompletas, cifrados insuficientes, aplicaciones de gestión por defecto en producción, kernel de *NIX etc.
Documento usado para dar mi charla en el III Hack&Beers en Madrid. Temática:
Cómo funciona el fingerprinting, como ocultarse y cómo nos pueden vulnerar sino lo tenemos en cuenta.
Ejemplos prácticos con Linux y Wordpress
GoLismero es una herramienta de pentesting de código abierto que realiza escaneos de vulnerabilidades en la web, redes y metadatos sociales. Consiste en fases de reconocimiento, escaneo, ataque e intrusión y limpieza. Proporciona informes dinámicos en múltiples formatos como HTML, JSON, XML y más. El proyecto tiene una filosofía de software libre y el equipo espera mejorar la herramienta en el futuro con nuevas características, manteniendo una buena base y construyendo
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Pushing the limits of ePRTC: 100ns holdover for 100 days
Extreme security in web servers
1. Extreme security in web servers
Daniel García García a.k.a cr0hn (@ggdaniel) http://es.linkedin.com/in/garciagarciadaniel 1
2. Creative Commons License
The art of disguise - Anti-fingerprinting techniques
by Daniel García García a.k.a. cr0hn is licensed under a:
Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Permissions beyond the scope of this license may be available at: dani@iniqua.com.
3. Acknowledgments
• Manuel Trujillo <TooManySecrets>
• Francisco Jesus Gomez Rodriguez (@ffranz)
• @capi_x <capi_x@haibane.org>
• Maikel Mayán <@AloneInTheShell>
4. What is this talk about?
1. Infrastructure: virtualization vs physical.
2. Choosing the OS base: FreeBSD.
3. Brief intro to the configuration of FreeBSD.
4. Isolating processes.
5. 1 - Infrastructure: Virtualization vs physical
6. 1 – Infrastructure: Virtualization vs physical
a) Virtualization advantages.
b) Virtualization solutions.
c) Why use a server virtualization system?
d) Organizing the virtual machines: approaches.
7. 1.a - Virtualization advantages
• Less physical space.
• Lower energy costs.
• Better use of resources.
• Scalability.
• Simplicity of administration.
8. 1.b - Virtualization solutions
9. 1.c - Why use a server virtualization system?
• Scalability.
• Centralized storage system.
• Hot cloning.
• Hot migration of machines.
• Modular architecture.
• Simpler management.
10. 1.c - Why use a server virtualization system?
Examples:
• VMware ESXi
• Xen
• Proxmox
11. 1.d - Organizing the virtual machines: approaches
I. One machine for all.
12. 1.d - Organizing the virtual machines: approaches
II. Two machines: frontend and backend.
13. 1.d - Organizing the virtual machines: approaches
III. Multilevel:
14. 2 – Choosing OS base:
15. 2 – Choosing OS base: FreeBSD
a) Why use FreeBSD?
b) Who uses FreeBSD?
16. 2.a – Why use FreeBSD?
• Simplicity of the kernel.
• Simplicity of recompiling the whole system.
• Built-in security features.
• Isolation features, such as jails.
• Administration simplicity.
• Can run Linux binaries.
17. 2.b – Who uses FreeBSD?
• JunOS
• Citrix
• Nokia’s firewalls
• PlayStation 3
• Netflix
• Netcraft
• Some parts of Apple OS X
• …
18. 3 – Configuration of system
19. 3 – Configuration of system.
a) Adjust system binaries.
b) Configuration files.
c) Kernel and “user-land”.
20. 3.a – Adjust system binaries
21. I. Install LLVM/clang
Q: Why use LLVM/clang?
A: It generates more optimized code than gcc.
See a comparison:
http://blog.buguroo.com/?tag=compilador-gcc-llvm-clang-benchmark&lang=en
22. II. Patch and reinstall OpenSSH
Q: Why patch OpenSSH?
A: To evade fingerprinting techniques.
See how to patch it in:
http://www.slideshare.net/cr0hn/the-art-of-disguise-antifingerprinting-techniques
23. 3.b – Configuration files.
24. I. /etc/src.conf
28. V. /etc/make.conf
[Callouts on the make.conf screenshot: “Make the execution of exploits difficult”; “Prevent hooking”]
30. 3.c – Kernel and “user-land”
31. I. Update system source
• First, we need the cvsup tool.
• Configure our repository config file:
• Update the system source (this also includes the kernel).
32. II. Configure kernel
• Configuration file:
• Adjust some basic parameters:
[Callout on the kernel configuration screenshot: only if you don’t need FAT/VFAT support!]
33. III. Compile the kernel
[Callouts on the build-command screenshot: “Our kernel configuration file”; “Enable the LLVM static analyzer”]
34. IV. The “user-land”
Q: What’s the “user-land”?
A: The user-land is the name for all the basic binaries and programs of the system, such as syslog, common commands (sed, awk, sort…), gcc, clang…
Q: How do you configure the “user-land”?
A: You can customize what the user-land includes with the file /etc/src.conf.
35. IV. Recompile the user-land
[Callouts on the build-command screenshot: “Delete old compiled objects”; “Make all files erasable”; “Enable static optimizations of LLVM”]
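The slides for /etc/src.conf, the kernel configuration and the rebuild survive only as screenshots, so here is an added example (not the deck's own files) that renders a trimmed src.conf and a GENERIC-derived kernel configuration and checks both before any buildworld. Knob names come from src.conf(5) and config(5); which knobs to drop, the kernel ident HARDENED and the scratch prefix are my assumptions, and the "nooptions MSDOSFS" line is the slide's FAT/VFAT callout made explicit.

```shell
#!/bin/sh
# Added example, not code from the deck: render the two files the user-land
# and kernel slides customise, /etc/src.conf and a kernel configuration that
# starts from GENERIC, and sanity-check them before a buildworld.  Knob
# names are taken from src.conf(5) and config(5); which ones to drop, the
# kernel ident HARDENED and the scratch prefix are assumptions.
set -e

# src.conf(5): every WITHOUT_* knob removes a component from the user-land
# build.  Less code installed is less to fingerprint and less to patch.
render_src_conf() {
    cat <<'EOF'
# Network services and clients a hardened web server never runs.
WITHOUT_SENDMAIL=yes
WITHOUT_TELNET=yes
WITHOUT_RCMDS=yes
WITHOUT_LPR=yes
WITHOUT_NIS=yes
# Hardware stacks a server VM has no use for.
WITHOUT_BLUETOOTH=yes
WITHOUT_WIRELESS=yes
# Profiled libraries, games and examples only widen the surface.
WITHOUT_PROFILE=yes
WITHOUT_GAMES=yes
WITHOUT_EXAMPLES=yes
EOF
}

# config(5): include GENERIC and subtract from it.  "nooptions MSDOSFS" is the
# slide's "only if you don't need fat/vfat support" callout made explicit.
render_kernel_conf() {
    cat <<EOF
include GENERIC
ident $1
# Filesystems this server will never mount: fewer parsers running in ring 0.
nooptions MSDOSFS
EOF
}

# Only knob names from this list (a subset of src.conf(5)) are accepted, so a
# typo such as WITHOUT_SENDMAL=yes fails here instead of being ignored by make.
KNOWN_KNOBS="WITHOUT_SENDMAIL WITHOUT_TELNET WITHOUT_RCMDS WITHOUT_LPR WITHOUT_NIS WITHOUT_BLUETOOTH WITHOUT_WIRELESS WITHOUT_PROFILE WITHOUT_GAMES WITHOUT_EXAMPLES"

check_src_conf() {
    grep -v '^#' "$1" | grep -v '^$' | while IFS='=' read -r knob val; do
        [ "$val" = "yes" ] || exit 1
        case " $KNOWN_KNOBS " in *" $knob "*) ;; *) exit 1 ;; esac
    done
}

# A kernel config must include GENERIC before subtracting from it and carry
# exactly one ident; anything else builds the wrong kernel or none at all.
check_kernel_conf() {
    awk '/^include GENERIC$/ { inc = NR }
         /^ident /          { idents++; if ($2 !~ /^[A-Z][A-Z0-9_]*$/) bad = 1 }
         /^nooptions /      { if (!inc) bad = 1 }
         END { if (idents != 1 || !inc) bad = 1; exit bad }' "$1"
}

# Render both files under a prefix and return the status of the checks.
write_build_inputs() {
    prefix=$1 ident=$2
    mkdir -p "$prefix/etc" "$prefix/usr/src/sys/amd64/conf"
    render_src_conf > "$prefix/etc/src.conf"
    render_kernel_conf "$ident" > "$prefix/usr/src/sys/amd64/conf/$ident"
    check_src_conf "$prefix/etc/src.conf" && check_kernel_conf "$prefix/usr/src/sys/amd64/conf/$ident"
}

# Rebuild order on the real host once the files are in /etc and
# /usr/src/sys/amd64/conf (run from /usr/src).  The first line is the slide's
# "make all files erasable, delete old compiled objects" step:
#   chflags -R noschg /usr/obj/usr && rm -rf /usr/obj/usr
#   make buildworld && make buildkernel KERNCONF=HARDENED
#   make installkernel KERNCONF=HARDENED   # reboot, then:
#   make installworld && make delete-old

if [ $# -gt 0 ]; then
    write_build_inputs "$1" "${2:-HARDENED}" && echo "build inputs rendered under $1"
fi
```

Run it as `sh build-inputs.sh /tmp/stage` to get the files under a staging prefix; the checks run before anything is copied into place, which is where a practitioner wants a misspelled knob to fail.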
36. 4 – Isolating processes
37. 4 – Isolating processes
a) Concept of a jail.
b) How to create a basic jail.
c) Maintainable jail system.
d) Jail deployment: approaches.
e) How to deploy a web site using jails.
38. 4.a – Concept of jail
Jail ≠ chroot
[Diagram: Jail = chroot rules + resources + network tools]
39. 4.a – Concept of jail.
Jail: Operating system level virtualization
40. 4.b – How to create a basic jail
Let’s get to work!
41. I. – Compilation variables
When can you use compilation variables?
• When compiling a port.
• When compiling the kernel.
• When compiling the user-land.
42. I. – Compilation variables
• FORCE_PKG_REGISTER: force reinstallation if the binary is already installed.
• PORT_DBDIR: location of the database that records which binaries are installed.
• PREFIX: destination of the compiled binaries.
• DESTDIR: chroots to the indicated path and installs the binaries into it.
43. II. – Create a jail
1. Creating the root folder for our jail:
2. Copying common system binaries:
3. Copying the system source code:
4. Installing the ports system into the jail:
5. Copying missing system configuration files:
[Callout next to steps 3 and 4: a special command that copies files, permissions, hard links, soft links, etc.]
44. II. – Create a jail
• Add to the host /etc/rc.conf:
To allow the jail to reach the network outside the jail, each jail must have an alias and use the same IP as that alias.
• Manually start the jail system:
45. II. – Create a jail
• Add to the jail’s /home/j/test_jail/etc/rc.conf:
This line allows the jail outside connectivity.
46. III. – Installation of programs
Installing the nginx server into the jail:
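The commands on slides 43–46 are screenshots, so the following script is an added example (not the deck's own commands) that writes the files those slides build by hand: the jail definition, the host-side rc.conf lines, the jail-side rc.conf, and a check on the result. It uses /etc/jail.conf, which is what jail(8) reads on current FreeBSD, instead of the rc.conf jail_* variables of the deck's era; the jail name test_jail, the root /home/j/test_jail, the interface em0 and the address 192.0.2.10 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the deck: write the files behind slides 43-46
# for a jail named test_jail, using /etc/jail.conf (what jail(8) reads on
# current FreeBSD; the deck's screenshots predate it and used rc.conf
# jail_* variables).  Everything is rendered under a scratch prefix so it
# can be reviewed before being copied to /.  Assumptions, all constructed:
# jail root /home/j/test_jail, interface em0, address 192.0.2.10 (RFC 5737
# documentation range).
set -e

# jail.conf(5) stanza.  "interface" makes jail(8) add ip4.addr as an alias on
# start and remove it on stop, which is the slide's "each jail must have an
# alias with the same IP" rule done automatically.  mount.devfs with ruleset 4
# (devfsrules_jail in /etc/defaults/devfs.rules) hides the host's disks and
# ttys from the jail; exec.clean starts it with a clean environment.
render_jail_conf() {
    name=$1 root=$2 ip=$3 iface=$4
    cat <<EOF
$name {
    path = "$root";
    host.hostname = "$name";
    interface = "$iface";
    ip4.addr = $ip;
    exec.clean;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;
}
EOF
}

# Host /etc/rc.conf: start the jail service at boot and name the jails it runs.
render_host_rc_conf() {
    printf 'jail_enable="YES"\njail_list="%s"\n' "$1"
}

# Jail /etc/rc.conf: nothing listens except the service the jail exists for.
render_jail_rc_conf() {
    cat <<'EOF'
sendmail_enable="NONE"
syslogd_flags="-ss"
rpcbind_enable="NO"
cron_enable="NO"
nginx_enable="YES"
EOF
}

# Checks before the file reaches /etc: exactly one stanza, an absolute path
# and a dotted-quad address.  Returns 0 on pass.
check_jail_conf() {
    conf=$1
    n=$(printf '%s\n' "$conf" | grep -c '^[A-Za-z0-9_]* {$' || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$conf" | grep -q '^    path = "/' || return 1
    printf '%s\n' "$conf" | grep -Eq '^    ip4\.addr = ([0-9]{1,3}\.){3}[0-9]{1,3};$' || return 1
}

# Render all three files under a prefix and return the check's status.
write_jail_files() {
    prefix=$1 name=$2 root=$3 ip=$4 iface=$5
    mkdir -p "$prefix/etc" "$prefix$root/etc"
    render_jail_conf "$name" "$root" "$ip" "$iface" > "$prefix/etc/jail.conf"
    render_host_rc_conf "$name" >> "$prefix/etc/rc.conf"
    render_jail_rc_conf > "$prefix$root/etc/rc.conf"
    check_jail_conf "$(cat "$prefix/etc/jail.conf")"
}

# After copying the files into place on the host, populate the jail tree and
# install the port into it (slides 43 and 46).  DESTDIR is the variable from
# slide 42 that makes the ports tree chroot into the jail path:
#   make -C /usr/src installworld DESTDIR=/home/j/test_jail
#   make -C /usr/src distribution DESTDIR=/home/j/test_jail
#   make -C /usr/ports/www/nginx install clean DESTDIR=/home/j/test_jail
#   service jail start test_jail

if [ $# -gt 0 ]; then
    write_jail_files "$1" test_jail /home/j/test_jail 192.0.2.10 em0 \
        && echo "jail files rendered under $1"
fi
```

Run it as `sh jail-files.sh /tmp/stage`, diff the rendered files against the host's, and only then copy them to /. Keeping the jail's own rc.conf this sparse is the point of the exercise: a jail that runs one service has one listening port to fingerprint.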
47. 4.c – Maintainable Jail system
48. 4.c – Maintainable Jail system
I. Separating roles
II. Block diagram
III. Advantages
IV. Real example: role separated web server
49. I. – Separating roles
[Diagram: an isolated system is built from shared base binaries, skeletons and shared programs]
50. I. – Separating roles
Q: What’s shared base binaries?
A: The user-land binaries. All jails have this in common.
Q: What’s Skeletons?
A: A collection of configuration files tuned for a specific
task. We have one skel for each role: web servers,
database servers, PHP, Java… They may also be called
templates.
Q: What’s shared programs?
A: Any program you want to run: apache, mysql, etc
51. I. – Separating roles
In other words…
Shared base binaries: common commands (ls, sed, awk, sort, uniq…).
Skeletons: custom config files (/etc/rc.conf, /etc/make.conf, /etc/pf.conf, …).
Shared programs: Apache, MySQL, PHP…
Resulting jail, e.g. a jailed Apache web server.
52. II. – Block diagram
53. III. – Advantages
Q: Why is this jail system maintainable?
A: Because all binaries are shared between all virtual
machines and jails through shared storage.
Q: Why use skel templates?
A: Because you can then deploy a new jail just by copying a template,
e.g. copying the skel of a web server.
Q: How can I update the system and/or any binary?
A: You only have to update the shared base binaries folder and/or the
shared programs folder. Updates will spread to all jails.
54. IV. – Role separated web server
a) Create folders for each type of role
b) Create shared base binaries container
c) Create base skeleton
d) Create shared web server
e) Mount the jail
f) Start the jail
55. a) Create folders for each type of role
• Skeletons:
• Shared base binaries:
• Shared binaries:
• Mounted jails: (working directory for a concrete jail)
56. b) Create shared base binaries container
57. c) Create base skeleton
Move configuration and non-shared info to the skel.
58. c) Create base skeleton
Copy missing configuration files (callout: not necessary for a template).
Make relative links to essential directories.
59. c) Create base skeleton
Copy the hardened configuration files (following the steps of point 3.b) into the jail:
• src.conf
• auth.conf
• login.conf
• make.conf
• sysctl.conf
60. d) Create shared web server
1. Create directory for binary:
2. Install nginx, and all its dependencies, into the folder:
61. e) Mount the jail
• Create mounting folder for our web server:
• Like a puzzle, join roles in /etc/fstab: (callouts: concrete skeleton of the web server; common and shared binaries; shared web server binaries)
• Add jail to /etc/rc.conf of host:
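The fstab "puzzle" of slide 61, and the folders of slides 55 to 60 that feed it, were only shown as screenshots. The script below is an added example, not the deck's own commands: it emits the nullfs lines that assemble one jail from the shared base, its skeleton and the shared web server binaries, the legacy jail_<name>_mount_enable / jail_<name>_fstab rc.conf lines that make rc.d/jail mount them, and a check that everything except the skeleton is mounted read-only. The paths (/home/j/www, /home/j/mroot, /home/js/www, /home/j/progs) and the jail name are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): assemble one role-separated jail from
# nullfs mounts in an fstab file, hook that fstab into the host's legacy
# jail_<name>_* rc.conf, and check that every shared piece is mounted
# read-only so one compromised jail cannot alter binaries the others use.
# All paths and the jail name are constructed assumptions.

# fstab lines for one jail.  $1 jail mount point, $2 shared base binaries,
# $3 skeleton (the jail's own, writable config), $4 shared programs
jail_fstab() {
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$2" "$1"            # base: read-only
    printf '%s\t%s\tnullfs\trw\t0\t0\n' "$3" "$1/s"          # skel: the only rw part
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$4" "$1/usr/local"  # programs: read-only
}

# Host rc.conf lines telling rc.d/jail to mount that fstab before starting
# the jail.  $1 jail name, $2 path of the jail's fstab file
host_mount_rc_conf() {
    printf 'jail_%s_mount_enable="YES"\njail_%s_fstab="%s"\n' "$1" "$1" "$2"
}

# Succeed only if every nullfs mount except the skeleton carries the "ro" option.
# $1 fstab text, $2 skeleton path
fstab_shared_readonly() {
    printf '%s\n' "$1" | awk -v skel="$2" '
        $3 == "nullfs" && $1 != skel {
            n = split($4, opt, ","); ro = 0
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
            if (!ro) bad++
        }
        END { exit (bad > 0) }'
}

# Demonstration with constructed paths.
fstab=$(jail_fstab /home/j/www /home/j/mroot /home/js/www /home/j/progs)
printf '%s\n' "$fstab"
host_mount_rc_conf www /etc/fstab.www
if fstab_shared_readonly "$fstab" /home/js/www; then
    echo "ok: shared base and programs are read-only"
fi
```

The mount order matters: the base lands on the jail root first, so the skeleton's mount point (s/) and the programs' mount point (usr/local/) must already exist as empty directories inside the read-only base, and the relative links of slide 58 (etc, var, home and so on pointing into s/) are what let the jail write its own configuration without the base ever being writable.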
62. f) Start the jail
At the end, we start the jail system by typing:
Or, if it is already started…
63. 4.d – Jail deploys: Approaches
64. 4.d – Jail deploys: Approaches
a) Simple architecture I
b) Simple architecture II
c) Equilibrated architecture.
d) Complex architecture.
65. Deploy approaches
Columns: Maintainability | Security level (ratings shown graphically on the slide)
a) Simple architecture I
b) Simple architecture II
c) Equilibrated architecture
d) Complex architecture
66. a) Simple architecture I
67. a) Simple architecture I
• One machine for all services.
• Shared programs: nginx, php, MySQL, pureFTPd…
• Separate storage types: DB/web content.
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Shared web and ftp servers for all web sites.
68. b) Simple architecture II
69. b) Simple architecture II
• One machine for all services.
• Shared programs: nginx, php, MySQL, pureFTPd…
• Separate storage types: DB/web content.
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Shared ftp servers for all web sites.
• Isolated web server for each web site.
(Callout: like Simple architecture I)
71. c) Equilibrated architecture
• Separate backend and frontend in two virtual machines.
• Shared programs in network storage: nginx, php, MySQL, pureFTPd…
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Shared ftp servers for all web sites.
73. d) Complex architecture
• 3 levels in 3 virtual machines: load balancer, business layer and backend.
• Separate storage outside the virtualization server.
• Isolated communications between jails.
• Isolated php runtime environment for each web site.
• Isolated web server for each web site.
• Shared ftp servers for all web sites.
74. 4.d – Deploying a web site using jails
Example: Deploy the WordPress site www.mytestsite.com
75. 4.d – Deploy a web site using jails
I. Select a deploy model
II. Create system binaries
III. Create binaries
IV. Create user content info
V. Create mounting folder
VI. Configure PHP
VII. Configure web server
VIII. Create PHP for site
IX. Create web server for site
X. Create FTP server
XI. Create web balancer
XII. Create MySQL server
XIII. Install WordPress
XIV. Configure jail and enable jail.
76. I. – Select deploy model
This example follows the model mentioned above: Simple architecture II
77. II. – Create system binaries
System binaries folder, shared by all jails.
78. III. – Create binaries
• Install php (callout: don't forget to compile it without the CLI option, for security!)
• Install mysql
• Install nginx
• Install ftp
79. IV. – Create user content info
Directories that will contain site info (callout: for future use).
80. V. – Create mounting folder
1. Create mount point directory:
2. Create root directories:
81. VI. – Configure php
• Modifying: /php/mytestsite.com/conf/php-fpm.ini
82. VI. – Configure php
• Modifying:
/home/js/mytestsite.com-php/usr/local/etc/php-fpm.conf
83. VII. – Configure web server
• Configuring: /home/j/mytestsite.com/usr/local/etc/nginx/nginx.conf
84. VIII. – Create PHP for site
• Create base folder and copy skeleton (or profile) for
web server
• Create mount point for each site of isolated php server.
• Create mount point for web content.
85. VIII. – Create PHP for site
• Configuration of init script for web server jail:
/home/j/mytestsite.com-php/etc/rc.conf
86. IX. – Create web server for site
• Create base folder and copy skeleton (or profile) for
web server
• Create mount point for each site of isolated web server.
• Create mount point for web content.
87. IX. – Create web server for site
• Configuration of init script for web server jail:
/home/j/mytestsite.com-wserver/etc/rc.conf
88. X. – Create FTP server
• Create base folder and copy skeleton (or profile) for FTP
server
• Create mount point of FTP isolated server.
• Create mount point for web content.
89. X. – Create FTP server
• Configuration of init script for FTP server jail:
/home/j/ftpserver/etc/rc.conf
90. X. – Create FTP server
• Configuring: /home/j/ftpserver/usr/local/etc/pure-ftpd.conf
There are more configuration parameters, but these are the most important.
91. XI. – Create web balancer
• Create base folder and copy skeleton (or profile) for
web balancer:
• Create mount point of web balancer isolated server.
92. XI. – Create web balancer
• Configuration of init script for web balancer jail:
/home/j/webbalancer/etc/rc.conf
93. XI. – Create web balancer
• Configuring: /home/j/webbalancer/usr/local/etc/nginx/nginx.conf
Redirect to web server of isolated web site.
94. XII. – Create MySQL server
• Create base folder and copy skeleton (or profile) for
mysql server:
• Create mount point of mysql isolated server.
95. XII. – Create MySQL server
• Configuration of init script for web server jail:
/home/j/mysql/etc/rc.conf
Change listen address.
96. XIII. – Install WordPress
• Install WordPress from FreeBSD sources, into the host system (callout: this method allows us to easily install our own patches).
• Copy sources to our site:
97. XIII. – Install WordPress
• Configure our WordPress installation, defining the location of MySQL (callout: the IP of our jail with MySQL).
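Slides 81 to 97 edit php-fpm.conf, two nginx.conf files, pure-ftpd.conf, the MySQL listen address and wp-config.php, but every screenshot is gone. The script below is an added example, not the author's configuration: it generates the listener and consumer settings that chain the PHP, web server, balancer and MySQL jails of the Simple architecture II deployment together, and checks that each daemon binds only to its own jail's address rather than falling back to 0.0.0.0. The jail addresses (10.0.0.1 to 10.0.0.4), the ports and the pool name are assumptions; the directives themselves (php-fpm listen and listen.allowed_clients, nginx listen / fastcgi_pass / proxy_pass, MySQL bind-address, WordPress DB_HOST) are the standard ones.

```shell
#!/bin/sh
# Added example (not from the slides): the settings that chain the jails of the
# WordPress deployment together, each daemon bound to its own jail address,
# plus a check that no listener falls back to 0.0.0.0. Addresses, ports and the
# pool name are constructed assumptions for illustration.

# php-fpm pool in the PHP jail: listen on the PHP jail's IP and accept
# connections only from the web server jail.  $1 PHP jail IP, $2 web jail IP
php_fpm_pool() {
    printf '[www]\nlisten = %s:9000\nlisten.allowed_clients = %s\n' "$1" "$2"
}

# nginx in the web server jail: serve the site and hand .php to the PHP jail.
# $1 web jail IP, $2 PHP jail IP, $3 site name
nginx_site() {
    cat <<EOF
server {
    listen ${1}:80;
    server_name ${3};
    root /usr/local/www/${3};
    location ~ \.php\$ {
        fastcgi_pass ${2}:9000;
        include fastcgi_params;
    }
}
EOF
}

# nginx in the balancer jail: the only address reachable from outside,
# proxying to the isolated web server jail.  $1 balancer IP, $2 web jail IP, $3 site name
nginx_balancer() {
    cat <<EOF
server {
    listen ${1}:80;
    server_name ${3};
    location / {
        proxy_pass http://${2}:80;
    }
}
EOF
}

# MySQL in its own jail: bind to the jail address only.  $1 MySQL jail IP
my_cnf() {
    printf '[mysqld]\nbind-address = %s\n' "$1"
}

# wp-config.php fragment pointing WordPress at the MySQL jail.  $1 MySQL jail IP
wp_config_db_host() {
    printf "define('DB_HOST', '%s');\n" "$1"
}

# Print every address a config binds to: nginx "listen ip:port;",
# php-fpm "listen = ip:port" and MySQL "bind-address = ip".  $1 config text
bound_addresses() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^[[:space:]]*listen[[:space:]]*=*[[:space:]]*\([0-9.]*\):.*/\1/p' \
        -e 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*\([0-9.]*\).*/\1/p'
}

# Succeed only if the config binds at least one address and all of them equal
# the jail's IP; a 0.0.0.0 or wrong-jail listener fails.  $1 config text, $2 jail IP
bound_only_to() {
    all=$(bound_addresses "$1")
    [ -n "$all" ] && [ -z "$(printf '%s\n' "$all" | grep -v -x -F "$2")" ]
}

# Demonstration with constructed jail addresses.
BAL_IP=10.0.0.1; WEB_IP=10.0.0.2; PHP_IP=10.0.0.3; DB_IP=10.0.0.4
site=www.mytestsite.com
php_fpm_pool "$PHP_IP" "$WEB_IP"
nginx_site "$WEB_IP" "$PHP_IP" "$site"
nginx_balancer "$BAL_IP" "$WEB_IP" "$site"
my_cnf "$DB_IP"
wp_config_db_host "$DB_IP"
if bound_only_to "$(my_cnf "$DB_IP")" "$DB_IP"; then
    echo "ok: mysql bound to its jail address only"
fi
if ! bound_only_to "$(my_cnf 0.0.0.0)" "$DB_IP"; then
    echo "rejected: mysql on 0.0.0.0 would be reachable from every jail"
fi
```

Because a jail shares the host's network stack, a daemon that binds to 0.0.0.0 inside one jail is reachable on every jail's address; pinning each listener to its own IP, and narrowing php-fpm further with listen.allowed_clients, is what makes the "isolated communications between jails" bullet of the architecture slides hold in practice.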
98. XIV. – Configure and enable the jail
Configure /etc/fstab.
99. XIV. – Configure and enable the jail
Configure /etc/fstab (cont).
100. XIV. – Configure and enable the jail
Enable jail in the system /etc/rc.conf:
101. XIV. – Configure and enable the jail
Enable jail in the system /etc/rc.conf (cont):