Because of the recent exposure of the httpd exploit on dd-wrt I took another look at the config of my reverse proxy.
Because the proxy is running as root, a potential exploit would give a hacker root credentials. I therefore decided to run my reverse proxy as a different user. It has already been running for a while and I didn't notice any differences, so I thought it was time to post the changes....
I also tested to see what damage a potential hacker could do with a potential exploit of pound. I'm sure I can improve on the privileges I gave pound, but my focus was on getting it to run properly... Suggestions are welcome.
This is the modified startup script:
# cat /opt/etc/init.d/S80pound
```sh
#!/bin/sh
# The variable definitions were missing from the pasted copy; the values below are assumed.
NAME=pound
DAEMON=/opt/sbin/pound
POUNDCTL_BIN=/opt/sbin/poundctl
cfg=/opt/etc/pound/pound.cfg
rc=$1

case "$rc" in
  start)
    echo "Writing $cfg"
    /opt/sbin/write_pound_cfg
    echo "Starting $NAME"
    if [ -n "`pidof $NAME`" ]; then
      echo "$NAME already running"
    else
      if [ ! -e $cfg ]; then
        echo "missing $cfg"
        exit 1
      fi
      $DAEMON -v -f $cfg
    fi
    ;;
  stop)
    if [ -n "`pidof $NAME`" ]; then
      echo "Stopping $NAME"
      killall $NAME 2> /dev/null
    else
      echo "$NAME already stopped"
      exit 1
    fi
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    if [ -n "`pidof $NAME`" ]; then
      $POUNDCTL_BIN -c /tmp/pound.ctl
    else
      echo "$NAME is not running"
      exit 1
    fi
    ;;
  *)
    echo "Usage: $0 (start|stop|restart|status)"
    ;;
esac
exit 0
```
The three lines with "AS_USER" are added.
And this is the change in the 1st part of the config:
# cat /opt/etc/pound/pound.pt1
```
User "pound"
Group "pound"
TimeOut 120
Alive 30
Control "/tmp/pound.ctl"
ListenHTTP
Address 0.0.0.0
Port 8080
```
As you can see, as this less privileged user you can't see the /etc/passwd file, nor can you reboot or login as root.
```
root@WAN:/# su pound
BusyBox v1.13.4 (2009-07-21 03:02:22 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
@WAN:/tmp$
@WAN:/tmp$ reboot
@WAN:/tmp$
@WAN:/tmp$
@WAN:/tmp$ echo "" >>/tmp/hosts
sh: can't create hosts: Permission denied
@WAN:/etc$ su -
Password:
incorrect password
@WAN:/tmp$
```
_________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
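A pre-flight check for the privilege drop and the Host matching described in this post, added here as an example (it is not the thread's own code). It assumes a Linux/BusyBox /proc, the `pidof` applet, and constructs its sample configs inline:

```sh
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a pound config
# before a script like S80pound starts the daemon. Paths are assumptions.
# 0 if User and Group are set, so pound drops root after binding (the first post's change).
cfg_drops_privs() {
    grep -q '^[[:space:]]*User[[:space:]]*"[^"]*"' "$1" &&
    grep -q '^[[:space:]]*Group[[:space:]]*"[^"]*"' "$1"
}
# 0 if every HeadRequire pattern is anchored (^...$); an unanchored Host pattern over-matches.
headrequire_anchored() {
    sed -n 's/^[[:space:]]*HeadRequire[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" |
    while IFS= read -r pat; do
        case "$pat" in
            '^'*'$') ;;
            *) echo "unanchored HeadRequire: $pat" >&2; exit 1 ;;
        esac
    done
}
# Real uid of the running daemon, read from /proc; confirms pound is no longer root.
daemon_uid() {
    pid=$(pidof "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || return 1
    awk '/^Uid:/ { print $2 }' "/proc/$pid/status"
}
# Constructed sample config, modelled on pound.pt1 + pound.pt2 in this thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.cfg" <<'EOF'
User "pound"
Group "pound"
Control "/tmp/pound.ctl"
ListenHTTP
  Address 0.0.0.0
  Port 8080
  Service "landisk"
    HeadRequire "^Host:[\t ]*landisk\.mydomain\.org$"
    BackEnd
      Address 192.168.10.11
      Port 80
    End
  End
End
EOF
# Same config without the privilege drop and with a sloppy Host pattern.
sed -e '/^User/d' -e '/^Group/d' \
    -e 's/^\([[:space:]]*HeadRequire\).*/\1 "Host: landisk"/' \
    "$SAMPLES/good.cfg" > "$SAMPLES/bad.cfg"
cfg_drops_privs "$SAMPLES/bad.cfg" || echo "bad.cfg: pound would keep running as root"
```

Run `daemon_uid pound` from the status) branch of the init script to see the uid the daemon actually ended up with.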
I have a landisk attached to a dd-wrt router (192.168.10.1), and I have this configuration
access over internet (mydomain.org with zoneedit):
-http://publicip -> web page thanks to lighttpd
-http://publicip:81 -> configuration web menu
LAN
-http://192.168.10.11 -> configuration web menu
-ftp://192.168.10.11 -> ftp to the directory configured
The question is, I want to access my LAN over the internet, and I read this topic (before, I tried with a port forward in the NAT menu, but it doesn't work).
I have followed all the steps (copy-paste)
/opt/etc/init.d/S80pound
/opt/sbin/write_pound_cfg
/opt/etc/pound/pound.pt1
and in /opt/etc/pound/pound.pt2 I have written
```
Service "landisk"
HeadRequire "^Host:[\t ]*landisk\.mydomain\.org$"
BackEnd
Address 192.168.10.11
Port 80
End
End
Service "ftp"
HeadRequire "^Host:[\t ]*ftp\.mydomain\.org$"
BackEnd
Address 192.168.10.11
Port 21
End
End
End
```
In the web menu I have added this rule in Port forwarding:
-Landisk
-from 80
-protocol both
-IP address 192.168.10.11
-port to 8080
-enable checked
Trying to set up subdomains. Getting this error trying to install optware:
```
root@ddwrt:/tmp# sh /tmp/optware-install.sh
Checking system config ...
Using xxx.xxx.xxx.xxx as default gateway.
Using the following nameserver(s):
nameserver 192.168.5.1
Installing package uclibc-opt_0.9.28-12_mipsel.ipk ...
Connecting to ipkg.nslu2-linux.org (140.211.169.169:80)
Installing package ipkg-opt_0.99.163-9_mipsel.ipk ...
Connecting to ipkg.nslu2-linux.org (140.211.169.169:80)
/tmp/optware-install.sh: line 90: /opt/sbin/ldconfig: not found
/tmp/optware-install.sh: line 91: /opt/bin/ipkg: not found
/tmp/optware-install.sh: line 92: /opt/bin/ipkg: not found
/tmp/optware-install.sh: line 93: /opt/bin/ipkg: not found
```
I have improved the S80pound script.
Please download this script so I can give you proper support....
Your config will be written to /tmp/pound/pound.cfg
pound.pt1 and pound.pt2 are replaced by /opt/etc/pound/pound.header and /opt/etc/pound/pound.tail
pound.pt1 is not the same as pound.header. Just don't create pound.header for the time being.....
Hi Graegos....
If so, I can write a tutorial that doesn't need optware....
Hi frater,
that's exactly what I'm looking for, because I have enough space in my wrt54gs v1.1.
The problem is that I haven't found the binary of pound
Are you sure it is included in the mega version?
Many thanks in advance
--
fSeka
_________________ E3000 running DD-WRT v24-sp2 (Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858
Yes, it should be in the mega-version.
What's the output of:
```
which pound
```
or
```
find / -name pound
```
btw.. Just found out it's not in Eko's 'big'.
Hi,
I've just installed DD-WRT v24-sp2 (12/28/09) mega
(SVN revision 13525) (dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/12-28-09-r13525/broadcom/dd-wrt.v24_mega_generic.bin) and now when I type which pound dd-wrt responds /usr/sbin/pound.
So I think that pound is finally there :-)
@frater, do you have a tutorial to use pound without optware?
Many thanks in advance and best regards.
--
fSeka
I haven't got much time this month...
Check out this script...
It may need some changes to work....
```
wget http://wd.mirmana.com/S80pound
```
Just tested it from a remote location and it works. I don't think you used "wget".
My apache-server wasn't working today, but this file is not on my apache-server. If you connect with wget instead of a normal browser you will get my WD Worldbook, which is at your disposal to send you that file.
If you try it the same way again, you will get another error-message (from my Apache-server) which tells you to use "wget"
This is a demonstration of what pound can do for you....
I just have to enable jffs to store the pound.cfg and then it should work.
Thanks a lot again for your support.
--
fSeka