Posts Tagged ‘api’

The Twitter XML/JSON Feed API Transition Situation

A few weeks ago Twitter stopped supporting this URL convention to grab XML feeds of a user’s timeline:


http://twitter.com/statuses/user_timeline/{{SCREEN_NAME}}.(xml|json)

Fortunately, it’s still possible to fix your apps with a drop-in replacement, which was probably always considered the “right way” to grab them anyway:


https://api.twitter.com/1/statuses/user_timeline.(xml|json)?screen_name={{SCREEN_NAME}}

The bad news is it doesn’t look like this will work for long. REST API 1 is now deprecated and the new REST API 1.1 is set to replace it any day now:

Version 1 of the REST API is now deprecated and will cease functioning in the coming months. Migrate to version 1.1 today.

Unfortunately, this migration path isn’t as easy as just dropping in a new URL. It appears even the read-only timeline XML/JSON feed requires an OAuth authentication token.
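As an added illustration of what that migration actually involves (example code, not from the original post), here is a minimal OAuth 1.0a HMAC-SHA1 signer for the 1.1 user_timeline endpoint, which is JSON-only. The consumer key/secret and access token/secret are placeholders; real ones come from the app's Twitter registration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# REST API 1.1 endpoint for the same timeline feed (JSON only; 1.1 dropped XML).
API_URL = "https://api.twitter.com/1.1/statuses/user_timeline.json"

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept)."""
    return quote(str(value), safe="~")

def normalize(params):
    """Encode keys and values, sort by encoded key, join as k=v&k=v."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def signature_base_string(method, url, params):
    return "&".join([method.upper(), pct(url), pct(normalize(params))])

def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def build_request(screen_name, creds, nonce=None, timestamp=None):
    """Return (url, Authorization header value, base string) for a signed timeline GET."""
    query = {"screen_name": screen_name, "count": "20"}
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": creds["token"],
        "oauth_version": "1.0",
    }
    # Query-string parameters and oauth_* parameters are signed together.
    base = signature_base_string("GET", API_URL, {**query, **oauth})
    oauth["oauth_signature"] = sign(base, creds["consumer_secret"], creds["token_secret"])
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return API_URL + "?" + urlencode(query), header, base

# Constructed placeholder credentials; real values come from the app's Twitter registration.
DEMO_CREDS = {"consumer_key": "CK", "consumer_secret": "CS", "token": "TK", "token_secret": "TS"}
```

Send the returned header as `Authorization:` on the GET; the nonce and timestamp are what stop a captured request from being replayed.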

Mass Virtual Hosting Part Seven: Securing PHP with Suhosin

Suhosin is a Korean word which, roughly translated, means guardian angel. It is also the name of a clever PHP extension brought to us by the Hardened-PHP Project. When I found out it could provide transparent on-the-fly session and cookie encryption I thought sexual thoughts and sped off to install it. Fortunately for gentoo users, it’s a simple matter of adding the suhosin USE flag to PHP and (re)compiling:

# echo "dev-lang/php suhosin" >> /etc/portage/package.use
# emerge --newuse php

In fact, now is probably a good time to reevaluate your PHP USE flags; I tend to disable a bunch of functions that would simply not exist if certain extensions were not compiled in at all. This is what your stripped-down flags might look like:

[ebuild R ] dev-lang/php-5.2.13 USE="apache2 bcmath berkdb bzip2 cgi cli crypt ctype exif filter gd hash iconv ipv6 json mysql mysqli ncurses nls pcntl pcre pdo readline reflection session simplexml snmp spl ssl suhosin threads truetype unicode xml zip zlib -adabas -birdstep -calendar -cdb -cjk -concurrentmodphp -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -fastbuild -fdftk -firebird -flatfile -force-cgi-redirect -frontbase -ftp -gd-external -gdbm -gmp -imap -inifile -interbase -iodbc (-java-external) -kerberos -kolab -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -oci8 -oci8-instant-client -odbc -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -soap -sockets -solid -spell -sqlite -sybase -sybase-ct -sysvipc -tidy -tokenizer -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz"

Once you’ve recompiled you’re going to have to add the Suhosin configuration directives to your php.ini. For apache open /etc/php/apache-php5/php.ini and tack this on to the end:

; Logging
suhosin.log.syslog = S_ALL
suhosin.log.syslog.facility = LOG_USER
suhosin.log.syslog.priority = LOG_WARNING
suhosin.log.sapi = S_ALL
;suhosin.log.script
;suhosin.log.phpscript
;suhosin.log.script.name
;suhosin.log.phpscript.name
;suhosin.log.use-x-forwarded-for

; Executor Options
suhosin.executor.max_depth = 1000000
suhosin.executor.include.max_traversal = 3
;suhosin.executor.include.whitelist
;suhosin.executor.include.blacklist
;suhosin.executor.func.whitelist
suhosin.executor.func.blacklist = ""
;suhosin.executor.eval.whitelist
suhosin.executor.eval.blacklist = ""
suhosin.executor.disable_eval = On
suhosin.executor.disable_emodifier = On
suhosin.executor.allow_symlink = Off

; Misc Options
suhosin.simulation = Off
suhosin.apc_bug_workaround = Off
suhosin.sql.bailout_on_error = On
;suhosin.sql.user_prefix
;suhosin.sql.user_postfix
suhosin.multiheader = On
suhosin.mail.protect = 2
;suhosin.memory_limit

; Transparent Encryption Options
suhosin.session.encrypt = On
suhosin.session.cryptkey = "INSERT RANDOM CRAP HERE"
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr = 2
suhosin.session.checkraddr = 2
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "INSERT RANDOM CRAP HERE"
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
suhosin.cookie.cryptraddr = 2
suhosin.cookie.checkraddr = 2
;suhosin.cookie.cryptlist
;suhosin.cookie.plainlist

; Filtering Options
suhosin.filter.action = 402
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_name_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 50000000
suhosin.post.max_vars = 200
suhosin.post.disallow_nul = On
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 200
suhosin.request.max_varname_length = 64
suhosin.request.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
suhosin.upload.remove_binary = Off
;suhosin.upload.verification_script
suhosin.session.max_id_length = 128

Now head over to http://www.hardened-php.net/suhosin/configuration.html and tailor the configuration to suit your environment. Don’t forget to blacklist dangerous functions like apache_child_terminate, apache_setenv, define_syslog_variables, eval, exec, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, exec, pipe, set_time_limit, popen, proc_open, parse_ini_file, show_source, mail, dl, ini_set, ini_alter, virtual, openlog, apc_add, apc_bin_dump, apc_bin_dumpfile, apc_bin_loadfile, apc_cache_info, apc_cas, apc_clear_cache, apc_compile_file, apc_dec, apc_define_constants, apc_delete_file, apc_delete, apc_exists, apc_fetch, apc_inc, apc_load_constants, apc_store, symlink and eval!
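Two things are easy to get wrong in that fragment: leaving the cryptkey placeholders in place, and running with suhosin.simulation = On, which only logs and enforces nothing. The following added example (not part of the original post) parses a php.ini excerpt, flags those conditions, and gives each placeholder its own key from the OS CSPRNG; the baseline it checks against is an assumption drawn from the fragment above.

```python
import re
import secrets

PLACEHOLDER = "INSERT RANDOM CRAP HERE"
# Assumed hardened baseline, taken from the php.ini fragment above (simulation=On enforces nothing).
EXPECTED = {"suhosin.simulation": "off", "suhosin.executor.disable_eval": "on",
            "suhosin.session.encrypt": "on", "suhosin.cookie.encrypt": "on"}

def parse_suhosin_ini(text):
    """Return {directive: value} for the active (uncommented) suhosin.* lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a php.ini comment
        if not line.startswith("suhosin.") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip("\"'")
    return settings

def generate_cryptkey(nbytes=32):
    """A fresh key from the OS CSPRNG; hex pastes into php.ini as-is."""
    return secrets.token_hex(nbytes)

def fill_cryptkeys(text):
    """Give every placeholder its own random key (session and cookie keys should differ)."""
    return re.sub(re.escape(PLACEHOLDER), lambda _m: generate_cryptkey(), text)

def audit_suhosin_ini(text):
    """List what a reviewer would flag before this php.ini goes live."""
    s = parse_suhosin_ini(text)
    findings = []
    keys = {k: s.get(k, "") for k in ("suhosin.session.cryptkey", "suhosin.cookie.cryptkey")}
    for key, value in keys.items():
        if value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{key}: placeholder or short key")
    if len(set(keys.values())) == 1:
        findings.append("session and cookie cryptkeys are identical")
    for key, want in EXPECTED.items():
        if s.get(key, "").lower() != want:
            findings.append(f"{key}: expected {want}, got {s.get(key, '<unset>')}")
    return findings
# Constructed excerpt mirroring the fragment above, placeholders still in place.
SAMPLE_INI = """suhosin.simulation = Off
suhosin.executor.disable_eval = On
suhosin.session.encrypt = On
suhosin.session.cryptkey = "INSERT RANDOM CRAP HERE"
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "INSERT RANDOM CRAP HERE"
;suhosin.cookie.cryptlist
"""
```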

It seems Suhosin provides its own stack-smashing protection, potentially removing the need for the slow PIC (-fstack-protector-all) compile-time option. Until I get confirmation on this I’ll be using both just to be safe.

Remote Controlled Netfilter with ClearOS API

In my last post I shared a scriptlet that could be used to remotely block access to your network with apache, sudo and iptables. That script suffers from a major flaw: appended iptables rules are evaluated last, so wherever a universal ACCEPT rule preceded the script’s additions they were ignored. Another major drawback is that the rules disappear whenever the firewall is reloaded, the host is rebooted and so on. Fortunately ClearOS has an easy to use API that lets you directly manipulate its firewall properties the same way webconfig does. This script doesn’t require sudo rules or apache to be running. It DOES require ClearOS, and this is how to install it:

The SSL certificate webconfig provides will probably cause problems, so call the script like this if you use wget:

wget -O - "https://192.168.8.1:81/rcleartables.php?action=deny&name=$name&ip=$ip" --no-check-certificate >/dev/null 2>&1

Note that this script requires a name variable; it should be a unique identifier containing only letters and numbers (no spaces). I keep the name and other data associated with the blocks on the client end of things so the blocks can be removed by a button that executes the script with action=remove, and also take care of cleaning stale blocks by way of recorded timestamps. How you choose to extend the functionality is up to you.
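An added example of the client side described above (not from the original post): it builds the deny/remove URLs exactly as the script expects, validates the name and IP locally before anything is sent, and keeps a timestamped ledger so stale blocks can be lifted with action=remove. The 192.168.8.1:81 address is the one from the wget line; the key parameter follows the script’s own md5(shared_secret) convention.

```python
import hashlib
import ipaddress
import re
import time
from urllib.parse import urlencode

WEBCONFIG_URL = "https://192.168.8.1:81/rcleartables.php"   # the address used in the wget line above
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")   # the script's rule: letters and digits, no spaces

def build_request_url(base, action, ip, name="", shared_secret=""):
    """Build the GET the script expects; validate locally so a bad value never reaches it."""
    if action not in ("deny", "remove"):
        raise ValueError("action must be deny or remove")
    ipaddress.IPv4Address(ip)             # AddressValueError (a ValueError) on non dotted-quad input
    if action == "deny" and not NAME_RE.match(name):
        raise ValueError("deny requires an alphanumeric rule name")
    params = {"action": action, "ip": ip}
    if name:
        params["name"] = name
    if shared_secret:
        # The script's own scheme: a static md5(shared_secret) token in the query string.
        params["key"] = hashlib.md5(shared_secret.encode()).hexdigest()
    return base + "?" + urlencode(params)

class BlockLedger:
    """Client-side record of active blocks with timestamps, so stale ones can be lifted."""

    def __init__(self):
        self.blocks = {}                  # rule name -> (ip, created_at)

    def record(self, name, ip, now=None):
        self.blocks[name] = (ip, time.time() if now is None else now)

    def forget(self, name):
        self.blocks.pop(name, None)

    def stale(self, max_age, now=None):
        now = time.time() if now is None else now
        return [(n, ip) for n, (ip, t) in self.blocks.items() if now - t >= max_age]

    def expire_urls(self, base, max_age, shared_secret="", now=None):
        """URLs to fetch (action=remove) for every block older than max_age seconds."""
        return [build_request_url(base, "remove", ip, shared_secret=shared_secret)
                for _name, ip in self.stale(max_age, now)]
```

Because the key is a fixed value that is sent with every request, restrict who may reach the script with $allowed_clients as well; the key alone only proves possession of a replayable token.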

<?php
/*
           # Remote Controlled iptables ClearOS API
           # June 2010 http://foxpa.ws
           # WTFPL v.2 http://foxpa.ws/wtfpl/

/// DOCUMENTATION

DANGER: Improperly configured, this script could be used by an attacker to
        block legitimate traffic.

This script adds or removes a name/IP pair passed to it through the GET
variables "ip", "name" and "action" to or from the ClearOS Incoming Block
firewall ruleset. Valid action values are deny and remove.
The script prints a 0 on error or a 1 upon successful execution.
Place the script in /var/webconfig/htdocs and chown it to webconfig.

To block an IP, one would GET request it thus:

https://address:81/rcleartables.php?action=deny&ip=222.222.222.222&name=

On a successful block you would receive HTTP headers and a single 1 in the
body, or a 0 if the block was unsuccessful.

$whitelist is an array of IP addresses that should never be blocked
$allowed_clients should be an array of IP addresses allowed to have access to
this script. leave it blank to allow any host (not recommended).
$shared_secret is an optional key that can be passed to the script as an MD5
hash via GET var "key" to authenticate your application. Blank to disable.
$log_path should be the path to the specific file you would like to log actions
to. Blank to disable logging. Remember to update your log rotater's config.
*/

// CONFIGURATION
$whitelist = array();
$allowed_clients = array('');
$shared_secret = '';
$log_path = '/var/log/riptables.log';

// FUNCTIONS
function log_action($line)
{
	global $log_path, $remote_addr;
	if(!empty($log_path))
	{
		$fh = fopen($log_path, 'a');
		if($fh === false)
			return; // a logging failure must not leak a PHP warning into the response body
		$date = date("Y-m-d H:i:s", time());
		fwrite($fh, "$date $remote_addr - $line\n");
		fclose($fh);
	}
}

// SANITY CHECKING
$remote_addr = $_SERVER['REMOTE_ADDR']; // set first so every log line carries the caller
$action = isset($_GET['action']) ? $_GET['action'] : '';
if(empty($_GET['ip']))
{
	log_action("IP not specified");
	die('0');
}
if($action == 'deny' and empty($_GET['name']))
{
	log_action('Rule name not specified');
	die('0');
}
$ip = $_GET['ip'];
$name = isset($_GET['name']) ? $_GET['name'] : '';
// Require a well-formed dotted quad; the old per-octet loop let non-numeric values through
if(filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false)
{
	log_action("Invalid IP Address $ip");
	die('0');
}
// Rule names are alphanumeric identifiers with no spaces, as documented above
if($name !== '' and !preg_match('/^[A-Za-z0-9]+$/', $name))
{
	log_action("Invalid rule name $name");
	die('0');
}
// Honour $whitelist: addresses listed there are never blocked
if($action == 'deny' and in_array($ip, $whitelist))
{
	log_action("Refused to block whitelisted address $ip");
	die('0');
}
$ip = escapeshellcmd($ip);
// Strict comparison, and a missing key must fail rather than raise a notice
if(!empty($shared_secret) and (!isset($_GET['key']) or $_GET['key'] !== md5($shared_secret)))
{
	log_action("DANGER Invalid shared secret. Remember to encrypt your key variable with MD5.");
	die('0');
}
if(!empty($allowed_clients[0]))
{
	$valid = false;
	foreach($allowed_clients as $allowed)
	{
		// was an assignment (=), which marked every client valid
		if($allowed === $remote_addr)
			$valid = true;
	}
	if(!$valid)
	{
		log_action("DANGER Client is not in \$allowed_clients array. This could be a sign of exposure.");
		die('0');
	}
}

// THE BRAINS
require_once("/var/webconfig/api/FirewallIncoming.class.php");
$fw = new FirewallIncoming();

if($_GET['action'] == 'deny')
{
	$fw->AddBlockHost($name, $ip);
	$fw->Restart();
	log_action("$ip was blocked");
	print('1');
}
elseif($_GET['action'] == 'remove')
{
	$fw->DeleteBlockHost($ip);
	$fw->Restart();
	log_action("$ip was removed");
	print('1');
}
else
{
	log_action('Invalid action parameter.');
	die('0');
}

?>

foxpa.ws
Made in Canada  •  There's a fox in the Gibson!  •  2010-12