sandboxing java plugins – security
Posted by admin - 13/04/13 at 12:04:58 am
Link-time security:
– extend secure class loaders to load new jar files
– override:
public Class<?> loadClass(String name) throws ClassNotFoundException {
– allow only safe classes to be visible.
– Important: hiding packages in the class loader does not prevent malicious code from reaching objects through the java.lang.reflect package. Hiding reflection as well should make the sandbox safe, even without using security managers.
Runtime security:
– use custom security managers
– for every critical function, check whether the calling context is restricted:
for (Class<?> cls : getClassContext()) {
    if (cls.getName().startsWith("com.example.plugins")) {
        // context is restricted!
    }
}
– Other considerations:
The custom security manager has to deny the following to restricted code:
– setting a new security manager
– modifying the current security manager
– class loading
– reflection
– unrestricted file system access
– java.lang.Runtime
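The following single-file Java host is an added illustration and not code from the post: it ties the two layers together, a class loader that implements the allow-list described under link-time security (plugin classes are only ever accepted under the plugin package, so a plugin cannot dodge the name check by shipping classes elsewhere) and a security manager that runs the getClassContext() check above before denying the operations in the list. The package names com.example.host and com.example.plugins, the Plugin interface, the HelloPlugin class and the plugin jar passed as args[0] are assumptions. SecurityManager is deprecated for removal since JDK 17, needs -Djava.security.manager=allow on JDK 18 and later, and is disabled for good in JDK 24; as written the file compiles on JDK 8 through 17.

```java
package com.example.host;

import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Paths;
import java.security.Permission;
import java.util.Arrays;
import java.util.List;

public final class PluginHost {

    /** Hypothetical host/plugin contract: a plugin implements it, the host calls run(). */
    public interface Plugin {
        String run();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: args[0] is a jar whose class com.example.plugins.HelloPlugin implements Plugin.
        URL pluginJar = Paths.get(args[0]).toUri().toURL();
        System.setSecurityManager(new PluginSecurityManager());
        PluginClassLoader loader = new PluginClassLoader(pluginJar, PluginHost.class.getClassLoader());
        Class<?> cls = loader.loadClass(PluginClassLoader.PLUGIN_PKG + "HelloPlugin");
        Plugin plugin = (Plugin) cls.getDeclaredConstructor().newInstance();
        System.out.println("plugin returned: " + plugin.run());
    }
}

/** Link-time control: plugin code only gets to see an allow-list of classes. */
final class PluginClassLoader extends URLClassLoader {
    static final String PLUGIN_PKG = "com.example.plugins.";
    // Assumed allow-list; list only what plugins legitimately need.
    private static final List<String> VISIBLE_PKGS = Arrays.asList("java.lang.", "java.util.");
    // Hidden although they sit inside visible packages: reflection, process/runtime, loaders, threads.
    private static final List<String> HIDDEN_PKGS = Arrays.asList("java.lang.reflect.");
    private static final List<String> HIDDEN_CLASSES = Arrays.asList(
            "java.lang.Runtime", "java.lang.Process", "java.lang.ProcessBuilder",
            "java.lang.ClassLoader", "java.lang.System", "java.lang.Thread");

    PluginClassLoader(URL pluginJar, ClassLoader parent) {
        super(new URL[] {pluginJar}, parent);
    }

    @Override
    public Class<?> loadClass(String name) throws ClassNotFoundException {
        if (name.startsWith(PLUGIN_PKG)) {
            return super.loadClass(name);   // the plugin's own classes, found in its jar
        }
        // Anything outside PLUGIN_PKG that is not explicitly visible fails to load, so a plugin
        // cannot escape the security manager's name check by using another package name.
        for (String pkg : HIDDEN_PKGS) {
            if (name.startsWith(pkg)) throw new ClassNotFoundException("hidden from plugins: " + name);
        }
        if (HIDDEN_CLASSES.contains(name)) throw new ClassNotFoundException("hidden from plugins: " + name);
        if (name.equals(PluginHost.Plugin.class.getName())) return super.loadClass(name);
        for (String pkg : VISIBLE_PKGS) {
            if (name.startsWith(pkg)) return super.loadClass(name);
        }
        throw new ClassNotFoundException("not visible to plugins: " + name);
    }
}

/** Runtime control: the post's getClassContext() check, applied before every sensitive operation. */
final class PluginSecurityManager extends SecurityManager {

    private boolean pluginOnStack() {
        for (Class<?> cls : getClassContext()) {
            if (cls.getName().startsWith(PluginClassLoader.PLUGIN_PKG)) return true;
        }
        return false;
    }

    @Override
    public void checkPermission(Permission perm) {
        if (!pluginOnStack()) return;   // trusted host code stays unrestricted
        String n = perm.getName();
        // Deny-list mirroring the post's bullets; a production policy would rather default-deny.
        boolean deny = perm instanceof FilePermission     // file system; Runtime.exec also checks FilePermission "execute"
                || perm instanceof ReflectPermission      // suppressAccessChecks, i.e. setAccessible
                || (perm instanceof RuntimePermission && (
                        n.equals("setSecurityManager") || n.equals("createSecurityManager")
                        || n.equals("createClassLoader") || n.equals("getClassLoader")
                        || n.equals("setContextClassLoader") || n.equals("accessDeclaredMembers")
                        || n.startsWith("exitVM") || n.startsWith("loadLibrary.") || n.equals("setIO")));
        if (deny) throw new SecurityException("denied to plugin code: " + perm);
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }
}
```

Compile the host, compile the plugin against it, then run with `java -cp host.jar com.example.host.PluginHost plugin.jar`. The two layers back each other up: a plugin that references java.io.File fails at link time with NoClassDefFoundError, and a plugin that reaches the file system through a class it is allowed to see is stopped at run time by the FilePermission denial.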
convert openssl pem to java keystore jks
Posted by admin - 07/01/13 at 08:01:38 pm
1- Export the PEM certificate and key to PKCS#12 format using openssl:
openssl pkcs12 -export -out domain.com.pkcs12 -in domain.com.pem -inkey domain.com.key
2- Convert the PKCS#12 file to JKS:
/opt/jdk/bin/keytool -importkeystore -srckeystore domain.com.pkcs12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore domain.com.jks
3- Done.
JKS to PKCS#12 (the reverse direction):
keytool -importkeystore -srckeystore domain.com.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore domain.com.p12
Scalable transparent SSL load balancer using only HAProxy
Posted by admin - 17/11/12 at 10:11:21 pm
Recent HAProxy versions (1.5 and later) support the PROXY protocol, a clean, straightforward protocol designed to attach the source information to TCP streams. This means that a layer 3/4 load balancer can offload SSL connections to more than one server while preserving the source address.
Basic setup:
1- Install HAProxy 1.5 on the TCP load balancer and on all SSL termination servers.
Download, untar, change into the extracted directory, and compile (with SSL on the SSL termination servers):
make TARGET=linux26 USE_OPENSSL=yes ; make install ;
2- Configure the TCP load balancer:
global
maxconn 200000
daemon
nbproc 8
defaults
timeout client 60000
timeout server 50000
timeout connect 25000
listen ssh *:443
mode tcp
balance source
server s1 10.10.10.10:8443 send-proxy
server s2 10.10.10.11:8443 send-proxy
server s3 10.10.10.12:8443 send-proxy
3- Configure all ssl termination servers:
global
maxconn 200000
daemon
nbproc 8
defaults
timeout client 60000
timeout server 50000
timeout connect 25000
frontend https
mode http
bind 0.0.0.0:8443 ssl crt /root/all.pem accept-proxy
default_backend https_backend
backend https_backend
mode http
option forwardfor
server s1 http-website.com:8080 check
4- Each SSL termination server forwards the request to the main HTTP server with the client address in the X-Forwarded-For header. Make sure the main HTTP server is configured to read the client address from the X-Forwarded-For header and not from the connection source.
Given enough SSL offloading servers, the load balancer can support up to tens of thousands of connections. Thanks to Willy Tarreau for the wonderful piece of software.
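HAProxy's accept-proxy does this parsing itself; the following Java class is an added example (not from the post or from HAProxy) that shows what the v1 header the balancer's send-proxy puts in front of each connection actually carries, and the check a receiver has to make before believing it: only a known balancer may assert a client address, because a header is just text that any direct client could send. The balancer address 10.10.10.1 and the sample packet are constructed. The same reasoning applies one hop later to the X-Forwarded-For header at the web server, which should likewise only be accepted from the termination servers.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** The client information a PROXY protocol v1 line carries, plus where the real stream starts. */
final class ProxyV1Header {
    final String family;            // TCP4, TCP6 or UNKNOWN
    final String srcAddr, dstAddr;  // null for UNKNOWN
    final int srcPort, dstPort;     // -1 for UNKNOWN
    final int length;               // bytes consumed; the TLS ClientHello begins at this offset

    ProxyV1Header(String family, String srcAddr, String dstAddr, int srcPort, int dstPort, int length) {
        this.family = family; this.srcAddr = srcAddr; this.dstAddr = dstAddr;
        this.srcPort = srcPort; this.dstPort = dstPort; this.length = length;
    }
}

/** Strict parser for the v1 text header that send-proxy prepends to every connection. */
final class ProxyV1Parser {
    private static final int MAX_LINE = 107;  // longest legal v1 line including CRLF (the TCP6 case)
    private final Set<String> trustedPeers;   // balancers allowed to assert a client address

    ProxyV1Parser(Set<String> trustedPeers) { this.trustedPeers = trustedPeers; }

    /** peer is the real TCP peer; a header offered by anyone else is rejected rather than parsed. */
    ProxyV1Header parse(byte[] buf, String peer) {
        if (!trustedPeers.contains(peer)) {
            throw new SecurityException("PROXY header from untrusted peer " + peer);
        }
        int end = -1;
        int limit = Math.min(buf.length, MAX_LINE);
        for (int i = 0; i + 1 < limit; i++) {
            if (buf[i] == '\r' && buf[i + 1] == '\n') { end = i; break; }
        }
        if (end < 0) throw new IllegalArgumentException("no CRLF within the first " + MAX_LINE + " bytes");
        String line = new String(buf, 0, end, StandardCharsets.US_ASCII);
        String[] f = line.split(" ", -1);
        if (f.length < 2 || !f[0].equals("PROXY")) throw new IllegalArgumentException("bad signature: " + line);
        int consumed = end + 2;
        if (f[1].equals("UNKNOWN")) {
            // The sender has no client information; the rest of the line is to be ignored.
            return new ProxyV1Header("UNKNOWN", null, null, -1, -1, consumed);
        }
        if (f.length != 6) throw new IllegalArgumentException("expected 6 fields: " + line);
        boolean v6;
        if (f[1].equals("TCP4")) v6 = false;
        else if (f[1].equals("TCP6")) v6 = true;
        else throw new IllegalArgumentException("unsupported family " + f[1]);
        return new ProxyV1Header(f[1], checkAddr(f[2], v6), checkAddr(f[3], v6),
                checkPort(f[4]), checkPort(f[5]), consumed);
    }

    /** Syntax check only (no DNS is ever consulted): dotted quad with octets 0-255, or hex groups for IPv6. */
    private static String checkAddr(String s, boolean v6) {
        if (v6) {
            if (s.length() > 45 || !s.matches("[0-9A-Fa-f:.]+") || s.indexOf(':') < 0
                    || s.indexOf("::") != s.lastIndexOf("::")) {
                throw new IllegalArgumentException("bad IPv6 address " + s);
            }
            return s;
        }
        String[] octets = s.split("\\.", -1);
        if (octets.length != 4) throw new IllegalArgumentException("bad IPv4 address " + s);
        for (String o : octets) {
            if (!o.matches("[0-9]{1,3}") || Integer.parseInt(o) > 255) {
                throw new IllegalArgumentException("bad IPv4 address " + s);
            }
        }
        return s;
    }

    private static int checkPort(String s) {
        if (!s.matches("[0-9]{1,5}")) throw new IllegalArgumentException("bad port " + s);
        int p = Integer.parseInt(s);
        if (p > 65535) throw new IllegalArgumentException("bad port " + s);
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample: what s2 in the post's config receives from a balancer at 10.10.10.1 (assumed).
        ProxyV1Parser parser = new ProxyV1Parser(new HashSet<>(Arrays.asList("10.10.10.1")));
        byte[] packet = "PROXY TCP4 198.51.100.23 10.10.10.11 51234 443\r\nTLS-CLIENT-HELLO-BYTES"
                .getBytes(StandardCharsets.US_ASCII);
        ProxyV1Header h = parser.parse(packet, "10.10.10.1");
        System.out.println("client " + h.srcAddr + ":" + h.srcPort + ", stream starts at byte " + h.length);
        try {
            parser.parse(packet, "203.0.113.9");   // a direct client sending its own header line
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the post's setup the equivalent of the trusted-peer check is making port 8443 on the termination servers reachable only from the balancer, for instance with a host firewall rule, since accept-proxy itself will take a header from whoever connects.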
XBee DIO
Posted by admin - 10/05/12 at 04:05:56 am
The configuration for two XBee modules to pass a digital signal:
Remote – TX setup (attached to the doorbell input button)
- D0 – DIO Configuration – (3 – DI)
- IC – DIO Change Detect – (FF)
- Set the sample rate to zero
Base – RX setup
- D0 – DIO Configuration – (4 – DO)
- Under I/O Line Passing set "Input Addresses" to 0xFFFF
- Set IU – I/O Output Enable to Disabled
JMX
Posted by admin - 29/04/12 at 04:04:00 am
JVM options that enable remote JMX on port 5678 with authentication and SSL turned off:
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=5678 -Dcom.sun.management.jmxremote.ssl=false
Tomcat for performance
Posted by admin - 19/12/11 at 01:12:13 am
Tomcat used to be a slow, bulky Java web server before version 6.x. Version 6 allowed a custom executor to handle requests and introduced the non-blocking built-in connector protocol="org.apache.coyote.http11.Http11NioProtocol", which requires very little configuration, unlike the old APR connectors. Follow the steps below to get the most out of your Tomcat installation:
- By default, Tomcat is not configured to use the non-blocking connector; this is the very first thing to change when installing Tomcat (in the Connector element of server.xml):
<Connector port="8080" ... protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000"/>
- Disable logging: this has its downsides, but the performance benefits are massive, especially if the web server runs on a VPS. Disable Catalina logging in conf/logging.properties and disable the access log in server.xml. This saves disk space and, most importantly, saves waiting time when your website's traffic is massive or when using an SSL connector.
- IMPORTANT: increase the OS limits. Linux users should raise the open-file limit (ulimit -n) and the fs.file-max setting in /etc/sysctl.conf; this prevents the "Too Many Connections" error (Windows users: do some Google research).
- Memory matters (depending on the application): add JAVA_OPTS='-Xms1g -Xmx2g' to catalina.sh; the values depend on your installation. Remember to leave some memory for the OS kernel to run freely.
- Tested under Oracle JDK; OpenJDK delivered a very acceptable performance.
tomcat 6/7 without keytool
Posted by admin - 13/12/11 at 09:12:27 pm
To add SSL support to your Tomcat installation without using keytool and Tomcat keystores, you can use your OpenSSL-generated key file, CA file and certificate files to build a .p12 chain. To import the existing .crt signed by your own CA into a PKCS12 keystore using OpenSSL, execute:
openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
This generates a .p12 file that you can use in your Tomcat connector. But first you have to tell Tomcat that this is a PKCS12 file by editing conf/server.xml:
<Connector port="443" minSpareThreads="5" maxSpareThreads="75" acceptCount="400" maxThreads="400" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/path/to/mycerts/mycert.p12" keystorePass="changeit" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/javascript,text/css" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000"/>
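Both keystore posts (PEM to JKS above, and the PKCS12 connector here) end with a store that keytool and Tomcat will load even when the chain inside is incomplete or the leaf has expired, which only shows up later as browser errors. The following Java program is an added check, not code from the post or from Tomcat: it opens a PKCS12 or JKS store with the JDK's KeyStore API and, for every private-key entry, verifies that a chain is present, that the leaf is within its validity period and that each certificate is signed by the next one. The command-line arguments (store path, store type, password) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Verifies that a PKCS12 or JKS store is fit for an SSL connector: key entry, linked chain, valid dates. */
public final class KeystoreCheck {

    /** Returns one finding per alias; throws on the first unusable key entry. */
    static List<String> check(InputStream in, String storeType, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);   // "PKCS12" or "JKS"
        ks.load(in, password);
        List<String> report = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                report.add(alias + ": trusted certificate only, no private key");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                throw new IllegalStateException(alias + ": key entry has no certificate chain");
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
            // Each certificate must be signed by the one after it (throws SignatureException otherwise).
            for (int i = 0; i + 1 < chain.length; i++) {
                chain[i].verify(chain[i + 1].getPublicKey());
            }
            X509Certificate last = (X509Certificate) chain[chain.length - 1];
            boolean selfSigned = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
            if (selfSigned) {
                last.verify(last.getPublicKey());
            }
            report.add(alias + ": key entry, chain length " + chain.length
                    + ", leaf " + leaf.getSubjectX500Principal()
                    + " valid until " + leaf.getNotAfter()
                    + (selfSigned ? ", chain ends at a root CA"
                                  : ", chain ends at " + last.getSubjectX500Principal()
                                    + " (clients must already trust its issuer)"));
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java KeystoreCheck /path/to/mycerts/mycert.p12 PKCS12 changeit
        try (InputStream in = new FileInputStream(args[0])) {
            for (String line : check(in, args[1], args[2].toCharArray())) {
                System.out.println(line);
            }
        }
    }
}
```

Run it against the .p12 produced by the openssl command above (with -chain the last entry is the CA root and the program reports a complete chain) and against the .jks from the conversion post; a chain that stops short of a self-signed certificate is the usual reason browsers complain while Tomcat starts cleanly.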
Repair mysql replication
Posted by admin - 14/10/11 at 12:10:11 am
When the MySQL server has a problem replicating data on the slave, the slave stops running:
mysql> show slave status \G
Slave_SQL_Running: No
Last_Error: Error 'Table 'dbx.test' doesn't exist' on query. Default database: 'dbx'.
To fix the error, we just ignore it and resume the replication with the following steps:
1. Stop the slave: mysql> STOP SLAVE;
2. Skip the failing statement: mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;
3. Resume: mysql> START SLAVE;
At this point mysql> show slave status \G will return "Slave_SQL_Running: Yes".
Foreign Ambassadors in Lebanon (fun)
Posted by admin - 29/09/11 at 07:09:18 pm
Japan: Yama Nikto Yama
Russian: Nico Balakhof
French: Jean Jabliquier
Greece: Yaniki Yatriki
Yemen: Abed al Haresss Bayddatou
Spain: Maria De Coussamantouf
Mexico: Franco Dandalaero
China: Shim Tizi Shim
Italy: Bitizou Fellini
Germany: Shlakto Btakhto
Turkey: Intisab Hamamat
Congo: Zibbo Wawa
Romania: Esseminshof Airomov
Jordan: Ba3ass Al Matayzeh
Kuweit: Abdalah Al-Nakkah
Saudi Arabia: Mahsour Bin Fakhdayn
Armenia: Tobtanik Bokhshakyan
Peru: Pedro tartash
India: Jawaher ejadahro
More to come…
create and sign your own mod_ssl httpd certificate
Posted by admin - 11/02/11 at 04:02:33 pm
Short answer:
# openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
# openssl rsa -in server.key -out server.pem
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 60000 -in server.csr -signkey server.key -out server.crt
For the httpd startup script (strip the passphrase so httpd can start without prompting):
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# chmod 400 server.key