Re: [SLUG] Looking for a firewall

From: thor_consulting@yahoo.com
Date: Wed Aug 13 2003 - 15:22:08 EDT


whoa chief!!!

i have a better understanding of your predicament.

another work-around i came across for NS servers was to hack the binary to
disable TRACE requests.

i'm a firm believer in hacking any binaries that exclude source code as a
means of security through obfuscation.

my favorite binary editor has always been beav:
ftp://rpmfind.net/linux/contrib/libc6/i386/beav-14.0.6-2.i386.rpm

i just hacked the httpd binary, changing TRACE to SPACE:

[apache@asgaard]$ GET -m TRACE http://asgaard.mineshaftgap.org:79/
--surrounding_h_t_m_l_tags_deleted_so_this_makes_it_through_the_anal_filtering--
403 Forbidden

--surrounding_h_t_m_l_tags_deleted_so_this_makes_it_through_the_anal_filtering--

20 minutes of hacking and voila! no TRACE!

thor
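Thor checks his patched httpd with `GET -m TRACE ...` and reads the 403 by eye. The script below is an added example, not code from the post or from any project named in it: a small Python probe that sends a raw TRACE request the same way and decides whether the server still honours TRACE (a 200 that echoes the request back) or refuses it (403, 405, 501, or a dropped connection). The two in-process servers and the `X-Probe` marker header are constructed here so the check runs offline; `check_trace` takes any host and port, so it can be pointed at a real server after a change like the one Thor describes.

```python
"""Probe whether an HTTP server still honours the TRACE method.

Added example (not from the original post). TRACE is 'enabled' when the
server answers 200 and echoes the request, which is what a TRACE-based
credential-disclosure check looks for; anything else counts as disabled.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = b"X-Probe: trace-check"   # constructed header we expect echoed back


def trace_status(host, port, timeout=5.0):
    """Send `TRACE / HTTP/1.0` and return (status_code, body_bytes)."""
    req = (b"TRACE / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n"
           + MARKER + b"\r\n\r\n")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:                      # HTTP/1.0: read until server closes
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    return code, body


def classify(code, body):
    """True only when TRACE is honoured: 200 plus our marker echoed back."""
    return code == 200 and MARKER in body


def check_trace(host, port):
    """Return {'code': <status>, 'enabled': <bool>} for host:port."""
    code, body = trace_status(host, port)
    return {"code": code, "enabled": classify(code, body)}


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still honours TRACE."""
    def do_TRACE(self):
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):        # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE refused."""
    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

    def log_message(self, *args):
        pass


def start_server(handler):
    """Serve `handler` on a random loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the probe against both constructed servers; returns the results."""
    results = {}
    for name, handler in (("echo", EchoTraceHandler),
                          ("hardened", HardenedHandler)):
        srv = start_server(handler)
        try:
            results[name] = check_trace(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        state = "TRACE ENABLED" if result["enabled"] else "trace disabled"
        print(f"{name}: HTTP {result['code']} -> {state}")
```

Checking for the echoed marker, rather than only for a 200, avoids a false positive on servers that answer every unknown method with a 200 error page.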

----- Original Message -----
From: "Greg Schmidt" <slugmail@gschmidt.net>
To: <slug@nks.net>
Sent: Wednesday, August 13, 2003 01:46
Subject: Re: [SLUG] Looking for a firewall

> Levi Bard wrote:
> >>The original poster may not want an HTTP proxy, but that's really the best
> >>way to enforce these kinds of protocol-level restrictions. If it's the
> >>reconfiguration of clients that's holding you back, proxies can be
> >>transparent.
> >
> >
> > I agree, an http proxy is the way to go. For example, the proxy they
> > use at my work only allows GET and POST (I believe, they may be others, but
> > I'm sure it won't do CONNECT and probably not TRACE either).
> >
> > Levi
>
> OK, I'm convinced. Thanks everyone. If I'm going to do this I'll need
> a full-blown proxy.
>
> Brian, thanks for suggesting snort-inline, but the caveats you mention
> probably preclude it. You seemed to have the best answer to my
> original, ill-conceived question.
>
> Thor, to attempt to answer your questions, it is not IIS, but Apache,
> more specifically, tomcat. mod_rewrite, what I would likely use to
> disable HTTP TRACE, is not compiled in. Moreover, there seems to be not
> one line of source code on the box. When I ran ./configure I discovered
> there was also no C compiler. At least they left the man pages.
>
> Before I did anything significant to this appliance I cloned the drive.
> LILO now boots into "FIX" and "SUPPORTED". Anything about changing
> the config, much less recompiling apache, is completely and absolutely
> unsupported by the vendor. Without any tools on the drive to fix it,
> I'm leaning toward putting another box in front of it to protect it. It
> started life as a RedHat distro. The meat of the product they're
> selling is some reasonably significant java magic. I have lingering
> doubts about my ability to stick a tomcat apache I compiled under their
> java and still have it work. Nothing in the vendor's docs mentions a
> Linux console much less plugging a keyboard and monitor into the box.
> It's a 1-U server "appliance" you are supposed to be able to just plug
> into the network, and after setting an IP address through a java app
> with a serial cable, just stand up and run. It is, according to plan,
> completely managed by a java GUI. Yeah, they are certainly violating
> the spirit of GPL, if not the letter. Still, this made me go take a
> good look at the apache license, and it doesn't seem to require
> releasing source. All the apache projects seem to release source code,
> even with a binary release, but I don't think the license requires them
> to do so. Still, no gcc is rude.
>
> Thor asked how this affects the vendor, and I'm not sure how to answer
> that. Apparently, they don't feel very affected. They are considering
> disabling HTTP TRACE in some future version. No definitive answer from
> them yet. Only two facts seem relevant. Some PHB already paid for it.
> Some other not-so-PHB says we can't put it on the network while HTTP
> TRACE is enabled.
>
> So.... I've been looking at squid. I haven't found any specific mention
> of a feature that can disable an HTTP method in squid's docs, yet.
>
> So now three questions:
>
> Can squid do that?
>
> I'm likely going to need more horsepower than just some old Pentium and
> two NICs can give me, right?
>
> Is there a better tool to use for this proxy than squid?
>
> Thanks again,
> Greg
>
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.
>
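Greg's first question, whether squid can refuse an HTTP method, has a direct answer: Squid's `method` ACL type matches the request method, and `http_access` rules decide on it in order, so a deny placed before the allow rules stops TRACE before it reaches the appliance. The fragment below is an added example, not from the thread; the ACL names are my own, and the reverse-proxy (accelerator) directives that put squid in front of the box are not shown because they differ between squid versions.

```conf
# squid.conf fragment (added example): refuse TRACE and CONNECT outright.
# ACL names are arbitrary; 'method' is Squid's request-method ACL type.
acl trace_method   method TRACE
acl connect_method method CONNECT

# Deny rules must come before any http_access allow line, because squid
# stops at the first matching rule.
http_access deny trace_method
http_access deny connect_method

# ... existing http_access allow rules for permitted clients follow here,
# and the final catch-all should remain:
http_access deny all
```

After reloading squid, a raw `TRACE / HTTP/1.0` request through the proxy should come back with a squid-generated 403 rather than an echo of the request, which is the same check Thor runs against his patched httpd.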

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:49:24 EDT