Coto's Blog

Puppet Security Rules

Coto Cisternas — Fri, 30 Sep 2016 03:45:24 GMT

Some Useful safety rules for Puppet:

Puppetfile:

mod 'thias/sysctl', '1.0.2'  
mod 'puppetlabs/firewall', '1.8.0'

manifest.pp

  Firewall {
    require => undef,
  }
  firewall { '000 INPUT allow related and established':
    proto       => 'all',
    action      => 'accept',
    state       => ['RELATED', 'ESTABLISHED']
  }
  firewall { '001 accept all icmp':
    proto       => 'icmp',
    action      => 'accept'
  }
  firewall { '002 accept all to lo interface':
    proto       => 'all',
    iniface     => 'lo',
    action      => 'accept'
  }
  firewall { '003 reject local traffic not on loopback interface':
    iniface     => '! lo',
    proto       => 'all',
    destination => '127.0.0.1/8',
    action      => 'reject',
  }
  firewall { '004 drop FRAGMENTED PACKETS':
    chain       => 'INPUT',
    action      => 'drop',
    isfragment  => true,
  }
  firewall { '005 drop MALFORMED SYN-FLOOD':
    chain       => 'INPUT',
    action      => 'drop',
    proto       => 'tcp',
    tcp_flags   => 'FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK',
  }
  firewall { '006 drop MALFORMED SYN-FLOOD':
    chain       => 'INPUT',
    action      => 'drop',
    proto       => 'tcp',
    tcp_flags   => 'FIN,SYN FIN,SYN',
  }
  firewall { '007 drop MALFORMED SYN-FLOOD':
    chain       => 'INPUT',
    action      => 'drop',
    proto       => 'tcp',
    tcp_flags   => 'SYN,RST SYN,RST',
  }
  firewall { '008 drop SYN-FLOOD':
    chain       => 'INPUT',
    state       => 'NEW',
    action      => 'drop',
    proto       => 'tcp',
    tcp_flags   => '! FIN,SYN,RST,ACK SYN',
  }
  firewall { '009 MALFORMED NULL PACKETS':
    chain       => 'INPUT',
    action      => 'drop',
    proto       => 'tcp',
    tcp_flags   => 'FIN,SYN,RST,PSH,ACK,URG NONE',
  }
  firewall { '010 drop MALFORMED XMAS PACKETS':
    chain       => 'INPUT',
    action      => 'drop',
    proto       => 'tcp',
    tcp_flags   => 'FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG',
  }

  sysctl { 'net.ipv4.conf.all.rp_filter':   value => '1'      }
  sysctl { 'net.ipv4.tcp_syncookies':       value => '1'      }
  sysctl { 'net.ipv4.tcp_tw_reuse':         value => '1'      }
  sysctl { 'net.ipv4.tcp_fin_timeout':      value => '30'     }
  sysctl { 'net.ipv4.tcp_keepalive_intvl':  value => '30'     }
  sysctl { 'net.ipv4.tcp_keepalive_probes': value => '5'      }

PIGZ | NC

Coto Cisternas — Thu, 07 May 2015 23:46:17 GMT

Just a memory aid:

Origin and Destination:

apt-get install pv pigz netcat-openbsd

Origin:

tar -cf -{$PATH} | pv -s {$SIZE} | pigz -9 | nc -l 8888

Destination:

nc {$ORIGIN_IP} 8888 | pigz -d | tar xf - -C  /

Rolify + CanCanCan #Instance level role ability

Coto Cisternas — Fri, 11 Jul 2014 23:23:21 GMT

This post is more of a memory aid, but a strange conjugation of black magic to do something impossible.
The solution is quite simple, but it took me several hours to realize it.
In simple terms, it is not so complex to do this if you are using ActiveRecords, I found a couple of post describing the solution:

app/model/ability.rb

can [:read, :update], Company, :id => Company.with_role(:manager, user).plug(id)

My problem is that I do not use ActiveRecords if not rather MongoID, and not until i check the documentation of Origin (MongoID DSL) that I realized the detail:

app/model/ability.rb

can [:read, :update], Company, :id.in => Company.with_role(:manager, user).map(&:id)

See the difference?. It took almost 4 hours to see it …

Rails 4.1 secrets.yml to SYM

Coto Cisternas — Sat, 14 Jun 2014 16:53:14 GMT

Usually i use a application.yml for this kind of stuff, devise secret, realm definition, host etc. Is nice to have all this things in one place. Today i start testing Rails 4.1 and i stumble on this new feature, work great but i like to manage my settings like symbols and the ‘Rails.application.secrets’ method is not available until the app start. So here a little help to handle this in that way.

config/secrets.yml

defaults: &defaults  
  devise_secret: 5d612bacfae3e470caef1782feb6e648391ea76a380d1910b9732c43e614398b7d297b9c13a803a5efb835db717fc9bd2e721c3d3ea45556297627b97f4b526d
  devise_pepper: 888d5b5b31563dc774bcf18c12h4lka242447d738921832c9e253c477628a21912535342455951ca6ca9fd02682b10cbb1deaeb8557aca1cab98de5eaffefc64
  realm: cotocisternas
  host: cotocisternas.cl

development:  
  <<: *defaults
  secret_key_base: 3eb6db5a9026c547c72708438d496d942e976b252138db7e4e0ee5edd7539457d3ed0fa02ee5e7179420ce5290462018591adaf5f42adcf855da04877827def2
  host: localhost:3000

test:  
  <<: *defaults
  secret_key_base: 3eb6db5a9026c547c72708438d496d942e976b252138db7e4e0ee5edd7539457d3ed0fa02ee5e7179420ce5290462018591adaf5f42adcf855da04877827def2
  host: test.local

production:  
  <<: *defaults
  secret_key_base: 3eb6db5a9026c547c72708438d496d942e976b252138db7e4e0ee5edd7539457d3ed0fa02ee5e7179420ce5290462018591adaf5f42adcf855da04877827def2

Now we need to symbolize this values before the app kicks up, so we add this piece of code

config/application.rb

Bundler.require(*Rails.groups)  
[...]
CONFIG = YAML.load(File.read(File.expand_path('../secrets.yml', __FILE__)))  
CONFIG.merge! CONFIG.fetch(Rails.env, {})  
CONFIG.symbolize_keys!  
[...]

Now we can simple use the key CONFIG[:value] where we need to set up some secret value, for Example:

config/initializers/devise.rb

Devise.setup do |config|  
  [...]
  config.secret_key = CONFIG[:devise_secret]
  [...]
  config.http_authentication_realm = CONFIG[:realm]
  [...]
  config.pepper = CONFIG[:devise_pepper]
  [...]
end

Asterisk MultiTrunk Dial Macro

Coto Cisternas — Tue, 14 Jan 2014 12:34:35 GMT

Easy solution for multi-provider/failover Asterisk SIP Trunks. Just put this config in your extensions.conf

[globals]   
TRUNK_1=sipprovider1  
TRUNK_2=sipprovider2  
TRUNK_3=sipprovider3  
TRUNK_4=sipprovider4  
TRUNK_5=sipprovider5  
TRUNK_6=sipprovider6  
TOTAL=6   

[macro-dial-out]
;ARG1 => Dialing Number
;ARG2 => Timeout   

exten => s,1,NoOp(== DIAL --> ${ARG1})  
exten => s,n,Set(COUNTER=1)  
exten => s,n(while),GotoIf($["${COUNTER}">"${TOTAL}"]?fin)  
exten => s,n,Dial(SIP/${ARG1}@${TRUNK_${COUNTER}},${ARG2},rg)  
exten => s,n,NoOp( DIAL STATUS --> ${DIALSTATUS})  
exten => s,n,GotoIf($["${DIALSTATUS}"="ANSWER"]?fin)  
exten => s,n,GotoIf($["${DIALSTATUS}"="NOANSWER"]?fin)  
exten => s,n,Set(COUNTER=$[${COUNTER}+1])  
exten => s,n,Goto(while)  
exten => s,n(fin),MacroExit     

[ldi]
; Example Dialplan for LDI calls

exten => _00.,1,NoOp(= DIAL STATUS --> ${DIALSTATUS}===)  
exten => _00.,n,Macro(dial-out,${EXTEN},60) exten => _00.,n,Hangup()

Phone Area Codes

Coto Cisternas — Tue, 14 Jan 2014 00:54:21 GMT

For some time, I am developing a VoIP solution Premise / Cloud, based on Freeswitch. I stumble on a pretty simple problem … All telephone area codes in the world. There are websites that contain the info, but in a sort of “phone book” and is not very useful for creating a database, so I wrote some scripts based on nokogiri to download and create YAML files for all available area codes in CountryCode.org
Here the result: AreaCodes

If you’re curious about the script, here I leave too …

require 'rubygems'  
require 'nokogiri'  
require 'open-uri'  
require 'yaml'

def write(filename, array)  
  File.open(filename, "a") do |f|
    f.write(array)
  end
end

codes = %w[AD AE AF AG AI AL AM AN AO AQ AR AS AT AU AW AZ BA BB BD BE BF BG BH BI BJ BL BM BN BO BR BS BT BW BY BZ CA CC CD CF CG CH CI CK CL CM CN CO CR CU CV CX CY CZ DE DJ DK DM DO DZ EC EE EG EH ER ES ET FI FJ FK FM FO FR GA GB GD GE GH GI GL GM GN GQ GR GT GU GW GY HK HN HR HT HU ID IE IL IM IN IO IQ IR IS IT JE JM JO JP KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LI LK LR LS LT LU LV LY MA MC MD ME MF MG MH MK ML MM MN MO MP MR MS MT MU MV MW MX MY MZ NA NC NE NG NI NL NO NP NR NU NZ OM PA PE PF PG PH PK PL PM PN PR PT PW PY QA RO RS RU RW SA SB SC SD SE SG SH SI SJ SK SL SM SN SO SR ST SV SY SZ TC TD TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG US UY UZ VA VC VE VG VI VN VU WF WS YE YT ZA ZM ZW]

codes.each do |code|  
  page_uri = "http://countrycode.org/#{code}"
  begin
    doc = Nokogiri::HTML(open(page_uri))
    array = Array.new
    doc.css('#child_center_column #common_table > tr').each do |node|
      node.css('td > b').children.each do |code|
        hash = Hash.new
        if code.name == "text"
          hash["name"] = node.css('.city').text
          hash["area_code"] = code.text.gsub(/^.*\s(\d*)$/,'\\1')  
        end
        array << hash
      end
    end
    file = File.dirname(__FILE__)+"/data/codes/#{code}.yaml"
    write(file, array.to_yaml)

  rescue OpenURI::HTTPError => e 
    if e.message == '404 Not Found'
      puts code+" 404 Error!"
    else
      raise e
    end
  end
end

Rails DIGEST Auth

Coto Cisternas — Thu, 21 Feb 2013 17:18:49 GMT

app/application_controller.rb

require 'digest/md5'

class ApplicationController < ActionController::Base  
  protect_from_forgery with: :exception

  digest_user = CONFIG[:digest_user]
  digest_pass = CONFIG[:digest_pass]

  REALM = CONFIG[:realm]
  USERS = {"dhh" => digest_pass, digest_user => Digest::MD5.hexdigest([digest_user,REALM,digest_pass].join(":"))}

  def digest_authenticate
    authenticate_or_request_with_http_digest(REALM) do |username|
      USERS[username]
    end
  end

end

And if you are using Devise as Auth GEM, just add this line to you’r controller:

respond_to :xml  
before_filter :digest_authenticate  
skip_before_filter :verify_authenticity_token