podman-compose Concept
Add an unprivileged user, e.g. podman, to your system and enable "auto start" for that user with loginctl enable-linger podman. Lingering lets the user's systemd instance (and with it the containers) come up at boot without an interactive login, and running the stack as that user keeps the containers rootless.
In /etc/containers/registries.conf set unqualified-search-registries = ["docker.io"]. Alternatively, write fully qualified image names in the compose file (docker.io/library/mariadb:10.5) so the registry an image is pulled from is explicit and not subject to search order.
As podman, create the two folders /home/podman/compose and /home/podman/storage.
Add a systemd user service (Wants= and After= both name network-online.target, so the stack only starts once the network is actually up):

[podman@53c70r ~]$ cat /home/podman/.config/systemd/user/podman-compose@.service
[Unit]
Description=%i podman compose service
Wants=network-online.target
After=network-online.target

[Service]
Type=forking
TimeoutStartSec=infinity
TimeoutStopSec=70
Restart=on-failure
RemainAfterExit=true
WorkingDirectory=/home/podman/compose/%I
ExecStart=podman-compose up -d
ExecStop=podman-compose down

[Install]
WantedBy=default.target
Reload systemd: systemctl --user daemon-reload
Now put your docker-compose.yml into e.g. /home/podman/compose/nextcloud/docker-compose.yml.
For example (the :z and :Z volume suffixes are SELinux relabel options and only have an effect on SELinux-enforcing hosts; :Z makes the content private to one container, :z lets several containers share it):
[podman@53c70r ~]$ cat /home/podman/compose/nextcloud/docker-compose.yml
version: '3'
services:
  db:
    image: mariadb:10.5
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - /home/podman/storage/nextcloud/db:/var/lib/mysql:Z
    environment:
      - MYSQL_ROOT_PASSWORD=   # fill in; an empty value is not a password
      - MYSQL_PASSWORD=        # fill in; must match MYSQL_PASSWORD of the app service
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    dns: 127.0.0.53
    cpus: 1
  redis:
    image: redis:alpine
    restart: always
    cpus: 1
  app:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - /home/podman/storage/nextcloud/html:/var/www/html:z
      - /home/podman/storage/nextcloud/php-fpm/www2.conf:/usr/local/etc/php-fpm.d/www2.conf:ro,Z
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - MYSQL_PASSWORD=        # fill in; same value as in the db service
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    depends_on:
      - db
      - redis
    dns: 127.0.0.53
    cpus: 1
  web:
    image: nginx:alpine
    restart: always
    ports:
      - 127.0.0.1:10000:80   # loopback only; reach it through a reverse proxy on the host
    volumes:
      - /home/podman/storage/nextcloud/nginx/nginx.conf:/etc/nginx/nginx.conf:ro,Z
      - /home/podman/storage/nextcloud/html:/var/www/html:ro,z
    depends_on:
      - app
    cpus: 1
    dns: 127.0.0.53
  cron:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - /home/podman/storage/nextcloud/html:/var/www/html:z
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis
    cpus: 1
    dns: 127.0.0.53
Now you can simply enable and start your service with systemctl --user enable --now podman-compose@nextcloud.
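Before enabling the unit, it is worth checking the compose file for the two things that most often go wrong with a setup like the one above: secrets left empty and ports published on all interfaces instead of 127.0.0.1. The following pre-flight check is an added example, not code from the original page or from podman-compose; it uses only grep and the sample compose file at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-flight check for a
# compose file before `systemctl --user enable --now podman-compose@<name>`.
# It flags empty secrets (the MYSQL_*PASSWORD= placeholders above) and
# published ports that are not pinned to 127.0.0.1. Pure grep, so it runs
# on any host; the sample file at the bottom is constructed.

# empty_secrets FILE : env entries like "- FOO_PASSWORD=" with no value
empty_secrets() {
    grep -nE '^[[:space:]]*-[[:space:]]*[A-Z0-9_]*(PASSWORD|SECRET|TOKEN|KEY)[A-Z0-9_]*=[[:space:]]*$' "$1"
}

# exposed_ports FILE : port mappings without a 127.0.0.1 host address
exposed_ports() {
    grep -nE '^[[:space:]]*-[[:space:]]*"?([0-9]+:[0-9]+|0\.0\.0\.0:[0-9]+:[0-9]+)"?' "$1"
}

# audit_compose FILE : 0 if clean, 1 if anything was flagged
audit_compose() {
    rc=0
    if out=$(empty_secrets "$1"); then
        echo "empty secrets in $1:"; echo "$out"; rc=1
    fi
    if out=$(exposed_ports "$1"); then
        echo "ports not bound to loopback in $1:"; echo "$out"; rc=1
    fi
    return $rc
}

# constructed sample with one empty password and one port on all interfaces
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
version: '3'
services:
  db:
    image: mariadb:10.5
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_PASSWORD=s3cret
  web:
    image: nginx:alpine
    ports:
      - 127.0.0.1:10000:80
      - 8443:443
EOF

audit_compose "$SAMPLE" || echo "fix the findings above before enabling the service"
```

Run it against the real file with audit_compose /home/podman/compose/nextcloud/docker-compose.yml; a non-zero exit status is the signal to stop and fix the file first.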
Fresh Install of LineageOS with MicroG
Since I flashed my phone a lot and had some corrupt partitions over time, it was a good idea to wipe my whole phone clean:
Unlock your phone's bootloader.
Download the official LineageOS image (only the .zip is needed).
Follow these steps and extract all partition images.
You should get these files:

-rw-rw-r--. 1 user user    1785856  6. Dez 11:58 aboot.img
-rw-rw-r--. 1 user user   67108864  6. Dez 11:57 boot.img
-rw-r--r--. 1 user user        492  1. Jan  2009 care_map.pb
-rw-rw-r--. 1 user user     266240  6. Dez 11:58 cmnlib64.img
-rw-rw-r--. 1 user user     208896  6. Dez 11:58 cmnlib.img
-rw-rw-r--. 1 user user      40960  6. Dez 11:58 devcfg.img
-rw-rw-r--. 1 user user   16777216  6. Dez 11:58 dsp.img
-rw-rw-r--. 1 user user    8388608  6. Dez 11:57 dtbo.img
-rw-rw-r--. 1 user user     323584  6. Dez 11:58 keymaster.img
-rw-rw-r--. 1 user user      61440  6. Dez 11:58 lksecapp.img
-rw-rw-r--. 1 user user   17809408  6. Dez 11:58 mdtp.img
drwxr-xr-x. 1 user user          6  6. Dez 11:55 META-INF
-rw-rw-r--. 1 user user   92274688  6. Dez 11:58 modem.img
-rw-r--r--. 1 user user  731475324  1. Jan  2009 payload.bin
-rw-r--r--. 1 user user        155  1. Jan  2009 payload_properties.txt
-rw-rw-r--. 1 user user     176128  6. Dez 11:58 rpm.img
-rw-rw-r--. 1 user user     454656  6. Dez 11:58 sbl1.img
-rw-rw-r--. 1 user user 3221225472  6. Dez 11:58 system.img
-rw-rw-r--. 1 user user    1531904  6. Dez 11:58 tz.img
-rw-rw-r--. 1 user user       4096  6. Dez 11:58 vbmeta.img
-rw-rw-r--. 1 user user 1073741824  6. Dez 11:58 vendor.img
Now erase all partitions of your phone:

fastboot erase aboot_a
fastboot erase aboot_b
fastboot erase boot_a
fastboot erase boot_b
fastboot erase cmnlib64_a
fastboot erase cmnlib64_b
fastboot erase cmnlib_a
fastboot erase cmnlib_b
fastboot erase devcfg_a
fastboot erase devcfg_b
fastboot erase dsp_a
fastboot erase dsp_b
fastboot erase dtbo_a
fastboot erase dtbo_b
fastboot erase keymaster_a
fastboot erase keymaster_b
fastboot erase lksecapp_a
fastboot erase lksecapp_b
fastboot erase mdtp_a
fastboot erase mdtp_b
fastboot erase modem_a
fastboot erase modem_b
fastboot erase rpm_a
fastboot erase rpm_b
fastboot erase sbl1_a
fastboot erase sbl1_b
fastboot erase system_a
fastboot erase system_b
fastboot erase tz_a
fastboot erase tz_b
fastboot erase vbmeta_a
fastboot erase vbmeta_b
fastboot erase vendor_a
fastboot erase vendor_b
Re-flash the following partitions:

fastboot flash aboot_a aboot.img
fastboot flash aboot_b aboot.img
fastboot flash cmnlib64_a cmnlib64.img
fastboot flash cmnlib64_b cmnlib64.img
fastboot flash cmnlib_a cmnlib.img
fastboot flash cmnlib_b cmnlib.img
fastboot flash devcfg_a devcfg.img
fastboot flash devcfg_b devcfg.img
fastboot flash dsp_a dsp.img
fastboot flash dsp_b dsp.img
fastboot flash keymaster_a keymaster.img
fastboot flash keymaster_b keymaster.img
fastboot flash lksecapp_a lksecapp.img
fastboot flash lksecapp_b lksecapp.img
fastboot flash mdtp_a mdtp.img
fastboot flash mdtp_b mdtp.img
fastboot flash modem_a modem.img
fastboot flash modem_b modem.img
fastboot flash rpm_a rpm.img
fastboot flash rpm_b rpm.img
fastboot flash sbl1_a sbl1.img
fastboot flash sbl1_b sbl1.img
fastboot flash tz_a tz.img
fastboot flash tz_b tz.img
You can flash boot, dtbo, system, vbmeta and vendor too if you don’t want to use MicroG.
Do not forget to lock your bootloader in this case.
For LineageOS with MicroG download the second image now.
Extract the partition images again like we did before.
You should now get these files:

-rw-r--r--. 1 root root   67108864  6. Dez 01:57 boot.img
-rw-rw-r--. 1 user user        506  1. Jan  2009 care_map.pb
-rw-r--r--. 1 root root    8388608  6. Dez 01:57 dtbo.img
drwxr-xr-x. 1 user user          6  6. Dez 01:36 META-INF
-rw-rw-r--. 1 user user  728089673  1. Jan  2009 payload.bin
-rw-rw-r--. 1 user user        155  1. Jan  2009 payload_properties.txt
-rw-r--r--. 1 root root 3221225472  6. Dez 01:58 system.img
-rw-r--r--. 1 root root       4096  6. Dez 01:58 vbmeta.img
-rw-r--r--. 1 root root 1073741824  6. Dez 01:58 vendor.img
Flash the remaining files and wipe data to be sure no old userdata is left:

fastboot flash boot_a boot.img
fastboot flash boot_b boot.img
fastboot flash dtbo_a dtbo.img
fastboot flash dtbo_b dtbo.img
fastboot flash system_a system.img
fastboot flash system_b system.img
fastboot flash vbmeta_a vbmeta.img
fastboot flash vbmeta_b vbmeta.img
fastboot flash vendor_a vendor.img
fastboot flash vendor_b vendor.img
fastboot -w
Lock the bootloader. Relocking with a custom OS only works on devices whose bootloader accepts the verified-boot key of the build you flashed; on a device that does not, the phone refuses to boot after locking, so confirm relocking is supported for your device before you do it.
You should now have a fully working and completely clean LineageOS.
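The erase/flash sequences above are the same two commands repeated for every partition and both A/B slots, which is exactly where a typo slips in. The script below is an added example (not from the original page or from LineageOS) that generates those commands from a partition list, checks that every image file exists before the first fastboot call, and with DRY_RUN=1 only prints what it would run. The partition names are those of the listing above; the placeholder image files created at the bottom are empty and only there for the dry run.

```shell
#!/bin/sh
# Added example, not from the original page: the fastboot steps above as
# a script that flashes every image to both A/B slots and refuses to start
# if any image is missing, so a typo cannot leave one slot half-flashed.
# With DRY_RUN=1 the fastboot commands are only printed. Partition names
# and image filenames are those of the listing above; adjust per device.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# check_images DIR NAME... : fail unless every DIR/NAME.img exists
check_images() {
    dir=$1; shift
    missing=0
    for name in "$@"; do
        [ -f "$dir/$name.img" ] || { echo "missing: $dir/$name.img" >&2; missing=1; }
    done
    return $missing
}

# erase_ab NAME... : fastboot erase NAME_a and NAME_b for each partition
erase_ab() {
    for name in "$@"; do
        for slot in a b; do run fastboot erase "${name}_$slot"; done
    done
}

# flash_ab DIR NAME... : fastboot flash NAME_a/NAME_b DIR/NAME.img for each partition
flash_ab() {
    dir=$1; shift
    check_images "$dir" "$@" || return 1
    for name in "$@"; do
        for slot in a b; do run fastboot flash "${name}_$slot" "$dir/$name.img"; done
    done
}

# step 1: firmware from the official LineageOS zip; step 2: OS partitions
# from the MicroG build (both lists as in the text above)
FIRMWARE="aboot cmnlib64 cmnlib devcfg dsp keymaster lksecapp mdtp modem rpm sbl1 tz"
OS="boot dtbo system vbmeta vendor"

# dry run against constructed, empty placeholder images
DRY_RUN=1
demo=$(mktemp -d)
for n in $FIRMWARE $OS; do : > "$demo/$n.img"; done
erase_ab $FIRMWARE $OS
flash_ab "$demo" $FIRMWARE
flash_ab "$demo" $OS
run fastboot -w
```

For a real run, drop the DRY_RUN=1 line and point flash_ab at the directory holding the extracted images from step 1 and, for the OS list, at the MicroG extraction directory.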
F-Droid privileged extension installation (auto update)
Go to https://f-droid.org/en/packages/org.fdroid.fdroid.privileged.ota/, download the latest package and verify its GPG signature before unpacking it:

tmp=$(mktemp -d) && cd "$tmp"
wget https://f-droid.org/repo/org.fdroid.fdroid.privileged.ota_2110.zip
# verify the detached signature of the zip here, before unpacking
unzip org.fdroid.fdroid.privileged.ota_2110.zip
Activate the ADB root shell under the developer settings on your phone.
Install the packages:

adb root
adb remount
adb push F-DroidPrivilegedExtension.apk /system/priv-app/
adb push 80-fdroid.sh /system/addon.d/
adb push permissions_org.fdroid.fdroid.privileged.xml /system/etc/permissions/
Install the normal user-space F-Droid app and reboot your phone.
Done.
You should now see "Automatically install updates" in the F-Droid settings.
Don't forget to disable the ADB root shell again.
Project “Find My Device”
Since I use LineageOS without any Google services, an important feature was still missing: finding my phone once I lose it. The idea was simple: gain persistent access, call API requests to get the needed information and send it back to my Nextcloud. I noticed that, being able to access the API directly, you can actually start to script your own little snippets, but we will get to this later.
Let's start with the transport problem. Somehow we have to get access to our smartphone at any time, punching holes through firewalls. The first method would be your own VPN like WireGuard or OpenVPN. A much more convenient (but battery-draining) method is a Tor hidden service, maybe even using bridges to obfuscate its real intention (e.g. with "Orbot").
Install Termux, Termux:API and Termux:Boot on your Android.
Let's set up the SSH server and install some dependencies we need later.
Open Termux on your phone and type in:

pkg install root-repo
pkg update
pkg upgrade
pkg install openssh termux-api jq zip
# this sets the password for the first login; switch to public-key
# authentication for all later ssh sessions (see sshd_config below)
passwd
sshd
Now you should be able to reach your phone's Termux environment by ssh'ing into it from your notebook:

ssh root@your.mobile -p 8022
Let's make the ssh server persistent across reboots and change some settings (I'll just show you the content of my setup):

~ $ cat /data/data/com.termux/files/usr/etc/ssh/sshd_config
PrintMotd yes
# set this to yes if you want to enable password authentication
PasswordAuthentication no
Subsystem sftp /data/data/com.termux/files/usr/libexec/sftp-server

~ $ cat ~/.termux/boot/start-sshd
#!/data/data/com.termux/files/usr/bin/sh
termux-wake-lock
sshd

After that, open Termux:Boot once on your phone. Maybe reboot your phone to check that everything works so far (ssh should be available after the reboot).
Well, let us start to have some fun.
Go to the app permission settings of your Android and grant all permissions to Termux:API. Keep in mind that this hands location, SMS, contacts, camera and microphone access to anyone who can log in to that ssh server, which is why the key-only authentication configured above matters.
Now ssh into your phone and execute:

termux-setup-storage

Typing "termux-" and pressing Tab lists all the tools you can use to control your phone. It should look like this:

~ $ termux-
termux-audio-info        termux-fix-shebang           termux-open                termux-telephony-deviceinfo
termux-battery-status    termux-info                  termux-open-url            termux-toast
termux-brightness        termux-infrared-frequencies  termux-reload-settings     termux-torch
termux-call-log          termux-infrared-transmit     termux-reset               termux-tts-engines
termux-camera-info       termux-job-scheduler         termux-sensor              termux-tts-speak
termux-camera-photo      termux-keystore              termux-setup-storage       termux-usb
termux-change-repo       termux-location              termux-share               termux-vibrate
termux-chroot            termux-media-player          termux-sms-inbox           termux-volume
termux-clipboard-get     termux-media-scan            termux-sms-list            termux-wake-lock
termux-clipboard-set     termux-microphone-record     termux-sms-send            termux-wake-unlock
termux-contact-list      termux-nfc                   termux-speech-to-text      termux-wallpaper
termux-dialog            termux-notification          termux-storage-get         termux-wifi-connectioninfo
termux-download          termux-notification-list     termux-telephony-call      termux-wifi-enable
termux-fingerprint       termux-notification-remove   termux-telephony-cellinfo  termux-wifi-scaninfo
From this point on it's really up to the limits of your imagination. Some examples could be…
Capture all telemetry and send it to your Nextcloud:

~ $ cat scripts/get_telemetry
#!/data/data/com.termux/files/usr/bin/sh
date="$(date +'%d-%m-%y_%H-%M-%S')"
path="/data/data/com.termux/files/home/records/$date"
echo "create dir..."
mkdir -p "$path/txt"
echo "get wifi..."
termux-wifi-scaninfo > "$path/txt/wifi.txt"
echo "get cellinfo..."
termux-telephony-cellinfo > "$path/txt/cell.txt"
echo "get all sensor data..."
termux-sensor -a -n 1 > "$path/txt/sensor.txt"
echo "get location..."
# retry until a fix arrives; the short sleep keeps this from spinning
# at full speed while the GPS is still searching
while :
do
    echo "trying..."
    termux-location > "$path/txt/location.txt"
    if [ -s "$path/txt/location.txt" ]
    then
        echo "got location..."
        break
    fi
    sleep 5
done
echo "export to nextcloud..."
zip -r "$path/$date.zip" "$path/txt" >&- 2>&-
# the app password is stored in clear text in this script: keep the file
# mode 600, or move the credentials into ~/.netrc and use curl --netrc
curl -u USERNAME:GENERATE_YOUR_NEXTCLOUD_APP_KEY -T "$path/$date.zip" https://cloud.53c70r.de/remote.php/dav/files/sector/termux/
Play a presidential alert:

~ $ cat scripts/presidential_alert
#!/data/data/com.termux/files/usr/bin/sh
# one location query, so latitude and longitude come from the same fix
loc=$(termux-location)
lat=$(echo "$loc" | jq -r ".latitude")
long=$(echo "$loc" | jq -r ".longitude")
termux-notification -c 'SEE EMERGENCY INFORMATION' -t "LOST DEVICE"
# keep the media volume pinned at maximum while the alert plays
setsid -f sh -c "while true; do termux-volume music 15; sleep 1; done"
termux-torch on
termux-vibrate -f -d 2000
sleep 2
termux-media-player play /data/data/com.termux/files/home/scripts/data/eas.mp3
sleep 11
termux-torch off
termux-tts-speak -s MUSIC "GPS coordinates. latitude: $lat, longitude: $long. WARNING. This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials."
# stops the volume loop started above (and this script with it)
killall sh
Some loud alarm:

~ $ cat scripts/loud_alarm
#!/data/data/com.termux/files/usr/bin/sh
setsid -f sh -c "while true; do termux-volume music 15; sleep 1; done"
setsid -f sh -c "while true; do termux-torch on; sleep 1; termux-torch off; sleep 1; done"
termux-media-player play /data/data/com.termux/files/home/scripts/data/alarm.mp3
termux-torch off
killall sh
Persistent ssh root backdoor on android
Tested on Android 10.
Get a root shell on your Android via adb and execute:

remount
ssh-keygen -A
mkdir /root
cp -r /data/ssh /root
cp /etc/ssh/sshd_config /root
chmod 740 /root
chmod 700 /root/ssh
touch /root/ssh/authorized_keys
chmod 600 /root/ssh/authorized_keys
chown root:root -R /root
Add your ssh public key to "/root/ssh/authorized_keys", then point the copied config at the new location. Edit the copy in /root, because that is the file "/root/start" below loads with -f; the original under /etc/ssh is left alone:

sed -i 's/\/data\//\/root\//g' /root/sshd_config
echo "HostKey /root/ssh/ssh_host_ed25519_key" >> /root/sshd_config
Add the file "/root/start" with this content:

#!/bin/sh
/bin/sshd -f /root/sshd_config

Add our daemon under "/system/etc/init/sshd.rc":

service sshd /system/bin/sh /root/start
    user root
    group root
    oneshot
    seclabel u:r:su:s0

on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
    start sshd
Reboot your device, done.
(On LineageOS 18.1 sshd currently crashes on start; see https://gitlab.com/LineageOS/issues/android/-/issues/3437)

signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference
    x0  0000000000000000  x1  0000007b0bd1dfb8  x2  0000000000000008  x3  0000000000000010
    x4  0000000000000000  x5  8080808080808080  x6  fefefefefefefeff  x7  7f7f7f7f7f7f7f7f
    x8  0101010101010101  x9  ffffff84f42e2047  x10 0000000000000068  x11 000000000b52b678
    x12 000000004f1d3b2b  x13 0000007ff25268cb  x14 0000007b0b6ddd42  x15 0000ffff00000fff
    x16 00000058c010e3f8  x17 0000007b0b66bb30  x18 0000007b0c578000  x19 0000000000000000
    x20 00000058c0110000  x21 000000791b5241f0  x22 000000791b5248e0  x23 0000000000000000
    x24 00000058c00d9e8d  x25 0000007b0baa6ae0  x26 0000000000000001  x27 0000000000000003
    x28 00000058c0111000  x29 0000007ff2527910
    lr  00000058c01071c8  sp  0000007ff2527330  pc  0000007b0b66bb40  pst 0000000080000000
backtrace:
      #00 pc 000000000004ab40  /apex/com.android.runtime/lib64/bionic/libc.so (strlen_default+16) (BuildId: be9c72fe4db37cd191b589b74d090d13)
      #01 pc 00000000000361c4  /system/bin/sshd (main+1720) (BuildId: 610e2671bc203f1b61ef273d60564a86)
      #02 pc 000000000004988c  /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+108) (BuildId: be9c72fe4db37cd191b589b74d090d13)
NGINX with ModSecurity and Fail2ban
cat /etc/fail2ban/filter.d/modsecurity.conf
# Fail2Ban filter for modsecurity
#
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(.*)\S+\" 444 .+$

This matches every access-log line with HTTP status 444, nginx's "close the connection without a response" code, so ModSecurity has to be configured to answer blocked requests with status 444 (status:444 in the deny action) for this jail to see anything. The empty \[\] is where fail2ban has cut the timestamp out of the line before matching.
Add this to your "/etc/fail2ban/jail.local":

[modsecurity]
port = http,https
logpath = %(nginx_access_log)s
enabled = true
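To see which clients the filter would actually ban, the check below runs the same logic over a few constructed nginx access-log lines. It is an added example, not part of fail2ban or of the original page: fail2ban substitutes <HOST> itself and removes the timestamp before matching, so the regex is rewritten here as a POSIX ERE that matches the raw combined-format line (timestamp included) and gives the same verdict for that format. The log lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of fail2ban or of the original page: apply the
# modsecurity filter above to constructed nginx access-log lines with grep
# to see which clients it would ban. fail2ban substitutes <HOST> and cuts
# the timestamp out of the line before matching (hence the empty [] in the
# failregex); the ERE below matches the raw line instead, so it is the same
# check for the default combined log format only.

HOST='([0-9]{1,3}\.){3}[0-9]{1,3}'
# ERE form of: ^<HOST> \- \S+ \[\] \"(.*)\S+\" 444 .+$
BAN_RE="^$HOST - [^[:space:]]+ \[[^]]*\] \"[^\"]*\" 444 .+\$"

# banned_hosts LOGFILE : unique client IPs whose requests matched
banned_hosts() {
    grep -E "$BAN_RE" "$1" | cut -d' ' -f1 | sort -u
}

# match_count LOGFILE : number of matching lines (what fail2ban counts against maxretry)
match_count() {
    grep -Ec "$BAN_RE" "$1" || true
}

# constructed sample: two requests that ModSecurity answered with 444,
# one normal 200 and one 404 that must not count
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [06/Dec/2020:11:58:01 +0100] "GET /wp-login.php?f=../../etc/passwd HTTP/1.1" 444 0 "-" "curl/7.64.0"
198.51.100.9 - - [06/Dec/2020:11:58:02 +0100] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2020:11:58:03 +0100] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "curl/7.64.0"
192.0.2.4 - - [06/Dec/2020:11:58:04 +0100] "GET /missing HTTP/1.1" 404 44 "-" "Mozilla/5.0"
EOF

echo "matching lines: $(match_count "$LOG")"
banned_hosts "$LOG"
```

On the real host, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/modsecurity.conf is the authoritative test of the filter as fail2ban sees it; the grep version is only a quick way to eyeball the same lines.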
SELinux Murmur Server Policy for Fedora
sudo -i
mkdir -p ~/selinux/murmur
cd ~/selinux/murmur
sepolgen --inetd /usr/sbin/murmurd -n murmur -u system_u

Add this to murmur.te:

# Add port definition
type murmur_port_t;
corenet_port(murmur_port_t)

Run (dontaudit off makes the denials the base policy normally silences visible, so the generated policy really covers everything murmur does):

semanage dontaudit off
./murmur.sh
semanage port -a -t murmur_port_t 64738 -p tcp
semanage port -a -t murmur_port_t 64738 -p udp
systemctl start murmur.service
Log in to your server, restart it, generate some system calls…
Then run the update and review the rules it adds, to check whether the policy is restrictive enough:

./murmur.sh --update

Clean up your audit log:

> /var/log/audit/audit.log
rm -rf /var/log/audit/audit.log.*
Generate system calls again and rerun "--update".
If murmur does not generate any more violations, your policy is good to go.
Switch the domain to enforcing by removing (or commenting out with "#") the line "permissive murmur_t;" in "murmur.te"; the generated policy leaves the domain permissive until you do.
Rerun

./murmur.sh

Restart murmur and check that everything works as expected.
Finally enable "don't audit" again:

semanage dontaudit on
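The stop condition for the "--update" loop above is "no more denials for murmur_t", which is easier to judge from a summary than from raw audit lines. The helper below is an added example, not from the original page or from the SELinux tooling: it reduces the AVC records of one domain to unique (class, permission, target context) triples, so the name_bind on unreserved_port_t that motivates the murmur_port_t definition shows up as a single line. The audit records are constructed; on a real host point it at /var/log/audit/audit.log (ausearch -m avc -c murmurd gives the same view interactively).

```shell
#!/bin/sh
# Added example, not part of the original page or of the SELinux tooling:
# summarise the AVC denials a domain still produces, so the "--update"
# loop above has a concrete stop condition. The audit lines below are
# constructed; on a real host use /var/log/audit/audit.log.

# avc_denials DOMAIN LOGFILE : unique "tclass permission tcontext" lines
# for denials whose scontext type is DOMAIN (e.g. murmur_t)
avc_denials() {
    domain=$1; log=$2
    grep -E "^type=AVC .*avc: +denied .*scontext=[^ ]*:${domain}:" "$log" \
      | sed -E 's/.*denied +[{] ([^}]*) [}].*tcontext=([^ ]+) tclass=([^ ]+).*/\3 \1 \2/' \
      | sort -u
}

# policy_clean DOMAIN LOGFILE : true (0) when DOMAIN produced no denials
policy_clean() {
    [ -z "$(avc_denials "$1" "$2")" ]
}

# constructed sample: murmurd binding 64738 before murmur_port_t exists,
# plus a write to a database file with a generic label; domain is permissive
AUDIT=$(mktemp)
cat > "$AUDIT" <<'EOF'
type=AVC msg=audit(1607250000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="murmurd" src=64738 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1607250000.123:456): arch=c000003e syscall=49 success=yes exit=0 comm="murmurd" exe="/usr/sbin/murmurd" subj=system_u:system_r:murmur_t:s0 key=(null)
type=AVC msg=audit(1607250000.124:457): avc:  denied  { name_bind } for  pid=1234 comm="murmurd" src=64738 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1607250001.001:458): avc:  denied  { write } for  pid=1234 comm="murmurd" name="murmur.sqlite" dev="dm-0" ino=5678 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1607250002.002:459): avc:  denied  { name_bind } for  pid=1234 comm="murmurd" src=64738 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
EOF

avc_denials murmur_t "$AUDIT"
policy_clean murmur_t "$AUDIT" && echo "murmur_t: no denials" || echo "murmur_t: still denied, rerun ./murmur.sh --update"
```

The two name_bind lines are what the murmur_port_t type and the two semanage port commands above resolve; the var_lib_t write is the kind of denial "--update" turns into an allow rule, and the kind you should read before accepting it.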
WordPress on SELinux enforced systems
First of all, SELinux is your friend, not your enemy.
Hosting WordPress on SELinux-enforcing systems like CentOS 8 mostly ruins the security concept, because the majority will straight away disable SELinux, leaving the system open to all the other nasty exploitation attempts against running services.
TL;DR
Please don’t forget to adjust your WordPress root path.
For more information read the man page semanage-fcontext(8).
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/plugins(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/themes(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/upgrade(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/uploads(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/wflogs(/.*)?"

Make sure the default label for e.g. /usr/share/nginx/ is "httpd_sys_content_t":

[root@53c70r wordpress]# semanage fcontext -l | grep /usr/share/nginx/
/usr/share/nginx/html(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0

This makes every file not covered by our own file contexts read-only for the web server: httpd_t may read httpd_sys_content_t but not write to it.
Finally execute

restorecon -RFv /usr/share/nginx/

After the command has run, the labeling should look as follows:

[root@53c70r wordpress]# ll -Z
total 208
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0      405 Apr 17 23:32 index.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    19915 Aug 27 23:24 license.txt
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     7278 Sep 23 00:56 readme.html
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     7101 Aug 27 23:24 wp-activate.php
drwxr-xr-x.  9 nginx nginx system_u:object_r:httpd_sys_content_t:s0     4096 Jan 19  2020 wp-admin
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0      351 Apr 17 23:32 wp-blog-header.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2332 Aug 27 23:24 wp-comments-post.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2897 Jan 19  2020 wp-config.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2913 Apr 17 23:32 wp-config-sample.php
drwxr-xr-x.  7 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0    96 Sep 23 00:57 wp-content
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     3940 Apr 17 23:32 wp-cron.php
drwxr-xr-x. 24 nginx nginx system_u:object_r:httpd_sys_content_t:s0     8192 Aug 27 23:24 wp-includes
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2496 Apr 17 23:32 wp-links-opml.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     3300 Apr 17 23:32 wp-load.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    48761 Aug 27 23:24 wp-login.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     8509 Jun 17 12:56 wp-mail.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    20181 Aug 27 23:24 wp-settings.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    31159 Aug 27 23:24 wp-signup.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     4755 Apr 17 23:32 wp-trackback.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     3236 Aug 27 23:24 xmlrpc.php

[root@53c70r wordpress]# ll -Z wp-content/
total 4
-rw-r--r--. 1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     28 Jan 19  2020 index.php
drwxr-xr-x. 7 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0 129 Sep 23 00:49 plugins
drwxr-xr-x. 4 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0  56 Aug 27 23:17 themes
drwxr-xr-x. 2 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0   6 Sep 23 00:56 upgrade
drwxr-xr-x. 6 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0  68 Jan 19  2020 uploads
drwxr-xr-x. 2 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0 224 Jan 19  2020 wflogs
One thing the listing also shows: wp-config.php, which holds the database credentials, is mode 644. SELinux labels do not change who can read it, so tighten the file mode as well (e.g. chmod 640).
If you want to upgrade WordPress later, run this first:

setsebool httpd_unified 1

And when the upgrade is finished:

setsebool httpd_unified 0

httpd_unified lets the web server write to every httpd_sys_*content type, which undoes the read-only split above, so do not leave it on. Without -P the boolean is not persistent and does not survive a reboot, which is what you want here.
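Since the labeling commands above are the same six rules with the WordPress root repeated in each, and the upgrade step is a boolean that must be switched back off no matter how the upgrade goes, both are easy to script. The following is an added example, not code from the original page: it takes the WordPress root as a parameter and wraps the upgrade command so httpd_unified is reset even when the command fails. With DRY_RUN=1 the semanage, restorecon and setsebool calls are printed instead of executed, so it can be reviewed on a host without SELinux; the upgrade command passed to wp_upgrade is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: the fcontext rules above with
# the WordPress root as a parameter, and an upgrade wrapper that switches
# httpd_unified back off even when the upgrade command fails. With DRY_RUN=1
# the semanage/restorecon/setsebool calls are printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# wp-content subdirectories WordPress must be able to write (as in the text above)
WP_RW_DIRS="plugins themes upgrade uploads wflogs"

# wp_label_rules ROOT : register the rw labels under ROOT/wp-content and relabel ROOT
wp_label_rules() {
    root=${1%/}
    run semanage fcontext -a -t httpd_sys_rw_content_t "$root/wp-content"
    for d in $WP_RW_DIRS; do
        run semanage fcontext -a -t httpd_sys_rw_content_t "$root/wp-content/$d(/.*)?"
    done
    run restorecon -RFv "$root"
}

# wp_upgrade CMD... : run CMD with httpd_unified on, then turn it off again;
# the boolean is set without -P, so it never survives a reboot either way
wp_upgrade() {
    run setsebool httpd_unified 1
    if "$@"; then rc=0; else rc=$?; fi
    run setsebool httpd_unified 0
    return $rc
}

# usage: sh wp-selinux.sh /usr/share/nginx/html/wordpress
# without an argument this prints a dry run for the path used in the text
if [ $# -eq 0 ]; then
    DRY_RUN=1
    set -- /usr/share/nginx/html/wordpress
fi
wp_label_rules "$1"
wp_upgrade echo "(upgrade command goes here; placeholder, not a real upgrade)"
```

Running it for real means calling it as root with DRY_RUN unset; the restorecon -RFv at the end of wp_label_rules is what actually applies the new labels, exactly as in the manual steps above.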