Study MongoDB security by setup and configure server and client on secure line

It's been a while since my last learning on MongoDB. The last learning on MongoDB was on administration. Today, we will learn another topic of mongoDB; MongoDB security. As a general for MongoDB security context, it means

Maintaining a secure MongoDB deployment requires administrators to implement controls to ensure that users and applications have access to only the data that they require. MongoDB provides features that allow administrators to implement these controls and restrictions for any MongoDB deployment.

This article is reference the official documentation which can be found here. As the security context is pretty huge, in this short article, we will focus how to setup mongdb server to use on ssl and how client will access the database resource securely.

First, make sure you have install the server and client package. If you are on deb package linux distribution, it is as easy as sudo apt-get install mongodb-clients mongodb-server. Once both packages are install, you can check in the log file at /var/log/mongodb/mongodb.log similar such as the following. So our mongodb version is 2.6.3 and it has support using openssl library.

 2015-09-27T16:04:48.849+0800 [initandlisten] db version v2.6.3  
 2015-09-27T16:04:48.849+0800 [initandlisten] git version: nogitversion  
 2015-09-27T16:04:48.849+0800 [initandlisten] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014  

Next, let's generate a public and private key and a self sign certifcate.

 user@localhost:~/test1$ openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key  
 Generating a 2048 bit RSA private key  
 .............................+++  
 ..................................................................................................................................................................................................................+++  
 writing new private key to 'mongodb-cert.key'  
 -----  
 You are about to be asked to enter information that will be incorporated  
 into your certificate request.  
 What you are about to enter is what is called a Distinguished Name or a DN.  
 There are quite a few fields but you can leave some blank  
 For some fields there will be a default value,  
 If you enter '.', the field will be left blank.  
 -----  
 Country Name (2 letter code) [AU]:MY  
 State or Province Name (full name) [Some-State]:KL  
 Locality Name (eg, city) []:Kuala Lumpur  
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com  
 Organizational Unit Name (eg, section) []:Engineering  
 Common Name (e.g. server FQDN or YOUR name) []:Jason Wee  
 Email Address []:jason@example.com  
 user@localhost:~/test1$ ls  
 mongodb-cert.crt mongodb-cert.key  

Now put everything into a file with extension .pem.

 user@localhost:~/test1$ cat mongodb-cert.key mongodb-cert.crt > mongodb.pem  

Now, stop mongodb instance if it is running. As we will now configured the server to use the certificate we generated previously.

 user@localhost:~/test1$ sudo systemctl status mongodb  
 ● mongodb.service - An object/document-oriented database  
   Loaded: loaded (/lib/systemd/system/mongodb.service; enabled; vendor preset: enabled)  
   Active: inactive (dead) since Sun 2015-09-27 16:13:34 MYT; 23min ago  
    Docs: man:mongod(1)  
  Main PID: 15343 (code=exited, status=0/SUCCESS)  
   
 Sep 27 16:04:48 localhost systemd[1]: Started An object/document-oriented database.  
 Sep 27 16:04:48 localhost systemd[1]: Starting An object/document-oriented database...  
 Sep 27 16:13:33 localhost systemd[1]: Stopping An object/document-oriented database...  
 Sep 27 16:13:34 localhost systemd[1]: Stopped An object/document-oriented database.  
 Sep 27 16:36:30 localhost systemd[1]: Stopped An object/document-oriented database.  
 user@localhost:~/test1$ sudo tail -10 /etc/mongodb.conf   
 # Size limit for in-memory storage of op ids.  
 #opIdMem = <bytes>  
   
 # SSL options  
 # Enable SSL on normal ports  
 sslOnNormalPorts = true  
 # SSL Key file and password  
 #sslPEMKeyFile = /etc/ssl/mongodb.pem  
 sslPEMKeyFile = /home/user/test1/mongodb.pem  
 #sslPEMKeyPassword = pass  
 user@localhost:~/test1$   

In the above output, as an example, I have set the file mongodb.pem to the configuration sslPEMKeyFile and also set sslOnNormalPorts to true. Now if you start mongodb instance.

 user@localhost:~/test1$ sudo systemctl start mongodb  
 user@localhost:~/test1$   

In the log file, noticed that ssl is enabled and no ssl related error.

 2015-09-27T16:46:41.648+0800 [initandlisten] options: { config: "/etc/mongodb.conf", net: { bindIp: "127.0.0.1", ssl: { PEMKeyFile: "/home/user/test1/mongodb.pem", mode: "requireSSL" } }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongodb.log" } }  
 2015-09-27T16:46:41.788+0800 [initandlisten] journal dir=/var/lib/mongodb/journal  
 2015-09-27T16:46:41.797+0800 [initandlisten] recover : no journal files present, no recovery needed  
 2015-09-27T16:46:42.162+0800 [initandlisten] waiting for connections on port 27017 ssl  

On the server configuration and setup, it is now done. Now, we will focus on the mongdb client. If you connect to mongodb using its client, you will get error.

 user@localhost:~/test1$ mongo foo  
 MongoDB shell version: 2.6.3  
 connecting to: foo  
 2015-09-27T17:22:54.300+0800 DBClientCursor::init call() failed  
 2015-09-27T17:22:54.302+0800 Error: DBClientBase::findN: transport error: 127.0.0.1:27017 ns: admin.$cmd query: { whatsmyuri: 1 } at src/mongo/shell/mongo.js:146  
 exception: connect failed  
 user@localhost:~/test1$ mongo --ssl --sslPEMKeyFile mongodb.pem  
 MongoDB shell version: 2.6.3  
 connecting to: test  
 Server has startup warnings:   
 2015-09-27T16:46:41.647+0800 [initandlisten]   
 2015-09-27T16:46:41.647+0800 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.  
 2015-09-27T16:46:41.647+0800 [initandlisten] **    32 bit builds are limited to less than 2GB of data (or less with --journal).  
 2015-09-27T16:46:41.647+0800 [initandlisten] **    See http://dochub.mongodb.org/core/32bit  
 2015-09-27T16:46:41.647+0800 [initandlisten]   
 > show dbs  
 admin (empty)  
 local 0.078GB  
 >   

As you can read above, you need to specify parameter ssl and the pem file. That's it for this article, if you want to go the distance, try using tcpdump to listen to this port traffic. Good luck!

Learning getting ssl traffic using wireshark and analyze ssl traffic.

Today we are going to study ssl using trace from wireshark. As such, there are few efforts we will need to do and summarize as below.

1. setup a web server that has ssl certificate configured.


2. get the network traffic using wireshark.


3. decode and analyze the network traffic using wireshark.

So first, what is SSL?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.[1] They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key.

If you already have a web server with ssl certicate configured, you can skip step 1. This is the documentation which I used primarily. You may not succeed on the first attempt as it took me several attempts to get the ssl traffic decrypted.  Words of advice, just do not give up.

1. setup a web server that has ssl certificate configured.

With this, you can either get the certificate from an authority or you can generate one. If you do not know how, you can google or you can request in the comment, maybe in the future, I will write a simple one. But here, I assume you have the certicate ready.

In the web server, with apache httpd being the most common, edit the configuration file. In the apache directory, edit the ssl.conf. Example.

<apache httpd directory>/sites-available/default-ssl.conf

SSLCertificateFile /etc/apache2/sites-available/abc_cert.pem
SSLCertificateKeyFile /etc/apache2/sites-available/abc_private_key.pem

change to according where you place the certificate and its private key. Enable this site and restart apache httpd and then you are set. I won't go into details for troubleshoothing problem if you encounter as this is not the main focus of this article and should leave as an exercise.

2. get the network traffic using wireshark.

Make sure wireshark that is currently installed has GnuTLS compiled. You can check using command below. The output must have GnuTLS and Gcrypt available.

$ wireshark --version | grep GnuTLS
with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with
1.6.1, with libz 1.2.8, GnuTLS 2.12.23, Gcrypt 1.5.4, without AirPcap.

Then now launch wireshark using root. Ignore about the warnings or information you receive during launch wireshark as root. Note, you can also using dumpcap when you need to capture in the server, but I have not verify if this solution is working. $ sudo dumpcap -i wlan0 -f 'host 192.168.133.49 and tcp port 443' . Probably not because you need to configure the server private key and the client (browser) random key. That should leave as another exercise.

$ sudo wireshark

There are some fields black out for obvious reason, we want to protect the server and client. But it should be self descriptive when you complete the steps as mentioned here.

We will first configure section in ssl configuration so that wireshark will be able to decrypt the data traffic. As such, you will need the server private key, which you can get from step 1 above. To configure that, go to Edit then Preferences... see screenshot below.



A window from Wireshark: Preferences pop up. Now on the left menu, expand the Protocols in the tree and look for SSL.  See screenshot below.



First, we will configure RSA keys list. Click on the Edit... button. Then another window pop up. Now add the server key. There are four out of five fields you need to fill in. See screenshot below for final output. Here I will explain the fields.

IP address	The IP address of the SSL server in IPv4 or IPv6 format, or the following special values: any, anyipv4, anyipv6, 0.0.0.0. Put your server hostname or ip address if you know.
Port	The TCP port number, or the special value start_tls or 0. For web server, normally it run on port 443 and in this example, I gave port 443 because it is a remote server listening https traffic on port 443.
Protocol	A protocol name for the decrypted network data. Popular choices are http or data. If you enter an invalid protocol name an error message will show you the valid values. Because http data are encrypted using ssl, thus, we should put value http here.
Key File	path to the RSA private key. So locate where you put the server private key at your local workstation and then select the file here.
Password	only needed when the private key is in format PCKS#12 (typically a file with a .pfx or .p12 extension). In step 1, the server private key is in format PEM and thus, for this field, you can leave it empty. Saved by clicking OK. Click on Apply and then OK.

The next field we are going to configure is the SSL debug file. This is a file written by this ssl module and I recommend you put a valid value here. You can tail this file later when the capture is started and you can inspect this file quickly (on the fly) when the decryption is happening. It is very good when your ssl decryption went wrong and this serve as a source of debug.

You should check the following fields.

• Reassemble SSL records spanning multiple TCP segments


• Reassemble SSL Application Data spanning multiple SSL records

Leave the field Message Authentication Code (MAC), ignore "mac failed and Pre-Shared-Key as is.

For the last field, (Pre)-Master-Secret log filename, fill in a value where in the next step, you will configure for the web browser environment. This is a file written by the client (web browser in our example) which is used by the client as a key to encrypt the data. Wireshark will read this file to decrypt the data.

That's it for the configuration, click on Apply button and OK button.

Now open another terminal and we will setup the environment so that client (browser) will dump the random key. Browser chromium will start to dump the keys to the file premaster.txt.

user@localhost:~$ export SSLKEYLOGFILE=/home/user/premaster.txt
user@localhost:~$ chromium

Now tail the ssl debug file and this premaster file in another two terminal tabs and watch the progress.

Right now, we will capture the traffic. To do that, click on Capture from the menu then Options... See the screenshot below. Set the configuration correctly, I check wlan0 because this is a laptop where the https request will flow to and fro within this channel. Capture filter, put on the host and the IP address of the web server where you configure in step 1 above. In this example, my server ip address is 192.168.133.49, so host 192.168.133.49.



To start the capture, click on the Start button.

Now, trigger a https call to the server from the web browser (in this example, chromium) and watch wireshark capture and decrypt the https data! Check also the tabs in terminal when debug log and premaster.txt are rolling. Click on stop button when you are satisfy with the https request.

3. decode and analyze the network traffic using wireshark.

From step 2 above, you are now have a complete ssl dumped and it is decrypted! See screenshot below. You may have noticed that SSL data has another tab at the bottom know as Decrypted SSL data. In this screenshot, it is 9000bytes. Pretty awesome I must say.



Right click on the row of packet which has protocol TLSv1 and click on Follow SSL Stream. It will show the encrypted ssl traffic (https) which has been decrypted into a http traffic.

That's it folks. I hope you learn something and please visit on donation page to donate to us.

How to setup pidgin WhatsApp using credential from Nokia n900

If you own a smart phone from Nokia, model n900, you are in luck to use WhatsApp
on your pc. The intention here is personal usage as sometime you ran out of
power in n900 whilst on a important conversation with friends. By setup up
whatsapp in pidgin messenger chatting software on linux, you can also save the
trouble of switch devices back and forth. This is intended for personal usage.

In this article, we are going to learn how to setup pidgin and so it can connect
to WhatsApp with the registration made in Nokia n900. Of cause, first, in n900,
you will need to install yappari, a whatsapp client for n900 and register yourself
an account in whatsapp. This article will not cover on how to install yappari
in n900 and getting an whatsapp account in yappari because it is very easy.

The official website of this plugin available here.  At the bottom of the site, there are several links to the operating system.

• Windows/Linux: http://davidgf.net/nightly/whatsapp-purple/


• Ubuntu/Debian: https://launchpad.net/~whatsapp-purple/+archive/ubuntu/ppa


• Fedora: https://copr.fedoraproject.org/coprs/davidgf/whatsapp-purple/


• ArchLinux: https://aur.archlinux.org/packages/purple-whatsapp/

If you do not want to go through the hassle of setting up apt repository , what you can do quickly is by

1. go to this link


2. depending on what cpu architecture, if it is 64bit cpu, click on x64/ http://davidgf.net/nightly/whatsapp-purple/x64/


3. pick the latest version, that is last-whatsapp.so and download to your computer.


4. then with root access, copy the lib to pidgin plugin directory.
   # cp last-whatsapp.so /usr/lib/purple-2


5. restart your pidgin.

At this moment of writing, I'm using last-whatsapp.so on the server with date of
this file is 31-Jul-2014 01:02 of 313075 bytes. Meanwhile for pidgin, the version
I'm using in debian is Pidgin 2.10.9 (libpurple 2.10.9) and this works very well for
me.

Once pidgin restarted, go to Manage Accounts and then click on Add button. This is
to add the WhatsApp account that you have setup in yappari. In the pop up Add Account
window, under protocol field, there should be a new protocol WhatsApp available in the
drop down selection. Pick that.

For Username and Password is very tricky here.
Username will be the phone number that you registered in yappari and as for password, you will need some work to retrieve from yappari configuration file in n900. But we will goes through this step by step.

Let's start with the easy one. The username field. It will be your country code follow by your mobile number without the prefix plus sign. For instance, if your mobile sim card is malaysian registered, it will be something like.

Username: 60123456789

Because the password which I'm gonna show you later will be a difficult one, I suggest you check the button Remember password. Unless you are paranoid, you can try to remember your password. Your choice.

For the field Local alias, it will be your name, just put anything that you like to identify yourself.

Now onto the password field, if you notice during registration, there is no procedure nor password sent to you. The only verification WhatsApp need is to identify this is a valid registration when you register an account. Note that WhatsApp code that sent to your phone is not your password.

I have been following the tutorial like using wireshark and tcpdump to get the password, see the attached screen below. This is just not possible because the traffic is encrypted using ssl.

12:07:45.317453 IP (tos 0x0, ttl 64, id 29179, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.82.62751 > 208.43.122.151-static.reverse.softlayer.com.https: Flags [S], cksum 0x938f (correct), seq 416925910, win 5840, options [mss 1460,sackOK,TS val 2996526 ecr 0,nop,wscale 4], length 0
	0x0000:  4500 003c 71fb 4000 4006 bd03 c0a8 0052  E..<q.@.@......R
	0x0010:  d02b 7a97 f51f 01bb 18d9 c8d6 0000 0000  .+z.............
	0x0020:  a002 16d0 938f 0000 0204 05b4 0402 080a  ................
	0x0030:  002d b92e 0000 0000 0103 0304            .-..........
12:07:46.135812 IP (tos 0x0, ttl 54, id 37650, offset 0, flags [DF], proto TCP (6), length 60)
    208.43.122.151-static.reverse.softlayer.com.https > 192.168.0.82.62751: Flags [S.], cksum 0xb738 (correct), seq 2641574608, ack 416925911, win 65535, options [mss 1452,nop,wscale 9,sackOK,TS val 3690413789 ecr 2996526], length 0
	0x0000:  4500 003c 9312 4000 3606 a5ec d02b 7a97  E..<..@.6....+z.
	0x0010:  c0a8 0052 01bb f51f 9d73 3ad0 18d9 c8d7  ...R.....s:.....
	0x0020:  a012 ffff b738 0000 0204 05ac 0103 0309  .....8..........
	0x0030:  0402 080a dbf7 3edd 002d b92e            ......>..-..
12:07:46.136301 IP (tos 0x0, ttl 64, id 29180, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.82.62751 > 208.43.122.151-static.reverse.softlayer.com.https: Flags [.], cksum 0xe429 (correct), seq 1, ack 1, win 365, options [nop,nop,TS val 2996630 ecr 3690413789], length 0
	0x0000:  4500 0034 71fc 4000 4006 bd0a c0a8 0052  E..4q.@.@......R
	0x0010:  d02b 7a97 f51f 01bb 18d9 c8d7 9d73 3ad1  .+z..........s:.
	0x0020:  8010 016d e429 0000 0101 080a 002d b996  ...m.).......-

That's impossible to decode the traffic if you do not have good knowledge on ssl but that's the whole point of ssl encrypt the message in the transport. So retrieving password via sniffing on the network packet will not work. We will now go to n900 and retrieve the password.

1. open a X terminal in n900. (if you do not have, you should install now)


2. change directory to .config/scorpius and check your current directory should be /home/user/.config/scorpius
   $ cd .config/scorpius
   $ pwd
   /home/user/.config/scorpius 


3. check current directory content with ls
   $ ls
   counters.conf yappari.conf yappari.log


4. what is important is yappari.conf where it contain the password that is needed. so cat yappari.conf
   $ cat yappari.conf
   [General]
   whatsnew=555555555
   imsi=502121212121212
   registered=true
   number=123456789
   cc=60
   phonenumber=60123456789
   password="ABCDEFGHIJKLMNOPQRSTUVWXYZ/="
   username=JohnSmith
   creation=1407484663
   expiration=1439020663
   kind=free
   accountstatus=active
   lastsync=1407484676392
   status=Available
   lastimagedir=/home/user/MyDocs/DCIM
   nextchallenge="APAPAPAPAPAPAPAPAPAPAPAPAPAP"

You will see similar content as of above, and you should copy and paste the password to your pidgin. Note, because it is long, you might want to copy this file out and copy and paste it.

Fill in the password from step 4 into pidgin password field. Note that below is just an example of demonstration, you should replace your own value.

Password: ABCDEFGHIJKLMNOPQRSTUVWXYZ/=

When you click the checkbox for 'Enabled' for your account, it should now connect.

WhatsApp has a smiley theme called emoji. So you might want to install that as WhatsApp users normally will send in emoji that pidgin will not able to decode and display as a rectangular box with hexadecimal. To install emoji for your what's app, you can follow these steps.

1. read introduction at https://github.com/davidgfnet/whatsapp-purple/blob/master/README.md#how-do-i-get-graphical-whatsapp-smileys


2. download the unicode-emoji and emoji-for-pidgin to your home directory.


3. extract the zip files and copy the directory to your pidgin home.
   $ cp -R android apple symbola $HOME/.purple/smileys
   $ cp -R Emoji-for-Pidgin $HOME/.purple/smileys
   $ ls $HOME/.purple/smileys
   android apple Emoji-for-Pidgin symbola


4. restart your pidgin and go to Tools -> Preferences -> Themes.


5. under Smiley Theme, select the emoji you want. :)

That's it. Start sending WhatsApp message from your pc!

---

UPDATE 

If you have setup whatsapp on pidgin using this published article during the period on 31 August 2014 to 22 November 2014, you should really get the update again. Then in the setting for this whatsapp account in pidgin, under Advanced tab, in the resource field , change to Android-2.31.151-443. Restart pidgin and it should connect again.