I am using rpcbind (SunRPC) on Arch linux and the Python rpc.py (which use standard python socket module) interface for comunication with it. Every time I try to send a request for registration or unregistration to rpcbind, I get message that I am rejected for security reasons. The only situation where everything works is when I call rpcbind in insecure mode (rpcbind -i), but I really want to make everything works in secure mode. I found information from the rpcbind datasheet that I can make a request in secure mode only from the loopback address, but I have tried every approach I had knew to make such a socket and everything fell down. How do I connect to rpcbind in secure mode?
Related
i found this vulnerability CVE-2021-4189 (https://bugzilla.redhat.com/show_bug.cgi?id=2036020)
in ftblib library in python
CVE description : A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.
now i am confused if this vulnerability affected my code using a ftp upload in passive mode as below or should i use ftp.set_pasv(False) to use active mode only
# Init Connection
ftp = FTP()
ftp.connect(FTP_ADDRESS, FTP_PORT)
ftp.login(*FTP_CREDENTIALS)
Yes, your code would be vulnerable, if you did not update to a fixed version of Python yet. And if it is using IPv4 (PASV) for data connections (what is likely does).
I'd not recommend switching to the active mode though, as that will likely cause you problems.
Rather fix your code the same way the ftplib fix works – by ignoring the IP returned by the server in the FTP.makepasv.
See SmartFTP implementation in my answer to:
Cannot list FTP directory using ftplib – but FTP client works
Having that said, I do not consider the vulnerability serious enough to even worry about – unless your code connects to random FTP servers.
I write a reverse proxy accroding to this https://gist.github.com/voorloopnul/415cb75a3e4f766dc590#file-proxy-py.
I need this to overwrite the authentication infomation from client side. Like following.
Client(passA) ---> Proxy(overwrite passA into passB) ---> Server(passB)
Where passB is the correct password and passA is random number.
The algorithms is SCRAMSHA256, a little bit complex but I manage to do this.
Eventhing works well when the proxy and the server is not on the same machine.
I have tried to deploy the proxy on both windows and linux. The proxy uses 'ip address' to point to Server
While, when the proxy using 'localhost' to point the Server, it is broken, that the authentication cannot be passed with one certain client(for which I made the proxy). But with the other clients, it also works well.
Shouldn't this be encapsulation and transparent to user?
Why the localhost so special and how can I fix this?
Update the latest research
The authenication failed because the client connect to the server directly, so the password is not modified by my proxy.
Condition 1: Proxy on another machine. The proxy works.
Client(192.168.1.1) ==> Proxy(192.168.1.3:8000) ==> Server(192.168.1.2:6000)
-
Condition 2: Proxy on the same machine as the Server.
The proxy listen 0.0.0.0:8000 and forward packets to localhost:6000.
Client(192.168.1.1) ==> Proxy(192.168.1.2:8000) ==> Server(192.168.1.2:6000)
After the first connection, the rest connection becomes
Client(192.168.1.1) =====> Server(192.168.1.2:6000) without proxy.
That makes the proxy not work anymore.
Why the client will skip it in condition 2?
I'm trying to run a simple FTPServer on EC2. My client connects to it fine, and I can make and remove directories. However, I get the following error whenever I try to store or retrieve a file: Failure: twisted.protocols.ftp.CommandFailed: ["425 Can't open data connection."]
I've tested the server on my localhost, and everything behaves as normal. I was paranoid and decided to turn on all ports in my security groups, but it still doesn't work. Am I missing something when setting up my EC2 machine?
Your FTP client appears to be in active mode, and is (like most client computers these days) behind a NAT or firewall which does not permit inbound connections.
There's another question on Stack Overflow about this topic that quite clearly explains the differences between active and passive mode in FTP; you should read it.
Configure your client to use passive mode, or "PASV", and it ought to work.
What's the easiest way to establish an emulated TCP connection over HTTP with python 2.7.x?
Server: a python program on pythonanywhere (or some analogue) free hosting, that doesn't provide a dedicated ip. Client: a python program on a Windows PC.
Connection is established via multiprocessing.BaseManager and works fine when testing both server and client on the same machine.
Is there a way to make this work over HTTP with minimal additions to the code?
P.S. I need this for a grid computing project.
P.P.S. I'm new to python & network & web programming, started studying it several days ago.
Found this: http://code.activestate.com/recipes/577643-transparent-http-tunnel-for-python-sockets-to-be-u/. Appears to be exactly what I need, though I don't understand how to invoke setup_http_proxy() on server/client side. Tried setup_http_proxy("my.proxy", 8080) on both sides, but it didn't work.
Also found this: http://docs.python.org/2/library/httplib.html. What does the HTTPConnection.set_tunnel method actually do? Can I use it to solve the problem in question?
Usage on the client:
setup_http_proxy("THE_ADRESS", THE_PORT_NUMBER) # address of the Proxy, port the Proxy is listening on
The code wraps sockets to perform an initial HTTP CONNECT request to the proxy setup to get an HTTP Proxy to proxy the TCP connection for you but for that you'll need a compliant proxy (most won't allow you to open TCP connections unless it's for HTTPS).
HTTPConnection.set_tunnel basically does the same thing.
For your use case, a program running on free hosting, this just won't work. Your free host probably will only allow you to handle http requests, not have long running processes listen for tcp connections(which the code assumes).
You should rethink your need to tunnel and organize your communication to post data (and poll for messages from the server, unless they're answers to the stuff you post). Or you can purchase a VPS hosting that will give you more control over what you can host remotely.
I am little stumped: I have a simple messenger client program (pure python, sockets), and I wanted to add proxy support (http/s, socks), however I am a little confused on how to go about it. I am assuming that the connection on the socket level will be done to the proxy server, at which point the headers should contain a CONNECT + destination IP (of the chat server) and authentication, (if proxy requires so), however the rest is a little beyond me. How is the subsequent connection handled, specifically the reading/writing, etc...
Are there any guides on proxy support implementation for socket based (tcp) programming in Python?
Thank you
Maybe use something like SocksiPy which does all the protocol details for you and would let you connect through a SOCKS proxy as you would without it?
It is pretty simple - after you send the HTTP request: CONNECT example.com:1234 HTTP/1.0\r\nHost: example.com:1234\r\n<additional headers incl. authentication>\r\n\r\n, the server responds with HTTP/1.0 200 Connection established\r\n\r\n and then (after the double line ends) you can communicate just as you would communicate with example.com port 1234 without the proxy (as I understand you already have the client-server communication part done).
Have a look at stunnel.
Stunnel can allow you to secure
non-SSL aware daemons and protocols
(like POP, IMAP, LDAP, etc) by having
Stunnel provide the encryption,
requiring no changes to the daemon's
code