Time Nick Message 13:55 pdurbin does anyone have django running on centos under virtualenv? 15:22 pdurbin bah! permissions issue 15:40 hydrajump bash remote execution vulnerability http://seclists.org/oss-sec/2014/q3/651 15:56 pdurbin yikes 18:52 semiosis http://s3-ec.buzzfed.com/static/2014-09/23/12/enhanced/webdr04/anigif_enhanced-4630-1411491004-1.gif 18:52 semiosis enjoy 21:33 codex details about the bash thing in one place: http://blog.vpetkov.net/2014/09/24/bash-remote-exploit-vulnerability/ 21:38 semiosis meh 21:38 semiosis i dont always use bash, but when i do i 'curl | sudo bash' 21:38 semiosis brb, memeing that 21:42 semiosis codex: can you clear this up for me... in that post's example, is it intended for there to be an unmatched single quote? 22:16 codex semiosis: no, sorry -- wordpress "annoyances" 22:16 codex check now 22:20 semiosis i'm vulnerable! 22:23 pdurbin codex: can you make the links clickable? 22:26 codex if you are running bash -- chances are you are 22:27 codex pdurbin: yea, new version of wp is doing some really weird things 22:27 codex it looks nicer, but it's less functional 22:28 semiosis codex: bash all the things! 22:28 codex pdurbin: done 22:28 codex heh 22:29 codex pdurbin: btw, I have a scanner in AWS for this 22:29 pdurbin much better. thanks 22:29 codex if you have some external space, I can scan it 22:29 codex (for the cgi/http vuln) 22:29 pdurbin codex: I just have the one VM with you and sounds like you patched already 22:30 semiosis people still use CGI? 22:30 codex pdurbin: i don't patch people's vms -- due to, not having access to people's vms :) 22:30 codex pdurbin: but a simple "yum update" will get you there 22:31 pdurbin oh good 22:34 hydrajump hi guys 22:34 hydrajump codex: quick docker q. Are you running any databases in containers? 22:36 codex I am - not personally, but managing a few for different projects 22:40 hydrajump codex: just trying to decide whether to run DBs in docker containers or on raw EC2. 22:47 codex i think it really depends. If you are going w/ the docker way for "custom" apps, it's great 22:47 codex i actually have a dual mysql setup. If within AWS -- docker is super easy b/c you get the site to site vpn and such 22:47 codex but having a dual mysql-cluster is actually pretty simple 22:49 semiosis why not just use RDS if you want mysql in ec2? 22:50 hydrajump codex: do you setup iptables in each container as an extra layer of security? 22:53 codex yea -- you actually need it for the routing 22:53 codex between the "host" and the containers -- so that you can pop open dynamic ports on the outside 22:54 codex semiosis: you can -- this really becomes a portability/size of app/what the goal of the project/etc... 22:54 codex for my personal blog, i wouldn't get RDS 22:54 codex for a production setup, probably will 22:56 hydrajump codex: are you using port binding to expose a containers ports to the outside or you're going and modifying the iptables directly? I'm still figuring out the networking of docker 22:59 codex hydrajump: sadly, the networking in docker is still "crapy" -- they really need a "routing" engine that lets you modify stuff on the fly easily. They have something like this already, but it's not great 23:00 codex so you can either use their "bind" to bind a port to a dedicated external, but if you are following the prefered setup -- and you are abstracting things -- you can't hard code ports. So then you would get the random port assigned, and end up iptabling that to the "host" VM 23:01 codex hydrajump: so for example, you can do the '-p 3306:3306' type of thing 23:01 hydrajump ah so you do docker run -P codex/myapp and it will bind what EXPOSE ports you have such as 80 to 41900 on the host 23:02 codex or 23:03 codex MYSQL01_HOST=`docker inspect mysql01 | grep Addr | awk -F'"' {'print $4'}` && iptables -t nat -I PREROUTING -p tcp --dport 3306 -j DNAT --to $MYSQL01_HOST:3306 23:03 codex s/or/and ^^ 23:03 codex that is the prefered method 23:04 codex hydrajump: correct about the expose. You "expose" them esentially, and then bind them w/ iptables 23:04 codex another method (totally different) is not to even have networking, and later add things to the specific bridge that you create w/ pipework, but again, currently the network state could be much better 23:05 codex and they are already working it out. I believe the next couple of releases will fix it completely. The big push was to realease a v1 so that companies that start incorporating the main stuff 23:05 hydrajump so that iptables command is modifying a rule on the host and not in the container? 23:14 codex correct 23:15 codex it's bridging your container (docker) with the host port so that stuff on the outside can communicate out. And if you think about it -- this is ONLY needed if 1.) you need someone from the outside to access mysql (in this case) OR if you want to create a cluster between multiple mysql instances 23:15 codex normally, you would use the "link" method to feed your MySQL instance to your webapp 23:16 codex or even if you don't use link, you would not expose the DB to the container, because generally it's not needed -- unless you need to replicate/cluster/etc... 23:16 codex gota run ttyl 23:16 hydrajump bye codex