Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

0xacab.org/kali/nowin

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

0xacab.org/kali/nowin

  • v0.0.0-20211116190907-448d2e27b38c
  • Go
  • Socket score

Version published
Created
Source

Selective access howto

Let's say you need to leave certain machines out of your http server. Passive fingerprinting to the rescue!

http

This example uses nginx sub-requests for authorization on a particular location. It could be ported to apache, but I don't know how.

Location /nowin is the selective authorization. It delegates the request to /auth, which is a proxy-pass to a local-only, not exposed service that we'll be running.

location /nowin {
   auth_request /auth;
   auth_request_set $auth_status $upstream_status;
   error_page 403 /403.html;
}

location /auth {
   internal;
   proxy_pass              http://localhost:8000;
   proxy_pass_request_body off;
   proxy_set_header        Content-Length "";
   proxy_set_header        X-Original-URI $request_uri;
   proxy_set_header        X-Forwarded-For $remote_addr;
}

A nice detail is to specify a custom 403 template, like this one:

<html>
<head><title>403 Forbidden for windows</title></head>
<body>
<center><h1>403 Forbidden for windows</h1></center>
<center>please upgrade your client</center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

p0f

I'm using a fork that attempted to modernize a bit the original from Zalewski:

sudo apt install libcap-ng-dev
git clone https://github.com/eteran/libp0f
cd libp0f
mkdir build && cd build
cmake .. && make

We have to pass the interface (if not the default) and the path to the unix socket where our service will connect:

❯ sudo ./p0f -i wlp0s20f3 -s /var/run/p0f.socket
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from 'p0f.fp'.
[+] Intercepting traffic on interface 'wlp0s20f3'.
[#] Computed rule: tcp or (vlan and tcp)
[+] Default packet filtering configured [+VLAN].
[+] Listening on API socket '/var/run/p0f.socket' (max 20 clients).
[+] Entered main event loop.

auth proxypass

Compile and run the go module in this repo. Runs on port 8000 by default. The service will query p0f's in memory database via the binary API over the unix domain socket: If the info p0f has gathered tells us that this IP is identified as windows (and the user-agent is not set to the magic string), a 403 will be returned.

go build && ./nowin

Install

make build
make install-service
make run-service

Caveats

  • Right now, the first connection by a windows client will be allowed (which is perhaps not a problem, since the request we're interested in is not the first).
  • What about NATs? (p0f gathers some info about them. One heuristic might be to try to close in the last_seen time window).
  • Need more error checks.
  • Check memory usage.
  • Write a service file to relaunch p0f every x hours.
  • Need to extend the gop0f library for ipv6 support.

FAQs

Package last updated on 16 Nov 2021

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc