Archive for the ‘Security’ Category

10 years of OpenSSH

Friday, October 2nd, 2009

Thank you to everyone that has contributed to OpenSSH over its lifetime. It has made our life as Sysadmins a bit easier.

The version 5.3 has been released and marks the 10th anniversary of this project. From OpenSSH:

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

This release marks the 10th anniversary of the OpenSSH project. We would like to thank the OpenSSH community for their support, especially those who will continue to contribute code or patches, report bugs, test snapshots or donate to the project during the next 10 years.  More information on donations may be found at:

http://www.openssh.com/donations.html

OpenSSH: simplifying logins

Thursday, December 6th, 2007

OpenSSH provides a per-user configuration file usually located in ~/.ssh/config. This file can help ease your life as Sysadmin. Let’s say that you frequently connect to a server in this way:

ssh admin@boring-servername.boring-domain.com

With OpenSSH there is an easy way to do the job. Edit or create a config file:

vi ~/.ssh/config

and then add the following:

Host servername
     User admin
     HostName boring-servername.boring-domain.com

Here Host is the alias for the remote server you want to connect to, HostName is the full name of the remote server and User is the login name. From now on, ssh servername does the same job as the long command above.
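To see how ssh picks values out of that file, here is an added example (not part of the original post, and not OpenSSH's own code) that parses a small constructed config and applies ssh's rule that the first value obtained for each keyword wins, so a catch-all "Host *" stanza at the end only supplies defaults. The db-* stanza, the Port lines and the %h token are assumptions added for the example.

```python
import fnmatch

# Constructed sample ~/.ssh/config (an assumption for this example): the alias
# from the post, a wildcard alias, and a catch-all stanza with defaults.
SAMPLE_CONFIG = """\
Host servername
     User admin
     HostName boring-servername.boring-domain.com
     Port 2222

Host db-*
     User dba
     HostName %h.boring-domain.com

Host *
     User guest
     Port 22
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            stanzas.append((value.split(), {}))
        elif stanzas:
            stanzas[-1][1].setdefault(keyword, value)  # first value in a stanza wins

    return stanzas

def resolve(alias, text):
    """Apply ssh's first-obtained-value rule: walk matching Host stanzas in
    order and only fill keywords not yet set; %h in HostName is the alias."""
    result = {"hostname": alias, "user": None, "port": "22"}
    seen = set()
    for patterns, opts in parse_ssh_config(text):
        if not any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            continue
        for key, value in opts.items():
            if key not in seen:
                seen.add(key)
                result[key] = value.replace("%h", alias)
    return result
```

resolve("servername", SAMPLE_CONFIG) yields user admin on port 2222 at the long host name, while an alias matching only "Host *" gets the guest defaults.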

References:

DNS recursion and DDOS

Wednesday, March 22nd, 2006

According to security news, it seems that Sysadmins are becoming more and more concerned about poorly configured DNS servers, especially since recent reports show an increase in distributed denial of service attacks targeted at recursive DNS servers. Next I’ll show you some very basic tips to protect your machines against this kind of attack.

As you probably know, a recursive DNS server (a caching DNS server) answers client queries for various DNS records. Queries it cannot resolve directly (non-local records) are forwarded to servers that can resolve them. Once it gets the answers, it stores them in its cache for future use (note that this data is not cached forever).

An authoritative DNS server, on the other hand, only publishes the DNS records of a specific domain to the world, and is known as authoritative for that domain.

Nowadays everybody with some security skills seems to agree on the importance of separating DNS caches from authoritative DNS servers. Even Bind (the most widely used DNS implementation) seems to follow this recommendation.

The easiest way to limit recursion in Bind9 is to put something like this in your config file:

options {
    allow-query { any; };
    allow-recursion { 192.168.1.0/24; localhost; };
};

This will allow recursion from your internal net and from localhost. A better solution… SWITCH TO DJBDNS!!
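Once allow-recursion is in place, it is worth confirming from a host outside 192.168.1.0/24 that the server no longer recurses for it. The following is an added example (not from the original post and not Bind's code): it builds a DNS query with the RD bit set and reads the RA bit and RCODE of the reply. probe() talks to a server you administer; the two constructed replies let the logic run offline. www.example.com and the transaction id are arbitrary assumptions.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A query with the RD (recursion desired) bit set, which is
    what a stub resolver sends to a caching server."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def classify(response):
    """Read the 12-byte header.  RA tells whether the server offers recursion
    to this client; RCODE 5 (REFUSED) is what Bind typically returns when
    allow-recursion excludes the client and the name is not one it serves."""
    _, flags = struct.unpack(">HH", response[:4])
    recursion_available = bool(flags & 0x0080)
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if recursion_available and rcode == 0:
        return "open-recursion"
    return "no-recursion"

def probe(server, name="www.example.com", timeout=3.0):
    """Query a server you administer from a host outside its allow-recursion
    list and classify the reply (plain UDP on port 53)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(data)

def fake_reply(flags):
    """Constructed reply for offline use: the query echoed back with new
    flags (not a real capture); only the header matters to classify()."""
    q = build_query("www.example.com")
    return q[:2] + struct.pack(">H", flags) + q[4:]

OPEN_REPLY = fake_reply(0x8180)    # QR, RD, RA set; NOERROR: recursion offered
LOCKED_REPLY = fake_reply(0x8105)  # QR, RD set; RA clear; REFUSED: locked down
```

If probe() on your own server still reports "open-recursion" from an outside address, the allow-recursion list is not taking effect for that client.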

And now some interesting links:

Encrypting files with OpenSSL

Tuesday, August 16th, 2005

The OpenSSL Project is an Open Source implementation of the Secure Sockets Layer and Transport Layer Security protocols as well as a cryptography library. In this tip I will show you how to encrypt an individual file using the openssl tool.

Probably GPG is a better choice for simple file encryption, but on some occasions (e.g. encrypting without building keys or certificates) OpenSSL can be very useful. It’s very simple:

openssl enc -aes-256-cbc -salt -in SuperSecretFile.txt -out SuperSecretFile.txt.enc

And you are done! Now to decrypt the file:

openssl enc -d -aes-256-cbc -in SuperSecretFile.txt.enc -out SuperSecretFile.txt

A note on the -salt option from the man page:

use a salt in the key derivation routines. This option should *ALWAYS* be used unless compatibility with previous versions of OpenSSL or SSLeay is required. This option is only present on OpenSSL versions 0.9.5 or above.
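What the salt actually does is feed the key derivation, so the same password yields a different key and IV for every file. The following is an added example (not from the original post and not OpenSSL's code) that reproduces the legacy openssl enc derivation, EVP_BytesToKey, with one iteration and splits the "Salted__" header off an enc file; the digest name and the passwords are assumptions for the example.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker openssl enc writes in front of the 8-byte salt

def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest="md5"):
    """Legacy openssl enc derivation (EVP_BytesToKey, one iteration):
    D1 = H(pw || salt), Di = H(D(i-1) || pw || salt), concatenated until
    key_len + iv_len bytes exist.  -aes-256-cbc needs a 32-byte key and a
    16-byte IV.  Releases before 1.1.0 hashed with MD5; 1.1.0 and later
    default to SHA-256, so pass digest="sha256" for files made with them."""
    if salt is not None and len(salt) != 8:
        raise ValueError("openssl enc salts are exactly 8 bytes")
    seed = password + (salt or b"")
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + seed).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def split_enc_file(data):
    """Split openssl enc output into (salt, ciphertext).  Without -salt
    (or with -nosalt) there is no header and the salt is None, so the
    key depends on the password alone."""
    if data.startswith(MAGIC):
        return data[8:16], data[16:]
    return None, data

def derive_from_file(password, data, digest="md5"):
    """Recover key and IV for a given enc file from its salt header."""
    salt, _ = split_enc_file(data)
    return evp_bytes_to_key(password, salt, digest=digest)
```

Since this derivation is a single hash pass, it is cheap to guess passwords against; OpenSSL 1.1.1 and later add -pbkdf2 (with -iter) to openssl enc for a slower, standard derivation.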

Ports used by trojans and viruses

Thursday, September 23rd, 2004

Here goes a list of useful links to ports used by trojans and viruses…

If you are aware of new links, post a comment please.

Memory allocation DOS

Monday, July 12th, 2004

A bug in Apache 2.0.49 may allow a remote attacker to perform a Denial of Service attack by exhausting memory. It seems that 1.3.x releases are safe.

For more information:

OpenSSH: port forwarding during active sessions

Tuesday, June 8th, 2004

Imagine you are logged into a remote system and want to forward a local port to the remote system without logging out and logging in again. This little trick will tell you how to do this.

According to OpenSSH man pages:

Escape Characters
When a pseudo terminal has been requested, ssh supports a number of
functions through the use of an escape character.
....

The supported escapes (assuming the default `~') are:
.....

~C Open command line (only useful for adding port forwardings using
the -L and -R options)

.....

So, to add a local forward after logging into the remote system, proceed as follows:

ssh user@remote_host

Once logged in…

CR~C

Hit carriage return, then ~, then C, and you’ll get a prompt where you can type something like this:

ssh> -L 8022:127.0.0.1:22
Forwarding port

Linux kernel vulnerability

Sunday, April 25th, 2004

According to NetSecurity

The ip_setsockopt() function code is a subroutine of the setsockopt(2) system call. This function allows manipulation of various options of the IP socket. The MCAST_MSFILTER option can be used to provide the kernel with a list of multicast addresses to be received on the socket. This code has been introduced with the 2.4.22/2.6.1 kernel releases. Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. Unsuccessful exploitation of the vulnerability may lead to a denial-of-service attack causing machine crash or instant reboot.

This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases.

References:

Apache as an open proxy?

Sunday, April 25th, 2004

If you have seen entries in your access.log file like this one…

a.b.c.d - - [24/Apr/2004:23:00:00 +0200] "GET http://www.google.com/" 200 46124

This means that a.b.c.d is trying to access www.google.com using your Apache as a proxy. As you can see, the response status 200 indicates success and the data returned is 46124 bytes long.

If you don’t want your server to be used as a forward proxy, make sure that the ProxyRequests directive is set to Off; better still, do not load the mod_proxy module at all.

Although the entry shown in the previous example says that the request succeeded, this is not necessarily true. Try the following to test your server:

telnet www.yoursite.com 80
GET http://www.google.com/

Watch the access.log file. If you see status code 200, compare the bytes returned by Apache (the last field in the log entry) with your homepage size (your index.html). If they match, Apache is serving your homepage instead of forwarding the request to google. If they don’t, your Apache is probably an open forwarding proxy.
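The same comparison can be run over a whole access.log rather than by eye. This is an added example (not from the original post): it picks out request lines whose target is an absolute URL, the form a client sends to a forward proxy, and applies the byte-count test from above. The log lines and the 46124-byte homepage size are constructed for the example, not real traffic.

```python
import re

# Common log format; the protocol field is optional because HTTP/0.9-style
# requests like the telnet test above have none.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$')

def is_proxy_request(target):
    """Absolute-URL targets (scheme://host/...) are what a client sends to a
    forward proxy; ordinary requests carry only a path such as /index.html."""
    return bool(re.match(r'^[A-Za-z][A-Za-z0-9+.-]*://', target))

def classify_line(line, homepage_size):
    """Apply the post's test: a 200 with the homepage's byte count means the
    request was answered locally; a 200 with any other size suggests the
    reply really came from the remote site."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    if not is_proxy_request(m.group("target")):
        return "normal"
    if m.group("status") != "200":
        return "rejected"
    if m.group("bytes") == str(homepage_size):
        return "served-homepage"
    return "likely-forwarded"

def audit(lines, homepage_size):
    """Return (client, verdict) for every proxy-style request in the log."""
    out = []
    for line in lines:
        verdict = classify_line(line, homepage_size)
        if verdict not in ("normal", "unparsed"):
            out.append((line.split()[0], verdict))
    return out

# Constructed sample access.log lines (not real traffic); homepage is 46124 bytes.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2004:23:00:00 +0200] "GET http://www.google.com/" 200 46124',
    '10.0.0.6 - - [24/Apr/2004:23:01:00 +0200] "GET http://www.google.com/ HTTP/1.0" 200 5120',
    '10.0.0.7 - - [24/Apr/2004:23:02:00 +0200] "GET http://www.google.com/ HTTP/1.1" 403 291',
    '10.0.0.8 - - [24/Apr/2004:23:03:00 +0200] "GET /index.html HTTP/1.1" 200 46124',
]
```

Any "likely-forwarded" verdict is the case to chase: check ProxyRequests and whether mod_proxy is loaded at all.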

References:

Editing remote files with OpenSSH

Sunday, April 18th, 2004

As you know, the main feature of OpenSSH is establishing secure connections to remote machines, giving you interactive sessions on them. However, OpenSSH also allows you to execute commands on remote machines: you can run a command and have its output returned to your screen without logging in to the remote machine.

To execute a command remotely simply type:

ssh user@remote_host 'ls -al /etc'

However, some commands require a terminal to run properly. For example, if you want to edit a remote file using vi you probably will try something like this:

ssh user@remote_host 'vi /etc/passwd'

And you’ll get warnings like this:

Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

To avoid such warnings and cleanly edit your remote files type the following:

ssh -t user@remote_host 'vi /etc/passwd'

The -t option will… (from OpenSSH man pages)

Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.