The version 5.3 has been released and marks the 10th anniversary of this project. From OpenSSH:

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

This release marks the 10th anniversary of the OpenSSH project. We would like to thank the OpenSSH community for their support, especially those who will continue to contribute code or patches, report bugs, test snapshots or donate to the project during the next 10 years.  More information on donations may be found at:

http://www.openssh.com/donations.html

ssh admin@boring-servername.boring-domain.com

With OpenSSH there is an easy way to do the job. Edit or create a config file:

vi ~/.ssh/config

and then add the following:

Host servername
     User admin
     HostName boring-servername.boring-domain.com

Where Host is the alias for the remote server you want to connect to, HostName is the full name of the remote server and User is the login name.

References:

• man ssh_config

As you probably know, a recursive DNS server (a caching DNS) tells clients the answers to queries for various DNS records. Queries not resolvable directly (non-local records) are forwarded to servers that can resolve them. Once it get answers they are stored in its cache for future use (note that this data is not cached forever).

On the other hand, a DNS server only shows to the world DNS records for a specific domain and is known to be authoritative for that domain.

Nowadays everybody with some security skills seems to agree in the importance of separating DNS caches from DNS servers. Even Bind (the most widely used DNS implementation) seems to follow this recommendation.

The easiest way to limit recursion in Bind9 is to put something like this in your config file:

options { allow-query { any; }; allow-recursion { 192.168.1.0/24; localhost; };

This will allow recursion from your internal net and from localhost. A better solution… SWITCH TO DJBDNS!!

And now some interesting links:

• Notes from DjbDNS site
• DjbDNS site
• Threats posed by DNS recursion
• If you insist in using Bind

Probably GPG is a better choice for simple file encryption, but in some ocassions (i.e. encrypt without building keys or certificates) OpenSSL could be very useful. It’s very simple:

openssl enc -aes-256-cbc -salt -in SuperSecretFile.txt -out SuperSecretFile.txt.enc

And your are done! Now to decrypt the file:

openssl enc -d -aes-256-cbc -in SuperSecretFile.txt.enc -out SuperSecretFile.txt

A note from the man pages.

use a salt in the key derivation routines. This option should *ALWAYS* be used unless compatibility with previous versions of OpenSSL or SSLeay is required. This option is only present on OpenSSL versions 0.9.5 or above.

• Linux firewall and security site
• This is from ISC
• Doshelp
• From Network ICE
• More on trojans and ports they like
• Simovits consulting

If you are aware of new links, post a comment please.

For more information:

• Georgi Guninski security advisory #70, 2004
• Gentoo GLSA 200407-03 / Apache
• Apache 2.0 Security Vulnerabilities

According to OpenSSH man pages:

Escape Characters
When a pseudo terminal has been requested, ssh supports a number of
functions through the use of an escape character.
....

The supported escapes (assuming the default `~') are:
.....

~C Open command line (only useful for adding port forwardings using
the -L and -R options)

.....

So, to add a local forward after logging into the remote system procede as follows:

ssh user@remote_host

Once logged in…

CR~C

Hit carriage return then ~ and the C and you’ll get a prompt where you could type something like this:

ssh> -L 8022:127.0.0.1:22
Forwarding port

The ip_setsockopt() function code is a subroutine of the setsockopt(2) system call. This function allows manipulation of various options of the IP socket. The MCAST_MSFILTER option can be used to provide the kernel with a list of multicast addresses to be received on the socket. This code has been introduced with the 2.4.22/2.6.1 kernel releases. Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. Unsuccesfull exploitation of the vulnerability may lead to a denial-of-service attack causing machine crash or instant reboot.

This bug has been fixed in the 2.4.26 and 2.6.4 kernel releases.

References:

• NetSecurity

a.b.c.d – - [24/Apr/2004:23:00:00 +0200] “GET http://www.google.com/” 200 46124

This means that a.b.c.d is trying to access www.google.com using your Apache as a proxy. As you can see the response status 200 indicates success and the data returned is 46124 bytes long.

If you don’t want your server to be used as a forward proxy make sure that ProxyRequests directive is set to Off, even better do not load mod_proxy module.

Despite the fact the entry shown in the previous example says that the request succeded, this is not necessarily true. Try the following to test your server:

telnet www.yoursite.com 80
GET http://www.google.com/

Watch the access.log file. If you see the code status 200, compare the bytes returned by Apache (the last field in the log entry) with your homepage size (your index.html). If they match, Apache is serving your homepage instead of forwarding the request to google. If they don’t, probably your Apache is an open forwarding proxy.

References:

• Apache FAQ

To execute a command remotely simply type:

ssh user@remote_host ‘ls -al /etc’

However, some commands require a terminal to run properly. For example, if you want to edit a remote file using vi you probably will try something like this:

ssh user@remote_host ‘vi /etc/passwd’

And you’ll get warnings like this:

Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

To avoid such warnings and cleanly edit your remote files type the following:

ssh -t user@remote_host ‘vi /etc/passwd’

The -t option will… (from OpenSSH man pages)

Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g., when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.