Archive for the ‘Security’ Category

Avoiding Nimda and the like

Sunday, June 1st, 2003

If your Apache listens to the outside world, you have probably seen those annoying entries in your logs from Nimda, Code Red and similar worms. They are probing for IIS holes, so on Apache they only produce 404s, but they fill the logs with noise.

As those kiddies really bother me, I have made some modifications to my Apache config file.

Although there are other approaches to this problem, I find this one easy and clean.

Edit your httpd config file (mod_setenvif has to be loaded) and add the following:

# Set the environment variable "imbecil" on every request whose URI matches
# one of these patterns. They are regular expressions, so the dot before an
# extension must be escaped, and they are case-sensitive: /Scripts/ or
# root.EXE would slip through unless you use SetEnvIfNoCase instead.
SetEnvIf Request_URI MSADC imbecil
SetEnvIf Request_URI scripts imbecil
SetEnvIf Request_URI default\.ida imbecil
SetEnvIf Request_URI \.exe$ imbecil
SetEnvIf Request_URI \.dll$ imbecil
# Note: this one flags every request containing cgi-bin (legitimate CGI
# scripts included) and sets both the "msadc" and the "imbecil" variables.
SetEnvIf Request_URI cgi-bin msadc imbecil
# Flagged requests go to their own log file...
CustomLog /var/log/httpd/imbecil.log common env=imbecil

ErrorLog /var/log/httpd/error.log
# ...and are kept out of the normal access log.
CustomLog /var/log/httpd/access.log common env=!imbecil

This logs the kiddies' requests in imbecil.log, so you can take further measures, and keeps them out of access.log. Bear in mind that for requests coming through a proxy the address you see is the proxy's, not the real client's, and that this only separates the logs: the requests are still answered (with a 404) as before.
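As an added example (not part of the original post), the same URI rules applied with grep to a handful of constructed log lines. It shows why the query string has to be stripped before an anchored pattern such as \.exe$ can match, which is what Apache's Request_URI already does for you, and what the case-insensitive variant (the SetEnvIfNoCase equivalent) catches that the original case-sensitive rules miss. The log lines, addresses and timestamps are made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample log lines in Apache "common" format (made up for this
# example, not taken from the original post). Lines 2-5 and 7 are typical
# Nimda / Code Red probes; 1 and 6 are ordinary requests.
SAMPLE_LOG='10.0.0.1 - - [01/Jun/2003:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 1234
10.0.0.2 - - [01/Jun/2003:10:00:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294
10.0.0.3 - - [01/Jun/2003:10:00:03 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 294
10.0.0.4 - - [01/Jun/2003:10:00:04 +0200] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 294
10.0.0.5 - - [01/Jun/2003:10:00:05 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
10.0.0.6 - - [01/Jun/2003:10:00:06 +0200] "GET /docs/README.txt HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jun/2003:10:00:07 +0200] "GET /Scripts/Root.EXE?/c+dir HTTP/1.0" 404 294'

# The SetEnvIf rules from the post as one extended regex. As in the Apache
# config, the dots are escaped so that "\.exe$" means a literal ".exe" at the
# end of the URI.
WORM_RE='MSADC|scripts|default\.ida|\.exe$|\.dll$'

# Extract the request path from a log line and drop the query string, which is
# what Apache's Request_URI variable contains (so an anchored pattern such as
# \.exe$ still matches "/scripts/root.exe?/c+dir").
request_uri() {
    printf '%s\n' "$1" | awk -F'"' '{ split($2, r, " "); sub(/[?].*/, "", r[2]); print r[2] }'
}

# Case-sensitive match, exactly what SetEnvIf does. Misses /Scripts/Root.EXE.
is_worm_probe_strict() {
    request_uri "$1" | grep -Eq "$WORM_RE"
}

# Case-insensitive match, the equivalent of SetEnvIfNoCase.
is_worm_probe() {
    request_uri "$1" | grep -Eqi "$WORM_RE"
}

# Split a log (passed as one string) the way the two CustomLog lines do and
# print the line counts as "<clean> <probes>".
split_log() {
    clean=0; probes=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_worm_probe "$line"; then
            probes=$((probes + 1))
        else
            clean=$((clean + 1))
        fi
    done <<EOF
$1
EOF
    printf '%s %s\n' "$clean" "$probes"
}

split_log "$SAMPLE_LOG"
```

Running it prints "2 5": two clean requests and five probes, the last of which is only caught by the case-insensitive version.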

Do you have a better approach to this problem?

More security for your files and directories

Monday, May 12th, 2003

There is a tool called chattr that allows you to change file attributes on a GNU/Linux ext2 (or ext3) filesystem.

For example, to protect myfile.txt, proceed as follows...

chattr +i myfile.txt

A file with the "i" (immutable) attribute cannot be modified: it cannot be deleted or renamed, no link can be created to it and no data can be written to it, not even by root, until the attribute is cleared. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. Use lsattr to see which attributes a file carries, and chattr -i to clear the flag when you need to edit the file again.

Tunneling over OpenSSH

Sunday, May 11th, 2003

One of the beauties of the OpenSSH suite is that you can forward a TCP port on your local host through an encrypted SSH connection to a port on the remote side, so that a protocol normally sent in the clear travels protected between the two ends.

Let's say you want to "tunnel" POP3 mail from your laptop to your remote mail server...

ssh -l user -L 110:mailhost:110 -N mailhost

-L specifies that the given port on the local host (the first 110) is to be forwarded to the given host and port (mailhost:110) on the remote side; note that the destination is resolved by the SSH server, not by your laptop. Your mail client then talks POP3 to localhost and the connection comes out of the SSH server on mailhost. By default the forwarded port is bound only to the loopback interface, and binding a port below 1024 such as 110 requires root on the laptop, so you may prefer a high local port instead.

The -l switch specifies the login name on the remote host and -N tells ssh not to execute a remote command, which is all you want for a pure tunnel.

Using GnuPG

Saturday, May 10th, 2003

GnuPG is the GNU Privacy Guard, a free implementation of the OpenPGP standard and thus compatible with Pretty Good Privacy (PGP). You can use GnuPG to encrypt and/or sign your mails or files: encryption keeps their contents confidential in transit, and a signature lets the receiver check both who produced them and that they have not been altered.

There are graphical front ends for GnuPG, but here we are going to use the command line.

First of all we must generate a key pair:

gpg --gen-key

With older GnuPG (1.x) the first run of this command only creates the ~/.gnupg directory and its files and then exits, so you need to launch the command again to actually create the keys; current versions go straight to the key generation dialogue.

When prompted, select these options:

DSA and ElGamal
Keysize 1024
Expire time 0 (never expires)
Personal info
Passphrase

For the moment accepting the default values is fine (these were GnuPG's defaults in 2003; current versions default to stronger keys, and a 1024-bit key should not be generated today). Be careful with your passphrase: it protects your private key, and so everything you decrypt or sign with it, so do not simply pick the first silly words that come to mind ;-)

Once you have your key pair, you are ready to start using GnuPG.

gpg -ea -r karkoma myfile.txt

Encrypts myfile.txt (-e) to karkoma's public key (-r) with ASCII armor (-a), writing myfile.txt.asc (more on armor in my next article). You need the recipient's public key on your keyring, and only the recipient's private key can decrypt the result.

gpg -d myfile.txt.asc >myfile.txt

Decrypts myfile.txt.asc with your private key (enter your passphrase). The redirection overwrites myfile.txt if it already exists.

gpg --clearsign -a myfile.txt

Signs myfile.txt, producing myfile.txt.asc with the text still readable and a signature block appended (clear-signed output is always ASCII, so -a is redundant here). Once signed, the slightest modification to the signed text will make verification report a bad signature.

gpg --verify myfile.txt.asc

Verifies the signature on the file.

gpg -ba myfile.tar.gz

Signs a binary file with a detached (-b), armored (-a) signature written to myfile.tar.gz.asc; the archive itself is not touched. To check it, pass both the signature file and the original file to gpg --verify, signature first.
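As an added example (not code from the original post), here is the whole sequence above run unattended in a throwaway keyring: batch key generation, encrypt and decrypt, clear-sign and verify, a tamper check that shows a clear-signed file failing verification after one word is changed, and a detached signature on a binary. The user name, address and file names are assumptions, and the key is deliberately created without a passphrase so the script runs non-interactively, which you would never do for a real key. It needs GnuPG 2.1 or newer and prints "ok" when every step behaves as described.

```shell
#!/bin/sh
# Added example (not from the original post): key / encrypt / decrypt / sign /
# verify cycle in a temporary GNUPGHOME. Name and address are made up.
gpg_roundtrip() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "skipped: gpg not installed"
        return 0
    fi
    work=$(mktemp -d) || return 1
    # Private keyring directory; gpg warns unless it is mode 0700.
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1

    # Unattended equivalent of answering the "gpg --gen-key" questions.
    # %no-protection creates a key WITHOUT a passphrase: acceptable only for a
    # disposable test key like this one, never for a real key.
    cat >"$work/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$work/keyparams" 2>/dev/null || return 1

    printf 'The quick brown fox jumps over the lazy dog.\n' >"$work/myfile.txt"

    # gpg -ea -r <recipient>: encrypt to the recipient's public key, ASCII armoured.
    gpg --batch --quiet -ea -r demo@example.invalid \
        -o "$work/myfile.txt.enc.asc" "$work/myfile.txt" || return 1
    # gpg -d: decrypt with our private key (no passphrase prompt, see above)
    # and check that we got the original back.
    gpg --batch --quiet -d -o "$work/decrypted.txt" "$work/myfile.txt.enc.asc" 2>/dev/null || return 1
    cmp -s "$work/myfile.txt" "$work/decrypted.txt" || return 1

    # gpg --clearsign: the text stays readable, followed by a signature block.
    gpg --batch --quiet --clearsign -o "$work/myfile.txt.asc" "$work/myfile.txt" || return 1
    gpg --batch --quiet --verify "$work/myfile.txt.asc" 2>/dev/null || return 1
    # Change one word inside the signed text: verification must now fail.
    sed 's/quick/slow/' "$work/myfile.txt.asc" >"$work/tampered.asc"
    if gpg --batch --quiet --verify "$work/tampered.asc" 2>/dev/null; then
        return 1
    fi

    # gpg -ba: detached, armoured signature for a binary file. Verification
    # needs both the signature and the file it covers, signature first.
    printf '\037\213binary payload\377\n' >"$work/myfile.tar.gz"
    gpg --batch --quiet -ba -o "$work/myfile.tar.gz.asc" "$work/myfile.tar.gz" || return 1
    gpg --batch --quiet --verify "$work/myfile.tar.gz.asc" "$work/myfile.tar.gz" 2>/dev/null || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo ok
}

gpg_roundtrip
```

Every gpg call carries --batch so that nothing waits for a terminal; in real use you drop it and let gpg prompt for your passphrase.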

That’s all folks, just for now. I am preparing a more complete article regarding GnuPG, so come back soon.