Friday, December 22, 2006

The 2007 security focus in my world



After reading the various links on the web of 2007 predictions for both IT and Security, I asked myself "What are we going to do in 2007?"



1) It is clear that spam will continue to be a big problem. The new email-borne threats will arrive via images and video clips. It makes sense then to strip those images and MPEG files at the email gateway. Users won't like it, but think of it this way: we are saving our users from network death by infection. They don't appreciate losing network services and access to resources, and we don't appreciate the clean-up efforts. Equal? We will also be regularly scanning our file servers for files of that type and just blitzing them, no questions asked. Downloading these types of files is forbidden by policy.



Our systems will be configured to check continually for updates, which is the sole solution. I have not had a virus infection in the previous year.



2) We may migrate to Firefox as the web browser of choice. I still believe (see, there's the passion) that Firefox is going to protect my web surfing experience sooner and more reliably than IE. And no, we have not migrated to IE7 because we don't trust it yet. Microsoft still has a consumer confidence problem when it comes to security.



3) And we can include the migration to Vista in the same distrust bucket. If I had my way we would go open source all the way around. However, we are upgrading our hardware (who would've thought you would need 2GB of RAM on a desktop computer?). As much as I love and am passionate about open source on the desktop, it's just not quite ready for enterprise prime time. Not because the product is not great, but because of the end (L)user learning curve we would face.



4) Our biggest focus should be encryption in 2007. We aren't going mobile or doing VoIP. We are just concentrating on the basics and doing those things well. We shall be encrypting network traffic, hard disks, file systems, etc.



5) And at the base is security awareness training, because we have found that no matter how hard we work, our end users will find a way to unknowingly circumvent security technology. We need the end users in our camp and on our side, helping us fight the war against hackers and spammers.



I'd like to hear what your organization is doing to improve security in 2007.

Sunday, December 17, 2006

SSH keys and SSH key generation

Background and Terminology:

SSH - Secure SHell: SSH is both a program and a network protocol that provides strong authentication and encrypted communications between two machines over an insecure network. It is designed for logging into and executing commands on a remote machine, as well as moving files back and forth between the two machines. SSH supports several authentication mechanisms; the strongest is based on keys rather than passwords. With keys, SSH can authenticate you to all your accounts without the need to memorize many passwords or enter them repeatedly. ssh-keygen generates a private key and a public key. The public key is placed on the machines you wish to log into; the private key never leaves your own machine, and SSH uses it to prove your identity instead of your account password.

SSH protocols: SSH1 and the SSH-1 protocol were developed in 1995 by Tatu Ylönen, a researcher at the Helsinki University of Technology in Finland. SSH-1 is obsolete: its CRC-32 integrity check allows packet insertion attacks, it receives bug fixes only, and it should be disabled on both clients and servers. SSH2 and the superior SSH-2 protocol were released in 1998. The SSH2 product (from SSH Communications Security) is commercial, free only for qualifying educational use, but the SSH-2 protocol itself is an open IETF standard (RFC 4251 to 4254), and the OpenSSH implementation used in this tutorial is free software.

Public-key algorithms used by SSH: The Digital Signature Algorithm (DSA) was developed by the U.S. National Security Agency (NSA) and promulgated by the U.S. National Institute of Standards and Technology (NIST) as part of the Digital Signature Standard (DSS). DSA can only be used to produce digital signatures, not for encryption. Its well-known weakness is operational rather than mathematical: every signature needs a fresh, secret, uniformly random per-message value k. If the same k is ever used for two signatures, or k is predictable or biased, anyone holding the two signatures can compute the private key with a few modular operations. OpenSSH's ssh-dss keys are also fixed at 1024 bits. The Rivest-Shamir-Adleman algorithm (RSA) is the most widely used public-key algorithm and can be used for both encryption and digital signatures. Its security rests on the difficulty of factoring the modulus; deriving the private key from a public key of adequate size (2048 bits or more) is not currently feasible.
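To make the nonce point concrete, here is an added example in Python (it is not part of the Cornell page): a toy DSA with deliberately small, constructed parameters that signs two messages with the same k and then recovers the private key from nothing but the two signatures and the public parameters. Parameter sizes and messages are made up for illustration; real DSA uses a 160-bit or larger q.

```python
"""Toy DSA showing how a repeated per-signature nonce k leaks the private key.
Added example with deliberately small, constructed parameters; not real DSA sizes."""
import hashlib
import secrets

# Deterministic Miller-Rabin bases: exact for every n below 3.3e24, which covers
# the toy parameter sizes generated here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    if n < 2:
        return False
    for a in _MR_BASES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(qbits=64):
    """Toy DSA domain parameters (p, q, g): q prime, q | p-1, g of order q."""
    q = (1 << qbits) | 1
    while not is_prime(q):
        q += 2
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)     # h^((p-1)/q) has order q unless it is 1
        if g != 1:
            return p, q, g

def h_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(params, x, msg, k):
    """Textbook DSA signing, except the caller supplies k so it can be reused."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h_mod_q(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s

def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, h_mod_q(msg, q) * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r

def recover_private_key(params, msg1, sig1, msg2, sig2):
    """Two signatures with the same k share r. Then s1 - s2 = k^-1 (h1 - h2),
    so k = (h1 - h2) / (s1 - s2) and x = (s1 * k - h1) / r, all mod q."""
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r differs: k was not reused, this attack does not apply")
    h1, h2 = h_mod_q(msg1, q), h_mod_q(msg2, q)
    if (s1 - s2) % q == 0:
        raise ValueError("s1 == s2: hashes collide mod q, cannot divide")
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - h1) * pow(r1, -1, q) % q

def demo():
    """Sign two constructed messages with one k; return (x, recovered x,
    whether sig1 wrongly verifies for the other message)."""
    params = generate_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1          # private key
    y = pow(g, x, p)                          # public key
    k = secrets.randbelow(q - 1) + 1          # the nonce that gets reused
    m1, m2 = b"pay alice 10", b"pay mallory 10"
    sig1, sig2 = sign(params, x, m1, k), sign(params, x, m2, k)
    assert verify(params, y, m1, sig1) and verify(params, y, m2, sig2)
    recovered = recover_private_key(params, m1, sig1, m2, sig2)
    return x, recovered, verify(params, y, m2, sig1)

if __name__ == "__main__":
    x, recovered, cross = demo()
    print("recovered private key:", recovered == x, "cross-verify:", cross)
```

The same algebra applies to any DSA key size and to ECDSA; the only defence is a k that is never repeated and never guessable, which is why modern implementations derive it deterministically from the private key and the message (RFC 6979).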

Generating the SSH key pairs

In this tutorial there will be two machines represented:
[user_name@local_host ~]$
This will represent the user's account on the local machine - the machine that you are physically sitting in front of.
[user_name@remote_host user_name]$
This will represent the user's account on the remote machine - the machine that you will be accessing via ssh. To create the public and private keys, on the computer from which you will be connecting to the other machines, generate an SSH key pair as follows (I recommend the RSA algorithm):
[user_name@local_host ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.

Note:
The -t option specifies the type of the key to create. The possible values are:
  • rsa1 for the SSH-1 protocol (obsolete; only generate one if you must reach a server that cannot speak SSH-2)
    The file in which you save the key defaults to /home/user_name/.ssh/identity
  • rsa for the SSH-2 protocol
    The file in which you save the key defaults to /home/user_name/.ssh/id_rsa
  • dsa for the SSH-2 protocol (always 1024 bits; see the note on DSA above)
    The file in which you save the key defaults to /home/user_name/.ssh/id_dsa
The -b option specifies the number of bits in the key to create. The minimum and default depend on the OpenSSH release: older releases accepted 512 bits and defaulted to 1024, newer releases refuse short keys and default to 2048 or more. Pass -b explicitly and use at least 2048 bits, as the command above does; 1024-bit RSA is no longer considered adequate.
Enter file in which to save the key (/home/user_name/.ssh/id_rsa): [press enter]
If you get the following message after you press enter to save the key:
/home/user_name/.ssh/id_rsa already exists.
Overwrite (y/n)?
It means that an SSH key of that type was previously created. It is up to you to decide whether or not to overwrite the existing key. If you overwrite it, every machine that you were previously accessing with key authentication will reject you until you install the new public key there.
Enter passphrase (empty for no passphrase): [press enter]
Enter same passphrase again: [press enter]

Note:
The passphrase is the password that encrypts your private key on disk. Leaving it empty is simplest, and for unattended jobs (cron, backups) it is unavoidable, because nothing is there to type it. The cost is that anyone who can read an unencrypted private key can authenticate as you on every host that trusts it. So: set a passphrase on keys you use interactively, and load the key once per session with ssh-agent so you are not asked for it repeatedly. For passphrase-less automation keys, limit the damage on the server side by adding from="..." and command="..." options to the authorized_keys entry, so the key can only run one command from one host.
Your identification has been saved in /home/user_name/.ssh/id_rsa.
Your public key has been saved in /home/user_name/.ssh/id_rsa.pub.
The key fingerprint is:
1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f:3a:4b:5c:6d user_name@machine_name.bscb.cornell.edu
[user_name@local_host ~]$
Two files are generated: one with and one without the .pub extension. The one with the .pub extension is your public key and can be safely divulged. The other is your private key and must be safeguarded from being read by others (ssh-keygen creates it with mode 600; ssh ignores a private key that is readable by other users).

Now that you have generated your key, you need to put your public key in the authorized_keys file on every machine you want to connect to. You will do this using scp. SCP (Secure Copy Program) copies files between hosts on a network; it uses ssh for the transfer, so it provides the same authentication and the same protection as ssh. (Many systems also ship ssh-copy-id, which performs the copy-and-append steps below in one command.) The general form of the command is:
[user_name@local_host ~]$ scp source-specification destination-specification
In the case above we will use:
[user_name@local_host ~]$ scp /home/user_name/.ssh/id_rsa.pub remote_host.bscb.cornell.edu:/home/user_name/id_rsa.pub
SCP will prompt you for the password to the remote machine. After entering the password, the public key will be copied into your home directory on the remote machine.
Note:
If this is the first time you have connected to this particular remote_host, you will see something like:
The authenticity of host 'remote_host (132.236.123.102)' can't be established.
RSA key fingerprint is 17:a7:ac:13:07:5b:5d:2b:d7:22:16:c7:61:01:20:33.
Are you sure you want to continue connecting (yes/no)?
Type yes and press enter only if you are sure that you are connecting to the proper remote_host. The fingerprint is the only evidence you have: compare it with one obtained out of band from the remote administrator, because accepting blindly lets a man-in-the-middle capture the password you are about to type. The accepted host key is stored in ~/.ssh/known_hosts and checked on every later connection.
The next thing that we need to do is connect to the remote machine via ssh:
[user_name@local_host ~]$ ssh -l user_name remote_host.bscb.cornell.edu
user_name@remote_host.bscb.cornell.edu's password: [enter user_name password]
Now that we are on the remote_host, we need to append the contents of the public key to a file called authorized_keys, which lives in the .ssh directory of your home directory (create the directory if this is the first key you install):
[user_name@remote_host user_name]$ mkdir -p /home/user_name/.ssh
[user_name@remote_host user_name]$ cat /home/user_name/id_rsa.pub >> /home/user_name/.ssh/authorized_keys
Be sure to use the double ">>" so you do not overwrite any other authorized keys you may have already added to the authorized_keys file. You can then remove the id_rsa.pub file from your home directory since it is no longer needed.
[user_name@remote_host user_name]$ rm -f id_rsa.pub

Optional:
Your authorized_keys file should now look something like this:
ssh-rsa AAAAB3NzaC1y ... gwWhN/sYw== user_name@machine_name.bscb.cornell.edu
If you are comfortable editing files with vi or emacs, you can add a further restriction to the key. By prefixing the entry with the hostname (or address) of the local machine from which you will be connecting, you tell sshd to accept this key only from that machine. First, we need the hostname of the local machine:
[user_name@local_host ~]$ hostname
machine_name.bscb.cornell.edu
Next, we will add this information to the appropriate entry in the authorized_keys file:
[user_name@remote_host user_name]$ vi /home/user_name/.ssh/authorized_keys
Add the hostname information obtained above to the beginning of the appropriate key, as such: from="machine_name.bscb.cornell.edu" The authorized_keys file should now look something like: from="machine_name.bscb.cornell.edu" ssh-rsa AAAAB3NzaC1y ... gwWhN/sYw== user_name@machine_name.bscb.cornell.edu
Note that sshd matches the from= pattern against the client's IP address and against the hostname it obtains by reverse DNS lookup of that address. A hostname restriction is therefore only as trustworthy as the DNS; where you can, use an address pattern instead (for example from="132.236.123.*" if your local machine sits in that network). Several patterns may be given, separated by commas.

Setting Permissions:

Lastly, we need to ensure that permissions are set correctly. The .ssh directory should have permissions of 700, and the authorized_keys file 644 or, better, 600. sshd (with StrictModes, the default) silently ignores authorized_keys if the file, the .ssh directory, or your home directory is writable by group or others.
[user_name@remote_host user_name]$ chmod 700 /home/user_name/.ssh
This will allow read, write and execute permissions on the directory for the owner, and give no permissions to everyone else.
[user_name@remote_host user_name]$ chmod 644 /home/user_name/.ssh/authorized_keys
This will allow read and write permissions on the file for the owner, and give only read permissions to everyone else; chmod 600 (owner only) also works and reveals less. At this point, when you ssh into the remote machine you just copied your (possibly edited) public key into, you will no longer be prompted for the user_name password. If you still are, run ssh -v to see which keys are offered and why they are rejected, and check the sshd log on the remote host for a permissions complaint.
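Once several keys have accumulated, it pays to review the authorized_keys file with something stricter than eyeballing. The following Python is an added example (not from the Cornell page) that parses each entry the way sshd does, decodes the key blob to check that the declared type matches and to read the RSA modulus size, flags ssh-dss keys and RSA keys under 2048 bits, reports entries without a from= restriction, and checks the file mode StrictModes cares about. The sample entries are constructed wire-format blobs with dummy numbers, not real keys; the auditor only parses them.

```python
"""Audit an OpenSSH authorized_keys file: key types, RSA sizes, from= options,
and the file mode sshd's StrictModes enforces. Added example, constructed input."""
import base64
import stat
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048

def _split_quoted(text, sep=None):
    """Split on whitespace (sep=None) or on sep, but never inside "..." quotes."""
    fields, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif not quoted and (ch.isspace() if sep is None else ch == sep):
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields

def _read_string(blob, off):
    """SSH wire 'string': 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_line(line):
    """Return {options, type, bits, comment}, or None for blank and # lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_quoted(line)
    options = [] if fields[0] in KEY_TYPES else _split_quoted(fields.pop(0), ",")
    if len(fields) < 2:
        raise ValueError("missing key type or key data")
    ktype, b64, comment = fields[0], fields[1], " ".join(fields[2:])
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError("type field %s disagrees with blob %r" % (ktype, wire_type))
    bits = None
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, not needed here
        n, off = _read_string(blob, off)       # modulus as mpint
        bits = int.from_bytes(n, "big").bit_length()
    return {"options": options, "type": ktype, "bits": bits, "comment": comment}

def audit(text, mode=None):
    """Return (line_no, finding) pairs; line 0 carries file-level findings."""
    findings = []
    if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, "file is group/world-writable; sshd ignores it under StrictModes"))
    for no, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except (ValueError, struct.error) as exc:
            findings.append((no, "unparseable entry: %s" % exc))
            continue
        if entry is None:
            continue
        if entry["type"] == "ssh-dss":
            findings.append((no, "ssh-dss key: fixed at 1024 bits, disabled by default in current OpenSSH"))
        elif entry["type"] == "ssh-rsa" and entry["bits"] < MIN_RSA_BITS:
            findings.append((no, "RSA modulus is %d bits, below %d" % (entry["bits"], MIN_RSA_BITS)))
        if not any(o.startswith("from=") for o in entry["options"]):
            findings.append((no, "no from= restriction; key is usable from any host"))
    return findings

# Constructed test vectors: wire-format blobs around dummy numbers, not real keys.
def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # leading 0x00 keeps it positive
    return struct.pack(">I", len(raw)) + raw

def _string(b):
    return struct.pack(">I", len(b)) + b

def make_rsa_line(bits, options=""):
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    prefix = options + " " if options else ""
    return "%sssh-rsa %s constructed@example" % (prefix, base64.b64encode(blob).decode())

def make_dss_line():
    blob = _string(b"ssh-dss") + b"".join(_mpint(v) for v in ((1 << 1023) | 1, (1 << 159) | 1, 2, 3))
    return "ssh-dss %s constructed@example" % base64.b64encode(blob).decode()

SAMPLE = "\n".join([
    "# constructed authorized_keys",
    make_rsa_line(2048, 'from="132.236.123.*",no-port-forwarding'),
    make_rsa_line(1024),
    make_dss_line(),
])

def audit_sample(mode=0o644):
    return audit(SAMPLE, mode)

if __name__ == "__main__":
    for no, msg in audit_sample():
        print("line %d: %s" % (no, msg))
```

To run it against a real file, pass the file's text and `os.stat(path).st_mode` to audit(); the mode check mirrors the group/other write bits that make sshd discard the whole file.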

From Cornell University Page

Saturday, December 16, 2006

Securing and Hardening Red Hat Linux Production Systems

A Practical Guide to Basic Linux Security in Production Enterprise Environments

Written by Werner Puschitz

This article is a practical step-by-step guide for securing Linux production systems. It discusses basic Linux security requirements for systems that need to pass various audits in an enterprise environment. If you work on a corporate Linux security standard, or if you do Sarbanes-Oxley Act (SOX) or Statement on Auditing Standards No. 70 (SAS 70) related work, you will find useful and practical information here.


Link : http://www.puschitz.com/SecuringLinux.shtml

Monday, December 04, 2006

How to mount your NTFS volume to Linux

This is a handy post for people who have installed Linux and Windows XP side by side and want interoperability between them.

A Linux-NTFS interoperability project exists at http://www.linux-ntfs.org/ ; you can get the necessary details from that page. The distributions dealt with here are Red Hat and Ubuntu.

Choose one of the following three options:

1) The Linux kernel has an integrated NTFS driver. It allows reading files and rewriting existing files in place, but it does not support creating new files or deleting existing ones. It works out of the box in most modern Linux distributions, except Red Hat/Fedora, which do not ship the module. The kernel loads its supported filesystems as modules; FAT and other legacy filesystems are included by default, but on Red Hat/Fedora NTFS is not.

First of all, check your partitions with the hardware browser or with fdisk from the command prompt, so that you know the exact device name of the Windows partition (hda1, hda5, ...).

Check mounting using these commands:

# mkdir /mnt/windows
# mount -t ntfs -o ro,umask=0022,nls=utf8 /dev/hda5 /mnt/windows

Substitute your own partition for hda5. The kernel driver cannot create files, so mount it ro and be honest about that. umask=0022 presents every file as owner-writable and world-readable; umask=0002 would make them appear group-writable too. If the Windows partition holds private data, use umask=0077 together with uid=your_uid so that only your account can read it.


If NTFS is not supported, mount fails with an error such as "unknown filesystem type 'ntfs'". In that case you have to download the appropriate NTFS kernel module and install it; yum can fetch it if a repository that carries the module is configured.

Open a terminal.Be root user using command

# su -

and issue:

# yum install kmod-ntfs (for uniprocessor kernels)
# yum install kmod-ntfs-smp (for SMP/dual-core kernels)

These kmod-ntfs packages come from third-party repositories (Livna, for example), not from Red Hat, and the module version must match the running kernel exactly (compare with uname -r) or it will not load.

Otherwise search the net for an NTFS kernel driver for your kernel version and install it manually. Then issue the commands above once more:

# mkdir /mnt/windows
# mount /dev/hda1 /mnt/windows -t ntfs -o umask=0002,nls=utf8


Add the entry permenantly to fstab file :

/dev/hda1 /mnt/windows ntfs ro,umask=0022,nls=utf8 0 0

That is it. Run mount -a (or reboot) to pick up the new entry.

2) ntfsprogs includes an improved driver, ntfsmount, which provides the same functionality as the kernel driver. Additionally it supports basic cases of directory, symlink, device and FIFO file creation, deletion and renaming. Note: that doesn't mean it always succeeds; it is still experimental and may refuse to complete an operation in order to prevent corruption. See the ntfsmount page for more details.

3) On 07/14/2006, project member Szabolcs Szakacsits presented a new version of ntfsmount and libntfs under the project title ntfs-3g. This version has full read/write capabilities, many bug fixes and improved performance. It has already been downloaded over 66,000 times and has been tested and regularly used with satisfaction over the last three months. Despite that it is still a strong beta, and it will eventually (in one form or another) be merged into the linux-ntfs ntfsprogs package.

The beta version of the ntfs-3g driver can be downloaded from http://www.ntfs-3g.org

You can use any of the three methods above depending on the situation. For the first and most common method, I have laid out the steps in detail.

Sunday, December 03, 2006
Stage6 from Divx

I like this idea: like YouTube, the developers of the DivX codec have a social video site that has full DVD-quality movies... for those with broadband2 (i.e. ADSL2) it works pretty sweet.


Perhaps Google, having now purchased YouTube, might consider a part of YouTube for high-quality video with their massive bandwidth. It is one of the things that currently sucks about Internet video - watching crappy quality in a little square - when I can turn on my TV and get a nice large good-looking picture (even if in reality it is fairly low resolution... unless you have an HDTV of course).


From CodeMonkey Blog

Friday, December 01, 2006

Server setup of wireless LAN over the wired LAN as part of Wireless Workshop at IIITMK

Overview: Wireless Local Area Networks (WLANs) are implemented as an extension to wired LANs within a building and provide the final few metres of connectivity between the wired network and the mobile user. WLANs are based on the IEEE 802.11 standard. Most WLANs operate in the 2.4 GHz licence-free band; the original 802.11 standard offered up to 2 Mbps, while 802.11b and 802.11g reach 11 and 54 Mbps. WLAN configurations vary from simple, independent, peer-to-peer connections between a set of PCs to more complex, intra-building infrastructure networks.

In a typical WLAN infrastructure configuration, there are two basic components:

  1. Access Points - An access point/base station connects to the LAN by means of an Ethernet cable. A building may require several access points to provide complete coverage and allow users to roam seamlessly between them.
  2. Wireless Client Adapter - A wireless adapter connects users via an access point to the rest of the LAN. A wireless adapter can be a PC card in a laptop, an ISA or PCI adapter in a desktop computer, or can be fully integrated within a handheld device.

Server : rbs.iiitmk.ac.in

Configuration : Adding a host, identified by IP and MAC address, to the DHCP server's configuration so that it is recognised automatically when the wireless LAN comes up on the network.

Background : IIITMK has a wired LAN with two proxies at the two service end-points, one at Park Center and one at the Nila facility. Wireless routers have been purchased to set up a wireless LAN over the wired LAN in the institution. A wireless test machine has also been set up, running a wiki suite, for further activities in the wireless area. The first event associated with it is a 'Workshop on Wireless Technologies' with many international participants. During the event the wiki site had to be running and accessible to every registered participant with a notebook PC at the end-point.

Step 1 : First the wireless machine is given a static address from the internal addressing scheme. The wiki runs on it and must be reachable from the wireless LAN. The static IP must not be assigned anywhere else on the LAN, so before choosing one, look up the existing fixed-address entries and the dynamic ranges in the server's dhcpd.conf.

Step 2 : Log on to the server rbs.iiitmk with root-level access (obtained from the sysadmin) and add the WLAN host to the DHCP configuration (ISC dhcpd reads /etc/dhcpd.conf):

#vi /etc/dhcpd.conf

line 121/22 : host DabbaWLANTestServer { hardware ethernet ; fixed-address ; }

(The MAC and IP values are omitted here; see the confidentiality note at the end.) Keep in mind that a reservation keyed on the MAC address only identifies the host, it does not authenticate it: MAC addresses are trivially spoofed, so the reservation must not be treated as an access control.

Step 3 : Add an A record for the wireless host to the forward zone file. The zone file lives under the chroot directory because the sysadmin runs named chrooted (and backs it up from there).

#vi /var/named/chroot/var/named/iiitmk.forward

commwireless IN A 192.168.0.70

Remember to increment the serial number in the zone's SOA record, otherwise secondary name servers will not pick up the change.

Step 4 : Restart the DHCP and DNS services so that both read their new configuration

# service dhcpd restart
# service named restart
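Step 1 asks you to verify by hand that the static address is unused before editing dhcpd.conf. The following Python is an added example (not from the original post) that automates that pre-flight check: it pulls the dynamic ranges, fixed addresses and reserved MACs out of a dhcpd.conf, refuses a reservation that collides with any of them or has a malformed MAC, and renders the host block used in Step 2. The dhcpd.conf text and the MAC addresses in it are constructed, since the real file from rbs.iiitmk was withheld; 192.168.0.70 is the address the A record in Step 3 points at.

```python
"""Pre-flight check for a dhcpd.conf host reservation: the address must not already
be a fixed-address or lie inside a dynamic range, and the MAC must be well formed
and not already reserved. Added example; the configuration below is constructed."""
import ipaddress
import re

# Constructed stand-in for rbs.iiitmk's dhcpd.conf; MACs are made up.
SAMPLE_DHCPD_CONF = """\
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.1;
}
host DabbaWLANTestServer {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.0.70;
}
host printer1 { hardware ethernet 00:11:22:33:44:66; fixed-address 192.168.0.20; }
"""

RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+?)\s+(\S+?)\s*;")
FIXED_RE = re.compile(r"\bfixed-address\s+(\S+?)\s*;")
HWADDR_RE = re.compile(r"\bhardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_dhcpd(text):
    """Extract dynamic ranges, fixed addresses and reserved MACs. Regex-based,
    which is enough for hand-written configs; it is not a full dhcpd grammar."""
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
              for a, b in RANGE_RE.findall(text)]
    fixed = {ipaddress.ip_address(a) for a in FIXED_RE.findall(text)}
    macs = {m.lower() for m in HWADDR_RE.findall(text)}
    return ranges, fixed, macs

def check_reservation(conf_text, mac, ip):
    """Return the reasons the reservation is unsafe; an empty list means go ahead."""
    problems = []
    mac = mac.lower()
    if not MAC_RE.match(mac):
        problems.append("MAC %r is not six colon-separated hex octets" % mac)
    addr = ipaddress.ip_address(ip)
    ranges, fixed, macs = parse_dhcpd(conf_text)
    if mac in macs:
        problems.append("MAC %s already has a host declaration" % mac)
    if addr in fixed:
        problems.append("%s is already a fixed-address" % addr)
    for lo, hi in ranges:
        if lo <= addr <= hi:
            problems.append("%s lies in dynamic range %s-%s; dhcpd may lease it to another client"
                            % (addr, lo, hi))
    return problems

def render_host(name, mac, ip):
    """The host declaration in the form used in Step 2, once the checks pass."""
    return "host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n" % (name, mac.lower(), ip)

if __name__ == "__main__":
    for mac, ip in [("00:aa:bb:cc:dd:ee", "192.168.0.71"),
                    ("00:aa:bb:cc:dd:ee", "192.168.0.70"),
                    ("00:11:22:33:44:55", "192.168.0.150")]:
        issues = check_reservation(SAMPLE_DHCPD_CONF, mac, ip)
        print(ip, "OK" if not issues else "; ".join(issues))
```

Run it against the real file by passing open("/etc/dhcpd.conf").read() in place of the sample; a clean result still only means dhcpd will not hand the address to anyone else, it says nothing about hosts configured statically outside DHCP, which is why Step 1 also mentions checking the rest of the LAN.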

Wireless LAN

http://en.wikipedia.org/wiki/Wireless_LAN

Protocol

http://en.wikipedia.org/wiki/IEEE_802.11

DHCP Information

http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

DHCP Reference

http://tldp.org/HOWTO/DHCP/x369.html#AEN382

For information on DNS lookup, refer

http://wireless.about.com/od/workingwithipaddresses/qt/ipaddresslookup.htm

Note : Some information excluded due to confidentiality.Systems and services policy lies with IIITMK System administrator