IT Security | Robert Penz Blog

Free SSL certificates will be supported in IE/Windows [Update]

August 21, 2009

In the StartCom Blog the head of the company writes that its CA will be included by Microsoft. He states, “Starting approximately the 22nd of September, Microsoft intends to distribute a non-security update package to the Windows operating systems which includes the trusted StartCom root certificate and the automatic root certificate update service will update the cryptographic certificates root store on those systems whenever a StartCom issued certificate is encountered.”

Why is this worth reporting? This CA is with the above mentioned date the first CA which provides a Free SSL certificate which is supported by Microsoft and therefore by all Internet Explorer browsers. Sure this is “only” a SSL certificate which only assures the domain name or email address, but this is much more than now. You find many small mail servers where the webmail/IMAP/POP3/SMTP or a small homepage for a few users is self signed. All these can now be protected much better, the only problem seems to be that the CA is not supported by Firefox and other open source players. The other authority I know which provides free SSL certificates is CAcert. They are much stronger in the open source world, but with the inclusion of the StartSSL CA by Microsoft, they will have a much lower install base of browsers than StartSSL.

[Update] Mozilla and Apple support this CA for years already. My error – sorry. So these Free SSL certs are really something for a small website or mail server.[/Update]

In IT Security | 3 Comments

The Search for reduced SPAM load – Part 2

July 28, 2009

As my first ideas discussed in the first part of this series didn’t work out as I liked it, I went ahead and looked for other means to withstand these waves. If packets and connections should not reach courier, I would need to use a smtp proxy or to something with the Linux kernel. As the OpenBSD spamd is not available for Linux, I looked than through the iptables documentation and found the ipt_recent module.

It provides a userspace interface which enables a script/program to add IP addresses to a list which get them drop/reject for a given time. I thought this is exactly what I need. Why?

I cannot just drop/reject packages of IPs which are in DNS RBL, as maybe there is a false positive and he needs to know that there is a problem. The mail server needs therefore to send a 5xx the first time, but it is quite ok I think to not except connections for him some minutes after this.

This setup should at least give courier time to close the connections within the timeout, and denies a spammer trying to deliver more than one mail, or keep the connection up by ignoring the 5xx. So I went ahead. First I loaded the iptables module with an option to allow more IP addresses stored.

modprobe ipt_recent ip_list_tot=1000

I think 1000 is quite on the low end, as the spam waves easily reach them. Than I added following iptables commands to my firewall script.

# build sub chain $iptables -N SPAMMER # move all incomming smtp traffic there $iptables -A INPUT -p tcp --dport 25 -j SPAMMER # check if the source ip is already in the list, if so give it another 60 sec and drop the packages $iptables -A SPAMMER -m recent --name spammer --update --seconds 600 -j DROP

As you can see we drop the packets for 10 minutes. If a packet is send within that 10min the time period starts again.

You can test your setup by doing following.

echo +1.1.1.1 >/proc/net/ipt_recent/spammer

and take a look at

cat /proc/net/ipt_recent/spammer

Replace 1.1.1.1 by an IP address of a spammer (just look in your logfile ) and see it working. Ok, now that we have the kernel/iptables part we need a script which adds the IP addresses of spammers on a DNS RBL after the first 5xx to the ipt_recent list.

As this is only for testing at this point I wrote a small script which watches the mail.log file and looks for 511 errors (the courier error code for DNS RBL hits) and add the IP addresses of the sending servers/zombies to ipt_recent.

Here is the python script: watchForSpammers.py. I don’t go into any details it is quite easy anyway. Start it like this within screen (apt-get install screen) to keep it alive even after logout.

./watchForSpammers.py /var/log/mail.log

The script does its work and adds IP addresses to the ipt_recent list which blocks them also nicely. Just type following to verify it.

iptables -L -xvn

You will see a line like this.

Chain SPAMMER (1 references) pkts bytes target prot opt in out source destination 15213 724935 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 600 name: spammer side: source

But the big question is, does it help against the spam waves and its length and heights? More No than Yes . It does almost nothing against the height, but it allows courier to go back a little faster to normal. But still my mail server is maxed out.

So I continue to search for another way. Any ideas?

In IT Security, Linux | No Comments

The Search for reduced SPAM load – Part 1

July 27, 2009

This is the first part of a series of articles which show the various ways I try to reduce the memory and CPU usage on one of my mail server due spammer. Why a series? The first and obvious ideas didn’t work …… but lets start from the beginning.

One of the mail server I manage is for a small software company which sells products mainly to Windows power users. As the email addresses are in every product/readme and on the homepage the server get a lot of spam. I use courier as MTA and IMAP backend for it. To fight the spam I’m using DNS RBL as first line of defense, followed by greylisting, spam assassin and some other stuff.

The ratio of spam which gets through is quite low but thats not the problem at this point. The problem are the spam waves that hit the server several times a day. Normally the system has under 30 open SMTP connections to/from others server, but within minutes that value raises drastically. For example look these values which show the amount of open SMTP connections at the given moment.

Mon Jul 27 19:12:17 CEST 2009 4 Mon Jul 27 19:12:22 CEST 2009 5 Mon Jul 27 19:12:27 CEST 2009 5 Mon Jul 27 19:12:32 CEST 2009 7 Mon Jul 27 19:12:37 CEST 2009 13 Mon Jul 27 19:12:42 CEST 2009 9 Mon Jul 27 19:12:47 CEST 2009 8 Mon Jul 27 19:12:52 CEST 2009 50 Mon Jul 27 19:12:57 CEST 2009 88 Mon Jul 27 19:13:02 CEST 2009 101 Mon Jul 27 19:13:07 CEST 2009 120 Mon Jul 27 19:13:12 CEST 2009 129 Mon Jul 27 19:13:17 CEST 2009 135 Mon Jul 27 19:13:23 CEST 2009 145 Mon Jul 27 19:13:28 CEST 2009 150 Mon Jul 27 19:13:33 CEST 2009 163 Mon Jul 27 19:13:38 CEST 2009 167 Mon Jul 27 19:13:43 CEST 2009 175 Mon Jul 27 19:13:48 CEST 2009 180 Mon Jul 27 19:13:53 CEST 2009 183 Mon Jul 27 19:13:58 CEST 2009 190 Mon Jul 27 19:14:03 CEST 2009 202 Mon Jul 27 19:14:08 CEST 2009 204 Mon Jul 27 19:14:13 CEST 2009 204 Mon Jul 27 19:14:18 CEST 2009 203 Mon Jul 27 19:14:23 CEST 2009 206 Mon Jul 27 19:14:28 CEST 2009 207 Mon Jul 27 19:14:33 CEST 2009 211 Mon Jul 27 19:14:38 CEST 2009 216 Mon Jul 27 19:14:43 CEST 2009 218 Mon Jul 27 19:14:48 CEST 2009 220 Mon Jul 27 19:14:53 CEST 2009 222 Mon Jul 27 19:14:58 CEST 2009 227 Mon Jul 27 19:15:03 CEST 2009 229 Mon Jul 27 19:15:08 CEST 2009 228 Mon Jul 27 19:15:13 CEST 2009 229 Mon Jul 27 19:15:18 CEST 2009 232 Mon Jul 27 19:15:23 CEST 2009 234 Mon Jul 27 19:15:28 CEST 2009 234 Mon Jul 27 19:15:34 CEST 2009 237 Mon Jul 27 19:15:39 CEST 2009 240 Mon Jul 27 19:15:44 CEST 2009 241 Mon Jul 27 19:15:49 CEST 2009 243 Mon Jul 27 19:15:54 CEST 2009 244 Mon Jul 27 19:15:59 CEST 2009 244 Mon Jul 27 19:16:04 CEST 2009 246 Mon Jul 27 19:16:09 CEST 2009 245 Mon Jul 27 19:16:14 CEST 2009 246 Mon Jul 27 19:16:19 CEST 2009 247 Mon Jul 27 19:16:24 CEST 2009 246 Mon Jul 27 19:16:29 CEST 2009 244 Mon Jul 27 19:16:34 CEST 2009 250 Mon Jul 27 19:16:39 CEST 2009 253 Mon Jul 27 19:16:44 CEST 2009 252 Mon Jul 27 19:16:49 CEST 2009 253 Mon Jul 27 19:16:54 CEST 2009 256 Mon Jul 27 19:16:59 CEST 2009 258 Mon Jul 27 19:17:04 CEST 2009 260 Mon Jul 27 19:17:09 CEST 2009 264 Mon Jul 27 19:17:14 CEST 2009 262 Mon Jul 27 19:17:19 CEST 2009 273 Mon Jul 27 19:17:24 CEST 2009 301 Mon Jul 27 19:17:30 CEST 2009 301 Mon Jul 27 19:17:35 CEST 2009 301 Mon Jul 27 19:17:40 CEST 2009 301

It is important to notice these are the values after some tuning on my side already and running a special iptables filter, which I describe in a later articel. They where worse before. The current limit are 300 active connections which lead to following entries by courier.

Jul 27 19:17:23 mail courieresmtpd: 300 maximum active connections. Jul 27 19:18:24 mail courieresmtpd: 300 maximum active connections. Jul 27 19:21:14 mail courieresmtpd: 300 maximum active connections.

At this point my monitoring reports that the SMTP service is not reachable as courier does not handle new connections. After some minutes the wave got past my server and the active connections go down again and the monitoring reports the the SMTP service is up again.

You may ask why I don’t just raise the limit of 300 active connections? Because with 300 connections I need already 1GB of RAM only for SMTP stuff. This is because courier forks for every connection a “small” process which handles it. Almost all of the connecting servers are in a DNS RBL so it should be quite easy to just block them. But it is not that easy.

First Idea:
courier is waiting a log time before it closes a connection after sending the 5xx verdict. So I looked at a way to reduce the time, by setting following values in seconds:

root@mail:~# cat /etc/courier/esmtptimeout 30 root@mail:~# cat /etc/courier/esmtptimeoutconnect 30 root@mail:~# cat /etc/courier/esmtptimeoutdata 180 root@mail:~# cat /etc/courier/esmtptimeouthelo 30

Which are quit on the lower end and they helped a little bit, specially to get down to normal business after the top of the spam wave has past. But the wave still maxed my system out.

Second Idea:

I thought at first why does courier wait for the spammer to send a mail before sending a 5xx as the IP is on a DNS RBL? A special process could just drop the connections after doing asynchron DNS RBL check and sending a 5xx to the other server.

Sam Varshavchik the lead programmer of courier told me following:

Except that dropping a connection at this point has proven not to work, as soon as you run into a real mail server, but a broken one that interprets an immediately disconnected connection as an invitation to reconnect immediately.

So ok not good and he said following about my idea to drop the connection ….

And watch your bandwidth get eaten up by a broken server that’s trying to dump on you a load of spam, using multiple connections which immediatly try to reconnect as soon as you drop them.

The most reliable way to reject unwanted mail is by RCPT TO. This is why even when it’s a blacklisted sender, it doesn’t get rejected until it actually sends an RCPT TO. Which means that you have to fully implement SMTP up to that point.

This means that you’ll wind up with a model of using a monolithic, huge process for all SMTP connections, or a single lightweight process per connection.

So this is the starting point of my search for a solution to fix my problem with the exception of replacing courier as MTA at this point (if there is nothing really better out there) and specially no hardware upgrades. I hope some readers have some ideas (please write comments!). I had already one which invokes iptables, but it is a more complex setup which I’ll write in the next article of this series.

In IT Security, Linux | 4 Comments

Firefox Addons I use and recommend

July 25, 2009

I thought I share the Firefox plugins I use and which make me use Firefox in the first place. Without these plugins Firefox would be just a browser of many and the webkit browsers render faster on my Kubuntu . So these Plugins make the difference for me.

NoScript: Without I feel “unsafe” in the internet. It allows JavaScript, Java and other executable content to run only from trusted domains of your choice. You can activate JS only for a session also, so you’re save again next time.
Cookie Monster: This plugin allows me to manage my cookies. I can set from which domains I accept which kind. e.g. I accept cookies only for the session from a domain if it is needed.
Xmarks: I use this plugin to sync my bookmarks between systems and also to have a backup at all times of them. You can also use it do sync/save your stored passworts securely. You can also use your own server.
DownloadHelper: You never know when you would like to download a flash movie or something like this onto your PC. This plugin will enable you to do so.
Yip: If you’re using something like meebo.com for instant messaging you surely would like to get notifications of a new message also outside the tab in your browser, as it mostlikely happens that you’re working with an other program or in an other tab. If so, take a look at Yip, as its supports supports Fluid and Prism which cover the large majority (100%?) of currently implemented notifications.

In General, IT Security, Linux | 4 Comments

All SSL Sites are fake-able with new real world MD5 collision attack [Update]

December 30, 2008

You really should look at this video of a presentation (in English) which was just given at the 25C3 in Berlin. Alexander Sotirov, Marc Stevens and Jacob Appelbaum have generated an intermediate certificate which is “signed” by RapidSSL which is shipped with all browsers. As there is no limit which certificates can be signed by which CA, it is possible to fake any SSL site!!

The good news is that they don’t indent to release the private key.

Basically they took the 2007 shown theoretical MD5 collision attack and improved it and the major part: They took it onto a real world CA. They used the RapidSSL CA as they still use MD5 and have a nice automatic and predictable generation process. It takes always 6 seconds to generate one and they increment the serial number of the certificates by one every time. As for the collision attack it is important to previously know the timestamp and the serial number. Both was not that hard at RapidSSL, specially if you did some requests at Sunday night. Here is the link to a document from the guys describing it more in detail.

Ok, this time it maybe the good guys but who can prove to me that nobody else did this, as it cost them under 700 Euros. And removing all MD5 signing CAs is also not a solution at this point of time as up to 30% of the websites are signed by such CA’s. And for server admins it is also almost impossible to find CAs which report which hash functions they use. And there is still the revoke list problem, I’ve written previously (and also here).

In IT Security | 1 Comment

Home partition encryption with LUKS under Linux

December 25, 2008

I’m often asked how I crypt my notebooks. I normally crypt only my home partition and sometimes (more on servers in remote locations, than on notebooks) the swap partition. I use for this Linux Unified Key Setup (Luks), as it allows up to 8 passwords for a partition and you can change them without reformatting the partition. It also stores the used encryption method so you can use it also for encrypting external hard disks and you don’t need to keep track which encryption algorithms you used for it.

First you install your notebook with a swap and a root partition, but leave space for a /home partition. After the installation is finished you create the partition e.g. with cfdisk or fdisk. You need to restart your system after creating a new partition. In my example I call it /dev/sda3. Now you can tell cryptsetp (which you need to install on Ubuntu with apt-get install cryptsetup, reboot after installing it if the setup does not work) to create a container with following command

cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 128 luksFormat /dev/sda3

After you did this, you need to open the container with

cryptsetup luksOpen /dev/sda3 home

Now you can format the container:

mkfs.ext3 -m 0 /dev/mapper/home

ps: -m 0 means that no blocks are reserved for root, as it is our home partition.

Now you need to go to the console of your system (ALT-CTRL-F1) and login there and stop the X server (log off before that ). On Ubuntu you do this by calling /etc/init.d/gdm stop on Kubuntu /etc/init.d/kdm stop.

Now you can mount the new partition on a temporary location and copy your home directory over.

mount /dev/mapper/home /mnt/ cp -a /home/* /mnt/.

Now we need to unmount it and close the crypto container.

umount /mnt/ cryptsetup luksClose home

Now we need to configure the system that it is launched at the boot time. Add following line to /etc/crypttab:

home /dev/sda3 none luks

and in your /etc/fstab you add following:

/dev/mapper/home /home ext3 noatime,nodiratime 0 0

Now everything is done. Reboot your system and you will be prompted for the password of your home partition. If you don’t enter it your system will use the “old” home directory.

In HowTo, IT Security, Linux | 4 Comments

Clicky Web Analytics the alternative to Google Analytics

December 14, 2008

I’m using Google Analytics for some time now, it basically works, but it has some short comings like that the reports do only get updated every 24h, or that it is not able to track bound links without extra work on my side. But the most import part is that I don’t want that google knows everything. So I started to look for a valid alternative. I tried some local installable open source tools but decided to go with an other SaaS. If you’re using NoScript for your Firefox you might know it already I started using Click Web Analytics. Take a look at this screenshot, it looks like most web 2.0 sites, simple, clean design with a white background.

Whats nice is that you can do a real time campaign and goal tracking and that you can track every visitor who comes to your web site and if they accept cookies all their history. This will show you which power cookies gives website providers. You should really think to disable them or remove them on every start of your browser. But as long the most users have activated it I will also take a look at it and have a nice show case for people I talk over this.

In General, IT Security, Other | 1 Comment

No SWAP Partition, Journaling Filesystems, … on a SSD?

December 7, 2008

I’m going to get an Asus Eee PC 901go, which has a Solid State Disk (SSD) instead of a normal hard disk (HD). As you know me I’ll remove the installed Linux and install my own Kubuntu. I soon started to look at the best way to install my Kubuntu and I found following recommendations copy and pasted on various sites:

Never choose to use a journaling file system on the SSD partitions
Never use a swap partition on the SSD
Edit your new installation fstab to mount the SSD partitions “noatime”
Never log messages or error log to the SSD

Are they really true or just copy and pasted without knowledge. But first why should that be a problem at all? SSDs have limited write (erase) cycles. Depending on the type of flash-memory cells they will fail after only 10,000 (MLC) or up to 100,000 write cycles for SLC, while high endurance cells may have an endurance of 1–5 million write cycles. Special file systems (e.g. jffs, jffs2, logfs for Linux) or firmware designs can mitigate this problem by spreading writes over the entire device (so-called wear leveling), rather than rewriting files in place. So theoretically there is a problem but what means this in practice?

The experts at storagesearch.com have written an article SSD Myths and Legends – “write endurance” which takes a closer look at this topic. They provide following simple calculation:

One SSD, 2 million cycles, 80MB/sec write speed (that are the fastest SSDs on the market), 64GB (entry level for enterprise SSDs – if you get more the life time increases)
They assume perfect wear leveling which means they need to fill the disk 2 million times to get to the write endurance limit.
2 million (write endurance) x 64G (capacity) divided by 80M bytes / sec gives the endurance limited life in seconds.
That’s a meaningless number – which needs to be divided by seconds in an hour, hours in a day etc etc to give…

The end result is 51 years!

Ok thats for servers, but what is with my Asus 901go?

Lets take the benchmark values from eeepc.it which makes it to a max of 50 MByte/sec. But this is a sequential write, which is not the write profile of our atime, swap, journaling… stuff. That are typically 4k Blocks which leads to 2 MByte/sec. (Side node: The EeePC 901go mount the same disk of SSD ‘EeePC S101, to be precise model ASUS SATA JM-chip Samsung S41.)
We stay also with the 2 million cycles and assume a 16GB SSD
With 50 MByte/sec we get 20 years!
With 2 MByte/sec we get 519 years!
And even if we reduce the write cycles to 100.000 and write with 2 MByte/sec all the time we’re at 26 years!!

And all this is with writing all the time, even ext3 does write the journal only every 30 secs if no data needs to be written. So the recommendation to safeguard SSDs, as the can not write that often is bullshit!!

So lets take a closer look at the 4 points at the beginning of this blog post.

Never choose to use a journaling file system on the SSD partitions: Bullshit, you’re just risking data security. Stay with ext3.
Never use a swap partition on the SSD: If you’ve enough space on your SSD use a SWAP partition it will not be written onto it until there is to less RAM, in which case you can run a program/perform a task which otherwise you could not. And take a look at this article.
Edit your new installation fstab to mount the SSD partitions “noatime”: That is a good idea if all the programs work with this setting as this will speedup your read performace, specially with many small files. Take also a look at nodiratime.
Never log messages or error log to the SSD. Come on, how many log entries do you get on a netbook? That is not an email server with > 1000 log lines per second.

Please write a comment if you disagree or even agree with my blog post. Thx!

In General, IT Security, Linux | 26 Comments

secure file uploading with scponly

November 23, 2008

If you’re administrating Linux servers you may need someone or some script to copy files onto your server. You could now install a special service like a ftp server or you could use a normal ssh user for this. The problem with the first is that you need an extra service which adds complexity and also provides an additional attack vector. The problem with the normal ssh user is that you provide the script or user functionally on your server that he/it does not need for his/its work (like exciting programs) – this is never a good idea.

What I recommend for this is a program called scponly. It does basically what the name says, if a ssh user has it set as its shell the user is only able to use scp functionality. Ubuntu and Debian provide a package for it but you should read an article like this one to know to setup it up securely. For example it is a really bad idea to allow the user to write into his home directory as a writable home directory will make it possible for the user to subvert scponly by modifying ssh configuration files.

In HowTo, IT Security, Linux | 1 Comment

Mini Howto for JMeter, an open source web load testing tool

October 4, 2008

In this post I describe in short how to make your first steps in JMeter. I found JMeter when I wanted to test how stable a new written web application was and searched for a tool that allowed me to record my browsing and rerun it multiple (and parallel) times. JMeter is quite pretty easy to get up and running and it’s quite fun to test and break things on your own server.

As JMeter is a Java application the installation comes basically down to extracting the zip/tar.gz file and start bin/jmeter.sh or bin/jmeter.bat, if you’ve setup your Java correctly.

So now to the actual howto:

Start Jmeter by changing to jakarta-jmeter-2.3.2/bin and executing ./jmeter.sh You’ll see following screen:

First we add a “Thread group” to the “Test Plan” via right click onto “Test Plan” as shown in following screenshot:

After this we add an “HTTP Proxy Server” to the Workbench (as “Non Test Element”) to capture the traffic between your browser and the web site to test. Following screenshot shows how to add the proxy server.

Open the “HTTP Proxy Server” page and change the port if required and set the “Target Controller” to “Test Plan > Thread Group” on the same page.

Now configure your browser to use the Proxy Server (127:0.0.1:8080 in the default settings) and go to bottom of the “HTTP Proxy Server” page and click the “Start” button. Make also sure that you deleted the cache of your browser or even better deactivated it for the test. Otherwise you will not see the full traffic a new visitor would generate.

Now, JMeter will record all the HTTP requests your browser makes, so make sure you have closed all the other tabs you have open, otherwise you will get a mixture of Ad’s and AJAX requests recorded as well. After you did click through the workflow JMeter show test later you click the “Stop” Button and take a first look what JMeter has recorded for you.

Delete any request that you don’t like by right clicking onto the node and selecting “Remove”. Now we’ve recorded everything we need and we wand now to simulate a typical user. For this we want a time delay between the various http requests and the delay should not be fixed. If you want to query the server as fast as possible to you don’t need this step. We add therefore the Gaussian Random Timer as shown in this screenshot:

The last thing we need for a first test run is a Listener which tells us what worked and what not. We use for this “View Results Tree”. This Listener is not good for later use when you want to hammer with multiple threads onto the server.

Now we’re ready for our first run, the default settings are fine (in the Menu: Run > Start).

You should get something like this:

This Listener is good for testing your test setup, as you can look at request and response data. Now it would be the time to add an “Cookie Manager” or “User Parameters”. The First you need if your site requires cookies and the second is handsome when you want different threads to use different user/password combinations to login, as one use can only login once at a time.

After you verified the setup you should disable the “View Results Tree” Listener and choose something like “Aggregate Report”. Change now the settings of “Thread Group” do your likings and hammer your web server.

If you are running a big load test, remember each Listener keeps a copy of the results in memory so you might be better running a Listener > Simple Data Writer instead which writes the results out to a file. You can then read the file in later into any of the reports.

Have fun hammering your web server

ps: Always start with a smaller load, you better off finding and fixing a bug which occurs often under low load, than an obscure bug which occurs only under extreme load.

In HowTo, IT Security | 7 Comments