Lynis – an auditing tool for Linux/Unix
July 19, 2008
The first step to higher security of your system is to assess its current state. Lynis is a small command line tool, licensed under GPL 3, which can help you achieve this. From the author's homepage:
Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes.
This software aims at assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read-only storage is no problem (USB stick, CD/DVD).
He also clearly states what Lynis is not:
Not a hardening tool: Lynis does not fix things automatically, it reports only (and makes suggestions).
More on the technical side: the program is a set of shell scripts which scan the operating system and the installed software (e.g. for old software) but also things like SSL certificates (e.g. the expiry date). The software checks for accounts without a password or with wrong file permissions, and it also takes a look at your local firewall. It runs under many Linux and Unix versions, including Debian and Ubuntu.
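As an added illustration (not Lynis code), here are two of the checks mentioned above, written as shell functions that take their input paths as parameters and are run here against constructed sample data:

```shell
#!/bin/sh
# Added example, not part of Lynis: two of the checks the post mentions,
# written as stand-alone functions. Paths are parameters, so they can be
# pointed at a copy of /etc/shadow or at a directory tree; the sample
# data built by make_sample is constructed for this example.

# empty_password_accounts SHADOWFILE -> prints accounts whose password field
# is empty (login without a password); locked accounts (! or *) are fine
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# world_writable_files DIR -> prints regular files and directories under DIR
# that any user may write to and that lack the sticky bit
world_writable_files() {
    find "$1" -perm -0002 ! -perm -1000 \( -type f -o -type d \) 2>/dev/null | sort
}

# make_sample DIR -> constructed shadow file plus a small directory tree
make_sample() {
    dir=$1
    mkdir -p "$dir/tree/tmp" "$dir/tree/etc"
    printf 'root:$6$saltsalt$hashhash:17800:0:99999:7:::\n' > "$dir/shadow"
    printf 'guest::17800:0:99999:7:::\n' >> "$dir/shadow"
    printf 'daemon:*:17800:0:99999:7:::\n' >> "$dir/shadow"
    printf 'backup:!:17800:0:99999:7:::\n' >> "$dir/shadow"
    : > "$dir/tree/etc/app.conf";    chmod 0666 "$dir/tree/etc/app.conf"
    : > "$dir/tree/etc/secure.conf"; chmod 0600 "$dir/tree/etc/secure.conf"
    chmod 1777 "$dir/tree/tmp"   # sticky world-writable dir, as /tmp: expected
}

# Usage: d=$(mktemp -d); make_sample "$d"
#        empty_password_accounts "$d/shadow"   -> guest
#        world_writable_files "$d/tree"        -> $d/tree/etc/app.conf
```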
Kpartx: a tool for mounting partitions within an image file
July 12, 2008
Kpartx can be used to set up device mappings for the partitions of any partitioned block device. It is part of the Linux multipath-tools. With kpartx -l imagefile you get an overview of the partitions in the image file, and with kpartx -a imagefile the partitions become accessible via /dev/mapper/loop0pX (X is the number of the partition). You can mount one now with mount /dev/mapper/loop0pX /mnt/ -o loop,ro. After unmounting you can disconnect the mapper devices with kpartx -d imagefile.
There are packages for Debian and Ubuntu.
- Ubuntu: http://packages.ubuntu.com/de/hardy/kpartx
- Debian: http://packages.debian.org/search?keywords=kpartx
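What kpartx -l works out for you is the byte offset of each partition inside the image. The following added example (not part of kpartx or the original post) reads that offset straight from the MBR partition table, which is useful when kpartx is not installed and you want mount's offset= option instead. It assumes a classic MBR (not GPT), 512-byte sectors and a little-endian host; the test image is constructed.

```shell
#!/bin/sh
# Added example: compute the byte offset of a primary MBR partition inside an
# image file, i.e. what kpartx does when it creates /dev/mapper/loop0pX.
# Assumes a classic MBR (not GPT), 512-byte sectors and a little-endian
# host (od prints 4-byte words in host byte order).

# mbr_part_offset IMAGE N -> prints the byte offset of primary partition N (1-4)
mbr_part_offset() {
    img=$1
    n=$2
    [ "$n" -ge 1 ] && [ "$n" -le 4 ] || { echo "partition number must be 1-4" >&2; return 1; }
    # The partition table starts at byte 446; each entry is 16 bytes and the
    # 32-bit little-endian start LBA sits at bytes 8..11 of the entry.
    entry=$((446 + (n - 1) * 16))
    lba=$(od -An -t u4 -j $((entry + 8)) -N 4 "$img" | tr -d ' ')
    [ -n "$lba" ] && [ "$lba" -gt 0 ] || { echo "partition $n is empty" >&2; return 1; }
    echo $((lba * 512))
}

# make_test_image FILE -> constructed one-sector image whose first partition
# starts at LBA 2048 (the usual 1 MiB alignment); the other entries stay empty
make_test_image() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # LBA 2048 = 0x00000800 little-endian -> bytes 00 08 00 00 (octal escapes)
    printf '\000\010\000\000' | dd of="$1" bs=1 seek=454 conv=notrunc 2>/dev/null
    # boot signature 0x55AA at bytes 510-511
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Usage: make_test_image /tmp/test.img && mbr_part_offset /tmp/test.img 1
# prints 1048576, so the partition can be mounted read-only without kpartx:
#   mount -o loop,ro,offset=$(mbr_part_offset /tmp/test.img 1) /tmp/test.img /mnt
```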
Fix for Kopete 0.12.7 to work again with ICQ
July 2, 2008
Yesterday my Kopete stopped working with the ICQ network. ICQ told me that my client version is too old. Here is the fix to make it work again. Look in the ~/.kde/share/config/kopeterc file and change the values of the variables to the following (which are taken from trunk):
[ICQVersion]
Build=0x17AB
ClientId=0x010A
ClientString=ICQ Client
Country=us
Lang=en
Major=0x0006
Minor=0x0000
Other=0x00007535
Point=0x0000
After a restart of Kopete everything works again for me.
Zattoo as backup for satellite TV
June 25, 2008
Today is the first semifinal of the EURO 2008 (soccer, Germany vs Turkey), which is a big deal here in Europe, and it was a really sunny day. But just 1h before the game started it began raining hard in my home town, together with lightning. This led to bad reception of my satellite TV. As the internet via ADSL was working without any problems I started searching for a backup solution and I found Zattoo. And I couldn't believe it. They support Linux, especially (K)Ubuntu! Wow! I downloaded the .deb file for the 3.20 version but it didn't work; I got:
robert@darksun:~$ zattoo_player
(process:9626): GLib-GObject-CRITICAL **: /build/buildd/glib2.0-2.14.1/gobject/gtype.c:2242: initialization assertion failed, use IA__g_type_init() prior to this function
(process:9626): GLib-GObject-CRITICAL **: g_object_new: assertion `G_TYPE_IS_OBJECT (object_type)' failed
(process:9626): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
I searched a little bit on the internet and found out that version 3.11 should work, which I downloaded from here. And yes, it worked without any problems. One important side note: your IP address needs to be in one of the countries for which the service is available. Ah, and as I use Kubuntu and not Ubuntu I installed the following packages before installing Zattoo:
apt-get install libgtkglext1 libgnome-keyring0 libgnomeui-0 libcurl3 libxul0d libgdk-pixbuf-dev
Do you know what a Host Protected Area (HPA) is?
June 17, 2008
It is sometimes also called Hidden Protected Area and it is an area of your hard disk which is normally not visible to the operating system and therefore to applications. It was first introduced in the ATA-4 standard and is defined in ATA-5 as an optional feature which is supported by most modern hard disks. The normal use case for this is system recovery and the backup of important configuration data.
So why is this security relevant? For law enforcement agencies and forensic experts it is important to detect HPAs and to recover data from them. For one, someone could hide sensitive data in it, or there could be evidence or traces there if the owner does not know about the HPA.
But it is also important for any business and home user: e.g. if you want to fully overwrite your hard disk you need to make sure you also overwrite the HPA. If you're a user of a current Linux kernel you're lucky: the kernel temporarily deactivates the HPA during booting, so you can overwrite everything without problems.
Here are some links which will help you detect / remove the HPA from your hard disk:
- Computer Forensics and the ATA Interface
- Detecting Host Protected Areas (HPA) in Linux
- Removing Host Protected Areas (HPA) in Linux (disk_sreset Tool)
- HDAT2 (config tool for DOS, with many features)
The fallout of the Debian OpenSSL security problem
May 24, 2008
Today I don't want to write about how the Debian security problem occurred, or whether it was the fault of the Debian maintainer or the OpenSSL guys. We're all human, so errors can occur, but this shows a much bigger problem we have. Our SSL infrastructure!!
I'm quite sure you read about the weak SSL key whitehouse.gov had, and that the White House does not handle their SSL stuff themselves; instead they use Akamai for this. If you don't know Akamai, it is a major content distribution network. They have tens of thousands of servers distributed all over the world and the content is served by the closest server, to provide higher download speeds for the customers and to make a DDoS attack much harder, if not impossible. Their customer list includes Microsoft, the New York Times and so on.
So basically the SSL keys of the Akamai servers were weak, and it was possible to get their public keys (they are sent as part of the SSL handshake) and calculate the private ones from them (there are only 32k possible keys). I know that at least one person did it and sent the keys to the CCC, which verified the authenticity of the keys. Sure, Akamai replaced their keys immediately. BUT. There is no way to revoke the SSL keys!!
What most people don't seem to understand so far is that these keys are signed by a CA which is in every browser. This means that a man in the middle attack can easily be performed with this. As ATI is also a customer of Akamai, someone could send you a Trojan horse instead of the newest ATI download you wanted. SSL has in theory two defenses against this:
- Keys expire; the Akamai key expires in October 2008.
- Originally SSL had the idea that CAs publish a list of compromised keys (a revocation list) and that as part of the SSL handshake the browser should check whether a key is on the list. The problem with it is that this does not scale and is a privacy problem too. Browsers don't implement this or don't have it activated by default.
So we're out in the open for this key until this fall, but that won't be the end, as e.g. GoDaddy at least allows signing keys for a longer period of time, e.g. 3 years. And the same problem occurs if a private key is leaked by other means. The whole foundation of our web security infrastructure is built on sand. We need something new!!
PS: I want to stress that Akamai did nothing wrong here. They did everything right and still have a problem!
iptables dynamic port script for NFS
May 10, 2008
Some days ago I talked with a friend (here a link to his homepage) about firewalls and file servers and he told me he has an iptables script which adapts to the NFS ports automatically. I asked him for this script and here it is. Thx Hannes for the script.
# rpcinfo -p prints a list of all registered RPC programs
# sed -e '1D' removes the headline
# tr -s ' ' '\t' replaces repeated spaces with a single tab
# cut -f 4,5 keeps only the protocol and port columns
# sort | uniq removes the duplicate lines
# now we have lines with the needed protocol and port, but `for` splits
# these lines into single words, so we have to store the protocol
for l in `rpcinfo -p | sed -e '1D' | tr -s ' ' '\t' | cut -f 4,5 | sort | uniq`
do
case $l in
tcp)
SYN=--syn
PROTOCOL=$l
;;
udp)
SYN=
PROTOCOL=$l
;;
*)
iptables -A INPUT -p $PROTOCOL --dport $l $SYN -j ACCEPT
;;
esac
done
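The script above accepts every registered RPC port from any source. As an added example (not Hannes' script), the following function builds the same kind of rules from rpcinfo -p output, but only for the NFS-related services and only for one trusted client network; the sample rpcinfo output and the 192.0.2.0/24 network are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate iptables rules from "rpcinfo -p" output, but only
# for the NFS-related RPC services and only from one trusted client network,
# instead of opening every registered RPC port to the world.
# The service names, the sample output and 192.0.2.0/24 are assumptions.

# nfs_rules SRCNET < rpcinfo-output -> prints one iptables command per unique
# protocol/port pair used by portmapper, nfs, mountd, nlockmgr and status
nfs_rules() {
    srcnet=$1
    # skip the headline; the fields are: program vers proto port service
    sed -e '1d' | awk -v net="$srcnet" '
        $5 == "portmapper" || $5 == "nfs" || $5 == "mountd" ||
        $5 == "nlockmgr" || $5 == "status" {
            key = $3 ":" $4
            if (seen[key]++) next      # the same port is listed once per version
            syn = ($3 == "tcp") ? " --syn" : ""
            printf "iptables -A INPUT -s %s -p %s --dport %s%s -j ACCEPT\n",
                   net, $3, $4, syn
        }'
}

# Constructed sample of what rpcinfo -p prints on an NFS server
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32768  mountd
    100005    3   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100021    4   tcp  32771  nlockmgr
    100024    1   udp  32772  status
    100024    1   tcp  32773  status
    100011    1   udp    875  rquotad'

# Usage: echo "$SAMPLE_RPCINFO" | nfs_rules 192.0.2.0/24
# (on a real server: rpcinfo -p | nfs_rules 192.0.2.0/24)
```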
Kubuntu 8.04 hardy addition packages install script
This script is for my friends, most of whom know the previous versions already. It installs additional packages for Kubuntu 8.04 hardy. I use it for the initial setup of a desktop system. First install Kubuntu from CD and then use this script to get a system which has all codecs and commonly used programs (be it free or non-free software) installed. So this blog entry is for my own reference and for my friends. Basically, after running this script you'll have a system which is ready for use by a standard user.
Insecurity of Virtual Appliances and some thoughts on 7-zip compression
May 3, 2008
This week I looked for an Ubuntu server 8.04 LTS virtual appliance for VMware; I found one here. But before I could start testing it I needed to extract the .7z file on my VMware server. The first thing I thought was: why the heck 7-zip? Why not use bzip2, which is standard on Linux (besides the faster, but less compressing gzip)?
But I was proven wrong by the first entries of my Google search: 7-zip has the better compression most of the time and is not much slower than bzip2. And there is even an open source command line tool on Linux, called p7zip. The only thing which prevents me from using it is that it is not supported by tar so far; as soon as that happens I will start using it.
But now to something security related. Almost every virtual appliance I download has openssh installed as the sshd daemon. Am I the only guy who thinks this is a bad idea? The host keys are the same for all copies of a virtual appliance. So anyone who knows which virtual appliance I used to set up my server can use this knowledge to perform a man in the middle attack and get my login name and password. This bad habit seems to occur in almost all virtual appliances I got my hands on. My solution so far is the following, on Ubuntu and Debian systems:
apt-get --purge remove openssh-server && apt-get install ssh
This way I have a clean config and new keys (ssh is a meta package for openssh-client and openssh-server). So there is an easy workaround, but how many administrators will think about that? I think virtual appliances are made to ease the life of administrators, or to allow even non-experts to provide a service based on the appliance. With this goal comes also the responsibility to make the system safe by default.
LED blinking on your switch
April 9, 2008
Did you ever have the problem that you didn't know which switch port a given ethernet port / cable is connected to? Wouldn't it be cool if the LED of the switch port would blink, so you know which one is the correct one?
You're lucky: it is possible with Linux. There are even two ways. With some chipsets ethtool -p eth0 works, but not with all. The following script helps in any case:
#!/bin/bash
# usage example: blink.sh eth0
[ -n "$1" ] || { echo "usage: $0 <interface>" >&2; exit 1; }
# bring the interface back up when the script is stopped (Ctrl-C, kill)
trap 'ifconfig "$1" up; exit 0' INT TERM
while true ; do
    ifconfig "$1" down
    sleep 2
    ifconfig "$1" up
    sleep 2
done
Put that script into /usr/local/sbin/blink.sh and set the execution permissions. Call it with the device as parameter. Don't set the blinking interval below 2 sec, as the link negotiation can take up to that amount of time.