Category

security

  • 08.04.10
    The Sibyl security | rafacas | (0)
    The Sibyl is a project invented and implemented by Pedro (pfortuny) and me (rafacas), although I have to admit that it was Pedro's idea. It started with the goal of secure storage of the shadow file and, in general, of any database of secret authentication tokens (think of the passwords, actually hashes of passwords, of the users of a Web-based service, for example). We consider that it addresses the main concern with those databases: dictionary attacks and rainbow tables, which have become available at negligible cost: there is a cloud-based service for doing dictionary attacks on a WPA key. Our approach for storing shadow files ...
  • 09.25.09
    Creating RSA keys security | rafacas | (0)
    RSA is an algorithm for public-key cryptography. Its advantage is that it does not require the initial exchange of secret keys, unlike symmetric key algorithms. Each user has a pair of keys, one for encryption (the public key) and another one for decryption (the private key). The private key is kept secret while the public key may be widely distributed. OpenSSL is usually the tool used for creating an RSA key pair (the public and private ones).
    $ openssl genrsa -out key.pem 1024
    Generating RSA private key, 1024 bit long modulus
    ............................................++++++
    .....++++++
    e is 65537 (0x10001)
    This command creates a 1024-bit key pair and ...
  • 09.06.09
    How to verify MD5 or SHA-1 digests security | rafacas | (2)
    MD5 and SHA-1 are cryptographic hash functions. They are deterministic procedures that take an arbitrary block of data as input and return a fixed-size bit string, the hash value (also called message digest or fingerprint). Verifying MD5 or SHA-1 digests is highly recommended when you download new software for your system. In most Linux distros the md5sum and sha1sum commands are available:
    $ md5sum ubuntu-9.04-desktop-i386.iso
    66fa77789c7b8ff63130e5d5a272d67b  ubuntu-9.04-desktop-i386.iso
    $ sha1sum ubuntu-9.04-desktop-i386.iso
    19aabf327fdbde9e66db54dc04e3a83b92f70280  ubuntu-9.04-desktop-i386.iso
    Solaris (even version 10) doesn’t ship with either md5sum or sha1sum installed. However, you can use digest:
    % /usr/bin/digest -a md5 GNUgcc.3.4.4.SPARC.64bit.Solaris.10.pkg.tgz
    498c344fe2839631bb7cf4b869b7b830
    % /usr/bin/digest -a sha1 GNUgcc.3.4.4.SPARC.64bit.Solaris.10.pkg.tgz
    a8da8247900dd06a7000fd0e6d41f834d6ab3e40
    And in Mac OS X, ...
  • 07.10.09
    Adding password protection on a file with vim cmd, security | rafacas | (2)
    $ vim -x filename
    The -x option uses encryption when writing the file. It will ask for a key:
    Enter encryption key: ******
    Enter same key again: ******
    From then on your filename will be encrypted and accessed using the password. The -x option will no longer be necessary when editing the file.
  • 05.26.09
    Auditing ports (FreeBSD) security | n0str0m0 | (0)
    One of the most important aspects of *BSD systems is security. Knowing which installed packages have exploitable vulnerabilities is one of the admin's tasks. Here, the portaudit utility comes in handy. It is not part of the base system, so it must be installed first:
    % cd /usr/ports/ports-mgmt/portaudit; make install clean
    To run a simple check:
    % portaudit
    Affected package: XXX
    Type of problem: XXX -- embedded GD library Use-After-Free vulnerability.
    Reference: <http://www.FreeBSD.org/ports/portaudit/6XXxf31-4254-11de-bXX-0030843d3802.html>
    Affected package: YYY-0.2.8.4_2
    Type of problem: YYY -- integer overflow vulnerability.
    Reference: <http://www.FreeBSD.org/ports/portaudit/48aab1d0-YYY-YYYYYYY-0030843d3802.html>
    Affected package: ZZZ-1.10.2_2
    Type of problem: ZZZ -- integer overflow.
    Reference: <http://www.FreeBSD.org/ports/portaudit/4b17ZZZZZZbecb-001cc0377035.html>
    I have omitted the details of the vulnerable packages of my own machine. I'm sure you ...
  • 04.13.09
    OpenBSD’s pf null pointer dereference network, news, security | pfortuny | (0)
    We have talked quite a few times about pf, OpenBSD's Packet Filter (firewall). Well, a bug has been discovered which may trigger a kernel panic. There exists a solution, be sure to patch your boxes asap. Notice that the 'editing' solution works on all platforms and versions (at least from 4.2 upwards and probably on older ones).
  • 01.09.09
    Authpf: authenticated routing and firewalling on OpenBSD network, security, shell | pfortuny | (0)
    In our detailed description of OpenBSD's packet filter (here and there) we mentioned authpf, and spoke of it as a useful tool, but what is its use? I tend to understand it as an instrument for authenticated routing, that is, a way to provide routing (and firewalling, etc.) services only to authenticated users. Think of a corporate setting with different users having access to different services according to their identities (and not according to their computers' IPs, which may well be dynamic or different). For example, user boss may access the firm's MAIN smb (ports 139, 435) server and any http ...
  • 12.30.08
    rsync with ssh-rsa+authorized_keys security, shell | pfortuny | (0)
    Much like explained in a previous post, one can use a passwordless RSA key to set up a cron job doing an rsync of one's computer on a remote server, via ssh. The relevant part of the authorized_keys file is (everything in the same line):
    command="rsync --server -vlogDtpr . /home/pfortuny/backup/",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa .....
    Take into account that the -vlogDtpr depends on the specific options of the rsync command you issue. In my case, the script is simply (right now)
    $ cat ./bin/backup.sh
    #!/bin/sh
    cd /home/pfortuny
    /usr/bin/rsync -av -e "ssh -i /home/pfortuny/.ssh/backup_key" --filter ": .rsync.dirs" \
        ~/ pfortuny@remote.server.mine:"~/backup/"
    Comments: The option -av is expanded to -vlogDtpr on the server, ...
  • 12.18.08
    Cron job every 5 minutes automated, cmd, security | pfortuny | (0)
    $ cat < /var/cron/tabs/pfortuny
    */5 * * * * /usr/bin/my_task
    The specified task is run every 5 minutes.
  • 11.20.08
    pf, OpenBSD’s [p]acket [f]ilter (2) network, security | pfortuny | (1)
    We introduced OpenBSD's pf in a previous post. In the present one, we are going to start commenting on a full-featured firewall configuration which uses quite a few of pf's functionalities: macros, lists, anchors... As we said then, OpenBSD's FAQ contains the complete and detailed documentation. Here is the complete set [but for those related to authpf] of firewall rules, usually stored at /etc/pf.conf (bear with me for the long quote, but I'd rather comment a complete file than do it in parts).
    # 0) Start: macros and tables
    ext_if="rl0"
    int_if="vr0"
    ext_services = "{smtp www 222}"
    in_services = "{ssh smtp domain www}"
    always_open ...