I have recently discovered a new web resource for Tech news and information, thanks to /., Tech-Blog.org. It appears to contain information related to bigger players in the tech market.
Monday, January 24, 2005
Thursday, January 20, 2005
What exactly does a search engine do for me?
How many of your friends really understand what a search engine does? I have found that most of the people who I associate with do not understand that a search engine does not search the Internet...what does it search then?...
Even though the popular search engine Google has indexed over 8,000,000,000 pages that you are allowed to search when you use it, you are not searching the entire Internet... You are searching the internet as Google sees it. What does this really mean? Google does not want to keep track of all of the trash and garbage that is on the Internet, they want to keep track of the data that they think people want to know about. Google has developed a very complex algorithm that allows them to make an automated decision about each page that they potentially index based upon some pre-determined and proprietary parameters. One of the greatest challenges to advertisers and marketers is figuring out exactly what a search engine is looking for so that they show up in the search! If you merely create a web page and then search for it on a search engine an hour later, you will not find it there! Maybe an example will help...
Example:
A search engine is similar to a person who is in an occupation where they need to remember a lot of stuff... When you need to know something, you go to this person because they usually have the answer, or something close to what you want. Well, this person has to obtain this information somehow, and has to prioritize what information they want to learn or retain. Google is a very intelligent person capable of retaining a lot of information (it does run on over 100,000 Linux machines) which gives you a very good chance of finding the data that you want. The only problem is, that like most people, Google does not know everything...and probably never will...
If you really had the capacity to search the entire Internet in the time that your favorite search engine returns the results of your search, then the world you live in would have massive amounts of processing power and more bandwidth than you would know what to do with...
Keeping this in mind, this is why it is very good for all of us that there is more than one search engine... We would not want one company to define the internet that we have the capacity to search, just like we would not want one company deciding what we can do with our computer...(unless you use Windows, then you have already handed the keys to Microsoft).
Tuesday, January 18, 2005
Script to Automate Configuration of Tripwire
In a previous post, I gave a general overview of the process used to configure Tripwire on a Linux system. The most time-consuming part of the configuration is editing the twpol.txt file. The following Perl script aids in configuring this file by going through it line by line and checking whether each listed file exists on your system. If the file is present, the line passes through unchanged; if not, the line is commented out so that you will not get an error when you scan your system with Tripwire.
Script:
The resulting file will be written to the /etc/tripwire directory as new_twpol.txt. Back up the old copy, rename the new file to twpol.txt, and then run the twinstall.sh script.
#!/usr/bin/perl
#
# Author: Joshua M. Miller
# Date: 08/26/2004
#
# Purpose: To automate the configuration of the tripwire policies.
#
use strict ;
use warnings ;
my $file = "/etc/tripwire/twpol.txt" ;
my $new_file = "/etc/tripwire/new_twpol.txt" ;
print "Opening $file\n\n" ;
open my $infile, '<', $file or die "Can't open input file : $!" ;
open my $outfile, '>', $new_file or die "Can't open output file: $!" ;
print "Processing the current tripwire config file...\n" ;
# Read the policy one line at a time; each line lands in $_
while (<$infile>) {
    # If it is a file that requires checking, check it to see if the file is on this system
    # If the line begins with whitespace followed by a /, then we know it needs to be checked
    # If the file is not on this system, comment it out
    if (m{^\s+/\w}) {
        # Take the file's path from the line: element 0 is the empty string
        # before the leading whitespace, element 1 is the path
        my @tst_file = split(/\s+/,$_) ;
        # Check to see if the file exists (-e is true for files, directories and devices)
        unless ( -e $tst_file[1] ) {
            $_ = "#" . $_ ;
        }
        # Debug, print results
        print "Result: $tst_file[1]\n" ;
        # Test - print this section to the outfile
        #print $outfile "$tst_file[1]\n" ;
    }
    # Write the line to the new file (lines that were not checked pass through unchanged)
    print $outfile $_ ;
}
close $infile ;
close $outfile ;
Keep in mind that this script will only remove entries, and if any files are added which are critical to operation of the system, they should be added to the Tripwire policy through the use of the twadmin tool.
Monday, January 17, 2005
Configuring Tripwire - Just Another Host-Based IDS
Although Intrusion Detection Systems (IDSs) are becoming less popular in the media with the emergence of Intrusion Prevention Systems (IPSs), they are still widely used in the IT Security industry and any network or security administrator would benefit from knowing how to configure and use them. In this article, I will explain how to configure Tripwire 2.3.1.2 on Linux.
Tripwire is a valuable tool because it can generate a database of MD5 checksums of all of the important system files on your system (as specified by the administrator). Tripwire can then scan your system periodically or on demand to verify the integrity of those files -- therefore Tripwire is an integrity checker.
For this article, I am using a Dell Inspiron 5100 Laptop, with Gentoo Linux installed and updated with all of the latest packages for the system. I am going to perform a fresh re-install of tripwire through the portage system.
tertiary_linux ~ # emerge tripwire -vp
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild N ] app-admin/tripwire-2.3.1.2-r2 -debug +ssl 2,201 kB
Total size of downloads: 2,201 kB
tertiary_linux ~ #
tertiary_linux ~ # emerge tripwire -v
Calculating dependencies ...done!
>>> emerge (1 of 1) app-admin/tripwire-2.3.1.2-r2 to /
>>> Downloading http://distfiles.gentoo.org/distfiles/tripwire-2.3.1-2-pherman-portability-0.9.diff.bz2
--08:25:02-- http://distfiles.gentoo.org/distfiles/tripwire-2.3.1-2-pherman-portability-0.9.diff.bz2
=> `/usr/portage/distfiles/tripwire-2.3.1-2-pherman-portability-0.9.diff.bz2'
Resolving distfiles.gentoo.org... 156.56.247.195, 216.165.129.135, 140.211.166.134
Connecting to distfiles.gentoo.org[156.56.247.195]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 739,663 [text/plain]
...
Now, tripwire has been installed and requires configuration. The configuration files are located in the /etc/tripwire directory, as would be expected. An overview of the configuration files follows:
twpol.txt: a file which holds all of the files that Tripwire will check, as well as their criticality levels
twcfg.txt: miscellaneous configuration settings related to key locations and mail setup
twinstall.sh: installation script which creates site keys
One configuration file takes quite a bit of attention to generate properly: the twpol.txt file. It is necessary to go through this file (which was designed for Red Hat Linux) and comment out the files that you do not have or do not want to protect, and add the files which you do want to protect. The next step is to configure twcfg.txt to your liking. Once you have completed these steps, run the twinstall.sh script. It is critical that you remember the two pass-phrases that you typed in so that you can access or modify the system configuration at a later time.
After the twinstall.sh script has been run, you should move or delete the plain-text configuration files twpol.txt and twcfg.txt, since they would provide information to anyone who may have compromised your system; they will have been replaced by encrypted versions. The twadmin tool included with Tripwire provides a means to modify or re-generate text versions of these files for future reference (pass-phrase required). The configuration of Tripwire is nearly done.
The last step in the configuration is to generate the database which houses the MD5 checksum of each of the critical files listed in the twpol.txt configuration file (now stored in tw.pol). This database will serve as a baseline to check your files against when monitoring for suspicious behavior. This database is generated with the following command:
tripwire --init
You will then be prompted for your local passphrase. Tripwire will then generate the baseline database. Once this database has been generated, you can check your system's integrity with the following command:
tripwire --check
The output from this command will be similar to the following, and will also be in a report stored in /var/lib/tripwire/reports, or wherever you specify in the twcfg.txt file before you run the twinstall.sh script:
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                                    Severity Level  Added  Removed  Modified
  ---------                                    --------------  -----  -------  --------
  Invariant Directories                        66              0      0        0
  Temporary directories                        33              0      0        0
* Tripwire Data Files                          100             1      0        0
  Critical devices                             100             0      0        0
  User binaries                                66              0      0        0
  Tripwire Binaries                            100             0      0        0
  Libraries                                    66              0      0        0
  Operating System Utilities                   100             0      0        0
  File System and Disk Administraton Programs  100             0      0        0
  Kernel Administration Programs               100             0      0        0
  Networking Programs                          100             0      0        0
  System Administration Programs               100             0      0        0
  Hardware and Device Control Programs         100             0      0        0
  System Information Programs                  100             0      0        0
  Application Information Programs             100             0      0        0
    (/sbin/genksyms)
  Shell Related Programs                       100             0      0        0
    (/sbin/getkey)
  Critical Utility Sym-Links                   100             0      0        0
  Critical system boot files                   100             0      0        0
* System boot changes                          100             1      1        29
* OS executables and libraries                 100             0      0        2
  Security Control                             100             0      0        0
  Login Scripts                                100             0      0        0
* Critical configuration files                 100             0      0        1
  Shell Binaries                               100             0      0        0
* Root config files                            100             1      1        1

Total objects scanned: 236798
Total violations found: 38
There will be more information present in the full report, but the summary is displayed above. You can see that Tripwire will check all of your specified files and directories and tell you when they have changed.
When you have installed Tripwire, it will create a cron job that will run daily and email the resulting report to root. This will allow you to review the reports without having to run the filesystem check or print the report from the command line. Another option would be to have the cron job also send the report to the printer.
An important part of the Tripwire IDS is that the baseline database be untouched by any attacker, which requires that it be on a read-only medium. One way to achieve this is to have the database burned to a CD-ROM and have Tripwire run in that configuration daily. Be sure to create a backup and secure this CD-ROM so that it may not be tampered with.
There are alternatives to Tripwire for performing integrity checks to your filesystem. One of those alternatives is Aide, which is being developed and not yet in a 1.0 version release. Some people have used the rpm program with the Red Hat systems as an integrity checker, and there is always the option of creating your own application to perform an MD5 of all of your important files and verifying them periodically.
Tripwire is a very valuable tool which can be used in a variety of scenarios. The experienced System Administrator will be able to leverage the existing power to find out what has been tampered with or altered on a system that is of questionable integrity. In a follow-up post I will provide a Perl script which I have created to ease the configuration of the tripwire configuration file twpol.txt and save a substantial amount of time.
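The post mentions writing your own checksum-based checker as an alternative to Tripwire. The following is an added example of that idea (my code, not Tripwire's and not from the post): a POSIX shell script that stores one SHA-256 digest per file (SHA-256 rather than MD5, since MD5 collisions are practical today) and reports differences in the same Added / Removed / Modified categories as the rule summary above. It assumes GNU coreutils (find -print0, sort -z, xargs -r, sha256sum, join); the file names used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Tripwire's code: a minimal "roll your own" integrity
# checker. Baseline = "path<TAB>sha256" per regular file; a check rescans
# and prints ADDED / REMOVED / MODIFIED lines, one per difference.
# Assumes GNU coreutils (find -print0, sort -z, xargs -0 -r, sha256sum, join).
LC_ALL=C; export LC_ALL      # byte-order collation so sort and join agree
TAB=$(printf '\t')

# baseline_create DIR OUT: write "path<TAB>digest" for every regular file
# under DIR, sorted by path, to OUT. Keep OUT outside the scanned tree and,
# as the post recommends for the Tripwire database, on read-only media.
baseline_create() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) |
        awk '{ d = $1; p = substr($0, length(d) + 3); print p "\t" d }' |
        sort -t "$TAB" -k1,1 > "$out"
}

# baseline_diff DIR BASELINE: rescan DIR and print "KIND<TAB>path" for each
# difference (KIND is ADDED, REMOVED or MODIFIED). No output = tree matches.
baseline_diff() {
    dir=$1; base=$2
    cur=$(mktemp) || return 1
    baseline_create "$dir" "$cur"
    # Full outer join on the path column; -e fills in the digest column on
    # whichever side lacks the path.
    join -t "$TAB" -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$base" "$cur" |
        awk -F '\t' '
            $2 == "MISSING" { print "ADDED\t"    $1; next }
            $3 == "MISSING" { print "REMOVED\t"  $1; next }
            $2 != $3        { print "MODIFIED\t" $1 }'
    rm -f "$cur"
}

# baseline_count KIND DIR BASELINE: number of differences of one kind,
# i.e. one cell of a Tripwire-style Added/Removed/Modified summary.
baseline_count() {
    baseline_diff "$2" "$3" |
        awk -F '\t' -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Script usage:  integrity.sh init DIR BASELINE    (take the baseline)
#                integrity.sh check DIR BASELINE   (compare against it)
case "${1:-}" in
    init)  baseline_create "$2" "$3" ;;
    check) baseline_diff   "$2" "$3" ;;
esac
```

Take the baseline with `init` right after installation, move the baseline file to a medium the running system cannot write, and run `check` from the same daily cron job the post describes for Tripwire; any ADDED, REMOVED or MODIFIED line is a violation to investigate.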
Sunday, January 16, 2005
Comparing Software Security to Physical Security
On Crypto.com, there is a very interesting article titled "Safecracking for the Computer Scientist" which goes into great detail on the construction, strengths, and weaknesses of physical locks and enclosures, and then compares these items to software development. The article is well written and makes an interesting point. The author suggests that since physical security devices are constructed not with an expectation of perfection but with an expectation of imperfection, software should be developed in the same manner, with allowances for such imperfections, so that it withstands security vulnerabilities more effectively. This is a very interesting topic worthy of consideration and debate.
Saturday, January 15, 2005
Should Virus Writing be a Crime?
I just read an article on News.com (thanks to Slashdot.org) that is an interview with an ex-virus writer about his new job and some of the issues that he faces in it. It seems to me that most people focus on how bad viruses are, and how anyone who might write a virus is evil and should be banned from the IT industry for life... I think that this article is well written and shows people that writing viruses does not mean that you're a criminal.
Writing viruses is similar to penetration testing, or figuring out how a system might be vulnerable. Unless the person writing the virus actually releases the virus or causes some sort of damage, they have not hurt anyone, but they have provided some knowledge to the community so that improvements may be made on existing systems and security. One stipulation to my last statement is that the virus author should release the source code so that it may be studied and serve as a learning tool.
Link to article.
Wednesday, January 12, 2005
Google Hacking: Essential Skill
Search engines are extremely useful tools. How much time do you spend each day searching on the internet? It is worth knowing how to use your favorite search engine well, and to know how to get the data you want. If you spend some time learning how to use your favorite search engine, you will save yourself time in the long haul. For all of those who use Google to search, there is a great site devoted to finding useful and revealing information here. If you register, you can download the "Google hacking guide", which outlines many tips and tricks to aid in your search of valuable information.
With the following search, you will return sites that probably contain sensitive or private information:
allinurl: admin mdb
One option that I consider invaluable at this point is the site: option, it allows the user to search only the specified domain during the search. If I wanted to search my blog, I could use the following string:
site:itsecureadmin.blogspot.com admin
Although the above string does not return anything, play with that option while searching a site that you are familiar with. You can also specify the extension of the file you are searching for, or the filetype.
There are many, many options to choose from and there is a Google Hacking Database that is maintained on johnny's web site.
Disclaimer: All information contained in this post is for educational purposes and should serve as a guide to protecting your own server or software, in addition to aiding those who search for knowledge without the intent to cause harm or damage to others.
Tuesday, January 11, 2005
Great Reference Website --
I have recently stumbled upon a jewel of a website. For anyone who loves technical books, check out http://www.techbooksforfree.com. This website has some great books and serves as an index for many, many technical books that are on-line.
Monday, January 10, 2005
Setting up Samba to recognize a Linux group as a Domain Administrator group
When using Samba to act as a Primary Domain Controller (PDC), it is important to map Linux groups to Windows groups so that you do not have to use the root user to perform any Domain Administrator functions. The tool provided to perform this task is the groupmap subcommand of the net command. Groupmap is used to map any Linux group to any Windows group, which allows the systems administrator to specify one group to function as Domain Administrators and another group to act as Domain Users. In the following commands, I'll demonstrate how I map the Linux group smb_users to the Windows Domain Users group and the Linux group smb_admins to the Windows group Domain Administrators. I am assuming that the Linux groups have already been created.
See what the current mapping status is:
net groupmap list
Map the Domain Admins group:
net groupmap set "Domain Admins" "smb_admins"
Map the Domain Users group:
net groupmap set "Domain Users" "smb_users"
Verify that the mapping worked:
net groupmap list
Now, you must restart Samba for the changes to take effect. This will allow you to use members of the Domain Admins group to add machines to the domain and administer machines on the domain.
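As an added example (not part of the original post), here is a small POSIX shell check for the "verify that the mapping worked" step: it reads the output of `net groupmap list` and confirms that each Windows group maps to the Linux group you intended, rather than being unmapped or pointing at some other group. It assumes Samba 3 prints one mapping per line in the form `<NT group> (<SID>) -> <unix group>`; check that against your own installation. The sample listing, SIDs and group names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify Samba group mappings.
# Assumed `net groupmap list` line format (Samba 3):
#   <NT group> (<SID>) -> <unix group>

# Constructed sample listing (not from a real domain):
SAMPLE_LISTING='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> smb_admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> smb_users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nobody'

# unix_group_for NTGROUP LISTING: print the Linux group NTGROUP maps to,
# or nothing if it is not mapped at all.
unix_group_for() {
    printf '%s\n' "$2" | sed -n "s/^$1 (S-[0-9-]*) -> //p"
}

# check_mapping NTGROUP EXPECTED LISTING: returns 0 if NTGROUP maps to
# EXPECTED, 1 if the mapping is missing or points at another group (for
# example a group you never meant to grant domain-admin rights to).
check_mapping() {
    got=$(unix_group_for "$1" "$3")
    if [ -z "$got" ]; then
        echo "MISSING: \"$1\" is not mapped" >&2; return 1
    elif [ "$got" != "$2" ]; then
        echo "WRONG:   \"$1\" -> $got (expected $2)" >&2; return 1
    fi
    echo "OK:      \"$1\" -> $got"
}

# With --live, read the real mapping table from Samba; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    LISTING=$(net groupmap list)
else
    LISTING=$SAMPLE_LISTING
fi
STATUS=0
check_mapping "Domain Admins" smb_admins "$LISTING" || STATUS=1
check_mapping "Domain Users"  smb_users  "$LISTING" || STATUS=1
echo "mapping check status: $STATUS"
```

Run it with `--live` on the PDC after the `net groupmap set` commands above; a non-zero status means one of the mappings is not what you set.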
Monday, January 03, 2005
Script to parse IPTables Logs
In a previous post, I demonstrated how to set up IPTables to log incoming traffic. I have created the following script to parse my logs for network traffic, returning IP addresses and associated ports:
(Please see previous post for logging configuration.)
#!/bin/bash
#
# Program: ipports
# Purpose: To list all external IPs that have been logged by the firewall from
# the /var/log/messages file and the associated ports that the IP was
# attempting to connect to.
#
# Author: Josh Miller
# Date: 08/26/2004
LOGFILE='/var/log/messages'
OUTFILE='ipports.out'
TMP='ipports.tmp'
# Default to external logs
PARAM1='EXTERNAL'
echo
echo
# Determine which type of logs to parse and report from if user input present
if [ -n "$1" ] ; then
    if [ "$1" == "-e" ] ; then
        PARAM1='EXTERNAL'
        echo "Parsing $LOGFILE for external IP addresses/ports..."
    elif [ "$1" == "-i" ] ; then
        PARAM1='INTERNAL'
        echo "Parsing $LOGFILE for internal IP addresses/ports..."
    elif [ "$1" == "-o" ] ; then
        PARAM1='SRC'   # Select all logs (every LOG line carries a SRC= field)
        echo "Parsing $LOGFILE for all IP traffic/ports..."
    elif [ "$1" == '-h' ] ; then
        echo " Usage: $0 [-e | -i | -o | -h ]"
        echo
        echo " -e: parse logs for external IP sources"
        echo " -i: parse logs for internal IP sources"
        echo " -o: parse logs for all IP sources"
        echo " -h: this help message"
        echo
        exit 0
    fi
else
    echo "Parsing $LOGFILE for external IP addresses/ports..."
fi
# Start with an empty output file so a previous run's data is not appended to
: > "$OUTFILE"
# Print out each IP address, with two additional fields, one of which will be the Destination Port
# (fields 10, 19 and 20 are SRC=, SPT= and DPT= in the syslog lines the LOG rules produce)
COUNTER=0
for i in $(grep "$PARAM1" "$LOGFILE" | awk '{print $10 , $19 , $20}' | sort -u) ;
do
    # Make certain to loop three times before writing to the outfile
    if echo "$i" | grep -E "^DPT=" > /dev/null ; then
        DPORT=$(echo "$i" | cut -c5-9)
    elif echo "$i" | grep -E "^SRC=" > /dev/null ; then
        SRCIP=$(echo "$i" | cut -c5-19)
    fi
    let COUNTER+=1
    if [ $COUNTER -gt 2 ] ; then
        echo "$SRCIP $DPORT" >> "$OUTFILE"
        let COUNTER=0
    fi
done
# Apply a header to the output file
echo
echo " >>> IP and Port log <<< " > "$TMP"
echo
echo "IP Address Port # " >> "$TMP"
echo "==================================" >> "$TMP"
# Sort the data and reapply to file
sort -u "$OUTFILE" >> "$TMP"
cat "$TMP" > "$OUTFILE"
cat "$OUTFILE"
# Clean up
rm "$TMP"
rm "$OUTFILE"
Sunday, January 02, 2005
Using IPTables to Log Useful Network Data
This post is the second post related to the configuration of IPTables. Please see the first post for the initial configuration.
One of the most valuable tools at the disposal of any system or security administrator is the logging capability of the system under administration or investigation. The ability to configure the system to log important events and parse those logs for useful information is a valuable skill to have, which can result in decreased downtime and prevent or detect cyber crime. Any good system logger will have the capability to log specific events and output those events in an easy-to-parse format. A logging application is also considered a form of HIDS (host-based intrusion detection system). In the following post, I will describe how to set up IPTables to log useful network data.
The following instructions were created using IPTables v. 1.2.11 on a Fedora Core 3 system. I will use the same format that I have used previously in posting, which references the IPTables/Netfilter tutorial at Netfilter.org. I will assume that if you are using a system which allows you to compile your own kernel that you know how to make sure that the proper modules are compiled into the kernel. I will also assume that the only interfaces with network connectivity are ethernet devices. If you are using a modem or non-ethernet device for network traffic, adjust the instructions as needed.
The first step is to create a new user-defined chain, which will house the rules to log network traffic:
iptables -N log_table
The next step is to create the rules used to log traffic. I use a format that was introduced to me by a co-worker, who I will refer to by first name only as Kaleb. I will log all traffic in one of two categories: internal traffic and external traffic. The following command will set up the IPTables logging of all internal traffic, which is traffic on the local network (assuming a 192.168.1.0/24 local network):
iptables -A log_table -s 192.168.1.0/24 -i eth+ -m limit --limit 3/minute -j LOG --log-prefix 'INTERNAL: ' --log-level 5
The next step is to setup logging on the external traffic:
iptables -A log_table -s ! 192.168.1.0/24 -i eth+ -m limit --limit 3/minute -j LOG --log-prefix 'EXTERNAL: ' --log-level 5
Finally, we insert a jump to this chain at position 1 of the INPUT and FORWARD chains so that all traffic is logged before it is matched against the other rules (-I with a rule number inserts at that position; -A would only append after any existing rules):
iptables -I INPUT 1 -j log_table
iptables -I FORWARD 1 -j log_table
Remember to save the configuration:
/etc/init.d/iptables save active
Now, we can monitor the logs for traffic and test the logging by checking email, browsing the Internet, or using another network tool. I always use tail to monitor my logs, a good way to use this tool if you are not familiar with it is the following command:
tail -f -n 100 /var/log/messages
Watch the output while you check your mail or browse the web. The '-f' flag will update the output automatically as the file is updated, while the '-n 100' shows the last 100 lines of the file initially.
One downside to this configuration is that your logs will now grow constantly while you are accessing the network, or while any network traffic is coming to you. One benefit to this is that it will help give you a reason to build some good log-parsing scripts.
One of the most valuable tools at the disposal of any system or security administrator is the logging capability of the system under administration or investigation. The ability to configure the system to log important events and parse those logs for useful information is a valuable skill to have, which can result in decreased downtime and prevent or detect cyber crime. Any good system logger will have the capability to log specific events and output those events in an easy-to-parse format. A logging application is also considered a form of HIDS (host-based intrusion detection system). In the following post, I will describe how to set up IPTables to log useful network data.
The following instructions were created using IPTables v. 1.2.11 on a Fedora Core 3 system. I will use the same format that I have used previously in posting, which references the IPTables/Netfilter tutorial at Netfilter.org. I will assume that if you are using a system which allows you to compile your own kernel that you know how to make sure that the proper modules are compiled into the kernel. I will also assume that the only interfaces with network connectivity are ethernet devices. If you are using a modem or non-ethernet device for network traffic, adjust the instructions as needed.
The first step is to create a new table (in iptables terms, a user-defined chain), which will house the rules that log network traffic:
iptables -N log_table
The next step is to create the rules used to log traffic. I use a format that was introduced to me by a co-worker, whom I will refer to by first name only as Kaleb. I will log all traffic in one of two categories: internal traffic and external traffic. The following command sets up IPTables logging of internal traffic, which is traffic on the local network (assuming a 192.168.1.0/24 local network). The limit match caps the rule at 3 log entries per minute so that a burst of traffic cannot flood the log, which also means the log is a sample of the traffic rather than a record of every packet:
iptables -A log_table -s 192.168.1.0/24 -i eth+ -m limit --limit 3/minute -j LOG --log-prefix 'INTERNAL: ' --log-level 5
The next step is to set up logging of the external traffic, which is everything whose source is not on the local network:
iptables -A log_table -s ! 192.168.1.0/24 -i eth+ -m limit --limit 3/minute -j LOG --log-prefix 'EXTERNAL: ' --log-level 5
Finally, we insert a jump to this table at the top of the INPUT and FORWARD tables so that all traffic is logged before it moves on to the other rules (note that -I with a rule number inserts at that position; -A would only append to the end, after any rules that already accept or drop traffic):
iptables -I INPUT 1 -j log_table
iptables -I FORWARD 1 -j log_table
Remember to save the configuration:
/etc/init.d/iptables save active
Now we can monitor the logs for traffic and test the logging by checking email, browsing the Internet, or using another network tool. I always use tail to monitor my logs; if you are not familiar with it, a good way to use this tool is the following command:
tail -f -n 100 /var/log/messages
Watch the output while you check your mail or browse the web. The '-f' flag will update the output automatically as the file is updated, while the '-n 100' shows the last 100 lines of the file initially.
One downside to this configuration is that your logs will now grow constantly while you are accessing the network, or while any network traffic is coming to you. One benefit to this is that it will help give you a reason to build some good log-parsing scripts.
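The post closes by pointing at log-parsing scripts. Here is an added Python example (not part of the original post) showing the minimum such a script needs: parse the kernel LOG lines that the rules above write to /var/log/messages, keyed on the INTERNAL: and EXTERNAL: prefixes, and summarize what arrived from outside. The sample log lines are constructed for the example (203.0.113.0/24 is a documentation address range standing in for the Internet); the field layout is the standard 2.6-kernel LOG format.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines in the format the LOG rules above
# produce (a syslog header, then the --log-prefix, then the kernel's key=value
# fields). Not real traffic; the last line is an unrelated sshd message.
SAMPLE_LOG = """\
Dec 22 10:15:01 primary kernel: INTERNAL: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 22 10:15:03 primary kernel: EXTERNAL: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 22 10:15:04 primary kernel: EXTERNAL: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=2 PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 22 10:15:05 primary kernel: EXTERNAL: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=118 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Dec 22 10:15:06 primary sshd[1234]: Accepted publickey for alice from 192.168.1.20 port 51234 ssh2
"""

# syslog timestamp and host, then the prefix set with --log-prefix, then the fields
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>INTERNAL|EXTERNAL): (?P<fields>.*)$"
)

def parse_log_line(line):
    """Return a dict for one iptables LOG entry, or None for unrelated syslog lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m.group("ts"), "host": m.group("host"),
             "prefix": m.group("prefix"), "flags": set()}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            # UDP and ICMP lines carry a second LEN= for the payload; keep the IP one
            entry.setdefault(key, value)
        else:
            # bare tokens are flags: DF, SYN, ACK, FIN, RST, ...
            entry["flags"].add(token)
    return entry

def summarize(log_text):
    """Aggregate parsed entries into the counters a log-review script would report."""
    by_prefix = Counter()
    external_sources = Counter()
    external_ports = Counter()
    unsolicited_syn = 0
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        by_prefix[entry["prefix"]] += 1
        if entry["prefix"] != "EXTERNAL":
            continue
        external_sources[entry.get("SRC", "?")] += 1
        external_ports[(entry.get("PROTO", "?"), entry.get("DPT", "-"))] += 1
        # A SYN without ACK is a connection attempt from outside, i.e. traffic we
        # did not initiate (a probe or an inbound connection); count it separately.
        if entry.get("PROTO") == "TCP" and "SYN" in entry["flags"] and "ACK" not in entry["flags"]:
            unsolicited_syn += 1
    return {"by_prefix": by_prefix, "external_sources": external_sources,
            "external_ports": external_ports, "unsolicited_syn": unsolicited_syn}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("entries by prefix:", dict(report["by_prefix"]))
    print("top external sources:", report["external_sources"].most_common(3))
    print("external (proto, dport):", report["external_ports"].most_common(5))
    print("unsolicited external SYNs:", report["unsolicited_syn"])
```

Because the LOG rules are rate-limited, the counts are a sample, not a census; they are still enough to spot a source that keeps knocking on ports you do not serve. Feeding the script the real file is a matter of `summarize(open("/var/log/messages").read())`.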
Friday, December 31, 2004
How Grid Computing Differs from Cluster Computing
After doing some research on grid computing through IBM's web resources, I have come across the following outline which amplifies the differences between grid and cluster computing. This topic has been misunderstood by most people who I have discussed it with. Hopefully this will aid in my understanding and ability to discuss the topic intelligently.
Quoted from http://www-106.ibm.com/developerworks/grid/library/gr-heritage/
How grid differs from cluster computing
Cluster computing can't truly be characterized as a distributed computing solution; however, it's useful to understand the relationship of grid computing to cluster computing. Often, people confuse grid computing with cluster-based computing, but there are important differences.
Grids consist of heterogeneous resources. Cluster computing is primarily concerned with computational resources; grid computing integrates storage, networking, and computation resources. Clusters usually contain a single type of processor and operating system; grids can contain machines from different vendors running various operating systems. (Grid workload-management software from IBM, Platform Computing, DataSynapse, and United Devices are able to distribute workload to a multitude of machine types and configurations.)
Grids are dynamic by their nature. Clusters typically contain a static number of processors and resources; resources come and go on the grid. Resources are provisioned onto and removed from the grid on an ongoing basis.
Grids are inherently distributed over a local, metropolitan, or wide-area network. Usually, clusters are physically contained in the same complex in a single location; grids can be (and are) located everywhere. Cluster interconnect technology delivers extremely low network latency, which can cause problems if clusters are not close together.
Grids offer increased scalability. Physical proximity and network latency limit the ability of clusters to scale out; due to their dynamic nature, grids offer the promise of high scalability.
For example, recently, IBM, United Devices, and multiple life-science partners completed a grid project designed to identify promising drug compounds to treat smallpox. The grid consisted of approximately two million personal computers. Using conventional means, the project most probably would have taken several years -- on the grid it took six months. Imagine what could have happened if there had been 20 million PCs on the grid. Taken to the extreme, the smallpox project could have been completed in minutes.
Cluster and grid computing are completely complementary; many grids incorporate clusters among the resources they manage. Indeed, a grid user may be unaware that his workload is in fact being executed on a remote cluster. And while there are differences between grids and clusters, these differences afford them an important relationship because there will always be a place for clusters -- certain problems will always require a tight coupling of processors.
However, as networking capability and bandwidth advances, problems that were previously the exclusive domain of cluster computing will be solvable by grid computing. It is vital to comprehend the balance between the inherent scalability of grids and the performance advantages of tightly coupled interconnections that clusters offer.
Quoted from http://www-106.ibm.com/developerworks/grid/library/gr-heritage/
Microsoft Stops Pushing Passport as Universal Web Login
The Passport system, used by Microsoft to authenticate users in their Hotmail and MSN instant messenger technologies, is no longer being pushed as an authentication tool for online transactions at non-Microsoft websites. According to an article in The Seattle Times, eBay and Monster.com have stopped using Passport to authenticate users on their systems. This is excellent news, as having a proprietary system implemented as an Internet standard would be a terrible blow to the freedom and security of the existing systems. Imagine having to wait another month for the next roll-out of security patches from Microsoft (or any other vendor) before you could make any "safe" online transactions.
The importance of having open standards that are available for auditing by the public and professionals who are not worried about how much they are going to make from the success or failure of the system they are auditing is of extreme importance when considering the security and privacy of financial information. We, as consumers and security professionals, must take a stand against proprietary standards and push for open standards that are not subject to a profit margin and investors who only care about how their bank account grows.
Wednesday, December 29, 2004
Book Review: The Cuckoo's Egg, by Cliff Stoll
If spooks and spies, computer security, and down to earth common sense with the scientific method appeal to you, this book will be an exciting read that you will not be able to put down.
"The Cuckoo's Egg", by Cliff Stoll, is a novel written by an astronomer at Berkeley who begins by helping some systems administrators and ends up chasing a German hacker who works for the KGB. Cliff, who is relating a true story based upon his experience, tracks down and provides the evidence to convict this hacker by working with the FBI, CIA, NSA, OSI, and other agencies. The book is around 350 pages, and has over 50 chapters, making for short chapters.
On a technical note, the techniques, procedures, and equipment in the book are described well so that the reader will have their curiosity piqued. The hacking techniques show how insecure the common administrator left their system 20 years ago (and to some degree today). The most common way that the hacker entered a system was by using a default username and password. All the technical readers will note how the interaction by the "computer experts" is very minimal, while giving credit to the author (I imagine we would all do the same, so I don't blame him).
I highly recommend this book to technical and non-technical crowds alike. Enjoy!
Amazon Link
Windows vs. Linux - Discussion at Microsoft
On December 11th there was an article posted to TechNet which is a discussion between two Microsoft employees about the differences between Windows and Linux. The discussion did a good job of promoting the strengths of Microsoft and spreading some myths about Linux, as well as revealing some truths that people should be aware of.
One of the problems with the mindset of those who set Microsoft against Linux is that the two really are not comparable. This is brought up in the article by stating that "nobody runs just a kernel". Linux is a kernel. Windows is not just a kernel, it's an entire suite of software with a kernel in there somewhere. Another point that Microsoft tries to press in the article is how Microsoft supports open-standards better than the open-source community, which is completely incorrect. Microsoft works with Microsoft products. I know that Microsoft is working toward creating software to work with other technologies (SFU), but most people I know are not using these technologies and are not aware of them. Most users are not upgrading to the latest version of Windows and Office.
I like the way that Microsoft admits that many people in the IT industry want to be able to integrate their systems and not have to hassle with incompatibilities, I second that. I would love to be able to work with Windows and Linux with fewer hassles. I believe that those hassles could be solved easier if Microsoft were willing to work with others, although the open-source community will continue to solve the problems of compatibility.
The end result for me as an IT professional is "which tool will perform the job better now and in the future". The most common answer for me happens to be Linux. A huge factor that I see in this arena is that most IT people I work with know next to nothing about Linux and have no experience working with Linux. As the demand for Linux and the ability to do what you want to do with your systems increases, the demand for people with Linux skills will increase. I think that a very common mindset today among the IT crowd is that they won't learn a new technology unless their employer pays them to learn it. This makes it easy to set ourselves above the crowd by learning these new technologies. The hard-working self-starter will rarely be out of a job.
I think that it is very important to know the technologies in the field and not take a stand that limits yourself to just one vendor or technology. The IT professional who is valuable to his place of work will make sure they study both Microsoft and OTM technologies.
Wednesday, December 22, 2004
Basic IPTables/Netfilter Configuration on Fedora Core 3
Having recently installed Fedora Core 3 on one of my machines, I have had an opportunity to view the firewall settings when using the GUI provided to set the security on Red Hat. When installing the operating system, I chose to enable the firewall and allow SSH connections from the internet. With these settings in mind, the following output results from 'iptables -L -v':
[root@primary ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
377K 461M RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 298K packets, 50M bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
37548 26M ACCEPT all -- lo any anywhere anywhere
4 280 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere
0 0 ACCEPT ipv6-auth-- any any anywhere anywhere
75 5864 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
310K 434M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
974 58420 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
28095 1845K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
To interpret what RedHat has done here, they have allowed SSH access into my machine, but they have also allowed other items to get in. I meant to only allow SSH access into my machine, but it seems RedHat has other ideas.
Several issues come to mind when viewing this configuration. If I were a cyber-criminal, I would now know what the signature for a Red Hat system was so that I could exploit it based on the ports that are open by default. I could do a mass portscan with nmap, hping2, or another port scanner, and identify systems to match with known vulnerabilities. This is why it is very important to know your system, or pay someone to know your system, and to use third-party tools to verify the security of your system.
The important thing to do at this point is to close down the holes in the firewall that do not belong there. I have adopted a method, taken from an IPTables/Netfilter tutorial, which creates a block table (a user-defined chain) that INPUT and FORWARD jump to, and then goes back to add additional tables for each service that you want available. I will demonstrate how to do this here:
Create the block table:
iptables -N block
Then, add rules to the block table to allow new connections arriving on any non-ethernet interface (which, given the assumptions above, means loopback) and related or established traffic in:
iptables -A block -i ! eth+ -m state --state NEW -j ACCEPT
iptables -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
Next, add a rule to drop all other traffic:
iptables -A block -j DROP
Finally, reference the block table from the INPUT and FORWARD tables with the following commands:
iptables -I INPUT 1 -j block
iptables -I FORWARD 1 -j block
View the results with 'iptables -L -v -n':
[root@primary ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
59 3817 block all -- * * 0.0.0.0/0 0.0.0.0/0
413K 463M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 block all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 301K packets, 50M bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
37548 26M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
12 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
75 5864 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
311K 434M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
988 59180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
63650 3290K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain block (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !eth+ * 0.0.0.0/0 0.0.0.0/0 state NEW
52 3120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 697 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
You will note that the block table is referenced above the RedHat default tables which will make all traffic go through the block table and not reach the RedHat table. The firewall is now at a good starting point, and will block all traffic not requested from the inside first. Now the RedHat firewall table can be de-referenced and deleted, as shown:
iptables -D INPUT 2
iptables -D FORWARD 2
iptables -F RH-Firewall-1-INPUT
iptables -X RH-Firewall-1-INPUT
Now, with another 'iptables -L -v -n', you will see that the configuration is ready to be saved and tweaked for specific uses. Save the configuration with '/etc/init.d/iptables save active'.
The next step for this specific setup is to allow SSH access into the machine. This is done using the same concept as before, by creating a table for this service and adding it to the INPUT and FORWARD tables when it is ready. The commands used are as follows:
iptables -N ssh_table
iptables -A ssh_table -p tcp --dport 22 -j ACCEPT
Now we reference this table from the INPUT and FORWARD tables as follows:
iptables -I INPUT 1 -j ssh_table
iptables -I FORWARD 1 -j ssh_table
Finally, save the changes:
/etc/init.d/iptables save active
Take another look at your configuration and make sure it looks right. This small tutorial does not even touch on the many, many capabilities of IPTables/Netfilter, but it does provide a starting point to secure your system from many overt and brute-force attacks.
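The reasoning in this post is about rule order: a jump placed above the Red Hat chain means packets never reach it, and deleting that chain and inserting ssh_table changes what is reachable again. Here is an added Python example (not from the original post) that makes this checkable rather than eyeballed: it parses the 'iptables -L -v -n' listing shown above, walks INPUT in rule order following jumps into user-defined chains, and reports the destination ports a packet from the network can still be accepted on. The listing of the end state (RH-Firewall-1-INPUT gone, ssh_table above block) and its counters are constructed for the example.

```python
import re

# The INPUT-related chains from the 'iptables -L -v -n' listing above (page
# data); FORWARD and OUTPUT are omitted because the walk below starts at INPUT.
LISTING_AFTER_BLOCK = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
59 3817 block all -- * * 0.0.0.0/0 0.0.0.0/0
413K 463M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
37548 26M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
12 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
75 5864 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
311K 434M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
988 59180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
63650 3290K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain block (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !eth+ * 0.0.0.0/0 0.0.0.0/0 state NEW
52 3120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 697 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Constructed listing of the end state the post reaches (RH chain deleted,
# ssh_table inserted above block); the counters are made up.
LISTING_FINAL = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10 600 ssh_table all -- * * 0.0.0.0/0 0.0.0.0/0
10 600 block all -- * * 0.0.0.0/0 0.0.0.0/0
Chain block (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !eth+ * 0.0.0.0/0 0.0.0.0/0 state NEW
8 480 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ssh_table (2 references)
pkts bytes target prot opt in out source destination
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

def parse_listing(text):
    """Parse 'iptables -L -v -n' output into {chain_name: [rule, ...]} in rule order.
    Columns: pkts bytes target prot opt in out source destination [match text]."""
    chains, rules = {}, None
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            rules = chains[m.group(1)] = []
            continue
        f = line.split(None, 9)
        if rules is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        rules.append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                      "src": f[7], "dst": f[8], "extra": f[9] if len(f) > 9 else ""})
    return chains

def is_catch_all(rule):
    """True when the rule matches every packet: no protocol, interface, address or match restriction."""
    extra = rule["extra"]
    if extra.startswith("reject-with"):
        extra = ""  # reject-with is a target option, not a match
    return (rule["prot"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0" and extra == "")

def reachable_accepts(chains, chain="INPUT"):
    """Walk a chain in order, descending into user-defined chains. Returns
    (accepts, terminated): the ACCEPT rules some packet can still reach, and
    whether an unconditional DROP/REJECT ends evaluation for every packet
    (anything listed after that point, e.g. a later chain, is dead)."""
    accepts = []
    for rule in chains[chain]:
        target = rule["target"]
        if target in chains and target not in BUILTIN_TARGETS:
            sub, terminated = reachable_accepts(chains, target)
            accepts.extend(sub)
            if terminated and is_catch_all(rule):
                return accepts, True
        elif target == "ACCEPT":
            accepts.append((chain, rule))
        elif target in ("DROP", "REJECT") and is_catch_all(rule):
            return accepts, True
    return accepts, False

def exposed_ports(chains, chain="INPUT"):
    """(protocol, port) pairs opened by reachable ACCEPT rules that name a destination port."""
    ports = set()
    for _, rule in reachable_accepts(chains, chain)[0]:
        m = re.search(r"\bdpt:(\d+)", rule["extra"])
        if m:
            ports.add((rule["prot"], int(m.group(1))))
    return ports
```

Run against the listing above, the walk stops inside block (its final DROP is unconditional and the jump to it matches everything), so none of the Red Hat chain's ACCEPTs, including udp 5353 and 631, are reachable any more; removing the block jump from INPUT reproduces the default state and lists exactly those ports. The parser only understands rule lines whose target column is present, which is the case for every line in the listings on this page.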
Monday, December 20, 2004
Secure Shell Tunneling (On Linux)
SSH tunneling is a bit of knowledge that any security professional should have under their belt. Here I will explain some rudimentary elements to SSH tunneling. The purpose of SSH tunneling is to provide a secure means of transporting data over a non-secure channel. In essence, SSH tunneling is creating a VPN (Virtual Private Network).
SSH tunneling can be used to route any traffic from one computer to another, as long as there is an SSH server on one end and an SSH client on the other end. It is a requirement that there be an account with shell access used to create the tunnel. One common use of SSH tunneling is to secure email transfers when the email server has no secure transport protocol in place. This is a problem at my place of work, which is a large university that does not provide a secure means to check email. In order to prevent my username and password from passing between my machine and the mailserver in the clear, I use SSH tunneling to encrypt all traffic. I will explain how I did this in the following steps:
1. First, set up the SSH tunnel between the local machine and the mailserver for POP3 and SMTP transport. Note the use of high-numbered local ports, which allows the tunnels to be established by a non-privileged user (ports below 1024 would require root). Replace <username> with your shell account on the mailserver; -N tells ssh not to run a remote command, since the session exists only to carry the tunnels:
ssh -L 52110:localhost:110 -L 52025:localhost:25 -l <username> -N mailserver
This command will be answered with a password prompt, which is the password for the SSH account you are using to connect to the mailserver. To verify the tunnels have been established, open another shell and use netstat to see if your machine is now listening on those two ports:
netstat -l --inet
2. Next, configure your mail client to use localhost:52110 as the POP3 server and localhost:52025 as the SMTP server.
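The post verifies the tunnel by reading netstat output by eye. Here is an added Python example (not from the original post) that builds the ssh command line for a set of -L forwards and checks a 'netstat -l --inet' listing to confirm that each forwarded port is listening and is bound to loopback only; a forward bound to every address would let other hosts on the LAN send mail and fetch your mailbox through your tunnel. The netstat output, the account name and the set of loopback names are constructed assumptions for the example.

```python
# Constructed 'netstat -l --inet' output in net-tools format (names, not numbers),
# as it might look after the ssh command above. Not captured from a real host;
# port 52025 is deliberately shown bound to '*' to exercise the check.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:52110         *:*                     LISTEN
tcp        0      0 *:52025                 *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
udp        0      0 *:bootpc                *:*
"""

# local port -> (host as seen from the SSH server, port there), i.e. the -L specs
MAIL_TUNNELS = {52110: ("localhost", 110), 52025: ("localhost", 25)}

# names netstat may print for a loopback-bound socket (assumed set)
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1"}

def build_tunnel_command(user, server, tunnels):
    """argv for the tunnel session: one -L per forward, -N so no remote shell is started."""
    argv = ["ssh", "-N", "-l", user]
    for lport, (rhost, rport) in sorted(tunnels.items()):
        argv += ["-L", f"{lport}:{rhost}:{rport}"]
    return argv + [server]

def tcp_listeners(netstat_text):
    """Parse the listing into {local_port: bind_address} for TCP sockets in LISTEN."""
    listeners = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "tcp" or cols[5] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if port.isdigit():  # service names such as 'ssh' are not tunnel ports
            listeners[int(port)] = addr
    return listeners

def check_tunnels(netstat_text, tunnels):
    """Return a list of problems: tunnel ports that are not listening, or that
    listen on a non-loopback address and so are usable by other hosts."""
    listeners = tcp_listeners(netstat_text)
    problems = []
    for lport in sorted(tunnels):
        addr = listeners.get(lport)
        if addr is None:
            problems.append(f"port {lport}: not listening (tunnel not up?)")
        elif addr not in LOOPBACK_NAMES:
            problems.append(f"port {lport}: bound to {addr!r}, not loopback")
    return problems

if __name__ == "__main__":
    print(" ".join(build_tunnel_command("<username>", "mailserver", MAIL_TUNNELS)))
    for problem in check_tunnels(NETSTAT_SAMPLE, MAIL_TUNNELS) or ["tunnels look fine"]:
        print(problem)
```

On a real machine, replace NETSTAT_SAMPLE with the output of `netstat -l --inet` (for example via `subprocess.run`) after the ssh command has prompted for the password; an empty problem list means both forwards are up and reachable only from the local machine.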
Couple of security questions...
Two questions that I'd like to consider and possibly come up with an answer to. These questions are in regard to a Windows/Linux domain environment:
1. Is it more secure, yet still easy to administer, to have all client machines under their own control, with a domain administrator role only having the power to patch and virus scan, rather than have a domain administrator have more power than the local administrator?
I think it is more secure to have a network/domain where the domain administrator only has update and user management, while the local administrators have more and complete control over their system. This would prevent the entire domain from being compromised when the domain administrator account becomes compromised.
2. Is it more secure, yet still easy to administer, to have only one user with administrator privileges, rather than have multiple levels of administrator access? One example here is the Windows method of having a domain administrator and an enterprise administrator, in addition to a plethora of other administrators...
With most *nix systems, there is a user assigned to each application or process that has administrative rights over that process, which makes it unnecessary to use root to perform most actions. The root user is only required for actual system administration. Along with this, it is very easy in *nix systems to switch roles and become the root user, or the apache user.
Please post comments.
Tuesday, December 14, 2004
Microsoft Users Run as Admins?
In an article posted on http://news.com, Microsoft's CIO, Ron Markezich, talks about many issues from outsourcing to testing software in-house. One point that he brings up is that his users "are the admins of their machines". This statement is not surprising, but it gives me more insight into why it is so difficult to administer a Windows domain full of non-privileged users. A well known security basic is that users should be granted only enough power to perform their function, and if the software vendor tests the application in a state that is not the normal way its customers use it, the customer is going to have a less than satisfying experience with the application. One way to correct this problem would be to have half of the testers run as admins and the other half as non-privileged users.
Link to Article
When a department in Microsoft is testing software in a non-secure manner, this indicates to me that they are not taking security seriously. Security is a market that Microsoft has taken a huge hit on. Only when they realize just how important security is will they stand a chance and have the potential to be competitive among people who do take security seriously -- until then, they will have to cater to people who don't know any better than to run as admins and become infected with spyware and other malware, which will further tarnish their reputation.
Thursday, December 09, 2004
FreeBSD Configuration
I figured out what the problem was with my mouse on FreeBSD, and learned some interesting things in the process. The problem with the configuration was that my mouse is not supported by the FreeBSD system, which caused the mouse to behave very erratically. The mouse that I was using at the time was a PS/2 LabTec Optical Wheel mouse. I am now using a Packard Bell PS/2 2-button mouse. I'll have to find a supported optical wheel mouse to use with this system.
An interesting thing about FreeBSD is that you have two options when configuring the mouse. You can use what is called moused to control the mouse, or you can let X control the mouse. If you use moused to control the mouse, you have a mouse even in the console when X is not running. There are a couple of different settings to adjust when using one or the other, but neither is difficult to configure. If you are using the 'sysinstall' program to configure the mouse, you don't have to touch any configuration files. You can just type 'sysinstall' from the command prompt as the root user, then select 'configuration', then select 'mouse'. At that point you will be prompted with setting the port, protocol, and enabling the mouse. Configuring the mouse to work with X is the same process as when configuring X on Linux.
Another interesting item to note is that when you use the 'sysinstall' program to configure the system, it does not delete entries in the /etc/rc.conf file, it shows the changes and maintains the old settings as a history. This feature is very useful, as you can see what the old settings were and when you changed them. I heartily recommend this feature to any developers for integration into existing systems.