Posts with the tag Security

VPN with tinc and IPv6 (Using OpenWrt Routers)

The vpn software tinc has full support for IPv6 according to its projects' web site.

Here are the features in short:

  • Encryption, authentication and compression
  • Automatic full mesh routing
  • Easily expand your VPN
  • Ability to bridge ethernet segments (check this)
  • Runs on many operating systems and supports IPv6

Installing tinc

On OpenWrt Routers:

opkg update
opkg...

Read on

REINER SCT cyberJack RFID komfort

The REINER SCT cyberJack RFID komfort is a smartcard and RFID card reader popular in Germany as it supports the German identity card and its RFID technology. Here are my notes on the device, some tweaks and how to use it.

Current problems

As of 2011-12-28 I'm having a couple of problems with...

Read on

Problems with a Drupal 7.0 installation when changing the Bartik theme: PHP safe mode

If you get an error message like the following when changing the color scheme / color set of the Bartik theme in Drupal 7 you might have PHP Safe Mode enabled.

* The specified file themes/bartik/logo.png could not be copied, because the destination directory is not properly configured. This...

Read on

Backup saved passwords in Ubuntu

To make a backup of the saved passwords in Ubuntu just make a backup of the folder ~/.gnome2/keyrings/. This is where Gnome stores its password keyrings (named something like somename.keyring).

You can also export all your passwords from the Gnome Keyring using the python module keyring as described in <a...

Read on

Get rid of an additional password prompt after Gnome login to unlock the default keyring when you changed your login password

If you get a password prompt like the following when logging on to Gnome on Ubuntu Linux your login password might differ from your keyring password file (~/.gnome2/keyrings/default.keyring):

An application wants access to the keyring 'default' but it is locked.

So to get arround this and have the default keyring...

Read on

Secureley Erase Data

I have an old hard disk and I want to waste it. So I want to make sure there is no data left on the device:

  • shred
  • wipe

Overwrite the hard disk /dev/sdd using 1 run:

sudo shred -vn 1 /dev/sdd

A fast alternative:

sudo sh -c 'cryptsetup -d /dev/urandom -c aes-xts-plain...

Read on

Local SOCKS-5 Proxy by only connecting via SSH

http://daniel.molkentin.de/blog/archives/96-SOCKS-Proxy-via-SSH.html

ssh -D 8080 someuser@somecomputertouseasgateway

then setup the browser on this machine to use localhost:8080

...

Read on

denyhost

http://denyhosts.sourceforge.net/
http://www.heise.de/security/artikel/SSH-vor-Brute-Force-Angriffen-schuetzen-270140.html

denyhost can help keep out unwanted guests from your ssh server.

/etc/hosts.deny:

#
# /etc/hosts.deny
#

ALL: ALL: DENY

# End of file

/etc/hosts.allow:

#
# /etc/hosts.allow
#

sshd: ALL EXCEPT /etc/hosts.evil

# End of file
...

Read on

React to IP Takeover

When someone has taken your IP, react!

Set your IP to the correct one (belonging to you):

sudo ifconfig eth0 201.2.16.41 netmask 255.255.255.0

and run arping to get the IP back on your side:

sudo arping -U -c 3 -I eth0 201.2.16.41
sudo arping -A -c 3 -I eth0 201.2.16.41

Also have...

Read on

HowTo generate secure passwords using pwgen

http://wiki.ubuntuusers.de/Shell/pwgen

sudo aptitude install pwgen

pwgen can generate safe passwords for you. It is a command line tool and can be used like this:

pwgen -s -y 8 1

-s means create a secure password, -y means it should contain at least one special character, 8 means it...

Read on

Set up a Unix User Account with SFTP Access but no other Rights (such as Shell Access)

An easier solution just by setting a line in the configuration of the ssd daemon can be found in the blog post Chroot SFTP users.

http://forum.ubuntuusers.de/post/1884322/
http://manpages.ubuntu.com/manpages/karmic/man1/scponly.1.
http://wiki.ubuntuusers.de/scponly
http://sublimation.org/scponly/wiki/index.php/Main_Page

sudo aptitude install scponly

configuration:

sudo -s
cd /usr/share/doc/scponly/setup_chroot
gunzip setup_chroot.sh.gz
chmod +x setup_chroot.sh
./setup_chroot.sh

this adds the user etc...

sudo...

Read on

SSH Welcome Banner

To warn unauthorized users logging in via ssh, you can add a ssh banner.

echo "Banner /etc/issue.net" | sudo tee -a /etc/ssh/sshd_config > /dev/null
cat << EOF | sudo tee /etc/issue.net
***************************************************************************
          ...

Read on

AqBanking CLI

AqBanking is used as a backend for gnucash and therefore very mature. It features a CLI to query CSV files of transactions and more.

There is a newer blog post on this subject: AqBanking CLI on Mac OS...

Read on

Write the system status to a logfile every hour

It may happen that your system is slow for some reason, it may fail completely, be under an attack, it can even have a troyan and you do not even know. I found a script recently which integrates into your system via a daily cronjob. It uses logrotate. So it...

Read on

Analyse illegal SSH login attempts

Filter the authentication log file for failed authentications and count the attempts (lines in the log file):

grep -i fail /var/log/auth.log | wc -l

Check for all attacks with non existing usernames:

grep -i "Failed password for invalid user" /var/log/auth.log | cut -d " "...

Read on

Forbid root Login via SSH

Edit the configuration file of the SSH daemon:

sudo gedit /etc/ssh/sshd_config

Change the line containing PermitRootLogin yes to PermitRootLogin no , save the file and restart the SSH server.

sudo /etc/init.d/ssh restart
...

Read on

Defend Your Network From Slow Scanning

http://www.builderau.com.au/strategy/businessmanagement/soa/Defend-your-network-from-slow-scanning/0,339028271,339272421,00.htm

...

Read on

Anonymising Internet Usage

with Tor

http://wiki.ubuntuusers.de/Tor
https://help.ubuntu.com/community/TOR

installation http://wiki.ubuntuusers.de/Tor/Installation

gpg --keyserver subkeys.pgp.net --recv-keys 0x94C09C7F
gpg --export 0x94C09C7F | sudo apt-key add -
echo "deb http://mirror.noreply.org/pub/tor jaunty main" | sudo tee -a /etc/apt/sources.list
sudo apt-get update 
sudo apt-get install tor

setup of a HTTP-Proxy for tor Tor being a Socks-Proxy (not a HTTP-Proxy) means you can't...

Read on

tinc vpn - with automatic full mesh routing

tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. It runs on many platforms including Linux, FreeBSD, OpenBSD, NetBSD, MacOS/X, Solaris, Windows 2000, XP, Vista and Windows 7.

The installation of tinc on Ubuntu Linux is...

Read on

Set up NetworkManager for VPN

http://wiki.ubuntuusers.de/NetworkManager#VPN

sudo aptitude install network-manager-openvpn network-manager-pptp network-manager-vpnc
...

Read on

Set up Port-Knocking

The installation of the port knocking daemon is quite simple:

sudo apt-get install knockd

To start the knockd daemon automatically: uncomment START_KNOCKD=1 in /etc/default/knockd.

Configuration:

Edit the config file /etc/knockd.conf:

[options]
   logfile = /var/log/knockd.log
[openSSH]
   sequence    = <span...

Read on

Chroot SFTP users

OpenSSH supports jailing SFTP users to a directory (using chroot) just by changing its configuration file:

Basically you add the users you want to jail to a linux user group (sftp) and add the following lines to /etc/ssh/sshd_config:

### Comment out the following line:
#Subsystem sftp /usr/lib/openssh/sftp-server
### and replace with:
Subsystem sftp...

Read on