ssh-keygen -f .ssh/id_dsa -p
sudo apt-get install unattended-upgrades update-notifier-common
/etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
// "Ubuntu lucid-updates";
};
/etc/apt/apt.conf.d/10periodic:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Also check:
cat /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
log: /var/log/unattended-upgrades
lshell lets you restrict a user's shell environment to limited sets of commands, choose to enable or disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log users' commands, implement timing restrictions, and more.
reverse proxy
Dovecot:
% wget http://www.startssl.com/certs/ca-bundle.crt
% cat ssl.crt sub.class1.server.ca.pem > /etc/ssl/dovecot/dovecot_crt.pem
% ln -s ssl.key /etc/ssl/dovecot/dovecot_key.pem
% cp ca-bundle.crt /etc/ssl/apache2/
dovecot.conf:
ssl_ca = </etc/ssl/apache2/ca-bundle.crt
ssl_cert = </etc/ssl/dovecot/dovecot_crt.pem
ssl_key = </etc/ssl/dovecot/dovecot_key.pem
http://nooms.de/articles/startssl.html
Postfix:
% ln -s ssl.crt cert.pem
% ln -s ssl.key key.pem
main.cf:
## TLS parameters ##
smtpd_use_tls=yes
smtpd_tls_cert_file=/etc/ssl/postfix/cert.pem
smtpd_tls_key_file=/etc/ssl/postfix/key.pem
smtp_tls_CAfile = /etc/ssl/apache2/ca.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
http://forum.startcom.org/viewtopic.php?t=80
Also see:
cat /etc/aide/aide.conf
# AIDE conf
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes
# Here are all the things we can check - these are the default rules
#
#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
# Defines formerly set here have been moved to /etc/default/aide.
# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
# Next decide what directories/files you want in the database
# Kernel, system map, etc.
=/boot$ Binlib
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib
# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib
# Log files
=/var/log$ StaticDir
#!/var/log/ksymoops
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
!/var/log/aide
/var/log Logs
# Devices
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc
# You can look through these examples to get further ideas
# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1
# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
/var/spool/cron Databases
#/var/spool/cron/crontabs Databases
# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages
# docs
#/usr/doc ManPages
#/usr/share/doc ManPages
# check users' home directories
/home Binlib
# check sources for modifications
/usr/src L
#/usr/local/src L
# Check headers for same
#/usr/include L
#/usr/local/include L
Linux Security Notes – AIDE File Integrity | HowtoForge – Linux Howtos and Tutorials

Mount /tmp with noexec, nodev and nosuid flags. In most cases, a simple tmpfs ramdisk with a maximum size of 100 MB should be enough. Just insert this line into /etc/fstab, and do a "mount /tmp" afterwards:
tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0
If a script kiddie still manages to drop a file in /tmp, there is no way to execute it directly from there.
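To confirm the flags are actually in effect after the remount, the following check can be used. It is an added example, not part of the original notes; it reads a mount table in /etc/fstab or /proc/mounts format on stdin and lists which of nodev, noexec and nosuid are missing for a mount point. The function names, the sample table and the /dev/shm entry are constructed for illustration and go slightly beyond the /tmp case above.

```shell
#!/bin/sh
# Added example: audit a mount point for the hardening flags used above.
REQUIRED_OPTS="nodev noexec nosuid"

# check_mount_opts MOUNTPOINT < table
# Prints the missing options (space separated), or "unmounted" if the table
# has no entry for MOUNTPOINT. Returns 0 only when every option is present.
check_mount_opts() {
    mp=$1
    # Field 2 is the mount point, field 4 the option list. The last matching
    # line wins, because a later mount shadows an earlier one on the same path.
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "unmounted"
        return 2
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        # Wrap in commas so "exec" can never match inside "noexec".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
    [ -z "$missing" ]
}

# Constructed sample table: the /tmp line is the fstab entry from these notes,
# the other two lines are made up for the demonstration.
sample_mounts() {
    cat <<'EOF'
# <fs> <mountpoint> <type> <options> <dump> <pass>
/dev/sda1 / ext4 rw,relatime 0 1
tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demo on the constructed table.
for mp in /tmp /dev/shm; do
    printf '%s: missing=[%s]\n' "$mp" "$(sample_mounts | check_mount_opts "$mp" || true)"
done
```

On a live host, run `check_mount_opts /tmp < /proc/mounts` to check the kernel's view rather than what fstab requests.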