Monday, June 30, 2008

Using wget behind a proxy in Linux

If you are behind a proxy and would like to download a file, you can do so by issuing these commands:

export http_proxy=http://proxy.anonymous.com:8080
wget -e use_proxy=yes http://www.serversolaris.com/Crypt-SSLeay.tgz

Note that "use_proxy" is a .wgetrc setting rather than an environment variable, so it is passed with "-e" here; putting "use_proxy = on" in ~/.wgetrc has the same effect.

A strong Unix Password

The strength of a cryptographic solution should not rest on the obscurity of the algorithm; the most useful and hardest-to-break solutions are public algorithms that everybody can inspect, for example PKI, CAST and PGP, all of which are public.
So the obvious weak point of a security system is the password, the part of the mechanism that nobody else knows. A password can be interpreted as something you know, something you have, something that uniquely identifies you, or a combination of these.

Considering just a password (something you know), I would like to share some best practices in Linux.

DON'T DO THIS

  • A password of fewer than 8 characters is easily broken by a brute-force attack. You can set PASS_MIN_LENGTH in the /etc/login.defs file to force long enough passwords.
  • Don't use words that can be found in a dictionary or encyclopedia of any existing language; a good technique is to type the password into "google" and see if anything is found :-)
  • Don't use any personal detail (phone, ages, names, etc.).
  • Any combination of these.

THESE METHODS ARE MORE EFFECTIVE:

  • Replace letters with numbers, for example "3" for "e", "4" for "A", "7" for "T".
  • Create a mnemonic from a phrase only you know; for example "i like linux and security" would be converted to "illas". Add some numbers and your password would be secure; remember to use a password longer than 8 characters.
  • Mix uppercase and lowercase letters.
  • Use special characters: "-", "!", ":", "@".
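To make the rules above checkable, here is an added example (not part of the original post) that turns them into a small password-policy checker: minimum length, mixed case, digits, special characters, a dictionary lookup and a personal-details lookup. The word set is a constructed stand-in for a real word list such as /usr/share/dict/words, and the checker undoes the letter-for-number substitutions before the dictionary lookup, because "p4ssw0rd" is still the word "password" to any password-cracking rule set.

```python
import re
import string

# The PASS_MIN_LENGTH recommendation from the post
MIN_LENGTH = 8

# Constructed stand-in for a real word list such as /usr/share/dict/words
DICTIONARY = {"password", "linux", "security", "argentina", "summer", "qwerty"}

# The letter-for-number substitutions the post recommends, reversed: a
# dictionary word stays a dictionary word after "3" replaces "e" and so on
LEET_MAP = str.maketrans({"3": "e", "4": "a", "7": "t", "0": "o",
                          "1": "i", "@": "a", "$": "s", "5": "s"})


def normalise(password):
    """Undo common substitutions and lower-case, for dictionary comparison."""
    return password.translate(LEET_MAP).lower()


def check_password(password, personal_details=()):
    """Return the list of policy violations; an empty list means acceptable.

    personal_details: strings such as names or phone numbers that must not
    appear in the password (the post's "Don't use any personal detail").
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of uppercase and lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")

    base = normalise(password)
    # Strip surrounding digits/punctuation so "password123!" is still caught
    core = base.strip(string.digits + string.punctuation)
    if core in DICTIONARY:
        problems.append("dictionary word %r (after undoing substitutions)" % core)

    for detail in personal_details:
        if detail and detail.lower() in base:
            problems.append("contains personal detail %r" % detail)

    return problems


if __name__ == "__main__":
    for pw in ("p4ssw0rd", "Walter2008!", "1ll4s-S3c!"):
        verdict = check_password(pw, personal_details=("walter",))
        print("%-12s %s" % (pw, verdict or "OK"))
```

The third sample, built from the post's "illas" mnemonic plus substitutions and symbols, passes every check; the first two show that substitutions alone, or a name with a year appended, do not.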

In Linux or Solaris it is possible to create secure passwords with the "mkpasswd" utility.

# mkpasswd -l 20
jnXbrScbzbtnwqg99hho

Tuesday, June 24, 2008

Forcing logrotation with logrotate

In my previous post I explained how to set up a simple log rotation (http://serverlinux.blogspot.com/2006/02/logrotate-in-linux.html). Now I would like to show a simple but useful command that forces the log rotation, independently of the normal scheduled execution.

# logrotate -f /etc/logrotate.conf

For more information, see "man logrotate" (LOGROTATE(8)).

Monday, June 23, 2008

10 most important Unix Security issues

A good place for security education is the SANS/FBI site (http://www.sans.org/top20/). These are the most important Unix related security issues:

1. Web Server. One of the first places an intruder is going to check is for vulnerabilities in your Apache version and in your CGI scripts.

2. Remote Procedure Calls. RPC services should be shut down if they are not required; they allow a remote user to execute instructions on your computer, and the intruder usually gains root access this way.

3. SNMP (Simple Network Management Protocol). This protocol is known to have had its vulnerabilities, and its passwords can be easily cracked and even more easily captured from the network.

4. SSH (Secure Shell). SSH has been exploited before; if you do not need it you can turn it off, or filter the source IP addresses with TCP Wrappers.

5. Remote Services (Trusted hosts). This was a setup in which machines relied on the IP address of other machines and granted access without asking for a password. The binaries are "rsh", "rcp", "rlogin" and "rexec". They still exist and can be used today, and an attacker can have a party with your machine by using a technique known as "IP spoofing".

6. FTP (File Transfer Protocol). Many vulnerabilities have been found in FTP, both exploits and protocol weaknesses like clear-text password transfer (resolved in SFTP).

7. LPD (Line Printer Daemon). This daemon is also remotely exploitable with the help of an overflow and a shellcode, gaining root access if the server is running as root.

8. BIND/DNS (Domain Name System). DNS flooding, exploits and other attacks exist; if you are going to set up a DNS server, use a firewall to filter any port that you do not want exposed.

9. Sendmail. This mail transfer agent is known for its buffer overflows and remote exploits; though its issues have been resolved, something new always appears. It is recommended to use qmail.

10. Weak Password / No Passwords in the system. I do not need to explain this.

Many people who talk about security talk about the false sense of security one can have in cyberspace. I do not totally agree with them: I very often see that a false sense of insecurity is created as well. The items I listed above create some sense of insecurity and alert, but do not worry; if you are going to run one of these critical services, just keep in mind:

* Use a well-configured firewall (pay more attention to "well configured" than to "firewall").
* Set up an Intrusion Detection and Prevention System correctly.
* Ask a security professional for help; here in Argentina we have very good ones :-)

Saturday, June 21, 2008

Find out the php.ini location in your LAMP setup

In the command line write:

echo "<?php phpinfo(); ?>" | php | grep php.ini

Friday, June 20, 2008

How to enable shadow passwords in Linux

It is important that you use shadow passwords, because this adds another layer of security against password cracking and also makes it possible to set policies about how often the password must be changed.

Using the Linux Shadow Suite
I am going to show you the "chage" command; it changes the number of days between password changes and the date of the last password change.

chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

It is not recommended to modify the /etc/passwd or /etc/shadow files directly, because this could corrupt them if another process writes the files at the same time. To modify the /etc/passwd file, use the vipw command:

Vipw edits the password file after setting the appropriate locks, and does any necessary processing after the password file is unlocked. If the password file is already locked for editing by another user, vipw will ask you to try again later. The default editor for vipw is vi(1).

To list a user's password expiration settings:

$ chage -l walter
Minimum: 0
Maximum: 99999
Warning: 6
Inactive: -1
Last Change: Apr 09, 2004
Password Expires: Never
Password Inactive: Never
Account Expires: Never


Suggestions:

* Set the minimum password length to eight characters.
* Force the users to change their passwords every four to six weeks.
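The values chage reads and writes live in /etc/shadow (shadow(5)): login, hash, then the last-change and account-expiry dates as day counts since 1970-01-01, and the minimum, maximum, warning and inactivity values as day spans. As an added example (not from the original post), here is a parser for that record format that reproduces the dates "chage -l" derives from a record and audits the records against the rotation suggestion above. The records are constructed samples with dummy hash fields.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # shadow(5) stores day counts since this date

# Constructed sample records in /etc/shadow format (the hash fields are dummies):
# login:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
walter:$6$dummyhash:12517:0:99999:6:::
alice:$6$dummyhash:14000:1:42:7:7::
bob:*:0:0:99999:7:::
"""


def _field(value):
    """Empty shadow fields mean 'not set'."""
    return int(value) if value != "" else None


def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) < 8:
        raise ValueError("malformed shadow record: %r" % line)
    keys = ("lastchg", "min", "max", "warn", "inactive", "expire")
    rec = {"login": parts[0], "hash": parts[1]}
    rec.update((k, _field(v)) for k, v in zip(keys, parts[2:8]))
    return rec


def _day(days):
    return (EPOCH + timedelta(days=days)).strftime("%b %d, %Y")


def chage_report(rec):
    """Reproduce the date lines that `chage -l` derives from the record."""
    lastchg, maxd, inact, exp = rec["lastchg"], rec["max"], rec["inactive"], rec["expire"]
    report = {}
    if lastchg is None:
        report["Last Change"] = "Never"
    elif lastchg == 0:
        report["Last Change"] = "Password must be changed"
    else:
        report["Last Change"] = _day(lastchg)
    # chage treats a missing, negative or >= 10000-day maximum as 'never expires'
    never = lastchg in (None, 0) or maxd is None or maxd < 0 or maxd >= 10000
    report["Password Expires"] = "Never" if never else _day(lastchg + maxd)
    if never or inact is None or inact < 0:
        report["Password Inactive"] = "Never"
    else:
        report["Password Inactive"] = _day(lastchg + maxd + inact)
    report["Account Expires"] = "Never" if exp is None or exp < 0 else _day(exp)
    return report


def audit_rotation(shadow_text, max_days=42):
    """Logins whose password is never forced to change within max_days
    (42 days is the post's 'every four to six weeks' upper bound)."""
    flagged = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_shadow_line(line)
        if rec["max"] is None or rec["max"] < 0 or rec["max"] > max_days:
            flagged.append(rec["login"])
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        rec = parse_shadow_line(line)
        print(rec["login"], chage_report(rec))
    print("over policy:", audit_rotation(SAMPLE_SHADOW))
```

The "walter" record reproduces the "chage -l walter" output shown above (last change Apr 09, 2004, maximum 99999, everything else Never), and the audit flags it because a 99999-day maximum means the password is never forced to change.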

Thursday, June 19, 2008

Introduction to Iptables (Part 3)

In this post I am going to explain some iptables features related to UDP. UDP (User Datagram Protocol) has the characteristic of being connectionless.

The packet format is defined in RFC 768. From it can be seen that UDP has no flags like TCP; UDP cares only about the source and destination addresses.

In iptables, UDP is specified with the "-p udp" argument. The same rules as for TCP matching apply: negation and port ranges are allowed:

--sport (--source-port) <port>
--dport (--destination-port) <port>

This rule matches any UDP packet with source port 161 (SNMP):
iptables -A INPUT -p udp --sport 161 -j ACCEPT

This rule logs all packets with a destination port in the range 161 to 180:
iptables -A INPUT -p udp --dport 161:180 -j LOG

To learn more about UDP, see RFC 768.
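Since the header diagram is not reproduced here, the added example below (not from the original post) parses the 8-byte UDP header with Python's struct module, which shows that only ports, length and checksum are available to match on, and then applies the "--sport 161" and "--dport 161:180" tests from this post to constructed datagrams. The port-spec parser also swaps a range written high:low, as iptables does for TCP and UDP alike.

```python
import struct

# RFC 768: the whole UDP header is four 16-bit fields, no flags
UDP_HEADER = struct.Struct("!HHHH")   # source port, destination port, length, checksum


def parse_udp_header(datagram):
    """Split a UDP datagram into its header fields and payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("truncated UDP header")
    sport, dport, length, checksum = UDP_HEADER.unpack_from(datagram)
    # The length field covers header + payload and must fit the data we hold
    if length < UDP_HEADER.size or length > len(datagram):
        raise ValueError("UDP length %d inconsistent with %d bytes" % (length, len(datagram)))
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "payload": datagram[UDP_HEADER.size:length]}


def parse_port_spec(spec):
    """'161' -> (161, 161); '161:180' -> (161, 180).
    Like iptables, a range written high:low is swapped."""
    if ":" in spec:
        lo, hi = (int(p) for p in spec.split(":", 1))
        if lo > hi:
            lo, hi = hi, lo
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("port out of range: %s" % spec)
    return lo, hi


def port_matches(port, spec, invert=False):
    """--sport/--dport test, with optional '!' negation."""
    lo, hi = parse_port_spec(spec)
    hit = lo <= port <= hi
    return not hit if invert else hit


def build_udp(sport, dport, payload):
    """Constructed datagram; checksum 0 means 'not computed' in UDP over IPv4."""
    return UDP_HEADER.pack(sport, dport, UDP_HEADER.size + len(payload), 0) + payload


# The two rules from the post, expressed as predicates over a raw datagram
def rule_accept_sport_161(datagram):
    """iptables -A INPUT -p udp --sport 161 -j ACCEPT"""
    return port_matches(parse_udp_header(datagram)["sport"], "161")


def rule_log_dport_161_180(datagram):
    """iptables -A INPUT -p udp --dport 161:180 -j LOG"""
    return port_matches(parse_udp_header(datagram)["dport"], "161:180")


# Constructed samples: an SNMP-style reply from port 161, and a message to port 162
SNMP_REPLY = build_udp(161, 1024, b"\x30\x00")
TRAP_TO_162 = build_udp(40000, 162, b"\x30\x00")

if __name__ == "__main__":
    hdr = parse_udp_header(SNMP_REPLY)
    print("sport=%d dport=%d length=%d checksum=0x%04x"
          % (hdr["sport"], hdr["dport"], hdr["length"], hdr["checksum"]))
    print("accept rule:", rule_accept_sport_161(SNMP_REPLY),
          "log rule:", rule_log_dport_161_180(SNMP_REPLY))
```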

Wednesday, June 18, 2008

Introduction to Iptables (Part 2)

In my previous post I explained some general packet matching with iptables; now I am going to explain the generalities of TCP packet matching. The commands shown below all match specific values from the TCP packet header, for example the source and destination ports, TCP options and TCP flags (SYN, FIN, etc.).

You use the "--protocol tcp" (or "-p tcp") argument to match TCP packets, and optionally the source port of the packet can be specified with "--sport (--source-port)". The source port can be a numeric value or the name of the port, which must match the port number in the /etc/services file.

Here are two examples:
iptables -A INPUT -p tcp --sport 23 -j REJECT
iptables -A INPUT -p tcp --sport telnet -j REJECT

These rules do the same thing: they reject inbound traffic from TCP port 23 of the remote host. Using port names instead of numbers costs a little more CPU and can be considered a "speed penalty" in large rulesets.

It is also possible to specify a range of ports in the rules, lower and upper port separated by a colon. Here I filter all the ports between 10 and 999:
iptables -A OUTPUT -p tcp --sport 10:999 -j REJECT

All TCP source ports except the 80 are accepted with this rule:
iptables -A INPUT -p tcp --sport ! 80 -j ACCEPT

The same can be done with a range of ports:
iptables -A INPUT -p tcp --sport ! 1024:40000 -j LOG

If the first port is numerically higher than the second, iptables swaps both numbers around automatically.

To specify a TCP destination port, "--dport (--destination-port) [port]" is used, and its rules are the same as for TCP source port matching.

For example, to stop users in your private network from connecting to IRC, supposing that IRC uses the ports between 6667 and 6670, you may want to add this rule:
iptables -A OUTPUT -p tcp --dport 6667:6670 -j REJECT

To match a specific flag in the TCP header, you have to make use of "--tcp-flags [mask] [flags]".

The [mask] argument is a comma-separated list of the flags that should be examined.
The [flags] argument is a list of the flags that must be set; any flag listed in [mask] but not in [flags] must be unset.

The possible flags are: SYN, ACK, FIN, RST, PSH and URG. ALL and NONE are also possible.

In this example, SYN, ACK and FIN are the mask, and SYN is the flag that has to be set:
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN SYN -j ACCEPT

The mask can also be inverted, meaning that the ACK and FIN should be set, but not the SYN:
iptables -A FORWARD -p tcp --tcp-flags ! SYN,ACK,FIN SYN -j ACCEPT

Matching a particular TCP flag:
This is accomplished with the "--syn" option. It is useful because the SYN flag marks the start of a TCP connection, the first step of the "3-way handshake":

iptables -A FORWARD -p tcp --syn -j ACCEPT
iptables -A FORWARD -p tcp ! --syn -j ACCEPT
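The mask/flags semantics are easy to get wrong, so here is an added example (not from the original post) that emulates the "--tcp-flags" test and "--syn" in Python and runs them over the rules from this post. Two things it makes visible: the inverted rule "! SYN,ACK,FIN SYN" fires on every packet that is not "SYN set with ACK and FIN clear", which includes a bare ACK; and "--syn" is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN" (iptables(8)), so it differs from the first rule only on packets that also carry RST. The sample TCP header bytes are constructed.

```python
import struct

# Flag bits as they appear in byte 13 of the TCP header
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F


def flag_bits(spec):
    """Turn an iptables flag list ("SYN,ACK,FIN", "ALL", "NONE") into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name.strip()]   # KeyError on an unknown flag name
    return bits


def tcp_flags_match(pkt_flags, mask, comp, invert=False):
    """--tcp-flags [mask] [comp]: only the bits named in mask are examined,
    and exactly the bits named in comp must be set among them. With '!'
    the whole test is negated, so the rule fires on every packet that
    does NOT look like comp-within-mask."""
    matched = (pkt_flags & flag_bits(mask)) == flag_bits(comp)
    return not matched if invert else matched


def syn_match(pkt_flags, invert=False):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (iptables(8))."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN", invert)


def flags_from_tcp_header(header):
    """Extract the six flag bits from a raw 20-byte (or longer) TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & ALL_FLAGS


def flag_names(bits):
    """Human-readable flag list, e.g. 0x12 -> 'SYN,ACK'."""
    return ",".join(n for n, b in TCP_FLAGS.items() if bits & b) or "NONE"


def build_tcp_header(flags, sport=40000, dport=80):
    """Constructed sample header: data offset 5 words, zero seq/ack/checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    for flags in (0x02, 0x12, 0x10, 0x06):
        print("%-8s rule1=%-5s !rule1=%-5s --syn=%s" % (
            flag_names(flags),
            tcp_flags_match(flags, "SYN,ACK,FIN", "SYN"),
            tcp_flags_match(flags, "SYN,ACK,FIN", "SYN", invert=True),
            syn_match(flags)))
```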

Creating a complete LAMP solution in Centos Linux

Download Apache: httpd-2.2.9.tgz
Download PHP: php-5.2.6.tgz

Uncompress and compile Apache:
./configure --with-pgsql --with-apxs2=/usr/local/apache/bin/apxs --with-xml --disable-dom --without-pear --with-pgsql --with-gd --with-zlib --enable-sockets

Uncompress and compile PHP:
./configure --with-pgsql --with-apxs2=/usr/local/apache/bin/apxs --with-xml --disable-dom --without-pear --with-pgsql --with-gd --with-zlib --enable-sockets --with-mysql

If you get this message:
If configure fails try --with-jpeg-dir==[dir]
configure: error: libpng.(a|so) not found.

Do the following:
Download libpng-1.2.29.tar.bz2 from http://www.libpng.org/pub/png/libpng.html
Uncompress and:
cd libpng-1.2.29
cp scripts/makefile.linux Makefile
make prefix=/usr && make install

Download http://www.zlib.net/zlib-1.2.3.tar.gz, uncompress it, then:
cd zlib-1.2.3
./configure --prefix=/usr && make && make install

To add jpeg support to PHP, download jpegsrc.v6b.tar.gz from ftp://ftp.uu.net/graphics/jpeg/
Uncompress it and:
cd jpeg-6b
./configure --prefix=/usr && make && make install

Now configure PHP with jpeg and postgresql support:
./configure --with-pg --with-apxs2=/usr/local/apache/bin/apxs --disable-dom --without-pear --with-pgsql --with-gd --with-zlib --enable-sockets --with-jpeg-dir=../jpeg-6b/

Tuesday, June 17, 2008

Introduction to Iptables usage in Linux


I am going to explain the generic matches, the ones that apply to all IP packets. In general, the match pattern looks like "-s (--src, --source)".

For example:
iptables -A INPUT -s 10.10.10.5 -j DROP

The IP address could also be a hostname; in that case it is resolved to an IP address before the rule is added to the chain. The IP address field could also be a range of addresses using a netmask. This instruction is applied to the INPUT chain, but it could also be used in the OUTPUT chain if the machine has more than one IP address.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

This instruction matches the first 24 bits of the address, that is, the addresses between 10.10.10.0 and 10.10.10.255.

iptables -A INPUT -s ! 10.10.10.5 -j DROP

The exclamation mark negates the IP address; this matches the packets whose source IP is not 10.10.10.5.

The "-d (--dst, --destination)" option matches the destination address of the packets and is generally used on the OUTPUT chain. The same rules as for the -s option apply (the address can be a hostname, a single IP address or a range, and it can be negated). For example:

iptables -A OUTPUT -d ! 10.10.10.4 -j REJECT

The "-i (--in-interface)" option specifies on which network interface the rule should take effect, for example "eth0". This option can be used in the FORWARD, INPUT and PREROUTING chains. The network interface also accepts wildcards: a trailing "+" matches every interface whose name starts with the given prefix. For example, if you want to filter all the traffic from a private address such as 10.10.10.2 on all the interfaces:

iptables -A INPUT -s 10.10.10.2 -i eth+ -j DROP

This would drop all packets arriving on eth0, eth1, eth2, etc. (iptables uses "+" for the wildcard, not the shell's "*", which the shell would expand before iptables saw it.)

A final "-p" option allows you to work with a specific protocol; for example, if you want to drop all UDP packets:

iptables -A INPUT -p udp -j DROP

The protocols that can be used are:
TCP, UDP, ICMP and ALL (for all protocols).
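To show how these generic matches combine, and how a chain is actually evaluated (rules are tried in the order they were appended, the first terminating match decides, and the chain policy applies when nothing matches), here is an added example (not from the original post) that emulates "-s", "-d", "-i" and "-p" in Python with the standard ipaddress module and walks the INPUT rules from this post. The packets are constructed; the interface wildcard follows the iptables convention of a trailing "+".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One rule with the generic matches from the post; None means 'any'."""
    target: str                        # ACCEPT, DROP, REJECT or LOG
    src: Optional[str] = None          # -s: address or CIDR range, e.g. 10.10.10.0/24
    dst: Optional[str] = None          # -d
    in_iface: Optional[str] = None     # -i: exact name, or prefix with trailing '+'
    proto: Optional[str] = None        # -p: tcp, udp, icmp, all
    negate_src: bool = False           # -s ! addr
    negate_dst: bool = False           # -d ! addr


def addr_matches(pkt_addr, rule_addr, negate=False):
    """-s / -d: a single address is a /32, a range is written with a netmask."""
    if rule_addr is None:
        return True
    hit = ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr, strict=False)
    return not hit if negate else hit


def iface_matches(pkt_iface, rule_iface):
    """-i: iptables wildcards are a trailing '+', so eth+ covers eth0, eth1, ..."""
    if rule_iface is None:
        return True
    if rule_iface.endswith("+"):
        return pkt_iface.startswith(rule_iface[:-1])
    return pkt_iface == rule_iface


def proto_matches(pkt_proto, rule_proto):
    """-p: 'all' (or no -p at all) matches every protocol."""
    return rule_proto in (None, "all") or pkt_proto == rule_proto


def rule_matches(rule, pkt):
    return (addr_matches(pkt["src"], rule.src, rule.negate_src)
            and addr_matches(pkt["dst"], rule.dst, rule.negate_dst)
            and iface_matches(pkt["iface"], rule.in_iface)
            and proto_matches(pkt["proto"], rule.proto))


def evaluate_chain(rules, pkt, policy="ACCEPT"):
    """Walk the chain in order; the first terminating match decides, otherwise
    the chain policy applies. LOG only records and lets traversal continue.
    Returns (verdict, logged)."""
    logged = False
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.target == "LOG":
                logged = True
                continue
            return rule.target, logged
    return policy, logged


# The INPUT rules from this post, in the order they were appended (-A)
INPUT_CHAIN = [
    Rule("DROP", src="10.10.10.5"),
    Rule("DROP", src="10.10.10.0/24"),
    Rule("DROP", src="10.10.10.2", in_iface="eth+"),
    Rule("DROP", proto="udp"),
]

if __name__ == "__main__":
    # Constructed packets: (source, protocol, inbound interface)
    for src, proto, iface in (("10.10.10.77", "tcp", "eth0"),
                              ("192.168.1.9", "udp", "eth1"),
                              ("192.168.1.9", "tcp", "eth1")):
        pkt = {"src": src, "dst": "192.168.1.1", "iface": iface, "proto": proto}
        print(src, proto, iface, "->", evaluate_chain(INPUT_CHAIN, pkt))
```

Note that the third rule never fires in this chain: 10.10.10.2 is already inside 10.10.10.0/24, so the second rule drops it first. Ordering mistakes of this kind are why a ruleset is worth walking through with sample packets before it is loaded.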

Monday, June 16, 2008

Analysing logs in Linux

Part of the security and sysadmin tasks is log analysis and decision making. There is plenty of information at http://www.linux.org/apps/all/Administration/Log_Analyzers.html.

The tool I recommend is called "Lire". It allows the creation of reports in several formats, including HTML, PDF and XML, among others. It can also analyze many log file formats, including MySQL, iptables, BIND, Apache, Qmail, Postfix, syslog and more. Lire is GPL'ed Free Software (and Open Source), built around the idea of extensibility.

This tool is available from http://www.logreport.org/lire. It has been developed in Perl, and I recommend you install all the dependency modules with CPAN (type "perl -MCPAN -e shell" on the command line as root).

Sunday, June 15, 2008

Logging on a remote server with syslog

Hi, logging to a remote host is a good security feature, because an attacker would also need access to that host to delete the logs, and this adds another security layer to the architecture you build.

Linux logging facilities are managed mostly by the syslog Daemon. Syslog uses the configuration file /etc/syslog.conf to know where to log every system message.

If you want to log to a remote host, add this line to syslog.conf:

auth.*;authpriv.*    @192.168.100.7

The syslog daemon must be running on the 192.168.100.7 host, and it must also be listening for messages that come from the network. It is important to know that this feature is "off" by default: you have to start syslogd with the "-r" argument to enable it.

To force syslog to re-read syslog.conf, send a SIGHUP signal to syslog.

Happy logging !

Saturday, June 14, 2008

Loading modules in RHEL 3.0 and prior Linux versions

In RHEL 3.0, when you install a new module you may be tempted to put it in the modules.conf file. This may not work, because the modules are not in the initrd boot image.

The solution is to create a new file called /etc/rc.modules which loads the modules. This file does not exist by default, but if you look at /etc/rc.d/rc.sysinit you will see that it checks for the existence of the file and, if it exists, executes it:

# Load modules (for backward compatibility with VARs)
if [ -f /etc/rc.modules ]; then
    /etc/rc.modules
fi

This is the procedure to create the file:

echo "modprobe qla2300" >> /etc/rc.modules
echo "modprobe qla2300_conf" >> /etc/rc.modules
chmod 700 /etc/rc.modules