Sunday, 21 June 2009

Using dd for a secure disk wipe

The best tool I know of for wiping disks is DBAN, which boots from CD and can wipe all attached hard drives to MOD standards. If you are serious about wiping your data forever then I strongly recommend you look at DBAN. Or take the drive apart and physically destroy the platters. For a quicker homemade version read on. Bear in mind that a small mistake here can COMPLETELY AND IRRETRIEVABLY DESTROY ALL YOUR DATA! You have been warned.


UPDATE: This is unlikely to be as effective on newer SSD-based drives because of their wear-levelling technology.

To wipe a disk (e.g. sda) use the following (multiple times if paranoid):
# dd if=/dev/urandom of=/dev/sda ; sync
Or a quicker version which is not as secure but should be fine unless you have pissed off GCHQ or similar (in which case it's probably already too late anyway):
# dd if=/dev/zero of=/dev/sda ; sync
To check progress, find the PID of the dd process and send it SIGUSR1 with kill; GNU dd then prints the amount copied so far to its stderr:
# ps -A | grep dd
# kill -USR1 <pid>
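The wipe and progress check described above, as an added example that is not from the original post: it adds the guard and the verification a practitioner wants (refuse a mounted device, read the target back afterwards). Function names, the use of a regular file as a stand-in for a disk, and the SIGUSR1-only-for-GNU-dd check are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the original post): the dd wipe described above,
# with two guards. It refuses to touch a device that is currently mounted or
# used as swap, and it reads the target back afterwards to confirm the
# zero-wipe reached every byte. Works on a regular file (used here for
# testing) or, as root, on a block device such as /dev/sdX.
set -u

# is_in_use TARGET -> 0 if TARGET appears as a mounted device or active swap.
# Caveat: a device mounted via another path (LVM, /dev/disk/by-uuid) is not caught.
is_in_use() {
    { [ -r /proc/mounts ] && grep -q "^$1 " /proc/mounts; } && return 0
    { [ -r /proc/swaps ]  && grep -q "^$1 " /proc/swaps;  } && return 0
    return 1
}

# wipe_target TARGET [zero|random]: overwrite TARGET, then sync.
# Progress is requested with SIGUSR1 as in the post; only GNU dd understands
# that (BSD dd uses SIGINFO and would die on USR1), so it is sent only to GNU dd.
wipe_target() {
    target=$1 pattern=${2:-zero} src=/dev/zero
    [ "$pattern" = random ] && src=/dev/urandom
    if is_in_use "$target"; then
        echo "refusing to wipe $target: it is mounted or in use" >&2
        return 2
    fi
    if [ -b "$target" ]; then
        dd if="$src" of="$target" bs=1048576 &            # stops at end of device
    else
        size=$(wc -c < "$target" | tr -d ' ')             # bound the write to the file size
        head -c "$size" "$src" | dd of="$target" bs=1048576 conv=notrunc &
    fi
    ddpid=$!
    dd --version >/dev/null 2>&1 && kill -USR1 "$ddpid" 2>/dev/null
    wait "$ddpid" || true
    sync
}

# verify_zeroed TARGET -> 0 if no byte other than 0x00 remains.
verify_zeroed() {
    nonzero=$(LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}
```

On a real disk, run verify_zeroed on the device node after the wipe; a non-zero result means the overwrite did not complete.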

Monday, 15 June 2009

NTP time setup on Windows

Main NTP server I use: 0.uk.pool.ntp.org. To find a suitable server pool for your location visit http://www.pool.ntp.org/en/ and browse the active servers (on the right).

To update the time on a domain computer from the PDC use the following command (can take a few minutes to actually take effect):
# w32tm /resync
To identify the current time server:
# net time /querysntp
To set the time server:
# w32tm /config /manualpeerlist:<server name> /syncfromflags:manual /reliable:yes /update
To reset the ntp server to the domain controller:
# w32tm /config /syncfromflags:domhier /update
To report on time difference between current computer and server:
# w32tm /stripchart /computer:<servername> /samples:5 /dataonly

Wednesday, 10 June 2009

Runlevels and services in linux

Redhat
To list all services:
# chkconfig --list
To turn a service on/off:
# chkconfig [service] [on|off]
Debian
To start automatically on boot:
# update-rc.d [service] defaults

Monday, 8 June 2009

Linux local user account password policies

Set up a password policy
NOTE: Tested on Red Hat ES5 only so far; it should work on all Linux distributions.
This will set up a password policy requiring a minimum of 8 characters with at least one each of [uppercase|lowercase|numbers|symbols]. Passwords expire after 90 days, and if not reset within a further 7 days the account is inactivated. Warnings are issued from 7 days before password expiry. This is all for local accounts only, not domain accounts.

Edit /etc/pam.d/system-auth
Edit the password line so it looks as follows:
password requisite pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
ucredit is uppercase, lcredit lowercase, dcredit digit (numbers) and ocredit is other (symbols). By giving a negative number you are requiring at least that many of each type.

Edit /etc/login.defs
Set the following values, all fairly self-explanatory:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
Edit /etc/default/useradd
Sets how long after the password expires before the account is locked:
INACTIVE=7
Enable password history to prevent reuse
These 3 steps will probably have been done by system install, check anyway.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
Edit /etc/pam.d/system-auth and add to the line as shown below:
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=24
Lock account after set number of invalid passwords
# touch /var/log/faillog
# chown root:root /var/log/faillog
# chmod 600 /var/log/faillog
Edit /etc/pam.d/system-auth.
Directly under "auth required... pam_env.so" add:
auth required pam_tally.so onerr=fail deny=6 no_magic_root unlock_time=1800
Directly under last "account required" add:
account required pam_tally.so no_magic_root
Manual commands
Manually set for pre existing user accounts
To show current settings on account:
# chage -l [username]
For pre-existing users you need to manually update their password ageing settings for this to take effect:
# chage -m0 -M90 -I7 -W7 [username]
m=min age, M=max age, I=inactive after period, W=warn period before expire, all in days
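An added example, not from the original post, covering the pam_cracklib line set up above: a shell model of the minlen/credit rule, so you can test which passwords the configured line would accept before applying it. It goes beyond the post's negative-credit case and also implements positive credits (the module's default), which is why a 7-character password can pass minlen=8 with default settings. Function names are this example's own, and it deliberately ignores cracklib's dictionary and similarity checks.

```sh
#!/bin/sh
# Added example (not from the original post): a simplified model of the
# pam_cracklib length rule. Dictionary and similarity checks are not modelled.

# count_class PASSWORD TR_SET -> number of characters in PASSWORD within TR_SET
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_accepts PASSWORD MINLEN UCREDIT LCREDIT DCREDIT OCREDIT
# Returns 0 if the password satisfies the rule, 1 otherwise.
# Negative credit: at least that many characters of the class are required.
# Zero/positive credit: each character of the class adds one to the
# effective length, capped at the credit value (pam_cracklib's default is 1).
cracklib_accepts() {
    pw=$1 minlen=$2
    size=${#pw}
    set -- "$3" "$4" "$5" "$6"
    for cls in 'A-Z' 'a-z' '0-9' OTHER; do
        credit=$1; shift
        if [ "$cls" = OTHER ]; then
            n=$(printf '%s' "$pw" | LC_ALL=C tr -d 'A-Za-z0-9' | wc -c | tr -d ' ')
        else
            n=$(count_class "$pw" "$cls")
        fi
        if [ "$credit" -lt 0 ]; then
            [ "$n" -ge $(( -credit )) ] || return 1   # hard minimum for this class
        else
            bonus=$n
            [ "$bonus" -gt "$credit" ] && bonus=$credit
            size=$(( size + bonus ))                   # credit towards minlen
        fi
    done
    [ "$size" -ge "$minlen" ]
}

# The policy from this post: minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
policy_accepts() { cracklib_accepts "$1" 8 -1 -1 -1 -1; }
```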

Force expire a user's password
To force a password to expire and therefore require a new password from the user at next login (useful with new accounts where you want the user to change the password immediately to something they will remember):
# chage -d0 [username]
Show a count of all failures
# faillog -a
To clear failed passwords for a user
# faillog -u [username] -r

GPG - Public private key encryption

GPG is a good tool for encrypting with public/private key cryptography. I tend to create a signing key with no expiry and then add encryption keys which expire after one year. Adding additional encryption keys is done using the addkey command. Many people either create a whole key pair that never expires (not quite as secure) or create a whole new key pair every year (paranoid?). As ever, the less often you change things the less secure you are, but unless you are encrypting military secrets or similar GPG is probably more than adequate.

Usage

Generate new key
# gpg --gen-key
To list keys
# gpg --list-keys
Using keyservers
To find a key on a keyserver use the following command. A list of all matching keys will be displayed, along with the option to select which you wish to import:
# gpg --search-keys 'domain.com'
To update keys on your keyring to the latest version on the keyservers run the following command:
# gpg --refresh-keys
Edit a GPG key
# gpg --edit-key 01234567
->Trust (sets the trust level on a key)
->lsign (signs locally - will not export to key servers)
->quit

To encrypt a file
# gpg -e -r person-who-is-allowed-to-decrypt@domain.com [file]
--batch - batch mode, will not prompt for anything, will just work or fail
--armor - ASCII armour the file (uses only "normal" characters, so it is less likely to be corrupted by a system which tries to interpret it; makes the resultant file bigger)
--always-trust - automatically trust recipients for this encryption. Useful for eg scripts where you do not want to have to create a private key and sign the recipient keys, and don't want to hit "y" to override this check each time.

To decrypt a file
# gpg -d [file]
To setup GPG for automatic encryption of a file with cron first install GPG and import the keys we need from keyservers:
$sudo yum install gpg
$sudo -H gpg --keyserver keyserver.ubuntu.com --search-keys <name_of_person_or_company>

The -H is required for sudo to use root's $HOME; otherwise it tries to use the current user's $HOME and fails with bad permissions. Import any keys you need and repeat for all required keys.
Now you can run the following in root's crontab inside a script to encrypt a file using GPG:
gpg --batch --always-trust -e -r email.of@recipient <file to encrypt>

Tuesday, 2 June 2009

Identify processes running on a network port

If you want to check what process is using one of your network ports a good utility to use is netstat:

[root@sideshow ~]# netstat -natup | grep 161
udp 0 0 0.0.0.0:161 0.0.0.0:* 9580/snmpd
In this example I checked port 161 and found that snmpd (a network monitoring program) was running on the port.  You could also grep for "apache" to see what ports apache is listening on.

Exchange 2003 SSL with different local and FQDN

If using a different SSL FQDN for external access compared to the internal hostname then it will not be possible to edit settings in Exchange System Manager; it fails with the error c103b404. Editing IIS exchadmin & public folders should fix it but often does not. You can manually force the fix using the ADSIEDIT MMC plugin: browse to the config setting & remove :443:.
Full instructions in experts exchange question 22939627

SSH Tunnels

SSH tunnels provide encrypted tunnels over the internet and can also tunnel through many firewalls - effectively it is a VPN.

Options:
-R - connections to remote server will be tunneled
-2 - Use ssh version 2 (more secure)
-NX - Don't execute any remote commands, just create tunnel
-f - Background process
-C - use compression
# ssh -R 1234:local-server:80 username@remote-server
With the above command anyone connecting to remote-server:1234 will be redirected to local-server:80 as seen from the machine initiating the ssh connection.

Autossh
Autossh can be used to maintain a ssh tunnel, bringing it back up automatically if it fails.

Options as above with addition of:
-M - monitoring port to use
# autossh -2 -fN -M 2000 -R1234:localhost:80 user@remote-server

SSH auto login key generation

To generate a key for SSH login purposes run the following on the computer you want to log in FROM. The key files will be created in the user's ~/.ssh/ directory.
# ssh-keygen -t rsa (Could also use -t dsa)
Enter a passphrase if required; if intending to use the key for an automated account then leave the passphrase blank (in which case I STRONGLY recommend you also restrict the command as shown further down). Copy the *.pub file to the remote server and then add the key to the authorized keys file of the remote user. Also check the permissions are set correctly or it will not work.
# cat *.pub >> ~/.ssh/authorized_keys2
# chmod 600 authorized_keys2
Login with the following to see verbose errors etc:
# ssh -v user@remotehost
It is possible to restrict the command which can be run with this type of connection to increase security. This lets you allow only a specific rsync command, for example, so if the key is compromised the damage that can be done is limited. To enforce this, edit the beginning of the authorized_keys file as shown below, replacing the command with the one you want to be run and the key with the correct key.
command="rsync --server -vlogDtprc . /var/www/html" ssh-dss AAAAB3Nz…[rest of key goes here]
See also: SSH tunnels post
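A small audit for the forced-command restriction described above, as an added example that is not from the original post: it reads an authorized_keys file and reports every key that lacks a command="..." option, which is the check to run on automated accounts that use passphrase-less keys. The function names and the key material in the comments are this example's own (constructed, not real keys).

```sh
#!/bin/sh
# Added example (not from the original post): report authorized_keys entries
# without a forced command. Handles the OpenSSH line layout:
#   [options] keytype base64 [comment]
# Options, when present, sit before the key type, so the comment field is
# never mistaken for an option.

# line_has_forced_command LINE -> 0 if LINE carries a command="..." option.
line_has_forced_command() {
    case $1 in
        ssh-*|ecdsa-*|sk-*) return 1 ;;   # starts with the key type: no options at all
    esac
    opts=$1
    for kt in ' ssh-' ' ecdsa-' ' sk-'; do
        opts=${opts%%"$kt"*}               # keep only the text before the key type
    done
    case $opts in
        *command=\"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# unrestricted_keys FILE -> prints each key lacking a forced command and
# returns how many were found (0 means every key is restricted).
unrestricted_keys() {
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        if ! line_has_forced_command "$line"; then
            count=$(( count + 1 ))
            printf 'unrestricted: %s\n' "$line"
        fi
    done < "$1"
    return "$count"
}
```

Run it as `unrestricted_keys ~/.ssh/authorized_keys` on the account in question; for a purely automated account, any output is something to fix.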

Troubleshooting:
Check the file permissions of all the key files (and directories), as if they are incorrect it will fail with an unhelpful error message.
Note that password expiry policies still apply even if only using keys. The account will still block logins and enforce a password change even if you are trying to login with a key file - not what you want to happen on an automated account...
Check the spelling of the file "authorized_keys" - the number of times I have typed "authorised_keys" by mistake....

Monday, 1 June 2009

Redhat useful commands

To find installed version of a package
# rpm -qa | grep [package]
Configure networking on RedHat
# /usr/sbin/system-config-network
Configure firewall and SELinux on RedHat
# /usr/sbin/system-config-securitylevel-tui

Red Hat ES4
# rpm -e [packagename] -> Uninstall package
# up2date --nox -u -> Updates all packages
# up2date --nox -i [package_name] -> Installs package
# up2date --nox -d [package_name] -> Downloads package only
# up2date --showall | grep [package_name] -> Shows versions of packages available
# up2date --configure --nox -> Configure settings eg skip lists
Red Hat ES5
# yum list updates
# yum update
# yum list firefo*
# yum install [package]
# yum remove [package]