Forcing ssh login via s/key

In the back of my mind are the recent attacks against Google and others by the Chinese government.  I keep asking myself how I would set up and defend against such attacks, and more importantly mitigate them. The end goal of this exercise for me is to limit Internet access to devices that have authenticated to the gateway/proxy.  Thus when the user logs out of their workstation for the day and goes home, their computer is now cut off from the Internet.

I’ve thought about using key based authentication.  Trick is, if the system has a keyboard logger installed, then both the keys and the passphrase protecting the keys can be stolen.  Harder than most, but not foolproof.

I’m thinking of a case where the user’s computer is compromised by someone external to the company.  At this point my intent is to limit the ability of the computer to access the Internet.  If the computer cannot talk with the Internet then the person who compromised the system cannot get data out of the company network.

At this point the solution in my head was to use authpf, ssh, and s/key.  I would prefer that users not have a local password.  Instead they can only use s/key to login.  I also would prefer that users don’t have to type user:skey@host and instead just user@host and have s/key forced upon them.  I created a new login class, a new user, and had s/key as the authentication method for the class.  I assigned the user to the class.  Then I ran ‘su - user’ and tried skeyinit, but the “user” then gets prompted for their password.  Because their login class requires s/key, the password being requested is an s/key password.  A catch-22.  :(

If you’re reading this and have a suggestion or idea on how I might work around this or otherwise accomplish my goal, please leave a comment.

Quick MySQL backup script

I now and again add/delete websites and their corresponding databases to my server(s).  I use the following script to back up the databases.  Using this I don’t have to worry about remembering to change the script to capture a new database or to stop looking for a deleted one.  The script (which runs as root) learns the databases from mysql just before doing the backups.

#!/bin/sh
# Dump every database MySQL currently reports, one bzip2-compressed file per
# database, named with a UTC timestamp so repeated runs never overwrite each other.
cd backups/ || exit 1
for DB in $(echo "show databases;" | mysql | grep -v '^Database'); do
    mysqldump --add-drop-table "$DB" | bzip2 -c > "$DB.$(date -u +%Y%m%d-%H:%M:%S).sql.bz2"
done

iPhone – ip forwarding YES

As I tweeted earlier, I was poking around my jailbroken iPhone and discovered IP forwarding does work.  I’ve been searching for ways to tether my iPhone to various computers.  I was able to use OpenSSH and establish a SOCKS proxy yesterday.  That works nicely and, given the “Location” feature of OS X and the Profile support of Firefox, that does provide a decent solution.

Problem is that Mail.app does not like to speak IMAPS over a port forwarding SSH tunnel.  Actually, it may have been SMTPS over an SSH tunnel that it dislikes completely, which I never did figure out or understand why. From a packet perspective they go into the tunnel and come out.

I’m looking to set up my iPhone as an IP router for my computers.  Now that I know the phone is capable of IP forwarding it is just a matter of getting the rest of the stuff set up. Ideally I want to set up an SSH VPN between my portable computer and my server.  Then all of my traffic will be encrypted until it exits at my server, at which point I don’t care.

I’m going to continue exploring the possibilities of the iPhone as a router and also as a stealth attack device.  From Cydia, the usual network goodies (nmap, netcat, tcpdump and others) are now installed on my phone.

Yes, I’ve changed the default root password from ‘alpine’ to something else.  I go a step further on any public facing SSH enabled devices: I only allow key based authentication.

If you have any tips or suggestions let me know.

idea for authpf

I know some sites trust their servers and let the servers talk to anywhere on the Internet or internally.

Just had a thought: instead, all servers should be blocked for all traffic except business-needed traffic. What about updates? The servers need to go fetch updates (in those cases where the patches/updates are not handled in a centralized way). Give those who are responsible for patching servers an authpf account that grants the servers permission to go get updates.

When the sysop logs out of the gateway system the rules are reverted back to a very restricted state. The nice part is that this will work 24×7 and the firewall admins need not be around to change the rules.

To further contain possible unwanted behavior, give each application owner their own ID and limit that ID to the specific IPs of the application servers.

What do you think?
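As an added illustration of the scheme above (example configuration, not from the original post), here is one way to express it in pf: the server subnet is blocked by default, and a per-user authpf rule set exists only while the patching account is logged in. The interface names, subnets and mirror address are assumed values.

```pf
# --- /etc/pf.conf (excerpt) ---
# Assumed: em0 faces the Internet, em1 faces the servers, 192.0.2.0/24 is the
# server subnet and 198.51.100.0/24 holds the hosts the servers need for business.
ext_if   = "em0"
int_if   = "em1"
servers  = "192.0.2.0/24"
business = "198.51.100.0/24"

# Assumed: all filtering for this example happens at the external interface.
pass on $int_if

# Default posture for the servers: business peers only. Everything else is
# blocked and logged, so unexpected outbound attempts show up in pflog.
block log on $ext_if from $servers to any
pass on $ext_if from $servers to $business

# authpf loads each logged-in user's rules into a sub-anchor here. pf is
# last-match-wins, so rules in the anchor override the block above while the
# user is logged in; on logout authpf flushes that sub-anchor and the block
# is all that remains, with no firewall admin involved.
anchor "authpf/*"

# --- /etc/authpf/users/patcher/authpf.rules ---
# Loaded only while the account 'patcher' (login shell /usr/sbin/authpf, listed
# in /etc/authpf/authpf.allow) is logged in. /etc/authpf/authpf.conf must exist,
# even if empty. Macros are not inherited from pf.conf, so they are repeated.
# 203.0.113.20 is an assumed update mirror.
ext_if  = "em0"
servers = "192.0.2.0/24"
mirror  = "203.0.113.20"
pass out on $ext_if proto tcp from $servers to $mirror port { 80 443 }

# --- /etc/authpf/users/appowner1/authpf.rules ---
# Per-application owner account: same idea, limited to that application's
# servers (assumed addresses) rather than the whole subnet.
ext_if = "em0"
app1   = "{ 192.0.2.10 192.0.2.11 }"
mirror = "203.0.113.20"
pass out on $ext_if proto tcp from $app1 to $mirror port { 80 443 }
```

While a user is logged in, `pfctl -a "authpf/patcher(<pid>)" -sr` shows the rules that were loaded for that session, and `pfctl -a "authpf/*" -sr` lists everything authpf currently has in place.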

Capturing packets with a router

I came across this story of how to capture packets using a Cisco router.  Nice when you don’t have any alternatives.