Wednesday, November 3, 2010

Stuxnet Virus Worm - Cyber Attack False Flag by Iran

I got this from Study4cyberwar. This site is dedicated to cyberwar information. They have some good information to keep you updated.
Read more

Sunday, June 20, 2010

Using ClamAV to Protect Your Windows Clients

ClamAV can scan incoming emails and you also can configure Squid web proxy to use ClamAV as well. One of the coolest options is that Samba can be configured to use ClamAv to scan files when they are accessed. Note: Using ClamAV on your Linux servers to sanitize oncoming data to filter email and HTTP traffic won't make you completely safe so I advise to still have a local anti-virus program installed on those Windows PC. Most distros have ClamAV in the repository except for RHEL and CentOS so if you have them installed just search the web for the RPMs. ClamAV supports a server mode making it avaiable to other available systems on the network. With this feature you can have one centralized ClamAV server that is kept up to date and has some horsepower to be used by other machines, such as an email server to scan for viruses without bogging down your email server.
To get started install claman-scanner-sysvinit package on Fedora or Clamav-daemon on Debian based systems. On Fedora the clamd conf file (/etc/clamd.d/scan.conf) will need to be edited by uncommenting the TCPScoket and TCPAddr lines.
One of the important things that has to be done is updating the signatures of the antivirus. The majority of antivirus scanners rely on signatures to detect viruses; very few scanners implement heuristic or behavior-based monitoring which I believe to be the better choice. To update ClamAv with the up to date signatures install the clamav-update package on Fedora or the clamav-freshclam on Debian. The configure file in /etc/clamav/freshclam.conf is used for updating info. Then you can add freshclam to a cronjob so it can run regularly and notify you of the results:

0 * * * * /usr/bin/freshclam | mail -s "freshclam update info"

Note: To make sure clamd has the most up to date signatures you need to configure freshclam to send a "RELOAD" command to it.
Fedora: NotifyClamd /etc/clamd.d/scan.conf
Debian: NotifyClamd /etc/clamav/clamd.conf

Getting email protection is simple as installing clamsmtp,it will act as a proxy and filter email. In todays world one of the most popular techniques for creating botnets is by what is called "drive-by" downloads. That is where an attacker inserts malicious content into a web page and then infects several hundred or thousands Windows clients that are then compromised and taken over; the answer to that is to use Squid web proxy and install c-icap; basically ICAP is like Milter for Sendmail, in that it allows the offload of antivirus processing to a different server.

Now we move on to Samba protection. What happens when someone brings a removable media with a virus onboard, and it copies itself onto the file server in hoping to infecting others? The samba-vscan module adds on-access scanning for Samba. The minute a file with a virus is accessed it should be detected and block access to the file. Samba-vscan is not in Debain so you can get it at Open
Read more

Wednesday, May 12, 2010

Controlling login attempts with PAM (Pluggable Authentication Module)

It is generally a good and sensible practice to lock out a user after a number of failed login attempts, with some exceptions. You don't want to give an intruder unlimited attempts, but you don't want clumsy users pestering you all the time for login resets. And users who wish to play practical jokes locking out other users by trying to su to a different user's account, and failing on purpose.

On Debian, add this line to /etc/pam.d/common-auth:

auth required onerr=fail no_magic_root

And this line to /etc/pam.d/common-account:

account required onerr=fail deny=3 reset no_magic_root

On Red Hat, add the above two lines to /etc/pam.d/system-auth. This gives users three chances to log in, then locks them out if they fail. The no_magic_root option is very important -- this prevents the root user from being locked out. In this era of great bootable rescue disks like Knoppix, that's nowhere near the catastrophe it used to be.

When the offending user has sufficiently soothed your upset sensibilities, restore access this way:

# pam_tally --user doofusfred --reset=0
user doofusfred (1006) had 29

It even tattles on how many times the user tried to login.
Read more

Working with User and Group Management

Group Commands

Group definitions reside in the /etc/group file. A standard Linux /etc/group file contains the following information: groupname:x:groupid:user list.

The “x” in the group definition file is a deprecated placeholder for a group password.

To find out which groups you belong to, type groups at a command prompt.

$ groups
khess rdpusers
By default on most Linux systems, when an administrator creates a new user account, the system automatically creates a group account with the same name as the user account. An SA can specify a group when he creates the account but the group must already exist.

Here are two illustrative examples:

# useradd fred

# grep fred /etc/passwd

# grep fred /etc/group
# useradd -g 100 -c "Bob Alobdob" bob

# grep bob /etc/passwd
bob:x:505:100:Bob Alobdob:/home/bob:/bin/bash

# grep bob /etc/group
Why did the system return no response when you typed in grep bob /etc/group? It’s because the users group is Bob’s primary group. If users were a secondary group, Bob’s username would appear in the list. For example, create a new user with rpdusers (Group ID 504) as a secondary group.

# useradd -G 504 -c "Jon Shmon" john

# grep john /etc/passwd
john:x:506:507:Jon Shmon:/home/john:/bin/bash

# grep john /etc/group
A group must exist before you assign users to it. The groupadd command creates new groups with a specific Group ID (GID) and name.

# groupadd -g 1040 accounting

# grep 1040 /etc/group

You may also create a new group with just a group name and the system will assign a GID for you with the command, # groupadd groupname.

The groupmod command allows you to change the group name but the SA will have to change any files associated with the old group manually.

# groupmod -n accounting beancounters
# grep 1040 /etc/group
Note: Don’t confuse chgrp (changes group permissions) with groupmod (changes the name of a group).

You can remove a group with the groupdel command.

# groupdel beancounters
If you prefer to edit configuration files directly, although you shouldn’t, the vigr command edits the /etc/group file in a safe manner by setting locks so that only one administrator at a time can edit the file.

Administrators rely heavily on the “group” commands for group administration, user administration and in scripting those functions for automated solutions.

User Commands

I call this collection of utilities the “user” commands because their functionality centers on user administration and not on action taken by the users themselves. Even if a user knows the location of these commands (/usr/sbin), they still can’t issue them without root privilege.

For example, a clever user on your system tries to issue useradd and vipw.

$ /usr/sbin/useradd steve
useradd: Only root may add a user or group to the system.

$ /usr/sbin/vipw
vipw: Couldn't lock file: Permission denied
vipw: /etc/passwd is unchanged
The User commands have their Group analogs; you add a new user with useradd, modify a user account with usermod and delete a user account with userdel. And you edit the /etc/passwd file directly with vipw. You’ve already seen the useradd command in action in the Group Commands discussion.

The usermod allows Admins to alter any user account attribute including the user’s real name (comment field), home directory name, account expiration date, disabling functionality, group add and change, login name, account locking and unlocking, alter the user’s shell and more.

# grep khess /etc/passwd
khess:x:500:500:Kenneth Hess:/home/khess:/bin/bash

# usermod -c "Ken Hess" khess

# grep khess /etc/passwd
khess:x:500:500:Ken Hess:/home/khess:/bin/bash
The usermod command requires some restraint and careful typing when issuing commands that can make a user account unusable. Let’s say that Bob Alobdob, from an example in the Group discussion, wants his login name and home directory changed to robert.

# usermod -d "/home/robert" -m -l robert bob

# grep robert /etc/passwd
robert:x:505:100:Bob Alobdob:/home/robert:/bin/bash
Notice how I explicitly entered “/home/robert” in the command? If you don’t specify the whole path, Robert won’t have a home directory nor will its contents exist anymore. The command, as shown, changes his current home directory from /home/bob to /home/robert, his login from bob to robert and the -m moves the contents of his “bob” home directory to his “robert” home directory. User permissions change to robert as well for all files in his home directory.

Note: You cannot change the login name of a currently logged in user.

The userdel command’s function might seem obvious to you but you might surprise yourself after issuing the command to find that the user’s home directory is still intact.

Why would any programmer allow that directory to remain as clutter on your home filesystem? This is actually a failsafe mechanism and you should thank the thoughtful programmer who maintains userdel.

What if two user names only differ by a single letter and you removed the wrong one? The incorrectly deleted user’s home directory and files were wiped from the system with a slip of your finger. With the failsafe mechanism in place, you have to manually remove the home directory and hopefully you would catch your error before doing so.
Read more

Saturday, April 24, 2010

Reset the MySQL root password on Ubuntu/Debian Linux

How to change the MySQL root password. Enter the following lines in your terminal.

Stop the MySQL Server.
sudo /etc/init.d/mysql stop

Start the mysqld configuration.
sudo mysqld --skip-grant-tables &

Login to MySQL as root.
mysql -u root mysql

Replace YOURNEWPASSWORD with your new password!
Read more

Sunday, April 11, 2010

Preventing SSH Attacks With DenyHosts

SSH is a great way to remotely administer a server. However, it still has a number of issues when you open it up to the world. The server and client communications are secure but that doesn’t mean the hosts involved are. Opening an SSH service to the world allows for brute force attacks and means that the carbon interface is still the weakest link.
There are some very simple steps you can take to really harden remote access over SSH, especially if you can’t simply tie the service down to a limited number of source ports.

First things first, sshd_config. In Ubuntu this is usually found in /etc/ssh and can be used to configure a great number of features. The simplest ones to deal with are always the best. Restricting the users who can login via SSH is a first principle. This can be done in one of two ways, by user or by group. AllowGroups allows any user in this group authenticated access to the server via SSH. A more fine grained approach is to use the AllowUsers option.

Another easy win is by moving the listen port from 22 to some other randomly assigned port. This reduces the likelihood of a scan showing SSHD running.

Other steps you might want to take include disabling root access, disable password authentication and using keys only.

sudo apt-get install denyhosts

DenyHosts is a python script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

Denyhosts acts as a dynamic blocker for SSH and other services. It relies on the /etc/hosts.deny and hosts.allow. It dynamically builds a list of hosts that repeatedly connect to your server. By default the service will block connections from IP sources that are repeated attempting to connect and access your host. The denyhosts process is configured in /etc/denyhosts.conf

Once you’ve put these steps in place you can rest assured the SSH on a public facing host is much more secure.
Read more

Saturday, February 20, 2010

Working with Debian packages from the Command Line.

Here is a few command line entries that I use almost daily.

apt-cache search (packagename)will produce the following:

chicagonpg@Quadzilla ~ $ apt-cache search gftp
gftp-common - shared files for other gFTP packages
gftp-gtk - X/GTK+ FTP client
gftp - X/GTK+ FTP client
gftp-text - colored FTP client using GLib

Then to install just sudo apt-get install gftp-gtk (gtk is the gnome gui app)

Once installed you can check what version you have by doing:

gftp-gtk --version

chicagonpg@Quadzilla ~ $ gftp-gtk --version
gFTP 2.0.19

I have version 2.0.19

To check if you have a certain application installed on your system
use dpkg -s

chicagonpg@Quadzilla ~ $ dpkg -s vlc
Package: vlc
Status: install ok installed
Priority: optional
Section: video
Installed-Size: 3912
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1.0.2-1ubuntu2.1
Replaces: vlc-nox (<< 0.9.2-1) Provides: mp3-decoder Depends: vlc-nox (= 1.0.2-1ubuntu2.1), libaa1 (>= 1.4p5), libc6 (>= 2.8), libdbus-1-3 (>= 1.0.2), libfreetype6 (>= 2.2.1), libfribidi0 (>= 0.10.9), libgcc1 (>= 1:4.1.1), libgl1-mesa-glx | libgl1, libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0), libnotify1 (>= 0.4.5), libnotify1-gtk2.10, libqtcore4 (>= 4.5.1), libqtgui4 (>= 4.5.1), libsdl-image1.2 (>= 1.2.5), libsdl1.2debian (>= 1.2.10-1), libstdc++6 (>= 4.2.1), libtar, libvlccore2 (>= 1.0.0~rc1), libx11-6, libx264-67 (>= 1:0.svn20090502), libxcb-keysyms1 (>= 0.3.6), libxcb1, libxext6, libxinerama1, libxv1, libxxf86vm1, zlib1g (>= 1:, ttf-dejavu-core
Recommends: vlc-plugin-pulse (= 1.0.2-1ubuntu2.1)
Suggests: mozilla-plugin-vlc, videolan-doc
Conflicts: vlc-nox (<< 0.9.2-1) Description: multimedia player and streamer VLC is the VideoLAN project's media player. It plays MPEG, MPEG2, MPEG4, DivX, MOV, WMV, QuickTime, mp3, Ogg/Vorbis files, DVDs, VCDs, and multimedia streams from various network sources. . VLC can also be used as a streaming server that duplicates the stream it reads and multicasts them through the network to other clients, or serves them through HTTP. . VLC has support for on-the-fly transcoding of audio and video formats, either for broadcasting purposes or for movie format transformations. Support for most output methods is provided by this package, but features can be added by installing additional audio plugins (vlc-plugin-pulse, vlc-plugin-sdl) or video plugins (vlc-plugin-sdl, vlc-plugin-ggi, vlc-plugin-svgalib). There is also a web browser plugin in the mozilla-plugin-vlc package. Homepage: Original-Maintainer: Debian multimedia packages maintainers

As you can see the status is installed but it also gives you some good information on the package as well.
Read more

Shaun Mallette's Blog Design by Insight © 2009