Tag Archives: Security

CAcert Inc: The Free Community Digital Certificate Authority


Posted on 05. Jul, 2004


Free email and server certificates. Australian too!

http://www.cacert.org/...


Sobig.f


Posted on 21. Aug, 2003


News from my email provider SpamCop shows how bad email virus traffic is getting lately:

[18:36 EDT] We are now blocking over 7500 copies of the Sobig.f virus every hour. That's more than 2 per second. Put another way, that's over 1.6 Mbps of continuous virus traffic, non-stop since yesterday morning.

Ouch.


SmoothWall 2.0: Block ORANGE from talking to RED


Posted on 11. Jan, 2003


After learning all about iptables and pulling apart all the configuration files in SmoothWall, I figured out the simple two-line change to /etc/rc.d/rc.firewall.up that blocks all traffic on ORANGE (eth1) from talking to RED (ppp0):

change:
iptables -A FORWARD -m state --state NEW -o ppp0 -j ACCEPT
iptables -A FORWARD -m state --state NEW -o ippp0 -j ACCEPT

to:
iptables -A FORWARD -m state --state NEW -i eth0 -o ppp0 -j ACCEPT
iptables -A FORWARD -m state --state NEW -i eth0 -o ippp0 -j ACCEPT

Explicitly specifying that only eth0 may open connections to ppp0, rather than any interface; easy, huh?
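The same -i/-o idea carried through to a complete FORWARD policy for the three zones, as an added example (it is not SmoothWall's own rc.firewall.up and not the post's code). Interface names are the post's (GREEN eth0, ORANGE eth1, RED ppp0). The ESTABLISHED,RELATED rule, the rate-limited LOG rule and the explicit ORANGE drops are additions: with only the post's two-line change, blocked DMZ traffic silently hits the chain policy, whereas here it shows up in the firewall log. Run without arguments the script only prints the rule set; --apply feeds the rules to iptables.

```shell
#!/bin/sh
# Added example, not SmoothWall's own rc.firewall.up. Interface names follow
# the post: GREEN is the trusted LAN, ORANGE the DMZ, RED the ADSL uplink.
GREEN=eth0
ORANGE=eth1
RED=ppp0

# Print the FORWARD chain rules, one per line, in the order to apply them.
forward_rules() {
  # Chain policy: anything no rule accepts is dropped.
  echo "-P FORWARD DROP"
  # Replies to connections that were allowed flow back whatever the zones.
  echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Only GREEN may open new connections to RED (the post's fix: match on
  # -i GREEN instead of every input interface) and to the DMZ.
  echo "-A FORWARD -m state --state NEW -i $GREEN -o $RED -j ACCEPT"
  echo "-A FORWARD -m state --state NEW -i $GREEN -o $ORANGE -j ACCEPT"
  # ORANGE -> RED and ORANGE -> GREEN already fall through to the DROP policy;
  # log the RED attempts (rate-limited) and drop both explicitly so DMZ abuse
  # is visible in the firewall log rather than silently discarded.
  echo "-A FORWARD -i $ORANGE -o $RED -m limit --limit 6/min -j LOG --log-prefix 'FW ORANGE->RED '"
  echo "-A FORWARD -i $ORANGE -o $RED -j DROP"
  echo "-A FORWARD -i $ORANGE -o $GREEN -j DROP"
}

# Feed each rule to iptables; eval keeps the quoted --log-prefix in one piece.
apply_forward_rules() {
  forward_rules | while IFS= read -r rule; do
    eval "iptables $rule"
  done
}

# Number of rules that would let ORANGE open a NEW connection to RED. Must be 0.
orange_to_red_accepts() {
  forward_rules | grep -c -- "-i $ORANGE -o $RED -j ACCEPT" || true
}

# Without --apply this only prints the rule set, which is safe to run anywhere.
case "${1:-}" in
  --apply) apply_forward_rules ;;
  *)       forward_rules ;;
esac
```

After applying, `iptables -L FORWARD -v -n --line-numbers` confirms the order, and the packet counter on the ORANGE->RED DROP rule should climb when you try to reach the Internet from a host in the DMZ. In SmoothWall itself the two ACCEPT lines belong inside rc.firewall.up, as the post does it, because that script rebuilds the chains whenever the RED link comes up.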


SmoothWall secured


Posted on 08. Jan, 2003


After several weeks of continual connection problems using my Netgear MR314 residential gateway to connect to Tel$tra ADSL, I finally bit the bullet and turned my multi-purpose RH8 box into a dedicated firewall box. My first choice of Linux firewall distros was IP Cop v1.2 based on CM's recommendation, however during the install process I discovered that it didn't support any of my *very* common NICs, my Netgear FA311's or my spare 3Com 905's. So short of recompiling the IP Cop kernel with the natsemi drivers, I couldn't run IP Cop. Lucky for me, SmoothWall 2.0 Beta 2 has superior driver support with both the 3C905 and FA311 drivers included in the distro, so I installed that and was up and running in no time. I've got Squid running on my smoothie box as well, and have almost figured out how to get AdZapper running with Smoothwall 2.0 too. It's nice to have a proper dedicated firewall complete with IDS protecting my home LAN. Still no solution to how I'm going to plug my SmoothWall box into the Sydney Wireless network cheaply though. Possibly a third NIC in the amber zone connected to another machine.

UPDATE: Approach determined and hardware ordered! I've ordered a D-Link 900AP+ Ethernet-to-Wireless bridge that I'll plug into a third NIC on my SmoothWall box in the ORANGE zone, essentially placing Sydney Wireless in my DMZ (thanks CM). I can then pinhole services through to the GREEN zone as required. I've also ordered a D-Link 8.5 dBi pico that has a miserable 1 km range, but will be fine for local hookup to the other Sydney Wireless AP in my area. The nice thing about using the D-Link is that I can have a nice long CAT5 run from my SmoothWall box to the D-Link, rather than losing a lot of signal on a 9 m coaxial run to the antenna on my balcony.

UPDATE: Hmmmm.. experimentation with my DMZ reveals flaws with this approach. First of all wireless hosts on my ORANGE network can gateway to my RED network and then use my Internet connection, there seems to be no way to block ORANGE access to the RED interface in SmoothWall. Secondly, I can't NAT from the ORANGE network to my GREEN network (not that I should be anyway, but I kind of wanted to..)

UPDATE: It might work using some creative static routes.

UPDATE: Looking forward to AMBER zone support in IP Cop.

http://www.smoothwall.org/...


PGP 8.0 Beta 2


Posted on 08. Nov, 2002


The latest PGP 8.0 beta is out (probably been out for a while). Can't see any major differences other than proper XP compatibility. Worth a look.

http://www.pgp.com/...


Hackworthy?


Posted on 28. Oct, 2002


Hmm, I received an alert that someone in Vietnam of all places had been trying to hack my easyDNS login. Interesting, but why try to hack me? Ah well, whatever keeps you amused, my friend.


Big nasty Internet


Posted on 04. Oct, 2002


Just saw some of the usual alarmist column filler media coverage on the Bugbear virus, and I was just thinking through all the protection measures I have had to put in place for me to use the Internet safely.

For starters I have my home network protected by a packet filtering router and independent firewalls running on each workstation. I use various techniques to monitor for spyware and detect if an unauthorised program is trying to connect to the Internet from my workstations.

All my workstations run the latest antivirus software with regularly updated virus definition files and heuristic checking. I have two layers of email virus protection: the first comes from forwarding all of my email through SpamCop, the second from the integrated virus checking inside my email clients.

To fight spam, all email is forwarded through SpamCop which uses clever detection techniques to determine if the email is spam and also checks a number of well maintained DNS blacklists (listed below), before finally forwarding what it believes to be a genuine email to my inbox.

SpamCop blacklists:

SpamCop Blacklist, SPEWS level 1, Osirusoft open relay inputs, ORDB open relays, Spamhaus Blacklist, South Korea (the country), Osirusoft Open Proxies, monkeys.com open proxies, China (the country)

I pay $60 a year for SpamCop, but getting a nice email like this makes it all worthwhile:

The infected file was saved to quarantine with name: 1033687268-RAV16345.
The file (part0000:)->(IFRAME0000) attached to mail (with subject: Registration Notification) sent by wlc-registration@indiana.edu to anthonyjhicks@**.net
is infected with virus: HTML/IFrame_Exploit*.
The mail was silently discarded because it contained dangerous code.

http://spamcop.net/...


Linux Firewall/Server Distros Mini-Review Redux


Posted on 02. May, 2002


"Well, nearly six months on I thought I'd update my older review of a few Linux distros.

1. E-Smith
Well six months on the office fileserver running E-Smith is still running. I agree with my initial impressions: "next time around I think I'd almost sooner handcraft a cut-down RedHat install (or maybe another distro) if I just wanted a fileserver."

I found after a few weeks of operation that on a low-powered machine there was way too much cruft which needed removal/tweaking, and annoyances such as user-management mysteriously breaking and being unable to login as root remotely by default. Then again, this isn't a power user distro, never is, never will be -- certainly I can't take away from E-Smith the fact I had a simple server up in a short period of time.

However, when I get the opportunity I will replace the office file server (almost no downtime except when someone has *cough* pressed the off button on our lab rack) with another distro. (Or migrate to a corporate-supported solution, but that's another story, interestingly it's also Linux-powered).

2. SmoothWall
Smoothwall has been protecting our home network for some six months now. In that time my main gripe "Perhaps a little too much 'attitude' on the web site/in the doco IMHO." has been if nothing further sustained by the wider community by a fork of the code base known as IPcop. I was amused to read that one person's comment that one of the main benefits of this fork was no Richard Morrell. Also, my comment "no corporation currently has a viable business model sustaining future development" was correct -- with the founders of the project later closing off source for a number of 'payware' extensions to the project, even simple things like running an ext3 filesystem or multiple RED-network IP addresses. At least Smoothwall has a business model now.

However for a number of reasons, in particular the increasing 'payware' focus of the Smoothwall team (sneaking nagware into an "update" is completely unacceptable, bordering on scurrilous, at least they had the decency to remove this nagware with the following update released a few days later), I wasn't really happy with this distro, so I thought I'd give a fork of Smoothwall, IPcop a try.

3. IPcop
IPcop is a fork of the Smoothwall distro. A 26M bootable ISO CD gets one started. I've re-set up my home network with RED (i.e. hostile internet), YELLOW (DMZ), and GREEN (trusted network) interfaces, whereas previously I was only running RED and GREEN. I'm still working out whether to run my work laptop SSL tunnelling into work on the GREEN or YELLOW networks. (The key difference being that GREEN can access YELLOW, but not the other way around). Likewise, setting-up an IPsec tunnel into our home network would also be an interesting exercise. I note that an AMBER network (for use by a wireless network secured by IPsec) is in the design phase for IPcop V2, which will have a long-running daemon accessible by XML-RPC for configuration. Indeed, given that IPcop V2 is virtually a complete re-write this will be interesting to watch the end-result.

I've only been running IPcop for a few days, but already I'm much happier -- no minimalist spyware which 'reports home' the fact you have installed Smoothwall, and there is an easy patch for using EasyDNS for one's dynamic DNS provider. Indeed, the documentation is much, much better than could be found on the Smoothwall site, which I wasn't expecting given that this is a fork of the Smoothwall base.

Pros?
Once again, this is a distro that you can get up and running quickly with for a firewall/caching-proxy. Of note, the filesystem is ext3 based, so doing a power-off during operation is less likely to cause problems. Likewise, getting easyDNS DDNS installed was relatively straightforward because of the good doco. Likewise, setting up an NTP client on the box was easy, again because of good doco. The community around this product seems to have a much more positive feel than for Smoothwall.

Gripes?
I still want a firewall to protect my home network NOT to allow all outgoing traffic. I plan to block all ports except 80, 443 globally, then other (e.g. RTCW) on a case-by-case basis. This should prevent most SMTP-borne worms and IRC-controlled DDoS agents. I note other Linux firewall distros (or a 'real' Linux distro using IPtables/IPchains) would allow this, but that's the price you pay for a 'dumbed-down' firewall distro. Also, I still have an outstanding gripe for an 'appliance form factor' case -- the only such case available last time I looked has since been obsoleted -- I'm told by AusPCMarket that the reason is that "the problem is that there are no CPUs available any more that will work in it, as there are currently none that accept the Tualatin Core Celeron/PIII CPUs. There will be a similar device available from Shuttle end-May for P4 and AMD CPUs." I plan to build a TV/PVR appliance when this ships, but that's another story.

4. Gentoo
Gentoo is, unlike E-Smith, Smoothwall, or IPcop, a general-purpose Linux distro, similar to RedHat, SuSE or Debian. Where the difference ends is that this almost a 'Linux from scratch' distro -- from just 16MB of bootable ISO image the whole system (C compiler/glibc upwards) gets compiled and installed, with appropriate optimisation according to CPU. On a broadband connection, with a medium (P600+) CPU, this takes four or so hours, with a slow 486 CPU this takes nearly a whole day. (Note Gentoo now makes available binary installs). And yes, you need to compile your own kernel -- four flavours to choose from. However the upside of this is an innovative BSD-style Portage system which makes fetching/compiling from source new components (e.g. SAMBA, SSHD) very easy (although somewhat flakey -- I've blown up a couple of installs when rsync'ing the latest Portage list) and the fact that virtually nothing is installed by default. The combination of these two make this 'non-standard' distro worth the price of admission.

Since the Gentoo distro got slashdotted the community has become a lot larger, which hopefully is a positive thing (although I suspect a lower signal to noise ratio, alas.) Although all I really want now is the product I work with daily to be supported with this distro and I'd be very happy. Not likely to happen any time soon, of course. Still, I'm currently working on building a Gentoo-based CVS server for the office and using PAM modules for LDAP authentication, it'll be interesting to see what the result looks like.

I'll post another update on how I've found Gentoo and IPcop in six months or so..." [via CM]


Guidelines for Hardening W2K


Posted on 21. Apr, 2002


"Nice set of guidelines for securing W2K." [via CM via Cryptogram]

http://www.itbuynet.com/...


Short Friedman Piece on Post Sep 11 changes


Posted on 27. Dec, 2001


"Thomas Friedman has an amusing take on the changes required for security post Sep 11. While his upfront comments are amusing, his conclusion is spot on the mark: 'So there you have our dilemma: Either we become less open as a society, or the world to which we are now so connected has to become more controlled -- by us and by others -- or we simply learn to live with much higher levels of risk than we've ever been used to before.'"

[via CM]

http://www.nytimes.com/...


Even weblogs need good security


Posted on 18. Dec, 2001


It's always amusing to scan through my server log database and see the range of exploits being attempted on this site on a daily basis (perhaps I should add a drop-down - "today's exploits"). A common one that appears every few days is a test to see if I have an incorrectly configured formmail script that could be exploited by a spammer (see log entry below). I don't have this script on my server, so I can only guess the search engine being used by the spammers' automated exploit utility incorrectly thinks I have the formmail script and keeps visiting my site to try and use it.

Date: 13/12/2001 12:23:49
User Address: 168.191.68.32
Authenticated User: -
Status: 500
Content Length: 209
Content Type: text/html
Request: GET /cgi-bin/formmail.pl?recipient=sexbuggyblue@aol.com,&subject=darlene
&email=jhnsjmd899@aol.com
&=http://anthonyjhicks.com/cgi-bin/formmail.pl HTTP/1.1
Browser Used: Microsoft URL Control - 6.00.8862
Error:
Referring URL:
Server Address: anthonyjhicks.com
Elapse Time (ms): 0

Considering my box runs Linux, it's amusing that I get so many Windows-specific exploits aimed at running DLLs on the file system and so on. A good reason not to be running Microsoft and IIS, eh?

Date: 14/12/2001 04:35:06
User Address: 12.98.177.247
Authenticated User: -
Status: 404
Content Length: 231
Content Type: text/html
Request: GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1
Browser Used: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Error:
Referring URL:
Server Address: anthonyjhicks.com
Elapse Time (ms): 10

Anyway, I guess my point is even non-critical sites need reasonable security. Duh.
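Turning the two log entries above into something you can run over the whole dump, as an added example that is not the blog's own tooling: a small sh/awk filter that reads records in the format shown (one "Field: value" line each, a blank line between records) and tags the requests that look like automated probes. The sample records are constructed here (the post's two hits, with the addresses in the formmail query replaced by example.com placeholders, plus one ordinary page request); the pattern list is a hand-picked starting point for the probes visible in the post, not a complete signature set.

```shell
#!/bin/sh
# Added example, not the blog's own log tooling. It reads records in the format
# shown above (one "Field: value" per line, a blank line between records) and
# prints the requests that look like automated probes. The pattern list is a
# small hand-picked set for the probes visible in the post: formmail relay
# tests, FrontPage extension checks, and requests for IIS DLLs.

# Constructed sample: the post's two records (addresses in the formmail query
# replaced with example.com placeholders) plus one ordinary page hit.
sample_log() {
  cat <<'EOF'
Date: 13/12/2001 12:23:49
User Address: 168.191.68.32
Status: 500
Request: GET /cgi-bin/formmail.pl?recipient=spammer@example.com,&subject=darlene&email=sender@example.com HTTP/1.1
Browser Used: Microsoft URL Control - 6.00.8862

Date: 14/12/2001 04:35:06
User Address: 12.98.177.247
Status: 404
Request: GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0 HTTP/1.1
Browser Used: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Date: 14/12/2001 09:12:00
User Address: 10.0.0.5
Status: 200
Request: GET /index.html HTTP/1.1
Browser Used: Mozilla/5.0
EOF
}

# Print "label<TAB>source<TAB>status<TAB>request" for every flagged record.
# A 404/500 status on these means the script is not there, which is the
# thing to confirm; the label is a hint for review, not proof of an attack.
flag_probes() {
  awk '
    /^User Address: / { src = substr($0, length("User Address: ") + 1) }
    /^Status: /       { status = substr($0, length("Status: ") + 1) }
    /^Request: / {
      req = substr($0, length("Request: ") + 1)
      label = ""
      if (req ~ /\/cgi-bin\/formmail/)          label = "formmail-relay-probe"
      else if (req ~ /\/_vti_bin\//)            label = "frontpage-probe"
      else if (req ~ /\.(dll|ida|exe)([? ]|$)/) label = "iis-probe"
      if (label != "") printf "%s\t%s\t%s\t%s\n", label, src, status, req
    }'
}

# Source address of each flagged record, one per line (for blocking/reporting).
flagged_sources() {
  flag_probes | cut -f2 | sort -u
}

# Number of flagged records in the constructed sample.
sample_probe_count() {
  sample_log | flag_probes | wc -l | tr -d ' '
}

# Usage on a real dump: flag_probes < server.log
sample_log | flag_probes
```

Pipe the real dump through flag_probes and hand flagged_sources to whatever you use to block or report; a 404 or 500 against these paths is the result you want to see, since it confirms the script being probed for is not there.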


Buy security, avoid court order


Posted on 17. Dec, 2001


"Buried in the latest crypto-gram newsletter was this nugget: 'Counterpane acquired two customers recently, both of whom needed us to improve their network's security within hours, in response to this sort of legal threat. We came in and installed our monitoring service, and they were able to convince a judge that they should not be turned off. I see this as a trend that will increase, as attacked companies look around for someone to share fault with.' Interesting trend." [via CM]

http://www.counterpane.com/...


O’Reilly on ANX VPN


Posted on 30. Oct, 2001


"O'Reilly has an article on some of the policies involved in building a VPN between a group of loosely related companies. No rocket science, but interesting nevertheless." [via CM]

http://www.oreillynet.com/...


Linux Firewall/Server Distros Mini-Review


Posted on 28. Oct, 2001


"A mini review on the results of playing with a couple of different 'appliance' Linux distros:

1. E-Smith
Aimed squarely at the SME market as an 'all in one' Linux NAT router/firewall & SMB/HTTP/FTP server. Installs from a bootable CD (available for download only as a 339M ISO image). Does a nice job at making installation nearly painless -- although my old P90 doesn't support booting from CD, so I had to cut a floppy to boot from. I had this running as DHCP server for my home network in no time, NAT'ing out to the public internet via PPPoE. The downloadable 'Blade' which turned Apache into an MP3 server was a nice touch.

I guess usage is my highest compliment -- this distro is now running on an old P133 in the office as a workgroup fileserver with a shiny new 40GB hard disk.

Pros? Under the covers is a fairly innovative way of 'templating' the maintenance of the Linux system. For a small business on a tight budget, this could well serve them as an inexpensive firewall/fileserver (although I have concerns about mixing the two functions on the one box).

Gripes? E-Smith wants to be *both* a fileserver and a firewall -- no easy switch to flick to make it one or the other. Have to disable a whole bunch of services (e.g. Appletalk routing, Squid etc.) just to make the box runnable with 64MB of memory. (Yes I know memory is cheap -- that's not the point). I also had to do way too much hacking on the box to make it share a bunch of SAMBA shares 'just right' -- next time around I think I'd almost sooner handcraft a cut-down RedHat install (or maybe another distro) if I just wanted a fileserver.

2. Smoothwall
Smoothwall has a different focus -- it only tries to be a firewall. (Although interestingly they seem to have no issue with running Squid and Apache for its web-based admin console.) Again, a downloadable ISO image, although only 20MB or so this time, and setup was done in under half an hour.

Smoothwall certainly justifies the name Smooth -- the web-based console is very cleanly done, includes nice features like throughput graphs and a comprehensive IDS system (snort).

Pros? On slickness of admin and size of install alone, this is a very nice firewall appliance. The web-based SSH applet is a nice touch, as is the usage graphing. Boot up and shutdown time is very fast.

Gripes? Hard to name any. Perhaps a little too much 'attitude' on the web site/in the doco IMHO.

Conclusions?
E-Smith: would suit some SMEs, particularly with the Mitel Networks monitoring/value added options (although too pricey when converted to AUD)
Smoothwall: professionally packaged NAT router/firewall. Very nicely done, although no corporation currently has a viable business model sustaining future development.

Other thoughts?
I'd happily pay for an 'appliance case' for this type of box. Requirements would be principally driven around form-factor, noise and cost. Slashdot has had a few examples that come close of late -- certainly would beat the current packaging of a mid 90's low-cost-Taiwanese case that my experimenting was done in.

Also, while I like EasyDNS as my provider of DNS/Dynamic DNS, I hate having to muck around with installing additional packages to make this work. Why can't updating Dynamic DNS be standardised? Why does it have to be so hard?" [via CM]


Bruce Schneier on Post-September 11


Posted on 03. Oct, 2001


"As always, Bruce Schneier has some interesting things to say about, in this case, post-September 11 security. Some very interesting links." [via CM]

http://www.counterpane.com/...


Anatomy of a DDOS


Posted on 01. Jun, 2001


"Interesting dissection of a DDOS attack against grc.com. Although I'm not sure I entirely agree with his rant against the evils of the WinXP + Win2K IP stack." [via CM]

http://grc.com/...


OutGuess - Universal Steganography


Posted on 26. Apr, 2001


Interesting tool lets you hide information in JPG's etc.: "OutGuess is a universal steganographic tool that allows the insertion of hidden information into the redundant bits of data sources." [via CM]

http://www.outguess.org/...


PORNsweeper


Posted on 03. Nov, 2000


I had a quick chat to a couple of the security consulting guys at my company today and they told me how they were 'testing' PORNsweeper from the makers of MIMEsweeper. Apparently it uses image analysis based on skin tones. From the site: "PORNsweeper is an add-on module for MAILsweeper for SMTP and works at the gateway to provide a policy-based content security and image analysis solution. PORNsweeper scans images attached to e-mails or embedded in e-mail attachments for inappropriate content such as nudity and pornography, according to your content security policy."

http://www.us.mimesweeper.com/...


Hackers take ‘Notes’ at DefCon


Posted on 31. Jul, 2000


Someone finally gets around to highlighting the rather dodgy (and superseded) default one-hash implementation for HTTP passwords in the Domino Address Book. Nothing amazingly new here; a correctly secured address book and server is still relatively secure from external attack. It's amusing that I've come to depend on recognising various hashes, e.g. 355E 98E7 C7B5 9BD8 10ED 845A D0FD 2FC4 for 'password', when trying to figure out passwords to use for authentication during development. [via SM]

http://www.securityfocus.com/...