Tuesday, February 28, 2006

Security Updates

Having had much more free time recently (or at least not being at work) I've had time to review my network security. What started out as annoyance at looking at /var/log/secure daily and seeing multiple attempts to access my system via brute-force ssh, combined with an interest in learning a few new skills, turned into something of an obsession with locking down just about every application and service I could find.

It all started with my log files. Day after day, my host on the LAN which had ssh forwarded to it was logging numerous failed attempts from all over the world to log in, and I was not alone; reports of the same brute-force activity are all over the internet. Initially it didn't seem very worrying as the usernames sent were all of the type root, apache, mysql, admin and I had only allowed myself to log in via ssh in the config file. Later though I noticed all sorts of other names being sent, so it was inevitable that mine would be used at some point, and sometimes the same IP address would be logged several hundred times in just one day. I was reluctant to disable the forwarding rule on my firewall at this time as I was finding remote access too useful. My first counter-measure was denyhosts, a script which runs as a cron job searching the log files for repeated failed login attempts (you can set the threshold) and then adding those IP addresses to /etc/hosts.deny. This did indeed work, as my steadily growing hosts.deny file proved, but the attacks continued and I still felt uneasy. What if someone got lucky between runs of the cron job? Next on the list of defences was public-key access. Yes, I admit that I was still using a username/password combination; I'd simply never got around to understanding how to apply public-key crypto to ssh. I'm not going to explain it here either as there are many excellent guides already on the internet, such as Steve Friedl's here.
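As an added illustration (not denyhosts' own code, which this post does not reproduce), here is the core of what such a log-scanning cron job does: count failed sshd logins per source IP over a few constructed /var/log/secure lines and emit hosts.deny entries for addresses at or above a threshold. The log format mirrors OpenSSH's syslog lines of the time and the addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/secure
# (syslog style, as on FC4-era systems); the addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 27 03:12:01 host sshd[2101]: Failed password for illegal user admin from 192.0.2.10 port 40211 ssh2
Feb 27 03:12:03 host sshd[2103]: Failed password for illegal user apache from 192.0.2.10 port 40215 ssh2
Feb 27 03:12:05 host sshd[2105]: Failed password for root from 192.0.2.10 port 40219 ssh2
Feb 27 03:12:07 host sshd[2107]: Failed password for illegal user mysql from 192.0.2.10 port 40222 ssh2
Feb 27 03:15:40 host sshd[2190]: Failed password for root from 198.51.100.7 port 51002 ssh2
Feb 27 03:16:02 host sshd[2194]: Accepted publickey for me from 203.0.113.5 port 4002 ssh2
Feb 27 03:20:11 host sshd[2210]: Failed password for illegal user test from 192.0.2.10 port 40300 ssh2
"""

# Matches both the older "illegal user" and the newer "invalid user" wording.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offenders(log_text, threshold):
    """Source IPs with at least `threshold` failures, most active first."""
    return [ip for ip, n in count_failures(log_text).most_common() if n >= threshold]


def hosts_deny_lines(ips, already_denied=()):
    """Render new /etc/hosts.deny entries, skipping IPs already listed."""
    seen = set(already_denied)
    return [f"sshd: {ip}" for ip in ips if ip not in seen]


if __name__ == "__main__":
    # A real cron job would read the log file and append to /etc/hosts.deny.
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG, threshold=5)):
        print(entry)
```

Note that a threshold-based blocklist only acts after the scan runs, which is exactly the gap the post goes on to close with public-key authentication.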

At about the same time I discovered openvpn, an SSL site-to-site VPN which supports most flavours of Linux/Unix as well as Mac and Windows. Even better, it's released under the GPL. Unlike many 'SSL' VPNs you may have seen or heard about, which are just web front ends to applications, openvpn is a true network-level (OSI layer 2/3) VPN solution which, while using the proven security of openssl, avoids the complexity and problems of ipsec. Once you've got your head around generating and deploying the certificates it really is easy to set up, with easy-to-read config files only a few lines long for the simplest configurations (the openvpn website has a lot of good documentation/examples and a quick start guide). You may have guessed by now that I really like it :) - Anyway, I started thinking - why use ssh when I've got openvpn, which is at least as secure (probably more so) and which also gives me access to my entire network remotely?

So now ssh forwarding is turned off on my firewall and I use openvpn for remote access. There is still loads that I haven't mentioned yet like clamav, WPA, rkhunter, truecrypt. I'll have to write part 2 later.....

Sunday, February 26, 2006

Fedora Core 4, DHCP and DNS Dynamic Update

Having previously posted about dynamic update with Solaris 10 reminded me of my earlier problems with FC4 in updating my DNS records with BIND (via dhcpd). While I was thinking about it I thought I'd add the solution that worked for my laptop here. Create a file called /etc/dhclient.conf with the following content:

send host-name "myhostname";

For further information: man dhclient, man dhclient.conf


Friday, February 24, 2006

Solaris 10, DHCP and DNS Dynamic Update

I recently managed to find the time to install Solaris 10 on my Ultra2. Since I've now moved away from assigning static IPs on my network (except for a few essential hosts) I chose the DHCP option when running the installer. Interestingly the installer never asked for a hostname during setup, and sure enough when I first booted my Ultra2 it was now known as 'unknown' and of course no hostname was registered in DNS. To fix this I created the file /etc/nodename, which contained just the hostname for the system, and /etc/hostname.hme0, which contains one line:

inet hostname

The suffix in the above file name (hme0) refers to the interface name; replace hostname with the name you want the system to have.

A reboot later my Ultra2 was successfully registering its hostname in DNS.

All things google

Following an invite by my friend Marcus to join googlemail, I have now signed up for their free webspace with the beta Google Pages, an AJAX web publishing application. Had a quick play but I'm not quite sure what I'm going to do with it yet (which probably puts me in the same boat as all the other people who signed up on day one just to see what all the fuss was about). Anyway, this all brought me to yet another google offering: blogspot. Will I have the time for this? Time will tell...

All things have a beginning

OK, so we can't preview unless we've got a posting. Fair enough.