LinuxBasix 034 Podcast segment notes

FWKNOP Tech Segment

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single ‘knock’ is needed, consisting of an encrypted packet.

Single Packet Authorization

Single Packet Authorization (a form of Port Knocking), is a technique for securely communicating authentication and authorization information across closed firewall ports, usually with the goal of opening certain ports to allow temporary access. By keeping most or all ports closed on a server hosting remotely-accessible services, it is possible to make that host invisible to the outside, thus protecting each listening service.

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA).

Steps to take:

Install fwknop Server

pre-requisite for fwknop:
# apt-get install libgdbm-dev

Download and install fwknop(client and server)
# wget -c http://www.cipherdyne.org/fwknop/download/fwknop-2.0.0rc2.tar.gz
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# cd fwknop-2.0.0rc2
# ./configure
# make
# make install

Side note: If you get the error “error while loading shared libraries: libfko.so.0: cannot open shared object file: No such file or directory” when starting fwknopd, then you may need to create a symbolic link in the /usr/lib directory for the library file:

# cd /usr/lib
# ln -s /usr/local/lib/libfko.so.0.0.2 libfko.so.0

Config files:

Browse to –> /usr/local/etc/fwknop, where you will see two files: access.conf and fwknop.conf.

Edit the fwknop.conf file, and uncomment and set the capture interface option for your interface, “PCAP_INTF eth0”.

Next edit your access.conf file to allow access based on your liking (users, port, key, etc.).

A simple suitable config:

SOURCE: ANY;
# key must be over 8 characters
KEY: P@$$W0r);
REQUIRE_USERNAME: infolookup;
OPEN_PORTS: tcp/222;
FW_ACCESS_TIMEOUT: 30;
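To make the access.conf semantics concrete, here is a small Python model of a single-packet authorization exchange, added for this write-up rather than taken from fwknop. The client builds one authenticated knock (timestamp, random nonce, username, requested port, with an HMAC-SHA256 tag under the shared key) and the server side enforces the checks the access.conf above expresses (key, REQUIRE_USERNAME, OPEN_PORTS, SOURCE), plus a timestamp window and a nonce cache so a captured knock cannot be replayed, and it expires the grant after FW_ACCESS_TIMEOUT seconds. The wire format, the HMAC-only construction (fwknop encrypts its packet with Rijndael or GnuPG), the 120-second skew window and the key value are all assumptions of this example, and nothing here touches iptables: open_rules stands in for the rules fwknopd would insert.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed settings mirroring the access.conf above.  The key is a
# placeholder for this example, not a real secret.
ACCESS = {
    "SOURCE": "ANY",
    "KEY": b"example-key-placeholder",
    "REQUIRE_USERNAME": "infolookup",
    "OPEN_PORTS": "tcp/222",
    "FW_ACCESS_TIMEOUT": 30,
}
TIME_WINDOW = 120  # tolerated clock skew in seconds (assumption of this example)


def build_spa(key, username, port_spec, now=None):
    """Client side: one authenticated knock.  Payload fields are separated by
    '|' and covered by an HMAC-SHA256 tag keyed with the shared key."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()                  # fresh per knock: replay defence
    payload = f"{ts}|{nonce}|{username}|{port_spec}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload + b"|" + tag.encode()).decode()


class SpaServer:
    """Server side: validates knocks and tracks time-limited grants."""

    def __init__(self, access, now_fn=time.time):
        self.access = access
        self.now = now_fn
        self.seen = {}        # nonce -> time first seen (replay cache)
        self.open_rules = []  # (src_ip, port_spec, expires_at); stands in for firewall rules

    def verify(self, packet, src_ip):
        try:
            raw = base64.b64decode(packet, validate=True).decode()
            ts_s, nonce, username, port_spec, tag = raw.split("|")
            ts = int(ts_s)
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        # Authenticate first; nothing else in the packet is trusted before this.
        payload = f"{ts_s}|{nonce}|{username}|{port_spec}".encode()
        expected = hmac.new(self.access["KEY"], payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad hmac"
        now = self.now()
        if abs(now - ts) > TIME_WINDOW:
            return False, "stale timestamp"
        # Prune nonces older than the window, then refuse anything already seen.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= TIME_WINDOW}
        if nonce in self.seen:
            return False, "replay"
        # Authorization checks drawn from access.conf.
        if username != self.access["REQUIRE_USERNAME"]:
            return False, "username not permitted"
        if port_spec != self.access["OPEN_PORTS"]:
            return False, "port not permitted"
        if self.access["SOURCE"] != "ANY" and src_ip != self.access["SOURCE"]:
            return False, "source not permitted"
        self.seen[nonce] = now
        self.open_rules.append((src_ip, port_spec, now + self.access["FW_ACCESS_TIMEOUT"]))
        return True, "accepted"

    def is_open(self, src_ip, port_spec):
        """True while an unexpired grant exists for this source and port."""
        now = self.now()
        self.open_rules = [r for r in self.open_rules if r[2] > now]
        return any(r[0] == src_ip and r[1] == port_spec for r in self.open_rules)


def demo():
    """Walk the flow with a fake clock; returns the verdicts in order."""
    clock = [1_700_000_000.0]
    srv = SpaServer(ACCESS, now_fn=lambda: clock[0])
    knock = build_spa(ACCESS["KEY"], "infolookup", "tcp/222", now=clock[0])
    results = [srv.verify(knock, "192.168.19.1")]           # accepted
    results.append(srv.is_open("192.168.19.1", "tcp/222"))  # True
    results.append(srv.verify(knock, "192.168.19.1"))       # replay of the same knock
    clock[0] += ACCESS["FW_ACCESS_TIMEOUT"] + 1
    results.append(srv.is_open("192.168.19.1", "tcp/222"))  # False: grant expired
    forged = build_spa(b"wrong-key", "infolookup", "tcp/222", now=clock[0])
    results.append(srv.verify(forged, "192.168.19.1"))      # bad hmac
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run it directly and it walks the flow with a fake clock; the points to notice are that a replayed knock is refused even though its HMAC is valid, and that the grant disappears after the timeout with no action from the client, which is exactly what FW_ACCESS_TIMEOUT buys you.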

Clear out your old iptables rules and add default rules to drop all incoming traffic.

IP Tables rule:

#!/bin/sh
# Script to reset your iptables rules

# Load modules for connection tracking and NAT
modprobe iptable_nat

# Initialize all the chains by removing all rules
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Delete any user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# Set default policies
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Accept internally-requested input
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept internally-requested forward
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept user-specified traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# Log whatever arrives on eth0 and matched nothing above, just before the
# DROP policy takes it.  These rules sit after the ACCEPTs so that accepted
# traffic is not logged as dropped; the trailing space in the prefix keeps
# "DROP" and "IN=" from running together in the log line.
#iptables -A INPUT -i eth0 -p all -j DROP
iptables -A INPUT -i eth0 -j LOG --log-prefix "DROP "
iptables -A FORWARD -i eth0 -j LOG --log-prefix "DROP "

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "iptables policy enabled"

Start the server with –> # fwknopd -f -vv

Testing rules after configuration:

I tried to ssh to the Ubuntu server via my Windows box, which is IP 192.168.19.1, on port 22, and as you can see from the below image I was blocked and it was logged as expected:

Next I launched the Windows client and typed in my configured information that was set up during the config stage. Once you click “Send SPA”, try to log in again via your SSH client within 30 secs and you should now be able to get in.
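The blocked attempt just described shows up in the kernel log through the LOG rule in the reset script above. As an added example (not from the original post), here is a Python parser for those lines that tallies dropped packets per source, protocol and destination port and lists the sources whose SSH SYNs were refused, which is what you expect to see from a client before it sends a valid knock. The log lines are constructed to match the lab addresses in this post (the third one shows what the log looks like when the prefix has no trailing space); the script reads a string here and would read /var/log/kern.log or the output of dmesg in practice.

```python
import re
from collections import Counter

# Constructed sample in the format the iptables LOG target writes to the
# kernel log; addresses match the lab described above.  The third line shows
# what happens when --log-prefix "DROP" has no trailing space: the prefix and
# "IN=" run together.  The last line is a non-firewall message to be ignored.
SAMPLE_LOG = """\
Sep 20 21:13:02 ubuntu kernel: [ 1234.567890] DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.168.19.1 DST=192.168.19.130 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 20 21:13:05 ubuntu kernel: [ 1237.001122] DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.168.19.1 DST=192.168.19.130 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4322 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 20 21:13:09 ubuntu kernel: [ 1241.334455] DROPIN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.29.20.15 DST=192.168.19.130 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=5353 LEN=40
Sep 20 21:13:10 ubuntu sshd[2201]: Accepted publickey for infolookup from 192.168.19.1 port 51240 ssh2
"""

KERNEL_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<rest>.*)$")


def parse_iptables_log(line):
    """Return a dict for one iptables LOG line, or None if it is not one."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    idx = rest.find("IN=")
    if idx < 0:
        return None
    # Whatever precedes IN= is the --log-prefix, with or without its space.
    prefix = rest[:idx].strip()
    fields, flags = {}, []
    for tok in rest[idx:].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.append(tok)          # bare tokens such as DF, SYN, ACK
    return {
        "prefix": prefix,
        "in": fields.get("IN", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": "SYN" in flags,
    }


def dropped_by_source(log_text, prefix="DROP"):
    """Count dropped packets per (source, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_iptables_log(line)
        if entry and entry["prefix"].startswith(prefix):
            counts[(entry["src"], entry["proto"], entry["dpt"])] += 1
    return counts


def ssh_probe_sources(log_text):
    """Sources whose SYN to tcp/22 was dropped, sorted for stable output."""
    return sorted({e["src"] for e in map(parse_iptables_log, log_text.splitlines())
                   if e and e["proto"] == "TCP" and e["dpt"] == 22 and e["syn"]})


if __name__ == "__main__":
    for key, n in dropped_by_source(SAMPLE_LOG).items():
        print(key, n)
    print("dropped SSH attempts from:", ssh_probe_sources(SAMPLE_LOG))
```

A useful follow-on check once fwknopd is running is to confirm that a source appears in ssh_probe_sources before its knock and stops appearing after it, while never showing up with DPT=222 during the 30-second window.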

Additional reading:

http://www.cipherdyne.org/fwknop/

http://www.securitygeneration.com/single-packet-authorization/

http://aerokid240.blogspot.com/

http://www.cipherdyne.org/fwknop/download/ –> Windows client

Notes for Linux Basix Eps22

Today’s post will serve as a sort of show notes for the Linux Basix podcast that I will be a guest on tonight.

Discussion Links:

  1. SET v0.7 aka “Swagger Wagon” new release: I did a blog posting on the 14th highlighting SET, and I am mentioning it here again because I think it is worth taking a look at this program. For anyone not familiar with the Social-Engineer Toolkit (SET), it’s specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester’s arsenal. The group also held a Social Engineering Capture the Flag competition at “Defcon 18” and they have finally released the full report: http://www.social-engineer.org/resources/sectf/Social-Engineer_CTF_Report.pdf
  2. A report was published detailing the exploits of a former Google engineer who allegedly used his internal clearances to access private Gmail and GTalk accounts so that he could spy on and harass people, including four minors; read more over at http://techcrunch.com/2010/09/14/google-engineer-spying-fired/. Now this brings me back to a similar point I made a while back: we have to stop putting all our trust in cloud-based services because we never know if or how much they are violating our privacy.
  3. Second time’s a charm: “Linux Kernel 0-day bug”. On the 16th I did a quick news bulletin post highlighting a serious Linux vulnerability. The vulnerability, found in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa), was fixed once before, in 2007 with the release of kernel version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access. Read the complete article over at The Register.
  4. Is Stuxnet the ‘best’ malware ever? Even though this is not a Linux-related issue, I know a lot of us fix our friends’ and family’s computers and it’s always good to keep up on new malware threats. The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals. They work for the two security companies that discovered that Stuxnet exploited not just one zero-day Windows bug but four — an unprecedented number for a single piece of malware. Read the full article over at computerworld.com.
  5. Tunneling SSH over HTTP(S): not much to say about this one, but I think it’s pretty cool and you should give it a try; I know I will. –> http://dag.wieers.com/howto/ssh-http-tunneling/

Tech Segment: Building your test lab


During this segment I will be discussing what I have been up to for the last few days, and that’s rebuilding my home network so I can have more than just a laptop to perform my various testing on.

Equipment used in lab:

  • HP DL 380 G4 server with 6 drives (2X75, 4X150) with ESXi installed.
  • Cisco 3500 switch
  • Cisco 2621 router
  • Verizon FIOS Wifi router.
  • PFsense FW

OS currently installed:

  • FreeBSD
  • Ubuntu server
  • Snorby IDS

Router config:

RT01#sh run
Building configuration...

Current configuration : 1202 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RT01
!
enable secret 5 10g1n///
enable password 7 10g1n///
!
ip subnet-zero
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.29.19.1 255.255.255.0
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 10.29.20.1 255.255.255.0
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 10.29.21.1 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description Transit-to-FW
ip address 172.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
!
router rip
version 2
network 172.0.0.0
network 10.29.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.1.1.1
no ip http server
!
line con 0
password 7 10g1n///
login
line aux 0
line vty 0 2
password 7 10g1n///
login
line vty 3 4
password 7 10g1n///
login
!
end

Switch Config:

SW01#sh run
Building configuration...

Current configuration:
!
! No configuration change since last restart
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname SW01
!
enable password 7 10g1n///
!
username infolookup password 7 10g1n///
!
ip subnet-zero
no ip domain-lookup
!
interface FastEthernet0/1
description Uplink-to-Verizon
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
description Firewall-OUT-interface
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/3
description Firewall Inside-Transit
switchport access vlan 11
!
interface FastEthernet0/4
description Link to Router  – Fa0/1
duplex full
switchport access vlan 11
!
interface FastEthernet0/5
!
interface FastEthernet0/18
!
interface FastEthernet0/19
switchport access vlan 30
spanning-tree portfast
!
interface FastEthernet0/20
description Inside-workstation
switchport access vlan 40
spanning-tree portfast
!
interface FastEthernet0/33
description ESX Host
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,30,40,50,1002-1005
switchport mode trunk
!
interface FastEthernet0/34
!
interface FastEthernet0/35
description ESXi Host-Mgmnt
duplex full
speed 100
switchport access vlan 40
spanning-tree portfast
!
interface FastEthernet0/36
!
interface FastEthernet0/48
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,30,40,50,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN30
ip address 10.29.19.10 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN100
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 10.29.19.1
!
line con 0
exec-timeout 0 0
password 7 10g1n///
login local
transport input none
stopbits 1
line vty 0 4
password 7 10g1n///
login local
line vty 5 15
no login
!
ntp clock-period 11259018
ntp server 153.16.4.130
end
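Both dumps above store every credential as a type 7 string, and the switch’s `line vty 5 15` is configured with `no login`. As an added example (not part of the original notes, and not a vendor tool), here is a small Python audit that walks an IOS-style running-config and reports the settings a reviewer would flag first: privileged mode without `enable secret`, type 7 passwords (a reversible obfuscation, not a hash), `ip http server`, vty lines with `no login` or without a `transport input` restriction, and `exec-timeout 0 0`. The sample config is constructed in the style of the switch dump above, reusing the post’s own placeholder password strings; the severities are this example’s own judgement.

```python
import re

# Constructed config excerpt in the style of the switch dump above; the
# password strings are the post's own placeholders, not real credentials.
SAMPLE_CONFIG = """\
version 12.0
service password-encryption
hostname SW01
enable password 7 10g1n///
username infolookup password 7 10g1n///
no ip http server
line con 0
 exec-timeout 0 0
 password 7 10g1n///
 login local
line vty 0 4
 password 7 10g1n///
 login local
line vty 5 15
 no login
end
"""


def _line_blocks(lines):
    """Group 'line ...' sections: returns [(header, [body lines]), ...]."""
    blocks, header, body = [], None, []
    for l in lines:
        if l.startswith("line "):
            if header is not None:
                blocks.append((header, body))
            header, body = l, []
        elif header is not None:
            if l in ("!", "end"):           # section terminators in a running-config
                blocks.append((header, body))
                header, body = None, []
            else:
                body.append(l)
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_ios_config(text):
    """Return (severity, location, message) findings for an IOS-style config."""
    stripped = [l.strip() for l in text.splitlines()]
    findings = []
    if not any(l.startswith("enable secret ") for l in stripped):
        findings.append(("high", "global",
                         "no 'enable secret': privileged mode relies on a reversible or cleartext 'enable password'"))
    if "service password-encryption" not in stripped:
        findings.append(("medium", "global",
                         "'service password-encryption' absent: line passwords are stored in cleartext"))
    type7 = sum(1 for l in stripped if re.search(r"\bpassword 7 \S+", l))
    if type7:
        findings.append(("medium", "global",
                         f"{type7} type-7 password(s): type 7 is reversible obfuscation, not a hash"))
    if "ip http server" in stripped:
        findings.append(("medium", "global", "'ip http server' enabled: cleartext web management"))
    for header, body in _line_blocks(stripped):
        is_vty = header.startswith("line vty")
        if "no login" in body:
            findings.append(("high", header, "'no login': sessions on this line require no authentication"))
        if is_vty and not any(b.startswith("transport input") for b in body):
            findings.append(("medium", header, "no 'transport input' restriction; set 'transport input ssh'"))
        if "exec-timeout 0 0" in body:
            findings.append(("low", header, "'exec-timeout 0 0': idle sessions never expire"))
    return findings


if __name__ == "__main__":
    for sev, where, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{sev:6}] {where}: {msg}")
```

Feed it the output of `show running-config` saved to a file and the finding for `line vty 5 15` is the one to act on first: on the switch above, those lines accept a session with no password at all, whereas `line vty 0 4` at least asks for the local user account.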

PFsense Config:

  • Configured port forwarding; you can do this via the interface or by editing /config/config.xml
    • Forward to my FreeBSD box
    • Configured my dynamic DNS  host (free of course)
    • Forward my VMware ESX connection over SSH
    • Configured Snort to send logs to Snorby

Links:

Notes for Linux Basix Eps019

The post below is just a quick write-up that can serve as an addition to the show notes for my segment on the Linux Basix podcast.

Discussion Links:

  1. Gmail made you look like a spammer this week –> Graham Cluley’s blog. Over 4 million Gmail users had their email messages sent multiple times. “At least if your home or business computer was spewing out spam you can pull the cable out of the back of your PC. With web-based services like Gmail you don’t have that option.”
  2. http://blog.commandlinekungfu.com/ and http://shelldorado.com/shelltips/beginner.html –> Great blogs for learning the command line; keep reading and you will be a command line Ninja one day.
  3. http://garinkilpatrick.com/21-wicked-wordpress-plugins/ –> Tons of interesting plug-ins for you to have fun with.
  4. http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html –> 20 Linux System Monitoring Tools Every SysAdmin Should Know, with over 143 comments, a **Must Read**.

Installing OpenSSH 5.6

Now, in keeping with my theme of always keeping your software updated, I noticed that a new version of OpenSSH was released on August 24th. Why update, you might ask?

List of features that may change your mind:

Changes since OpenSSH 5.5
=========================
Features:

* Added a ControlPersist option to ssh_config(5) that automatically
starts a background ssh(1) multiplex master when connecting. This
connection can stay alive indefinitely, or can be set to
automatically close after a user-specified duration of inactivity.

* Hostbased authentication may now use certificate host keys. CA keys
must be specified in a known_hosts file using the @cert-authority
marker as described in sshd(8).

* ssh-keygen(1) now supports signing certificate using a CA key that
has been stored in a PKCS#11 token.

* ssh(1) will now log the hostname and address that we connected to at
LogLevel=verbose after authentication is successful to mitigate
“phishing” attacks by servers with trusted keys that accept
authentication silently and automatically before presenting fake
password/passphrase prompts.

Note that, for such an attack to be successful, the user must have
disabled StrictHostKeyChecking (enabled by default) or an attacker
must have access to a trusted host key for the destination server.

* Expand %h to the hostname in ssh_config Hostname options. While this
sounds useless, it is actually handy for working with unqualified
hostnames:

Host *.*
Hostname %h
Host *
Hostname %h.example.org

* Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
(bz#1749)

* sshd(8) will now queue debug messages for bad ownership or
permissions on the user’s keyfiles encountered during authentication
and will send them after authentication has successfully completed.
These messages may be viewed in ssh(1) at LogLevel=debug or higher.

* ssh(1) connection multiplexing now supports remote forwarding with
dynamic port allocation and can report the allocated port back to
the user:

LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`

* sshd(8) now supports indirection in matching of principal names
listed in certificates. By default, if a certificate has an
embedded principals list then the username on the server must match
one of the names in the list for it to be accepted for
authentication.

sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
file containing a list of names that may be accepted in place of the
username when authorizing a certificate trusted via the
sshd_config(5) TrustedCAKeys option. Similarly, authentication
using a CA trusted in ~/.ssh/authorized_keys now accepts a
principals="name1[,name2,...]" to specify a list of permitted names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply. These options
are useful for role accounts, disjoint account namespaces and
“user@realm”-style naming policies in certificates.

* Additional sshd_config(5) options are now valid inside Match blocks:

AuthorizedKeysFile
AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly
PermitTunnel

* Revised the format of certificate keys. The new format, identified as
ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:

- Adding a serial number field. This may be specified by the CA at
the time of certificate signing.

- Moving the nonce field to the beginning of the certificate where
it can better protect against chosen-prefix attacks on the
signature hash (currently infeasible against the SHA1 hash used)

- Renaming the “constraints” field to “critical options”

- Adding a new non-critical “extensions” field. The “permit-*”
options are now extensions, rather than critical options to
permit non-OpenSSH implementation of this key format to degrade
gracefully when encountering keys with options they do not
recognize.

The older format is still supported for authentication and may still
be used when signing certificates (use “ssh-keygen -t v00 …”).
The v00 format, introduced in OpenSSH 5.4, will be supported for at
least one year from this release, after which it will be deprecated
and removed.

Install time…

I am attempting to install this on a headless Ubuntu server; the first command I am going to try is:

# sudo apt-get install openssh-server openssh-client

Now, since this was a recent release, your average apt-get install command wouldn’t work here because it takes some time for the many repositories to be populated with the new versions.

Obtaining your copy…

Just do a quick wget

wget http://filedump.se.rit.edu/pub/OpenBSD/OpenSSH/portable/openssh-5.6p1.tar.gz

Prerequisites
—————-

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

Building / Installation
————————–
To install OpenSSH with default options:

./configure
make
make install

While I was waiting with excitement for my new app to build and install, I kept getting the following error: “configure: error: *** OpenSSL headers missing – please install first or check config.log ***”

Decided to upgrade to Ubuntu 10.04:

  1. Install update-manager-core if it is not already installed:
    sudo apt-get install update-manager-core
    
  2. Edit /etc/update-manager/release-upgrades and set Prompt=normal
  3. Launch the upgrade tool:
    sudo do-release-upgrade
    
  4. Follow the on-screen instructions.

Only to realize that the fix was to install the libssl-dev package

apt-get install libssl-dev

Other useful commands I used:

uname -a –> Print basic information currently available from the system (Kernel version and so on)

ssh -V –> Shows you the ssh version number

cat /etc/issue –> Shows you your Ubuntu build version

openssh version –> Shows you your openssh version number

Lastly you can take a read of my posting on the DLL hijacking issue if you haven’t been following it.

Links:

http://www.openssh.com/txt/release-5.6

ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL