Jan 20

SSH Key Based Login

The first step in setting up SSH Key Based Authentication is to create a set of keys for yourself. This can be done using either PuttyGen on Windows or from the command prompt on Linux as follows:

ssh-keygen -t rsa

This will create a set of RSA type keys. Your public key (~/.ssh/id_rsa.pub) will be uploaded to the remote server and your secret key (~./id_rsa) will be kept on any device you will use as a client to connect to your server. You can now SCP your public key to the remote server using WinSCP or via the command prompt:

scp ~/.ssh/id_rsa.pub root@myserver.co.za:~

Now let’s login to our remote server via SSH and configure sshd to accept keys only. The first step is to create a .ssh directory (if it doesn’t exist already) and place the public key in the right place. We then set the required permissions:

cd ~
mkdir .ssh
cp id_rsa.pub .ssh/authorized_keys
chmod u=rwx,go= .ssh
chmod u=rw,go= .ssh/authorized_keys

With that setup, we need to open up our /etc/ssh/sshd_config file in our favourite editor:

vim /etc/ssh/sshd_config

Ensure these lines are uncommented and set to “yes”:

RSAAuthentication yes
PubkeyAuthentication yes

Restart the SSH server to apply these changes

/etc/init.d/sshd restart

Notice

VERY VERY NB… Test your key works 100% before going any further.

At this point, the server will accept either the key or a password. Once you are completely satisfied that your key is working, you can disable the password login by editing /etc/ssh/sshd_config and changing the PasswordAuthentication option as follows:

PasswordAuthentication no

Once this is done, restart the SSH server again to apply the changes and disable password logins. From this point on, you will ONLY be able to login with your key:

/etc/init.d/sshd restart

It is STRONGLY recommended you back your private key up (id_rsa) to ensure you don’t loose access to your server if your PC crashes.

Oct 14

General Security Tips

Over the last few months, I’ve been experimenting with various IT security applications and techniques. I’d like to present a few of my favorite. These are designed to compliment each other, so I recommend using all these applications for maximum benefit.

1. Password Management

Using the same password for more than one service is a huge security risk. All it takes is for somebody to get hold of your password and suddenly they have access to all your other online services (Facebook, Gmail, etc). Because this is such a common mistake, it is one of the first things a would-be intruder would attempt.

This is where a Password Manager comes in handy. I recommend Keepass for this – It’s open source and available on every platform imaginable (Android, IOS, Windows, Linux, OSX, etc). You create one secure “Master Password” that grants you access to your encrypted password safe where an entry for each of your accounts lives. I use the built-in password generator set to a length of 25 characters for each of my entries, ensuring I have unique and VERY secure passwords. Obviously, make sure the “Master Password” is sufficiently complex, as a poor choice here would compromise the security of all your other passwords. I store the file that Keepass creates on my personal cloud service or an encrypted flash drive (See below).

2. Personal Cloud

People love using Dropbox as an alternative to flash drives. It allows you to access your files anywhere, without having to carry around a physical device. This is all well and good, but how much do you trust Dropbox not to dig through your personal stuff?

All you need to host your very own storage cloud is a virtual or dedicated server and a free installation of ownCloud. While you can use the web-interface to manage your files, there are plenty of client apps for various platforms. Be sure to “force SSL” to prevent eavesdropping. Also, enable encryption in the settings menu. This will encrypt your ownCloud files on the server’s hard drive, preventing an intruder to your server from accessing your files.

3. File Encryption

One of the nicest ways to encrypt files is through TrueCrypt. It’s an open source, cross-platform application that creates encrypted devices and volumes. Essentially, you can either encrypt an entire device (flash drive) or create a volume that is mounted as a virtual drive upon successful decryption. You have many different options available, but I recommend using AES-Twofish-Serpent which is a cascading cipher. What this means is the volume is encrypted first with AES, then the result is done via Twofish and then via Serpent. This makes it incredibly hard to crack as you are effectively dealing with 3 layers of encryption.

As far as passwords go, obviously the strength of your encryption is only as good as the password you choose. TrueCrypt allows you to also include a “key file” in the mix. A “key file” can be any file at all. When chosen, the password is mixed with a hash of the first 1024 bytes of the chosen key file. The result of this is used to encrypt the volume. This effectively provides you with two-factor encryption as you need to know the password as well has have the key file to decrypt the volume.

Sep 03

MySQL Replication

Master/Slave MySQL replication is very simple. Let’s assume we have two servers (db01 and db02). There is a database called “mydatabase” setup on db01 that we wish to start replicating to db02.

First, let’s create a replication account on the master (db01) which the slave (db02) will use to connect. Change the username and password to whatever you need:

GRANT REPLICATION SLAVE ON *.* TO ‘db02replication’@'%’ IDENTIFIED BY ‘KJN2342ebwhwhq’;

Flush the privileges to ensure this account is still there when MySQL gets restarted in future:

FLUSH PRIVILEGES;

Connect to the master MySQL and lock the tables in the database to prevent somebody writing to the DB. We need to do this as we need a stable point where we can start the replication:

USE mydatabase;

FLUSH TABLES WITH READ LOCK;

With the DB locked, we need to get some information on the binary logfile and the position of the last write:

 

SHOW MASTER STATUS;

+——————–+———–+——————–+————————-+

| File                     | Position | Binlog_do_db | Binlog_ignore_db |

+——————–+————+——————-+————————-+

| mysql-bin.031 | 123456   | mydatabase   |                                   |

+——————–+————+——————-+————————-+

1 row in set (0.00 sec)

Write down the “File” and “Position” entries. “mysql-bin.031″ is the name of the current binary log and “123456″ is the position in that file where the last write statement was executed. If we neglected to lock the DB earlier and make it read only, this would change constantly and we would have no way to tell the slave where to start replication from.

Exit the SQL shell and do a mysqldump on the database in question. This will be shipped off to the slave, an empty database created and the mysqldump imported. From there we will begin the replication with both servers at exactly the same point. Here’s the commands for those of you who are too lazy to figure this out:

mysqldump -u root -p mydatabase > sqldump.sql

scp sqldump.sql root@db02:/root

ssh root@db02

mysql -u root -p -e “create database mydatabase”

mysql -u root -p < sqldump.sql

Now login to the SQL shell on db02 and run this (Substituting master server IP,username, password, bin-file and position as required):

CHANGE MASTER TO MASTER_HOST=’172.16.0.5′, MASTER_USER=’db02replication’, MASTER_PASSWORD=’KJN2342ebwhwhq’, MASTER_LOG_FILE=’mysql-bin.031′, MASTER_LOG_POS=123456;

Start the replication by typing:

START SLAVE;

Now go back to the master and unlock the tables to allow users to write to the DB:

UNLOCK TABLES;

The last step is to verify the servers are in sync. On the master, run

SHOW MASTER STATUS;

And on the slave:

SHOW SLAVE STATUS;

Confirm that the “position” changes on BOTH servers with each write to the master. If you are on a quiet machine, simple create a bogus database and then do a few insert or update queries. Remember, select queries (and anything else that doesn’t write to the DB) will not increment the position indicator as only database writes are replicated.

 

Jun 14

Open Source Encryption

I thought I would write a quick tutorial on setting up GPG on Ubuntu 13.04.

First step is to create some keys:

gpg –gen-key

Just follow the on-screen instructions. Now be sure to make a backup of your
public and private keys!!

 

gpg -a -o public_key.asc Your Name Goes Here
gpg -a -o secret_key.asc –export-secret-keys Your Name Goes Here

Obviously, keep the secret_key.asc file somewhere safe. It will require your
password if somebody tried to import the key, but never rely on just that.
Now, get hold of the ID for your public key.

gpg –list-key

You will see something that looks like this:

pub    2048D/B53F491E        2013-06-14 [expires: 2023-06-12]
uid Daniel Kritzinger <daniel@danielkritzinger.nom.za>
sub    2048g/0D37F039              2013-06-14 [expires: 2023-06-12]

Take the 8 digit hex entry from the “pub” key (Just after the first / – Mine is B53F491E).
Let’s send this to a few key servers so other people can easily contact encrypt stuff for us.

gpg –send-keys B53F491E gpg –send-keys –keyserver pgp.mit.edu B53F491E
gpg –send-keys –keyserver keyserver.ubuntu.com B53F491E

Typically, I would then install the Enigmail plugin for Thunderbird. The config is very simple.

Jun 12

Google Hacking Part 1

Most people are unaware of the more advanced search capabilities of Google. This is the first part of a series of posts I intend to do on these advanced search functions.

Finding backups of SQL databases:

filetype:sql inurl:co.za

Simple enough, it searches all .co.za domains looking for files ending in .sql. Clueless sysadmins frequently leave backups/sqldumps lying around on web servers.

Lists of contact details

filetype:csv inurl:co.za

Again, nothing fancy. For some crazy reason people have lists of personal contacts exported to CSV and lying around on web servers!

Jun 12

AES256 via PHP

Here are two very basic PHP functions I use to encrypt and decrypt strings with a key using AES256.


function EncryptAES256($key, $message)
{
$hash = sha1($key);
$ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $hash, $message,”cbc”);
return base64_encode($ciphertext);
}


function DecryptAES256($key, $message)
{
$ciphertext = base64_decode($message);
$hash = sha1($key);
return mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $hash, $ciphertext,”cbc”);
}