Showing posts with label security.

Book Review : PGP & GPG : Email for the Practical Paranoid

January 13, 2013
Sending email unencrypted is like sending a postcard: anybody who chooses to can read its contents, and there are various tools that make it easy for strangers to snoop on the email you send. If you want to be sure that your email is read only by its intended recipients, you should consider encrypting it.

Book - Configuring IPCop Firewalls

March 14, 2011
IPCop is a powerful, open-source, Linux-based firewall distribution aimed primarily at Small Office/Home Office (SOHO) networks, although it can be used in larger ones. It provides most of the features you would expect of a modern firewall and, most importantly, sets them all up for you in a highly automated and simplified way.

This book is an easy introduction to this popular application.

Google Demonstrates The Advantages Of Using Google Notebook

December 14, 2010
Google is pulling out all the stops to win over skeptics to the Google Chrome OS way of computing.

The prominent feature being - "You just cannot lose your data on a Google Chrome notebook". Google has gone to great lengths to convince us of this - so much so that it destroys 25 computers to make this stupefying video.

Domain name theft - how it is done and steps to prevent it

December 29, 2007 2 comments
Let's say you have a sudden flash of insight about a name that is apt for your website and you wish to register it as a domain name. You fire up your web browser, visit any one of the innumerable sites that check whether a particular domain name is available, and to your absolute delight nobody has registered it yet.

So you decide to register it as soon as you can find the time ... perhaps tomorrow, because today you have an official deadline to meet. The next day, when you try to register the same domain name, you find to your dismay that it has already been snapped up by somebody else. How did this happen? Was it a case of bad luck? Maybe not. You may be the victim of a rogue company that picked up the name after intercepting your search the previous day. In effect, whoever registered your domain name has stolen your domain research: simply typing the name into the wrong lookup site may let these squatters register the domain before you do.

Jay Westerdal of domaintools.com has written an insightful piece on the precautions you can take while searching for a domain name prior to registering it. These steps go some way towards mitigating domain name theft before the name is even yours.

Review : EnGarde Secure Linux

October 15, 2007 5 comments
EnGarde Secure Linux is a Linux distribution that is tailor-made with security in mind. This is a review of the Community edition of EnGarde Secure Linux, which is freely available to download and use.

EnGarde Secure Linux is released by its parent company Guardian Digital in two forms - the Community edition, which is available for free download, and the commercial Professional edition, which includes support. The Community edition of EnGarde is full-featured, secure and built entirely from open source, and it contains many of the capabilities of the Professional edition.

Guardian Digital claims they have over 500 corporate clients across USA, Canada and the rest of the world who use EnGarde Secure Linux.

I decided to install the Community edition of EnGarde Secure Linux on my machine and take it for a spin.

One of the unique aspects of EnGarde Secure Linux is that it ships with only those packages that are absolutely necessary for it to function as a server. So you won't find software such as an X Window server or the other desktop utilities you would expect in a normal Linux distribution. What you will find are databases, a web server, a mail server and a DNS server. You can configure EnGarde Secure Linux to function as any of those, or all of them.

Installation of EnGarde Secure Linux


EnGarde Secure Linux installs on your machine using a text-based installer. If you just want to try it out, that is also possible, because the ISO works as a LiveCD as well. In LiveCD mode you can try out all the features EnGarde Secure Linux has to offer without changing anything on your hard disk.

Basically, these are the steps I had to go through to install EnGarde Secure Linux on my machine.

Fig: Booting from the CD-ROM

Fig: Decide on the partitioning scheme.

  • Change root and WebTool password - this is applicable only if you are using EnGarde as a LiveCD.
  • Decide on whether you want DHCP or static networking
  • Choose between running EnGarde in Installation mode or LiveCD mode - Here I chose Installation mode as I wanted to install it on my machine.
  • Choose the language - English is default.
  • Decide on the partitioning of your hard disk. You can either let the installer partition it automatically, creating the necessary partitions - usually /, /var and /home - or do it manually.

EnGarde Secure Linux cannot reside next to another OS: if you choose to install it, it will wipe the hard disk before installing itself.


  • Decide on the type of hard disk - whether IDE or SCSI.
  • Choose the packages - The packages are broadly classified into 6 sections namely Databases, DNS, Firewall, Mail services, Network Intrusion Detection and Web services. I selected all the packages and pressed OK and the installer started copying all the files to the hard disk.
  • Next I had to configure the network card and provide information such as the IP address, netmask, the default gateway and the network address.
  • Then it prompted me to provide a fully qualified domain name for my machine.
  • Lastly I had to enter the IP address of the primary and secondary name server.

That was it. EnGarde Secure Linux was now fully installed on my machine.

Facts at a glance


  • Very secure out of the box.
  • Cost effective - Helps companies & corporations reduce support costs.
  • Comprehensive audit system - provides accountability.
  • Can be fully configured from a remote location via any web browser.
  • Around 220 packages are included with EnGarde Secure Linux. You can add another 300 of them using the customized WebTool.
  • EnGarde is available for the i686 and x86_64 architectures and uses RPM packages managed by the apt-get command line tool.
  • Very well documented. Check out the video tutorials and documentation.

How secure is EnGarde Secure Linux


EnGarde implements security by following a number of rules.

It locks down the box in three ways, namely:

  1. Host level
  2. Network level, and
  3. Releasing up to date security patches for software.

At the host level, EnGarde Secure Linux implements features such as TCP wrappers, restricted user rights set globally, and SELinux policies running in enforcing mode.

At the network level, EnGarde Secure Linux ships with a plethora of network tools that let a system administrator analyse the security of the machine and take preventive measures. Among other things, it has a unique WebTool through which you can do any and all system administration tasks from a remote location, including rebooting or shutting down the server.

This means that after installation you can put the server in a locked room and administer it entirely over the network.

Up-to-date security patches are released regularly (roughly every month), enabling system administrators to plug holes in the server software they run. This is automated to a certain degree via the Guardian Digital Secure Network (GSDN), and you are prompted to register and create a (free) GSDN account - it is not optional.

Guardian Digital WebTool


After installation, you can physically lock the computer running EnGarde Secure Linux away from prying eyes, behind closed doors.

This is because you can access it from any other computer on your network by typing https://your-machine-ip-address:1023/ into a web browser.

You log in to the Guardian Digital WebTool using two different passwords depending on whether you are using EnGarde as a LiveCD or if you have installed it on a machine.

For LiveCD : The login name is admin and the password is the root password you set while booting the EnGarde Linux CD.

When Installed : The login name is admin and the password is lock&box. The first time you log into the Admin section, you are confronted with an initial configuration screen.

Here the first thing you need to do is register for a free GSDN account, which provides up-to-date automated security fixes to your server. Next you have to change the root and WebTool passwords (the default WebTool password is documented, so do this before exposing the box to the network). Then specify the NTP servers and your geographic location. Lastly, fine-tune the services you want to run on the server.


Fig: WebTool main page

WebTool is the pivot with which you can effectively administer the system remotely from within a web browser.

A few things you can do using the WebTool are as follows.

  • Manage users
  • Manage database servers
  • Configure the web server (Apache)
  • Implement DNS
  • View all the security logs
  • Manage mail servers
  • Enable and disable system-level services
  • Configure the firewall
  • Run most of the security tools bundled with EnGarde, such as Snort, and view their output in the web browser

The WebTool is a one stop shop for troubleshooting and managing your server from a remote location.


To sum up, I found EnGarde Secure Linux to be a unique blend: a robust Linux server topped up with loads of security features, coupled with the very powerful Guardian Digital WebTool for administering the server remotely, all from within a web browser.

Cracking a 13 digit alphanumeric password in 160 seconds

September 18, 2007 0 comments
The story might seem right out of science fiction, but it is true: with the steep increase in computing power, it is now possible to recover a password from its hashed form much more quickly, given the right tools.

Jeff Atwood writes that he was able to crack a 13-character alphanumeric password - the password in question is "Fgpyyih804423" - in just 160 seconds. For the cracking he used an open-source tool called Ophcrack, a Windows password cracker based on rainbow tables.

A rainbow table is a precomputed lookup structure offering a time-memory trade-off for recovering a plaintext password from its hash. It works against Windows because LM and NTLM hashes are unsalted: the same password always produces the same hash, so one table serves every victim. Linux, by contrast, stores salted hashes in /etc/shadow, computed with the MD5 or the stronger SHA-256/SHA-512 variants of crypt; when installing Debian, Mandriva or openSUSE the installer asks whether you want MD5 or SHA. Choose SHA, because MD5 is the weaker hash, but note that it is the random per-user salt, not the choice of hash function, that makes a precomputed table useless.

To see the password hashes on a Linux system, log in as root and view the /etc/shadow file.

So what Ophcrack does is use rainbow tables to crack passwords (thankfully only Windows passwords) in near real time. The developers have released a LiveCD based on the Slax Linux distribution which automates the process to a large extent. They claim the LiveCD cracks passwords automatically - no installation necessary, no admin password necessary, as long as you can boot from CD - so there.

While Jeff does make it sound scary, with the right precautions rainbow-table cracking can be rendered useless. Thomas Ptacek, a security expert, explains secure password schemes (per-user salts and deliberately slow hashes) and the precautions you can take to protect a machine from an attack based on rainbow tables.
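As an added example (not from Jeff Atwood's post, Ptacek's article or the Ophcrack project), here is a toy rainbow table in Python over a constructed keyspace of four-digit PINs, hashed with unsalted MD5 to stand in for an unsalted Windows-style hash. It builds the chains, recovers a PIN from its hash by walking the chains, and then shows why the same table does nothing against a salted hash of the kind /etc/shadow stores. The keyspace, chain length, number of chains, reduction function and the salt value are all assumptions chosen to keep the demo fast.

```python
import hashlib

# Constructed toy parameters: the keyspace is every four-digit PIN and the chains
# are short, so the demo runs in well under a second. Real tables cover far larger
# keyspaces (every 14-character alphanumeric, say) with millions of long chains.
KEYSPACE = 10_000
CHAIN_LEN = 20
NUM_CHAINS = 1500


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted hash such as LM/NTLM: same password, same hash,
    on every machine, which is exactly what makes a precomputed table worthwhile."""
    return hashlib.md5(password.encode()).hexdigest()


def reduce_fn(digest: str, position: int) -> str:
    """Reduction function: maps a hash back to *some* password in the keyspace.
    Mixing in the chain position gives each column its own reduction, which is
    the 'rainbow' trick that limits chain merges (assumed formula, not Ophcrack's)."""
    n = (int(digest[:12], 16) + position * 7919) % KEYSPACE
    return f"{n:04d}"


def chain_passwords(start: str) -> list:
    """The CHAIN_LEN passwords covered by the chain that begins at `start`."""
    covered, p = [], start
    for pos in range(CHAIN_LEN):
        covered.append(p)
        p = reduce_fn(unsalted_hash(p), pos)
    return covered


def build_table() -> dict:
    """Precompute the chains but keep only end point -> start points; that is the
    'memory' side of the time-memory trade-off. Merged chains keep every start."""
    table = {}
    for i in range(NUM_CHAINS):
        start = f"{(i * 7) % KEYSPACE:04d}"          # deterministic start points
        last = chain_passwords(start)[-1]
        end = reduce_fn(unsalted_hash(last), CHAIN_LEN - 1)
        table.setdefault(end, []).append(start)
    return table


def crack(table: dict, target: str):
    """Recover the password behind an unsalted hash, or None if the table misses."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column `col` and finish its chain to the end.
        p = reduce_fn(target, col)
        for pos in range(col + 1, CHAIN_LEN):
            p = reduce_fn(unsalted_hash(p), pos)
        # Regenerate every chain with that end point and look for the hash in it.
        for start in table.get(p, []):
            for candidate in chain_passwords(start):
                if unsalted_hash(candidate) == target:
                    return candidate
    return None


def salted_hash(password: str, salt: str) -> str:
    """What /etc/shadow-style crypt does: a per-user random salt goes into the
    hash, so a table built for unsalted hashes never matches. The salt is a
    constructed constant here; a real system draws a fresh one for every account."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def coverage(table: dict, sample: int = 200) -> float:
    """Fraction of the first `sample` PINs the table recovers. Chains merge, so
    this stays below 100% unless far more chains are precomputed."""
    pins = [f"{n:04d}" for n in range(sample)]
    return sum(crack(table, unsalted_hash(p)) == p for p in pins) / sample


def demo() -> dict:
    table = build_table()
    victim = chain_passwords("0000")[5]        # a PIN we know the table covers
    return {
        "unsalted_cracked": crack(table, unsalted_hash(victim)) == victim,
        "salted_cracked": crack(table, salted_hash(victim, "x7Qp")) is not None,
        "coverage": coverage(table),
    }


if __name__ == "__main__":
    print(demo())
```

The table stores only chain end points, so its memory is a small fraction of a full hash-to-password dictionary; the price is the chain walking in `crack`, which is the "time" side of the trade-off. The salted lookup fails not because the hash function changed but because the table was built for `md5(password)` and the victim's hash is `md5(salt + password)`; an attacker would need a separate table per salt value, which is what makes salting effective.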

Is it possible to hack into a gmail address ? - Really scary

September 07, 2007 3 comments
Who doesn't have a Gmail id nowadays? In my honest opinion, I am yet to discover a more user-friendly web mail host. Gmail is non-intrusive and provides all the advanced and usable features, such as POP3, mail search and much more.

But recently, at a Black Hat security convention, Robert Graham, the CEO of Errata Security, surprised attendees by hijacking a Gmail session on camera and reading the victim's email. He went further, taking over another journalist's Gmail account and sending emails from it. Really scary.

So how do you protect yourself from somebody sniffing your traffic in transit and hijacking your Gmail session? There is one way to make sniffing much harder: use Gmail's SSL feature. SSL stands for Secure Sockets Layer and provides encrypted data transfer across the web; e-commerce sites, for instance, use it to carry your credit card details. Google offers SSL for Gmail, and all it takes to enable it is to type the address https://mail.google.com instead of http://mail.google.com. Note the 's' in 'https'. With it, instead of encrypting only the username and password, Gmail encrypts the whole mail session, so the session cookie that identifies you after login (which is what the demonstration above captured) never travels in the clear.

So the next time you log on to your Gmail account, use https instead of http and you will be fairly safe from having your mail sniffed in transit.

Howto: Build an selinux policy the Red Hat enterprise way

August 29, 2007 0 comments
Red Hat / Fedora now have GUI tools to help edit and create SELinux policy files, and it is much simpler to create a custom SELinux policy in Red Hat Enterprise Linux.

In this detailed article, Dan Walsh gently walks you through the policy module creation process.

A lot of people think that building a new SELinux policy is magic, but magic tricks never seem quite as difficult once you know how they’re done. This article explains how to build a policy module and gives you the step-by-step process for using the tools to build your own.

Read more in Dan Walsh's step-by-step guide to creating an SELinux policy module.

Update: Also check out this PDF presentation on Managing Red Hat Enterprise Linux 5, which also contains information on SELinux.

SSH tutorial for Linux

August 26, 2007 0 comments
These are some of the SSH tutorials / guides you will find on this blog.

  • What is SSH? - An introduction to SSH with examples.
  • SSH Keys - Their usage and why you should use them.
  • Mosh - A better alternative to SSH.

How to find out if your Linux machine has been hacked ?

0 comments
It is rare for a Linux PC used as a desktop to get compromised, especially if you do not run any services such as a web server or mail server. Moreover, many modern Linux distributions targeted at the end user, Ubuntu for example, ship with no network services listening by default, and others such as PCLinuxOS bundle a robust firewall. All this makes an intruder's job that much harder.

But suppose that, despite all the precautions you take, some resourceful cracker finds a loophole and breaks into your machine: how do you detect that it has been compromised in the first place?

Lars has written a step-by-step account of how he ascertained that a Linux server run by his friend had been compromised by an intruder. His findings show what you can expect, and the steps to take, when you suspect your machine has been rooted.

The server was running a fairly up-to-date Ubuntu 6.06 LTS. He concludes that the compromise could have been caused by:
  1. An exploit unknown to the public.
  2. A user accessing the server from an already compromised host, from which the attacker could sniff the password.
Read this very interesting article, which throws some light on the actions of a hacker.

TrueCrypt Tutorial: Truly Portable Data Encryption

May 28, 2007 1 comments
TrueCrypt is one of the many disk encryption tools available on Linux and other Unices. Some of its features are as follows (and I quote):
  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire hard disk partition or a storage device such as USB flash drive.
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
    1. Hidden volume (steganography).
    2. No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
  • Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: LRW.
Lipiec at Polishlinux.org has written a very good tutorial explaining how to set up and use TrueCrypt on Linux, right from downloading the code, compiling and installing it, to creating encrypted volumes. Just so you know, TrueCrypt is also available in deb and rpm formats, so if you use one of the major Linux distributions such as Debian, Ubuntu or Fedora you can skip compiling from source.

TrueCrypt is available for Linux and Windows, but the developers provide an easy-to-use GUI only for the Windows platform. Linux users still depend on the command line to set up and manage encrypted volumes.

Check for Rootkit in Linux

December 18, 2006 0 comments
This article explains various ways of detecting rootkits in Linux.

Care to break the law using GNU/Linux ? Then here are a couple of ways of getting free internet access.

July 04, 2006 1 comments
The dawn of the internet era has seen more and more people jump on the bandwagon and spend a significant part of their free time, as well as work time, online. Each day we find new ways of using the Internet, and slowly but surely the web is getting more ingrained in our daily lives. And, as with any popular medium, a good deal of energy is spent in various quarters on getting free access to it by taking advantage of loopholes in the underlying technology.

Doug has an interesting article describing how to use ICMP tunneling to get access to your neighbour's internet connection.

ICMP stands for Internet Control Message Protocol and carries information about the status of the network. It has a wide variety of uses, such as reporting whether remote hosts are reachable, signalling errors in the underlying network and detecting congestion. 'ping', one of the most common tools for testing connectivity through the lower three layers of the OSI model, uses ICMP echo requests and replies to do its job.

And on a different note, Karl Bitz explains how to crack WEP using a machine running Ubuntu. The usual assumption in both cases is that you, as well as the neighbour in question, use wireless to connect to the internet.

On a personal note, I do not support illegal ways of gaining things. In fact one very strong motivating factor for me to embrace GNU/Linux was the freedom from being dependent on (often pirated) proprietary software. But from a theoretical point of view, both the articles are interesting because they throw a wee bit more light on the technologies underlying the wireless internet access.

How to Secure Apache Web Server

June 19, 2006 0 comments
In an earlier post I explained how to host websites on one's personal machine using the Apache web server, as well as how to password-protect the website using .htaccess and .htpasswd files.

How to securely erase the hard disk before selling one's computer

June 01, 2006 20 comments
There are times when the news sites are abuzz with sensational items - the kind that tempt one to pitch in and have his/her say, come what may. The story of someone who bought a laptop on eBay, found it defective, and took revenge on the seller by posting all the personal data from its hard disk on a website is by now a legend.

It is hard to decide who is in the right here - the person who published the private data (for all you know, the laptop in question could have been damaged in transit) or the seller, now the talk of the town, whose life is being dissected in public. There is no way to know, but that is beside the point. What is scary is that it is next to impossible to delete all the data stored on a storage medium without physically destroying it, because with the right tools anybody can retrieve even deleted data.

So what can be done? If you are using GNU/Linux or any other UNIX, you have a tool called shred which overwrites all the data on a hard disk. Here is how it works. Suppose I want to erase everything on my hard disk; I boot from a LiveCD such as Knoppix, open a shell and type the following command:

# shred -vfz -n 100 /dev/sda

Here /dev/sda is my whole hard disk. -n 100 asks shred to make 100 passes, each overwriting the entire disk with random data (current versions of shred default to three, and beyond a handful of passes the extra ones cost time rather than adding security), -z adds a final pass of zeros so the disk does not look obviously shredded, -f forces the write by changing permissions where necessary, and -v shows progress.

Another GPLed tool (not specifically related to Linux) which is quite popular is Darik's Boot and Nuke (DBAN), which also does a great job of securely erasing the data on your hard disk.

Experts in data recovery may still be able to get some data from a disk wiped in this manner, but the ordinary folks who buy second-hand laptops and computers will find it beyond their means to lay their hands on your data if you have wiped the disk this way before selling your PC or laptop. One caveat: shred relies on overwriting the data in place, which flash-based drives with wear levelling do not guarantee, so on an SSD use the drive's own secure-erase command instead.

.htaccess File Generator

May 26, 2006 0 comments
Apache is one of the most flexible web servers around, and one of the features that makes it so flexible is a hidden file named '.htaccess'. Web site administrators use this file to make configuration changes on a per-directory basis, especially when they do not have access to the main configuration file of the Apache web server.
You can use .htaccess to password-protect the files in a particular directory of your website, give mod_rewrite rules, force HTTP requests to use SSL, and so on. In fact, one can write just about any rule that could be configured in the main Apache configuration file, subject to what the AllowOverride directive permits.

But if you find writing the directives by hand a hassle, then this web page will help you create a .htaccess file from scratch with the parameters of your choice.

Password protect your website hosted on Apache web server

February 24, 2006 17 comments
At times, when I am browsing the web, I click on a link such as this one and, instead of a web page, I get a dialog box asking me to enter my user name and password. Only after I have been authenticated do I get access to the website (or page). This kind of password protection is very simple to implement in the Apache web server.

Basically, the whole process of password authentication rests on just two files:
  1. .htpasswd - This file contains the user name / password combinations of the users who are allowed access to the website or page. It can reside anywhere other than the directory (or path) of your website; usually it is created in the Apache configuration directory (/etc/apache2/.htpasswd), because this file must not be reachable by visitors to the site.
  2. .htaccess - This file defines the actual rules by which users are given or denied access to a section of the website, or to the whole of it. It should reside in the base directory of the website. For example, if my website is located in '/var/www/mysite.com' and I want to require authentication for the entire website, I store the file at '/var/www/mysite.com/.htaccess'.
If you are implementing this feature for the first time on your server, you have to create the .htpasswd file. I chose to create it in the apache2 configuration directory. After this, you can add any number of users and assign passwords to them, using the htpasswd utility that is installed with the apache2 web server.
# htpasswd -c /etc/apache2/.htpasswd ravi
New password: *****
Re-type new password: *****
Adding password for user ravi
In the above command, the -c option asks htpasswd to create a new .htpasswd file in /etc/apache2 (omit -c when adding further users, or the existing file is overwritten). I have also given the name of the user (myself), and the utility asks me for the password that will be used to authenticate me before allowing access to the site.

Note: Any number of users and their passwords may be entered in the same .htpasswd file.

Now I make the .htpasswd file readable by the web server (it must be readable by the user Apache runs as; here I use 644):
# chmod 644 /etc/apache2/.htpasswd
The next step is creating the .htaccess file, which will protect the whole or a part of the website located in /var/www/mysite.com. Since I want to password-protect the whole website, I create the file in the /var/www/mysite.com base directory. If I only wanted to protect a sub-directory (say 'personal') of this site, I would create it in /var/www/mysite.com/personal instead.
# touch /var/www/mysite.com/.htaccess
Now I enter the following lines in the .htaccess file :
AuthUserFile  /etc/apache2/.htpasswd
AuthGroupFile /dev/null
AuthName MySiteWeb
AuthType Basic
require user ravi
Here 'AuthUserFile' points to where I stored the .htpasswd flat file containing the user names and password hashes.
AuthGroupFile points to the group file containing groups of users. I have opted not to have a group file and hence point it at /dev/null.
AuthName sets the name of the authorization realm for this directory. The name can contain spaces (quote it if it does) and is shown to users so they know which username and password to send.
AuthType Basic instructs Apache to use HTTP Basic authentication, in which the browser sends the username and password base64-encoded (not encrypted) with every request, so this should only be used over HTTPS unless the network path is trusted.
The last line - require user ravi - tells Apache that only the user named 'ravi' may have access, provided the right password is entered. If more than one user is to be allowed, append their names to the line. Suppose I want another user to access the files; I modify the line as follows:
require user ravi john
And if I want all the users listed in the .htpasswd file to be allowed access, the line is modified as thus:
require valid-user
The .htaccess file also has to be provided the right file permissions.
# chmod 644 /var/www/mysite.com/.htaccess
One more step is needed: changing a line in the apache2 configuration file. In a previous article titled "Host websites on your local machine using Apache webserver", I had dwelled upon the modular structure of the Apache 2 configuration files.

Following that structure, assuming my configuration file for the website /var/www/mysite.com is stored in /etc/apache2/sites-available/mysite.com , I open the file in an editor and change the following line :
<Directory /var/www/mysite.com/>
...
AllowOverride None
...
</Directory>
TO
<Directory /var/www/mysite.com/>
...
AllowOverride AuthConfig
...
</Directory>
... and save and exit the file. Now restart apache web server to re-read the configuration file.

Note: If you are using apache (1.x) instead of apache2, the file to edit is /etc/httpd/conf/httpd.conf, though the lines to edit are the same.

That is it. From now on any user who visits the website will first have to enter the correct username and password before he is allowed access to the website.

Configuring Apache webserver to restrict access to your website

April 06, 2005 2 comments
Apache is the most popular web server, with a market share of around 60% at the time of writing. Here I will explain a small but very useful feature of the Apache web server: restricting access to (a part of) your website to a privileged few by means of usernames and passwords.
There are two ways of restricting access to documents:
  1. By the hostname or address of the client
  2. By asking for a username and password
The first method can be used, for example, to restrict documents to use within a company. But if the people accessing the documents are widely dispersed, the second method is more suitable.
Here I will explain the second method, i.e. assigning usernames and passwords to the users authorized to access the documents. This is known as user authentication.
Setting up user authentication takes two steps :
  1. Create a file containing usernames and passwords - Apache ships with a utility called htpasswd to create this file. Here I am creating a file called 'users' in the /usr/local/etc/ directory.
Note: For security reasons, the above file should NOT be under the document root. It can be anywhere BUT the document root.
The first time you run the htpasswd utility, you run it using the -c flag as follows:
# htpasswd -c /usr/local/etc/users gopinath
The -c argument tells htpasswd to create a new users file (it overwrites one that already exists, so use it only the first time). When you run the above command, you will be prompted to enter a password for the user gopinath and to confirm it by entering it again. Other users can be added to the existing file in the same way, except that the -c argument is omitted. The same command can also be used to change the password of an existing user.
After adding a few users, the /usr/local/etc/users file might look like this :
gopinath:WrU90BHQai36
kumar:iABSd12QWs67
ankit:Wer56HsD12s6
The first field is the username and the second field is the password hash; htpasswd never stores the password itself.
Now comes the Apache server's configuration part. Open the apache server's configuration file /etc/httpd/conf/httpd.conf (your configuration file will be in different location depending on the distribution you are using) and look for the line :
AllowOverride None 
And change it to
AllowOverride AuthConfig
If you want to protect the document root itself, create a file '.htaccess' in the top directory path and include the following lines to it:
#File: .htaccess
AuthName "Only Valid Access"
AuthType Basic
AuthUserFile /usr/local/etc/users
require valid-user
AuthName - directive specifies a realm name for this protection. Once a user has entered a valid username and password, any other resource within the same realm name can be accessed with the same username and password.
AuthType - directive tells the server what protocol is to be used for authentication. 'Basic' sends the username and password base64-encoded with every request. Apache also supports 'Digest' (mod_auth_digest), which sends a hash instead of the password, but browser support for it was uneven when this was written; the dependable protection for Basic is to serve the site over HTTPS.
AuthUserFile - tells the server the location of the user file created by htpasswd utility. A similar directive, AuthGroupFile, can be used to tell the server the location of a group's file.

Lastly don't forget to restart the web server which rereads the changed configuration files :
# service httpd restart
From here on when you try to access your protected site or the directory via the web browser, you will be asked for authentication first. And only those users whose name has been entered in the file pointed to by the AuthUserFile directive will be allowed access to your site.
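To make concrete what the directives above, and the .htaccess in the earlier "Password protect your website hosted on Apache web server" post, actually check, here is an added Python example that is not Apache's code and not part of either post. It decodes an "Authorization: Basic" header the way the server does, looks the user up in an htpasswd-format file, and applies a "require user ..." or "require valid-user" rule. The file contents, user names and passwords are constructed for the example. It uses the {SHA} entry format that "htpasswd -s" writes (base64 of the SHA-1 of the password) rather than the crypt format shown above, because that format can be checked with the Python standard library alone.

```python
import base64
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Entry in the {SHA} format that `htpasswd -s` writes: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed .htpasswd contents for the example (users and passwords invented here).
HTPASSWD = "\n".join([
    "ravi:" + sha_entry("s3cret-ravi"),
    "john:" + sha_entry("john-pass"),
    "kumar:" + sha_entry("kumar-pass"),
])


def load_htpasswd(text: str) -> dict:
    """Parse 'user:hash' lines; the file never holds the password itself."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, entry = line.split(":", 1)
            users[user] = entry
    return users


def check_password(entry: str, password: str) -> bool:
    """Verify against a {SHA} entry (apr1-MD5, bcrypt and crypt entries need more code)."""
    if not entry.startswith("{SHA}"):
        return False
    expected = base64.b64decode(entry[len("{SHA}"):])
    actual = hashlib.sha1(password.encode()).digest()
    return hmac.compare_digest(expected, actual)       # constant-time comparison


def parse_basic(header: str):
    """Decode an 'Authorization: Basic <token>' value into (user, password).
    The token is only base64, not encryption: anyone who can sniff the request
    recovers the password, which is why Basic belongs behind HTTPS."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):          # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(users: dict, require: str, auth_header: str) -> str:
    """Apply the AuthUserFile + require check the way the .htaccess above does.
    Returns 'ok', or the reason the server would answer 401 and re-show the realm prompt."""
    creds = parse_basic(auth_header or "")
    if creds is None:
        return "no-credentials"
    user, password = creds
    entry = users.get(user)
    if entry is None or not check_password(entry, password):
        return "bad-credentials"
    words = require.split()
    if words[:1] == ["valid-user"]:                   # anyone listed in the file
        return "ok"
    if words[:1] == ["user"] and user in words[1:]:   # only the named users
        return "ok"
    return "not-permitted"


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the realm prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD)
    for user, pw, rule in [("ravi", "s3cret-ravi", "user ravi john"),
                           ("kumar", "kumar-pass", "user ravi john"),
                           ("kumar", "kumar-pass", "valid-user"),
                           ("ravi", "wrong", "valid-user")]:
        print(user, rule, "->", authorize(users, rule, basic_header(user, pw)))
```

Two points the code makes visible: `parse_basic` recovers the cleartext password from the header with nothing more than a base64 decode, which is the whole argument for putting a Basic-protected site behind HTTPS; and the password check compares hashes with `hmac.compare_digest` rather than `==`, so the comparison does not leak timing information about how many bytes matched.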