Prefetch Technologies // Keeping your cache lines cozy


Posts in Security

Verifying SSH host keys

security | Jul 15, 2006 | 1 min read

If you use SSH to access remote servers, the ssh client will prompt you the first time you connect to a server whose key is not yet in your known_hosts file, and ask you to accept the server's host key:

The authenticity of host 'mail.me.net (1.2.3.4)' can't be established.
RSA key fingerprint is 72:c6:5f:e7:85:c8:23:5f:c6:c9:99:88:dd:aa:bb:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mail.me.net,1.2.3.4' (RSA) to the list of known hosts…
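Checking the fingerprint in that prompt against the server's own public key, as an added example that is not part of the original post: the code below computes the colon-separated MD5 fingerprint the 2006-era client prints (and the SHA256 form current OpenSSH prints) from either a .pub line or a known_hosts line. The key material is constructed in the block so it runs offline; in practice you obtain /etc/ssh/ssh_host_rsa_key.pub out of band (console, or a session you already trust) and compare before typing yes.

```python
import base64
import hashlib


def _mpint(n: int) -> bytes:
    """SSH wire-format mpint: 4-byte length, then big-endian two's complement
    (a leading 0x00 is added when the high bit is set)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def _string(s: bytes) -> bytes:
    """SSH wire-format string: 4-byte length, then the bytes."""
    return len(s).to_bytes(4, "big") + s


def make_sample_pubkey_line(modulus: int, exponent: int = 65537,
                            comment: str = "root@mail") -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line.
    Constructed for this example: the fingerprint hashes only the encoded
    blob, so the modulus need not be a real RSA modulus."""
    blob = _string(b"ssh-rsa") + _mpint(exponent) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed, not a real key: an odd ~1016-bit number to stand in for n.
SAMPLE_MODULUS = int("c0ffee" * 42 + "01", 16)
SAMPLE_PUB_LINE = make_sample_pubkey_line(SAMPLE_MODULUS)
# known_hosts adds the host field (and possibly '@cert-authority' or a '|1|' hashed name) in front.
SAMPLE_KNOWN_HOSTS_LINE = "mail.me.net,1.2.3.4 " + SAMPLE_PUB_LINE


def key_blob(line: str) -> bytes:
    """Return the decoded key blob from a *.pub or known_hosts line.
    Scans for the key-type field so leading host fields and trailing
    comments are both ignored."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")):
            return base64.b64decode(fields[i + 1])
    raise ValueError("no SSH key type field found in line")


def md5_fingerprint(line: str) -> str:
    """Old-style fingerprint: 16 colon-separated lowercase hex bytes,
    the format shown in the prompt quoted above."""
    digest = hashlib.md5(key_blob(line)).digest()
    return ":".join(f"{b:02x}" for b in digest)


def sha256_fingerprint(line: str) -> str:
    """Current OpenSSH format: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line: str, shown: str) -> bool:
    """Compare the fingerprint the ssh client displayed with one computed
    from the server's own public key obtained out of band. Accepts either
    format; the MD5 form may carry an 'MD5:' prefix and any letter case."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return shown == sha256_fingerprint(line)
    shown = shown.lower()
    if shown.startswith("md5:"):
        shown = shown[4:]
    return shown == md5_fingerprint(line)


if __name__ == "__main__":
    print("MD5   ", md5_fingerprint(SAMPLE_PUB_LINE))
    print("SHA256", sha256_fingerprint(SAMPLE_PUB_LINE))
    # Same key, whether read from the .pub file or from known_hosts.
    print(fingerprint_matches(SAMPLE_KNOWN_HOSTS_LINE,
                              md5_fingerprint(SAMPLE_PUB_LINE)))
```

On the server itself, `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` prints the same fingerprint (`-E md5` selects the colon-hex form on newer OpenSSH). A mismatch means you are not talking to the host you think you are, whether because the key was regenerated or because something is sitting between you and it; answering yes in that case pins the wrong key in known_hosts.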


Accessing services behind a NAT

security | Jun 25, 2006 | 2 min read

I use the OpenBSD PF (packet filter) firewall at home to protect the systems I run, and to provide access to a few services over the Internet. The services I make accessible to the Internet run on servers in RFC 1918 address space, which requires my OpenBSD gateway to translate IP addresses and apply inbound filter policies for the services I expose. The PF documentation describes how to do this, but I thought I would share the setup I use in case folks are interested. To begin, you should define one or more tables and macros to make your firewall rule file easier to manage…


Maximizing IP Filter performance with group statements

security | Mar 29, 2006 | 4 min read

Solaris 10 ships with the IP Filter firewall package, which is a fast, flexible and versatile firewall engine. By default IP Filter reads /etc/ipf/ipf.conf to get the list of rules (e.g., pass in all) to apply to traffic as it traverses the interfaces in a system, and these rules are applied in a top-down fashion. If rules are not optimally ordered and grouped, CPU cycles will be wasted, since IP Filter will have to check each packet against a set of rules that don't apply to the type of traffic passing through the interface. The following rule set is a good example of a poorly written IP Filter configuration file: When a system using this rule set receives a new connection on TCP port 995 (secure POP), the IP Filter firewall engine will need to evaluate 8 rules prior to allowing the connection through…


Sending breaks through ssh

security | Mar 21, 2006 | 1 min read

I have a small lab at home, and periodically need to gain console access to one or more of the machines. Since I don't have a KVM switch or a monitor to devote to each machine, I will typically hook up a serial cable between serial port A on machine one and serial port B on machine two. Once the connection is in place, I establish an SSH session to node two and then use minicom or tip to connect to node one's console. Since tip and SSH both default to using "~" as the escape character, issues will arise if you need to send a break remotely…


Removing messages from POP3S servers

security | Feb 27, 2006 | 1 min read

While checking my e-mail recently, I noticed that my inbox contained several new messages that were roughly 3MB in size. The quantity of messages was choking my poor text-based e-mail client, so I needed to figure out what was happening. After spending a few minutes reviewing my maillog, I noticed that my mail retrieval program was erroring out while popping the 3MB messages (it transferred each message, but never issued a DELE when it finished). Since my mail retrieval program was having issues retrieving the 3MB files, I decided to fire up openssl and delete the messages myself: I really dig openssl, and find myself using it daily…
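The same clean-up done programmatically, as an added example that is not part of the original post: instead of typing POP3 commands into openssl s_client, it uses Python's poplib over TLS, finds messages above a size threshold from the LIST response, DELEs them, and QUITs. The LIST lines, the 1 MB threshold and the FakePop3 stand-in are constructed here so the block runs offline; connect_pop3s is the real-server path and is not called by default.

```python
import poplib
import ssl

# Constructed sample LIST response, in the shape poplib.POP3.list()[1] returns:
# one b"<msg-number> <size-in-octets>" line per message. Not from a real server.
SAMPLE_LIST = [b"1 1824", b"2 3145728", b"3 977", b"4 3211264"]


def select_oversized(list_lines, max_octets):
    """Return the message numbers whose size exceeds max_octets."""
    oversized = []
    for line in list_lines:
        num, size = line.split()[:2]
        if int(size) > max_octets:
            oversized.append(int(num))
    return oversized


def delete_oversized(pop, max_octets):
    """Mark every message larger than max_octets for deletion, then QUIT.

    POP3 (RFC 1939) only removes DELE'd messages when the session reaches
    the UPDATE state via QUIT. A client that errors out mid-retrieval and
    drops the connection never gets there, which is why the oversized
    messages kept reappearing. Returns the message numbers deleted."""
    _resp, lines, _octets = pop.list()
    targets = select_oversized(lines, max_octets)
    for num in targets:
        pop.dele(num)
    pop.quit()  # commits the deletions
    return targets


class FakePop3:
    """Offline stand-in for poplib.POP3_SSL exposing the three methods used
    above and recording the commands sent. Constructed for this example."""

    def __init__(self, list_lines):
        self.list_lines = list_lines
        self.sent = []

    def list(self):
        self.sent.append("LIST")
        size = sum(len(line) + 2 for line in self.list_lines)
        return (b"+OK", list(self.list_lines), size)

    def dele(self, num):
        self.sent.append(f"DELE {num}")
        return b"+OK"

    def quit(self):
        self.sent.append("QUIT")
        return b"+OK"


def connect_pop3s(host, user, password, port=995):
    """Real POP3S session with certificate verification, the equivalent of
    'openssl s_client -connect host:995' followed by USER and PASS.
    host, user and password are the caller's; nothing here is a real account."""
    ctx = ssl.create_default_context()
    pop = poplib.POP3_SSL(host, port, context=ctx)
    pop.user(user)
    pop.pass_(password)
    return pop


if __name__ == "__main__":
    fake = FakePop3(SAMPLE_LIST)
    print(delete_oversized(fake, 1024 * 1024))  # [2, 4]
    print(fake.sent)  # ['LIST', 'DELE 2', 'DELE 4', 'QUIT']
```

Swap FakePop3 for connect_pop3s("mail.me.net", user, password) to run it for real; the same LIST/DELE/QUIT sequence is what you would type by hand into openssl s_client, and the QUIT is the step that matters.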
