Archive
Posts in Security
Protecting rpcbind with tcp_wrappers
While perusing some of the new features in Solaris 10, I saw that rpcbind is now tcp_wrappers aware. This allows you to limit which services can send RPC requests to a server, and can be used to deny all RPC requests except those originating from the host itself. To enable tcp_wrappers and limit inbound requests to the loopback interface, the svccfg(1m) utility can be run to enter the SMF configuration console: Once in the SMF configuration console, you need to select the rpc/bind service with the 'select' command: Once the service is selected, you can view the service properties using the 'listprop' command: Once the properties have been reviewed, you can enable tcp_wrappers by setting the 'config/enable_tcpwrappers' attribute to 'true': To exit the SMF configuration console, the 'end' keyword can be used: After the SMF service has been configured, the tcp_wrappers hosts.deny and hosts.allow files need to be updated to limit RPC requests to the loopback interface: Once these files are created, you can start using a tcp_wrapped rpcbind by restarting the rpc/bind process with the svcadm utility: After the rpcbind process has been restarted, each non-local connection to TCP port 111 will be RST: I digs me some tcp_wrapper!
$ read more →Measuring approximate CPU speeds with openssl
I use a variety of hardware in my day-to-day activities, and was curious to see how they compared to each other. While I could run a micro benchmarking tool to get detailed information on memory, cpu, network and disk throughput, I thought it would be easier to use openssl's 'speed' option to get a rough approximation of each machines capabilities. The results are listed below: Ultra 10 with (1) 440 MHZ UltraSPARC IIi CPU: Fujitsu 250 with (1) 900 MHZ UltraSPARC64V CPU: Powerbook G4 with (1) 1.5 GHZ G4: IBM HS20 Blade with (1) 3.0 GHZ Intel Xeon CPU w/ Hyperthreading:
$ read more →Verifying digital signatures
I recently downloaded the samhain file integrity verification suite, and wanted to verify the authenticity of the package. The samhain developers distribute samhain as tar archive, which includes the source code and a detached ASCII signature file: To verify the source code that is contained in the file samhain-2.0.10a.tar.gz using the detached ASCII signature stored in the file samhain-2.0.10a.tar.gz.asc, I downloaded the samhain developers public key, and imported it into my keychain with the gpg "--import" option: Once the public key was imported, I used gpg's "--fingerprint" option to extract a digital fingerprint from each public key: Once I had the fingerprint and the keyid, I verified both pieces of information with a trusted source. After I verified the authenticity of the key I imported, I used gpg's "--verify" option along with the signature file (an encrypted hash) to verify the files contents with the key I just imported: Verifying signatures can help ensure that the source code you download hasn't been replaced with a malicious variant. The gpg(1) manual contains lots of information on signatures, and provides a detailed breakdown of the available gpg options.
$ read more →Beware of your printer
I read the article Is Your Printer Spying On You? in awe. While I have always known that government intelligence agencies were working back room deals in the sake of "protecting America," it never dawned on me that they are using the printer companies to identify people through the material they print. This is some spooky stuff!
$ read more →Solaris 10 rpcbind runs with reduced privileges
While messing around with ppriv(1m) today, I noticed that rpcbind(1m) was modified to run with reduced privileges in Solaris 10: The !proc_exec and !proc_exec privilege settings are super cool (the "!" means a privilege has been revoked). These privilege reductions should reduce the chance of fork()'ing a process and exec()'ing shell if a buffer overflow is found in rpcbind (which has historically been a security nightmare).
$ read more →