Archive
Posts in Security
Integrating ssh-agent into your login process
Most of my readers utilize SSH keys to access remote systems. The security bene fits are well known, and key-based authentication makes automating remote t asks a whole lot easier. When you use key-based authentication it becomes imperative to protect your private key, since a third party could access your systems if they were able to gain access to your account. The SSH key generator (ssh-keygen) will attempt to encrypt your private key by default, and can also be used ssh-keygen to add a password to a private key after the fact…
$ read more →How to figure out if a processes has been chroot()'ed
A number of applications (e.g., custom chroot jails, openssh, vsftp, apache) support the ability to chroot themselves. To find out if a process called chroot() at startup, you can check the /proc/ /root entry for the process. For non-chrooted processes this entry will point to /: For a chrooted process the root directory will point to the directory passed to the chroot() system call: Chroot environments can be made secure, especially if you follow the coding practices discussed in Building Secure Software and Using Chroot Securely. These are must reads for anyone who plans to use chroot()!
$ read more →A couple of gotchas with the OpenSSH chroot() implementation
I previously discussed the OpenSSH Match directive, and how it can be used to chroot SSH and SFTP users. Over the past couple of months I've encountered some gotchas with the chroot implementation in OpenSSH. Since I had to figure these items out myself, I figured I would share my findings here so folks wouldn't need to spend hours looking at source code (if you want to geek out and see how this works, check out session.c in the OpenSSH source code). The first gotcha occurs when the users home directory doesn't have the correct permissions…
$ read more →How to encrypt an SSH private key
If you are using SSH key-based authentication you should be encrypting your private key. This ensures that if someone breaks into your server and steals your keys, they won't be able to utilize them to access other systems. If your private key isn't encrypted you can use the ssh-keygen utilities "-p" option to do so: This option can be used to change the password used to encrypt a private key, and to add a password to an existing private key. Viva la OpenSSH!
$ read more →Using exec-shield to protect your Linux servers from stack, heap and integer overflows
I've been a long time follower of the OpenBSD project, and their amazing work on detecting and protecting the kernel and applications from stack and heap overflows. Several of the concepts that were developed by the OpenBSD team were made available in Linux, and came by way of the exec-shield project. Of the many useful security features that are part of exec-shield, the two features that can be controlled by a SysAdmin are kernel virtual address space randomizations and the exec-shield operating mode. Address space randomization are controlled through the kernel.randomize_va_space sysctl tunable, which defaults to 1 on my CentOS systems: The exec-shield operating mode is controlled through the kernel.exec-shield sysctl value, and can be set to one of the following four modes (the descriptions below came from Steve Grubb's excellent post on exec-shield operating modes): A value of 0 completely disables ExecShield and Address Space Layout Randomization > A value of 1 enables them ONLY if the application bits for these protections are set to “enable” > A value of 2 enables them by default, except if the application bits are set to “disable” > A value of 3 enables them always, whatever the application bits The default exec-shield value on my CentoOS servers is 1, which enables exec-shield for applications that have been compiled to support it: To view the list of running processes that have exec-shield enabled, you can run Ingo Molnar and Ulrich Drepper's lsexec utility: In this day and age of continuos security threats there is little to no reason that you shouldn't be using these amazing technologies…
$ read more →