Prefetch Technologies // Keeping your cache lines cozy

Archive

Posts in Security

Configuring a Linux NFS server in a SELinux-managed environment

security · Nov 2, 2010 · 2 min read

The Linux kernel has supported NFS for as long as I can remember. All of the major distributions (Red Hat, CentOS, Fedora, SUSE, Ubuntu) ship with NFS client and server support and have all of the userland daemons and tools needed to configure and debug NFS. I spent some time this past weekend bringing up a new NFS server in a SELinux-managed environment, and thought I would share my experience with my readers. Setting up a Linux NFS server with SELinux can be done in just a few simple steps: Configure SELinux to allow remote hosts to access content that is exported through NFS…

$ read more →

Using TCP Wrappers to protect Linux and Solaris services

security · Oct 30, 2010 · 2 min

I have been using TCP wrappers for years, and it's a very simple way to allow and deny network access to applications. TCP wrapper functionality is built into the system libwrap.so library, which various applications are linked against. To see if a given application supports TCP wrappers, you can use the ldd utility: TCP wrappers are configured through the /etc/hosts.allow and /etc/hosts.deny files. The hosts.allow file allows you to control which services will be accepted, and the hosts.deny file allows you to control which services will be denied…

$ read more →

A couple useful tidbits about the Linux /dev/random and /dev/urandom devices

security · Oct 17, 2010 · 1 min

Linux contains two devices that provide a source of entropy for the system. The first device is /dev/random, and the second is /dev/urandom. /dev/random is a character special device that provides a source of entropy until the system-wide entropy pool is exhausted, at which time it will block until additional entropy is available. /dev/urandom is a character device that uses the system entropy pool until it is depleted, then falls back to a pseudo-random number generator…

$ read more →

Forcing your Linux users to wait after they input an incorrect password

security · Aug 31, 2010 · 1 min

When I run through my security checklist after building a host, one of the first things I change is the login fail delay. This option allows you to force a user to wait a given number of microseconds after a login failure before being able to try another password. For applications that perform brute-force attacks this can be extremely handy, since the application performing the brute-force attack will stall between unsuccessful passwords, hopefully allowing you to catch it in the act through log event notifications (this of course assumes the password attack occurs serially). To configure a login delay on a CentOS or RHEL server, you can do one of two things…

$ read more →

Displaying GPG public keys in ASCII format

security · Jun 22, 2010 · 3 min

I was debugging a GPG issue earlier this week, and needed to dump the contents of a public key in some type of human-readable form. After a bit of googling I came across the crazy awesome pgpdump utility, which provides a command line interface to display the contents of a GPG public key. To use this tool, you can pass the key file as an argument to pgpdump: pgpdump will display the algorithms used to create the key, as well as the key lengths that were used. This is amazingly helpful when debugging key-related issues (hash algorithm mismatches, key-size discrepancies, etc.), and I will definitely be adding this tool to my SysAdmin toolkit!

$ read more →