Archive for the ‘BSD’ Category

SSH Configuration Tips

Wednesday, March 10th, 2010

I came across a useful blog post with 20 SSH configuration tips.

I’ll have more to say later about why the tips are useful, but the title of “Top 20 OpenSSH Server Best Security Practices” is not really accurate.

Top 20 OpenSSH Server Best Security Practices

Apple Genius Bar Advice on Notebook Battery Life

Sunday, December 13th, 2009

I talked to an Apple Genius recently about improving notebook battery life.

His recommendations to improve notebook battery life were:

  • kill any runaway programs
  • reduce screen brightness to 50% or less
  • move any Desktop files you don’t need on the Desktop to another folder. This reduces the amount of screen redraw work.
  • update to the latest SMC firmware
  • once a month, unplug the power adapter and run your notebook until it sleeps automatically. Then plug in the adapter and allow it to charge for 8 hours.
  • if there’s still a problem, drop by an Apple store and he’ll run the battery diagnostics program from their bootable service iPod nano. Bring along your receipt in case there’s a problem still covered under warranty.

Reducing the screen brightness from max to 50% immediately improved battery life on my old notebook by 50%, from about 2:15 to 3:30.

Also, remove the plastic packaging from new batteries to prevent them from permanently sticking to the plastic battery casing. The plastic is sticky on one side and can be cut into several cell phone display protectors. :)

apple.com: Apple Notebook Battery Care
apple.com: Lithium-Ion Battery Care
support.apple.com: Apple Portables: Tips for maximizing your battery charge
gizmodo.com: How To Maximize Your iPhone 3G’s Questionably Adequate Battery Life
theappleblog.com: What’s the Ideal Strategy to Maximize Notebook Battery Lifespan?

Load Balancing and Routing with Two ISP Connections Overview

Saturday, November 21st, 2009

Connecting 2 different Internet providers to your home or office can provide a number of benefits:

  1. connection fail-over, increasing availability (best compatibility, since only 1 network route is provided from your office to a remote site, and thus most likely to work reliably)
  2. load balancing, increasing total bandwidth (2 routes available, which can confuse secure sites, and SOHO devices usually have practical issues)
  3. reducing Internet access cost by replacing 1 expensive provider with 2 cheaper, perhaps less-reliable or slower providers.

How you connect with 2 different ISPs depends on whether you want to buy or build …

Here are 3 options to consider:

1. DIY with Linux iptables

  1. assemble a linux machine with 3 network interfaces (WAN1, WAN2, LAN)
  2. read the iptables page on split access and multipath routes, understanding that you are getting routing-based stickiness
  3. do some testing and tweaking of weights and other configuration items.

You don’t have to be a network engineer to get this working, but you should know things like static routing with the linux route command, to have a reasonable chance of success.

I’d suggest investing at most 4 hours in a project like that, then move on to one of the next options.
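As an added illustration of the DIY option (my script, not from this post or any of the projects listed below), here is the shape of the routing and iptables setup for the three interfaces named above: a per-ISP routing table plus a source-address rule so replies leave on the link they arrived on (each ISP only ever sees source addresses it owns), a weighted multipath default route for LAN-originated traffic, and a default-deny FORWARD chain with MASQUERADE. Interface names, addresses (RFC 5737 documentation ranges) and weights are assumed placeholders; DRY_RUN=1 prints the commands instead of executing them, and applying for real needs root.

```shell
#!/bin/sh
# Dual-WAN Linux router: WAN1, WAN2, LAN. Added example, not the post's own code.
# Addresses are constructed documentation ranges; replace with your ISP assignments.
WAN1_IF=eth0; WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1;  WAN1_NET=203.0.113.0/24
WAN2_IF=eth1; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1; WAN2_NET=198.51.100.0/24
LAN_IF=eth2;  LAN_NET=192.168.1.0/24
WEIGHT1=${WEIGHT1:-1}   # tune after measuring each link's real throughput
WEIGHT2=${WEIGHT2:-1}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

dual_wan_routes() {
    # One routing table per ISP: traffic sourced from a WAN address always
    # goes back out that ISP's gateway, which is what makes failover-safe NAT work.
    run ip route add "$WAN1_NET" dev "$WAN1_IF" src "$WAN1_IP" table 101
    run ip route add default via "$WAN1_GW" table 101
    run ip route add "$WAN2_NET" dev "$WAN2_IF" src "$WAN2_IP" table 102
    run ip route add default via "$WAN2_GW" table 102
    # Policy rules select the table by source address.
    run ip rule add from "$WAN1_IP" table 101
    run ip rule add from "$WAN2_IP" table 102
    # Weighted multipath default route in the main table: this is the
    # routing-based stickiness mentioned above; weights split new flows.
    run ip route replace default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight "$WEIGHT1" \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight "$WEIGHT2"
}

dual_wan_nat() {
    # Masquerade LAN traffic on whichever WAN it leaves through.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN2_IF" -j MASQUERADE
    # Default-deny forwarding: only LAN-originated flows and their replies pass.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN1_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN2_IF" -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    run sysctl -w net.ipv4.ip_forward=1
    dual_wan_routes
    dual_wan_nat
fi
```

Run with `DRY_RUN=1 sh dualwan.sh apply` first to review the generated commands; failover itself (withdrawing a dead nexthop) still needs a link probe, which is the part the appliances below package for you.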

2. Use an Existing Open Source Project

  1. pfSense – based on FreeBSD. Dual-WAN Load Balancer FAQ, Dual-WAN Router Tutorial.
  2. Untangle is a subscription-pay but 95% Open Sourced software firewall with WAN failover ($5+/month) or WAN load balancing ($10+/month) modules
  3. m0n0wall, based on FreeBSD, is working on multi-WAN support
  4. LokiWall1 for Linux (2006)
  5. LokiWall2 for Linux (coming soon)

3. Buy a Dual-Wan Router Appliance

There are several SOHO appliances available for under $350.00:

  • Cisco (LinkSys) RV042 and RV082 (fanless, size of a hardcover book, is export-restricted, requires a free online support account and approval of 3 EULAs to download drivers.) I have used the RV082 for a month, and noticed: the built-in switch ports cannot drive cables longer than about 15 meters, the default failover probe settings are 5x for 30 seconds, which is too long, so I use 3x for 15 seconds. Otherwise it seems to work ok with two WAN connections, one fiber and the other DSL, though failback is not supported and failover is not logged. The average IT employee or power user can configure the web-based admin screens with no training.
  • Netgear FVX538 and FVS336
  • Netgear FVS124G (Discontinued)
  • HotBrick LB-2 (XinCom XC-DPG502?)
  • Peplink

Most, if not all, appliances are just linux or BSD embedded systems. But appliances are pre-tested, nicely packaged, and have a friendly web-based UI and technical support.

Also, an appliance will use less power and emit less noise than the typical desktop PC running linux.

Unfortunately, it’s hit-or-miss whether your appliance (or its firmware version) will work reliably. Most blogs report less than glowing results, especially with load balancing.

tomshardware.com: Dual WAN router suggestions needed (2008)
dslreports.com: Best Dual Wan Router? (2007)
Advantages/Disadvantages of Dual Wan Routing
linuxquestions.com: Script to Load Balance two ISPs with ip route & ip rules
mikrotik.com
Soekris

NFS Server Opinions

Friday, November 6th, 2009

At one of the large Internet companies that I worked at, NFS was heavily used for sharing files for internal processing.

Here are some of my opinions based on that experience.

The first thing to do for greater performance and reliability is to plug server nodes and the fileserver into the same backplane in the same switch using Cat6 factory-made cables.

Next, you have to pick NFS client and server software.

Some implementations:

  • linux NFS4 – really scary because linux NFS3 is historically flaky, and this is newer and more complicated
  • linux NFS3 – scary because linux NFS is historically flaky
  • FreeBSD NFS3 – prolly works
  • Solaris NFS3 – prolly works
  • NetApp filer – works pretty well

To emphasize the different experiences that linux and Sun folks have had with NFS, a roomful of linux people gasped when a Sun storage engineer asked why you wouldn’t run MySQL on NFS.

Some filesystem stress test tools:

  • fsx.c (ported from Next to FreeBSD and linux)
  • bonnie
  • make -j 10x in loop
  • unpack and build emacs on a network/distributed filesystem (traditional acceptance test by scientific cluster sponsors – rarely passed) :)

Check the nfs configuration file on each node, also ifconfig output for errors.

Obviously, write temp files to local disk or a RAM disk like linux tmpfs.

If you can design your application to retry disk IO a few times on read or write errors, that also helps, especially under heavy fileserver load.
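An added check script for the per-node audit mentioned above (mine, not the post's): it warns on NFS client mounts whose options invite silent failure (soft, which hands the application EIO once retransmits are exhausted, and nolock, which disables NLM locking that databases rely on) and on interfaces whose RX/TX error or drop counters are non-zero. It assumes Linux and reads `ip -s link` rather than ifconfig; the embedded sample inputs are constructed so the checks can be exercised without an NFS mount present.

```shell
#!/bin/sh
# NFS client node audit. Added example, not from the post.
# "live" reads the real system; otherwise the constructed samples below are used.

SAMPLE_MOUNTS='fs1:/export/data /mnt/data nfs rw,relatime,vers=3,hard,proto=tcp,addr=10.0.0.5 0 0
fs2:/export/tmp /mnt/tmp nfs4 rw,relatime,vers=4.1,soft,nolock,proto=tcp,addr=10.0.0.6 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    123456789  1234567  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    987654321  7654321  0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    5555       444      12      3       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    6666       555      0       0       0       0'

# stdin: /proc/mounts lines (device mountpoint fstype options dump pass).
# Only nfs/nfs4 entries are examined; risky options are listed after the mount.
check_nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        risky = ""
        if ($4 ~ /(^|,)soft(,|$)/)   risky = risky " soft"
        if ($4 ~ /(^|,)nolock(,|$)/) risky = risky " nolock"
        if (risky != "") print "WARN " $2 " (" $1 "):" risky
        else             print "OK   " $2 " (" $1 ")"
    }'
}

# stdin: `ip -s link` output. The RX:/TX: header lines are followed by a line
# of counters whose 3rd and 4th fields are errors and dropped.
check_link_errors() {
    awk '
        /^[0-9]+:/ { iface = $2; sub(":", "", iface) }
        /^ *RX:/   { getline; rx_err = $3; rx_drop = $4 }
        /^ *TX:/   { getline; tx_err = $3; tx_drop = $4
                     if (rx_err + rx_drop + tx_err + tx_drop > 0)
                         print "WARN " iface " rx_err=" rx_err " rx_drop=" rx_drop " tx_err=" tx_err " tx_drop=" tx_drop
                     else
                         print "OK   " iface }
    '
}

if [ "${1:-}" = "live" ]; then
    check_nfs_mounts < /proc/mounts
    ip -s link | check_link_errors
else
    printf '%s\n' "$SAMPLE_MOUNTS" | check_nfs_mounts
    printf '%s\n' "$SAMPLE_LINK"   | check_link_errors
fi
```

Run it from cron on every client node and page on any WARN line; a non-zero error counter on a node that shares the fileserver's switch backplane usually means a bad cable or port.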

Regarding distributed filesystems or cluster filesystems, the few success stories that I’ve heard are implementations on homogeneous hardware, where the code was tweaked for their specific servers, NICs, switches and apps by an on-site team of kernel and networking programmers.

Mac OS X MacPorts and Fink software port systems

Wednesday, September 23rd, 2009

Like other Unix-based systems, the Mac also has packaging and network repository systems for installing Open Source software.

I have been using the MacPorts system, which is quite nice and has over 6300 packages in source form. Another is fink, which uses Debian tools like dpkg, dselect and apt-get to manage over 2500 packages, both source and binary forms.

In general, just type “sudo port install packagename” to have MacPorts install whatever Open Source programs you want, including end-user apps like R and octave.

The only wrinkles so far have been that packages are sources, so they have to be built on your machine (slowly – ‘port upgrade outdated’ is glacial if you have a lot of stale packages installed, so ensure your AC adapter is plugged in), and some common package dependencies, like tiff, now require Apple Xcode 3.1 (a free download) or higher to be installed, or you get the following fatal error message:

[...]
--->  Extracting tiff
On Mac OS X 10.5, tiff 3.9.1 requires Xcode 3.1 or later but you have Xcode 3.0.
Error: Target org.macports.extract returned: incompatible Xcode version
[...]
Error: Status 1 encountered during processing.

Xcode (and MacPorts) are not updated from Mac OS X Software Update, so you must do that manually. Obviously that is a potential security problem.

Some handy port commands

# see what ports are available

port list
port list all

# see what ports are already locally installed

port installed | grep -v xorg

# commonly-used packages for developers

sudo port install vim lynx links wget aquaterm htop

# easy way to install X11 and most common package dependencies in about 2 hours, so use an AC adapter

sudo port install octave r

# for Internet engineers (yes, PHP 5.3.0+ with Apache2 is installed …)

sudo port install apache2 php5 mysql5 squid lighttpd nginx pound varnish webalizer wget wireshark

To activate PHP5:

cd /opt/local/apache2/modules
/opt/local/apache2/bin/apxs -a -e -n "php5" libphp5.so

To configure daemons like apache2 to start at boot time and also start immediately, first edit the respective configuration file (on notebooks I usually restrict listening to 127.0.0.1), then:

sudo port load apache2

# update MacPorts system

sudo port selfupdate
sudo port upgrade outdated

If you want to use vector graphics in an AquaTerm with gnuplot or octave, you may need to start AquaTerm first, or set the following environment variables in your .profile startup script:

GNUTERM=aqua
GNUTERMAPP=/opt/local/var/macports/software/aquaterm/1.0.1_5/Applications/MacPorts/AquaTerm.app

MacPorts FAQ
Ryan Schmidt’s comments on tiff and the dependency on Xcode 3.1

Fink can be tricky to install with a securely configured Mac, but installation can be done from the command line easily:

hdiutil attach Fink-0.9.0-Intel-Installer.dmg
sudo installer -pkg "Fink 0.9.0-Intel Installer.pkg" -target /
/sw/bin/pathsetup.sh
fink selfupdate
fink --version
fink list

macosx.com: How to Install a .dmg File At a Command Line?
Install Apache 2 and PHP 5 with MacPorts

Install Tsoft for WINDOWS on your Mac with WINE via MacPorts Project

ocf.berkeley.edu: Security Issues concerning X

Interesting Event Since Unix Epoch

Friday, February 13th, 2009

Keep an eye on your computer today for an interesting event in Unix time.

Here are some useful Unix commands:

$ date -d @1234567890
Fri Feb 13 15:31:30 PST 2009

$ watch -d -n 1 date +%s

cnet.com: Time for Unix nerds to celebrate 1234567890 Day
cnet.com: Square Root Day revelers to party like it’s 3/3/09
cnet.com: National Pi Day? Congress makes it official

IMUG Meeting: iPhone International Features and Apps

Thursday, November 20th, 2008

Lee Collins and Deborah Goldsmith from Apple gave a comprehensive talk on internationalization support on the iPhone since the English-only 1.0 release. Now at 2.1, dozens of languages are supported, driven by potential sales markets.

They have a very strict space budget for code and fonts since every byte they use is one less for the end-user.

As much as possible, they try to provide the full ICU API for developers to use.

Regular Truetype fonts are used, though there’s no hint information and there’s no mechanism to add your own.

Chuck Soper (Vela Design Group) talked about porting VelaClock to the iPhone, and made some recommendations for the Apple iPhone apps store.

He would like to see longer sales history information than 7 days, ideally unlimited. Also, he would like to see feedback and ratings reviews across countries, since loading 100 country forums is tedious.

He also wanted to know how best to provide mib and strings to translators.

He says half his sales come from the Apple Store.

Some of his customers use VelaClock to do things like plan night flights.

I had a chance to try out the Blackberry Bold, with its new UI and hi-res screen. The screen has the same number of pixels as an iPhone, but half the dimensions.

I also tried a gPhone. It has a built-in compass, so Google StreetView knows what direction you’re pointing the phone and can show real-time updates based on that direction. Very cool to see.

Thanks to Apple for hosting the event in Cupertino.

Defcon 15, Las Vegas

Sunday, August 5th, 2007

I gave up on Defcon after Defcon 11 because of the venue overcrowding at the Alexis Hotel. But since I had no other plans this weekend and they moved to the larger Riviera hotel last year, I decided to give them another shot this year.

What an improvement! 7,000 attendees and 5 talk tracks, yet now fairly well-organized. I registered Thursday at 9:30 am for $100, but they had already run out of the awesome white animated SMT LED conference badges with a “HUMAN” cut-out, and of programs.

They should have done a photocopy run of the schedules, but didn’t, which is bad since the schedules are not posted outside the lecture rooms.

Security staff in red shirts called “goons” vigilantly enforced access points and fire codes. I was told that lecture room exits had to be clear in case of sudden emergencies like a smoke bomb attack.

The hotel was big enough that the attendees didn’t swamp the hotel, and the rooms for Tracks 2, 3 and 4 were usually big enough. The Track 5 room and the closing ballroom were too small. Hotel security seemed happy and stayed in the background.

The hotel coffee shop was very busy but served ok food ($10 for a hamburger and fries.) The upstairs dinner buffet was a good deal at $16. Good variety of fresh food and desserts, including prime rib, mexican and asian food.

I didn’t bring a notebook computer this year because it would just get hacked if I turned it on, and I also left my Blackberry off. I understand that some people buy a computer at Fry’s and return it after the weekend to get re-imaged, or use it as a honeypot. Some people did use their work Blackberrys with bluetooth disabled. One guy had a Nokia 770 wifi PDA that he planned to re-image after going home. Nice screen with scalable fonts.

The talks that I attended on Thursday and Friday were very strong, usually presented by the original researchers or somebody deeply involved in the topic. Defcon talks are unusual in that most audience questions are held until after the talk in a separate Q&A room. Not my preference, since expert attendees often get more out of the questions than the talk.

Thursday

Thomas Holt: The Market for Malware

Insight into mainly Russian malware industry:

- pincher programs for intercepting username and password data
- joiner programs to bind pincher program payloads with images or downloads
- like to be paid with e-gold, don’t like Western Union
- like ICQ, irc
- tools cheaper for other Russians to purchase than foreigners
- forums for promoting and rating developers and programs
- good authors provide good customer support, upgrades ($10), manuals and customization ($30)
- admin UI programs very polished and professional looking – some are even skinnable.

Pilgrim: How to be a WiFi Ninja

Pilgrim is the real deal – he knows how wifi works, owns a wifi accessories shop in Florida and is a perennial show vendor.

He gave tips on improving wifi transmission and reception:

- thinner cable is lossier, so keep under 10′
- cable is optimized for Channel 6
- wifi signals transmit better in drier air
- most omni AP transmitters can be made more directional by using a tin-foil reflector behind them, preferably parabolic shape
- used Dish satellite receiver antenna could be very useful
- made a wok dish antenna and recommends it
- recommends USB receivers over PC Cards because of external antenna
- recommends USB cable run to smart antenna instead of long runs of cable
- transmit power isn’t everything. try to balance transmitter, receiver, cable and geometry
- re-orient AP antennae to get better vertical or horizontal reception, especially in 2-storey buildings. same when war-driving.

Broward Horne: Click Fraud Detection with Practical Memetics

Broward gave a great talk.

He has the website RealMeme.com and does experiments in web site promotion and Internet mindshare. He left some blog comments on Casey Serins’ IAmFacingForeclosure.com website but received no traffic to his site initially. He posted a comment inquiring about that, got a bunch of traffic, and upon log analysis realized that it was bot traffic, implying that Casey was involved with bots for AdSense click fraud.

He showed some graphs of discussion activity before and after the Pope’s death, which expanded the bandwidth of discussion, and the SARS outbreak, which barely registered.

D.J.Capelis: Virtualization: Enough holes to work Vegas

Awesome talk on how pathetic x86 virtualization is from a security perspective.

He talked mainly about VMware Server and Xen, but problems generally applicable are:

- vulnerable to physical attacks and DoS at PCI level for shared hardware like video, network and drive controllers
- vulnerable to IP and MAC address changes
- vulnerable to practically undetectable covert channels between VMs
- vulnerable to timing attacks similar to the Intel HT ones
- all the image migration tools use plaintext, possibly across ethernet
- any rogue partition can violate all other partitions, subverting your firewall and network security
- bad default configurations, as documented.

The expensive VMware ESX product fixes a few but not all of the above problems.

He’s hoping IBM can leverage their 30 year virtualization experience on LPARs to do a good job.

He released a script to somewhat improve the default security configuration of VMware Server.

Dave Josephsen: Homeless Vikings, (short-lived BGP prefix hijacking and the spamwars)

He presented a history of spam and countermeasures timeline with commentary (he likes content filtering and thinks anything else is just a pointless technical arms race that can’t be won by the good guys).

Then he talked about how BGP can be used by spammers to spoof address blocks or commandeer unassigned IP space, likely the same techniques used by intelligence agencies now.

Gadi Evron: Webserver Botnets

Peter Gutmann: The Commercial Malware Industry

Some repetition of the talk at 10 am, but with more detail.

Daniel Peck & Ben Feinstein: CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript

They demonstrated some utilities for de-obfuscating javascript malware and presented some graphs that illustrated how malware and legitimate javascript profile very differently.

Also, they talked about spidering and analyzing some web sites and being surprised at how clean myspace is for example – no JavaScript malware found, probably a credit to their staff.

atlas: Remedial Heap Overflows: dlmalloc style

atlas did a Linux Buffer Overflow 101 class.

He used python to inject the shell code.

All the hotels surrounding the Riviera were full, so I stayed in the Hilton Vacation Getaway Hotel, a moderate walk from the Riviera. My $169 room was a very nice and new suite with a 30″ HDMI plasma TV, jacuzzi, shower, bedroom TV and laundry. The downstairs deli tuck shop is very complete and you can order custom sandwiches there. There is also an outside grill with $5 hamburgers and $4 hotdogs that’s open for lunch. The basement business center is 24 hours and has computer rentals and printing for $1/page. The hallway vending machines have $1 sodas.

Friday

Brendan O’Connor: Greater than 1: Defeating “strong” Authentication in Web Applications

Excellent talk reviewing US online banking so-called strong authentication, then attacking it.

- in-person banking is 2-factor authentication (something you have (card) and something you know (PIN))
- online banking is not 2-factor (you know a PIN but normally you don’t provide card, token or biometrics)
- browser fingerprinting is pointless because everybody buys the same configurations from Dell or HP
- browser fingerprinting is pointless because the implementations are bungled (commented source, little effort)
- banks should display all recent logins, not just the last one
- bank should not star out account numbers, then display the full check thumbnail!
- bolt-on auth systems from 3rd-party vendors weaken overall security and increase the attack surface
- SiteKey is worthless, since they have a limited image catalog indexed by alt tag
- knowledge base questions based on public databases as implemented now are worthless, but could be improved by displaying the same question until correctly answered and not randomizing choices

He finished by demonstrating a MITM attack by writing a newbie-level Perl program to relay the browser fingerprint, setting up Defcon Bank and doing a MITM attack on his personal bank which uses Sitekey.

David Byrne: Intranet Invasion With Anti-DNS Pinning

He discussed DNS pinning issues with IE and Firefox, pinning in Java and also how LiveConnect in Firefox and Opera reduce pinning. Also he showed how to use an exploited browser as a web or socks proxy and talked about using the socket capabilities in Flash 7 and above.

In his demo, he owned somebody’s browser, ran Nessus 3, and started a shell.

Billy Rios & Nathan McFeters: Biting the Hand that Feeds You – Storing and Serving Malicious Content From Well Known Web Servers

Billy and Nathan are the reason for the recent Firefox 2.0.0.5 and 2.0.0.6 updates.

They talked about:

- XSRF
- serving warez from webmail hosts, in particular Yahoo! and gmail, because they’re free anonymous accounts, have a large storage capacity, good network bandwidth, high-reputation domain names, and plausibly deniable.
- domain substitution
- what can you trust on the Internet? only the domain name in your location bar
- Flash settings XML config file
- browser scheme and %00%00 filetype handlers
- IE 7 and Firefox URI hand-off exploits
- possibly KDE registry might also be vulnerable to filetype handler issues.

The award ceremonies went on 2 hours. It was interesting to learn about the whole Defcon community: security, logistics, press, events, speaker coordination, etc.

40 hardware kits were handed out to people wanting to hack the badge, but only 7 submissions resulted. The 2 winners built a graphical, gray-scale multimeter and a pong game. DT suggested it would be hard to top the badge next year, unless it was converted to a fibrillator or laser beams were added.

A 17 year-old won one of the lock-picking categories. The overall winner mentioned preferring home-made tools.

Some of the award winners received a Black Badge – good for free life-time show admittance. Some got a used notebook or Dish receiver.

The trivia show winning team was booed for their poor result – sometimes needing a dozen clues and still getting the wrong answer – but still got black badges. Next year there will be a pre-qualifying test.

I took one of the airport shuttle buses back to the airport. Depending on how you look at it, either I got a free ground tour of Las Vegas, or they wasted a half hour of my time trying to find a passenger who booked 24 hours in advance but didn’t show up on time. Eventually they found him … back at the Riviera.

theinquirer.ne: How to break forensics software
GData: An Online MD5 Hash Database