SSH is often required to access Linux machines that run on cloud infrastructure. SSH is well suited to protecting the confidentiality and integrity of data exchanged between two networks or systems. However, the service also exposes an attack surface that a threat agent could exploit. The aim of this post is to give tips on reducing that risk by hardening the OpenSSH server: it offers a few recommendations on settings to tweak to improve the security of your OpenSSH server, and some suggestions on how to improve its cryptography. (Thanks to Jean-Philippe Aumasson for his help with this part of the blog post.)
#1: Only Use SSH Protocol 2
Disable the legacy protocol version 1. SSH-1 is obsolete and should be avoided: it is vulnerable to man-in-the-middle attacks and has other known security weaknesses.
#2: Change the port number and limit IP binding
To keep bots and routine scans away from your OpenSSH server, it is a good idea to change the port number to something above 10,000. To bind to the IPs 172.20.16.89 and 22.214.171.124, add or correct the following in sshd_config:
If you use IPv4 only:
#3: Limit Users’ SSH Access
By default, every account can log in via SSH with its password or a public key. As an example, to allow only the users sma, sysadm and jpa to access the system via SSH, add the following to sshd_config:
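An added example (not from the original post): a small POSIX shell audit that checks an sshd_config file against the three recommendations above. Protocol, Port, ListenAddress and AllowUsers are standard sshd_config directives; the sample config files, the temporary paths and the reuse of the post's IPs and user names are constructed test data.

```shell
# Added example: audit an sshd_config for the three recommendations above.
# Keyword names are real sshd_config directives; the sample files below are
# constructed test data, not configs from the original post.

# Print the effective value of a keyword: sshd uses the first match, so we
# stop at the first non-comment line whose keyword matches (case-insensitive).
sshd_get() {
  # $1 = path to config file, $2 = keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    tolower($1) == key { print $2; exit }' "$1"
}

# Prints one line per problem and returns the number of problems found
# (0 means the file meets all three recommendations).
audit_sshd_config() {
  f="$1"; bad=0
  proto=$(sshd_get "$f" Protocol)
  [ "$proto" = "2" ] || { echo "Protocol is '${proto:-unset}', expected 2 (SSH-1 must stay off)"; bad=$((bad + 1)); }
  port=$(sshd_get "$f" Port)
  case "$port" in
    ''|*[!0-9]*) echo "Port unset (default 22), expected a port above 10000"; bad=$((bad + 1)) ;;
    *) [ "$port" -gt 10000 ] || { echo "Port $port is not above 10000"; bad=$((bad + 1)); } ;;
  esac
  [ -n "$(sshd_get "$f" ListenAddress)" ] || { echo "ListenAddress unset: sshd binds every interface"; bad=$((bad + 1)); }
  [ -n "$(sshd_get "$f" AllowUsers)" ] || { echo "AllowUsers unset: every account may log in"; bad=$((bad + 1)); }
  return "$bad"
}

# Constructed sample configs: a stock-looking one and one with the post's
# three recommendations applied (IPs and user names taken from the post).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Protocol 2,1
Port 22
EOF
cat > "$HARD_CONF" <<'EOF'
Protocol 2
Port 10022
ListenAddress 172.20.16.89
ListenAddress 22.214.171.124
AllowUsers sma sysadm jpa
EOF

echo "--- stock config"; audit_sshd_config "$WEAK_CONF" || echo "$? problem(s)"
echo "--- hardened config"; audit_sshd_config "$HARD_CONF" && echo "no problems found"
```

Recent OpenSSH releases no longer support SSH-1 at all, so the Protocol check only matters for the older servers this post addresses; the port, binding and user checks still apply.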
I was in Grenoble on Nov 14-15 for GreHack, a security conference organized by a group of enthusiast students from the local university. (Full disclosure: Kudelski Security was one of the sponsors.) With about 235 attendees to the conference and 37 teams registered to the CTF GreHack was a popular success. I was kindly invited to give the opening speech, where we respected a minute of silence for Cédric Blancher.
The contributed talks covered diverse topics, including mobile malware analysis, scanning 0.0.0.0/0 for vulnerable DNS servers or PLCs, and DDoS using game servers' amplification. I was especially looking forward to seeing my friend Markku and attending his presentation of a “professional” RAT: this custom RAT (and associated C&C) stands out with a secure communication protocol based on Markku’s BLINKER protocol (to be presented at CT-RSA 2014: “BLINKER is significantly faster than SSL to set up (…)”) and on the CBEAM0 sponge-based authenticated cipher (to appear as a CAESAR submission, I presume).
Unfortunately, due to last-minute issues he couldn’t make it to Grenoble, and his talk was replaced with Paul Rascagnères’ famous “APT2” operation, which was nominated for the Pwnie Award in the category “Epic 0wnage” earlier this year. Although the targeted group was not APT1 as initially suspected, it’s still amazing work, and I think Paul even had to do some ciphertext-only cryptanalysis of Chinese operating systems.
Other highlights were:
Herbert Bos’ accessible yet technically satisfying keynote “Tain’t not enough to fuzz all the memory errors”, about formal techniques to detect memory bugs. Based on the techniques presented, Herbert and his team created a fuzzer that discovered buffer overflows in ffmpeg and poppler (see the Usenix Security 2013 paper and presentation).
Halvar Flake’s survey keynote “The many flavors of binary analysis”, where we learnt that Microsoft doesn’t backport security patches from Windows 8 to Windows 7 when the issue was found internally (“free 0days for Win 7”, as he put it).
A proud sponsor of Grehack-2013-hacking-conference on November 15 in Grenoble, Kudelski Security is offering a FREE event entry to the company’s Linked-in follower #999.
Looking forward to naming the winner!
The popular Latin proverb Virtus in medio stat (Virtue stands in the middle) may be the answer to many essential questions in life. Facebook and social networks may become evil. It all depends on how we use them.
All data uploaded to the Internet remains on the Internet forever, out of our control. Data means pictures, feelings, jokes, opinions… that we have voluntarily put into the public’s hands. Data which, taken out of its initial context, could make us be seen as impolite or irresponsible at best, or as a criminal at worst.
A meaningful example of this scenario is the case of the train driver implicated in the terrible railway accident that occurred in Spain last July. 78 passengers died and 178 were injured in one of the most tragic train crashes in that country. Soon after the accident, all eyes turned to the driver. He was initially treated by the press and public opinion with compassion and solidarity. What a terrible burden to live with! Due to a human error that anybody could have made! How could the safety of a train rely on one person only?
The Association Francophone des Spécialistes de l’Investigation Numérique (AFSIN) held its annual conference on September 10-12 in Neuchâtel, Switzerland. The JFIN (“Journées Francophones de l’Investigation Numérique”) event is an excellent opportunity to meet and debate with French-speaking forensics experts from the police forces, justice systems and government administrations of several French-speaking countries such as Belgium, Switzerland, the Québec province of Canada and, of course, France.
Various technical topics were discussed during the conference: new techniques for extracting and analyzing data, communication tapping, geolocation, botnets… The event also allowed informal exchanges about the legal and psychological aspects of information retrieval. Police officers can, for example, revise and adjust their standard approach to interrogating a suspect in order to convince him to give away the password to a device.
Just as interesting was the debate on how a handgun may be used: while the Canadian police would use it only as a last resort or for lethal action, the Swiss police could use it to immobilize a fleeing suspect by aiming at an arm or a leg.
DISCLAIMER: This how-to must be taken as is; it should not replace the official documentation and is not meant to do so. It may still be useful, as these features are quite new and not heavily documented on the net.
OpenBSD supports booting from a RAID volume since version 5.3. Before that, the way to have redundancy for the root partition was to place /altroot on a second disk and to manually switch to it in case the first disk failed.
It also supports booting from encrypted volumes. Sadly, it doesn’t support booting from RAID+encrypted volumes yet (they’re working on it).
For my setup I want redundancy (meaning RAID1) and, ideally, crypto everywhere. As that is not yet possible, I decided to create one softraid1 partition containing “/” and a second softraid1/encrypted partition containing the other mount points: /tmp, /var, /usr, /usr/X11R6, /usr/local, /usr/src, /usr/obj
Below, I’ll describe the steps to obtain such a setup.
1. boot an install medium (I used PXE here)
2. drop to a (S)hell in the installation program
3. create the device nodes:
This summer, after some 18 months of waiting, the famous Leapmotion 3D controller has finally arrived. For those not aware of this device, it is a small USB gadget you plug into your PC or Mac; it uses IR light and two sensors to generate a virtual 3D sphere, approximately 60 cm in diameter, above the device. This sphere is designed to recognize the gestures of the hand and, most importantly, of the fingers.
Is this the future of remote control? Well, maybe. Anyway, it’s a good start, as the device works pretty well! From my own limited experience using it, it requires a strong change in behavior compared to our habits today with the so-called “natural” extensions of a laptop or a PC: a mouse and a keyboard (especially the mouse!).
While with “Leap” I’m definitely missing something (it’s difficult to put my finger on it) before I can claim I’m totally taken by this device, maybe the upcoming MYO will please me more (it should be available in 2014). With MYO, which is an armband, gesture detection will be done by an integrated gyroscope and sensors that understand the movement of muscles (especially those of the fingers and hands). This will bring completely different use cases than “Leap”, and I look forward to discovering how precise its gesture detection really is when I get to lay my hands on this device. In any case, MYO sounds promising!