Tag - security


Wednesday, March 29 2017, 19:21

Strengthening ssh

A few weeks ago I stumbled on the ssh_scan project. This little Ruby gem lets you scan machines and helps you make sshd harder to break into. Installing it on my Fedora workstation was as simple as sudo dnf install rubygem-sqlite3 && gem install ssh_scan

You can then run it with -t hostname and fix your ssh config:

ludo@Oulanl ~$ ssh_scan -t gandi.mozfr.org
I, 2017-03-29T19:19:30.527949 #26982 INFO -- : You're using the latest version of ssh_scan 0.0.18
[
  {
   "ssh_scan_version": "0.0.18",
   "ip": "2001:4B98:DC0:51:216:3EFF:FE8E:A45A",
   "port": 22,
   "server_banner": "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3",
   "ssh_version": 2.0,
   "os": "debian",
   "os_cpe": "o:debian:debian",
   "ssh_lib": "openssh",
   "ssh_lib_cpe": "a:openssh:openssh:6.7p1",
   "cookie": "17386450c207cb71d06224d2810e45ac",
   "key_algorithms": [
     "curve25519-sha256@libssh.org",
     "ecdh-sha2-nistp256",
     "ecdh-sha2-nistp384",
     "ecdh-sha2-nistp521",
     "diffie-hellman-group-exchange-sha256",
     "diffie-hellman-group14-sha1"
   ],
   "server_host_key_algorithms": [
     "ssh-rsa",
     "ssh-dss",
     "ecdsa-sha2-nistp256",
     "ssh-ed25519"
   ],
   "encryption_algorithms_client_to_server": [
     "aes128-ctr",
     "aes192-ctr",
     "aes256-ctr",
     "aes128-gcm@openssh.com",
     "aes256-gcm@openssh.com",
     "chacha20-poly1305@openssh.com"
   ],
   "encryption_algorithms_server_to_client": [
     "aes128-ctr",
     "aes192-ctr",
     "aes256-ctr",
     "aes128-gcm@openssh.com",
     "aes256-gcm@openssh.com",
     "chacha20-poly1305@openssh.com"
   ],
   "mac_algorithms_client_to_server": [
     "umac-64-etm@openssh.com",
     "umac-128-etm@openssh.com",
     "hmac-sha2-256-etm@openssh.com",
     "hmac-sha2-512-etm@openssh.com",
     "hmac-sha1-etm@openssh.com",
     "umac-64@openssh.com",
     "umac-128@openssh.com",
     "hmac-sha2-256",
     "hmac-sha2-512",
     "hmac-sha1"
   ],
   "mac_algorithms_server_to_client": [
     "umac-64-etm@openssh.com",
     "umac-128-etm@openssh.com",
     "hmac-sha2-256-etm@openssh.com",
     "hmac-sha2-512-etm@openssh.com",
     "hmac-sha1-etm@openssh.com",
     "umac-64@openssh.com",
     "umac-128@openssh.com",
     "hmac-sha2-256",
     "hmac-sha2-512",
     "hmac-sha1"
   ],
   "compression_algorithms_client_to_server": [
     "none",
     "zlib@openssh.com"
   ],
   "compression_algorithms_server_to_client": [
     "none",
     "zlib@openssh.com"
   ],
   "languages_client_to_server": [
   ],
   "languages_server_to_client": [
   ],
   "auth_methods": [
     "publickey"
   ],
   "fingerprints": {
     "rsa": {
       "known_bad": "false",
       "md5": "e8:43:a9:22:59:01:2b:ff:c7:48:2e:69:68:0c:af:37",
       "sha1": "59:07:90:6f:31:fc:1a:55:aa:9b:d0:eb:31:26:0d:11:6f:95:a8:41",
       "sha256": "41:8a:f9:4f:3d:b1:e4:85:82:91:7c:92:cc:43:f1:5e:dd:c7:7a:08:ca:33:8c:05:c1:e9:79:0c:73:8e:ef:f4"
     },
     "dsa": {
       "known_bad": "false",
       "md5": "f2:d1:d4:cf:20:92:83:f5:95:1d:96:61:47:2f:82:13",
       "sha1": "3f:6c:52:ff:0a:89:92:97:28:1e:db:35:db:aa:a8:15:bb:66:e2:27",
       "sha256": "c3:b6:d8:bc:8c:a8:5b:e8:8a:13:09:d8:62:70:db:06:67:5a:52:17:29:be:c6:b6:e3:1c:50:d1:30:23:10:a8"
     }
   },
   "start_time": "2017-03-29 19:19:30 +0200",
   "end_time": "2017-03-29 19:19:31 +0200",
   "scan_duration_seconds": 0.716352392,
   "duplicate_host_key_ips": [
     "192.168.10.160",
     "192.30.253.113",
     "192.30.253.112",
     "2001:BC8:3364:200::"
   ],
   "compliance": {
     "policy": "Mozilla Modern",
     "compliant": false,
     "recommendations": [
       "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
       "Remove these MAC Algos: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1"
     ],
     "references": [
       "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
     ]
   }
 }
]

Based on the wiki, it's a matter of editing /etc/ssh/ssh_config and /etc/ssh/sshd_config. Before restarting sshd, test your configuration with sshd -t, and voilà !!!
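As an added example (not part of the original post, and not part of ssh_scan itself), this Ruby snippet turns the "Remove these ... Algos" recommendations of a scan result into the sshd_config lines that keep only the algorithms the scan did not flag; the scan excerpt is constructed to match the output above, and the mapping for an "Encryption" recommendation is an assumption since the scan above only flags KEX and MACs.

```ruby
require 'json'

# Constructed excerpt of an ssh_scan result, shaped like the output above.
SCAN = <<~JSON
  [{
    "key_algorithms": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                       "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                       "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "mac_algorithms_client_to_server": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
                       "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
                       "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
                       "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
    "compliance": {"recommendations": [
      "Remove these Key Exchange Algos: diffie-hellman-group14-sha1",
      "Remove these MAC Algos: umac-64-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, hmac-sha1"
    ]}
  }]
JSON

# Recommendation wording => [sshd_config keyword, scan field holding the offered list].
# "Encryption" is an assumed wording; the scan above only flags KEX and MAC algorithms.
FIELDS = {
  'Key Exchange' => ['KexAlgorithms', 'key_algorithms'],
  'MAC'          => ['MACs', 'mac_algorithms_client_to_server'],
  'Encryption'   => ['Ciphers', 'encryption_algorithms_client_to_server'],
}

# Parse "Remove these X Algos: a, b" strings into { "X" => ["a", "b"] }.
def parse_recommendations(recs)
  recs.each_with_object({}) do |rec, bad|
    m = rec.match(/\ARemove these (.+?) Algos: (.+)\z/) or next
    bad[m[1]] = m[2].split(',').map(&:strip)
  end
end

# Build the sshd_config lines: the currently offered list minus the flagged entries.
def hardened_lines(scan_json)
  host = JSON.parse(scan_json).first
  bad = parse_recommendations(host.dig('compliance', 'recommendations') || [])
  FIELDS.map do |kind, (keyword, field)|
    next unless bad[kind] && host[field]
    "#{keyword} #{(host[field] - bad[kind]).join(',')}"
  end.compact
end

puts hardened_lines(SCAN)
```

After putting the lines into sshd_config and restarting, re-run ssh_scan against the host: the compliance block should then report the Mozilla Modern policy as compliant, which is the check that matters.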

Monday, February 20 2017, 04:42

Securing for cheap some sparse CentOS boxes

I'm a full-time sysadmin at a big company where we have plenty of tools that would be way too much when dealing with a box or two. In my free time I also do some sysadmin for fun - and profit, as I learn from it.
When you set up a machine it's clean: packages are up to date and there are no known security holes. But then one gets busy and forgets the machine, which of course gets hacked and used by unfriendly people. On the Debian side of things, install and configure apticron and you're done. You'll get an email when things need to be patched, with a description of why and the command to do it. So it's quite easy to stay up to date, but that's Debian; how about if you run CentOS?

Saturday, February 18 2017, 14:28

Fosdem 2017's ksp notes from signing

I just finished signing keys with my second key. This year I've signed 98 keys. I've switched to gpg2 for my new key, and I will probably retire the old one at some point. Some keys I had issues with because of the Ed25519/EdDSA key format, which is not supported by all key servers. So you need to use a subset of the key servers (I use the IPv6 subset - but it's not good enough): to get and sign those keys you need to use subset.pool.sks-keyservers.net.