Category: security

Configuring a secure Ubuntu Linux Virtual Private Server

Posted by Dhananjay Nene – October 5, 2009

This post is based on my notes for an initial configuration for an Ubuntu 9.04 Virtual Private Server with a focus on security. At that time I searched for a number of references on security, and while I have not kept the note of all their URLs, most of what I write below is as a result of other documents even though I cannot specifically cite them (in other words, there is little originality except perhaps for attempting to cover the entire gamut of configuration activities into one article).

Keep in mind that these steps are based on my notes which might be a little incomplete especially around the part where acidbase is installed.

Initial Configuration

These steps cover the initial setup of a server

Setup the hostname

Lets say the hostname we want to setup is vps.

$ echo “vps.mydomain.com” > /etc/hostname
$ hostname -F /etc/hostname

Now update the /etc/hosts file to reflect the hostname and the fully qualified domain name
Replace 12.34.56.78 with the IP address of your host

127.0.0.1 localhost.localdomain localhost
12.34.56.78 vps.mydomain.com vps

Updating the ubuntu repositories

You will need to update your ubuntu repositories to include jaunty-updates and universe repositories. This is so that you may install additional packages as required from these repositories as well. In my case, the earlier version of the file /etc/apt/sources.list was as follows.

However please note, that repository selection and its update strategy may be linked to your company or application strategy. Please make sure these steps are consistent with your policy. If not, kindly adapt consistent with your team / organisations policy. Also instead of us.archive.ubuntu.com, you may find other country specific server names. In that case you may want to continue to use the other server name as already listed in your file.

deb http://us.archive.ubuntu.com/ubuntu/ jaunty main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ jaunty main restricted

deb http://security.ubuntu.com/ubuntu jaunty-security main restricted
deb-src http://security.ubuntu.com/ubuntu jaunty-security main restricted

Upon adding jaunty-updates and the universe repositories, the resultant file is as follows.

deb http://us.archive.ubuntu.com/ubuntu/ jaunty main restricted universe
deb-src http://us.archive.ubuntu.com/ubuntu/ jaunty main restricted universe

deb http://security.ubuntu.com/ubuntu jaunty-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu jaunty-security main restricted universe

deb http://us.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe
deb-src http://us.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe

Now update the sources. This will scan all the repositories

$ sudo apt-get update

Finally upgrade ie. replace any existing packages which have a newer upgrade

$ sudo apt-get upgrade

Download the language pack

To add the necessary for the preferred language of your choice add the appropriate language pack. In my case I add support for english (en)

$ sudo apt-get install language-pack-en

Set the timezone

Set the timezone of the server. You may choose to set it based on server location, or typical user location or to UTC.

$ dpkg-reconfigure tzdata

That will start a small app, from which you can select the timezone. I selected None of the Above which offered me a choice of timezones based on UTC offsets and subsequently selected UTC.

Setting up Mail sending

I do not need this VPS to act as a mail server. However I do need to have capabilities to send email from this machine. Many unix tools routinely assume the existence of sendmail or equivalent MTA. However that is an overkill in this context. So we shall not be installing sendmail or postfix or exim or any other equivalent. Instead we shall configure this server to be only able to send out mail using an SMTP account on another mail server. For this we shall install a tool called mailx. Note: If you have mailx already installed through another ubuntu package called mailutils, you may either continue with the same (in which case you will need to configure the remainder of the mail stack correspondingly eg. sendmail) or remove mailutils and add heirloom-mailx

$ sudo apt-get install heirloom-mailx

We shall also configure a global configuration for sending out mail. In my case its all right to always send mail using only one account irrespective of the process or user who is sending it.

$ sudo vi /etc/nail.rc

Note that in the above configuration, we shall be placing the mail account password in clear text. Make sure it is a mail account you do not use for any other purposes and that its password is not the same as used for any other purposes. Now enter the following as contents of the /etc/nail.rc file. Obviously change the relevant fields to appropriate values. Note that this file is configured for sending mail via gmail. You may need to configure it differently based on your own SMTP configurations.

set smtp-use-starttls
set from=my_user_id@gmail.com
set smtp=smtp.gmail.com:587
set smtp-auth-user=my_user_id@gmail.com
set auth-login=my_user_id@gmail.com
set smtp-auth-password=my_password

You can try testing whether this got set up successfully. Enter the following (replace youremailid@youremaildomain.com by the email id where you would like the mail to be sent to)

$ mail youremailid@youremaildomain.com
Subject: This is a test mail
Hello
.

Basic Security

In this section we shall make some basic configuration changes with a view to enhance the system security.

Mounting the shared memory as read only

Open and edit the file /etc/fstab to add an entry to mount shared memory in read only mode. The reason we do it is because many exploits use shared memory to attack other running services.

If you have a good reason to make shared memory writeable skip this step.

$ vi /etc/fstab

Now add the following line at the end of the file

tmpfs /dev/shm tmpfs defaults,ro 0 0

Tightening the passwords

One of the easiest exploits is to attempt a brute force login using dictionary based attacks. In order to ensure strong ie. non-guessable passwords we shall update the password checking policy so that it allows only strong passwords. A simple way to ensure that is to ensure a reasonable minimum length and to ensure multiple character classes.

First lets install a new pam authentication module pam_cracklib. To install the same run the following

$ sudo apt-get install libpam-cracklib

Answer ‘Y’ to the prompt it asks for regarding continuing.

Note: if you did not add the universe repository to your sources.list file, you will not be able to install libpam-cracklib. In that case you will need to skip this step.

This should’ve resulted in the file etc/pam.d/common-password having an entry for pam_cracklib.so and pam_unix.so. Update the pam_cracklib.so entry to add one more requirement ie. minclass=4.

In my case, the resultant two lines in /etc/pam.d/common-password are as follows. Note that I added the minclass=4 clause manually.

password requisite pam_cracklib.so retry=3 minlen=8 difok=3 minclass=4
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

There. You now have a strong password scheme which will conduct a whole range of password checks in addition to ensuring that the password has a minimum length of 8 and each new password has at least one each of the four character classes. The four character classes are lower_case, upper_case, digit and special_characters (the last one being any non alpha-numeric character)

Creating the first user

Note: if you have already created at least one more non root user this step is not required. We are primarily creating the new user so that we shall eventually allow sudo and remote ssh login privileges to the user and disable remote ssh privileges for the root user.

Setup the first new user. One of the reasons you should create a new user is so that it will afford you the ability to allow him to perform root actions through sudo, and thus subsequently allow you to disable root access over ssh. By default when one creates a new user, another group gets created with the same name as well. In this case we shall create a new group “dev” and then create a new user associated with that group “someuser“. Use the groupname and the username as you would like to setup when executing the commands below. In the commands below we create a new home directory for the user, associate the /bin/bash shell with his account instead of the default /bin/sh, (I just prefer bash to the plain sh) and finally set the password for him.

$ groupadd dev
$ mkdir /home/someuser
$ useradd -d /home/someuser -s /bin/bash -g dev someuser
$ chown someuser.dev /home/someuser
$ passwd someuser

We shall also create the .ssh directory for the user which we shall be using later

$ mkdir /home/someuser/.ssh
$ chmod 700 /home/someuser/.ssh
$ touch /home/someuser/.ssh/authorized_keys
$ chmod 600 /home/someuser/.ssh/authorized_keys
$ chown -R someuser.dev /home/someuser

Now we shall create the keypair for the user to log in to the host remotely. Note that if you are going to do this for multiple users, then you might want to have each user run the next step locally and then copy over his public key onto the server before continuing to the ssh tightening operations described later.

The user should do the following on his local workstation from which he is most frequently likely to connect to the server (not the server that we are hardening).

Note: the part after -C in ssh-keygen is just a comment to identify the keys – enter something to identify the user and his machine.
Also make sure not to keep the passphrase blank though ssh-keygen will allow a blank passphrase. The reason is that if the user’s local machine is compromised the attacker can then get an easy access to the server being hardened.

change someuser and some.host.com below based on the user id and vps name correspondingly

$ mkdir ~/.ssh
$ ssh-keygen -t dsa -b 1024 -C “some user on his desktop”
$ scp ~/.ssh/id_dsa.pub someuser@some.host.com:/home/someuser/.ssh/someuser.pub

Now the user should himself ssh to the remote server and on the remote server move his public key into the authorized_keys file. So execute the following command after being connected to the VPS

$ cd .ssh
$ cat someuser.pub >> authorized_keys
$ rm someuser.pub

At this stage the user can disconnect from the VPS and attempt to reconnect using ssh. If all works well, he should get connected to the vps in a manner where it does not prompt him for a password but instead he does get prompted for the passphrase to his private key (assuming he did set one).

This stage of updating the authorized_key file can also be performed by an administrative user / root once we later reconfigure ssh to only allow public key based logins.

Enabling the user to perform sudo operations

We shall enable any group who belongs to the group ‘admin‘ to be able to conduct root operations through using sudo.

First create a group ‘admin‘. subsequently associate the user with that group as well. Note : For best security ensure you allow associate only a very small number of users with the ‘admin’ group since that will effectively allow them control over the whole machine (assuming you setup the privileges as I subsequently describe below).

$ groupadd admin
$ adduser someuser admin

Now we shall enable any user who belongs to the admin group to perform root actions by using sudo. To edit the sudo policy file do the following

$ sudo visudo

At the end of the file which is now opened up – add the following line

%admin ALL=(ALL) ALL

Note this grants all superuser privileges to the users who belongs to admin group when conducting operations using sudo. You can use the sudo policy configurations to set up far more fine grained set of privileges, but thats beyond the scope of this document.

To test whether the configuration worked successfully, you can login as someuser and execute the following command.

$ sudo cat /etc/shadow

Tightening up ssh

To create the group and associate the users with them perform the following command (use the appropriate username instead of someuser for each user who you would like to allow SSH access).

sudo addgroup sshlogin
sudo adduser someuser sshlogin

More…

I demand a website security policy

Posted by Dhananjay Nene – January 7, 2009

Came across Weak Password Brings ‘Happiness’ to Twitter Hacker. While it primarily focused on the fact that a user with admin privileges and with account access over the internet had a weak password, which is rather surprising, Makes me very worried to now have accounts on so many websites which might not be treated with appropriate level of rigour.

I therefore demand that sites who want me to create an account with them enforce and publish a security policy comprising of at least the following basic password protection guidelines (I have attempted to keep out so many of the advanced ones to keep it simple)

  1. We shall never store your password in plain text in the databases, in the logfiles, on a piece of paper. In fact we will never store it anywhere in plain text – Period. We shall always store it as a hash digest (SHA1 or stronger) or only in case our functionality requires us to be able to access the password in plain text (eg. to pass on to another website), we shall store it in an encrypted fashion with an industry standard encryption scheme such as 3DES or equivalent in which case the encryption key will also be securely stored.
  2. The said encryption or hashing process will include both random salts and also the unique internal or external user identifier, so that two user’s sharing the same password will still not have the same hash / encrypted string.
  3. For password reset requests not triggered by a logged in end user (eg. administrator initiated), we will strive to autogenerate new passwords on demand and mail them out to the user directly. rather than let the administrators set it to a password of their choice. For situations that require an alternative workflow, we will ensure that password reset requests not coming from the user directly will get approved by at least another different admin person before getting effected (4 eyes principle).
  4. We will ensure that the login sequence always proceeds over SSL

Just like privacy policies I expect the websites to start publishing a minimum security policy without giving away any substantial implementation details. I think it is only reasonable for me to expect the websites to earn my trust before entrusting them with my password.

Update: Random passwords were being generated but how these passwords were shared with others is unclear – eg. “After resetting the password for the account, he gave the credentials to five people”. vs. “doesn’t know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.”

Why you may want to evaluate replacing a md5 signed certificate

Posted by Dhananjay Nene – January 3, 2009

A few days ago I blogged about “Separating fear from fact – On rogue CA certificates“. It was an attempt at understanding and then expressing that understanding about the rather complex issue raised by the attack. My understanding in that post was subsequently reinforced by other incidents that this attack has less to do with the security of the web site itself and more to do with the probable security of the interactions of the end user with the web site.

One easy way to find out whether your site has a md5 certificate in its chain is to use the SSL Blacklist 4.0 Firefox plugin. After installing the plugin open an https connection with your site. If there is a md5 certificate in the chain (excluding the root CA certificates), you are likely to see a pop up box as below :

ssl-blacklist-output-2

If you do see that, you have to deal with the fact that over a period of time more and more users are likely to see the same and feel concerned about interacting with your site. Is the fear well founded ? It is my rather speculative belief that the fears are likely to be far more than the actual risk the user runs, and the dialog box shown above makes things seem far more serious then what they perhaps could be in most cases.

However as in this case, the attack has been published and plugins like these are in the wild. The appropriate response would be to recognise that there is indeed a likelihood of your user’s interaction with such certificates now perceived to be statistically carrying a higher degree of risk than those with non MD5 certificates.

So even if your site continues to be as secure as it was before the attack was published, your user’s interactions no longer might be perceived to be so. Hence, you might want to evaluate the option of replacing the certificate with a non md5 signed certificate. Verisign has already waived its fees on such replacement certificates, so there might not be any additional explicit cash outflow in such a situation (though you would need to spend additional time and effort for implementing the change).

Separating fear from fact – On rogue CA certificates

Posted by Dhananjay Nene – December 31, 2008

Earlier today a paper summary “MD5 considered harmful today. Creating a rogue CA certificate” and an article “MD5 collision creates rogue Certificate Authority” appeared about a presentation to be made at the Chaos Communication Congress in Berlin. John Viega commented on the issue by writing a lengthy post “The sky is not falling (re: today’s PKI attack)“. Tim Callan from Verisign soon after reverted with its response “This morning’s MD5 attack – resolved“. This post refers to implications of the same for websites and internet users the way I understand it.

What does the attack do ? The attack describes a mechanism by which a malicious user can create a rogue CA certificate and in turn create and sign tons of additional certificates which will also be rogue but which for all practical purposes shall be treated as valid certificates by a browser. It specifically refers to an attack mechanism which exploits the MD5 collision generation ease (which has been known for quite some time) and the fact that root CAs use (or now perhaps used to use) MD5 for generating the certificate digests and some predictable mechanisms for generating additional data (eg. serial numbers). While most CAs will soon plug the hole (if they haven’t already), the primary concern point relates to the fact that someone already may have created rogue CA certificates and can use that to create additional certificates at will.

I run a website with https and have a certificate. Should I be concerned ? You have a certificate that proves your credentials. This certificate continues to be valid and there is no change in its status. However there is now a possibility that someone who has setup a rogue CA can now issue additional certificates that claim to be you. Thus while this particular attack does not apparently increase your website vulnerability, it does make it potentially feasible for the rogue CA to now send your users to some other site which uses the new rogue certificate claiming to be you. However such new sites will typically use a different domain and are unlikely to use the same domain you do so long as you own and manage your website domain. Thus if your company is called ABC and hypothetically runs the website “abc.com”, another certificate could get issued by a rogue CA asserting the claims to be “ABC” running on a hypothetically different site- “abc2.com”. Users by default are unlikely to be entering abc2.com into their browser address bars to get to you and to that extent you are not so likely to be affected. Note that you are still vulnerable to phishing attack (as you were before this attack was discovered) where a malicious site “abc2.com” could send spurious hyperlinks to your user through email or websites which point to “abc2.com” which used a certificate issued to abc2.com. What this attack makes possible but only in conjunction with yet another separate class of attacks called “redirection attacks” is that a rogue certificate can now be presented to your users as “abc.com” and they will be no wiser. So in summary, most existing risks especially those related to phishing continue, but now another possibility exists whereby another site can claim to be your site and present a more authentic set of credentials that support its claim – but only in conjunction with exploiting an additional set of malicious net based attacks.

However if your certificate has been signed using md5, you should consider reverting back to your CA to replace it with a new one. This is not absolutely necessary since the existing certificates even if signed using md5 have not been invalidated or rendered insecure per se. Verisign has already suspended its normal replacement fees for such certificates. Update:Given the fact that plugins like SSL blacklist are likely to offer warnings to the end users should they come to your site, I would think that it might make sense to replace the certificates not because your current site or certificates are any less secure, but that the user’s interaction potentially could be (it is the user who runs a higher risk now).

Should I be concerned as a user ?Yes. Make sure you continue to follow all the good anti-phishing practices. Try to make sure your browsers are regularly updated with the security patches. Also make sure by either looking at the address bar (if the page is not in frames) or especially by looking at the domain name in the certificate that you are indeed communicating with a domain that you are aware of as the valid domain for the site. If the above attack has been used in conjunction with a redirection attack you are unlikely to be able to figure it out. The only way to protect yourself against such a possibility is to ensure that every certificate in the signing chain has been signed using a non-md5 algorithm (a rather onerous task to perform each time a new https connection is initiated). While I am not aware of any such existing capabilities, I would not be surprised if I start seeing either newer configuration parameters or browser add ons which disallow any https connections which use one or more md5 signed certificates in the certificate chain.

So is the sky falling ? It isn’t in the sense that existing websites or certificates haven’t become any more vulnerable. As John Viega and the original researchers point out, it is exceedingly difficult to spoof a valid already issued website certificate – it requires a specially crafted certificate request. The primary vulnerability stems from creating a rogue CA certificate and using that in turn to generate addtional rogue certificates on demand. This does allow phishing sophistication to be taken a notch higher and more difficult to detect. Given that CAs have either already or are in the process of fixing the vulnerability, newer rogue CA certificates may no longer be feasible using the attack method specified. However if and whether any current rogue CA certificates have already been manufactured is anybody’s guess (the researching attackers did create one even though it was back dated so as to be non-functional). Since this is a question that is tough to answer, probably a way to make people feel a little bit more secure is to allow a capability (configuration / addon) in the browsers to disallow / warn of any https communications with an md5 signed certificate anywhere in the chain.

Update:The following firefox addons have since the writing of this post appeared which check for md5 digests in the certificate chain.

  • SSL Blacklist 4.0 : Allows root CA certs to be md5 signed since these are not likely to be rogue certificates.

Disclaimer :I am a software architect and not a specialist security professional. These are my opinions expressed to the best of my understanding as of the time of writing this post. As in all matters related to health, law and security you should consult an appropriate professional when you need reliable advice and opinions. As with any developing piece of news, I do wonder if I might have not understood something entirely accurately. If you do find any errors or omissions, do point them out in the comments.

How can a ISP not be up to date on security ?

Posted by Dhananjay Nene – September 27, 2008

A few days back I blogged about wireless security becoming a prominent issue in India. In that I had essentially defended the ISPs given the fact that they could not be expected to ensure security of all the domestic routers that connect into their network.

I received a document in mail today from my ISP explaining the steps I need to take to secure the WiFi network. While it contained a number of useful suggestions, this one completely surprised me. Here’s a snapshot from the document.

WEP ?

Just to feel a little bit confident (or otherwise) about the suggestion, lets review what some other data sources say about WEP.

Wikipedia : Wired Equivalent Privacy

Beginning in 2001, several serious weaknesses were identified by cryptanalysts with the result that today a WEP connection can be cracked with readily available software within minutes.

Microsoft : Improve the security of your wireless home network with Windows XP

64-bit WEP (Wired Equivalent Protection). The original wireless encryption standard, it is now outdated. The main problem with it is that it can be easily “cracked.” Cracking a wireless network means defeating the encryption so that you can establish a connection without being invited.

The authors of one of the more important studies (circa 2006) “Intercepting Mobile Communications: The Insecurity of 802.11” on a summary page “Security of the WEP algorithm” state :

We have discovered a number of flaws in the WEP algorithm, which seriously undermine the security claims of the system. In particular, we found the following types of attacks:

  • Passive attacks to decrypt traffic based on statistical analysis.
  • Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
  • Active attacks to decrypt traffic, based on tricking the access point.
  • Dictionary-building attack that, after analysis of about a day’s worth of traffic, allows real-time automated decryption of all traffic.

Our analysis suggests that all of these attacks are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network.

Note that our attacks apply to both 40-bit and the so-called 128-bit versions of WEP equally well. They also apply to networks that use 802.11b standard (802.11b is an extension to 802.11 to support higher data rates; it leaves the WEP algorithm unchanged).

Moreover the document refers to only one particular router configuration. So if the consumer (who is unlikely to be so hardware configuration savvy) owns a different router model, he has to figure it out for himself of how to configure his router based on another router configuration.

So it has been known to be insecure starting 2001, and this is the advice going out to home owners from the ISPs. This is somewhat scary. When the agencies that are probably the most likely educators in the realm of security are themselves offering such solutions, implementing security is going to be indeed tough.

Suggestion : Can all the ISPs in India collectively get together and create a security related site, and list out the various configuration steps for all the major models being sold in India ? (and please hire a consultant who makes sure suggestions such as WEP aren’t made).

The original full document containing the suggestions can be found here.