Latest articles in ‘Hardening’


  1. RSA key lengths, elliptic curve cryptography and quantum computing

    Published: Thu 14 December 2017 in Opinions.
    Are RSA keys over 2048 bits overkill? Are elliptic curves the future of cryptography? Is quantum computing a real threat and what is its exact impact?

    Some tools, like PGP, are still stuck with legacy cryptography, mainly the RSA algorithm. For such tools, RSA-2048 is often described as strong enough for any foreseeable future, anything above being overkill. The official GnuPG documentation in particular even goes so far as to consider that using RSA-3027 or RSA-4096 constitutes “an improvement so marginal that it’s really not worth mentioning”, adding that “the way to go would be to switch to elliptical curve cryptography”.

    The assertion that this improvement is “marginal” is debatable, as is the trust placed in elliptic curves to protect us in the future.

    Longer RSA keys

    While NIST considers RSA-2048 to be safe for commercial use up to 2030, it still advises the use of at least an RSA-3072 key beyond that date (see BlueKrypt’s Keylength website for an overview of various recommendations).

    Read quickly, such recommendation …


  2. How to (more) safely use the Firefox password manager

    Published: Fri 03 November 2017 in Cookbook.
    Updated: Tue 20 February 2018 (Added a warning about syncing NSFW browsing history.)
    Firefox’s built-in password manager remains a good alternative where standalone password managers are overkill.

    Security professionals often recommend using dedicated password manager software, such as KeePass, which makes it easy to prevent password reuse while ensuring safe storage of the passwords.

    Did I just say… “easily”? For the general public, this “easiness” may not be so obvious. Having to install, learn and use new software just to store the password which gives access to the website which, in turn, allows you to do your things: end-users often consider this overkill…

    And they may be right.

    Their usual reaction is therefore either to rely on a single “well thought and complex password” to secure their whole digital life, or build an over-engineered mental algorithm to create unique (but easily guessable, even when they don’t think so) passwords, losing data because of a forgotten password or being stuck because they are currently at their office while their …


  3. SELinux cheatsheet

    Published: Fri 08 September 2017 in Cookbook.
    A memory-refresher on the main SELinux commands, files and behavior.

    This page is only designed as a memory-refresher. SELinux may be a complex thing to get right; if you are not familiar with it yet, I highly encourage you to read Sven Vermeulen’s books.

    SELinux state

    To detect whether SELinux is enabled or not:

    • From a script, selinuxenabled doesn’t produce any output and its exit code gives the SELinux status.
    • From an interactive prompt, sestatus provides more information.

    The main SELinux configuration file is /etc/selinux/config; it defines:

    • SELINUX=: SELinux state:

      • enforcing: Enabled and blocks unauthorized actions (policy violations).

      • permissive: Enabled, but only logs unauthorized actions and does not block them (useful for development and HIDS purposes).

      • disabled: SELinux is completely disabled.

        Warning

        If SELinux has been temporarily disabled (which is not recommended, there are usually cleaner ways to proceed), a global relabel will be required before re-enabling SELinux.

        More information.

    • SELINUXTYPE=: The policy currently in use; available policies depend …


  4. SELinux System Administration & SELinux Cookbook (Sven Vermeulen)

    Published: Wed 06 September 2017 in Library.
    The best books to discover SELinux and learn how to get the most out of it.

    Sven Vermeulen, the author of these two books, is deeply involved in the Gentoo community.

    Quoting his biography from the book introduction:

    In 2003, he joined the ranks of the Gentoo Linux project as a documentation developer and has since worked in several roles, including Gentoo Foundation trustee, council member, project lead for various documentation initiatives, and (his current role) project lead for Gentoo Hardened SELinux integration and the system integrity project.

    He is knowledgeable technically, pedagogically and in SELinux. In these books, he uses his talent to shed light on a domain which is often perceived as obscure and daunting, explaining in a clear and effective way how and why things are the way they are, so that everything finally falls into place in our minds.

    Don’t let the affiliation with the Gentoo project lead you to think that these books are only about Gentoo. These books …


  5. Isolate your services using jails and containers

    Published: Thu 10 August 2017 in Cookbook.
    Use FreeBSD jails and Linux LXC efficiently to make your server both more secure and easier to manage.

    Containers and jails allow you to make your system more secure, more reliable, more flexible and, at the end of the day, easier to manage. Once you get used to them, it becomes difficult to imagine setting up a server without such features.

    But what are they exactly?

    Containers and jails

    Containers and jails designate different implementations of operating-system-level virtualization. Like a lot of low-level security features we encounter in today’s world, this functionality can be traced back to the old mainframes, where reliability and parallelism are at the core of the system, and where it allows a host system to be partitioned into smaller isolated systems.

    This feature then went through commercial Unixes to finally reach open-source operating systems. The first open-source OS to really implement this feature was FreeBSD, which has offered its jail functionality since 2000 (FreeBSD 4.0). In the meantime there were several more-or-less successful attempts …


  6. How to examine Android SELinux policy

    Published: Mon 15 August 2016 in Cookbook.
    A step-by-step guide from building your environment to a concrete example showing the tools in action.

    Examining SELinux policy should be a trivial thing, but Android turns this into some kind of nightmare. In fact, Google has designed Android mainly from a consumer perspective, and not for power users. The result is that, as soon as you want to do something outside of using the latest Facebook app or playing Candy Crush, you very quickly find yourself back in the realm of early-2000 Linux, when a developer-like knowledge was required to change what should be simple settings. I believe that the situation will evolve quickly as the Android system gets more mature, but for now we have to make do with what we have got…

    As you said, there are two reasons why it is necessary to compile your own SELinux toolset:

    • The system provided toolset is usually a version behind. While Android’s SELinux relies on policy DB version 30, current Linux boxes usually handle only version up …

  7. What is the difference between HTTP and HTTPS with a self-signed certificate?

    Published: Fri 28 August 2015 in Opinions.
    The security and user experience differences and how to safely manage them.

    Security difference

    First, let’s talk about SSL (now called TLS by the way), which adds the ‘S’ at the end of HTTPS and is in charge of “securing the communication”. The clue to answer this question is indeed to fully understand what we mean by “securing the communication”.

    SSL, no matter if it is a self-signed certificate which is being used or one signed by a trusted CA, will ensure that the communication between you and the remote host remains confidential and that no one can tamper with any data exchanged.

    The warning message shown by browsers about self-signed certificates is therefore not about that.

    But, how can you be sure that the remote host answering your requests is really the one you expect? With public websites, for which you have no direct way to authenticate the certificate by yourself, this is just impossible. Here comes external …


  8. Can SELinux really confine the root user?

    Published: Thu 20 August 2015 in Opinions.
    How, but most importantly why, SELinux is able to confine even the root user.

    Several projects such as this one propose a free root access to a Linux box in order to demonstrate SELinux confinement abilities. Even given a root access on a box, SELinux still prevents any harm from being done.

    Is this for real or is there any trick behind such a setup?

    This is indeed possible because SELinux does not actually care about the current Unix user: all it sees is supplementary metadata called the context (which includes, among other fields, a domain field) and which lets SELinux decide whether the requested action can be authorized or not.

    What one usually conceives as the root user should be mapped in SELinux as a root Unix user running either the unconfined_t or sysadm_t SELinux domain. It is the classical full-powered omnipotent root user.

    However, one could perfectly set up his system to spawn a root shell (I mean root Unix user shell …


  9. Do randomized PIDs bring more security?

    Published: Sat 23 May 2015 in Opinions.
    The limits of randomness-based security and the position of the main free *nixes on the subject.

    The issue

    I read an article in the French magazine MISC (no. 74 - July/August, 2014) publishing a flaw affecting stunnel and libssh.

    To make things short, this flaw relies on the fact that a hello cookie created by the server is generated using the current Unix timestamp (so up to the second) and the PID of the process handling the request. The exploit sends a high number of connection attempts in order to force the server to generate duplicated cookies. In the end, this attack aims to deduce the server private keys.

    The author explains that such an attack is not realizable on systems using traditional sequential PIDs because it would require more than 65000 connection attempts to be made in less than one second.

    However, thanks to random PIDs used on some “hardened” systems the author demonstrates that, with 20 connection attempts per second, there is statistically more than one …
