Installing Vaultier under Fedora

Vaultering.

So there I was, trying to install Vaultier on a dedicated CentOS machine. It turns out there are only three options: a Docker image, an installation script for Ubuntu, and a manual install. And the manual instructions also cover only Ubuntu (or Debian). Tough luck.

But how hard can it be to install this on CentOS? Next to impossible. The software shipped in the default repositories (and EPEL) is too old to get it working, short of compiling a lot on my own, which would break the nice package updates. And updates are a must on a server that handles sensitive data.

So I took the next best thing: Fedora 24 Server. Even that turned out to be ugly, but in the end it worked. Here is how I did it.

(more…)

XenServer, Patch 22 and Crypto

The What

I am using XenServer as the private virtualisation solution for my network. It’s fast, reliable, open source and free (as in free beer). I am sort of a fanboy. That said, we are using XenServer at work, too.

Somewhat recently Citrix, the maker of XenServer, released hotfix XS65ESP1022, aka Patch 22. From the release notes:

This hotfix supports the upgrade of OpenSSL package to version 1.0.1.

Files Updated

stunnel-4.15-17.x86_64.rpm
make-3.81-3.el5.x86_64.rpm
openssl-wrapper-0.1-59.x86_64.rpm
openssl-xs-1.0.1e-42.xs15.x86_64.rpm
ca-certificates-2012.87-1.noarch.rpm
openssl-xs-libs-1.0.1e-42.xs15.x86_64.rpm
openvswitch-2.1.3-13.7579.x86_64.rpm
xenserver-transfer-vm-6.5.0-116122c.noarch.rpm

The OpenSSL packages (openssl-xs and openssl-xs-libs), however, introduce some issues. If you (like everyone) installed extra packages in Dom0 (the control domain) and maybe even used packages from EPEL, then things will break, because those packages were built against the OpenSSL libraries that the hotfix replaces. For example:

(more…)

Implementing DNSSEC

Foreplay

DNS is one of the most basic and most needed database structures on the planet. It’s hierarchical, and goes from top to bottom.
If you have no clue how DNS works, you should check out this fine tutorial over at webhostinggeeks.com. Once you have done that, come back here and we talk security. But seriously, read it. Now.

The issue

Like I said (and you read; if you haven’t: shame on you!), DNS is a hierarchical, top-to-bottom approach. Plain DNS carries no authentication, so a resolver cannot tell a forged answer from a genuine one, and spoofing or tampering can happen at any level, even at the bottom (DNS server hijacking).

Enter DNSSEC.
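To make the “top to bottom” chain concrete, here is an added example (not from the post) of the one link DNSSEC puts between a parent and a child zone: the parent publishes a DS record that is a hash of the child’s key-signing DNSKEY, computed the way RFC 4034 and RFC 4509 specify, and signs that DS with its own key. A validator walks down from the root recomputing and checking this link at every delegation. The zone name and key bytes below are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

# Constructed sample: a key-signing DNSKEY for a fictitious zone.
# Flags 257 = zone key + SEP bit (a KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256), whose public key is the 64-byte x||y point.
# The key bytes are placeholders, not a real key.
EXAMPLE_ZONE = "example.net."
EXAMPLE_KSK_FLAGS, EXAMPLE_KSK_PROTO, EXAMPLE_KSK_ALG = 257, 3, 13
EXAMPLE_KSK_B64 = base64.b64encode(bytes(range(64))).decode()
OTHER_KEY_B64 = base64.b64encode(bytes(64)).decode()


def wire_name(owner):
    """Owner name in canonical wire form (RFC 4034 section 6.2): labels
    lowercased, each prefixed by its length, terminated by the root label."""
    owner = owner.lower().rstrip(".")
    out = b""
    for label in (owner.split(".") if owner else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag (RFC 4034 appendix B, for algorithms other than 1): a 16-bit
    checksum of the RDATA used to tell a zone's keys apart in DS and RRSIG."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS RDATA the parent publishes: (key_tag, algorithm, digest_type, digest_hex).
    digest = H(canonical owner name || DNSKEY RDATA); type 2 = SHA-256 (RFC 4509),
    type 1 = SHA-1 (RFC 4034, deprecated)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, published_ds):
    """The check a validator makes at each delegation point: recompute the DS
    from the DNSKEY the child serves and compare it with the DS the parent
    serves (and signs). A mismatch means the parent never vouched for this key."""
    tag, alg, dtype, digest = published_ds
    if dtype not in (1, 2):
        return False  # unknown digest type: cannot validate, so do not trust
    computed = ds_record(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return computed == (tag, alg, dtype, digest.upper())


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(EXAMPLE_ZONE, EXAMPLE_KSK_FLAGS,
                                        EXAMPLE_KSK_PROTO, EXAMPLE_KSK_ALG,
                                        EXAMPLE_KSK_B64)
    # This is the line you hand to your registrar / parent zone.
    print("%s IN DS %d %d %d %s" % (EXAMPLE_ZONE, tag, alg, dtype, digest))
```

The practical consequence: the DS in the parent is the only thing that ties your zone’s keys to the hierarchy above it, so rolling a KSK means publishing a new DS at the registrar before retiring the old key, and a DS that does not match any served DNSKEY makes every validating resolver return SERVFAIL for the whole zone.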

(more…)

Fedora 23 and fwbuilder

Fedora & Fwbuilder

For both work and private entertainment I have been using fwbuilder, a graphical clicky-clicky firewall configuration tool that totally rocks when you have a shitload of servers to manage. Added a new trusted IP? Net? *click*, done. And by deploying the rules with Puppet it’s a breeze and almost fun.

Only recently I began using Fedora (both vanilla and the KDE spin) as my workstation OS, and so far I like it. Before that I had been using Ubuntu 12.04 LTS since it came out. But it was aged and the upgrade kind of failed (ATI, *cough*).

So back on my new and shiny Fedora Station I typed the magic words:

~ $ sudo dnf install fwbuilder
Last metadata expiration check: 2:05:43 ago on Tue May 3 13:21:44 2016.
No package fwbuilder available.
Error: Unable to find a match.

Yikes! fwbuilder is not in the main repo. I googled, and it turns out fwbuilder was removed back in Fedora 21; running 23, any hope of using a 21-ish RPM is gone. Tarball of binaries? No. Nothing.

rpmfind et al. does not yield any result either. So we need to get our hands dirty.
(more…)

http public key pinning (hpkp)

Quick trusted overview.

We now live in a world of free SSL certificates for everyone [StartSSL, Let’s Encrypt]. This is awesome not only for security, as in encrypting your in-transit data, but also for authenticity: you prove (by proxy) to everyone that the data stream originated from your server. This is done by trusting the certificate, or more precisely, the certificate path.

Figure: A trusted certificate path (unpinned).

A certificate path starts from the certificate authority, the company or entity that gives you your certificate. Most of the time your certificate is not signed directly by your certificate authority (CA) but by an intermediate CA. Your browser (Firefox, Opera, Internet Explorer, Safari et al.) ships with a list of trusted ‘root certificates’. All certificates signed by any of those trusted root CAs are automatically trusted as long as the chain of trust is complete. So your browser trusts, for example, the StartSSL root CA. StartSSL created and signed an intermediate CA, so that is trusted, too. This one, in turn, issued your server certificate. As your browser trusts the entire chain, you should not see any security warnings when you visit your site.

The problem.

So what is the issue here? Your browser already trusts all the certificates issued by any trusted root CA. There you have it. The problem. You trust any issued certificate, from any of the hundreds of CAs in the trust store, for any domain. So when an obscure Chinese root CA issues a valid certificate for your domain, that certificate is automatically trusted by everyone. A man-in-the-middle or impersonation attack was never this easy. Think this is a theoretical problem? It’s not. There are many documented cases.
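Pinning narrows that trust to keys you chose. The value HPKP (RFC 7469) pins is not the certificate but the SHA-256 of the DER-encoded SubjectPublicKeyInfo, base64-encoded, so a renewed certificate with the same key keeps matching. The following is an added example, not code from the post: it computes that pin from a PEM public key, builds the Public-Key-Pins header, and shows the browser-side decision. The PEM key is a constructed Ed25519 SPKI with placeholder key bytes. One caveat worth stating up front: major browsers have since removed HPKP support, because a lost or mis-pinned key locks every returning visitor out until max-age expires; the pin computation itself is still what Expect-CT successors and DANE-style checks build on.

```python
import base64
import hashlib
import re

# Constructed sample: a DER SubjectPublicKeyInfo for an Ed25519 key (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0x00 || 32 key bytes } }.
# The 32 key bytes are placeholders, not a real key.
_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
EXAMPLE_SPKI_DER = _SPKI_PREFIX + bytes(range(32))
BACKUP_SPKI_DER = _SPKI_PREFIX + bytes(32)   # a second (offline) key to pin as backup


def pem_wrap(der, label="PUBLIC KEY"):
    """PEM-armour DER bytes, 64 characters per line, as openssl prints them."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_to_der(pem, label="PUBLIC KEY"):
    """Extract and base64-decode the first block with the given PEM label."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block in PEM input" % label)
    return base64.b64decode("".join(m.group(1).split()))


EXAMPLE_PUBKEY_PEM = pem_wrap(EXAMPLE_SPKI_DER)
BACKUP_PUBKEY_PEM = pem_wrap(BACKUP_SPKI_DER)


def spki_pin(pem):
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)).
    Equivalent to: openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
                   | openssl dgst -sha256 -binary | base64"""
    return base64.b64encode(hashlib.sha256(pem_to_der(pem)).digest()).decode()


def hpkp_header(pins, max_age, include_subdomains=False, report_uri=None):
    """Public-Key-Pins header value per RFC 7469. The spec requires at least two
    pins, and in practice one of them must be a backup key kept offline: if the
    only pinned key is lost, every returning visitor is locked out until max-age expires."""
    pins = list(dict.fromkeys(pins))  # de-duplicate, keep order
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (current key plus a backup)")
    if max_age <= 0:
        raise ValueError("max-age must be positive")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_pins(header):
    """Set of pinned values from a Public-Key-Pins header."""
    return set(re.findall(r'pin-sha256="([^"]+)"', header))


def chain_is_pinned(chain_spki_pins, pinned):
    """The browser-side rule: a validated chain is accepted only if the SPKI
    of at least one certificate in it (leaf, intermediate or root) matches a
    remembered pin. A chain from any other CA, however trusted, is rejected."""
    return any(p in pinned for p in chain_spki_pins)


if __name__ == "__main__":
    current, backup = spki_pin(EXAMPLE_PUBKEY_PEM), spki_pin(BACKUP_PUBKEY_PEM)
    print("Public-Key-Pins:", hpkp_header([current, backup], 5184000, include_subdomains=True))
```

Pin the leaf key (or the key of an intermediate you control) rather than a CA root: pinning a root re-introduces exactly the “any certificate from that CA” trust the header was meant to remove.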

(more…)

PFsense and XenServer

The players

I like XenServer. It’s a rock-solid (albeit basic) virtualisation platform that’s not only open source but can handle any OS you throw at it. Management is bliss, and in my many years of using it both professionally and privately I have yet to encounter a (non-hardware-related) crash or other issue with it.

Installation is a breeze. All you need is the ISO: burn it and install it on some hardware you have lying around (it even works inside VirtualBox for a test drive; and yes, it also works inside XenServer. Xenception.). The hardware specifications depend on what you are going to do with it. From basic testing to high-end computing with several hundred cores, no problem there.

The other piece of software I totally like is pfSense, a software-based firewall distribution. With some minor tweaking you can get a really neat setup working.

Those two are just screaming to get together and have a party. Bring the party hats!

(more…)

Lenovo S21e, Linux and the Touchpad

The ‘Ahh’.

I recently bought a Lenovo S21e notebook. I wanted something light, thin and above all cheap. The notebook’s use is restricted to doing stuff on the balcony or in the garden, “stuff” being Puppet code, general server management and light web applications. For that the tiny S21e for a mere 180 € at Amazon (note: the price has actually increased since I bought it) seemed good enough. Sharp display, full-size keyboard and no fans or other moving parts. It has no SSD either; the mass storage is an embedded 64 GB flash card whose speed is somewhere between a spinning hard disk and an SSD. The soldered 2 GB of RAM seemed enough for its task, and the quad-core Celeron; well, it’s a Celeron.

It came with Windows 8 with Bing pre-installed. I always boot into the pre-installed system at least once to test the hardware for defects; later on you can’t tell whether it’s a hardware or a software problem. A practice that has sure helped me…

(more…)

Authenticated with partial success

The What

It’s hardening time again.

Following up on my post “DNSSEC, SSH and keys.”, this is another post in the series on hardening your SSH server, and your server in general. Are you using password login or public keys?


Indeed. Why not both? And I am not going to recommend that you put a passphrase on your SSH keys (which is nice, but it is checked only on the client and the server never knows) but rather recommend real two-factor authentication enforced by the server: public key and a password. What does it do?
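For reference, this is what that looks like on the server side. It is an added example, not the configuration from the post: OpenSSH (6.2 or newer) lets you require several methods in sequence with AuthenticationMethods, and the partial-success message in this post’s title is what the client reports after the first method has passed and the server asks for the next one.

```sshd_config
# /etc/ssh/sshd_config (added example; needs OpenSSH 6.2 or newer)

# Both individual methods have to be enabled for the combination to work.
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no

# Require BOTH, in this order: an accepted public key first, then the
# account password. A stolen key alone or a guessed password alone is not enough.
AuthenticationMethods publickey,password

# Example exception for an automation account that has no password (assumed
# name; adjust or drop): key only, but restricted to one source network.
Match User deploy Address 10.0.0.0/8
    AuthenticationMethods publickey
```

Run `sshd -t` to syntax-check the file and keep an existing session open while you reload, since a typo here locks you out. Note that a password is only a second factor if it is a real, separate secret: a password that is also used elsewhere, or an account with an empty password, turns this back into one factor.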

(more…)

WordPress, Nginx and Security

The Issue

If you are using WordPress then you have undoubtedly noticed an ever increasing number of login attempts on wp-login.php. There are botnets out there that do nothing else but try to log in to (any) WordPress backend. The reason is simple and not what you think: they are not going to deface your site but are looking for mail servers in good standing. Once “hacked” into your wp-admin, they most commonly infect a theme and call that theme to send tens of thousands of spam mails, to the point where your server can no longer send email because it is blocked on most RBLs out there. This is in fact so common that removing malware from WordPress themes is a (near) fixed task at work.

But even if you have chosen a good, strong password combined with a non-standard username, there is still the matter of bugs and glitches being exploited, which might even bypass authentication altogether.

A Solution

The solution is simple: place an htaccess-style protection (HTTP basic authentication, enforced by the web server) in front of it. Such a protection is plain stupid from a technical point of view, and that is its strength: not much can break, not much can be bypassed. By adding another layer of authentication before the request ever reaches PHP, you effectively shield your wp-admin from all current and future bugs and exploits in the WordPress login code.

But this would mean having to log in twice. Yuck.

And don’t even think about using the same username and password combination for both locks.

A better solution

How I am doing it and how I recommend it: run nginx (it works with Apache, too!) and always serve TLS pages, which is a best practice and good for your SEO on Google. I am assuming you already have a working nginx setup and your site is already being served by nginx. So edit your nginx configuration and add these lines to enable TLS:
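As an added example (not the configuration from the post), here is how the TLS redirect and the htaccess-style second lock from “A Solution” look in nginx. Hostnames, certificate paths, the PHP-FPM socket and the htpasswd file are assumptions for the example. Two details matter for a real site: admin-ajax.php lives under wp-admin/ but is called anonymously by front-end plugins and themes, so it has to stay outside the lock, and xmlrpc.php is the other endpoint the brute-force botnets hammer.

```nginx
# Added example configuration; names and paths are assumptions.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;   # never serve the site, let alone the login, over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/example.com;
    index index.php;

    # Front-end AJAX must stay reachable without the second lock. An exact
    # match (=) wins over the regex location below, so it is excluded there.
    location = /wp-admin/admin-ajax.php {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php-fpm/www.sock;
    }

    # xmlrpc.php is the other brute-force target; block it unless you use it
    # (Jetpack and some mobile apps do).
    location = /xmlrpc.php { return 403; }

    # The second lock: separate credentials, checked by nginx before PHP runs.
    # Create the file with: htpasswd -B -c /etc/nginx/wp-admin.htpasswd <user>
    location ~ ^/(wp-login\.php|wp-admin/) {
        auth_basic           "Backend";
        auth_basic_user_file /etc/nginx/wp-admin.htpasswd;
        try_files $uri $uri/ /index.php?$args;

        location ~ \.php$ {          # auth_basic is inherited by this nested location
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass   unix:/run/php-fpm/www.sock;
        }
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php-fpm/www.sock;
    }
}
```

Check with `nginx -t` before reloading, then confirm from outside that `curl -I https://example.com/wp-login.php` returns 401 without credentials and that `/wp-admin/admin-ajax.php` does not. Keep in mind what this lock does not cover: anything reachable through admin-ajax.php or the REST API is still exposed to bugs in whatever plugin handles it.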

(more…)

DNSSEC, SSH and keys.

Yes, Sir!

If you are reading this blog, odds are you are a system administrator or at the very least someone with technical skill and Linux knowledge. Following this train of thought, given our connected world, leads to the fact that you have used SSH at some point. And chances are you have seen this prompt:

The authenticity of host 'mx1.alpha-labs.net (46.229.47.141)' can't be established.
RSA key fingerprint is 50:88:9e:56:e9:2a:2f:d7:7f:e7:a9:3d:0f:23:9e:52.
Are you sure you want to continue connecting (yes/no)?

Be honest: did you ever really read this passage? I wager you typed “yes” to get on with the job at hand. This, however, is a major security concern. You see, encryption is only awesome if you talk to the right party. What use is the most sophisticated encryption if you encrypt for your enemy?

You need to be sure you are talking to the right guy, or in this case the right server. The fingerprint printed above should be checked against a trusted source, be it written down, handed over in person or read out over the phone. No one does this, period. So everyone just types yes, or even worse, disables this check altogether (StrictHostKeyChecking no; please don’t).

Do you know DNSSEC? It gives you a fully trusted path coming from the root name servers (“.”) across the TLD registries (.net) all the way down to the local system administrator at the domain level (alpha-labs.net) or even lower (mx1.alpha-labs.net).
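The mechanism OpenSSH provides for exactly this is the SSHFP record (RFC 4255, extended by RFC 6594 and RFC 7479): the zone publishes a hash of each host key, and with `VerifyHostKeyDNS yes` the client compares the presented key against it, trusting the answer only when the resolver reports it as DNSSEC-validated. The following is an added example, not code from the post. It shows that the fingerprint in the prompt above, the modern SHA256 fingerprint and the SSHFP record are all hashes over the same key blob, generates the zone line, and performs the client-side comparison. The host key line is constructed with placeholder key bytes.

```python
import base64
import hashlib


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample of a /etc/ssh/ssh_host_ed25519_key.pub line. The blob is a
# valid wire encoding (key type string, then the 32 key bytes) with placeholder
# key bytes, not a real host key.
_EXAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
EXAMPLE_HOST_KEY_LINE = "ssh-ed25519 %s root@mx1" % base64.b64encode(_EXAMPLE_BLOB).decode()

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2


def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (key type, decoded key blob),
    checking that the type string inside the blob agrees with the text field."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match %r" % keytype)
    return keytype, blob


def md5_fingerprint(blob):
    """Legacy fingerprint as shown in the prompt above: colon-separated MD5 hex."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob):
    """Fingerprint printed by OpenSSH 6.8+: SHA256:<base64 without padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def sshfp_record(line, fptype=SSHFP_SHA256):
    """(algorithm, fingerprint type, hex digest) for the SSHFP RR of this key.
    The digest covers the raw key blob, i.e. the same bytes ssh fingerprints."""
    keytype, blob = parse_pubkey_line(line)
    hasher = hashlib.sha256 if fptype == SSHFP_SHA256 else hashlib.sha1
    return SSHFP_ALGORITHMS[keytype], fptype, hasher(blob).hexdigest()


def sshfp_zone_line(host, line, fptype=SSHFP_SHA256):
    """Zone-file line to publish; equivalent to `ssh-keygen -r <host>` output."""
    alg, ft, hexd = sshfp_record(line, fptype)
    return "%s IN SSHFP %d %d %s" % (host, alg, ft, hexd)


def host_key_matches_sshfp(line, records):
    """The client-side check behind VerifyHostKeyDNS: accept the presented key if any
    SSHFP record (alg, type, hex) for the host matches it. In real use the records
    count only if the resolver set the AD bit, i.e. they came through a validated
    DNSSEC chain; an unsigned answer is no better than typing yes."""
    alg = sshfp_record(line)[0]
    for r_alg, r_type, r_hex in records:
        if r_alg != alg or r_type not in (SSHFP_SHA1, SSHFP_SHA256):
            continue
        if sshfp_record(line, r_type)[2].lower() == r_hex.lower():
            return True
    return False


if __name__ == "__main__":
    _, blob = parse_pubkey_line(EXAMPLE_HOST_KEY_LINE)
    print("MD5    ", md5_fingerprint(blob))
    print("SHA256 ", sha256_fingerprint(blob))
    print(sshfp_zone_line("mx1.example.net.", EXAMPLE_HOST_KEY_LINE))
```

On a real host, `ssh-keygen -r $(hostname -f)` prints the records for every installed host key; publish them, sign the zone, and set `VerifyHostKeyDNS yes` (or `ask`) in ssh_config on the clients. Without DNSSEC on both the zone and the resolver path, ssh will still show the prompt, because an unvalidated SSHFP answer could have been spoofed just like the connection itself.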

(more…)