Today i’ve released the kpassgen Package in KDE:KDE4:Community. It is planned to publish in Contrib too. (more…)
Archive for the ‘Security’ Category
suspend to disk with encrypted root file system on lvm
July 13th, 2009 by AndreasStiegerSuspend to disk a.k.a. Hybernation doesn’t quite work when running openSUSE in an encrypted root file system and swap on LUKS on LVM, as with Ludwig Nussel’s instructions. The system is not able to resume from the swap area, because the initial ramdisk opens the lvm system before the luks. This results in only root logical volume being opened at that time, but not the swap volume. A regular boot follows.
Here’s the mkinitd boot scripts (or their symlinks, rather) in question:
$ ls -1 /lib/mkinitrd/boot
...
61-lvm2.sh
71-luks.sh
...
Until all this is properly supported, here is a quirk to make it work: Make the lvm2 initrd boot script depend on the luks one*.
Edit /lib/mkinitrd/scripts/boot-lvm2.sh (this is what 61-lvm2.sh points to) and change the third line from
#%depends: evms
to
#%depends: evms luks
Recreate the initrd.
$ cp -iv /boot/mkinitrd /boot/mkinitrd.backup
$ mkinitrd
You will notice that the symlinks were renamed now:
71-luks.sh
72-lvm2.sh
No try suspending to disk, you should be prompted for your luks password and resume from disk should work.
$ s2disk
*This of course assumes that you only have lvm devices inside luks, not the other way around. It’s not too hard to have both – simply duplicate and adjust the luks script and run one instance before and one after lvm.
Stop ssh brute force attack using SuSEfirewall
June 22nd, 2009 by Jigish GohilEdit /etc/sysconfig/SuSEfirewall2:
#do not open ssh ports here
FW_SERVICES_EXT_TCP=""
FW_CONFIGURATIONS_EXT=""
#add this rule
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#Restart firewall:
rcSuSEfirewall2 restart
Now attacker will just have three attempts to break in.
encrypted root file system on LVM
March 18th, 2009 by lnusselopenSUSE 11.1 doesn’t officially support an encrypted root file
system which also means YaST doesn’t allow to create such a setup.
By manually creating an encrypted partition and putting LVM into the
encrypted container it’s however possible to trick YaST into
accepting that as root file system.
(more…)
Saschas Backtrace: Interview with Petko D. Petkov on Netsecurify
December 24th, 2008 by Sascha MannsPetko D. Petkov is one of the founding-members of the Gnucitizen-hacker-network. They work inbetween internet, computers and security and always have very interesting projects going on, for example the “House of Hackers” a social-network for hackers and security experts. The Gnucitizen define themself as “a leading information security think tank, delivering solutions to local, national and international clients“.
Thier latest project is Netsecurify, an automated, webbased, remote testing tool, that enables security-testings of applications. One of the primary goal of the projects is not only to have a pioneering sort-of feeling, but foremost to support low-profit or non-profit organisations to have a robust and stable security-testing tools for free. They think of organisations, that otherwise would not be able to affort security experts and testing. We had a short interview with Petko D. Petkov on Netsecurify, their motivation, software design and overall goals.
What does the tool Netsecurify exactly do?
Netsecurify is a remote, automated, vulnerability assessment tool. The tool follows the SaaS (Software as a Service) model, i.e. it is a service which runs from Amazon’s scalable computing infrastructure. In it’s core, the tool performs several assessments, all based on open source technologies, and also provides recommendations through a flexible recommendation engine. The tool also allows 3rd-party organizations to enhance the reports.
Netsecurify is very simple to use. All the user has to do is to login and schedule a test for a particular network range. Once we approach the specified scheduled data, we run the test. When the test is done, the user is notified via email or by other means which we are working on at the moment. The user then logs in and downloads a copy of the report. For security reasons, the report is destroyed 30 days after it has been completed.
What was your motivation for starting the project?
The primarily motivation for starting this project is to provide free, quality, flexible, automated information security testing tool which can be employed by charity organizations, 3rd world countries, and in general, organizations and companies who cannot afford to spend money on security. Also, a huge motivational factor is the fact that no one has done a project like this. We are the first to do it. 🙂 This is pretty cool.
Who are the people behind the project and how is the project organized (agency, virtual, decentralized)?
Technically speaking, the people behind Netsecurify are GNUCITIZEN. However, we welcome anyone who is interested to join us and help us improve it. Because the testing engine is based on open source technologies which we have glued together and we are continually enhancing, we are planning to contribute back to the community everything that we do and as such close the circle of energy. In theory, this makes the entire security community part of the Netsecurify project.
What is the basic design concept and how do you think will the project develop and evolve?
We have a scalable backend and very easy to use and flexible frontend. In between we have several APIs which allow us to expand the service as we go. The tool hasn’t been just built from scratch. There was a lot of thought and design considerations put into this project before the actual code. We follow the KISS (Keep it Simple Stupid) principle. We find that this approach works quite well for us. In the future we are planning to continue simplifying and enhancing the product.
Do you have other projects planned, that will be coming at us in the future?
We always have. Expect to see more from the GNUCITIZEN team soon.
Thanks to Martin Wisniowsky (mw@node300.com)
Original Link to this Interview: http://digitaltools.node3000.com/5minutes/interview_with_petko_d_petkov_on_netsecurify_testing_tool.php
Package Management Security on openSUSE
July 16th, 2008 by Andreas JaegerThere has been a report (with further information at this page and at the FAQ) looking at package management security on various distributions that IMO was rather condensed in its summary report and therefore raised some false alarms for various distributions including openSUSE.
Ludwig, one of our security experts, sent out a mail with a reaction to the report and I’d like to point out some of the things from the report and how it’s handled in the openSUSE 11.0 distribution.
Let me state first the major lines of defense that openSUSE uses:
- Package downgrade is not possible, YaST will not do this automatically and therefore many of the attacks (installing an old and vulnerable package) are not possible.
- The openSUSE download redirector serves the metadata from a known and trusted source. I advise everybody to use the download redirector via http://download.opensuse.org.
- The openSUSE updates have both cryptographically signed packages and cryptographically signed meta data – and YaST check these signatures and reject files that do not match the signature.
The described attacks are:
- “Replay Attack: Metadata Replay”: Not possible since the openSUSE download redirector serves the metadata from a central location. The only chance here would be a man-in-the-middle attack but this would not help since YaST will not do a package downgrade.
- “Replay Attack:Mirror Control”: Yes, it’s easy to become an openSUSE mirror but this will not degrade your security since the metadata comes from the download redirector and we only redirect to mirrors that contain the right version of a package – and the redirector monitors that the mirrors contain the right files. YaST is designed with mirrors going out of date or getting corrupted in mind.
- Attacks called “Extraneous Dependencies”, “Unsatisfiable Dependencies”, “Provides Everything” on the other attacks page: Let me cite the page where it mentions protection against these attack: “The easiest way is to use a package manager that signs the repository metadata (like APT or YaST)”.
- “Endless Data Attack”: This is basically a denial of service attack which the admin will soon notice and can then take appropriate action. It cannot happen for metadata since those come from the download redirector but it could happen with openSUSE for packages since we do download the complete file and do not use the file size information contained in the metadata yet. This is something we plan to address for our next release.
Note that when I speak about YaST I mean everything that uses the openSUSE package management library libzypp which includes YaST, zypper and the updater applets.
Note also that the FAQ has a question about the download redirector: “Q: What about OpenSUSE’s download redirector? Does it increase or decrease my security? A: OpenSUSE’s download redirector increases the user’s security…”. I’d like to thank Christoph Thiel, Marcus Rückert and Peter Pöml for their work over the years on the redirector. Peter is the current maintainer and did the last rewrite including the serving of metadata.
Note: if you use SUSE Linux enterprise products, then only servers owned by Novell are used via secure https connections which avoid all these attacks.
Our package management and security experts have been reviewing and improving the security aspects of the package management stack continuously – and the report shows that they were successfull.
Advertisement
-
Lizards
Adrian Schröter (12)
Agustin Chavarria (6)
Alessandro de Oliveira Faria (13)
Alex Barrios (12)
Alexander Naumov (10)
Alexander Orlovskyy (3)
Alin M Elena (5)
Andrea Florio (27)
Andreas Jaeger (70)
Andreas Stieger (12)
Andrew Wafaa (31)
Arvin Schnell (9)
Atri Bhattacharya (3)
Bernhard Wiedemann (31)
Bonnie Kurniawan (1)
Bruno Friedmann (98)
Calumma Brevicorne (29)
Carl Fletcher (1)
Christopher Hobbs (17)
Ciaran Farrell (3)
Stephan Kulow (17)
craig gardner (2)
Stephan Barth (2)
Thomas Schmidt (2)
Dinar Valeev (1)
Dirk Mueller (2)
Dmitry Serpokryl (7)
Efstathios Iosifidis (21)
Fabio Mucciante (5)
Federico Lucifredi (9)
Greg Freemyer (1)
Holger Sickenberg (2)
Hubert Mantel (1)
Ilya Chernykh (5)
Ismail Donmez (1)
J. Daniel Schmidt (2)
James Tremblay (7)
Jan Blunck (4)
Jan Loeser (3)
Jan Madsen (1)
Jan-Christoph Bornschlegel (3)
Jan-Simon Möller (20)
Javier Llorente (12)
Jigish Gohil (85)
Jiri Srain (1)
Jiří Suchomel (3)
Johan Kotze (5)
José Oramas M. (6)
Josef Reidinger (16)
Juergen Weigert (1)
Julio Vannini (9)
Dinar Valeev (5)
Kevin "Yeaux" Dupuy (11)
Klaas Freitag (55)
Lars Vogdt (11)
Ludwig Nussel (13)
M. Edwin Zakaria (4)
Marcus Hüwe (39)
Marcus Meissner (2)
Marcus Moeller (3)
Marcus Schaefer (4)
Martin Lasarsch (8)
Martin Mohring (11)
Masim "Vavai" Sugianto (20)
Michael Andres (1)
Michael Löffler (7)
Michal Marek (7)
Michal Vyskocil (12)
Miguel Angel Barajas Hernandez (2)
P Linnell (2)
Nelson Marques (55)
Nenad Latinović (1)
Nikanth Karthikesan (2)
Przemyslaw Bojczuk (1)
Peter Pöml (4)
Petr Gajdos (2)
Petr Mladek (60)
Petr Uzel (5)
Ray Wang (1)
Raymond Wooninck (1)
Ricardo Chung (7)
Ricardo Varas Santana (7)
Richard Bos (11)
Robert Schweikert (16)
Rossana Motta (1)
Rupert Horstkötter (10)
Sascha Manns (66)
saydul akram (3)
Sebastian Siebert (6)
Shawn Dunn (2)
Stanislav Visnovsky (7)
Stefan Haas (1)
Stefan Hundhammer (5)
Stefan Schubert (7)
Steffen Winterfeldt (8)
Suresh Jayaraman (3)
Susanne Oberhauser (3)
Thomas Göttlicher (6)
Thomas Schraitle (26)
Togan Muftuoglu (3)
Tuukka Pasanen (36)
Will Stephenson (22)
YaST Team (90)