Archive for the 'Technology' Category

SSH Key Authentication

magnet June 23rd, 2008

If you’re reading this article, you probably use SSH (Secure Shell). If you don’t know what SSH is, or you want to know more about it, go to SSH or type “man ssh” on a Linux/Unix environment. Typical implementations of SSH use a username and password to authenticate users. This method has considerable drawbacks:

* Any password can be guessed over time

* Most people don’t watch their secure.log for failed login attempts

* By default, the root account may be remotely logged into via SSH, leaving the system completely vulnerable if someone is able to brute-force the login credentials.

If you run SSH on the standard port 22/tcp, and it’s listening on our public UNT network, and password authentication is enabled, then malicious users outside the UNT domain are attempting to log in. By trying every possible character combination (and especially common ones), they will succeed eventually.

$: So what are SSH keys?

Ans:* SSH keys are a pair of cryptographic keys used to authenticate users instead of (or in addition to) a username/password. One key is private and goes on your source device in the ~/.ssh directory, and the public key goes in the destination device’s ~/.ssh/authorized_hosts file.

$: How long does it take to generate SSH keys?

Ans *:- Just Seconds … :)

But there are Two of them RSA & DSA !!!!!

$: So do I use RSA or DSA ?

Ans *:- RSA has undergone more public cryptanalytic scrutiny, and is tried and true. :)

DSA is based on a different encryption algorithm (privately developed by the NSA), and can sign faster, but verifies slower. Keep in mind this means 300 milliseconds of difference. RSA can be used to encrypt or sign. DSA is only intended for signing.

$: What are the commands to create and implement SSH keys ?

For this instruction set, I’ll use RSA for simplicity. To use DSA instead, simply specify “-t dsa” when you use ssh-keygen.

>>First, type the ssh-keygen command to generate your ssh-key pair.

# ssh-keygen -t rsa

Generating public/private rsa key pair.

>>At this prompt, hit enter unless you want to specify a custom name.

Enter file in which to save key (/Users/exampleuser/.ssh/id_rsa):

Now you’ll be asked twice to create a passphrase. If you don’t use one, you can SSH to another machine without having to type anything. However, if anyone else ever obtains your private key, or a copy of it, they’ll have all the same connectivity privileges that you do. For this reason, we recommend that you use a passphrase; you can use ssh-agent if you wish to type your passphrase only once per day. If you are a system administrator and want to use blank passphrases for easy automated connections, you can bind specific commands directly to the SSH keys to limit the privileges of those auto-connecting accounts.

# Enter passphrase (empty for no passphrase):

# Enter same passphrase again:

After this, you’re done with creating the keypair. Now all that’s left is copying the *.pub key to your remote (destination) computer.

>>The following command will securely transmit the key to the destination host.

# scp id_rsa.pub user@host:/home/username/.ssh

OR

# scp id_rsa.pub user@ipaddr:/home/username/.ssh

>>Now SSH into that remote machine, and move into the .ssh directory.

If you don’t see a file called “authorized_hosts” or “authorized_keys”, then create it and move the *.pub key into it with the following command.

# cat id_rsa.pub > authorized_keys

If the file already exists and may contain other keys already, then type this to append your key to the existing contents.

# cat id_rsa.pub >> authorized_keys

You may need to chmod 700 the destination’s ~/.ssh directory and chmod 600 the actual authorized_keys file. These permissions requirements may vary depending on your UNIX/LINUX variant.
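
The copy, append and permission steps above, together with the earlier point about binding a command to a key, as one idempotent helper. This is an added example, not part of the original post; the `install_pubkey` function name, the backup script path and the sample key are constructed for illustration.

```shell
#!/bin/sh
# install_pubkey PUBFILE SSH_DIR [OPTIONS]
# Adds the key in PUBFILE to SSH_DIR/authorized_keys exactly once, optionally
# prefixed with authorized_keys options, and applies the 700/600 permissions.
install_pubkey() (
    pubfile=$1; sshdir=$2; opts=${3:-}
    auth="$sshdir/authorized_keys"

    # A public key line is "type base64-blob [comment]"; take the first one.
    key=$(awk '/^(ssh-|ecdsa-)/ { print; exit }' "$pubfile")
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    [ -n "$blob" ] || { echo "no public key found in $pubfile" >&2; exit 1; }

    umask 077
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Idempotent: do nothing if this key blob is already authorized.
    if grep -qF -- "$blob" "$auth"; then exit 0; fi

    # Append (never overwrite), so keys already in the file are preserved.
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$key" >> "$auth"
    else
        printf '%s\n' "$key" >> "$auth"
    fi
)

# Demo in a scratch directory with a constructed (not real) key.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaCONSTRUCTEDSAMPLEKEY backup@source\n' > "$demo_dir/id_rsa.pub"
# Options that bind this key to a single command (hypothetical script path).
restrict_opts='command="/usr/local/bin/backup.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh" "$restrict_opts"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh" "$restrict_opts"  # adds no duplicate
cat "$demo_dir/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

With the options prefix in place, a login with that key runs only the named command, whatever the client asks for.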

Now you should be able to ssh from your source to destination computer without having to use a password. At this point, to completely thwart brute-force login attacks, you can edit your destination host’s /etc/sshd_config file to disallow password authentication.

!!!! BE CAREFUL DOING THIS REMOTELY; CONSOLE ACCESS IS RECOMMENDED. BACK UP THE ORIGINAL SSHD_CONFIG FILE FIRST. !!!!

#PasswordAuthentication yes
PasswordAuthentication no
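
A check worth running after this edit, as an added example that is not from the original post: sshd uses the first value it finds for each keyword, so a leftover active `PasswordAuthentication yes` earlier in the file wins over a `no` added further down. The `effective_setting` and `password_auth_off` helpers and the sample file are constructed for illustration.

```shell
#!/bin/sh
# effective_setting FILE KEYWORD
# Prints the value sshd takes for KEYWORD from the global part of FILE.
# Keywords are case-insensitive and the FIRST occurrence wins, so a later
# "PasswordAuthentication no" does not override an earlier active "yes".
# Lines after a "Match" line are conditional and are not counted.
effective_setting() {
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/          { next }     # comment or blank line
        tolower($1) == "match"  { exit }     # global section ends here
        tolower($1) == kw       { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# password_auth_off FILE: succeeds only if password logins are explicitly off
# ("unset" means the daemon's default applies, and that default is "yes").
password_auth_off() {
    [ "$(effective_setting "$1" PasswordAuthentication)" = "no" ]
}

# Constructed sample: "no" was appended, but an earlier "yes" is still active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# added later:
PasswordAuthentication no
EOF

# ChallengeResponseAuthentication is listed because keyboard-interactive
# logins can also prompt for a password through PAM.
for kw in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
    printf '%-32s %s\n' "$kw" "$(effective_setting "$sample" "$kw")"
done
password_auth_off "$sample" || echo "password logins are still enabled"
rm -f "$sample"
# Before restarting the daemon, "sshd -t -f FILE" checks the file for errors.
```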

>>To debug problems with SSH key connections, you can try the verbose switch with SSH.

# ssh -v user@ipaddr

Thank you

Magnet Systems Team

SSHD Filter

magnet January 22nd, 2008

Installing and configuring SSHD Filter
Introduction - SSHDFilter is an open source tool for managing the SSH service effectively and securing the system against brute-force attacks. It blocks brute-force attacks by using iptables.

You can download sshdfilter from the following location http://www.csc.liv.ac.uk/~greg/sshdfilter/ and then untar the tar.gz file…

#wget -c http://www.csc.liv.ac.uk/~greg/sshdfilter-1.5.5.tar.gz
#tar xvzf sshdfilter-1.5.5.tar.gz
#cd sshdfilter-1.5.5

1] Decide which linux distribution .partconf file you need to use -

rh7390 - RedHat 7.3, RedHat 9.0, Fedora Core 2.0 or CentOS 4.3
rhFC30 - RedHat Fedora Core 3.0, Fedora Core 4.0, Red Hat Enterprise Linux ES release 4, or CentOS 3.x
deb31 - Debian 3.1 (sarge) or Debian (sid, but see README.debian)
su10rc1 - SuSe 10.0 RC 1, Gentoo and Slackware
dbear - Dropbear, a light weight sshd daemon

(Our distribution was Fedora 5 so we selected rhFC30)

#cat etc/sshdfilterrc patterns/rhFC30.partconf > /etc/sshdfilterrc

2] Edit /etc/sshdfilterrc to suit your needs -

Make sure that the two rules below are uncommented. These are the blocking and unblocking rules.

#vi /etc/sshdfilterrc

firewalladd='iptables -A $chain -p tcp -s $ip --dport 22 -j DROP'
firewalldel='iptables -D $chain -p tcp -s $ip --dport 22 -j DROP'

Set the chain -
chain='SSHD'
If you would like to set a mailer, you can set it here:
#mail='mail -s \"sshdfilter event for $ip, $event\" greg\@abatis.flint'
Set the sshd path, from where the sshd daemon is or will be running -
sshdpath='/usr/sbin/sshd'
Now comes the main part, setting the user policy. This defines the number of attempts that are allowed and what is done after that number of failures. These are the policies through which we can block unwanted SSH attacks -

(At present we have set the following policies )
4,3d=INVALID
2,5d='^root$'
4,3d='^magnet$'
0,8d=NOID
The first policy “4,3d=INVALID” means that if anyone tries to SSH to the server with an invalid username, after 4 attempts the source IP address is inserted into the iptables SSHD chain and blocked for 3 days.
The second policy “2,5d='^root$'” means that if anyone tries to SSH to the server as root, after 2 unsuccessful attempts the source IP address is inserted into iptables and blocked for 5 days.
The third policy “4,3d='^magnet$'” is similar to the second one: if anyone tries to SSH to the server as magnet, after 4 unsuccessful attempts the source IP address is inserted into iptables and blocked for 3 days. Please note that magnet is one of the users on our server; you can list the users of your own server here.
The fourth policy “0,8d=NOID” catches and blocks all “no SSH id” events: an instant block for 8 days.

You can add more policies to the policy section, the specifications are mentioned in the file.
Once the policies and settings have been done, save and exit the file.
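
The four policies above worked through as an added example (a simplified model written for this page, not sshdfilter's own code). It assumes a block is triggered once the failure count reaches the first number, with 0 meaning the first event, and that each event has already been classified as INVALID, NOID or a login to an existing user.

```shell
#!/bin/sh
# The four policy lines from this page, in ATTEMPTS,DAYSd=TARGET form.
page_policies() {
    cat <<'EOF'
4,3d=INVALID
2,5d='^root$'
4,3d='^magnet$'
0,8d=NOID
EOF
}

# policy_for KIND [USER]: KIND is INVALID (unknown user), NOID (no SSH id
# sent) or USER (existing account, matched against the quoted regex).
# Prints "ATTEMPTS BLOCK_SECONDS" for the first matching line, else "none".
policy_for() {
    page_policies | awk -v kind="$1" -v user="$2" -v q="'" '
        {
            i = index($0, "=")
            split(substr($0, 1, i - 1), lim, ",")
            target = substr($0, i + 1); gsub(q, "", target)   # drop quotes
            days = lim[2]; sub(/d$/, "", days)
            if (target == "INVALID" || target == "NOID") hit = (kind == target)
            else hit = (kind == "USER" && user ~ target)      # regex match
            if (hit) { print lim[1], days * 86400; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# should_block KIND USER FAILURES: prints "block SECONDS" or "allow".
# Assumption: an address is blocked once FAILURES reaches ATTEMPTS, so
# ATTEMPTS=0 blocks on the first event, as the page describes.
should_block() {
    p=$(policy_for "$1" "$2")
    if [ "$p" != "none" ] && [ "$3" -ge "${p% *}" ]; then
        echo "block ${p#* }"
    else
        echo allow
    fi
}

should_block USER root 1          # allow
should_block USER root 2          # block 432000  (5 days)
should_block INVALID nosuchuser 4 # block 259200  (3 days)
should_block NOID "" 1            # block 691200  (8 days)
should_block USER rooty 9         # allow: '^root$' is anchored, no policy matches
```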

3] Add the SSHD chain to your iptables firewall setup -
#iptables -N SSHD

#/etc/init.d/iptables save

4] Add a jump to SSHD rule with something like -

# iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD

Copy sshdfilter.pl to /usr/sbin/sshdfilter, or maybe /usr/local/sbin/sshdfilter -

#cp source/sshdfilter.pl /usr/sbin/sshdfilter

Copy the man pages sshdfilter.1 and sshdfilterrc.5 to /usr/share/man/man{1,5} respectively -

#cp man/sshdfilter.1 /usr/share/man/man1/
#cp man/sshdfilterrc.5 /usr/share/man/man5/

Then copy the sshdfilter and sshd init scripts into /etc/init.d/ and start the services…
(Before doing the above step, please make sure to take a backup of the original sshd file)

#cp etc/init.d/sshdfilter /etc/init.d/
#cp etc/init.d/sshd.rhFC30 /etc/init.d/sshd
#/etc/init.d/sshdfilter start
#/etc/init.d/sshd restart

5] To confirm that sshdfilter is running -

# ps -aux | grep ssh
/usr/bin/perl /usr/sbin/sshdfilter
/usr/sbin/sshd -e -D

You should see output like the above: the sshdfilter process, and sshd running with the -e and -D options.

If you see the above output, the installation is complete and you are done with SSHD; you can now test it by making some failed SSH login attempts against your server.

6] You can check the logs in -

#tail -f /var/log/secure
OR
#tail -f /var/log/messages

We hope this tutorial was helpful to you; we would like to have some feedback from you.
Please feel free to mail.

Thank You,
Magnet Systems Team .

PHP Optimization

magnet January 5th, 2008

Hello All,

Last week we had a session on PHP Optimization in Mumbai & later in Ahmedabad.

The session was about various techniques to be followed to ensure your code is optimized, as well as the various other components which contribute in a major fashion to optimizing your scripts. Those components are the database, caching & web server. The Zend engine, Zend optimizer & APC Accelerator were also touched upon briefly.

Here were some of the major highlights from the session:

1. Difference between Optimization & Scalability. A trade-off is involved between the two always
2. Optimization is different from following good programming practices
3. Database is the major bottleneck in most of the cases
4. If you just optimize your PHP code, there are very good chances that the optimization achieved will be negligible. This is because PHP itself is very fast
5. Output buffering saves a lot of time & memory
6. Few Optimization myths i.e. echo vs print, use of comments, references, etc.
7. How Jobby started on PHP & not JAVA after interviewing Digg.com’s Senior Developer

You can find the slides at: http://blog.magnettechnologies.com/uploads/PHP_Optimization.html

Following resources were referred:

http://phplens.com/lens/php-book/optimizing-debugging-php.php
http://www.oreillynet.com/onlamp/blog/2006/04/digg_phps_scalability_and_perf.html
http://www.moskalyuk.com/blog/php-optimization-tips/1272
http://ilia.ws/archives/12-PHP-Optimization-Tricks.html
http://www.dublish.com/articles/10.html
http://www.danga.com/memcached/
http://www.zend.com/en/products/guard/optimizer/

Thank You.

Vishal Kothari

Creative Websites

Bushy Beard in Magnet (Copyrights Vivek.Anand)

Shailesh October 25th, 2007

Asking a Question is GOOD

But asking too many questions can kill somebody……. BEWARE
