If you’re reading this article, you probably use SSH (Secure Shell). If you don’t know what SSH is, or you want to know more about it, go to SSH or type “man ssh” on a Linux/Unix environment. Typical implementations of SSH use a username and password to authenticate users. This method has considerable drawbacks:

* Any password can be guessed over time

* Most people don’t watch their secure.log for failed login attempts

* By default, the root account may be remotely logged into via SSH, leaving the system completely vulnerable if someone is able to brute-force the login credentials .

If you run SSH on the standard port 22/tcp, and it’s listening on our public UNT network, and password authentication is enabled, then malicious users outside the UNT domain are attempting to log in. By trying every possible character combination (and especially common ones), they will succeed eventually.

$: So what are SSH keys ?

Ans:* SSH keys are a pair of cryptographic keys used to authenticate users instead of (or in addition to) a username/password. One key is private and goes on your source device in the ~/.ssh directory, and the public key goes in the destination device’s ~/.ssh/authorized_hosts file.

$: How long does it take to generate SSH keys ?

Ans *:- Just Seconds …

But there are Two of them RSA & DSA !!!!!

$: So do I use RSA or DSA ?

Ans *:- RSA has undergone more public cryptanalytic scrutiny, and

is tried and true.

DSA is based off a different encryption algorithms (privately developed by the NSA), and can sign faster, but verifies slower. Keep in mind this means 300 milliseconds of difference. RSA can be used to encrypt or sign. DSA is only intended for signing.

$: What are the commands to create and implement SSH keys ?

For this instruction set, I’ll use RSA for simplicity. To use DSA instead, simply specify “-t DSA” when you use ssh-keygen.

>>First, type the ssh-keygen command to generate your ssh-key pair.

# ssh-keygen -t rsa

Generating public/private rsa key pair.

>>At this prompt, hit enter unless you want to specify a custom name.

Enter file in which to save key (/Users/exampleuser/.ssh/id_rsa):

Now you’ll be twice asked to create a passphrase. If you don’t use one, you can SSH to another machine without having to type anything. However, if anyone else ever has your private key, or a copy of it, they’ll have all the same connectivity privileges that you do. For this reason, we recommend that you use a passphrase, and you can use ssh-agent if you wish to only type your password once per day. If you are a system administrator and want to use blank passphrases for easy automated connections, you can bind certain commands directly to the SSH keys to limit privileges of those auto connecting accounts.

# Enter passphrase (empty for no passphrase):

# Enter same passphrase again:

After this, you’re done with creating the keypair. Now all that’s left is copying the *.pub key to your remote (destination) computer.

>>The following command will securely transmit the key to the destination host.

# scp id_rsa.pub user@host:/home/username/.ssh

OR

# scp id_rsa.pub user@ipaddr:/home/username/.ssh

>>Now SSH into that remote machine, and move into the .ssh directory.

If you don’t see a file called “authorized_hosts” or “authorized_keys“, then create it and move the *.pub key into it with the following command.

# cat id_rsa.pub > authorized_keys

If the file already exists and may contain other keys already, then type this to append your key to the existing contents.

# cat id_rsa.pub >> authorized_keys

You may need to chmod 700 the destination’s ~/.ssh directory and chmod 600 the actual authorized_keys file. These permissions requirements may vary depending on your UNIX/LINUX variant.

Now you should be able to ssh from your source to destination computer without having to use a password. At this point, to completely thwart brute-force login attacks, you can edit your destination host’s /etc/sshd_config file to disallow password authentication.

!!!! BE CAREFUL DOING THIS REMOTELY; CONSOLE ACCESS IS RECOMMENDED. BACK UP THE ORIGINAL SSHD_CONFIG FILE FIRST. !!!!

#PasswordAuthentication yes
PasswordAuthentication no

>>To Debug problems with SSH key connections, you can try the verbose switch with SSH.

# ssh -v user@ipaddr

Thank you

Magnet Systems Team

You can downaload the sshdfilter from the following location http://www.csc.liv.ac.uk/~greg/sshdfilter/ and then untar the tar.gz file…

#wget -c http://www.csc.liv.ac.uk/~greg/sshdfilter-1.5.5.tar.gz
#tar xvzf sshdfilter-1.5.5.tar.gz
#cd sshdfilter-1.5.5

1] Decide which linux distribution .partconf file you need to use -

rh7390 - RedHat 7.3, RedHat 9.0, Fedora Core 2.0 or CentOS 4.3
rhFC30 - RedHat Fedora Core 3.0, Fedora Core 4.0, Red Hat Enterprise Linux ES release 4, or CentOS 3.x
deb31 - Debian 3.1 (sarge) or Debian (sid, but see README.debian)
su10rc1 - SuSe 10.0 RC 1, Gentoo and Slackware
dbear - Dropbear, a light weight sshd daemon

(Our distribution was Fedora 5 so we selected rhFC30)

#cat etc/sshdfilterrc patterns/rhFC30.partconf > /etc/sshdfilterrc

2] Edit /etc/sshdfilterrc to suit your needs -

make sure that below two rules are uncommented, These are the blocking and unblocking rules.

#vi /etc/sshdfilterrc

firewalladd=’iptables -A $chain -p tcp -s $ip –dport 22 -j DROP’
firewalldel=’iptables -D $chain -p tcp -s $ip –dport 22 -j DROP’

Set the CHAIN -
chain=’SSHD’
If you would like to set a mailer you can set it from here:
#mail=’mail -s \”sshdfilter event for $ip, $event\” greg\@abatis.flint’
Set the sshd path, from where the sshd daemon is or will be running :-
sshdpath=’/usr/sbin/sshd’
Now comes the main part of setting the user Policy : this will define the number of attempts that should be allowed and what is to be done after the number of failures, These are the policies through which we can block the unwanted ssh attacks -

(At present we have set the following policies )
4,3d=INVALID
2,5d=’^root$’
4,3d=’^magnet$’
0,8d=NOID
The First Policy “4,3d=INVALID” defines , if any person trying to ssh to the server with an invalid username, after 4 attempts , his name will get inserted into the iptables SSHD chain and he will get blocked for 3 days.
The Second Policy ” 9,3d=’^root$’ ” defines, if any peroson tries to ssh the server with root as the user, after 2 unsuccessfull attempts, his name will get inserted into iptables and he will be blocked for 5 days.
The Third Policy ” 4,3d=’^magnet$’ ” is similiar to the second one, If any person, trying to ssh the server with magnet as the user, after 4 unsuccessfull attempts, his name will get inserted into iptables and he will be blocked for 3 days. Please note, Here magnet is one of the users on the server, You can mention the users of your server.
The Fourth Policy ” 0,8d=NOID ” defines, Catch and block all No ssh id events, instant block for 8 days.

You can add more policies to the policy section, the specifications are mentioned in the file.
Once the policies and settings have been done, save and exit the file.

3] Add the SSHD chain to your iptables firewall setup -
#iptables -N SSHD

#/etc/init.d/iptables save

4] Add a jump to SSHD rule with something like -

# iptables -A INPUT -p tcp -m tcp –dport 22 -j SSHD

copy sshdfilter.pl to /usr/sbin/sshdfilter, or maybe /usr/local/sbin/sshdfilter -

#cp source/sshdfilter.pl /usr/sbin/sshdfilter

Copy the man pages sshdfilter.1 and sshdfilterrc.5 to /usr/share/man/man{1,5} respectively -

#cp man/sshdfilter.1 /usr/share/man/man1/
#cp man/sshdfilterrc.5 /usr/share/man/man5/

Then copy the sshdfilter and sshd file to /etc/init.d/sshdfilter and start services…
(Before doing the above step, Please ensure to take a backupof the original sshd file)

#cp etc/init.d/sshdfilter /etc/init.d/
#cp etc/init.d/sshd.rhFC30 /etc/init.d/sshd
#/etc/init.d/sshdfilter start
#/etc/init.d/sshd restart

5] To confirm that sshdfilter is running -

# ps -aux | grep ssh
/usr/bin/perl /usr/sbin/sshdfilter
/usr/sbin/sshd -e -D

You should be seeing some output like the above one, that is the sshdfilter process and the sshd should be running with the -e and -D options.

If you see the above outputs, the installation is complete and you are done with SSHD, you can now try doing some ssh attacks to your server.

6] You can check the logs in -

#tail -f /var/log/secure
OR
#tail -f /var/log/messages

Hope this tutorial was helpful to you, we would like to have some feedbacks from you.
Please feel free to mail.

Thank You,
Magnet Systems Team .

Last week we had a session on PHP Optimization in Mumbai & later in Ahmedabad.

The session was about various techniques to be followed to ensure your code is optimized, as well as the various other components which contribute in a major fashion to optimizing your scripts. Those components are the database, caching & web server. A small brief was also touched upon Zend engine, Zend optimizer & APC Accelerator.

Here were some of the major highlights from the session:

1. Difference between Optimization & Scalability. A trade-off is involved between the two always
2. Optimization is different from following good programming practices
3. Database is the major bottleneck in most of the cases
4. If you just optimize your PHP code, there are very good chances that the optimization achieved will be negligible. This is because PHP itself is very fast
5. Output buffering saves a lot of time & memory
6. Few Optimization myths i.e. echo vs print, use of comments, references, etc.
7. How Jobby started on PHP & not JAVA after interviewing Digg.com’s Senior Developer

You can find the slides at: http://blog.magnettechnologies.com/uploads/PHP_Optimization.html

Following resources were referred:

http://phplens.com/lens/php-book/optimizing-debugging-php.php
http://www.oreillynet.com/onlamp/blog/2006/04/digg_phps_scalability_and_perf.html
http://www.moskalyuk.com/blog/php-optimization-tips/1272
http://ilia.ws/archives/12-PHP-Optimization-Tricks.html
http://www.dublish.com/articles/10.html
http://www.danga.com/memcached/
http://www.zend.com/en/products/guard/optimizer/

Thank You.

Vishal Kothari

“The Egroupware Fable”

We had got this project of installing egroupware on one of our clients server. Something that we had never heard about, So our first task was to find out what actaully EGroupware is, this required a little bit of googling, and this is what we found :

eGroupware is a free enterprise ready groupware software for your network. It enables you to manage contacts, appointments, todos and many more for your whole business. It comes with a native web-interface which allows to access your data from any platform all over the planet. Moreover you also have the choice to access the eGroupware server with your favorite groupware client (Kontact, Evolution, Outlook) and also with your mobile or PDA via SyncML. eGroupWare is platform independent.

In short what we can say, egroupware is like a Content Management System, which allows you to manage your contacts, check your emails, manage your websites, manage your files and many other features.

After we were through what egroupware was, now was the main part where we need to know what are the prerequisites and what is the configuration reuiqred.

It was not easy, when we first started with the requirements of egrouware, we came to know after we had downloaded the egroupware installation package and we started with the egroupware installation test. And we realised that we will have to recompile apache and as well as PHP. That was ok. But still the main task was to clear up all the warning messages that the egroupware installation page would show. Even after PHP was recompiled and reconfigured we then realised that it was still not over. There were many packages that the egroupware required and which we had still not installed. you can say these were the kerberos which is related to the gcc, g++ and gcc-c++ packages and the libjpg, libpng and libfreetypedir, liblstool, libmcrypt.

Even after doing all the above tasks, the warnings were still not cleared, we were on the debugging path trying to find what went missing, and finally found that its the libmcrypt that has been installed. The thing is, libmcrypt needs to be installed with POSIX thread disabled, so again a little bit of googling and it was done and there PHP was ready to take on the egrouware.

There’s this new thing we found about PHP that was required with for the Egroupware and that is the PEAR, its a name of a fruit. But here PEAR is PHP Extension and Application Repository.

After PEAR was done, we were ready to go ahead with the egrouware and as per the steps mentioned, we entered the required details about the server and its mail mysql application and Egroupware was all setup and DONE.

If you would like to know the steps required for installation of Egroupware, you can visit our Little Blog at :

http://www.egroupware.co.nr

Thank You

Systems Team
Magnet Technologies

www.magnettechnologies.com

I am planning to have something up from my side daily based on following categories - one for each day !

1. Personal - Monday - When you are back at office after a cool week end you have something personal to share !
2. Technology - Tuesday - It’s time to work !
3. Literature - Wednesday - Kuchh sher-o-shayari ho jaye !
4. Inspiration - Thursday - In the midst of week you really need inspirationton continue your work !
5. Fun - Friday - It’s time for Fun Friday !

6. Working Saturday - Sorry ! I am too busy in planning my Sunday and no time to write blog…………

I hope I will continue writing and will be in touch with you all………

1. What is height of Fashion?

A. Dhoti with a zip .

2. What is height of Secrecy?

A. Offering blank visiting cards.

3. What is height of Active laziness?

A. Asking for a lift to house while on a morning walk.

4. What is height of Craziness?

A. Getting a blank paper Xeroxed.

5. What is height of Forgetfulness?

A. Seeing the mirror and trying to recollect when you saw him / her last.

6. What is height of Stupidity?

A. A man looking through a keyhole of a glass door.

7. What is height of Honesty?

A. A pregnant woman taking one and a half ticket.

8. What is height of Suicide?

A. A dwarf jumping from the footpath on the road.

9. What is height of De-hydration?

A. A cow giving milk powder.

– Ami Sanghavi

I went home and started selecting the traditional outfit for next day’s event. Finally the day arrived. I came to office and saw most of the MAGNETEERs in their normal casual outfits and very few were wearing the traditional outfits, but later on rest of MAGNETEERs wore their traditional outfits. It seems that everyone was excited about event. At round about 12:00 PM Garba music was turned on and my feet were telling me to go on the floor and dance like anything (though I am bad at Garba). Now its 3:20, the golden moment time arrived and everyone gathered for the Garba event. Our DJ ( Deepak Jadhav) was ready with his Music systems. Ankur did the grand opening with his “Jhatkas” and Ketan was following him. Gradually everyone started dancing with each other.

First round was a marvelous opening for every one, as each and every one enjoyed and the round was lasted for 45 minutes. Among all MAGNETEERs, three best couples were chosen by Jury (Meenaben + Gaurav). Those talented persons were Ankur and Sangeeta, Ketan and Megha, Vivek and Ami.

Now it was a time for second round, in which all the three
Couples showed their best performances. We were wondering for the results that who would be the winner. Results were disclosed on Monday. As expected “Ketan and Megha” were the winners for their out standing performance and the best appearance prize was given to Ankur and Ami.

We had a wonderful time which Most of the MAGNETEERs will remember rest of their life. Following snaps represents the best time that we enjoyed at Magnet’s floor.

Enjoy ur free time by visiting these creative websitessssssssss……..

http://www.smashingmagazine.com/2007/07/17/exploring-design-outstanding-start-pages/

http://leoburnett.ca/

http://www.capitalcomm.com.my/

http://www.mhq.nl/

http://www.hellosweetie.co.uk/

http://lab.mathieu-badimon.com/

http://www.vault49.com/

http://www.pr0jects.com/portfolio/

http://www.dontclick.it/

Cheers
Gaurav

# Sawaariya

# OSO (Om Shanti Om)

Which movie will hit the Box Office. Voice out your comments!

But asking too many questions can kill somebody……. BEWARE