fast sftp 
sftp -o Ciphers=blowfish-cbc USER@HOST

[ view entry ] ( 583 views )   |  print article
apparmor create a new profile 
aa-genprof can not connect to internet, therefore i do it manually

/etc/apparmor.d/usr.bin.program:
#include <tunables/global>
/usr/sbin/program flags=(complain) {
#include <abstractions/base>
}

start program and use it

aa-logprof -f /var/log/syslog -m "STARTSCAN-TIMESTAMP FROM SYSLOG"

Answer the questions and save it.

if no audit logs occur remove "flags=(complain)"

reload a rule: apparmor_parser -r usr.bin.program

[ view entry ] ( 659 views )   |  print article
secure rsync 
I want to rsync on my local-host via ssh from a remote host without a ssh enabled root account but full access to the whole filesystem.

local-host:
ssh-keygen -t rsa
copy ~/.ssh/id_dsa.pub to remote-host:/home/rsyncuser/.ssh/authorized_keys

rsync files with ssh:
rsync -vaHxr --numeric-ids --delete --rsync-path=rsync_wrapper.sh \
-e "ssh -c arcfour -o Compression=no -x" \
rsyncuser@remote-host:REMOTEDIR LOCALDIR

remote-host (source of files to rsync):
groupadd -g 3001 rsyncuser
useradd -u 3001 -g rsyncuser -s /bin/bash -m rsyncuser
/home/rsyncuser/.ssh/authorized_keys:
from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh"
ssh-dss 012345678...
limit access with from (optional).
On sucessfully ssh login command is executed.

/home/rsyncuser/validate-rsync.sh:
#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo “Rejected”
;;
*\;*)
echo “Rejected”
;;
*\(*)
echo “Rejected”
;;
*\{*)
echo “Rejected”
;;
*\<*)
echo “Rejected”
;;
*\`*)
echo “Rejected”
;;
rsync\ --server*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac
/usr/bin/rsync_wrapper.sh:
#!/bin/sh
/usr/bin/sudo /usr/bin/rsync "$@";
/etc/sudoers:
rsyncuser ALL = NOPASSWD: /usr/bin/rsync


[ view entry ] ( 696 views )   |  print article
Secure DDNS with bind9 for ADSL 
dnssec-keygen -a RSAMD5 -b 1024 -n HOST -k -r /dev/urandom home.domain.org

put content of XXX.key into your zonefile

move xxx.key and xxx.private to your client with sftp

/etc/ppp/ip-up.d/ip_update:
#!/bin/sh

TTL=60
SERVER='NAMESERVER'
ZONE='DOMAIN'
HOSTNAME='HOSTNAME.DOMAIN'
KEYFILE='PATH/KEYFILENAME without endings (.key)'

[ -n "$PPP_LOCAL" ] || exit 0

logger "ip_update: Updating dynamic IP $PPP_LOCAL on $SERVER"

RESULT=$(nsupdate -v -k $KEYFILE 2>&1 << EOF
server $SERVER
zone $ZONE
update delete $HOSTNAME A
update add $HOSTNAME $TTL A $PPP_LOCAL
send
EOF)

RC=$?

[ $RC != 0 ] && \
logger "ip_update $PPP_LOCAL on $SERVER failed ($RC/$RESULT)"

exit $RC

Manual update a zonefile with bind 9.3:
rndc freeze zone
edit the zone
rndc unfreeze zone

References:

secure-ddns-howto
running-a-secure-ddns-service-with-bind

[ view entry ] ( 476 views )   |  print article
Secure DNS with bind9 master/slave 
* chrooted
* chaos, internal and external zone
* TSIG updates/zonetransfers for master/slave

apt-get install bind9
/etc/init.d/bind9 stop

/etc/default/bind9: OPTIONS="-u bind -t /var/lib/named"
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mkdir -p /var/lib/named/var/log
cp /etc/localtime /var/lib/named/etc
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

/etc/default/syslogd: SYSLOGD="-a /var/lib/named/dev/log"

dnssec-keygen -a hmac-md5 -b 512 -n host linux.lan

/etc/bind/named.conf on master AND slave:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

/etc/bind/named.conf.options on master AND slave:
acl "internal" { 192.168.0.2; 127.0.0.1; };
acl "trusted" { internal; };

acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
46.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
192.0.2.0/24;
! 192.168.0.2; 192.168.0.0/16;
197.0.0.0/8;
198.18.0.0/15;
223.0.0.0/8;
224.0.0.0/3;
};

logging {
channel default_syslog {
// Send most of the named messages to syslog.
syslog local2;
severity info;
};

channel audit_log {
// Send the security related messages to a separate file.
file "/var/log/named.log" versions 5 size 20m;
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { default_syslog; };
category lame-servers { audit_log; };
};

key "masterslave" {
algorithm hmac-md5;
secret "---HASHKEY---";
};

server IP_OF_OTHER_SIDE(/etc/bind/slave) {
keys {
masterslave;
};
};

options {
directory "/var/cache/bind";
statistics-file "/var/log/named.stats";
memstatistics-file "/var/log/named.memstats";
dump-file "/var/log/named.dump";
zone-statistics yes;

// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;

allow-transfer { key masterslave; };

// rndc reload won't work because of dynamic updates enabled with
// allow-update { key masterslave; };

allow-recursion { trusted; };

allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};
allow-query-cache {
// Accept queries of our cache from our "trusted" ACL.
trusted;
};

blackhole {
// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

//disabled for random prorts query-source address * port 53;
transfer-source * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
PROVIDER_DNS1;
PROVIDER_DNS2;
};

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};

master:

/etc/bind/master_linux.lan
$TTL 3D
@ IN SOA ns1.linux.lan. hostmaster.linux.lan. (
200710131 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
TXT "Linux.LAN, serving YOUR domain :)"
NS ns1 ; Inet Address of name server
NS ns2
MX 10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
ns1 A MASTER_IP
ns2 A SLAVE_IP
mail A MAIL_IP

/etc/bind/named.conf.local
zone "linux.lan" {
type master;
file "/etc/bind/master_linux.lan";
};

slave:

/etc/bind/named.conf.local:
zone "linux.lan" {
type slave;
file "/etc/bind/slave_linux.lan";
masters { MASTER_IP; };
allow-notify { key masterslave; };
};

rndc-confgen > /etc/rndc.conf

copy parts to /etc/bind/named.conf.options on master AND slave:
key "rndc-key" {
algorithm hmac-md5;
secret "---HASHKEY---";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

master:
/etc/bind/named.conf.local
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;

zone "." {
type hint;
file "/dev/null";
};

zone "bind" {
type master;
file "/etc/bind/db.bind";

allow-query { trusted; };
allow-transfer { none; };
};
allow-recursion { none; };
};

view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.

match-clients { internal; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;

include "/etc/bind/zones.rfc1918";

zone "internal.ournetwork.com" in {
// Our internal A RR zone. There may be several of these.
type master;
file "/etc/bind/db.internal";
};
zone "7.7.7.in-addr.arpa" in {
// Our internal PTR RR zone. Again, there may be several of these.
type master;
file "/etc/bind/db.7.7.7";
};
};

// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.

match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
allow-recursion { none; };

include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.local";
};

master and slave /etc/bind/zones.local:
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

zone "ournetwork.net" in {
type master;
file "/etc/bind/db.ournetwork";
allow-query { any; };
};

zone "8.8.8.in-addr.arpa" in {
type master;
file "/etc/bind/db.8.8.8";
allow-query { any; };
};

master and slave /etc/bind/db.bind:
$TTL    1D 
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
2001013101 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.


version.bind. CHAOS TXT "BIND 9.1.3+robhacks"
authors.bind. CHAOS TXT "are better coders than I. :)"

slave:
/etc/bind/named.conf.local
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;

zone "." {
type hint;
file "/dev/null";
};

zone "bind" {
type master;
file "/etc/bind/db.bind";

allow-query { trusted; };
allow-transfer { none; };
};
};

// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.

match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;

include "/etc/bind/zones.local";
include "/etc/bind/zones.rfc1918";

zone "ournetwork.net" in {
type slave;
file "/etc/bind/db.ournetwork";
allow-query { any; };
masters { MASTER_IP; };
};

zone "8.8.8.in-addr.arpa" in {
type slave;
file "/etc/bind/db.8.8.8";
allow-query { any; };
masters { MASTER_IP; };
};
};


References:
secure-bind-template
Bind9 Administration
bin9 hardening

[ view entry ] ( 678 views )   |  print article

<<First <Back | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | Next> Last>>